THE ROUTE TO ROOTLESS

Similar documents
The State of Rootless Containers

Rootless Containers with runc. Aleksa Sarai Software Engineer

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

OS Security III: Sandbox and SFI

Understanding user namespaces

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Container mechanics in Linux and rkt FOSDEM 2016

Docker Security. Mika Vatanen

1 Virtualization Recap

Travis Cardwell Technical Meeting

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Namespaces and Capabilities Overview and Recent Developments

Container Security. Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com

State of Containers. Convergence of Big Data, AI and HPC

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Infrastructure Security 2.0

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

OS Containers. Michal Sekletár November 06, 2016

How to build and run OCI containers

User Namespaces. Linux Capabilities and Namespaces. Outline. Michael Kerrisk, man7.org c 2018 March 2018

Landlock LSM: toward unprivileged sandboxing

OS Virtualization. Linux Containers (LXC)

Container Security. Docker London July 20, Everything You Probably Should Know

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

TEN LAYERS OF CONTAINER SECURITY

How Container Runtimes matter in Kubernetes?

HTCondor: Virtualization (without Virtual Machines)

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

Security Namespace: Making Linux Security Frameworks Available to Containers

Operating system security models

Introduction to Containers

Container Detection and Forensics, Gotta catch them all!

STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

PROCESS MANAGEMENT Operating Systems Design Euiseong Seo

OCI Runtime Tools for Container Standardization

SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG

Flatpak a technical walk-through. Alexander Larsson, Red Hat

Hacking and Hardening Kubernetes

An introduction to Docker

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

Capabilities. Linux Capabilities and Namespaces. Outline. Michael Kerrisk, man7.org c 2018 March 2018

Cloud Foundry Diego: The New Cloud Runtime. Heterogeneous Container Scheduling, Docker & More

Containers and isolation as implemented in the Linux kernel

Samba and Chrome OS the Start of a beautiful Friendship

Deploy containers on your cluster - A proof of concept

File access-control per container with Landlock

Docker Deep Dive. Daniel Klopp

Secure and Simple Sandboxing in SELinux

Engineering Robust Server Software

Secure Architecture Principles

Comparing Next-Generation Container Image Building Tools

IBM Research Report. Docker and Container Security White Paper

Course 55187B Linux System Administration

The Linux capabilities model

CSCE 410/611: Virtualization

Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

Intro to Container Security. Thomas Cameron Global Cloud Strategy Evangelist Mrunal Patel Principal Software Engineer

Seccomp, network and namespaces. Francesco Tornieri <francesco.tornieri AT kiratech.it>

Docker und IBM Digital Experience in Docker Container

Next Generation Tools for container technology. Dan

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

深 入解析 Docker 背后的 Linux 内核技术. 孙健波浙江 大学 SEL/VLIS 实验室

Multitenancy Deep Dive

Container Security and new container technologies. Dan

Securing Microservices Containerized Security in AWS

TEN LAYERS OF CONTAINER SECURITY

CS-580K/480K Advanced Topics in Cloud Computing. Container III

SAINT LOUIS JAVA USER GROUP MAY 2014

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Charliecloud Unprivileged Containers for HPC

Docker and Security. September 28, 2017 VASCAN Michael Irwin

Portable, lightweight, & interoperable Docker containers across Red Hat solutions

Infoblox Kubernetes1.0.0 IPAM Plugin

Zdeněk Kubala Senior QA

Linux Kernel Security Overview

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Exam LFCS/Course 55187B Linux System Administration

Replacing Docker With Podman. By Dan

Is it safe to run applications in Linux Containers?

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Sandboxing Linux code to mitigate exploitation. (Or: How to ship a secure operating system that includes third-party code)

Linux Filesystems and Storage Chris Mason Fusion-io

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

Distributed Computing Framework Based on Software Containers for Heterogeneous Embedded Devices

Secure Containers with EPT Isolation

Chapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories

CSE 565 Computer Security Fall 2018

Container's Anatomy. Namespaces, cgroups, and some filesystem magic 1 / 59

ISSN (Online)

Dockerized Tizen Platform

Centre de Calcul de l Institut National de Physique Nucléaire et de Physique des Particules. Singularity overview. Vanessa HAMAR

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

Alternatives to Solaris Containers and ZFS for Linux on System z

Linux Capabilities & Set-UID Vulnerability

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Introduction to Virtualization and Containers Phil Hopkins

Transcription:

THE ROUTE TO ROOTLESS

THE ROUTE TO ROOTLESS

BILL AND TED'S ROOTLESS ADVENTURE

THE ROUTE TO ROOTLESS

WHAT SECURITY PROBLEM IS GARDEN SOLVING IN CLOUD FOUNDRY?

THE PROBLEM IN CLOUD FOUNDRY Public Multi-Tenant Docker Workloads

WHAT IS A CONTAINER?

THE GREATEST TRICK CONTAINERS EVER PULLED WAS CONVINCING THE WORLD THEY EXIST

WHAT IS A CONTAINER? Confinement Own view of the system Fair share of resources Unable to modify constraints Dependency Management

CONFINEMENT Linux Namespaces Cgroups Dropping Capabilities Seccomp AppArmor

LINUX NAMESPACES There are global resources in linux such as process trees, mount tables, network devices, etc. Namespaces wrap these global system resources to make it appear to the processes within the namespace that they have their own isolated instance of the global resource.

LINUX NAMESPACES PID - Process IDs MNT - Mount points NET - Network devices, stacks, ports, etc UTS - Hostname and NIS domain name IPC - Inter Process Communication USER - User and group IDs CGROUP - Cgroup root directory

SHARING Control Groups Resource limiting Prioritization Accounting Control Disk Quotas More on this trainwreck later!

CAPABILITIES Historically, processes could be privileged (effective user ID = 0, known as root) or unprivileged. Privileged processes would bypass all kernel permission checks. Since 2.2 Linux has divided superuser permissions into distinct units known as capabilities, which can be independently enabled or disabled.

CAPABILITIES CAP_SET_UID (change uid) CAP_NET_BIND_SERVICE (listen on privileged ports) CAP_KILL (send signals to any process) CAP_CHOWN (chown any files) CAP_DAC_OVERRIDE (bypass permission checks) CAP_SYS_ADMIN (do all the things!)

SECCOMP Seccomp stands for secure computing mode. It's a kernel sandboxing tool since Linux version 2.6.12. Enabling seccomp on a process limits the system calls available to that process. Also can limit args allowable in a system call (e.g. namespace clone flags).

APPARMOR AppArmor is a mandatory access control mechanism. Profiles are applied to running process to limit access to resources or privilege. `deny @{PROC}/sysrq-trigger rwklx`

I GET KNOCKED DOWN, BUT I GET UP AGAIN CVE-2016-9962: runc fd traversal: User Namespaces, Capability Dropping, AppArmor CVE-2017-16539: SCSI MICDROP - User Namespaces, AppArmor CVE-2017-16995: ebpf verifier vulnerability - Capability Dropping (sometimes), Seccomp

DEPENDENCY MANAGEMENT pivot_root(8) Layered filesystems

PIVOT ROOT What's in /? run.sh Boring Host Ubuntu Cool Container Busybox

PIVOT ROOT pivot_root! run.sh Boring Host Ubuntu Cool Container Busybox

PIVOT ROOT pivot_root! run.sh Boring Host Ubuntu Cool Container Busybox

PIVOT ROOT What's in /? run.sh Boring Host Ubuntu Cool Container Busybox

LAYERED FILESYSTEMS run.sh

LAYERED FILESYSTEMS run.sh /bin/os-specific

LAYERED FILESYSTEMS run.sh /bin/os-specific AMI

LAYERED FILESYSTEMS run.sh Δ B Δ A Base ROOTFS

WHAT IS A CONTAINER? Confinement Own view of the system Fair share of resources Unable to modify constraints Dependency Management

SO EVERYTHING IS SECURE IN A CLOUD FOUNDRY CONTAINER RIGHT?

YES...BUT...

ROUTE TO ROUTELESS

CREDITS Jessie Frazelle (@jessfraz) Aleksa Sarai (@lordcyphar) Akihiro Suda (@_AkihiroSuda_)

WHAT IS A CONTAINER? Confinement Own view of the system Fair share of resources Unable to modify constraints Dependency Management

CONFINEMENT Unprivileged user namespaces Since Linux 3.8 Just need CAP_SYS_ADMIN in the owning user namespace to do the rest: Other namespaces Seccomp AppArmor

HOW DO USER NAMESPACES WORK? Users are living a double life...

IN THE HOST

IN THE CONTAINER

HOW DO USER NAMESPACES WORK? /proc/self/uid_map and /proc/self/gid_map specify user id mappings from outer to inner user namespace. Mappings are triples of (inner ID, outer ID, range)

CONFINEMENT How do unprivileged user namespaces work? newuidmap/newgidmap setuid binaries validate mappings against /etc/subuid PRed support to runc

SHARING There's no way to do cgroups entirely unprivileged yet cgroups are a virtual filesystem like proc /sys/fs/cgroup/memory/** Files are owned by root by default Privileged setup can chown cgroups to our container root user, so runc can write to them PRed support to runc

DEPENDENCY MANAGEMENT pivot_root(8) User namespace gives us CAP_SYS_ADMIN

DEPENDENCY MANAGEMENT Layered filesystems AUFS mounts Not possible unprivileged BTRFS Snapshots OverlayFS mounts

DEPENDENCY MANAGEMENT Layered filesystems AUFS mounts (not possible unprivileged) BTRFS Snapshots Initial setup as privileged Snapshots can be done unprivileged Exploded with quotas at scale :( OverlayFS mounts (seems to be working?!)

DEPENDENCY MANAGEMENT Layered filesystems AUFS mounts (not possible unprivileged) BTRFS Snapshots OverlayFS mounts Possible on Ubuntu unprivileged Seems to be working?!

OVERLAY ROOTFUL

OVERLAY ROOTLESS

ROAD BLOCKS

DISK QUOTAS We use XFS for filesystem quotas XFS requires privilege Small, focused setuid binary just for quota management

NETWORKING Networking used to be integrated into Garden Garden supports a plugin architecture garden-external-networker is setuid Some awesome work going on from Aleksa Sarai and Akihiro Suda on this front!

GDN SETUP cgroup chowning in garden setup No user input Before any workload can be running in CF At least one attempt to fix this by Aleksa Sarai, but no luck yet

BUT IT'S OK...

REDUCING PRIVILEGE Reduce privilege where we can, when we can Break apart monoliths to only allow privilege where required Some things take time Proving out slowly is a positive thing It's getting better!

DOES IT WORK?

HOW CAN I TRY IT? Experimental config option in BOSH manifest

THANKS

"ET TU ROOT?" - JULIUS CAESAR

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback