Linux Piter 2015 / Aleksey Zalesov: "Container security" / Saint Petersburg, Russia / 21 November 2015

Aleksey Zalesov: "Container security"

Description

How secure are containers? What can be done to improve container security? When should I use VMs and when containers?

1. Containers utilise underlying kernel technologies:
   - namespace isolation (Linux namespaces)
   - resource limiting (cgroups)
   - security policies (seccomp, SELinux, kernel capabilities)
2. How can a process escape from a container?
   - SUID bit
   - same UID as a process in another container
   - privileged container
   - buggy kernel call (vmsplice example)
   - unsigned Docker image
3. What can be done about this?
   - drop unnecessary capabilities
   - sign images
   - place containers on different hosts
   - use VMs
4. Demo: run a container without Docker, limit its CPU to 70%, show the process structure.
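The demo in item 4 assembled from the primitives listed in item 1, as an added example that is not the speaker's own demo script: unshare(1) for the namespaces, a cgroup v2 cpu.max entry for the 70% limit, and ps from inside the new PID namespace for the process view. It assumes root, util-linux unshare, and cgroup v2 mounted at /sys/fs/cgroup (both paths are overridable environment variables).

```shell
#!/bin/sh
# Added example: a minimal "container without Docker" built directly from
# the kernel features the talk lists (namespaces, cgroups). Assumes root,
# util-linux unshare(1) and cgroup v2 at /sys/fs/cgroup (assumed defaults).
set -eu

CGROUP_ROOT=${CGROUP_ROOT:-/sys/fs/cgroup}
CG_NAME=${CG_NAME:-demo-container}

# Translate a CPU percentage into the "quota period" pair that cpu.max
# expects: 70% of one CPU over the default 100 ms period is "70000 100000".
cpu_max_for_percent() {
  percent=$1
  period=100000
  quota=$(( percent * period / 100 ))
  echo "$quota $period"
}

# Create a cgroup with the CPU limit applied and print its path.
# The cpu controller must be delegated to children of the root cgroup.
make_cpu_limited_cgroup() {
  cg="$CGROUP_ROOT/$CG_NAME"
  grep -qw cpu "$CGROUP_ROOT/cgroup.subtree_control" \
    || echo "+cpu" > "$CGROUP_ROOT/cgroup.subtree_control"
  mkdir -p "$cg"
  cpu_max_for_percent "$1" > "$cg/cpu.max"
  echo "$cg"
}

# Move this shell into the limited cgroup (children inherit membership),
# then start a shell in fresh PID, mount, UTS, IPC and network namespaces.
# --mount-proc gives it a /proc that only shows its own PID namespace.
run_isolated() {
  cg=$(make_cpu_limited_cgroup "${1:-70}")
  echo $$ > "$cg/cgroup.procs"
  unshare --fork --pid --mount-proc --mount --uts --ipc --net sh -c '
    hostname demo
    echo "--- processes visible inside the container ---"
    ps -eo pid,ppid,comm
    echo "--- cgroup and CPU limit seen from inside ---"
    cat /proc/self/cgroup
    cat "$0/cpu.max"
  ' "$cg"
}

# Usage: sudo sh this_script.sh run [percent]
if [ "${1:-}" = run ]; then
  run_isolated "${2:-70}"
fi
```

Inside the new namespaces ps shows only sh and ps, with sh as PID 1; the host still sees the full tree, which is exactly the asymmetry the talk's escape examples rely on.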

Aleksey Zalesov
Arkhangelsk, Russia
Cloud Foundry Engineer
Altoros

Alexey Zalesov is a Cloud Foundry/DevOps Engineer at Altoros with seven years of experience in system administration. His core specialization is systems for IT monitoring and management. Alexey is particularly fascinated by the possibility of managing the full lifecycle of large distributed systems like Cloud Foundry with a single tool called BOSH. His professional interests also include Linux container tuning techniques for maximum performance.

Official web-site
http://linuxpiter.ru/