How secure are containers? What can be done to improve container security? When should I use VMs and when containers?

1. Containers rely on underlying kernel technologies:
- namespace isolation (Linux namespaces)
- resource limiting (cgroups)
- security policies (seccomp, SELinux, kernel capabilities)
2. How can a process escape from a container?
- SUID bit
- same UID as a process in another container
- privileged container
- buggy kernel call (the vmsplice example)
- unsigned Docker image
3. What can be done about this?
- drop unnecessary capabilities
- sign images
- place containers on different hosts
- use VMs
4. Demo: run a container without Docker, limit its CPU to 70%, and show the process structure.
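The escape vectors and mitigations in the outline above (SUID binaries, uid 0 inside the container, privileged containers, dropping unnecessary capabilities) can all be checked from a single file, /proc/<pid>/status. The script below is an added example written for this page, not material from the talk or from Altoros: it decodes the CapEff/CapBnd masks into capability names, flags the conditions that make an escape cheap, and prints the docker run flags that drop everything the workload does not need. The capability numbering follows include/uapi/linux/capability.h; the HOST_REACH_CAPS list is my own choice of capabilities that give direct reach into the host kernel, and the three status excerpts are constructed (the default-Docker CapEff value 00000000a80425fb is the well-known 14-capability default set).

```python
"""Audit a container process's capability set from /proc/<pid>/status (added example)."""
from __future__ import annotations

# Linux capability numbers from include/uapi/linux/capability.h; list index == bit.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Assumption (my own list): capabilities that reach the host kernel or host devices
# directly from inside a container (mount, module load, raw I/O, ptrace, eBPF ...).
HOST_REACH_CAPS = frozenset({
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "sys_boot",
    "net_admin", "dac_read_search", "bpf", "perfmon",
})


def decode_caps(mask: int) -> set[str]:
    """Turn a CapEff/CapBnd bitmask into capability names (cap_N for unknown bits)."""
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def parse_status(status_text: str) -> dict:
    """Pull the fields an isolation check needs out of /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()  # real, effective, saved, filesystem uid
    return {
        "euid": int(uids[1]),
        "cap_eff": int(fields["CapEff"], 16),
        "cap_bnd": int(fields["CapBnd"], 16),
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def docker_flags(needed: frozenset[str]) -> str:
    """Least-privilege flags for docker run: drop everything, re-add only `needed`."""
    flags = ["--cap-drop=ALL"]
    flags += [f"--cap-add={cap.upper()}" for cap in sorted(needed)]
    flags.append("--security-opt=no-new-privileges")
    return " ".join(flags)


def audit(status_text: str, needed: frozenset[str] = frozenset()) -> dict:
    """Report what makes an escape cheap for this process and what to drop.

    `needed` is the set of capabilities the workload genuinely uses; everything
    else in the effective set is surplus.
    """
    info = parse_status(status_text)
    eff = decode_caps(info["cap_eff"])
    findings = []
    if info["euid"] == 0:
        findings.append("effective uid 0: a kernel bug or a host bind mount yields root on the host")
    if eff & HOST_REACH_CAPS:
        findings.append("host-reaching capabilities: " + ", ".join(sorted(eff & HOST_REACH_CAPS)))
    if not info["no_new_privs"]:
        # A setuid-root binary in the image regains every capability still in the bounding set.
        findings.append("no_new_privs unset: SUID binaries can regain the bounding set")
    return {
        "effective": eff,
        "bounding": decode_caps(info["cap_bnd"]),
        "surplus": eff - needed,
        "findings": findings,
        "docker_flags": docker_flags(needed),
    }


# Constructed /proc/<pid>/status excerpts: only the lines the audit reads.
DEFAULT_DOCKER_STATUS = "Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nNoNewPrivs:\t0\n"
PRIVILEGED_STATUS = "Uid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nNoNewPrivs:\t0\n"
HARDENED_STATUS = "Uid:\t101\t101\t101\t101\nCapEff:\t0000000000000400\nCapBnd:\t0000000000000400\nNoNewPrivs:\t1\n"

if __name__ == "__main__":
    web_needs = frozenset({"net_bind_service"})
    for label, text in [("default", DEFAULT_DOCKER_STATUS),
                        ("privileged", PRIVILEGED_STATUS),
                        ("hardened", HARDENED_STATUS)]:
        report = audit(text, web_needs)
        print(f"[{label}] effective={sorted(report['effective'])}")
        print(f"[{label}] surplus={sorted(report['surplus'])}")
        for finding in report["findings"]:
            print(f"[{label}] FINDING: {finding}")
        print(f"[{label}] suggested: docker run {report['docker_flags']} ...")
```

On a live host, feed it `open(f"/proc/{pid}/status").read()` for a process inside the container (find the pid with `docker top` or by walking /proc from the host). The --privileged sample shows why that flag removes nearly all isolation: the effective set equals the full bounding set, sys_admin included.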
Cloud Foundry Engineer
Alexey Zalesov is a Cloud Foundry/DevOps Engineer at Altoros with seven years of experience in system administration. His core specialization is systems for IT monitoring and management. Alexey is particularly fascinated by the possibility of managing the full lifecycle of large distributed systems like Cloud Foundry with a single tool, BOSH. His professional interests also include Linux container tuning techniques for maximum performance.