
Virtualized Containers - How Good is it - Ananth - Siemens - CC18


This presentation was given at Container Conference 2018:

"Typically enterprise applications are deployed as processes on Virtual Machines or as Containers. For example, applications can be deployed on Amazon EC2 instances or as Docker containers in an on-premise Kubernetes cluster. Both strategies have their own pros and cons. While VMs are portable and secure, they are also bulky and time consuming to bring up. Containers on the other hand are lightweight, portable and can be launched very quickly, but their security concerns remain.

Even though traditional containers (such as Docker) isolate the application process namespace from other containers, they share the host OS kernel. Considering the number of untrusted applications that are run as containers, the entire host OS can be compromised. Even though the community has come up with a variety of tools for scanning vulnerabilities (such as Clair) and modules for enhancing security (such as AppArmor and SELinux), the onus is on the administrator to use these tools and make the environment secure. In this presentation we explore Virtualized Containers, an evolving container technology which inherently provides security by design without compromising on speed and flexibility."


  1. VIRTUALIZED CONTAINERS (Ananth, Himanshu, Rajaram, Sandeep, Siva, Sanjay)
  2. AGENDA
     • VMs vs containers
     • Virtualized containers
     • Kata Containers
     • Container security
     • Kata Containers and Docker
     • Kata Containers and K8s
     • Summary
  4. VM VS CONTAINERS
     • VMs are an abstraction of the hardware, allowing multiple servers to run on the same physical machine
     • Containers are an abstraction at the application layer that packages application code and its dependencies together
     • Each VM has its own operating system kernel plus all the binaries and libraries it needs, which makes it heavy
     • Containers share the host OS kernel and carry only the packages needed to run the application, so they are very light
     • VMs take time to boot and their images are large
     • The USP of containers is speed and portability
  5. VIRTUALIZED CONTAINERS
     • Speed of containers
     • Security of VMs
     • Also called hypervisor-based containers
  6. VIRTUALIZED CONTAINERS CONTD…
     (Diagram: traditional containers such as Docker all run on the shared host kernel; virtualized containers each run on a dedicated guest kernel.)
  7. VIRTUALIZED CONTAINERS CONTD…
     • Traditional containers share the underlying host OS kernel.
     • We run many unknown, untrusted applications as containers in our data center.
     • If a malicious workload breaks out of its container into the shared host kernel (for example through a kernel vulnerability), the rest of the containers and the entire host can be compromised.
     • kata-runtime boots each container (each pod, under Kubernetes) as a lightweight VM using hardware virtualization.
     • Provides double isolation, namespaces and cgroups inside the guest plus the hardware-enforced hypervisor boundary, with little impact on performance.
     • Shrinks the attack surface exposed to the workload: it talks to a dedicated guest kernel rather than the host kernel, thereby improving security.
  8. CONTAINER SECURITY
     • Docker itself is built with security and isolation in mind. It provides many inherent features and hooks (namespaces, AppArmor and SELinux profiles) to make your system more secure.
     • However, it does not prevent you from "running random code downloaded from the Internet and running it as root".
     • The risk is manageable, but only if proper security measures are taken and best practices are adhered to.
  9. CONTAINER SECURITY CONTD…
     • Host and kernel security
     • Denial-of-service attacks
     • Container breakout
     • Credentials and secrets
     • Authenticity of images
     • Static image vulnerabilities
     • Runtime security
  10. KATA CONTAINERS
     (Architecture diagram; the reference link did not survive extraction.)
  12. CONFIGURATION STEPS
     • Enable virtualization (Intel VT-x / AMD-V) on the Docker host; this is a BIOS/UEFI setting, and if the host is itself a VM, nested virtualization must be enabled on its hypervisor
     • Create a systemd drop-in file inside docker.service.d
     • Restart Docker
     • Spin up Kata containers with the usual docker run and docker images commands

     [root@tt2aio docker-host]# cd /etc/systemd/system/docker.service.d
     [root@tt2aio docker-host]# cat <<EOF | sudo tee kata-containers.conf
     [Service]
     ExecStart=
     ExecStart=/usr/bin/dockerd -D --add-runtime kata-runtime=/usr/bin/kata-runtime --default-runtime=kata-runtime
     EOF
     [root@tt2aio docker-host]# systemctl daemon-reload
     [root@tt2aio docker-host]# systemctl restart docker

     The empty ExecStart= line clears the unit's original command before the new one is set; systemd does not accept a second ExecStart in a drop-in otherwise. -D only switches on dockerd debug logging and can be dropped. --default-runtime=kata-runtime turns every container on the host into a Kata VM unless docker run --runtime overrides it; omit it to keep runc as the default and opt in per container with --runtime=kata-runtime.
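The drop-in above makes Kata the default runtime for every container on the host and leaves the prerequisites unchecked. The script below, an added example that is not part of the slides, performs the same registration as shell functions so each step can be verified: it tests /proc/cpuinfo for VT-x/AMD-V before touching anything, writes the drop-in without -D and without changing the default runtime, confirms from docker info that dockerd picked the runtime up, and then checks the dedicated-kernel claim by comparing uname -r inside a Kata container with the host's. The paths /usr/bin/dockerd and /usr/bin/kata-runtime, running as root, and the alpine probe image are my assumptions, not something the slides specify.

```shell
#!/bin/sh
# Added example, not from the slides: register kata-runtime with dockerd through
# a systemd drop-in and check that the host can actually run it.
# Assumptions: dockerd is /usr/bin/dockerd, kata-runtime is
# /usr/bin/kata-runtime, the host uses systemd, and the live flow runs as root.
# Directories and input files are parameters so the checks can be exercised
# against constructed samples without touching the real host.

# 0 if the CPU advertises hardware virtualization (vmx = Intel VT-x, svm = AMD-V).
# Reads the given cpuinfo file (default /proc/cpuinfo). Without one of these
# flags kata-runtime cannot start a VM, e.g. on a cloud VM lacking nested virt.
has_hw_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$cpuinfo"
}

# Write the drop-in. Unlike the slide, kata-runtime is registered but NOT made
# the default (pass 1 as the second argument to reproduce the slide), so only
# containers started with --runtime=kata-runtime pay for a VM, and the -D
# debug flag is left out.
write_kata_dropin() {
    dir="${1:-/etc/systemd/system/docker.service.d}"
    make_default="${2:-0}"
    default_flag=""
    if [ "$make_default" = "1" ]; then
        default_flag=" --default-runtime=kata-runtime"
    fi
    mkdir -p "$dir"
    {
        echo "[Service]"
        # An empty ExecStart= clears the unit's original command line; systemd
        # rejects a second ExecStart on a non-oneshot service otherwise.
        echo "ExecStart="
        echo "ExecStart=/usr/bin/dockerd --add-runtime kata-runtime=/usr/bin/kata-runtime${default_flag}"
    } > "$dir/kata-containers.conf"
}

# 0 if the named runtime appears in the "Runtimes:" line of 'docker info',
# which is read from stdin so captured output can be checked offline.
runtime_registered() {
    grep -E '^[[:space:]]*Runtimes:' | tr ' ' '\n' | grep -qx "$1"
}

# Live flow, guarded so that sourcing the file for its functions is harmless.
if [ "${1:-}" = "--apply" ]; then
    has_hw_virt || { echo "no VT-x/AMD-V: enable it in firmware (or nested virt on the hypervisor)" >&2; exit 1; }
    write_kata_dropin
    systemctl daemon-reload
    systemctl restart docker
    docker info | runtime_registered kata-runtime || { echo "dockerd did not register kata-runtime" >&2; exit 1; }
    # A Kata container boots its own guest kernel, so its 'uname -r' differs
    # from the host's; a runc container would report the host kernel.
    host=$(uname -r)
    guest=$(docker run --rm --runtime=kata-runtime alpine uname -r)
    echo "host kernel: $host   kata container kernel: $guest"
    [ "$host" != "$guest" ] || { echo "container is on the host kernel, not in a VM" >&2; exit 1; }
fi
```

Run it as root with --apply; without the flag the file only defines the functions. In Kata 1.x, kata-runtime kata-check performs a more thorough version of the virtualization check (kernel modules as well as CPU flags), so use it where available. Kata is additive: the usual per-container hardening (dropping capabilities, read-only root filesystems, seccomp and MAC profiles) still applies inside the guest.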
  13. K8S – CRI – OCI
     (Diagram, referenced from the Kubernetes documentation.)
  14. KATA CONTAINERS AND KUBERNETES
     (Diagram: the kubelet talks CRI to cri-containerd or cri-o, which invoke the Kata runtime through the OCI runtime interface; the Kata runtime places the pod and its containers inside a VM.)
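The diagram shows the kubelet reaching the Kata runtime through the CRI implementation, but not how an operator chooses that path for one pod and not another. The usual mechanism is a RuntimeClass, shown below as an added example that is not from the slides: a cluster-scoped RuntimeClass maps the name kata to a CRI runtime handler, a pod opts in with runtimeClassName, and a probe pod under each runtime reports its kernel release so the isolation can be confirmed the same way as on a Docker host. The handler name kata (it must match whatever the node's containerd or CRI-O configuration calls its Kata runtime), the alpine:3.9 probe image, a Kubernetes 1.20+ cluster and the single-node assumption are mine.

```shell
#!/bin/sh
# Added example, not from the slides: run one pod on Kata while the rest of the
# cluster keeps runc, using a RuntimeClass. Assumptions: Kubernetes 1.20+ (the
# RuntimeClass API is node.k8s.io/v1; use v1beta1 on 1.14-1.19), kubectl points
# at the cluster, and the node's CRI implementation (containerd or CRI-O) already
# has a runtime handler named "kata" wired to kata-runtime.

# Cluster-scoped object mapping the name "kata" to the CRI runtime handler "kata".
runtimeclass_manifest() {
    cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
EOF
}

# Pod that prints its kernel release and exits. Only a pod that sets
# runtimeClassName gets a VM; with an empty second argument it stays on the
# cluster's default (runc) runtime.
pod_manifest() {
    name="$1"
    runtime_class="$2"
    echo "apiVersion: v1"
    echo "kind: Pod"
    echo "metadata:"
    echo "  name: $name"
    echo "spec:"
    if [ -n "$runtime_class" ]; then
        echo "  runtimeClassName: $runtime_class"
    fi
    echo "  restartPolicy: Never"
    echo "  containers:"
    echo "  - name: probe"
    echo "    image: alpine:3.9"
    echo "    command: [\"uname\", \"-r\"]"
}

# Apply the probe pod, wait for it to finish, print its output, clean up.
kernel_of() {
    pod="$1"
    pod_manifest "$pod" "$2" | kubectl apply -f - >/dev/null
    while :; do
        phase=$(kubectl get pod "$pod" -o jsonpath='{.status.phase}')
        case "$phase" in
            Succeeded) break ;;
            Failed) kubectl logs "$pod" >&2; exit 1 ;;
        esac
        sleep 2
    done
    kubectl logs "$pod"
    kubectl delete pod "$pod" --wait=false >/dev/null
}

# Live flow, guarded so that sourcing the file for its functions is harmless.
# Assumes a single-node (or homogeneous) cluster, so the first node's kernel
# is the one a runc pod shares.
if [ "${1:-}" = "--run" ]; then
    runtimeclass_manifest | kubectl apply -f -
    node_kernel=$(kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.kernelVersion}')
    runc_kernel=$(kernel_of probe-runc "")
    kata_kernel=$(kernel_of probe-kata kata)
    echo "node: $node_kernel   runc pod: $runc_kernel   kata pod: $kata_kernel"
    if [ "$kata_kernel" = "$node_kernel" ]; then
        echo "kata pod reports the node kernel: the handler is not giving it a VM" >&2
        exit 1
    fi
fi
```

Run with --run against a cluster; without the flag the file only defines the manifest functions. If the handler named in the RuntimeClass does not exist on the node, the Kata probe pod never leaves Pending and kubectl describe pod shows the container-creation error, which is the check to do before rolling the RuntimeClass out to real workloads.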
  15. SUMMARY
     • Kata Containers are new, exciting and evolving
     • More secure by design, without much impact on performance
     • Supports only a limited set of hypervisors to begin with
     • Does not replace Docker and Kubernetes; rather, it complements them
  16. WHAT'S IN STORE
     • Support the hypervisor-based Kubernetes runtime frakti
     • frakti can schedule pods and containers directly inside a hypervisor via runV
     • Enable runV to kata-runtime migrations
     • Provide "official" support for Kubernetes
     • Contribute to
  17. REFERENCES
     • Docker runtime execution options
     • Why Kata Containers cannot replace K8s
     • Container security vulnerabilities and threats
     • Securing containers
     • Running Kata with Docker
     • Running Kata with K8s