Hardcore container debugging v3
•Download as PPTX, PDF•
1 like•55 views
Microcontainers and tools for Hardcore Container Debugging Oracle Meetup - Sep 7 Santa Clara
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to Hardcore container debugging v3
Similar to Hardcore container debugging v3 (20)
Recently uploaded
Recently uploaded (20)
Hardcore container debugging v3
- 1. 1 Microcontainers and Tools for Hardcore Container Debugging Vish Ishaya Abrams & TJ Fontaine
- 2. 2 Who Are We? • Former Maintainer of Node.js • Authors of Oracle Open Source Container Utilities • Founder of OpenStack at NASA
- 3. 3 Agenda • What is a Container? • Intro to Microcontainers • Building Microcontainers • Container Debugging • Questions and Answers
- 4. 4 WHAT IS A CONTAINER?
- 5. 5 A container is: 1. An application bundled with its dependencies (also called a container image). 2. A running copy of that application that has been isolated from other system resources via a container runtime.
- 6. 6 Container Workflow Container Image Repository Application Container Image Build Upload Download Container Image Container Run Container Host Build Host Container OrchestratorContinuous Delivery System
- 7. 7 Container Images • Like a VM image • Immutable bundle • Application code plus dependencies • Portable across different hosts
- 8. 8 Running Container • Like a virtual machine • Protected from host and other applications via: • Isolation of Owned Resources – Namespaces • Restriction of Actions – Capabilities • Limits on Shared Resources – Cgroups
- 9. 9 Isolation – Namespaces + Access Control • Linux Namespaces • User • Ipc • Uts • Network • Mount • Process • Access Control: SELinux/AppArmor • Prevents access to other resources in the event of a namespace escape
- 10. 10 Restriction – Capabilities + Setuid + Seccomp • Drop linux capabilities • Setuid Setgid to limited user and group • Restrict access to syscalls via seccomp
- 11. 11 Limits – Cgroups + Resource Limits • Cgroups are primarily used to control • Memory • CPU • Block IO • Other Resource Limits • Prevent filling up disk (quotas) • Prevent overloading host daemons (rate limiting) • Prevent network saturation (qos)
- 12. 12 Container Orchestrator • Primarily designed for stateless microservices • Schedules work across a fleet of machines • Keeps multiple copies of an application running • Allows for dynamic scaling of application • Defines how applications can communicate
- 13. 13 Containerization Operational Changes • Rebuild instead of security patch • Different monitoring tools • Deployment as immutable artifacts • Build tooling vs configuration management
- 14. 14 Worst Practices • Developers without an operations mentality • Multiple applications per container • Lack of CI/CD automation • Container Bloat • Handling of security vulnerabilities
- 15. 15 Oracle – Open Source Contributions railcar Alternative Docker runtime implemented in Rust following the Open Container Initiative OCI-Runtime Spec smith A simple command line utility for building microcontainers from rpm packages or Open Container Initiative images. crashcart A simple command line utility that lets you side load an image with linux binaries into an existing container. Facilitates easier debugging
- 18. 18 What’s wrong with big containers? • Large images • Often > 1GB in size • Bloat • I wanted a banana. I got the banana and a jungle and an 800lb Gorilla • Privilege escalation • whole Linux user space bigger attack surface • Vulnerability management • What files do I really need to patch?
- 19. 19 A Microcontainer • Contains only • Single executable • Dependencies (of the executable) • Runs with a read only root filesystem • Files are all owned and read by a single user
- 20. 20 Result • Small image • Eliminate layers reduce complexity • Fast, easy distribution • Smaller attack surface • Certainty over vulnerabilities
- 22. 22 Links • https://blogs.oracle.com/developers/the- microcontainer-manifesto • https://github.com/oracle/smith • https://hackernoon.com/how-to-build-a-tiny-httpd- container-ae622c37db39
- 24. 24 Links • https://blogs.oracle.com/developers/hardcore- container-debugging • https://github.com/oracle/crashcart • http://man7.org/linux/man-pages/man1/nsenter.1.html
- 25. 25 Safe Harbor Statement The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
- 27. 27 More Information • Contact Us: vish.ishaya@oracle.com tj.fontaine@oracle.com