A container is:
1. An application bundled with its dependencies (also called a container image).
2. A running copy of that application that has been isolated from the host and other processes by a container runtime.
Container Images
• Like a VM image
• Immutable bundle
• Application code plus dependencies
• Portable across different hosts
Running Container
• Like a virtual machine
• Protected from the host and other applications via:
  • Isolation of owned resources – namespaces
  • Restriction of actions – capabilities
  • Limits on shared resources – cgroups
Isolation – Namespaces + Access Control
• Linux namespaces: each gives the container its own view of one kind of resource
  • User (UIDs/GIDs)
  • IPC
  • UTS (hostname)
  • Network
  • Mount
  • PID (process)
• Mandatory access control: SELinux/AppArmor
  • Limits what the container's processes may touch on the host in the event of a namespace escape
Restriction – Capabilities + Setuid + Seccomp
• Drop Linux capabilities the application does not need
• setuid/setgid to an unprivileged user and group before running the application
• Restrict the syscalls the application may invoke via seccomp
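As an added example, not code from the original slides or from Oracle's railcar/smith/crashcart projects: the C program below installs the kind of seccomp-BPF filter a container runtime applies to a container's processes. It first sets PR_SET_NO_NEW_PRIVS (required for an unprivileged process to install a filter, and the reason a setuid binary inside the container cannot regain privilege), then loads a filter that denies one syscall with EPERM and allows everything else. The denied syscall (getppid) and the errno are illustrative choices for this example, not a runtime's default profile; the filter is installed in a forked child so the calling process itself stays unrestricted. Function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern long syscall(long number, ...); /* same prototype as glibc's, in case _GNU_SOURCE was set late */

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* older kernel headers */
#endif

#if defined(__x86_64__)
#define AUDIT_ARCH_CURRENT AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define AUDIT_ARCH_CURRENT AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a filter that returns EPERM for `denied_nr` and allows every other
 * syscall. Returns 0 on success, non-zero if seccomp could not be enabled. */
static int install_deny_filter(int denied_nr)
{
    struct sock_filter prog[] = {
        /* Check the architecture first: without this a compat (32-bit) syscall
         * with the same number could alias a different syscall. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_CURRENT, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number; deny the chosen one, allow the rest. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };

    /* no_new_privs: lets an unprivileged process install the filter and stops
     * setuid/setgid/file-capability binaries from gaining privilege on execve(). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Invoke syscall `probe_nr` in a child running under a filter that denies
 * `denied_nr`. Returns the errno the child observed (0 if the syscall
 * succeeded), or -1 if the filter could not be installed. */
int syscall_errno_under_filter(int denied_nr, int probe_nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_deny_filter(denied_nr) != 0)
            _exit(255);
        long r = syscall(probe_nr);
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    int denied = syscall_errno_under_filter(SYS_getppid, SYS_getppid);
    int allowed = syscall_errno_under_filter(SYS_getppid, SYS_getpid);
    if (denied < 0 || allowed < 0) {
        fprintf(stderr, "seccomp filter could not be installed\n");
        return 1;
    }
    printf("getppid() under filter: errno=%d (%s)\n", denied, denied == EPERM ? "EPERM" : "?");
    printf("getpid()  under filter: errno=%d (allowed)\n", allowed);
    return 0;
}
```

A real runtime profile is the same construct with a long allow-list instead of a single deny; the arch check and SECCOMP_RET_ERRNO (rather than killing) are what let a denied call surface as an ordinary EPERM the application can log.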
Limits – Cgroups + Resource Limits
• Cgroups are primarily used to control:
  • Memory
  • CPU
  • Block IO
• Other resource limits:
  • Prevent filling up disk (quotas)
  • Prevent overloading host daemons (rate limiting)
  • Prevent network saturation (QoS)
Container Orchestrator
• Primarily designed for stateless microservices
• Schedules work across a fleet of machines
• Keeps multiple copies of an application running
• Allows for dynamic scaling of application
• Defines how applications can communicate
Containerization Operational Changes
• Rebuild instead of security patch
• Different monitoring tools
• Deployment as immutable artifacts
• Build tooling vs configuration management
Worst Practices
• Developers without an operations mentality
• Multiple applications per container
• Lack of CI/CD automation
• Container Bloat
• Handling of security vulnerabilities
Oracle – Open Source Contributions
• railcar: an alternative Docker runtime implemented in Rust following the Open Container Initiative (OCI) runtime spec.
• smith: a simple command line utility for building microcontainers from rpm packages or Open Container Initiative images.
• crashcart: a simple command line utility that lets you side-load an image with Linux binaries into an existing container; facilitates easier debugging.
What’s wrong with big containers?
• Large images
  • Often > 1GB in size
• Bloat
  • I wanted a banana. I got the banana and a jungle and an 800lb gorilla.
• Privilege escalation
  • A whole Linux user space inside the container is a bigger attack surface
• Vulnerability management
  • Which of these files do I really need to patch?
A Microcontainer
• Contains only:
  • A single executable
  • The dependencies of that executable
• Runs with a read-only root filesystem
• All files are owned and read by a single user
Result
• Small image
• Eliminating layers reduces complexity
• Fast, easy distribution
• Smaller attack surface
• Certainty about which vulnerabilities actually apply to the image
Safe Harbor Statement
The preceding is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.