LC
Uploaded byLinuxCon ContainerCon CloudOpen China
298 views

Container Security

该文档介绍了华为在容器安全方面的技术与解决方案,涵盖了主机及容器运行环境的安全机制,包括可信启动和运行时保护等。文中提到的工具如镜像扫描和签名机制旨在确保容器的安全性与完整性。作者张永长期从事Linux系统开发,为华为EulerOS部门负责相关项目。

Embed presentation

Downloaded 25 times
www.huawei.com Security Level: HUAWEI TECHNOLOGIES CO., LTD. 容器安全 Author:张永 Email: zhangyong23@huawei.com Date: 2017-06-14
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 2 背景介绍 主机安全 容器安全 Q&A 目录
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 3 背景介绍  2008 ~ 2015年:WindRiver Linux 部门  2015.5 ~ Now:华为EulerOS系 统部  长期从事linux系统开发,活跃 于linux社区  在华为EulerOS部门主要负责容 器项目的开发设计 张永 Email:yong.zhang0@gmail.com; zhangyong23@huawei.com --我是谁??
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 4 多租 EulerOS iSula 容器存储 docker-engine 容器网络 (iCan) k8s 容器 日志 (flu entd) 容器 监控 (Pr ome theu s) 容器 开发 toolkit容器运行环境 vm OCI runtimerunv runtime interface 编排调度 interface mesos swarm 标准用户接口(standard user interface) WEB UI CLI用户接口 TPM EPT/ TLS/ 安全 审查 多租/ 安全 隔离 docker 容器 调用 链 (op en traci ng) 容器 安全 EulerOS iSula负责的范围 容器仓库 背景介绍 --EulerOS iSula
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 5 • 主机安全问题 -- -- -- • 容器安全问题 -- -- -- 系统 路径 安全 配置 网络 接口 访问 权限 运行 权限 系统 资源 内核 功能 docker 逃逸 检测 背景介绍 --安全?安全!
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 6 通过在启动过程中识别基础系统信任问题,确保 主机安全 主机安全 --安全启动
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 7 OS 应用 OSLoader BIOS CRTM TBB 7 5 3 8 6 4 2 1 执 行 流 程 TPM PCR 扩展 度量 硬件(Intel) HOST OS Containr 1 Containr nContainr 2 TPM docker daemon TPM vTPMGUEST OS 主机安全 --可信启动
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 8 主机安全 --其他…  Kernel  ACL  Capabilities  namespace  seccomp  iptables  audit  selinux  IMA  Address Space Layout Randomization (ASLR)  OS  不可变基础设施  容器OS(Container OS)
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 9 容器安全 --运行环境  Kernel  ACL  Capabilities  namespace  seccomp  iptables  audit  selinux  IMA(TPM)  Address Space Layout Randomization (ASLR)  cgroups  OS  不可变基础设施  容器OS(Container OS)
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 10 容器安全 --镜像扫描 针对Docker容器的漏洞扫描工具,解决容器镜像携带漏洞的问题, 更进一步,发现带有恶意程序的镜像。 EulerOS & Nessus CVE DB user repo scan DB push 镜像安全扫描 notify scan Partner 3Rd
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 11 容器安全 --镜像签名  DOCKER_CONTENT_TRUST  Norary open source project PIC from notary
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 12 容器安全 --运行时  docker run --readonly  No privilege  no root in docker  镜像完整性检查
HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential 13 Join us at github.com/isula Q&A

More Related Content

PDF
Docker初识
byhubugui
 
PPTX
Docker Compose
byMiles Chou
 
PDF
基于Fuel的超融合一体机
byEdwardBadBoy
 
PDF
Docker Build
byMiles Chou
 
PPTX
Docker一期培训
by青帅 常
 
PDF
Docker home ted
byLayne Peng
 
PDF
Wot2013云计算架构师峰会 -陈轶飞2
bydotCloud
 
PPT
Software Engineer Talk
byLarry Cai
 
Docker初识
byhubugui
 
Docker Compose
byMiles Chou
 
基于Fuel的超融合一体机
byEdwardBadBoy
 
Docker Build
byMiles Chou
 
Docker一期培训
by青帅 常
 
Docker home ted
byLayne Peng
 
Wot2013云计算架构师峰会 -陈轶飞2
bydotCloud
 
Software Engineer Talk
byLarry Cai
 

What's hot

PPTX
開發人員必須知道的 Kubernetes 核心技術 - Kubernetes Summit 2018
byWill Huang
 
PPTX
Rancher: 建立你的牧場艦隊
byMiles Chou
 
PDF
docker intro
bykoji lin
 
PDF
微服務自己動手做
byYenChen Liu 劉晏辰
 
PDF
Docker應用
byJui An Huang (黃瑞安)
 
PPTX
Docker 淺入淺出
byMiles Chou
 
PDF
容器式基礎架構介紹
byPhilip Zheng
 
PDF
20220224台中演講k8s
bychabateryuhlin
 
PDF
Docker容器微服務 x WorkShop
byPhilip Zheng
 
PPTX
Mininet Learning Guide(Mininet 学习指南)
by呈 李
 
PPTX
快速上手 Windows Containers 容器技術 (Docker Taipei)
byWill Huang
 
PPT
OpenWRT, A value-add base solution for your product. (2nd, Macpual)
byMacpaul Lin
 
PPTX
微软Bot framework简介
byZhichao Liang
 
PDF
Proxmox: 建立自己的虛擬主機
by維泰 蔡
 
PPTX
Docker tutorial
byazole Lai
 
PDF
容器式軟體開發介紹
byPhilip Zheng
 
PDF
企業導入容器經驗分享與開源技能培養
byPhilip Zheng
 
PPTX
Docker open stack
byGuangya Liu
 
PDF
Kubernetes project update and how to contribute
byinwin stack
 
PDF
OpenWRT, A value-add base solution for your product. (1st part, chihchun)
byRex Tsai
 
開發人員必須知道的 Kubernetes 核心技術 - Kubernetes Summit 2018
byWill Huang
 
Rancher: 建立你的牧場艦隊
byMiles Chou
 
docker intro
bykoji lin
 
微服務自己動手做
byYenChen Liu 劉晏辰
 
Docker應用
byJui An Huang (黃瑞安)
 
Docker 淺入淺出
byMiles Chou
 
容器式基礎架構介紹
byPhilip Zheng
 
20220224台中演講k8s
bychabateryuhlin
 
Docker容器微服務 x WorkShop
byPhilip Zheng
 
Mininet Learning Guide(Mininet 学习指南)
by呈 李
 
快速上手 Windows Containers 容器技術 (Docker Taipei)
byWill Huang
 
OpenWRT, A value-add base solution for your product. (2nd, Macpual)
byMacpaul Lin
 
微软Bot framework简介
byZhichao Liang
 
Proxmox: 建立自己的虛擬主機
by維泰 蔡
 
Docker tutorial
byazole Lai
 
容器式軟體開發介紹
byPhilip Zheng
 
企業導入容器經驗分享與開源技能培養
byPhilip Zheng
 
Docker open stack
byGuangya Liu
 
Kubernetes project update and how to contribute
byinwin stack
 
OpenWRT, A value-add base solution for your product. (1st part, chihchun)
byRex Tsai
 

Viewers also liked

PDF
OCI Support in Mesos
byLinuxCon ContainerCon CloudOpen China
 
PDF
Make Accelerator Pluggable for Container Engine
byLinuxCon ContainerCon CloudOpen China
 
PDF
Introduction to OCI Image Technologies Serving Container
byLinuxCon ContainerCon CloudOpen China
 
PDF
From Resilient to Antifragile Chaos Engineering Primer
byLinuxCon ContainerCon CloudOpen China
 
PDF
UEFI HTTP/HTTPS Boot
byLinuxCon ContainerCon CloudOpen China
 
PDF
Scale Kubernetes to support 50000 services
byLinuxCon ContainerCon CloudOpen China
 
PDF
GPU Acceleration for Containers on Intel Processor Graphics
byLinuxCon ContainerCon CloudOpen China
 
PDF
Status of Embedded Linux
byLinuxCon ContainerCon CloudOpen China
 
PDF
Libvirt API Certification
byLinuxCon ContainerCon CloudOpen China
 
PDF
LiteOS
byLinuxCon ContainerCon CloudOpen China
 
PDF
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
byLinuxCon ContainerCon CloudOpen China
 
PDF
Releasing a Distribution in the Age of DevOps.
byLinuxCon ContainerCon CloudOpen China
 
PDF
Practical CNI
byLinuxCon ContainerCon CloudOpen China
 
PDF
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
byLinuxCon ContainerCon CloudOpen China
 
PDF
kdump: usage and_internals
byLinuxCon ContainerCon CloudOpen China
 
PDF
Linuxcon secureefficientcontainerimagemanagementharbor
byLinuxCon ContainerCon CloudOpen China
 
PDF
Hyperledger Technical Community in China.
byLinuxCon ContainerCon CloudOpen China
 
PDF
Simplify Networking for Containers
byLinuxCon ContainerCon CloudOpen China
 
PDF
Linux Kernel Development
byLinuxCon ContainerCon CloudOpen China
 
PDF
OpenDaylight OpenStack Integration
byLinuxCon ContainerCon CloudOpen China
 
OCI Support in Mesos
byLinuxCon ContainerCon CloudOpen China
 
Make Accelerator Pluggable for Container Engine
byLinuxCon ContainerCon CloudOpen China
 
Introduction to OCI Image Technologies Serving Container
byLinuxCon ContainerCon CloudOpen China
 
From Resilient to Antifragile Chaos Engineering Primer
byLinuxCon ContainerCon CloudOpen China
 
UEFI HTTP/HTTPS Boot
byLinuxCon ContainerCon CloudOpen China
 
Scale Kubernetes to support 50000 services
byLinuxCon ContainerCon CloudOpen China
 
GPU Acceleration for Containers on Intel Processor Graphics
byLinuxCon ContainerCon CloudOpen China
 
Status of Embedded Linux
byLinuxCon ContainerCon CloudOpen China
 
Libvirt API Certification
byLinuxCon ContainerCon CloudOpen China
 
LiteOS
byLinuxCon ContainerCon CloudOpen China
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
byLinuxCon ContainerCon CloudOpen China
 
Releasing a Distribution in the Age of DevOps.
byLinuxCon ContainerCon CloudOpen China
 
Practical CNI
byLinuxCon ContainerCon CloudOpen China
 
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
byLinuxCon ContainerCon CloudOpen China
 
kdump: usage and_internals
byLinuxCon ContainerCon CloudOpen China
 
Linuxcon secureefficientcontainerimagemanagementharbor
byLinuxCon ContainerCon CloudOpen China
 
Hyperledger Technical Community in China.
byLinuxCon ContainerCon CloudOpen China
 
Simplify Networking for Containers
byLinuxCon ContainerCon CloudOpen China
 
Linux Kernel Development
byLinuxCon ContainerCon CloudOpen China
 
OpenDaylight OpenStack Integration
byLinuxCon ContainerCon CloudOpen China
 

More from LinuxCon ContainerCon CloudOpen China

PDF
SecurityPI - Hardening your IoT endpoints in Home.
byLinuxCon ContainerCon CloudOpen China
 
PDF
Building a Better Thermostat
byLinuxCon ContainerCon CloudOpen China
 
PDF
Flowchain: A case study on building a Blockchain for the IoT
byLinuxCon ContainerCon CloudOpen China
 
PDF
Secure Containers with EPT Isolation
byLinuxCon ContainerCon CloudOpen China
 
PDF
Open Source Software Business Models Redux
byLinuxCon ContainerCon CloudOpen China
 
PDF
OpenStack on AArch64
byLinuxCon ContainerCon CloudOpen China
 
PDF
Running Legacy Applications with Containers
byLinuxCon ContainerCon CloudOpen China
 
PDF
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
byLinuxCon ContainerCon CloudOpen China
 
PDF
Policy-based Resource Placement
byLinuxCon ContainerCon CloudOpen China
 
PDF
See what happened with real time kvm when building real time cloud pezhang@re...
byLinuxCon ContainerCon CloudOpen China
 
PDF
How Open Source Communities do Standardization
byLinuxCon ContainerCon CloudOpen China
 
PDF
Fully automated kubernetes deployment and management
byLinuxCon ContainerCon CloudOpen China
 
PDF
Is there still room for innovation in container orchestration and scheduling
byLinuxCon ContainerCon CloudOpen China
 
PDF
Quickly Debug VM Failures in OpenStack
byLinuxCon ContainerCon CloudOpen China
 
PDF
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
byLinuxCon ContainerCon CloudOpen China
 
PDF
Rethinking the OS
byLinuxCon ContainerCon CloudOpen China
 
PDF
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
byLinuxCon ContainerCon CloudOpen China
 
SecurityPI - Hardening your IoT endpoints in Home.
byLinuxCon ContainerCon CloudOpen China
 
Building a Better Thermostat
byLinuxCon ContainerCon CloudOpen China
 
Flowchain: A case study on building a Blockchain for the IoT
byLinuxCon ContainerCon CloudOpen China
 
Secure Containers with EPT Isolation
byLinuxCon ContainerCon CloudOpen China
 
Open Source Software Business Models Redux
byLinuxCon ContainerCon CloudOpen China
 
OpenStack on AArch64
byLinuxCon ContainerCon CloudOpen China
 
Running Legacy Applications with Containers
byLinuxCon ContainerCon CloudOpen China
 
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
byLinuxCon ContainerCon CloudOpen China
 
Policy-based Resource Placement
byLinuxCon ContainerCon CloudOpen China
 
See what happened with real time kvm when building real time cloud pezhang@re...
byLinuxCon ContainerCon CloudOpen China
 
How Open Source Communities do Standardization
byLinuxCon ContainerCon CloudOpen China
 
Fully automated kubernetes deployment and management
byLinuxCon ContainerCon CloudOpen China
 
Is there still room for innovation in container orchestration and scheduling
byLinuxCon ContainerCon CloudOpen China
 
Quickly Debug VM Failures in OpenStack
byLinuxCon ContainerCon CloudOpen China
 
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
byLinuxCon ContainerCon CloudOpen China
 
Rethinking the OS
byLinuxCon ContainerCon CloudOpen China
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
byLinuxCon ContainerCon CloudOpen China
 

Container Security

  • 1.
    www.huawei.com Security Level: HUAWEI TECHNOLOGIESCO., LTD. 容器安全 Author:张永 Email: zhangyong23@huawei.com Date: 2017-06-14
  • 2.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 2 背景介绍 主机安全 容器安全 Q&A 目录
  • 3.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 3 背景介绍  2008 ~ 2015年:WindRiver Linux 部门  2015.5 ~ Now:华为EulerOS系 统部  长期从事linux系统开发,活跃 于linux社区  在华为EulerOS部门主要负责容 器项目的开发设计 张永 Email:yong.zhang0@gmail.com; zhangyong23@huawei.com --我是谁??
  • 4.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 4 多租 EulerOS iSula 容器存储 docker-engine 容器网络 (iCan) k8s 容器 日志 (flu entd) 容器 监控 (Pr ome theu s) 容器 开发 toolkit容器运行环境 vm OCI runtimerunv runtime interface 编排调度 interface mesos swarm 标准用户接口(standard user interface) WEB UI CLI用户接口 TPM EPT/ TLS/ 安全 审查 多租/ 安全 隔离 docker 容器 调用 链 (op en traci ng) 容器 安全 EulerOS iSula负责的范围 容器仓库 背景介绍 --EulerOS iSula
  • 5.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 5 • 主机安全问题 -- -- -- • 容器安全问题 -- -- -- 系统 路径 安全 配置 网络 接口 访问 权限 运行 权限 系统 资源 内核 功能 docker 逃逸 检测 背景介绍 --安全?安全!
  • 6.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 6 通过在启动过程中识别基础系统信任问题,确保 主机安全 主机安全 --安全启动
  • 7.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 7 OS 应用 OSLoader BIOS CRTM TBB 7 5 3 8 6 4 2 1 执 行 流 程 TPM PCR 扩展 度量 硬件(Intel) HOST OS Containr 1 Containr nContainr 2 TPM docker daemon TPM vTPMGUEST OS 主机安全 --可信启动
  • 8.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 8 主机安全 --其他…  Kernel  ACL  Capabilities  namespace  seccomp  iptables  audit  selinux  IMA  Address Space Layout Randomization (ASLR)  OS  不可变基础设施  容器OS(Container OS)
  • 9.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 9 容器安全 --运行环境  Kernel  ACL  Capabilities  namespace  seccomp  iptables  audit  selinux  IMA(TPM)  Address Space Layout Randomization (ASLR)  cgroups  OS  不可变基础设施  容器OS(Container OS)
  • 10.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 10 容器安全 --镜像扫描 针对Docker容器的漏洞扫描工具,解决容器镜像携带漏洞的问题, 更进一步,发现带有恶意程序的镜像。 EulerOS & Nessus CVE DB user repo scan DB push 镜像安全扫描 notify scan Partner 3Rd
  • 11.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 11 容器安全 --镜像签名  DOCKER_CONTENT_TRUST  Norary open source project PIC from notary
  • 12.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 12 容器安全 --运行时  docker run --readonly  No privilege  no root in docker  镜像完整性检查
  • 13.
    HUAWEI TECHNOLOGIES CO.,LTD. Huawei Confidential 13 Join us at github.com/isula Q&A