“Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker.” – Dan Walsh, SELinux architect (?)
“There’s contentions all over the place that containers are not as secure as hypervisors. This is not actually true. Parallels and Virtuozzo, we’ve been running secure containers for at least 10 years.” – James Bottomley, Linux Maintainer and Parallels CTO
“Virtual Machines might be more secure today, but containers are definitely catching up.” – Jerome Petazzoni, Senior Software Engineer at Docker
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can’t write an operating system or application without security holes, can then turn around and suddenly write virtualization layers without security holes.” – Theo de Raadt, OpenBSD project lead https://fosdem.org/2015/schedule/event/zombieapocalypse/
“For Google I would say that security is probably the number one priority; for KVM it is the killer feature, otherwise we could just sell people Docker containers or just let them run on Linux processes. So the main thing that VMs actually provide is that isolation, and all our VMs are on KVM.” – Andrew Honig, tech lead on the Cloud Security Team at Google https://youtu.be/L7ScFlkJEO8?t=33
“The inter-process isolation provided by a monolithic kernel such as Windows or Linux could never be compared to the inter-VM isolation offered even by the most lousy hypervisors. This is simply because the sizes of the interfaces exposed to untrusted entities (processes in case of a monolithic kernel; VMs in case of a hypervisor) are just incomparable.” “Sadly … we have finally come to the conclusion that consumer Windows OS, with all those one-would-think sophisticated security mechanisms, is just not usable for any real-world domain isolation.” – Joanna Rutkowska – Security researcher & architect of Qubes OS http://blog.invisiblethings.org/2014/01/15/shattering-myths-of-windows-security.html
Containers security
Kernel internals
Agenda
• Not about Docker security (talk Adrian, 4/6)
• Entropy
• History of Kernel Security
• Conclusion
https://youtu.be/04LOuMgNj9U
Bart Smith
• Windows NT 3.1
• Design & security
• Migrating to web-scale
Fortress
• Few doors and windows
• Easy blocking
• Defense in Depth, multilayer
Entropy
Peter Sewell, Cambridge, @31C3
http://media.ccc.de/browse/congress/2014/31c3_-_6574_-_en_-_saal_1_-_201412301245_-_why_are_computers_so_and_what_can_we_do_about_it_-_peter_sewell.html
SPI - stack
• SAAS
• PAAS
• IAAS
[Figure: two copies of the hardware-virtualization stack: HW / VIRT / Virt HW per VM / OS per VM / Apps on each OS]
IAAS with HW virt
• AWS
• Azure Infra
• Google Compute Engine
• Joyent
[Figure: HW / VIRT / Virt HW per VM / OS per VM, with App boxes on top]
http://bit.ly/2014-cloud-mq
PAAS
• EC3
• Azure App Service
• Google App Engine
[Figure: each of App1, App2, App3 decomposed into db, web, file, middleware, etc. components supplied by the platform]
Jérôme Petazzoni explaining:
• The only difference between a-process-in-a-container and a-process-not-in-a-container is a few labels on top of a process that say this is in container X
• A context-switch between two containers is exactly the same as a context-switch between two processes
https://youtu.be/pUQ5ukrVaH4?t=600
https://youtu.be/pUQ5ukrVaH4?t=667
IAAS with OSvirt/Zones/Containers
[Figure: HW / one shared OS kernel / several Containers, each presenting a Virt OS to its App and Libs; a second host drawn the same way, with “? ?” marking the open question of how strong the boundary between containers on one kernel is]
MAAS
• Ubuntu
• Softlayer/IBM
• Leaseweb
[Figure: bare metal: HW only, no virtualization layer]
[Table: DEV, Performance and Security ratings for PAAS, Containers and IAAS; the rating symbols were lost in extraction]
[Figure: Hypervisor stack (HW / VirtHW / OS / App, repeated per VM) beside Container stack (HW / Kernel / Container / App); below it an app split into db, web and Code1/2 pieces with an open question mark]
https://en.wikipedia.org/wiki/Operating-system-level_virtualization#Implementations
Docker < v0.9
[Figure: HW / Kernel / LXC / Docker / App with Libs]
Docker v0.9 and up
DOCKER_OPTS="-e lxc"
During install, libcontainer:
Setting up lxc-docker-1.x.0
https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/
http://blog.docker.com/2015/06/runc/
[Figure: three execution drivers side by side, each drawn as HW / Kernel / driver / Docker / App with Libs: libcontainer, LXC, runC]
Announced June 2015: runC replaces libcontainer
[Figure: conventional stack: App and Libs call libc, libc issues System Calls into the Kernel, Kernel drives HW]
GO: nolibc
“Go does system calls manually, without relying on libc or anything else” – Aram Hăvărneanu
https://archive.fosdem.org/2014/schedule/event/porting_go_to_new_platforms/
https://youtu.be/tnXOeHRuyyA?t=1322
[Figure: Go app in User space (ring 3) issuing System Calls directly into the Kernel (ring 0), with no libc in between]
Building Docker Images for Static Go Binaries
Statically Linked, with syscall 'package'
https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07
FROM scratch
MAINTAINER Kelsey Hightower <kelsey.hightower@gmail.com>
ADD contributors contributors
ENV PORT 80
EXPOSE 80
ENTRYPOINT ["/contributors"]
Total size of image: 6MB
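The two slides above fit together: because Go enters the kernel through its own syscall stubs, a program that uses nothing from cgo has no dependency on libc at all, and that is what makes the FROM scratch image above work. The following is an added example, not code from the slides or from Kelsey Hightower’s post; it assumes Linux (the syscall numbers and the ELF check are Linux-specific) and a build with CGO_ENABLED=0. It issues getpid(2) and write(2) through the raw trap, then checks a binary the way you would before copying it into an empty image: no dynamic loader (PT_INTERP) and no DT_NEEDED libraries.

```go
// Added example (not from the slides or Kelsey Hightower's post): a Go program
// that talks to the Linux kernel without libc, plus an ELF check for "is this
// binary really static" before it goes into a FROM scratch image.
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"syscall"
	"unsafe"
)

// RawGetpid gets our PID through the raw syscall trap; no libc getpid wrapper.
func RawGetpid() int {
	pid, _, _ := syscall.RawSyscall(syscall.SYS_GETPID, 0, 0, 0)
	return int(pid)
}

// RawWrite is write(2) issued directly; the kernel sees exactly fd, pointer, length.
func RawWrite(fd int, buf []byte) (int, error) {
	if len(buf) == 0 {
		return 0, nil
	}
	n, _, errno := syscall.Syscall(syscall.SYS_WRITE, uintptr(fd),
		uintptr(unsafe.Pointer(&buf[0])), uintptr(len(buf)))
	if errno != 0 {
		return int(n), errno
	}
	return int(n), nil
}

// IsStaticELF reports whether the ELF binary at path needs no dynamic loader
// (no PT_INTERP segment) and no shared libraries (no DT_NEEDED entries). Both
// must hold for FROM scratch: the image has no /lib to load anything from.
func IsStaticELF(path string) (bool, error) {
	f, err := elf.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			return false, nil
		}
	}
	libs, err := f.ImportedLibraries()
	if err != nil {
		return false, err
	}
	return len(libs) == 0, nil
}

func main() {
	// Build and self-check:
	//   CGO_ENABLED=0 go build -o contributors . && ./contributors ./contributors
	if RawGetpid() != os.Getpid() {
		fmt.Fprintln(os.Stderr, "raw getpid disagrees with the runtime")
		os.Exit(1)
	}
	RawWrite(1, []byte("hello from write(2), no libc involved\n"))
	for _, path := range os.Args[1:] {
		static, err := IsStaticELF(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: safe for FROM scratch: %v\n", path, static)
	}
}
```

If the check reports false, the usual cause is a package that pulls in cgo (net or os/user with CGO_ENABLED=1); rebuild with CGO_ENABLED=0 or use the pure-Go resolver before shipping.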
Triton
• LX: run Linux on Solaris
• Docker on Illumos
• Joyent
[Figure: Solaris Kernel / Container / App with Libs and libc: the app issues Linux Syscalls, the container translates them into Solaris Syscalls]
https://www.joyent.com/blog/triton-docker-and-the-best-of-all-worlds
Mirage OS - Cambridge
• unikernel
• Statically linked kernel
• No firewall needed
• defense: limit interfaces (including Xen)
• 20ms startup
http://media.ccc.de/browse/congress/2014/31c3_-_6443_-_en_-_saal_2_-_201412271245_-_trustworthy_secure_modular_operating_system_engineering_-_hannes_-_david_kaloper.html
[Figure: OCaml app and Libs linked into a single kernel image running as a Xen guest next to Dom0 on the Xen Hypervisor, on HW]
Qubes - Joanna Rutkowska
• with a GUI
• multilayer defense
https://www.qubes-os.org/
Microsoft
• OneCore
– 64bit only
– refactoring
– base for Win10, Server, Phone & Nano server
• Containers
Docker support
https://channel9.msdn.com/Events/Build/2015/2-704
https://channel9.msdn.com/Events/Build/2015/2-683
Microsoft Containers
• Server Core: traditional applications, highly compatible
• Nano Server: born-in-the-cloud applications, highly optimized
Microsoft’s Container Runtimes
• Windows Server Container: highly automated, efficient, scalable and elastic; trusted multi-tenancy
• Hyper-V Container: highly automated, efficient, scalable and elastic; public multi-tenancy, shared hosting, secure hosting, regulated workloads
Nano Server: reverse forwarders
• Additional packages
– WoW64 for backward compatibility
– Hyper-V host
– Replicated File services
https://channel9.msdn.com/Events/Ignite/2015/BRK2461
What runs today with the Reverse Forwarders?
• Chef
• PHP
• Nginx
• Python 3.5
• Node.js
• GO
• Redis
• MySQL
• OpenSSL
• Java (OpenJDK)
• Ruby (2.1.5)
• SQLite
Intel: Clear Linux
• 1000 VM/host
• 200ms startup
http://www.theregister.co.uk/2015/05/21/intel_wants_containers_to_be_alone_together_naturally/
http://www.infoworld.com/article/2925038/linux/intel-takes-on-coreos-with-its-own-container-based-linux.html
http://lwn.net/Articles/644675/
Gartner IAAS MQ 2015
Gartner also recommends cloud buyers adopt a bimodal strategy that allows them to maintain critical IT operations while innovating on agile development platforms.
http://www.crn.com/slide-shows/cloud/300076877/heres-who-made-gartners-2015-cloud-iaas-magic-quadrant.htm
Conclusion
• ARM simpler Virtualization
• Converge Containers & VM
Questions?

Docker and kernel security
