Containers provide isolation at the operating system level through mechanisms like namespaces and cgroups. While containers isolate applications from each other better than traditional virtualization, some experts argue that full virtualization using hypervisors provides stronger security due to stronger isolation between virtual machines. However, container security has improved significantly over time and many argue containers can provide adequate security for many use cases. There is an ongoing debate in the industry around the relative security of containers versus virtual machines.
2. “There may be ways ... for an application to escape out of its container or deny service to the
host or other containers.” – Mark Russinovich, CTO Microsoft Azure
https://azure.microsoft.com/en-us/blog/containers-docker-windows-and-trends/
“For Google I would say that security is probably the number one priority, for KVM it is the killer feature, otherwise we could just sell people Docker containers or just let them run on Linux processes. So the main thing that VMs actually provide is that isolation, and all our VMs are on KVM.” - Andrew Honig, tech lead on the Cloud Security Team at Google
https://youtu.be/L7ScFlkJEO8?t=33
“The inter-process isolation provided by a monolithic kernel such as Windows or Linux could
never be compared to the inter-VM isolation offered even by the most lousy hypervisors. This is
simply because the sizes of the interfaces exposed to untrusted entities (processes in case of a
monolithic kernel; VMs in case of a hypervisor) are just incomparable.”
“Sadly … we have finally come to the conclusion that consumer Windows OS, with all those one-would-think sophisticated security mechanisms, is just not usable for any real-world domain isolation.” - Joanna Rutkowska – Security researcher & architect of Qubes OS
http://blog.invisiblethings.org/2014/01/15/shattering-myths-of-windows-security.html
3. “Some people make the mistake of thinking of containers as a better and faster way of
running virtual machines. From a security point of view, containers are much weaker.” – Dan
Walsh, SELinux architect (?)
“There’s contentions all over the place that containers are not as secure as hypervisors. This is
not actually true. Parallels and Virtuozo, we’ve been running secure containers for at least 10
years.” – James Bottomley, Linux Maintainer and Parallels CTO
“Virtual Machines might be more secure today, but containers are definitely catching up.” – Jerome Petazzoni, Senior Software Engineer at Docker
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can’t write an operating system or application without security holes, can then turn around and suddenly write virtualization layers without security holes.” – Theo de Raadt, OpenBSD project lead
https://fosdem.org/2015/schedule/event/zombieapocalypse/
4. Agenda
• Not about Docker security
• Entropy
• History of Kernel Security
• Conclusion
10. [Diagram: layered stacks. Without virtualization: HW > OS > App. With hardware virtualization: HW > VIRT > (Virt HW > OS > App) repeated per VM, several VMs sharing one host.]
IAAS with HW virt
• AWS
• Azure Infra
• Google Compute Engine
• Joyent
http://bit.ly/2015-cloud-mq
(try update year in link when expired)
11. [Diagram: PaaS stack. Each application (App1, App2, App3) runs on platform-provided services: db, web, file, middleware, etc.]
PAAS
• EC3
• Azure App Service
• Google App Engine
12. Jérôme Petazzoni explaining:
• The only difference between a-process-in-a-container and a-process-not-in-a-container is a few labels on top of a process that say this is in container X
• A context-switch between two containers is exactly the same as a context-switch between two processes
https://youtu.be/pUQ5ukrVaH4?t=600
https://youtu.be/pUQ5ukrVaH4?t=667
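As an added illustration of Petazzoni's point (this is not code from the talk or from Docker), the Go program below treats a container as nothing more than the set of namespace "labels" the kernel attaches to a process. It parses the /proc/<pid>/ns/* symlinks (a Linux-only layout, assumed here) into kind/inode pairs and reports which namespaces two processes share. The host and container inode values are constructed sample data modelling the common default where a container gets its own mnt, pid, net, uts and ipc namespaces but keeps the host's user and cgroup namespaces; a practitioner can run it as root against a live container PID to see the same picture.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// nsKinds are the namespace links exposed under /proc/<pid>/ns on Linux.
var nsKinds = []string{"cgroup", "ipc", "mnt", "net", "pid", "user", "uts"}

// Constructed sample data (not taken from a real host): a process on the host
// versus a process in a container whose user and cgroup namespaces are shared.
var hostNS = map[string]string{
	"cgroup": "4026531835", "ipc": "4026531839", "mnt": "4026531840",
	"net": "4026531992", "pid": "4026531836", "user": "4026531837", "uts": "4026531838",
}
var containerNS = map[string]string{
	"cgroup": "4026531835", "ipc": "4026532201", "mnt": "4026532199",
	"net": "4026532204", "pid": "4026532202", "user": "4026531837", "uts": "4026532200",
}

// parseNsLink turns a readlink() result such as "pid:[4026531836]" into its
// namespace kind and inode number; the inode is the only "label" that matters.
func parseNsLink(link string) (kind, inode string, ok bool) {
	i := strings.Index(link, ":[")
	if i < 0 || !strings.HasSuffix(link, "]") {
		return "", "", false
	}
	return link[:i], link[i+2 : len(link)-1], true
}

// sharedNamespaces compares two kind->inode maps and lists, in nsKinds order,
// which namespaces the two processes share and which separate them.
func sharedNamespaces(a, b map[string]string) (shared, differing []string) {
	for _, k := range nsKinds {
		if a[k] == b[k] {
			shared = append(shared, k)
		} else {
			differing = append(differing, k)
		}
	}
	return shared, differing
}

// readNamespaces collects the namespace inodes of a live process. Reading
// another user's process requires root (or CAP_SYS_PTRACE); Linux only.
func readNamespaces(pid string) (map[string]string, error) {
	out := map[string]string{}
	for _, k := range nsKinds {
		link, err := os.Readlink(filepath.Join("/proc", pid, "ns", k))
		if err != nil {
			return nil, err
		}
		kind, inode, ok := parseNsLink(link)
		if !ok || kind != k {
			return nil, fmt.Errorf("unexpected link %q for %s", link, k)
		}
		out[k] = inode
	}
	return out, nil
}

func main() {
	shared, differing := sharedNamespaces(hostNS, containerNS)
	fmt.Printf("sample: shared=%v differing=%v\n", shared, differing)

	// Live comparison of this process against PID 1 (usually needs root).
	self, err := readNamespaces("self")
	if err != nil {
		fmt.Println("no /proc namespace view here:", err)
		return
	}
	init, err := readNamespaces("1")
	if err != nil {
		fmt.Println("cannot read PID 1 namespaces:", err)
		return
	}
	shared, differing = sharedNamespaces(self, init)
	fmt.Printf("self vs pid 1: shared=%v differing=%v\n", shared, differing)
}
```

Run inside a container, the "self vs pid 1" line shows every namespace shared, because from inside, PID 1 is the container's own init; run on the host against a container's PID, the differing list is the whole of what makes that process "in container X".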
13. IAAS with OSvirt/Zones/Containers
[Diagram: HW > OS > several Containers side by side, each containing a Virt OS, an App and its Libs; some Libs sit outside any container, and two stacks end in "? ?".]
18. Docker v0.9 and up
DOCKER_OPTS="-e lxc"
During install, libcontainer: Setting up lxc-docker-1.x.0
https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/
http://blog.docker.com/2015/06/runc/
[Diagram: three execution-driver stacks, HW > Kernel > (LXC | Libcontainer | runC) > Docker > App with its Libs.]
Announced June 2015: runC replaces Libcontainer
19. [Diagram: two stacks. Left: App > Lib > Lib > libC (System Calls) > Kernel > HW. Right: GO app > System Calls > Kernel > HW, crossing directly from User (ring3) to Kernel (ring0).]
GO: nolibc
“GO does system calls manually, without relying on libc or anything else” - Aram Hăvărneanu
https://archive.fosdem.org/2014/schedule/event/porting_go_to_new_platforms/
https://youtu.be/tnXOeHRuyyA?t=1322
20. Building Docker Images for Static Go Binaries
Statically Linked, with syscall 'package'
https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07
FROM scratch
MAINTAINER Kelsey Hightower <kelsey.hightower@gmail.com>
ADD contributors contributors
ENV PORT 80
EXPOSE 80
ENTRYPOINT ["/contributors"]
Total size of image: 6MB
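To make the "Go does system calls manually" point concrete, here is an added example (not from Hightower's post or the FOSDEM talk) that asks the kernel for the PID through syscall.Syscall with the raw SYS_GETPID number and writes a line with syscall.Write, with no libc on the path. It assumes a Linux or macOS build, where those constants exist. It also includes the check a practitioner wants before dropping a binary into a FROM scratch image: isStaticELF inspects the ELF program headers for a PT_INTERP entry (the request for a dynamic loader), which a scratch image cannot satisfy because it has no /lib at all.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"syscall"
)

// rawGetpid traps straight into the kernel with the getpid syscall number.
// Nothing from libc is involved: syscall.Syscall is implemented in Go assembly.
func rawGetpid() int {
	pid, _, errno := syscall.Syscall(syscall.SYS_GETPID, 0, 0, 0)
	if errno != 0 {
		return -1
	}
	return int(pid)
}

// rawWrite hands buf to the write(2) wrapper from the Go syscall package,
// returning the byte count the kernel reports.
func rawWrite(fd int, buf []byte) (int, error) {
	return syscall.Write(fd, buf)
}

// isStaticELF reports whether an ELF binary requests a dynamic loader.
// A FROM scratch image has no /lib, so anything with a PT_INTERP header
// (or an .interp section) would fail at exec time inside that image.
func isStaticELF(path string) (bool, error) {
	f, err := elf.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			return false, nil
		}
	}
	return f.Section(".interp") == nil, nil
}

func main() {
	// Build the static binary this way (assumed command line, not from the page):
	//   CGO_ENABLED=0 go build -o app .
	fmt.Printf("raw getpid: %d, os.Getpid: %d\n", rawGetpid(), os.Getpid())
	if _, err := rawWrite(1, []byte("written via syscall.Write, no libc\n")); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
	self, _ := os.Executable()
	static, err := isStaticELF(self)
	fmt.Printf("%s static ELF: %v (err: %v)\n", self, static, err)
}
```

Built with CGO_ENABLED=0, the resulting binary is the kind of self-contained artifact the Dockerfile above copies into an otherwise empty image; a "static ELF: false" result means the image will be unrunnable and usually that a cgo dependency (net, os/user) crept in.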
21. Triton
• LX: run Linux on Solaris
• Docker on Illumos
• Joyent
[Diagram: Solaris Kernel > Container > App with Libs and libC; the container translates Linux Syscalls into Solaris Syscalls.]
https://www.joyent.com/blog/triton-docker-and-the-best-of-all-worlds
http://us-east.manta.joyent.com/jmc/public/opensolaris/ARChive/PSARC/2002/174/zones-design.spec.opensolaris.pdf
http://www.crn.com/slide-shows/cloud/300076877/heres-who-made-gartners-2015-cloud-iaas-magic-quadrant.htm/pgno/0/19
23. Qubes - Joanna Rutkowska
• with a GUI
• multilayer defense
https://www.qubes-os.org/
24. Microsoft
• OneCore
– 64bit only
– refactoring
– base for Win10, Server, Phone & Nano server
• Containers
Docker support
https://channel9.msdn.com/Events/Build/2015/2-704
https://channel9.msdn.com/Events/Build/2015/2-683
https://azure.microsoft.com/en-us/blog/containers-docker-windows-and-trends/
30. VMware
• Photon Linux distribution
• Open Source
• Management via Mesos, Hadoop, OpenStack, Pivotal CF (Lattice), CoreOS, Kubernetes, etc.
[Diagram: Hardware > Micro-visor > Photon instances, one running docker-machine and others each running an App with its LIB.]
• Photon platform
31. Gartner IAAS MQ 2015
Gartner also recommends cloud buyers adopt a bimodal strategy that allows them to maintain critical IT operations while innovating on agile development platforms.
http://bit.ly/2015-cloud-mq (try update year in link when expired)