Containers provide isolation at the operating system level through mechanisms like namespaces and cgroups. While containers isolate applications from each other better than traditional virtualization, some experts argue that full virtualization using hypervisors provides stronger security due to stronger isolation between virtual machines. However, container security has improved significantly over time and many argue containers can provide adequate security for many use cases. There is an ongoing debate in the industry around the relative security of containers versus virtual machines.

1. Containers security
Kernel internals

2. “There may be ways ... for an application to escape out of its container or deny service to the
host or other containers.” – Mark Russinovich, CTO Microsoft Azure
https://azure.microsoft.com/en-us/blog/containers-docker-windows-and-trends/
“For Google I would say that security is probably the number one priority, for KVM it is the killer
feature otherwise we could just sell people Docker containers or just let them run on Linux
processors. So the main thing that VMs actual provide it that isolation and all our VM’s are on
KVM.” - Andrew Honig, tech lead on the Cloud Security Team at Google
https://youtu.be/L7ScFlkJEO8?t=33
“The inter-process isolation provided by a monolithic kernel such as Windows or Linux could
never be compared to the inter-VM isolation offered even by the most lousy hypervisors. This is
simply because the sizes of the interfaces exposed to untrusted entities (processes in case of a
monolithic kernel; VMs in case of a hypervisor) are just incomparable. ”
“ Sadly … we have finally came to the conclusion that consumer Windows OS, with all those
one-would-think sophisticated security mechanisms, is just not usable for any real-world domain
isolation. ” - Joanna Rutkowska – Security researcher & architect of Qubes OS
http://blog.invisiblethings.org/2014/01/15/shattering-myths-of-windows-security.html

3. “Some people make the mistake of thinking of containers as a better and faster way of
running virtual machines. From a security point of view, containers are much weaker.” – Dan
Walsh, SELinux architect (?)
“There’s contentions all over the place that containers are not as secure as hypervisors. This is
not actually true. Parallels and Virtuozo, we’ve been running secure containers for at least 10
years.” – James Bottomley, Linux Maintainer and Parallels CTO
“Virtual Machines might be more secure today, but containers are definitely catching up. –
Jerome Petazzoni, Senior Software Engineer at Docker
“You are absolutely deluded, if not stupid, if you think that a worldwide collection of software
engineers who can’t write a operating system or application without security holes, can then
turn around and suddenly write virtualization layers without security holes” Theo de Raadt,
OpenBSD project lead
https://fosdem.org/2015/schedule/event/zombieapocalypse/

4. Agenda
• Not about Docker security
• Entropy
• History of Kernel Security
• Conclusion

5. Bart Smith
• Stadjer
• Windows NT 3.1
• Design & security
• Migrating to Cloud Native

6. Why is Docker so popular?
1. instant startup
2. namespace isolation & resource governance
3. small memory footprint
4. common toolset
5. packaging - Open Container Initiative OCI
6. ease deployment - DockerHub
More security see talk Adrian 4/6/15 https://youtu.be/04LOuMgNj9U

7. Fortress
• Few doors and windows
• Easy blocking
• Defense in Depth, multilayer

8. Entropy
Peter Sewell,
Cambridge
@31C3
http://media.ccc.de/browse/congress/2014/31c3_-_6574_-_en_-_saal_1_-_201412301245_-_why_are_computers_so_and_what_can_we_do_about_it_-_peter_sewell.html

9. SPI - stack
• SAAS
• PAAS
• IAAS

10. HW
OS OS OS
App
VIRT
App App App App App
Virt HW Virt HW Virt HW
HW
OS OS OS
App
VIRT
App App App
Virt HW Virt HW Virt HW
IAAS with HW virt
•AWS
•Azure Infra
•Google Com-
pute Engine
•Joyent
HW
VIRT
Virt HW Virt HW Virt HW
OS OS OS
http://bit.ly/2015-cloud-mq
(try update year in link when expired)
( )
App App

11. db web file etcmid.
ware
App1
db web file etcmid.
ware
App2 App3
PAAS
•EC3
•Azure App Service
•Google App Engine
db web file etcmid.
waredb web file etcmid.
ware
App1 App2 App3
db web file etcmid.
ware
App1 App2 App3

12. Jérôme Petazzoni explaining:
• The only difference between a-process-in-a-
container and a-process-not-in-a-container is
a few labels on top on a process that say this is
in container X
• A context-switch between two containers is
exactly the same as a context-switch between
two processes
https://youtu.be/pUQ5ukrVaH4?t=600https://youtu.be/pUQ5ukrVaH4?t=667

13. IAAS with OSvirt/Zones/Containers
HW
OS
Container
Virt OS
App
Lib
Lib
Container
Virt OS
App
Lib
Lib
Container
Virt OS
App
Lib
Lib
Container
Virt OS
App
Lib
Lib
Lib
Lib
HW
OS
Container
Virt OS
App
Lib
Lib
Container
Virt OS
App
Lib
Lib
? ?

14. MAAS
•Ubuntu
•Softlayer/IBM
•Leaseweb
HW

15. DEV Performance Security
PAAS   
Containers  
IAAS   
Hypervisor
App
HW
OS
VirtHW
App
OS
VirtHW
Kernel
Container
App
HW
db
Code1
web
2
?

16. https://en.wikipedia.org/wiki/Operating-system-level_virtualization#Implementations

17. Docker < v0.9
Kernel
LXC
App
HW
Lib
Lib
Docker

18. Docker v0.9 and up
DOCKER_OPTS="-e lxc"During install, libcontainer :
Setting up lxc-docker-1.x.0
https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/ http://blog.docker.com/2015/06/runc/
Kernel
Lib-
container
App
HW
Lib
Lib
Docker
Kernel
LXC
App
HW
Docker
Kernel
runC
App
HW
Docker
Announced june15:
runC replaces Libcontainer

19. Kernel
App
HW
Lib
Lib
libCSystem Calls
GO: nolibc
GO does system calls manually, without relying
on libc or anything else - Aram Hăvărnanu
https://archive.fosdem.org/2014/schedule/event/porting_go_to_new_platforms/ https://youtu.be/tnXOeHRuyyA?t=1322
User
(ring3)
Kernel
(ring0)
Kernel
HW
Lib
Lib
System Calls
GO
app

20. Building Docker Images for Static Go Binaries
Statically Linked, with syscall 'package'
https://medium.com/@kelseyhightower/optimizing-docker-images-for-static-binaries-b5696e26eb07
FROM scratch
MAINTAINER Kelsey Hightower <kelsey.hightower@gmail.com>
ADD contributors contributors
ENV PORT 80
EXPOSE 80
ENTRYPOINT ["/contributors"]
Total size of image: 6MB

21. Triton
• LX: run Linux on Solaris
• Docker on Illumos
• Joyent
Solaris
Kernel
App
Lib
Lib
libCLinux Syscalls
Container
Solaris Syscalls
https://www.joyent.com/blog/triton-docker-and-the-best-of-all-worlds
http://us-east.manta.joyent.com/jmc/public/opensolaris/ARChive/PSARC/2002/174/zones-design.spec.opensolaris.pdf
http://www.crn.com/slide-shows/cloud/300076877/heres-who-made-gartners-2015-cloud-iaas-magic-quadrant.htm/pgno/0/19

22. Mirage OS - Cambridge
• unikernel
• Stat. linked kernel
• No Firewall needed
• defense: limit interfaces
(including Xen)
• 20ms startup
http://media.ccc.de/browse/congress/2014/31c3_-_6443_-_en_-_saal_2_-_201412271245_-
_trustworthy_secure_modular_operating_system_engineering_-_hannes_-_david_kaloper.html
Some kernel
HW
Lib
LibOCaml
Xen Hypervisor
Dom0

23. Qubes - Joanna Rutkowska
• with a GUI
• multilayer defense
https://www.qubes-os.org/

24. Microsoft
• OneCore
– 64bit only
– refactoring
– base for Win10, Server, Phone & Nano server
• Containers
Docker support
https://channel9.msdn.com/Events/Build/2015/2-704
https://channel9.msdn.com/Events/Build/2015/2-683
https://azure.microsoft.com/en-us/blog/containers-docker-windows-and-trends/

25. Microsoft Containers
Server CoreNano Server
Born in the cloud applications Traditional Applications
Highly CompatibleHighly Optimized

26. Microsoft’s Container Runtimes
Windows Server Container
HIGHLY
AUTOMATED EFFICIENT
SCALABLE
AND ELASTIC
Hyper-V Container
HIGHLY
AUTOMATED EFFICIENT
SCALABLE
AND ELASTIC
PUBLIC
MULTI-
TEANCY
SHARED
HOSTING
SECURE
SECURE
HOSTING
TRUSTED
MULTI-TENANCY
REGULATED
WORKLOADS

27. Nano Server: reverse forwarders
• Additional packages
– WoW64 for backward compatibility
– Hyper-V host
– Replicated File services
https://channel9.msdn.com/Events/Ignite/2015/BRK2461

28. What runs today with the Reverse
Forwarders?• Chef
• PHP
• Nginx
• Python 3.5
• Node.js
• GO
• Redis
• MySQL
• OpenSSL
• Java (OpenJDK)
• Ruby (2.1.5)
• SQLite

29. Intel: Clear Linux
• 1000 VM/host
• 200ms startup
• Intel VT
http://www.theregister.co.uk/2015/05/21/intel_wants_containers_to_be_alone_together_naturally/
http://www.infoworld.com/article/2925038/linux/intel-takes-on-coreos-with-its-own-container-based-linux.html
http://lwn.net/Articles/644675/ https://www.clearlinux.org

30. VMware
• Photon Linux distribution
• Open Source
• Management door mesos,
Hadoop, Openstack, Pivotal CF
(Lattice), CoreOs, Kubernetes,
etc
Micro-visor
Hardware
Photon
docker-machine
Photon
App
LIB
Photon
App
LIB
• Photon platform

31. Gartner IAAS MQ 2015
Gartner also recommends
cloud buyers adopt a
bimodal strategy that
allows them to maintain
critical IT operations while
innovating on agile
development platforms.
http://bit.ly/2015-cloud-mq (try update year in link when expired)

32. Conclusion
• ARM simpler Virtualization
• Converge Containers & VM

33. Questions?
Docker training/conferenties
http://dutchdockerday.nl 20 Nov 15, €99 (early bird) Amsterdam
https://skillsmatter.com/conferences/7208-containersched-2015 London
http://softwarecircus.eu Okt 2016 €150 (early bird) Amsterdam
http://nkhare.github.io/data_and_network_containers/ self training

34. Link Q&A
• side-channel attack processor cache
– http://wp.me/p26mzH-c5
– http://reg.cx/2f6r