Secure Containers for Developers
Mathias Tausig
SBA Research gGmbH SBA Live Academy 2020
History
Container History I
• Since the 1980s, the chroot technology allows parts of the filesystem to be separated from each other on *NIX systems
• Parallel to the rise of virtualization around 2000, interest in a more lightweight OS virtualization grew
◦ 2000: Virtuozzo (Linux, Windows)
− 2005: OpenVZ
◦ 2000: Jails (BSD)
◦ 2001: Linux VServer
◦ 2004: Zones (Solaris)
Container History II
• Around the same time, generic interfaces in the Linux kernel were developed:
◦ 1998: AppArmor
◦ 2000: SELinux
◦ 2002: Namespaces
◦ 2007: CGroups
• 2008 saw the first release of LXC (Linux Containers), a userspace interface to create virtualized environments using these technologies
◦ No kernel modification necessary
• In 2013, the company dotCloud Inc. released the first version of its container software: Docker
◦ Initially based on LXC
◦ Switched to the libcontainer interface to use the kernel’s capabilities
Containers
VM vs. Container
While a virtual machine is always running a full OS on virtual hardware, a container is part of the current host system, sharing its resources (especially the kernel).
VM vs. Container
A container is more lightweight than a VM.
• Less storage space
• Less memory
• Much faster creation and startup
These performance advantages are offset by weaker isolation. Since all containers share the same kernel, an exploit on the kernel level can compromise all containers on the host.
System- vs. application-container
• An application container is used to run a single process. If that process is stopped, the corresponding container is terminated as well.
• A system container is able to run multiple processes while keeping a persistent state over a long time.
Privileged containers
A privileged container is one running with root privileges on the host system. [1]
An unprivileged container does not have those capabilities. [2]
[1] Default for Docker
[2] Default for LXC
Linux containment features
Namespaces
• Since kernel 3.12
• Used to isolate system resources and processes
• Provides a certain resource to a process in an abstracted fashion
◦ pid: Containers may administer their own process hierarchy, with their own (logical) init process as PID 1
◦ user: Isolation of user and group IDs (uid and gid) allows a process to run processes as “root” without granting it elevated privileges on the host system
◦ net: Provides separate network devices and configurations as well as routing tables
◦ mnt: Each container can have its own view of the filesystem hierarchy
◦ ...
cgroups
To limit the negative consequences a container can have for the host system, Control Groups (cgroups) may be used. They are built out of various subsystems, each of which limits a certain resource for a container.
• blkio: Limits access to block devices
• cpu, cpuacct, cpusets: Limits CPU access
• devices: Access to devices can be granted
• freezer: Allows tasks to be stopped and woken up
• hugetlb, memory: Limits available RAM
• net_cls, net_prio: Used for network prioritisation
• perf_event: Used for process monitoring
SELinux / AppArmor
The kernel security modules SELinux and AppArmor greatly extend the usual Discretionary Access Control (DAC) model of Linux access control policies with a much more advanced and powerful Mandatory Access Control (MAC) system.
This allows, for example, limiting which files a certain process may access, or cutting off its network access.
Linux Containers
What is LXC?
LXC is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers.
– https://linuxcontainers.org
Frontends
LXC containers can be created and managed using different tools:
• Direct usage of liblxc and lxc-utils
• Usage of a frontend
◦ libvirt
◦ ProxMox
◦ LXD
LXD
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.
– https://linuxcontainers.org/lxd/introduction/
LXD Architecture
LXD is based on a daemon (which in turn is based on liblxc) which provides a REST API.
This API is consumed by the command line tool lxc. [3]
[3] No typo. The tool is really named like this.
Images
New containers are not installed; they get cloned from a base image, which is retrieved from a repository. [4]
[4] local or online
Use Cases Developer
• Isolated execution of applications
• Development environments with separated dependencies
• Test environments
LXD Tutorial
Requirements
The following scenarios assume:
• Ubuntu 18.04 Bionic 64 bit is used
• Packages lxd, lxdtool are installed
• User is part of the group lxd [5]
[5] Disclaimer: As with docker, this is equivalent to giving the user root privileges on the system. Take care.
Documentations
• Official documentation:
https://linuxcontainers.org/lxd/docs/master/
• Blog of Stéphane Graber:
https://stgraber.org/category/lxd/
Initialize
$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
Name of the new storage pool [default=default]: mystorage
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]: yes
What should the new bridge be called? [default=lxdbr0]: lxdlocal
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: auto
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: none
Would you like LXD to be available over the network? (yes/no) [default=no]: no
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes
Images
$ lxc remote list
+-----------------+------------------------------------------+---------------+
|      NAME       |                   URL                    |   PROTOCOL    |
+-----------------+------------------------------------------+---------------+
| images          | https://images.linuxcontainers.org       | simplestreams |
+-----------------+------------------------------------------+---------------+
| local (default) | unix://                                  | lxd           |
+-----------------+------------------------------------------+---------------+
| ubuntu          | https://cloud-images.ubuntu.com/releases | simplestreams |
+-----------------+------------------------------------------+---------------+
| ubuntu-daily    | https://cloud-images.ubuntu.com/daily    | simplestreams |
+-----------------+------------------------------------------+---------------+
Images
$ lxc image list ubuntu:
+------------------------------------------+---------+----------+
|               DESCRIPTION                |  ARCH   |   SIZE   |
+------------------------------------------+---------+----------+
| ubuntu 17.10 amd64 (release) (20180706)  | x86_64  | 169.51MB |
+------------------------------------------+---------+----------+
| ubuntu 17.10 arm64 (release) (20180706)  | aarch64 | 153.62MB |
+------------------------------------------+---------+----------+
| ubuntu 17.10 armhf (release) (20180706)  | armv7l  | 152.81MB |
+------------------------------------------+---------+----------+
...
$ lxc image list images:
+-----------------------------------+---------+--------+
|            DESCRIPTION            |  ARCH   |  SIZE  |
+-----------------------------------+---------+--------+
| Alpine 3.6 amd64 (20190402_13:00) | x86_64  | 3.17MB |
+-----------------------------------+---------+--------+
| Alpine 3.6 arm64 (20190402_13:00) | aarch64 | 3.07MB |
+-----------------------------------+---------+--------+
...
Container lifecycle
$ lxc launch ubuntu:bionic test
Creating test
Starting test
$ lxc list
+------+---------+---------------------+------+------------+-----------+
| NAME |  STATE  |        IPV4         | IPV6 |    TYPE    | SNAPSHOTS |
+------+---------+---------------------+------+------------+-----------+
| test | RUNNING | 10.114.13.24 (eth0) |      | PERSISTENT | 0         |
+------+---------+---------------------+------+------------+-----------+
$ lxc exec test -- /bin/bash
root@test:~# exit
$ lxc stop test
$ lxc rm test
BTRFS storage
$ lxc storage create mybtrfs btrfs source=/dev/loop0
Storage pool mybtrfs created
$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7,8G     0  7,8G   0% /dev
tmpfs           1,6G  2,0M  1,6G   1% /run
/dev/sda2       117G   11G  100G  10% /
[...]
/dev/loop0       30G   17M   28G   1% /var/lib/lxd/storage-pools/mybtrfs
$ lxc storage show mybtrfs
config:
  source: 031d08f0-ed03-4f39-8274-03fc4a12688c
  volatile.initial_source: /dev/loop0
description: ""
name: mybtrfs
driver: btrfs
used_by: []
status: Created
locations:
- none
Profile
$ lxc profile create myprof
$ cat lxd-profile-myprof.yaml
config:
  user.vendor-data: |
    #cloud-config
    users:
      - name: ubuntu
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
        shell: /bin/bash
description: My brandnew LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdlocal
    type: nic
  root:
    path: /
    pool: mybtrfs
    type: disk
    size: 10GB
name: myprofile
$ lxc profile edit myprof < lxd-profile-myprof.yaml
Profile
$ lxc launch ubuntu:18.04 web --profile myprof
$ lxc profile show myprof
config:
  user.vendor-data: |
    #cloud-config
    users:
      - name: ubuntu
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
        shell: /bin/bash
        group: sudo
description: My brandnew LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdlocal
    type: nic
  root:
    path: /
    pool: mybtrfs
    size: 10GB
    type: disk
name: myprof
used_by: [web]
Shared Disk
$ lxc config device add test srcdir disk path=/home/ubuntu/src source=/home/my/src
Device srcdir added to shared
$ ssh ubuntu@10.45.238.167
ubuntu@shared:~$ mount
/dev/dm-5 on / type btrfs (rw,relatime,ssd,[...])
none on /dev type tmpfs (rw,relatime,size=492k,mode=755,uid=165536,gid=165536)
...
/dev/mapper/myvg-home on /home/ubuntu/src type ext4 (rw,relatime,data=ordered)
...
ubuntu@shared:~$ df
Filesystem            1K-blocks     Used Available Use% Mounted on
/dev/dm-5              36700160 21135324  14910740  59% /
none                        492        0       492   0% /dev
udev                    3898488        0   3898488   0% /dev/tty
tmpfs                       100        0       100   0% /dev/lxd
tmpfs                       100        0       100   0% /dev/.lxd-mounts
tmpfs                   3930688        0   3930688   0% /dev/shm
tmpfs                   3930688      172   3930516   1% /run
tmpfs                      5120        0      5120   0% /run/lock
tmpfs                   3930688        0   3930688   0% /sys/fs/cgroup
/dev/mapper/myvg-home  95593892 85171544   5523328  94% /home/ubuntu/src
tmpfs                    786136        0    786136   0% /run/user/1000
Network
$ lxc network create isolated
Network isolated created
$ lxc network set isolated ipv4.nat false
$ lxc network set isolated ipv6.address none
$ lxc network set isolated ipv6.nat false
$ lxc network attach isolated webdev
$ lxc network show isolated
config:
  ipv4.address: 10.81.238.1/24
  ipv4.nat: "false"
  ipv6.address: none
  ipv6.nat: "false"
description: ""
name: isolated
type: bridge
used_by:
- /1.0/containers/webdev
managed: true
status: Created
locations:
- none
Privileged containers
$ lxc config set webdev security.privileged true
$ lxc config show webdev
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
  [...]
  security.privileged: "true"
  [...]
  volatile.isolated.hwaddr: 00:16:3e:4f:47:15
  volatile.isolated.name: eth1
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,[...]}]'
  volatile.last_state.power: RUNNING
devices:
  isolated:
    nictype: bridged
    parent: isolated
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""
Privileged containers
$ lxc config set webdev security.privileged true
$ lxc restart webdev
$ lxc shell webdev
root@webdev:~# tail -f /var/log/syslog &
Oct 11 16:30:30 webdev systemd[1]: Stopped target Login Prompts.
[...]
root@webdev:~# logout
$ ps aux | grep "tail -f"
root 19655 [...] 18:30 0:00 tail -f /var/log/syslog
$ lxc config set webdev security.privileged false
$ lxc restart webdev
$ lxc shell webdev
root@webdev:~# tail -f /var/log/syslog &
Oct 11 16:31:04 gitolite systemd[1]: Started User Manager for UID 0.
[...]
root@webdev:~# logout
$ ps aux | grep "tail -f"
165536 20938 [...] 18:31 0:00 tail -f /var/log/syslog
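The uid translation behind this demo, and behind the user namespace bullet on the Namespaces slide, written out as an added example that is not part of the talk: a POSIX shell script that applies a user-namespace uid_map (the kernel's "inside outside count" format) in both directions and classifies host-side ps lines like the two above. The map is constructed from the Hostid 165536 shown on the previous slide; the range size of 65536 is an assumption (LXD's usual default), and the ps lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the slides): uid translation of an unprivileged
# LXD container and a check over host-side `ps aux` lines.
# Assumptions: uid_map below is constructed from the Hostid 165536 on the
# slide with an assumed range of 65536 ids; the ps lines are constructed.

# Constructed /proc/<pid>/uid_map of the unprivileged container:
# container uid 0..65535 is backed by host uid 165536..231071.
UID_MAP='0 165536 65536'

# Translate a uid seen inside the container into the host uid the kernel
# really uses. Prints "unmapped" when no line of the map covers the uid
# (such ids appear inside the container as the overflow uid, "nobody").
to_host_uid() {                     # $1 = container uid, $2 = uid_map text
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 <= id && id < $1 + $3 { print id - $1 + $2; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Inverse: translate a host uid (as `ps aux` shows it) into the container
# uid, or print "host" when the uid is a host user outside the container.
to_container_uid() {                # $1 = host uid, $2 = uid_map text
    printf '%s\n' "$2" | awk -v id="$1" '
        $2 <= id && id < $2 + $3 { print id - $2 + $1; found = 1; exit }
        END { if (!found) print "host" }'
}

# Classify one `ps aux` line by its USER column:
#   HOST-ROOT  runs as the real host root (what a privileged container gives)
#   MAPPED     uid lies inside the container's idmap (unprivileged container)
#   OTHER      some other host user
classify_ps_line() {                # $1 = ps line, $2 = uid_map text
    user=${1%% *}                   # first whitespace-separated field
    case "$user" in
        root|0)    echo HOST-ROOT ;;
        *[!0-9]*)  echo OTHER ;;    # named host user other than root
        *)  if [ "$(to_container_uid "$user" "$2")" = host ]; then
                echo OTHER
            else
                echo MAPPED
            fi ;;
    esac
}

# Constructed samples of the two `ps aux | grep "tail -f"` results above.
PRIV_LINE='root     19655  0.0  0.0   7508   764 ?  S  18:30  0:00 tail -f /var/log/syslog'
UNPRIV_LINE='165536   20938  0.0  0.0   7508   764 ?  S  18:31  0:00 tail -f /var/log/syslog'

# Count how many of the given ps lines run as real host root.
count_host_root() {                 # $1 = uid_map text, rest = ps lines
    map=$1; shift; n=0
    for line in "$@"; do
        if [ "$(classify_ps_line "$line" "$map")" = HOST-ROOT ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

if [ "${1:-}" = demo ]; then
    to_host_uid 0 "$UID_MAP"                     # root inside -> 165536
    to_host_uid 1000 "$UID_MAP"                  # ubuntu inside -> 166536
    to_host_uid 70000 "$UID_MAP"                 # unmapped
    classify_ps_line "$PRIV_LINE" "$UID_MAP"     # HOST-ROOT
    classify_ps_line "$UNPRIV_LINE" "$UID_MAP"   # MAPPED
fi
```

Run it with `sh script.sh demo`; on a real host, feed the container's own `/proc/<init pid>/uid_map` instead of the constructed UID_MAP.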
The End!
Classification: Public
Professional Services
Penetration Testing | Architecture Reviews | Security Audit | Security Trainings | Incident Response Readiness | ISMS & ISO 27001 Consulting
Bridging Science and Industry
Applied Research
Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org

SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Research
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Research
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Research
 

More from SBA Research (20)

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
 

Recently uploaded

How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
SynapseIndia
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
Adam Dunkels
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Emerging Tech
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
SynapseIndia
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 

Recently uploaded (20)

How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
How to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptxHow to Build a Profitable IoT Product.pptx
How to Build a Profitable IoT Product.pptx
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptxRPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

Privileged containers
A privileged container is one running with root privileges on the host system.1
An unprivileged container does not have those capabilities.2
1 Default for Docker
2 Default for LXC
8
Namespaces
• Since kernel 3.12
• Used to isolate system resources and processes
• Provides a certain resource to a process in an abstracted fashion
◦ pid: Containers may administer their own process hierarchy while having their own (logical) init process with PID 1
◦ user: Isolation of user and group IDs (uid and gid) allows a process to run processes as "root" without granting it elevated privileges on the host system
◦ net: Provides separated network devices and configurations as well as routing tables
◦ mnt: Each container can have its own view of the filesystem hierarchy
◦ ...
10
cgroups
To limit the negative consequences a container can have for the host system, Control Groups (cgroups) may be used. They are built out of various subsystems, each of which limits a certain resource for a container.
• blkio: Limits access to block devices
• cpu, cpuacct, cpusets: Limits CPU access
• devices: Access to devices can be granted
• freezer: Allows to stop and wake up tasks
• hugetlb, memory: Limits available RAM
• net_cls, net_prio: Used for network prioritisation
• perf_event: Used for process monitoring
11
SELinux / AppArmor
The kernel security modules SELinux and AppArmor greatly extend the usual Discretionary Access Control (DAC) model of Linux access control policies with a much more advanced and powerful Mandatory Access Control (MAC) system. This allows, for example, limiting which files a certain process may access, or cutting off its network access.
12
What is LXC?
LXC is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers. – https://linuxcontainers.org
14
Frontends
LXC containers can be created and managed using different tools:
• Direct usage of liblxc and lxc-utils
• Usage of a frontend
◦ libvirt
◦ ProxMox
◦ LXD
15
LXD
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. – https://linuxcontainers.org/lxd/introduction/
16
LXD Architecture
LXD is based on a daemon (which in turn is based on liblxc) which provides a REST API. This API is consumed by the command line tool lxc.3
3 No typo. The tool is really named like this.
17
Images
New containers are not installed, they get cloned from a base image, which is retrieved from a repository.4
4 local or online
18
Use Cases
Developer
• Isolated execution of applications
• Development environments with separated dependencies
• Test environments
19
Requirements
The following scenarios assume that:
• Ubuntu 18.04 Bionic 64 bit is used
• Packages lxd, lxdtool are installed
• User is part of the group lxd5
5 Disclaimer: As with docker, this is equivalent to giving the user root privileges on the system. Take care.
21
Documentation
• Official documentation: https://linuxcontainers.org/lxd/docs/master/
• Blog of Stéphane Graber: https://stgraber.org/category/lxd/
22
Initialize
$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
Name of the new storage pool [default=default]: mystorage
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]: yes
What should the new bridge be called? [default=lxdbr0]: lxdlocal
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: auto
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: none
Would you like LXD to be available over the network? (yes/no) [default=no]: no
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes
23
Images
$ lxc remote list
+-----------------+------------------------------------------+---------------+
|      NAME       |                   URL                    |   PROTOCOL    |
+-----------------+------------------------------------------+---------------+
| images          | https://images.linuxcontainers.org       | simplestreams |
+-----------------+------------------------------------------+---------------+
| local (default) | unix://                                  | lxd           |
+-----------------+------------------------------------------+---------------+
| ubuntu          | https://cloud-images.ubuntu.com/releases | simplestreams |
+-----------------+------------------------------------------+---------------+
| ubuntu-daily    | https://cloud-images.ubuntu.com/daily    | simplestreams |
+-----------------+------------------------------------------+---------------+
24
Images
$ lxc image list ubuntu:
+-------------------------------------------------+---------+----------+
|                   DESCRIPTION                   |  ARCH   |   SIZE   |
+-------------------------------------------------+---------+----------+
| ubuntu 17.10 amd64 (release) (20180706)         | x86_64  | 169.51MB |
+-------------------------------------------------+---------+----------+
| ubuntu 17.10 arm64 (release) (20180706)         | aarch64 | 153.62MB |
+-------------------------------------------------+---------+----------+
| ubuntu 17.10 armhf (release) (20180706)         | armv7l  | 152.81MB |
+-------------------------------------------------+---------+----------+
...
$ lxc image list images:
+----------------------------------------------+---------+-----------+
|                 DESCRIPTION                  |  ARCH   |   SIZE    |
+----------------------------------------------+---------+-----------+
| Alpine 3.6 amd64 (20190402_13:00)            | x86_64  | 3.17MB    |
+----------------------------------------------+---------+-----------+
| Alpine 3.6 arm64 (20190402_13:00)            | aarch64 | 3.07MB    |
+----------------------------------------------+---------+-----------+
...
25
Container lifecycle
$ lxc launch ubuntu:bionic test
Creating test
Starting test
$ lxc list
+------+---------+---------------------+------+------------+-----------+
| NAME |  STATE  |        IPV4         | IPV6 |    TYPE    | SNAPSHOTS |
+------+---------+---------------------+------+------------+-----------+
| test | RUNNING | 10.114.13.24 (eth0) |      | PERSISTENT | 0         |
+------+---------+---------------------+------+------------+-----------+
$ lxc exec test -- /bin/bash
root@test:~# exit
$ lxc stop test
$ lxc rm test
26
BTRFS storage
$ lxc storage create mybtrfs btrfs source=/dev/loop0
Storage pool mybtrfs created
$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7,8G     0  7,8G   0% /dev
tmpfs           1,6G  2,0M  1,6G   1% /run
/dev/sda2       117G   11G  100G  10% /
[...]
/dev/loop0       30G   17M   28G   1% /var/lib/lxd/storage-pools/mybtrfs
$ lxc storage show mybtrfs
config:
  source: 031d08f0-ed03-4f39-8274-03fc4a12688c
  volatile.initial_source: /dev/loop0
description: ""
name: mybtrfs
driver: btrfs
used_by: []
status: Created
locations:
- none
27
Profile
$ lxc profile create myprof
$ cat lxd-profile-myprof.yaml
config:
  user.vendor-data: |
    #cloud-config
    users:
      - name: ubuntu
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
        shell: /bin/bash
description: My brandnew LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdlocal
    type: nic
  root:
    path: /
    pool: mybtrfs
    type: disk
    size: 10GB
name: myprofile
$ lxc profile edit myprof < lxd-profile-myprof.yaml
28
Profile
$ lxc launch ubuntu:18.04 web --profile myprof
$ lxc profile show myprof
config:
  user.vendor-data: |
    #cloud-config
    users:
      - name: ubuntu
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
        shell: /bin/bash
        group: sudo
description: My brandnew LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdlocal
    type: nic
  root:
    path: /
    pool: mybtrfs
    size: 10GB
    type: disk
name: myprof
used_by: [web]
29
Shared Disk
$ lxc config device add test srcdir disk path=/home/ubuntu/src source=/home/my/src
Device srcdir added to shared
$ ssh ubuntu@10.45.238.167
ubuntu@shared:~$ mount
/dev/dm-5 on / type btrfs (rw,relatime,ssd,[...])
none on /dev type tmpfs (rw,relatime,size=492k,mode=755,uid=165536,gid=165536)
...
/dev/mapper/myvg-home on /home/ubuntu/src type ext4 (rw,relatime,data=ordered)
...
ubuntu@shared:~$ df
Filesystem            1K-blocks     Used Available Use% Mounted on
/dev/dm-5              36700160 21135324  14910740  59% /
none                        492        0       492   0% /dev
udev                    3898488        0   3898488   0% /dev/tty
tmpfs                       100        0       100   0% /dev/lxd
tmpfs                       100        0       100   0% /dev/.lxd-mounts
tmpfs                   3930688        0   3930688   0% /dev/shm
tmpfs                   3930688      172   3930516   1% /run
tmpfs                      5120        0      5120   0% /run/lock
tmpfs                   3930688        0   3930688   0% /sys/fs/cgroup
/dev/mapper/myvg-home  95593892 85171544   5523328  94% /home/ubuntu/src
tmpfs                    786136        0    786136   0% /run/user/1000
30
Network
$ lxc network create isolated
Network isolated created
$ lxc network set isolated ipv4.nat false
$ lxc network set isolated ipv6.address none
$ lxc network set isolated ipv6.nat false
$ lxc network attach isolated webdev
$ lxc network show isolated
config:
  ipv4.address: 10.81.238.1/24
  ipv4.nat: "false"
  ipv6.address: none
  ipv6.nat: "false"
description: ""
name: isolated
type: bridge
used_by:
- /1.0/containers/webdev
managed: true
status: Created
locations:
- none
31
• 33. Privileged containers

$ lxc config set webdev security.privileged true
$ lxc config show webdev
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
  [...]
  security.privileged: "true"
  [...]
  volatile.isolated.hwaddr: 00:16:3e:4f:47:15
  volatile.isolated.name: eth1
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,[...]}]'
  volatile.last_state.power: RUNNING
devices:
  isolated:
    nictype: bridged
    parent: isolated
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""
• 34. Privileged containers

$ lxc config set webdev security.privileged true
$ lxc restart webdev
$ lxc shell webdev
root@webdev:~# tail -f /var/log/syslog &
Oct 11 16:30:30 webdev systemd[1]: Stopped target Login Prompts.
[...]
root@webdev:~# logout
$ ps aux | grep "tail -f"
root      19655 [...] 18:30 0:00 tail -f /var/log/syslog
$ lxc config set webdev security.privileged false
$ lxc restart webdev
$ lxc shell webdev
root@webdev:~# tail -f /var/log/syslog &
Oct 11 16:31:04 gitolite systemd[1]: Started User Manager for UID 0.
[...]
root@webdev:~# logout
$ ps aux | grep "tail -f"
165536    20938 [...] 18:31 0:00 tail -f /var/log/syslog
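The two ps lines above show the practical difference: in the privileged container, root's tail is host root (uid 0); in the unprivileged one, the same process is host uid 165536, because the container's user namespace maps its uid 0 onto the host range that starts at the Hostid from the idmap on the previous slide. The following POSIX shell script is an added example, not part of the slides: it translates container uids through a uid_map the way the kernel does (the format of /proc/<pid>/uid_map is "container-start host-start count", one line per range) and decides from the map whether a container is privileged. The two sample maps are constructed here; the privileged identity map 0 0 4294967295 is what a privileged container shows, while the unprivileged map assumes the slide's base uid 165536 and a range size of 65536.

```shell
#!/bin/sh
# Added example (not from the slides): uid translation through a user
# namespace map, and a privileged/unprivileged check based on it.

# Constructed sample maps in /proc/<pid>/uid_map format
# ("<container-start> <host-start> <count>", one range per line).
PRIV_MAP="0 0 4294967295"          # identity map: privileged container
UNPRIV_MAP="0 165536 65536"        # assumed: base 165536 (slide), 65536 ids

# map_uid MAP CUID: print the host uid that container uid CUID maps to
# under MAP, or "unmapped" if CUID lies outside every range in the map.
map_uid() {
    map=$1
    cuid=$2
    result=unmapped
    # A here-document keeps the loop in the current shell (no subshell).
    while read -r cstart hstart count; do
        [ -z "$cstart" ] && continue
        if [ "$cuid" -ge "$cstart" ] && [ "$cuid" -lt "$((cstart + count))" ]; then
            result=$((hstart + cuid - cstart))
            break
        fi
    done <<EOF
$map
EOF
    echo "$result"
}

# is_privileged MAP: true (exit 0) when MAP is the full identity map,
# i.e. container uid 0 is host uid 0 and the highest uid maps to itself.
is_privileged() {
    [ "$(map_uid "$1" 0)" = 0 ] && [ "$(map_uid "$1" 4294967294)" = 4294967294 ]
}

# Demonstration on the constructed maps. Inside a real container, use
# the live map instead:  map_uid "$(cat /proc/self/uid_map)" "$(id -u)"
for m in "$PRIV_MAP" "$UNPRIV_MAP"; do
    if is_privileged "$m"; then kind=privileged; else kind=unprivileged; fi
    echo "map '$m': $kind; container root is host uid $(map_uid "$m" 0)"
done
```

Reading /proc/self/uid_map is the quickest way for code running inside a container to tell which of the two situations on the slide it is in: "0 0 4294967295" means a root process can act as host root on anything it can reach (bind mounts, /dev, the host's /var/log if it is shared), whereas a shifted first column means even uid 0 inside is an unprivileged host user.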
• 36. Classification: Public

SBA Research
Professional Services: Penetration Testing | Architecture Reviews | Security Audit | Security Trainings | Incident Response Readiness | ISMS & ISO 27001 Consulting
Bridging Science and Industry
Applied Research: Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
Knowledge Transfer: SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org
