Secure Containers for Developers
Mathias Tausig
SBA Research gGmbH SBA Live Academy 2020
History
Container History I
• Since the 1980s, the chroot technology has allowed parts of the
filesystem to be separated from each other on *NIX systems
• Parallel to the rise of virtualization around 2000, interest in a more
lightweight OS virtualization grew
◦ 2000: Virtuozzo (Linux, Windows)
− 2005: OpenVZ
◦ 2000: Jails (BSD)
◦ 2001: Linux VServer
◦ 2004: Zones (Solaris)
Container History II
• Around the same time, generic interfaces in the Linux kernel
were developed:
◦ 1998: AppArmor
◦ 2000: SELinux
◦ 2002: Namespaces
◦ 2007: CGroups
• 2008 saw the first release of LXC (Linux Containers), a userspace
interface to create virtualized environments using these
technologies
◦ No kernel modification necessary
• In 2013, the company dotCloud Inc. released the first version of
its container software: Docker
◦ Initially based on LXC
◦ Switched to the libcontainer interface to use the kernel's capabilities
Containers
VM vs. Container
While a virtual machine is always running a full OS on virtual
hardware, a container is part of the current host system sharing its
resources (especially the kernel).
VM vs. Container
A container is more lightweight than a VM.
• Less storage space
• Less memory
• Much faster creation and startup
These performance advantages are offset by weaker isolation. Since
all containers share the same kernel, an exploit at the kernel level
can compromise all containers on the host.
System- vs. application-container
• An application container is used to run a single process. If that
process is stopped, the corresponding container is terminated as
well.
• A system container is able to run multiple processes while
keeping a persistent state over a long time.
Privileged containers
A privileged container is one running with root privileges on the host
system (the default for Docker).
An unprivileged container does not have those capabilities (the default
for LXC).
Linux containment features
Namespaces
• Since kernel 3.12
• Used to isolate system resources and processes
• Provides a certain resource to a process in an abstracted
fashion
◦ pid: Containers may administer their own process hierarchy while having
their own (logical) init process with PID 1
◦ user: Isolation of user and group IDs (uid and gid) allows a process to
run processes as "root" without granting it elevated privileges on the
host system
◦ net: Provides separate network devices and configurations as well as
routing tables
◦ mnt: Each container can have its own view of the filesystem hierarchy
◦ ...
cgroups
To limit the negative consequences a container can have for the host
system, Control Groups (cgroups) may be used. They are built out of various
subsystems, each of which limits a certain resource for a container.
• blkio: Limits access to block devices
• cpu, cpuacct, cpusets: Limits CPU access
• devices: Access to devices can be granted
• freezer: Allows tasks to be stopped and woken up
• hugetlb, memory: Limits available RAM
• net_cls, net_prio: Used for network prioritisation
• perf_event: Used for process monitoring
SELinux / AppArmor
The kernel security modules SELinux and AppArmor greatly extend
the usual Discretionary Access Control (DAC) model of Linux access
control policies with a much more advanced and powerful
Mandatory Access Control (MAC) system.
This allows, for example, limiting which files a certain process may
access, or cutting off its network access entirely.
Linux Containers
What is LXC?
LXC is a userspace interface for the Linux kernel containment
features. Through a powerful API and simple tools, it lets Linux
users easily create and manage system or application
containers.
– https://linuxcontainers.org
Frontends
LXC containers can be created and managed using different tools:
• Direct usage of liblxc and lxc-utils
• Usage of a frontend
◦ libvirt
◦ ProxMox
◦ LXD
LXD
LXD is a next generation system container manager. It offers
a user experience similar to virtual machines but using Linux
containers instead.
– https://linuxcontainers.org/lxd/introduction/
LXD Architecture
LXD is based on a daemon (which in turn is based on liblxc) which
provides a REST API.
This API is consumed by the command line tool lxc (no typo: the tool
really is named like this).
Images
New containers are not installed; they are cloned from a base
image, which is retrieved from a (local or online) repository.
Developer use cases
• Isolated execution of applications
• Development environments with separated dependencies
• Test environments
LXD Tutorial
Requirements
The following scenarios assume the following:
• Ubuntu 18.04 Bionic 64 bit is used
• Packages lxd, lxdtool are installed
• User is part of the group lxd
Disclaimer: As with docker, membership in this group is equivalent to giving the
user root privileges on the system. Take care.
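Because membership in the lxd group (or the docker group, which the slide compares it to) is root-equivalent, a host review should list who is in those groups. The POSIX shell script below is an added example, not part of the slides; it reads data in /etc/group format, the sample file it uses is constructed, and the choice of groups to audit is an assumption.

```shell
#!/bin/sh
# Added example, not from the slides: list members of groups whose membership
# is root-equivalent on the host (lxd, and docker as the slide's comparison).
# Input is /etc/group format; the sample file below is constructed.

# group_members GROUP FILE: print the comma-separated member list of GROUP
# (empty output if the group has no members or does not exist)
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# audit_root_equivalent_groups FILE GROUP...: print one line per group and
# return 1 if any of the groups has at least one member, else 0
audit_root_equivalent_groups() {
    file=$1
    shift
    status=0
    for g in "$@"; do
        members=$(group_members "$g" "$file")
        if [ -n "$members" ]; then
            echo "$g: $members  (root-equivalent on this host)"
            status=1
        else
            echo "$g: no members"
        fi
    done
    return $status
}

# Constructed sample in /etc/group format, used for the stand-alone run.
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:alice
lxd:x:130:alice,bob
docker:x:999:
EOF

# On a real host, pass /etc/group instead of the sample file.
audit_root_equivalent_groups "$SAMPLE_GROUP_FILE" lxd docker \
    || echo "review the members listed above: they can obtain root via the daemon"
```

The exit status makes the function usable from a configuration check: a non-zero result means someone can reach root through the container daemon without going through sudo.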
Documentations
• Official documentation:
https://linuxcontainers.org/lxd/docs/master/
• Blog of Stéphane Graber:
https://stgraber.org/category/lxd/
Initialize
$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
Name of the new storage pool [default=default]: mystorage
Would you like to connect to a MAAS server? (yes/no) [default=no]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]: yes
What should the new bridge be called? [default=lxdbr0]: lxdlocal
What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: auto
What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: none
Would you like LXD to be available over the network? (yes/no) [default=no]: no
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes
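The last question offers to print the answers as a preseed document, which can be replayed non-interactively with `lxd init --preseed`. The script below is an added example, not from the slides or from the LXD project: the pool and bridge names follow the transcript above, while the `dir` storage driver (the transcript does not show the driver question), the wiring of the `default` profile, and the mapping of "no automatic image updates" to `images.auto_update_interval: "0"` are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or the LXD project: the answers given to
# "lxd init" above, written as a preseed document for "lxd init --preseed".
# Assumptions: the "dir" storage driver, the default profile wiring, and that
# declining automatic image updates corresponds to images.auto_update_interval "0".

# lxd_preseed: print the preseed YAML on stdout
lxd_preseed() {
    cat <<'EOF'
config:
  images.auto_update_interval: "0"
networks:
- name: lxdlocal
  type: bridge
  config:
    ipv4.address: auto
    ipv6.address: none
storage_pools:
- name: mystorage
  driver: dir
profiles:
- name: default
  devices:
    eth0:
      name: eth0
      nictype: bridged
      parent: lxdlocal
      type: nic
    root:
      path: /
      pool: mystorage
      type: disk
cluster: null
EOF
}

# preseed_has KEY VALUE: return 0 if the document contains the line "KEY: VALUE"
preseed_has() {
    lxd_preseed | grep -q -E "^[[:space:]]*$1: $2\$"
}

# apply_preseed: feed the document to the daemon; refuses to run without lxd
apply_preseed() {
    if ! command -v lxd >/dev/null 2>&1; then
        echo "lxd is not installed on this host" >&2
        return 1
    fi
    lxd_preseed | lxd init --preseed
}

# Stand-alone run: show the document and confirm the API stays local-only.
# "Available over the network? no" means no core.https_address is set, so the
# daemon listens only on its unix socket.
lxd_preseed
if preseed_has core.https_address '.*'; then
    echo "warning: the preseed exposes the LXD API over the network" >&2
else
    echo "ok: no core.https_address, API reachable only via the local unix socket"
fi
```

Keeping the preseed in version control makes the host setup reviewable: a later change that adds `core.https_address` or turns image auto-updates back on shows up as a diff rather than as an interactive answer nobody remembers giving.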
Images
$ lxc remote list
+-----------------+------------------------------------------+---------------+
| NAME            | URL                                      | PROTOCOL      |
+-----------------+------------------------------------------+---------------+
| images          | https://images.linuxcontainers.org       | simplestreams |
+-----------------+------------------------------------------+---------------+
| local (default) | unix://                                  | lxd           |
+-----------------+------------------------------------------+---------------+
| ubuntu          | https://cloud-images.ubuntu.com/releases | simplestreams |
+-----------------+------------------------------------------+---------------+
| ubuntu-daily    | https://cloud-images.ubuntu.com/daily    | simplestreams |
+-----------------+------------------------------------------+---------------+
Images
$ lxc image list ubuntu:
+-----------------------------------------+---------+----------+
| DESCRIPTION                             | ARCH    | SIZE     |
+-----------------------------------------+---------+----------+
| ubuntu 17.10 amd64 (release) (20180706) | x86_64  | 169.51MB |
+-----------------------------------------+---------+----------+
| ubuntu 17.10 arm64 (release) (20180706) | aarch64 | 153.62MB |
+-----------------------------------------+---------+----------+
| ubuntu 17.10 armhf (release) (20180706) | armv7l  | 152.81MB |
+-----------------------------------------+---------+----------+
...
$ lxc image list images:
+-----------------------------------+---------+--------+
| DESCRIPTION                       | ARCH    | SIZE   |
+-----------------------------------+---------+--------+
| Alpine 3.6 amd64 (20190402_13:00) | x86_64  | 3.17MB |
+-----------------------------------+---------+--------+
| Alpine 3.6 arm64 (20190402_13:00) | aarch64 | 3.07MB |
+-----------------------------------+---------+--------+
...
Container lifecycle
$ lxc launch ubuntu:bionic test
Creating test
Starting test
$ lxc list
+------+---------+---------------------+------+------------+-----------+
| NAME | STATE   | IPV4                | IPV6 | TYPE       | SNAPSHOTS |
+------+---------+---------------------+------+------------+-----------+
| test | RUNNING | 10.114.13.24 (eth0) |      | PERSISTENT | 0         |
+------+---------+---------------------+------+------------+-----------+
$ lxc exec test -- /bin/bash
root@test:~# exit
$ lxc stop test
$ lxc rm test
BTRFS storage
$ lxc storage create mybtrfs btrfs source=/dev/loop0
Storage pool mybtrfs created
$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7,8G     0  7,8G   0% /dev
tmpfs           1,6G  2,0M  1,6G   1% /run
/dev/sda2       117G   11G  100G  10% /
[...]
/dev/loop0       30G   17M   28G   1% /var/lib/lxd/storage-pools/mybtrfs
$ lxc storage show mybtrfs
config:
  source: 031d08f0-ed03-4f39-8274-03fc4a12688c
  volatile.initial_source: /dev/loop0
description: ""
name: mybtrfs
driver: btrfs
used_by: []
status: Created
locations:
- none
Profile
$ lxc profile create myprof
$ cat lxd-profile-myprof.yaml
config:
  user.vendor-data: |
    #cloud-config
    users:
      - name: ubuntu
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
        shell: /bin/bash
description: My brandnew LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdlocal
    type: nic
  root:
    path: /
    pool: mybtrfs
    type: disk
    size: 10GB
name: myprofile
$ lxc profile edit myprof < lxd-profile-myprof.yaml
Profile
$ lxc launch ubuntu:18.04 web --profile myprof
$ lxc profile show myprof
config:
  user.vendor-data: |
    #cloud-config
    users:
      - name: ubuntu
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
        shell: /bin/bash
        group: sudo
description: My brandnew LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdlocal
    type: nic
  root:
    path: /
    pool: mybtrfs
    size: 10GB
    type: disk
name: myprof
used_by: [web]
Shared Disk
$ lxc config device add test srcdir disk path=/home/ubuntu/src source=/home/my/src
Device srcdir added to shared
$ ssh ubuntu@10.45.238.167
ubuntu@shared:~$ mount
/dev/dm-5 on / type btrfs (rw,relatime,ssd,[...])
none on /dev type tmpfs (rw,relatime,size=492k,mode=755,uid=165536,gid=165536)
...
/dev/mapper/myvg-home on /home/ubuntu/src type ext4 (rw,relatime,data=ordered)
...
ubuntu@shared:~$ df
Filesystem             1K-blocks     Used Available Use% Mounted on
/dev/dm-5               36700160 21135324  14910740  59% /
none                         492        0       492   0% /dev
udev                     3898488        0   3898488   0% /dev/tty
tmpfs                        100        0       100   0% /dev/lxd
tmpfs                        100        0       100   0% /dev/.lxd-mounts
tmpfs                    3930688        0   3930688   0% /dev/shm
tmpfs                    3930688      172   3930516   1% /run
tmpfs                       5120        0      5120   0% /run/lock
tmpfs                    3930688        0   3930688   0% /sys/fs/cgroup
/dev/mapper/myvg-home   95593892 85171544   5523328  94% /home/ubuntu/src
tmpfs                     786136        0    786136   0% /run/user/1000
Network
$ lxc network create isolated
Network isolated created
$ lxc network set isolated ipv4.nat false
$ lxc network set isolated ipv6.address none
$ lxc network set isolated ipv6.nat false
$ lxc network attach isolated webdev
$ lxc network show isolated
config:
  ipv4.address: 10.81.238.1/24
  ipv4.nat: "false"
  ipv6.address: none
  ipv6.nat: "false"
description: ""
name: isolated
type: bridge
used_by:
- /1.0/containers/webdev
managed: true
status: Created
locations:
- none
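The three `lxc network set` calls above take away the bridge's path to the outside world, but a bridge created or edited later can silently get NAT back. The POSIX shell script below is an added example, not part of the slides or of LXD: it turns the `lxc network show` output format into a check, run here over two constructed dumps, one mirroring the `isolated` bridge above and one for a bridge named `lxdbr0` with NAT left on for both address families (its addresses are constructed values).

```shell
#!/bin/sh
# Added example, not from the slides: check a "lxc network show" dump for the
# isolation settings applied above (NAT off for IPv4 and IPv6, no IPv6 address).
# Both sample dumps are constructed; the first mirrors the slide's "isolated" bridge.

# network_value DUMP KEY: print the value of KEY (quotes stripped), empty if absent
network_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == (k ":") { v = $2; gsub(/"/, "", v); print v; exit }'
}

# check_isolation DUMP: return 0 when the bridge gives containers no path to the
# outside world; otherwise print one line per finding and return 1
check_isolation() {
    dump=$1
    name=$(network_value "$dump" name)
    rc=0
    for key in ipv4.nat ipv6.nat; do
        if [ "$(network_value "$dump" "$key")" = "true" ]; then
            echo "$name: $key is enabled, containers can reach the outside via NAT"
            rc=1
        fi
    done
    addr6=$(network_value "$dump" ipv6.address)
    if [ -n "$addr6" ] && [ "$addr6" != "none" ]; then
        echo "$name: carries an IPv6 address ($addr6) although IPv6 was meant to be off"
        rc=1
    fi
    return $rc
}

# Constructed sample 1: the bridge as configured on the slide
ISOLATED_NET=$(cat <<'EOF'
config:
  ipv4.address: 10.81.238.1/24
  ipv4.nat: "false"
  ipv6.address: none
  ipv6.nat: "false"
description: ""
name: isolated
type: bridge
used_by:
- /1.0/containers/webdev
managed: true
EOF
)

# Constructed sample 2: a bridge with NAT left on for both address families
DEFAULT_NET=$(cat <<'EOF'
config:
  ipv4.address: 10.0.3.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:1111:2222:3333::1/64
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
managed: true
EOF
)

# Stand-alone run; on a host use: check_isolation "$(lxc network show isolated)"
check_isolation "$ISOLATED_NET" && echo "isolated: no NAT, no IPv6"
check_isolation "$DEFAULT_NET" || echo "lxdbr0: not isolated"
```

Note what the check does and does not cover: a bridge without NAT still lets containers on the same bridge talk to each other and to the host's bridge address, so "isolated" here means no masqueraded route out, not a private network per container.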
Privileged containers
$ lxc config set webdev security.privileged true
$ lxc config show webdev
architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
  [...]
  security.privileged: "true"
  [...]
  volatile.isolated.hwaddr: 00:16:3e:4f:47:15
  volatile.isolated.name: eth1
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,[...]}]'
  volatile.last_state.power: RUNNING
devices:
  isolated:
    nictype: bridged
    parent: isolated
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""
Privileged containers
$ lxc config set webdev security.privileged true
$ lxc restart webdev
$ lxc shell webdev
root@webdev:~# tail -f /var/log/syslog &
Oct 11 16:30:30 webdev systemd[1]: Stopped target Login Prompts.
[...]
root@webdev:~# logout
$ ps aux | grep "tail -f"
root     19655 [...] 18:30   0:00 tail -f /var/log/syslog
$ lxc config set webdev security.privileged false
$ lxc restart webdev
$ lxc shell webdev
root@webdev:~# tail -f /var/log/syslog &
Oct 11 16:31:04 gitolite systemd[1]: Started User Manager for UID 0.
[...]
root@webdev:~# logout
$ ps aux | grep "tail -f"
165536   20938 [...] 18:31   0:00 tail -f /var/log/syslog
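The two `ps aux` results are the user namespace at work: with `security.privileged` set, the container's root is the host's root; without it, container uid 0 is the host uid recorded as `Hostid` in `volatile.last_state.idmap` (165536 above). The script below is an added example, not from the slides or from LXD: it reads a `lxc config show` dump and reports the effective mapping. Its three sample dumps are constructed to match the slide's values; in them the idmap entries are written out in full, with the `Nsid` and `Maprange` fields that LXD's idmap JSON carries.

```shell
#!/bin/sh
# Added example, not from the slides: from a "lxc config show" dump, report
# whether a container is privileged and which host uid its root (uid 0) maps to.
# The sample dumps are constructed to match the values shown on the slide.

# config_value DUMP KEY: print the value of KEY (quotes stripped), empty if absent
config_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 == (k ":") { v = $2; gsub(/"/, "", v); print v; exit }'
}

# root_host_uid DUMP: print the host uid the container's root maps to:
# 0 for a privileged container, otherwise the Hostid of the uid entry in
# volatile.last_state.idmap (the state of the last start), or "unknown".
# Note: security.privileged only takes effect on the next restart, which is
# why the slide's dump still shows an idmap of 165536 right after setting it.
root_host_uid() {
    if [ "$(config_value "$1" security.privileged)" = "true" ]; then
        echo 0
        return 0
    fi
    uid=$(printf '%s\n' "$1" | awk '
        /volatile\.last_state\.idmap:/ {
            s = $0
            while (match(s, /[{][^}]*[}]/)) {
                entry = substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
                if (entry ~ /"Isuid":true/ && match(entry, /"Hostid":[0-9]+/)) {
                    print substr(entry, RSTART + 9, RLENGTH - 9)
                    exit
                }
            }
        }')
    if [ -n "$uid" ]; then echo "$uid"; else echo unknown; fi
}

# describe_container NAME DUMP: one summary line for an inventory report
describe_container() {
    priv=$(config_value "$2" security.privileged)
    [ -n "$priv" ] || priv=false
    echo "$1: security.privileged=$priv, container root runs as host uid $(root_host_uid "$2")"
}

# Constructed sample: privileged, as after the first "lxc config set" above
PRIV_DUMP=$(cat <<'EOF'
architecture: x86_64
config:
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
  security.privileged: "true"
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
ephemeral: false
EOF
)

# Constructed sample: unprivileged, as after the flag is set back to false
UNPRIV_DUMP=$(cat <<'EOF'
architecture: x86_64
config:
  security.privileged: "false"
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
ephemeral: false
EOF
)

# Constructed sample: a container that has never been started (no last_state)
NO_STATE_DUMP=$(cat <<'EOF'
architecture: x86_64
config:
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
ephemeral: false
EOF
)

# Stand-alone run; on a host: describe_container webdev "$(lxc config show webdev --expanded)"
describe_container webdev-privileged "$PRIV_DUMP"
describe_container webdev-unprivileged "$UNPRIV_DUMP"
describe_container fresh "$NO_STATE_DUMP"
```

Use `lxc config show <container> --expanded` on a real host, because `security.privileged` may be inherited from a profile rather than set on the container itself, and only the expanded view includes profile keys.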
The End!
Classification: Public
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Bridging Science and Industry
Applied Research
Industrial Security | IIoT Security |
Mathematics for Security Research |
Machine Learning | Blockchain | Network
Security | Sustainable Software Systems |
Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings |
Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org
