docs(day-1): First talk
All checks were successful
Build latest image / build-container (push) Successful in 47s
This commit is contained in:
parent
17b4407fea
commit
80f62fd567
57
content/day-1/01_container-security.md
Normal file
@ -0,0 +1,57 @@
---
title: What I wish i knew about container security
weight: 1
tags:
- rejekts
- security
---
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
## BAseline
- Linux is like a hammer and containers look a lot like nails
- Containers aren't real: They are just processes with besser isolation
- IPTables is complicates
### Hard parts
- The kernel is shared we only predent to seperate processes through namespaces
- Filesystems: Containers bring a bunch of filesystems and sharing filesystems between multiple containers
- Softlinks are hard to do right because they point to a path and not the data itself
### How did we get here?
1. Unix with a buch of tools we still use
2. Linux (originally designed to for the desktop)
3. Kernel gets iptables
4. The rist concept of namespaces
5. More hypervisor stuff and official user namespaces
6. Containers (first lxc then docker)
## Sandboxing
- In browsers: They must protect the user from malicious content
- In containers: PRetty much the same - both run untrusted code that has to be isolated
## Namespaces
- Better isolation from other processes including resource constraints
- But: The shared kernel interacts with all processes (so kernel bugs can affect all namespaces)



## Improvements
- Secure Computing: Implement a secure state that we transition into before the process actually does stuff
- Paravirtualization: Instead of system calls to a shared kernel we make hyper-calls to the hypervisor
- Virtualization: The classic virtualization where everyone hosts their own kernel
## Stuff to look out for
> More or less a bit of advertisement
- Edera: Container native hypervisor without a shared kernel
- Styrolite: Rust-based container runtime sandbox
- eBPF and Tetragon for prevention and monitoring
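Review bot: several typos in the added Markdown will show on the published page and should be fixed before this lands: in the front matter `title: What I wish i knew about container security` the `i` should be `I`; `## BAseline` should be `## Baseline`; in the bullets `besser` (German) should be `better`, `IPTables is complicates` should read `iptables is complicated`, `predent to seperate` should be `pretend to separate`, `buch` should be `bunch`, `designed to for the desktop` should be `designed for the desktop`, `rist concept` should be `first concept`, and `PRetty much` should be `Pretty much`. The line directly under the Namespaces bullets, where the `_imgs/namespaces.png` file added in this same commit would be embedded, is empty in the diff view, so confirm the image reference is intact and carries alt text. If the `Secure Computing` bullet refers to seccomp, naming it as seccomp and saying that it restricts which system calls the process may make would tie it back to the shared-kernel point raised under Namespaces.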
BIN
content/day-1/_imgs/namespaces.png
Normal file
Binary file not shown.
After: Size: 181 KiB
@ -4,7 +4,7 @@ title: Day -1
weight: 3
---
TODO:
The second and last day of cloud native rejekts and (some might say most importantly) time for my talk.
## Talk recommendations
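Review bot: a bare `TODO:` line is left in the page body directly above the day summary, and `## Talk recommendations` at the end of the hunk is an empty section; either fill both in or drop them so the rendered Day -1 page does not publish placeholder text.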