docs(day-1): First talk
All checks were successful
Build latest image / build-container (push) Successful in 47s
parent 17b4407fea
commit 80f62fd567
57
content/day-1/01_container-security.md
Normal file
@ -0,0 +1,57 @@
---
title: What I wish i knew about container security
weight: 1
tags:
- rejekts
- security
---
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
## BAseline
- Linux is like a hammer and containers look a lot like nails
- Containers aren't real: They are just processes with besser isolation
- IPTables is complicates
### Hard parts
- The kernel is shared we only predent to seperate processes through namespaces
- Filesystems: Containers bring a bunch of filesystems and sharing filesystems between multiple containers
- Softlinks are hard to do right because they point to a path and not the data itself
### How did we get here?
1. Unix with a buch of tools we still use
2. Linux (originally designed to for the desktop)
3. Kernel gets iptables
4. The rist concept of namespaces
5. More hypervisor stuff and official user namespaces
6. Containers (first lxc then docker)
## Sandboxing
- In browsers: They must protect the user from malicious content
- In containers: PRetty much the same - both run untrusted code that has to be isolated
## Namespaces
- Better isolation from other processes including resource constraints
- But: The shared kernel interacts with all processes (so kernel bugs can affect all namespaces)

## Improvements
- Secure Computing: Implement a secure state that we transition into before the process actually does stuff
- Paravirtualization: Instead of system calls to a shared kernel we make hyper-calls to the hypervisor
- Virtualization: The classic virtualization where everyone hosts their own kernel
## Stuff to look out for
> More or less a bit of advertisement
- Edera: Container native hypervisor without a shared kernel
- Styrolite: Rust-based container runtime sandbox
- eBPF and Tetragon for prevention and monitoring
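Review bot: the new notes file carries several typos that will render verbatim on the published page: `## BAseline` (Baseline), `besser isolation` (better), `IPTables is complicates` (complicated), `predent to seperate` (pretend to separate), `buch of tools` (bunch), `designed to for the desktop` (designed for), `The rist concept` (presumably "first"), and `PRetty much the same`. Since `weight: 1` makes this the first page of the day-1 section, a spell-check pass before merge is worth it. Two smaller points: the `{{% button %}}` YouTube shortcode is committed commented out, so if the recording is not published yet a short TODO next to it would record why; and the image reference `_imgs/namespaces.png` is relative to the page, so confirm it resolves in the site's URL layout given that the binary is added under `content/day-1/_imgs/` rather than beside the rendered page.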
BIN
content/day-1/_imgs/namespaces.png
Normal file
Binary file not shown.
Size: 181 KiB
@ -4,7 +4,7 @@ title: Day -1
weight: 3
weight: 3
---
---
TODO:
The second and last day of cloud native rejekts and (some might say most importantly) time for my talk.
## Talk recommendations
## Talk recommendations
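Review bot: `cloud native rejekts` in the new intro sentence is the event name and should be capitalized as Cloud Native Rejekts. The hunk header shows this page is titled `Day -1` while the sentence calls it "the second and last day", which only reads consistently if the reader knows the day numbering counts down to the main conference; one clause making that explicit would help. The change replaces only the `TODO:` placeholder, and the `## Talk recommendations` heading in the trailing context lies outside the hunk, so check it is not left as an empty heading or another placeholder.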