SlideShare une entreprise Scribd logo

[KubeCon NA 2020] containerd: Rootless Containers 2020

A
Akihiro Suda

Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without the host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerability of the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain the introduction to rootless containers and deep-dive topics about the recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well. https://sched.co/fGWc

Logiciels
1  sur  30
Télécharger pour lire hors ligne
Akihiro Suda (containerd / NTT) Rootless Containers 2020
Akihiro Suda (containerd / NTT) Rootless Containers 2020 Ask me questions at #2-kubecon-maintainer ( https://slack.cncf.io )
What is Rootless Containers? • Running container runtimes (and also containers, of course) as a non- root user on the host • OCI (e.g. runc) • CRI (e.g. containerd) • CNI (e.g. Flannel) • kubelet, dockerd, … • Protects the host from potential vulnerabilities and misconfigurations 3
What is Rootless Containers? Don’t be confused… The following stuffs are unrelated: • .spec.securityContext.runAsUser (≈ docker run --user) • UserNS KEP (≈ dockerd --userns-remap) • usermod -aG docker foo • Singularity with SETUID 4
Why do we need Rootless? Most runtimes are designed to be secure by default, but they are still likely to have vulnerabilities Identifier Component Description CVE-2017-1002102 kubelet Files on the host could be removed containerd#2001 (2018) containerd /tmp on the host could be removed CVE-2018-11235 kubelet Arbitrary command could be executed on the host runc#1962 (2019) runc Bare procfs was exposed with non-pivot rootfs mode CVE-2019-5736 runc runc binary could be replaced with a malicious file CVE-2019-11245 kubelet An image could be executed with an unexpected UID CVE-2019-14271 dockerd A malicious NSS library could be loaded … … … And more! 5
Why do we need Rootless? • People often make misconfigurations L • Sets up insufficient PodSecurityPolicy / Gatekeeper policies • Exposes system components’ TCP ports without mTLS (e.g. etcd, kube-apiserver, kubelet, dockerd…) • Exposes private keys as IaaS metadata (169.254.169.254) • Uses same kubelet certs for all the nodes • … 6
Why do we need Rootless? • Rootless Containers can mitigate the impacts of such vulnerabilities and misconfiguration • Even if the host gets compromised, the attacker won’t be able to: • access files owned by other users • modify firmware and kernel (→ undetectable malware) • ARP spoofing (→ DNS spoofing) 7
Not a panacea, of course… Not effective against: • Vulnerabilities of kernel and hardware • DDoS attacks • Cryptomining … 8
Not a panacea, of course… Some caveats apply • Network throughput is slowed down (But we are seeing HUGE improvements in 2020) • No support for NFS and block storages (But it doesn’t matter if you use managed DBs and object storages) 9
History It began in c. 2012… But wasn’t popular until 2018-2019 Year Low layers High layers 2012 Kernel [officially in 2013] 2013 Semi-privileged networking with SETUID LXC 2014 2015 2016 runc [officially in 2017] 2017 10
History It began in c. 2012… But wasn’t popular until 2018-2019 Year Low layers High layers 2018 Unprivileged networking (slirp4netns) Unprivileged FUSE-OverlayFS BuildKit, based on containerd tech Docker [officially in 2019] & containerd Podman & CRI-O Kubernetes [unofficial, still] 2019 Unprivileged cgroup v2 via systemd Faster port forwarding (RootlessKit) k3s 2020 Faster networking with seccomp addfd 2021+ Kubernetes, officially? 11
• https://get.docker.com/rootless • Rootless mode was experimental in v19.03, will be GA in v20.10 • Other notables updates in v20.10 w.r.t. Rootless: • Resource limitation with Cgroup v2 • FUSE-OverlayFS • Improved installer Example: Docker 12
Easy to install Example: Docker 13 $ curl -fsSL https://get.docker.com/rootless | sh ⏎ $ export DOCKER_HOST=unix:///run/user/1000/docker.sock ⏎ $ docker run -d --name caddy -p 8080:80 caddy ⏎ $ curl http://localhost:8080 ⏎ ... <title>Caddy works!</title> ...
All processes are running as a non-root user Example: Docker 14 $ pstree user ⏎ sshd───bash───pstree systemd─┬─(sd-pam) ├─containerd-shim─┬─caddy───7*[{caddy}] │ └─12*[{containerd-shim}] └─rootlesskit─┬─exe─┬─dockerd─┬─containerd───10*[{containerd}] │ │ ├─rootlesskit-doc─┬─docker-proxy───6*[{docker-proxy}] │ │ │ └─6*[{rootlesskit-doc}] │ │ └─11*[{dockerd}] │ └─11*[{exe}] ├─vpnkit───4*[{vpnkit}] └─8*[{rootlesskit}]
• https://github.com/rootless-containers/usernetes • Rootless Kubernetes distribution • Multi-node demo is provided as a Docker Compose stack • CNI: Flannel (VXLAN) Example: Usernetes 15 $ docker-compose up –d ⏎ $ kubectl get nodes ⏎ NAME STATUS ROLES AGE VERSION node-containerd Ready <none> 3m46s v1.19.0-usernetes node-crio Ready <none> 3m46s v1.19.0-usernetes
Example: Usernetes 16 $ docker exec usernetes_node-containerd_1 pstree user ⏎ journalctl---(sd-pam) systemd-+-(sd-pam) |-containerd-fuse---containerd-fuse---4*[{containerd-fuse}] |-containerd.sh---containerd---10*[{containerd}] |-flanneld.sh---flanneld---9*[{flanneld}] |-nsenter.sh---kubelet---13*[{kubelet}] |-nsenter.sh---kube-proxy---7*[{kube-proxy}] `-rootlesskit.sh---rootlesskit-+-exe-+-rootlesskit.sh---sleep | `-9*[{exe}] |-slirp4netns `-8*[{rootlesskit}]
Example: k3s 17 $ k3s server --rootless ⏎ $ k3s kubectl apply –f manifest.yaml ⏎ • https://k3s.io/ • CNCF Sandbox Project • Focuses on edge computing • Incorporates Usernetes patches for supporting rootless, ahead of the Kubernetes upstream • Uses containerd as the CRI runtime
Example: BuildKit 18 • https://github.com/moby/buildkit • A container image builder, built on containerd technology • Can be executed in several ways • As a built-in feature of dockerd • As a standalone daemon • As a Kubernetes Pod • As a Kubernetes Job, without a daemon Pod • As a Tekton Task
No need to set securityContext.Privileged But Seccomp and AppArmor constraints need to be relaxed Example: BuildKit 19 spec: containers: - securityContext: runAsUser: 1000 seccompProfile: type: Unconfined metadata: annotations: container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
How it works • UserNS • MountNS • NetNS • Cgroup • New frontier: Seccomp User Notification 20
• Maps a non-root user (e.g. UID 1000) to a fake root user (UID 0) • Not the real root, but enough to run containers • Subordinate UIDs are mapped as well ( typically 65,536 UIDs, defined in /etc/subuid ) How it works: UserNS 21 Host UserNS 0 1 65536 0 1000 100000 165535 232
How it works: MountNS • A non-root user can create MontNS along with UserNS • But cannot mount most filesystems, except bind-mount, tmpfs, procfs, and sysfs... • No Overlayfs (on vanilla kernel) • No NFS • No block storages • FUSE is supported since kernel 4.18 • FUSE-OverlayFS can substitute real OverlayFS 22
• A non-root user can also create NetNS with UserNS • But cannot create vEth pairs, i.e. No internet connectivity • Slirp is used instead of vEth for unprivileged internet connectivity • Slow (51.5Gbps → 9.21Gbps), but we are seeing huge improvements NetNS How it works: NetNS 23 TAP Kernelslirp4netns Ethernet packets Socket syscalls
How it works: Cgroup • No support for cgroup v1 • i.e. no memory limit, no CPU limit, no fork-bomb guard... • Cgroup v2 is almost fully supported • Fedora has already switched the default to v2 • Other distros will follow in 2021-2022 ? 24
A new frontier in 2020: Seccomp User Notification • Kernel 5.0 merged the support for Seccomp User Notification: a new way to hook syscalls in the userspace • Similar to ptrace, but less numbers of context switches • Allows emulating subordinate UIDs without /etc/subuid • POC: https://github.com/rootless-containers/subuidless 25
A new frontier in 2020: Seccomp User Notification • Kernel 5.9 merged the support for SECCOMP_IOCTL_NOTIF_ADDFD • Allows injecting file descriptors from a host process into container processes • e.g. replace sockfd on connect(2) • No slirp overhead any more • POC: https://github.com/rootless-containers/bypass4netns 26
Recap • Rootless Containers can protect the host from potential vulnerabilities and misconfigurations • Already adopted by lots of projects: BuildKit, Docker, containerd, Podman, CRI-O, k3s ... • Being also proposed to the Kubernetes upstream • There are some drawbacks, but being significantly improved using Seccomp User Notification 27
Resources • Rootless Containers overview: https://rootlesscontaine.rs/ • Rootless containerd: https://github.com/containerd/containerd/blob/master/docs/rootless.md • Rootless Docker: https://get.docker.com/rootless • Usernetes: https://github.com/rootless-containers/usernetes • Rootless KEP: https://github.com/kubernetes/enhancements/pull/1371 28
Questions? • Ask me questions at #2-kubecon-maintainer ( https://slack.cncf.io ) 29
[KubeCon NA 2020] containerd: Rootless Containers 2020

Recommandé

[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動Kohei Tokunaga
 
[Container Runtime Meetup] runc & User Namespaces
[Container Runtime Meetup] runc & User Namespaces[Container Runtime Meetup] runc & User Namespaces
[Container Runtime Meetup] runc & User NamespacesAkihiro Suda
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線Motonori Shindo
 
Red Hat OpenShift Container Storage
Red Hat OpenShift Container StorageRed Hat OpenShift Container Storage
Red Hat OpenShift Container StorageTakuya Utsunomiya
 
コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)
コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)
コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)NTT DATA Technology & Innovation
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす Akihiro Suda
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 

Recommandé

[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動Kohei Tokunaga
 
[Container Runtime Meetup] runc & User Namespaces
[Container Runtime Meetup] runc & User Namespaces[Container Runtime Meetup] runc & User Namespaces
[Container Runtime Meetup] runc & User NamespacesAkihiro Suda
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線Motonori Shindo
 
Red Hat OpenShift Container Storage
Red Hat OpenShift Container StorageRed Hat OpenShift Container Storage
Red Hat OpenShift Container StorageTakuya Utsunomiya
 
コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)
コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)
コンテナを突き破れ!! ~コンテナセキュリティ入門基礎の基礎~(Kubernetes Novice Tokyo #11 発表資料)NTT DATA Technology & Innovation
 
root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす root権限無しでKubernetesを動かす
root権限無しでKubernetesを動かす Akihiro Suda
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能Kohei Tokunaga
 
BuildKitでLazy Pullを有効にしてビルドを早くする話
BuildKitでLazy Pullを有効にしてビルドを早くする話BuildKitでLazy Pullを有効にしてビルドを早くする話
BuildKitでLazy Pullを有効にしてビルドを早くする話Kohei Tokunaga
 
自宅k8s/vSphere入門
自宅k8s/vSphere入門自宅k8s/vSphere入門
自宅k8s/vSphere入門富士通クラウドテクノロジーズ株式会社
 
Rootlessコンテナ
RootlessコンテナRootlessコンテナ
RootlessコンテナAkihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~NTT Communications Technology Development
 
Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Taira Hajime
 
仮想化環境におけるパケットフォワーディング
仮想化環境におけるパケットフォワーディング仮想化環境におけるパケットフォワーディング
仮想化環境におけるパケットフォワーディングTakuya ASADA
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
OpenStack Ironic - Bare Metal-as-a-Service
OpenStack Ironic - Bare Metal-as-a-ServiceOpenStack Ironic - Bare Metal-as-a-Service
OpenStack Ironic - Bare Metal-as-a-ServiceRamon Acedo Rodriguez
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能Kohei Tokunaga
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless ModeAkihiro Suda
 
コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門Kohei Tokunaga
 
Monitoring in CloudStack
Monitoring in CloudStackMonitoring in CloudStack
Monitoring in CloudStackShapeBlue
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Kohei Tokunaga
 
Interrupt Affinityについて
Interrupt AffinityについてInterrupt Affinityについて
Interrupt AffinityについてTakuya ASADA
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)NTT DATA Technology & Innovation
 
20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)Kentaro Ebisawa
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 

Contenu connexe

Tendances

BuildKitでLazy Pullを有効にしてビルドを早くする話
BuildKitでLazy Pullを有効にしてビルドを早くする話BuildKitでLazy Pullを有効にしてビルドを早くする話
BuildKitでLazy Pullを有効にしてビルドを早くする話Kohei Tokunaga
 
Rootlessコンテナ
RootlessコンテナRootlessコンテナ
RootlessコンテナAkihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~NTT Communications Technology Development
 
Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Taira Hajime
 
仮想化環境におけるパケットフォワーディング
仮想化環境におけるパケットフォワーディング仮想化環境におけるパケットフォワーディング
仮想化環境におけるパケットフォワーディングTakuya ASADA
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
OpenStack Ironic - Bare Metal-as-a-Service
OpenStack Ironic - Bare Metal-as-a-ServiceOpenStack Ironic - Bare Metal-as-a-Service
OpenStack Ironic - Bare Metal-as-a-ServiceRamon Acedo Rodriguez
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能Kohei Tokunaga
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless ModeAkihiro Suda
 
コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門Kohei Tokunaga
 
Monitoring in CloudStack
Monitoring in CloudStackMonitoring in CloudStack
Monitoring in CloudStackShapeBlue
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Kohei Tokunaga
 
Interrupt Affinityについて
Interrupt AffinityについてInterrupt Affinityについて
Interrupt AffinityについてTakuya ASADA
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)NTT DATA Technology & Innovation
 
20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)Kentaro Ebisawa
 

Tendances (20)

BuildKitでLazy Pullを有効にしてビルドを早くする話
BuildKitでLazy Pullを有効にしてビルドを早くする話BuildKitでLazy Pullを有効にしてビルドを早くする話
BuildKitでLazy Pullを有効にしてビルドを早くする話
 
自宅k8s/vSphere入門
自宅k8s/vSphere入門自宅k8s/vSphere入門
自宅k8s/vSphere入門
 
Rootlessコンテナ
RootlessコンテナRootlessコンテナ
Rootlessコンテナ
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
macOSの仮想化技術について ~Virtualization-rs Rust bindings for virtualization.framework ~
 
Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向Linux KVM環境におけるGPGPU活用最新動向
Linux KVM環境におけるGPGPU活用最新動向
 
仮想化環境におけるパケットフォワーディング
仮想化環境におけるパケットフォワーディング仮想化環境におけるパケットフォワーディング
仮想化環境におけるパケットフォワーディング
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools
 
OpenStack Ironic - Bare Metal-as-a-Service
OpenStack Ironic - Bare Metal-as-a-ServiceOpenStack Ironic - Bare Metal-as-a-Service
OpenStack Ironic - Bare Metal-as-a-Service
 
BuildKitの概要と最近の機能
BuildKitの概要と最近の機能BuildKitの概要と最近の機能
BuildKitの概要と最近の機能
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode[DockerCon 2020] Hardening Docker daemon with Rootless Mode
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
 
コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門コンテナ未経験新人が学ぶコンテナ技術入門
コンテナ未経験新人が学ぶコンテナ技術入門
 
Monitoring in CloudStack
Monitoring in CloudStackMonitoring in CloudStack
Monitoring in CloudStack
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
Interrupt Affinityについて
Interrupt AffinityについてInterrupt Affinityについて
Interrupt Affinityについて
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
 
20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)20111015 勉強会 (PCIe / SR-IOV)
20111015 勉強会 (PCIe / SR-IOV)
 

Similaire à [KubeCon NA 2020] containerd: Rootless Containers 2020

Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesAkihiro Suda
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless ContainersAkihiro Suda
 
Docker and coreos20141020b
Docker and coreos20141020bDocker and coreos20141020b
Docker and coreos20141020bRichard Kuo
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless PodmanAkihiro Suda
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless ContainersAkihiro Suda
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless modeAkihiro Suda
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDocker, Inc.
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetesJuraj Hantak
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesAdam Hamsik
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesJérôme Petazzoni
 
Introducing Container Technology to TSUBAME3.0 Supercomputer
Introducing Container Technology to TSUBAME3.0 SupercomputerIntroducing Container Technology to TSUBAME3.0 Supercomputer
Introducing Container Technology to TSUBAME3.0 SupercomputerAkihiro Nomura
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkJérôme Petazzoni
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosHeiko Loewe
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersDocker, Inc.
 

Similaire à [KubeCon NA 2020] containerd: Rootless Containers 2020 (20)

Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Rootless Containers
Rootless ContainersRootless Containers
Rootless Containers
 
Docker and coreos20141020b
Docker and coreos20141020bDocker and coreos20141020b
Docker and coreos20141020b
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless Containers
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless mode
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetes
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 
Introducing Container Technology to TSUBAME3.0 Supercomputer
Introducing Container Technology to TSUBAME3.0 SupercomputerIntroducing Container Technology to TSUBAME3.0 Supercomputer
Introducing Container Technology to TSUBAME3.0 Supercomputer
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New York
 
Docker_AGH_v0.1.3
Docker_AGH_v0.1.3Docker_AGH_v0.1.3
Docker_AGH_v0.1.3
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and Mesos
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and Containers
 

Plus de Akihiro Suda

20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdfAkihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdfAkihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilionAkihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilionAkihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdfAkihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilionAkihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilionAkihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with DockerfileAkihiro Suda
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep DiveAkihiro Suda
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container imagesAkihiro Suda
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
[CNDT] 最近のDockerの新機能
[CNDT] 最近のDockerの新機能[CNDT] 最近のDockerの新機能
[CNDT] 最近のDockerの新機能Akihiro Suda
 

Plus de Akihiro Suda (19)

20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 
[CNDT] 最近のDockerの新機能
[CNDT] 最近のDockerの新機能[CNDT] 最近のDockerの新機能
[CNDT] 最近のDockerの新機能
 
ISC HPCW talks
ISC HPCW talksISC HPCW talks
ISC HPCW talks
 

Dernier

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 

Dernier (20)

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 

[KubeCon NA 2020] containerd: Rootless Containers 2020

  • 1. Akihiro Suda (containerd / NTT) Rootless Containers 2020
  • 2. Akihiro Suda (containerd / NTT) Rootless Containers 2020 Ask me questions at #2-kubecon-maintainer ( https://slack.cncf.io )
  • 3. What is Rootless Containers? • Running container runtimes (and also containers, of course) as a non- root user on the host • OCI (e.g. runc) • CRI (e.g. containerd) • CNI (e.g. Flannel) • kubelet, dockerd, … • Protects the host from potential vulnerabilities and misconfigurations 3
  • 4. What is Rootless Containers? Don’t be confused… The following stuffs are unrelated: • .spec.securityContext.runAsUser (≈ docker run --user) • UserNS KEP (≈ dockerd --userns-remap) • usermod -aG docker foo • Singularity with SETUID 4
  • 5. Why do we need Rootless? Most runtimes are designed to be secure by default, but they are still likely to have vulnerabilities Identifier Component Description CVE-2017-1002102 kubelet Files on the host could be removed containerd#2001 (2018) containerd /tmp on the host could be removed CVE-2018-11235 kubelet Arbitrary command could be executed on the host runc#1962 (2019) runc Bare procfs was exposed with non-pivot rootfs mode CVE-2019-5736 runc runc binary could be replaced with a malicious file CVE-2019-11245 kubelet An image could be executed with an unexpected UID CVE-2019-14271 dockerd A malicious NSS library could be loaded … … … And more! 5
  • 6. Why do we need Rootless? • People often make misconfigurations L • Sets up insufficient PodSecurityPolicy / Gatekeeper policies • Exposes system components’ TCP ports without mTLS (e.g. etcd, kube-apiserver, kubelet, dockerd…) • Exposes private keys as IaaS metadata (169.254.169.254) • Uses same kubelet certs for all the nodes • … 6
  • 7. Why do we need Rootless? • Rootless Containers can mitigate the impacts of such vulnerabilities and misconfiguration • Even if the host gets compromised, the attacker won’t be able to: • access files owned by other users • modify firmware and kernel (→ undetectable malware) • ARP spoofing (→ DNS spoofing) 7
  • 8. Not a panacea, of course… Not effective against: • Vulnerabilities of kernel and hardware • DDoS attacks • Cryptomining … 8
  • 9. Not a panacea, of course… Some caveats apply • Network throughput is slowed down (But we are seeing HUGE improvements in 2020) • No support for NFS and block storages (But it doesn’t matter if you use managed DBs and object storages) 9
  • 10. History It began in c. 2012… But wasn’t popular until 2018-2019 Year Low layers High layers 2012 Kernel [officially in 2013] 2013 Semi-privileged networking with SETUID LXC 2014 2015 2016 runc [officially in 2017] 2017 10
  • 11. History It began in c. 2012… But wasn’t popular until 2018-2019 Year Low layers High layers 2018 Unprivileged networking (slirp4netns) Unprivileged FUSE-OverlayFS BuildKit, based on containerd tech Docker [officially in 2019] & containerd Podman & CRI-O Kubernetes [unofficial, still] 2019 Unprivileged cgroup v2 via systemd Faster port forwarding (RootlessKit) k3s 2020 Faster networking with seccomp addfd 2021+ Kubernetes, officially? 11
  • 12. • https://get.docker.com/rootless • Rootless mode was experimental in v19.03, will be GA in v20.10 • Other notables updates in v20.10 w.r.t. Rootless: • Resource limitation with Cgroup v2 • FUSE-OverlayFS • Improved installer Example: Docker 12
  • 13. Easy to install Example: Docker 13 $ curl -fsSL https://get.docker.com/rootless | sh ⏎ $ export DOCKER_HOST=unix:///run/user/1000/docker.sock ⏎ $ docker run -d --name caddy -p 8080:80 caddy ⏎ $ curl http://localhost:8080 ⏎ ... <title>Caddy works!</title> ...
  • 14. All processes are running as a non-root user Example: Docker 14 $ pstree user ⏎ sshd───bash───pstree systemd─┬─(sd-pam) ├─containerd-shim─┬─caddy───7*[{caddy}] │ └─12*[{containerd-shim}] └─rootlesskit─┬─exe─┬─dockerd─┬─containerd───10*[{containerd}] │ │ ├─rootlesskit-doc─┬─docker-proxy───6*[{docker-proxy}] │ │ │ └─6*[{rootlesskit-doc}] │ │ └─11*[{dockerd}] │ └─11*[{exe}] ├─vpnkit───4*[{vpnkit}] └─8*[{rootlesskit}]
  • 15. • https://github.com/rootless-containers/usernetes • Rootless Kubernetes distribution • Multi-node demo is provided as a Docker Compose stack • CNI: Flannel (VXLAN) Example: Usernetes 15 $ docker-compose up –d ⏎ $ kubectl get nodes ⏎ NAME STATUS ROLES AGE VERSION node-containerd Ready <none> 3m46s v1.19.0-usernetes node-crio Ready <none> 3m46s v1.19.0-usernetes
  • 16. Example: Usernetes 16 $ docker exec usernetes_node-containerd_1 pstree user ⏎ journalctl---(sd-pam) systemd-+-(sd-pam) |-containerd-fuse---containerd-fuse---4*[{containerd-fuse}] |-containerd.sh---containerd---10*[{containerd}] |-flanneld.sh---flanneld---9*[{flanneld}] |-nsenter.sh---kubelet---13*[{kubelet}] |-nsenter.sh---kube-proxy---7*[{kube-proxy}] `-rootlesskit.sh---rootlesskit-+-exe-+-rootlesskit.sh---sleep | `-9*[{exe}] |-slirp4netns `-8*[{rootlesskit}]
  • 17. Example: k3s 17 $ k3s server --rootless ⏎ $ k3s kubectl apply –f manifest.yaml ⏎ • https://k3s.io/ • CNCF Sandbox Project • Focuses on edge computing • Incorporates Usernetes patches for supporting rootless, ahead of the Kubernetes upstream • Uses containerd as the CRI runtime
  • 18. Example: BuildKit 18 • https://github.com/moby/buildkit • A container image builder, built on containerd technology • Can be executed in several ways • As a built-in feature of dockerd • As a standalone daemon • As a Kubernetes Pod • As a Kubernetes Job, without a daemon Pod • As a Tekton Task
  • 19. No need to set securityContext.Privileged But Seccomp and AppArmor constraints need to be relaxed Example: BuildKit 19 spec: containers: - securityContext: runAsUser: 1000 seccompProfile: type: Unconfined metadata: annotations: container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
  • 20. How it works • UserNS • MountNS • NetNS • Cgroup • New frontier: Seccomp User Notification 20
  • 21. • Maps a non-root user (e.g. UID 1000) to a fake root user (UID 0) • Not the real root, but enough to run containers • Subordinate UIDs are mapped as well ( typically 65,536 UIDs, defined in /etc/subuid ) How it works: UserNS 21 Host UserNS 0 1 65536 0 1000 100000 165535 232
  • 22. How it works: MountNS • A non-root user can create MontNS along with UserNS • But cannot mount most filesystems, except bind-mount, tmpfs, procfs, and sysfs... • No Overlayfs (on vanilla kernel) • No NFS • No block storages • FUSE is supported since kernel 4.18 • FUSE-OverlayFS can substitute real OverlayFS 22
  • 23. • A non-root user can also create NetNS with UserNS • But cannot create vEth pairs, i.e. No internet connectivity • Slirp is used instead of vEth for unprivileged internet connectivity • Slow (51.5Gbps → 9.21Gbps), but we are seeing huge improvements NetNS How it works: NetNS 23 TAP Kernelslirp4netns Ethernet packets Socket syscalls
  • 24. How it works: Cgroup • No support for cgroup v1 • i.e. no memory limit, no CPU limit, no fork-bomb guard... • Cgroup v2 is almost fully supported • Fedora has already switched the default to v2 • Other distros will follow in 2021-2022 ? 24
  • 25. A new frontier in 2020: Seccomp User Notification • Kernel 5.0 merged the support for Seccomp User Notification: a new way to hook syscalls in the userspace • Similar to ptrace, but less numbers of context switches • Allows emulating subordinate UIDs without /etc/subuid • POC: https://github.com/rootless-containers/subuidless 25
  • 26. A new frontier in 2020: Seccomp User Notification • Kernel 5.9 merged the support for SECCOMP_IOCTL_NOTIF_ADDFD • Allows injecting file descriptors from a host process into container processes • e.g. replace sockfd on connect(2) • No slirp overhead any more • POC: https://github.com/rootless-containers/bypass4netns 26
  • 27. Recap • Rootless Containers can protect the host from potential vulnerabilities and misconfigurations • Already adopted by lots of projects: BuildKit, Docker, containerd, Podman, CRI-O, k3s ... • Being also proposed to the Kubernetes upstream • There are some drawbacks, but being significantly improved using Seccomp User Notification 27
  • 28. Resources • Rootless Containers overview: https://rootlesscontaine.rs/ • Rootless containerd: https://github.com/containerd/containerd/blob/master/docs/rootless.md • Rootless Docker: https://get.docker.com/rootless • Usernetes: https://github.com/rootless-containers/usernetes • Rootless KEP: https://github.com/kubernetes/enhancements/pull/1371 28
  • 29. Questions? • Ask me questions at #2-kubecon-maintainer ( https://slack.cncf.io ) 29