SlideShare une entreprise Scribd logo

Rootless Containers & Unresolved issues

A
Akihiro Suda

Rootless containers and unresolved issues as of May 2019.

Logiciels
1  sur  55
Télécharger pour lire hors ligne
Rootless Containers & Unresolved Issues Akihiro Suda / NTT (@_AkihiroSuda_) May 17, 2019 1
Agenda • Introduction to Rootless Containers • How it works • Adoption status • Unresolved issues • containerd dev plan 2
Introduction 3
Rootless Containers • Run containers, runtimes, and orchestrators as a non-root user • Don’t confuse with: – usermod -aG docker penguin – docker run --user – dockerd --userns-remap 4
Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes and orchestrator (the primary motivation) • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments – Still unsuitable for “multi-tenancy” where you can’t really trust other users • To isolate nested containers, e.g. “Docker-in-Docker” 5
Runtime vulnerabilities • Docker “Shocker” (2014) – A malicious container was allowed to access the host file system, as CAP_DAC_READ_SEARCH was effective by default • Docker CVE-2014-9357 – A malicious docker build container could run arbitrary binary on the host as the root due to an LZMA archive issue • containerd #2001 (2018) – A malicious container image could remove /tmp on the host when the image was pulled (not when actually launched!) 6
Runtime vulnerabilities • Docker “Shocker” (2014) – A malicious container was allowed to access the host file system, as CAP_DAC_READ_SEARCH was effective by default • Docker CVE-2014-9357 – A malicious docker build container could run arbitrary binary on the host as the root due to an LZMA archive issue • containerd #2001 (2018) – A malicious container image could remove /tmp on the host when the image was pulled (not when actually launched!) 7 Vulnerability of daemons, not containers per se So --userns-remap is not effective
Runtime vulnerabilities • runc #1962 (2019) – Container break-out via /proc/sys/kernel/core_pattern or /sys/kernel/uevent_helper – Hosts with the initrd rootfs (DOCKER_RAMDISK) were affected (e.g. Minikube) • runc CVE-2019-5736 – Container break-out via /proc/self/exe 8
Other vulnerabilities • Kubernetes CVE-2017-1002101, CVE-2017-1002102 – A malicious container was allowed to access the host filesystem via vulnerabilities related to volumes • Kubernetes CVE-2018-1002105 – A malicious API call could be used to gain cluster-admin (and hence the root privileges on the nodes) • Git CVE-2018-11235 (affected Kubernetes gitRepo volumes) – A malicious repo could execute an arbitrary binary as the root when it was cloned 9
Other vulnerabilities • Kubernetes CVE-2017-1002101, CVE-2017-1002102 – A malicious container was allowed to access the host filesystem via vulnerabilities related to volumes • Kubernetes CVE-2018-1002105 – A malicious API call could be used to gain cluster-admin (and hence the root privileges on the nodes) • Git CVE-2018-11235 (affected Kubernetes gitRepo volumes) – A malicious repo could execute an arbitrary binary as the root when it was cloned 10 --userns-remap might not be effective
Play-with-Docker.com vulnerability • Play-with-Docker.com: Online Docker playground, implemented using Docker-in-Docker with custom AppArmor profiles • Malicious kernel module was loadable due to AppArmor misconfiguration (revealed on Jan 14, 2019) – Not really an issue of Docker 11https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/
What Rootless Containers can • Prohibit accessing files owned by other users • Prohibit modifying firmware and kernel (→ undetectable malware) • Prohibit other privileged operations like ARP spoofing, rebooting,... 12
What Rootless Containers cannot • If a container was broke out, the attacker still might be able to – Mine cryptocurrencies – Springboard-attack to other hosts • Not effective for kernel / VM/ HW vulns – But we could use gVisor together for mitigating some of them 13
How it works 14
User Namespaces • User namespaces allow non-root users to pretend to be the root • Root-in-UserNS can have “fake” UID 0 and also create other namespaces (MountNS, NetNS..) 15
User Namespaces 16 $ id -u 1001 $ ls -ln -rw-rw---- 1 1001 1001 42 May 1 12:00 foo $ docker-rootless run -v $(pwd):/mnt -it alpine / # id -u 0 / # ls -ln /mnt -rw-rw---- 1 0 0 42 May 1 12:00 foo
User Namespaces 17 $ docker-rootless run -v /:/host -it alpine / # ls -ln /host/dev/sda brw-rw---- 1 65534 65534 8, 0 May 1 12:00 /host/dev/sda / # cat /host/dev/sda cat: can’t open ‘/host/dev/sda’: Permission denied
Sub-users (and sub-groups) • Put users in your user account so you can be a user while you are being a user • Sub-users are used as non-root users in a container – USER in Dockerfile – docker run --user 18
Sub-users (and sub-groups) • If /etc/subuid contains “1001:100000:65536” • Having 65536 sub-users should be enough for most containers 19 0 1001 100000 165535 232 Host UserNS primary user sub-users start sub-users length 0 1 65536
Sub-users (and sub-groups) • Sub-users are configured via SUID binaries /usr/bin/{newuidmap, newgidmap} • SETUID binary can be dangerous; newuidmap & newgidmap had two CVEs so far: – CVE-2016-6252 (CVSS v3: 7.8): integer overflow issue – CVE-2018-7169 (CVSS v3: 5.3): supplementary GID issue 20
Sub-users (and sub-groups) • Also hard to maintain sub-users – LDAP / AD – Nesting user namespaces might need huge number of sub-users 21
Sub-users (and sub-groups) • Alternative way: Single-mapping mode • Does not require newuidmap/newgidmap • Ptrace and/or Seccomp can be used for intercepting syscalls to emulate sub-users – user.rootlesscontainers xattr can be used for chown emulation 22
Network Namespaces • An unprivileged user can create network namespaces along with user namespaces • With network namespaces, the user can – isolate abstract (pathless) UNIX sockets • important to prevent container breakout – create iptables rules – set up overlay networking with VXLAN – run tcpdump – ... 23
Network Namespaces • But an unprivileged user cannot set up veth pairs across the host and namespaces, i.e. No internet connection 24 The Internet Host UserNS + NetNS
Network Namespaces 25 • lxc-user-nic SUID binary allows unprivileged users to create veth, but we are not huge fun of SUID binaries • Our approach: use completely unprivileged usermode network (“Slirp”) with a TAP device TAP “Slirp” TAPFD send fd as a SCM_RIGHTS cmsg The Internet Host UserNS + NetNS
Network Namespaces Benchmark of several “Slirp” implementations: • slirp4netns (our own implementation based on QEMU Slirp) is the fastest because it avoids copying packets across the namespaces MTU=1500 MTU=4000 MTU=16384 MTU=65520 vde_plug 763 Mbps Unsupported Unsupported Unsupported VPNKit 514 Mbps 526 Mbps 540 Mbps Unsupported slirp4netns 1.07 Gbps 2.78 Gbps 4.55 Gbps 9.21 Gbps cf. rootful veth 52.1 Gbps 45.4 Gbps 43.6 Gbps 51.5 Gbps Benchmark: iperf3 (netns -> host), measured on Travis CI. See rootless-containers/rootlesskit#12 26
Multi-node networking • Flannel VXLAN is known to work – Encapsulates Ethernet packets in UDP packets – Provides L2 connectivity across rootless containers on different nodes • Other protocols should work as well, except ones that require access to raw Ethernet 27
Snapshotting • OverlayFS is currently unavailable in UserNS (except on Ubuntu kernel) • FUSE-OverlayFS can be used instead with kernel 4.18+ • XFS reflink can be also used to deduplicate files (but slow) 28
Cgroup • pam_cgfs can be used for delegating permissions to unprivileged users, but considered insecure by systemd folks https://github.com/containers/libpod/issues/1429 • cgroup2 provides proper support for delegation, but not adopted by OCI at the moment 29
Rootless Containers in Containers • Urge demand for building images on Kubernetes cluster • Seccomp and AppArmor needs to be disabled for the parent containers • To allow the children to mount procfs (pid-namespaced), maskedPaths and readonlyPaths for /proc/* for the parent needs to be removed (weird!) – Same applies to sysfs (net-namespaced) 30
Rootless Containers in Containers • So --privileged had been typically required anyway :( – Or at least --security-opt {seccomp,apparmor}=unconfined • Docker 19.03 supports --security-opt systempaths=unconfined for allowing procfs & sysfs mount (Kube: securityContext.procMount, but no sysMount yet) – Make sure to lock the root in the container! (passwd -l root, Alpine CVE-2019-5021 ) 31
Adoption status 32
Adoption status: runtimes 33 Docker v19.03 containerd runc Podman (≈ CRI-O) crun LXC Singularity NetNS isolation with Internet connectivity ● VPNKit ● slirp4netns ● lxc-user-nic (SUID) slirp4netns lxc-user-nic (SUID) No support Supports FUSE-OverlayFS No Yes No No Cgroup No Limited support for cgroup2 pam_cgfs No
Adoption status: runtimes::GPU • nvidia-container-runtime is known to work • Need to disable cgroup manually • Rootful nVIDIA container needs to be executed on every system startup • Probably, other devices such as FPGA should work as well (untested) 34
Adoption status: runtimes::single-mapping mode • udocker does not need subuid configuration, as it can emulate subuser with ptrace (based on PRoot) – but no persistent chown • runROOTLESS (Don’t confuse with upstream rootless runc) supports persistent chown as well, using user.rootlesscontainers xattr – the xattr value is a pair of UID and GID in protobuf encoding – the xattr convention is compatible with umoci 35
Adoption status: runtimes::single-mapping mode • Ptrace is slow https://github.com/rootless-containers/runrootless/issues/14 • seccomp can be used for acceleration but hard to implement correctly 36
Adoption status: image builders • BuildKit / img / Buildah supports rootless mode – Works in containers as well as on the host – Does not need --privileged but Seccomp and AppArmor needs to be disabled 37
Adoption status: image builders • Similar but different work: Kaniko & Makisu – Rootful – But no need to disable seccomp and AppArmor, because they don’t create containers for RUN instructions in Dockerfile 38
Adoption status: Kubernetes • Usernetes project provides patches for rootless Kubernetes, but not proposed to the upstream yet – Supports all major CRI runtimes: dockershim, containerd, CRI-O – Flannel VXLAN is known to work – Lack of cgroup might be huge concern • But Usernetes is already integrated into k3s! (5 less than k8s) 39 $ k3s server --rootless
You can rootlesify your own project easily! • RootlessKit does almost all things for rootlessifying your container project (or almost any rootful app) – Creates UserNS with sub-users and sub-groups – Creates MountNS with writable /etc, /run but without chroot – Creates NetNS with VPNKit/slirp4netns/lxc-user-nic – Provides REST API on UNIX socket for port forwarding management 40
You can rootlesify your own project easily! 41 $ rootlesskit --net=slirp4netns --copy-up=/etc --port-driver=builtin bash # id -u 0 # touch /etc/here-is-writable-tmpfs # ip a ... 2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> inet 10.0.2.100/24 scope global tap0 ... # rootlessctl add-ports 0.0.0.0:8080:80/tcp
You can rootlesify your own project easily! • With RootlessKit, you just need to work on disabling cgroup stuff, sysctl stuff, and changing the data path from /var/lib to /home • Used by Docker, BuildKit, k3s 42
Unresolved Issues 43
Kernel has vulns • UserNS tends to have priv escalation vulns – CVE 2013-1858: UserNS + CLONE_FS – CVE-2014-4014: UserNS + chmod – CVE-2015-1328: UserNS + OverlayFS (Ubuntu-only) • So rootless OverlayFS is still not merged in upstream – CVE-2018-18955: UserNS + complex ID mapping 44
Kernel has vulns • A bunch of code paths that can hang up the kernel – e.g. CVE-2018-7191 (unpublished published today): creating a tap device with illegal name – And more, see https://medium.com/@jain.sm/security-challenges-with-kubernetes-818fad4a89f2 • Unlimited resources e.g. – Pending signals – Max user process – Max FDs per user (see the same URL above) 45
Kernel has vulns • So I’ve never suggested using rootless containers for real multi-tenancy ¯_(ツ)_/¯ 46
Kernel has vulns • gVisor might be able to mitigate them but significant overhead and syscall incompatibility • UML (20 yo, still alive!) is almost compatible with real Linux but it even lacks support for SMP • linuxd: similar to UML but accelerated with host kernel patches – Still no public code https://schd.ws/hosted_files/ossna18/db/Containerize%20Linux%20Kernel.pdf 47
Cgroups • cgroup2 is not adopted in OCI • crun is trying to support cgroup2 without changing OCI spec 48
Mount • Only supports: – tmpfs – bind – procfs (PID-namespaced) – sysfs (net-namespaced) – FUSE (since kernel 4.18) – Overlay (Ubuntu only) • No support for mounting any block devices (even loopback devices) 49
Landlock • landlock: unprivileged sandbox LSM • Not merged in the upstream kernel, but promising as AppArmor-alternative 50
LDAP / Active Directory • /etc/sub{u,g}id configuration is painful for LDAP/AD • Alternatively, implementing NSS module is under discussion, but no code yet https://github.com/shadow-maint/shadow/issues/154 51
Single-mapping mode • runROOTLESS / PRoot could be accelerated with seccomp but implementation is broken • Kernel 5.0 seccomp could be used for getting rid of ptrace completely 52
containerd dev plan 53
containerd dev plan • Implement FUSE-OverlayFS snapshotter plugin – Probably in a separate repo – Should not be difficult • Support cgroup2 – Probably we want to wait for OCI Runtime Spec and runc to be revised – But we can also consider beginning support cgroup2 right now with crun 54
containerd dev plan • Support running containerd inside gVisor – So as to allow running rootless containers in a container without disabling seccomp & apparmor – And to mitigate potential kernel vulns – Currently MountNS is not working https://github.com/google/gvisor/issues/221 55

Recommandé

Rootless Containers
Rootless ContainersRootless Containers
Rootless ContainersAkihiro Suda
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingKohei Tokunaga
 
Docker Registry V2
Docker Registry V2Docker Registry V2
Docker Registry V2Docker, Inc.
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Herofazalraja
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdKohei Tokunaga
 
The world of Containers with Podman, Buildah, Skopeo by Seema - CCDays
The world of Containers with Podman, Buildah, Skopeo by Seema - CCDaysThe world of Containers with Podman, Buildah, Skopeo by Seema - CCDays
The world of Containers with Podman, Buildah, Skopeo by Seema - CCDaysCodeOps Technologies LLP
 

Recommandé

Rootless Containers
Rootless ContainersRootless Containers
Rootless ContainersAkihiro Suda
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingKohei Tokunaga
 
Docker Registry V2
Docker Registry V2Docker Registry V2
Docker Registry V2Docker, Inc.
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Herofazalraja
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020Akihiro Suda
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdKohei Tokunaga
 
The world of Containers with Podman, Buildah, Skopeo by Seema - CCDays
The world of Containers with Podman, Buildah, Skopeo by Seema - CCDaysThe world of Containers with Podman, Buildah, Skopeo by Seema - CCDays
The world of Containers with Podman, Buildah, Skopeo by Seema - CCDaysCodeOps Technologies LLP
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless KubernetesAkihiro Suda
 
DockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるDockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるKohei Tokunaga
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containersGiuseppe Scrivano
 
Extending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsExtending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsStefan Schimanski
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingGiragadurai Vallirajan
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes securityThomas Fricke
 
Dockerクイックツアー
DockerクイックツアーDockerクイックツアー
DockerクイックツアーEtsuji Nakai
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsSIGHUP
 
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies Daniel Oh
 
OSTree: OSイメージとパッケージシステムの間にGitのアプローチを
OSTree: OSイメージとパッケージシステムの間にGitのアプローチをOSTree: OSイメージとパッケージシステムの間にGitのアプローチを
OSTree: OSイメージとパッケージシステムの間にGitのアプローチをi_yudai
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!SebastienSEYMARC
 
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)NTT DATA Technology & Innovation
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動Kohei Tokunaga
 
Rootlessコンテナ
RootlessコンテナRootlessコンテナ
RootlessコンテナAkihiro Suda
 
Starting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesStarting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesKohei Tokunaga
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみたKohei Tokunaga
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanMihai Criveti
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線Motonori Shindo
 
Docker internals
Docker internalsDocker internals
Docker internalsRohit Jnagal
 
The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless ContainersAkihiro Suda
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 

Contenu connexe

Tendances

Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless KubernetesAkihiro Suda
 
DockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるDockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるKohei Tokunaga
 
Extending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsExtending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsStefan Schimanski
 
Dockerクイックツアー
DockerクイックツアーDockerクイックツアー
DockerクイックツアーEtsuji Nakai
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsSIGHUP
 
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies Daniel Oh
 
OSTree: OSイメージとパッケージシステムの間にGitのアプローチを
OSTree: OSイメージとパッケージシステムの間にGitのアプローチをOSTree: OSイメージとパッケージシステムの間にGitのアプローチを
OSTree: OSイメージとパッケージシステムの間にGitのアプローチをi_yudai
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...Akihiro Suda
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!SebastienSEYMARC
 
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)NTT DATA Technology & Innovation
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動Kohei Tokunaga
 
Rootlessコンテナ
RootlessコンテナRootlessコンテナ
RootlessコンテナAkihiro Suda
 
Starting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesStarting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesKohei Tokunaga
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみたKohei Tokunaga
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanMihai Criveti
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線Motonori Shindo
 

Tendances (20)

Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless Kubernetes
 
DockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるDockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐる
 
Podman rootless containers
Podman rootless containersPodman rootless containers
Podman rootless containers
 
Extending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitionsExtending kubernetes with CustomResourceDefinitions
Extending kubernetes with CustomResourceDefinitions
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Dockerクイックツアー
DockerクイックツアーDockerクイックツアー
Dockerクイックツアー
 
Kubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & OperatorsKubernetes extensibility: CRDs & Operators
Kubernetes extensibility: CRDs & Operators
 
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
 
OSTree: OSイメージとパッケージシステムの間にGitのアプローチを
OSTree: OSイメージとパッケージシステムの間にGitのアプローチをOSTree: OSイメージとパッケージシステムの間にGitのアプローチを
OSTree: OSイメージとパッケージシステムの間にGitのアプローチを
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui... [KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!
 
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
Kubernetes環境に対する性能試験(Kubernetes Novice Tokyo #2 発表資料)
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
 
Rootlessコンテナ
RootlessコンテナRootlessコンテナ
Rootlessコンテナ
 
Starting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of ImagesStarting up Containers Super Fast With Lazy Pulling of Images
Starting up Containers Super Fast With Lazy Pulling of Images
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with Podman
 
コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線コンテナネットワーキング(CNI)最前線
コンテナネットワーキング(CNI)最前線
 
Docker internals
Docker internalsDocker internals
Docker internals
 

Similaire à Rootless Containers & Unresolved issues

The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless ContainersAkihiro Suda
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless PodmanAkihiro Suda
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless modeAkihiro Suda
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDocker, Inc.
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesAkihiro Suda
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosHeiko Loewe
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
How to swim with a whale
How to swim with a whaleHow to swim with a whale
How to swim with a whaleŁukasz Siudut
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context ConstraintsAlessandro Arrichiello
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Patrick Chanezon
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerPhil Estes
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Tech talk on docker with demo
Tech talk on docker with demoTech talk on docker with demo
Tech talk on docker with demoSandeep Karnawat
 
Dockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and NovaDockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and Novaclayton_oneill
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 PresentationSreenivas Makam
 

Similaire à Rootless Containers & Unresolved issues (20)

The State of Rootless Containers
The State of Rootless ContainersThe State of Rootless Containers
The State of Rootless Containers
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode[DockerCon 2019] Hardening Docker daemon with Rootless mode
[DockerCon 2019] Hardening Docker daemon with Rootless mode
 
DCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless modeDCSF19 Hardening Docker daemon with Rootless mode
DCSF19 Hardening Docker daemon with Rootless mode
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and Mesos
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
How to swim with a whale
How to swim with a whaleHow to swim with a whale
How to swim with a whale
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Docker.io
Docker.ioDocker.io
Docker.io
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Tech talk on docker with demo
Tech talk on docker with demoTech talk on docker with demo
Tech talk on docker with demo
 
Dockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and NovaDockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and Nova
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
 

Plus de Akihiro Suda

20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdfAkihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdfAkihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilionAkihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilionAkihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdfAkihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilionAkihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilionAkihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?Akihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with DockerfileAkihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] LimaAkihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOSAkihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Akihiro Suda
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into ContainerdAkihiro Suda
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較Akihiro Suda
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep DiveAkihiro Suda
 

Plus de Akihiro Suda (20)

20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 
[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive[KubeCon EU 2020] containerd Deep Dive
[KubeCon EU 2020] containerd Deep Dive
 

Dernier

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 

Dernier (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

Rootless Containers & Unresolved issues

  • 1. Rootless Containers & Unresolved Issues Akihiro Suda / NTT (@_AkihiroSuda_) May 17, 2019 1
  • 2. Agenda • Introduction to Rootless Containers • How it works • Adoption status • Unresolved issues • containerd dev plan 2
  • 4. Rootless Containers • Run containers, runtimes, and orchestrators as a non-root user • Don’t confuse with: – usermod -aG docker penguin – docker run --user – dockerd --userns-remap 4
  • 5. Motivation of Rootless Containers • To mitigate potential vulnerability of container runtimes and orchestrator (the primary motivation) • To allow users of shared machines (e.g. HPC) to run containers without the risk of breaking other users environments – Still unsuitable for “multi-tenancy” where you can’t really trust other users • To isolate nested containers, e.g. “Docker-in-Docker” 5
  • 6. Runtime vulnerabilities • Docker “Shocker” (2014) – A malicious container was allowed to access the host file system, as CAP_DAC_READ_SEARCH was effective by default • Docker CVE-2014-9357 – A malicious docker build container could run arbitrary binary on the host as the root due to an LZMA archive issue • containerd #2001 (2018) – A malicious container image could remove /tmp on the host when the image was pulled (not when actually launched!) 6
  • 7. Runtime vulnerabilities • Docker “Shocker” (2014) – A malicious container was allowed to access the host file system, as CAP_DAC_READ_SEARCH was effective by default • Docker CVE-2014-9357 – A malicious docker build container could run arbitrary binary on the host as the root due to an LZMA archive issue • containerd #2001 (2018) – A malicious container image could remove /tmp on the host when the image was pulled (not when actually launched!) 7 Vulnerability of daemons, not containers per se So --userns-remap is not effective
  • 8. Runtime vulnerabilities • runc #1962 (2019) – Container break-out via /proc/sys/kernel/core_pattern or /sys/kernel/uevent_helper – Hosts with the initrd rootfs (DOCKER_RAMDISK) were affected (e.g. Minikube) • runc CVE-2019-5736 – Container break-out via /proc/self/exe 8
  • 9. Other vulnerabilities • Kubernetes CVE-2017-1002101, CVE-2017-1002102 – A malicious container was allowed to access the host filesystem via vulnerabilities related to volumes • Kubernetes CVE-2018-1002105 – A malicious API call could be used to gain cluster-admin (and hence the root privileges on the nodes) • Git CVE-2018-11235 (affected Kubernetes gitRepo volumes) – A malicious repo could execute an arbitrary binary as the root when it was cloned 9
  • 10. Other vulnerabilities • Kubernetes CVE-2017-1002101, CVE-2017-1002102 – A malicious container was allowed to access the host filesystem via vulnerabilities related to volumes • Kubernetes CVE-2018-1002105 – A malicious API call could be used to gain cluster-admin (and hence the root privileges on the nodes) • Git CVE-2018-11235 (affected Kubernetes gitRepo volumes) – A malicious repo could execute an arbitrary binary as the root when it was cloned 10 --userns-remap might not be effective
  • 11. Play-with-Docker.com vulnerability • Play-with-Docker.com: Online Docker playground, implemented using Docker-in-Docker with custom AppArmor profiles • Malicious kernel module was loadable due to AppArmor misconfiguration (revealed on Jan 14, 2019) – Not really an issue of Docker 11https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/
  • 12. What Rootless Containers can • Prohibit accessing files owned by other users • Prohibit modifying firmware and kernel (→ undetectable malware) • Prohibit other privileged operations like ARP spoofing, rebooting,... 12
  • 13. What Rootless Containers cannot • If a container was broke out, the attacker still might be able to – Mine cryptocurrencies – Springboard-attack to other hosts • Not effective for kernel / VM/ HW vulns – But we could use gVisor together for mitigating some of them 13
  • 15. User Namespaces • User namespaces allow non-root users to pretend to be the root • Root-in-UserNS can have “fake” UID 0 and also create other namespaces (MountNS, NetNS..) 15
  • 16. User Namespaces 16 $ id -u 1001 $ ls -ln -rw-rw---- 1 1001 1001 42 May 1 12:00 foo $ docker-rootless run -v $(pwd):/mnt -it alpine / # id -u 0 / # ls -ln /mnt -rw-rw---- 1 0 0 42 May 1 12:00 foo
  • 17. User Namespaces 17 $ docker-rootless run -v /:/host -it alpine / # ls -ln /host/dev/sda brw-rw---- 1 65534 65534 8, 0 May 1 12:00 /host/dev/sda / # cat /host/dev/sda cat: can’t open ‘/host/dev/sda’: Permission denied
  • 18. Sub-users (and sub-groups) • Put users in your user account so you can be a user while you are being a user • Sub-users are used as non-root users in a container – USER in Dockerfile – docker run --user 18
  • 19. Sub-users (and sub-groups) • If /etc/subuid contains “1001:100000:65536” • Having 65536 sub-users should be enough for most containers 19 0 1001 100000 165535 232 Host UserNS primary user sub-users start sub-users length 0 1 65536
  • 20. Sub-users (and sub-groups) • Sub-users are configured via SUID binaries /usr/bin/{newuidmap, newgidmap} • SETUID binary can be dangerous; newuidmap & newgidmap had two CVEs so far: – CVE-2016-6252 (CVSS v3: 7.8): integer overflow issue – CVE-2018-7169 (CVSS v3: 5.3): supplementary GID issue 20
  • 21. Sub-users (and sub-groups) • Also hard to maintain sub-users – LDAP / AD – Nesting user namespaces might need huge number of sub-users 21
  • 22. Sub-users (and sub-groups) • Alternative way: Single-mapping mode • Does not require newuidmap/newgidmap • Ptrace and/or Seccomp can be used for intercepting syscalls to emulate sub-users – user.rootlesscontainers xattr can be used for chown emulation 22
  • 23. Network Namespaces • An unprivileged user can create network namespaces along with user namespaces • With network namespaces, the user can – isolate abstract (pathless) UNIX sockets • important to prevent container breakout – create iptables rules – set up overlay networking with VXLAN – run tcpdump – ... 23
  • 24. Network Namespaces • But an unprivileged user cannot set up veth pairs across the host and namespaces, i.e. No internet connection 24 The Internet Host UserNS + NetNS
  • 25. Network Namespaces 25 • lxc-user-nic SUID binary allows unprivileged users to create veth, but we are not huge fun of SUID binaries • Our approach: use completely unprivileged usermode network (“Slirp”) with a TAP device TAP “Slirp” TAPFD send fd as a SCM_RIGHTS cmsg The Internet Host UserNS + NetNS
  • 26. Network Namespaces Benchmark of several “Slirp” implementations: • slirp4netns (our own implementation based on QEMU Slirp) is the fastest because it avoids copying packets across the namespaces MTU=1500 MTU=4000 MTU=16384 MTU=65520 vde_plug 763 Mbps Unsupported Unsupported Unsupported VPNKit 514 Mbps 526 Mbps 540 Mbps Unsupported slirp4netns 1.07 Gbps 2.78 Gbps 4.55 Gbps 9.21 Gbps cf. rootful veth 52.1 Gbps 45.4 Gbps 43.6 Gbps 51.5 Gbps Benchmark: iperf3 (netns -> host), measured on Travis CI. See rootless-containers/rootlesskit#12 26
  • 27. Multi-node networking • Flannel VXLAN is known to work – Encapsulates Ethernet packets in UDP packets – Provides L2 connectivity across rootless containers on different nodes • Other protocols should work as well, except ones that require access to raw Ethernet 27
  • 28. Snapshotting • OverlayFS is currently unavailable in UserNS (except on Ubuntu kernel) • FUSE-OverlayFS can be used instead with kernel 4.18+ • XFS reflink can be also used to deduplicate files (but slow) 28
  • 29. Cgroup • pam_cgfs can be used for delegating permissions to unprivileged users, but considered insecure by systemd folks https://github.com/containers/libpod/issues/1429 • cgroup2 provides proper support for delegation, but not adopted by OCI at the moment 29
  • 30. Rootless Containers in Containers • Urge demand for building images on Kubernetes cluster • Seccomp and AppArmor needs to be disabled for the parent containers • To allow the children to mount procfs (pid-namespaced), maskedPaths and readonlyPaths for /proc/* for the parent needs to be removed (weird!) – Same applies to sysfs (net-namespaced) 30
  • 31. Rootless Containers in Containers • So --privileged had been typically required anyway :( – Or at least --security-opt {seccomp,apparmor}=unconfined • Docker 19.03 supports --security-opt systempaths=unconfined for allowing procfs & sysfs mount (Kube: securityContext.procMount, but no sysMount yet) – Make sure to lock the root in the container! (passwd -l root, Alpine CVE-2019-5021 ) 31
  • 33. Adoption status: runtimes 33 Docker v19.03 containerd runc Podman (≈ CRI-O) crun LXC Singularity NetNS isolation with Internet connectivity ● VPNKit ● slirp4netns ● lxc-user-nic (SUID) slirp4netns lxc-user-nic (SUID) No support Supports FUSE-OverlayFS No Yes No No Cgroup No Limited support for cgroup2 pam_cgfs No
  • 34. Adoption status: runtimes::GPU • nvidia-container-runtime is known to work • Need to disable cgroup manually • Rootful nVIDIA container needs to be executed on every system startup • Probably, other devices such as FPGA should work as well (untested) 34
  • 35. Adoption status: runtimes::single-mapping mode • udocker does not need subuid configuration, as it can emulate subuser with ptrace (based on PRoot) – but no persistent chown • runROOTLESS (Don’t confuse with upstream rootless runc) supports persistent chown as well, using user.rootlesscontainers xattr – the xattr value is a pair of UID and GID in protobuf encoding – the xattr convention is compatible with umoci 35
  • 36. Adoption status: runtimes::single-mapping mode • Ptrace is slow https://github.com/rootless-containers/runrootless/issues/14 • seccomp can be used for acceleration but hard to implement correctly 36
  • 37. Adoption status: image builders • BuildKit / img / Buildah supports rootless mode – Works in containers as well as on the host – Does not need --privileged but Seccomp and AppArmor needs to be disabled 37
  • 38. Adoption status: image builders • Similar but different work: Kaniko & Makisu – Rootful – But no need to disable seccomp and AppArmor, because they don’t create containers for RUN instructions in Dockerfile 38
  • 39. Adoption status: Kubernetes • Usernetes project provides patches for rootless Kubernetes, but not proposed to the upstream yet – Supports all major CRI runtimes: dockershim, containerd, CRI-O – Flannel VXLAN is known to work – Lack of cgroup might be huge concern • But Usernetes is already integrated into k3s! (5 less than k8s) 39 $ k3s server --rootless
  • 40. You can rootlesify your own project easily! • RootlessKit does almost all things for rootlessifying your container project (or almost any rootful app) – Creates UserNS with sub-users and sub-groups – Creates MountNS with writable /etc, /run but without chroot – Creates NetNS with VPNKit/slirp4netns/lxc-user-nic – Provides REST API on UNIX socket for port forwarding management 40
  • 41. You can rootlesify your own project easily! 41 $ rootlesskit --net=slirp4netns --copy-up=/etc --port-driver=builtin bash # id -u 0 # touch /etc/here-is-writable-tmpfs # ip a ... 2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> inet 10.0.2.100/24 scope global tap0 ... # rootlessctl add-ports 0.0.0.0:8080:80/tcp
  • 42. You can rootlesify your own project easily! • With RootlessKit, you just need to work on disabling cgroup stuff, sysctl stuff, and changing the data path from /var/lib to /home • Used by Docker, BuildKit, k3s 42
  • 44. Kernel has vulns • UserNS tends to have priv escalation vulns – CVE 2013-1858: UserNS + CLONE_FS – CVE-2014-4014: UserNS + chmod – CVE-2015-1328: UserNS + OverlayFS (Ubuntu-only) • So rootless OverlayFS is still not merged in upstream – CVE-2018-18955: UserNS + complex ID mapping 44
  • 45. Kernel has vulns • A bunch of code paths that can hang up the kernel – e.g. CVE-2018-7191 (unpublished published today): creating a tap device with illegal name – And more, see https://medium.com/@jain.sm/security-challenges-with-kubernetes-818fad4a89f2 • Unlimited resources e.g. – Pending signals – Max user process – Max FDs per user (see the same URL above) 45
  • 46. Kernel has vulns • So I’ve never suggested using rootless containers for real multi-tenancy ¯_(ツ)_/¯ 46
  • 47. Kernel has vulns • gVisor might be able to mitigate them but significant overhead and syscall incompatibility • UML (20 yo, still alive!) is almost compatible with real Linux but it even lacks support for SMP • linuxd: similar to UML but accelerated with host kernel patches – Still no public code https://schd.ws/hosted_files/ossna18/db/Containerize%20Linux%20Kernel.pdf 47
  • 48. Cgroups • cgroup2 is not adopted in OCI • crun is trying to support cgroup2 without changing OCI spec 48
  • 49. Mount • Only supports: – tmpfs – bind – procfs (PID-namespaced) – sysfs (net-namespaced) – FUSE (since kernel 4.18) – Overlay (Ubuntu only) • No support for mounting any block devices (even loopback devices) 49
  • 50. Landlock • landlock: unprivileged sandbox LSM • Not merged in the upstream kernel, but promising as AppArmor-alternative 50
  • 51. LDAP / Active Directory • /etc/sub{u,g}id configuration is painful for LDAP/AD • Alternatively, implementing NSS module is under discussion, but no code yet https://github.com/shadow-maint/shadow/issues/154 51
  • 52. Single-mapping mode • runROOTLESS / PRoot could be accelerated with seccomp but implementation is broken • Kernel 5.0 seccomp could be used for getting rid of ptrace completely 52
  • 54. containerd dev plan • Implement FUSE-OverlayFS snapshotter plugin – Probably in a separate repo – Should not be difficult • Support cgroup2 – Probably we want to wait for OCI Runtime Spec and runc to be revised – But we can also consider beginning support cgroup2 right now with crun 54
  • 55. containerd dev plan • Support running containerd inside gVisor – So as to allow running rootless containers in a container without disabling seccomp & apparmor – And to mitigate potential kernel vulns – Currently MountNS is not working https://github.com/google/gvisor/issues/221 55