Is it Safe to Run Applications in Linux Containers?

Jerome Petazzoni (Docker Inc.)

Virtual machines are generally considered secure. At least, they are secure enough, when implemented properly, to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use fewer resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.

Additionally, the default settings for Linux Containers are often very permissive, which has led many people to state that containers are not secure. We will show techniques to lock down containers, and discuss which risks they mitigate. The list will include:

  • Locking down kernel capabilities;
  • Enabling mandatory access control like AppArmor;
  • Using a hardened kernel, for instance with the GRSEC patchset;
  • Segregating the root user with the recent “user namespace” kernel feature.

We will also detail the specific drawbacks of each method, and demonstrate a way to seamlessly integrate classic virtualization in a container workload when there is no other acceptable possibility.
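
The following Python example is added here and is not taken from the talk or its slides. It audits a containerized process for three of the lock-downs listed above (capabilities, AppArmor, user namespaces) using `/proc/<pid>/status`, `/proc/<pid>/uid_map` and `/proc/<pid>/attr/current`. It assumes AppArmor is the active LSM and that the files are read from the host; the set of capabilities treated as risky, the profile name and the sample inputs are constructed for this example.

```python
# Added example (not from the talk). Sample inputs below are constructed.

# Capability bit numbers from <linux/capability.h>. Treating these
# particular ones as "risky" is this example's assumption.
RISKY_CAPS = {
    12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD",
}

def risky_caps(status_text):
    """Decode the CapEff bitmask found in /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return [n for b, n in sorted(RISKY_CAPS.items()) if mask >> b & 1]
    raise ValueError("no CapEff line in status text")

def root_is_remapped(uid_map_text):
    """True if uid 0 inside the container is not uid 0 on the host."""
    for line in uid_map_text.splitlines():
        fields = line.split()  # columns: inside-uid, outside-uid, count
        if len(fields) == 3 and fields[0] == "0":
            return fields[1] != "0"
    return True  # uid 0 has no mapping at all

def mac_confined(attr_current_text):
    """attr/current reads 'unconfined' when no AppArmor profile applies."""
    label = attr_current_text.strip()
    return bool(label) and label != "unconfined"

def audit(status_text, uid_map_text, attr_current_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = [f"holds {name}" for name in risky_caps(status_text)]
    if not root_is_remapped(uid_map_text):
        findings.append("uid 0 maps to host uid 0 (no user namespace)")
    if not mac_confined(attr_current_text):
        findings.append("no AppArmor profile")
    return findings

PERMISSIVE = ("Name:\tsh\nCapEff:\t0000003fffffffff\n",
              "         0          0 4294967295\n", "unconfined\n")
LOCKED = ("Name:\tsh\nCapEff:\t0000000000000400\n",
          "         0     100000      65536\n", "example-profile (enforce)\n")

if __name__ == "__main__":
    for label, sample in (("permissive", PERMISSIVE), ("locked down", LOCKED)):
        print(label, audit(*sample))
```
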

Jerome Petazzoni

Docker Inc.

Jerome is a senior engineer at Docker, where he rotates between Ops, Support and Evangelist duties. In another life he built and operated Xen clouds when EC2 was just the name of a plane, developed a GIS to deploy fiber interconnects through the French subway, managed commando deployments of large-scale video streaming systems in bandwidth-constrained environments such as conference centers, and various other feats of technical wizardry. When annoyed, he threatens to replace things with a very small shell script. His left hand cares for the dotCloud PAAS servers, while his right hand builds cool hacks around Docker.

Comments

Jerome Petazzoni
07/24/2014 12:29pm PDT

I guess that the slides will be available through the OSCON website one way or another (I uploaded them there), but meanwhile, you can check them on slideshare:

http://www.slideshare.net/jpetazzo/is-it-safe-to-run-applications-in-linux-containers

07/23/2014 9:19pm PDT

Is there an URL for the slides?