Christo Goosen - Google gvisor container runtime sandbox

gVisor was released 5 months ago and promoted alongside Google Cloud Platform’s push for Python 3.7 support. Google identified the need for a user-space kernel to act as a sandbox in container/Docker environments. gVisor is written in Go, provides a swap-in runtime for Docker and adds an additional layer of kernel protection between the host and your executed code. Google says gVisor protects the host kernel because it “employs rule-based execution to provide defense-in-depth”. This talk covers a quick intro and how easy it is to get going with gVisor.

DevOpsDays Cape Town

September 21, 2018
Transcript

  1. whoami | grep work
    Chief Technology Officer at CTRL Technologies
    Ctrl Tech: insurance tech company. Website: takectrl.co.za
    Stack:
    • Python 3.7 asyncio
    • Ionic, Angular 5 + TypeScript
  2. whoami | grep other
    Tech, tech for good, politics, hiking.
    Studying: MSc Information Security
    OWASP Cape Town
    Open Web Application Security Project. Non-profit for advancing security in web applications and beyond. Regular meetups, all welcome!
    • https://www.owasp.org/index.php/Cape_Town
    • http://www.meetup.com/OWASP-Cape-Town-Chapter-Meetup/
    BSides Cape Town
    Community-driven security (hacker) conference. http://www.bsidescapetown.co.za/
    • Volunteer!
    • Tickets!
    • Badges
  5. gVisor architecture
    • Implements around 200 of the 400+ Linux syscalls
    • The Gofer acts as a file system proxy by opening host files on behalf of the application and passing them to the Sentry process, which has no host file access itself
    • The Sentry runs in an empty user namespace, and the system calls made by gVisor to the host are restricted using seccomp filters
    • The Sentry implements its own network stack (also written in Go) called netstack
    • Allows network passthrough
  6. Docker daemon config
    {
      "debug": true,
      "experimental": true,
      "runtimes": {
        "runsc": {
          "path": "/usr/local/bin/runsc",
          "runtimeArgs": [
            "--debug-log-dir=/tmp/runsc",
            "--debug",
            "--strace"
          ]
        }
      }
    }
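The slide shows the complete daemon.json, but on a real host /etc/docker/daemon.json usually already exists and the runsc entry has to be merged into it without losing the other settings. The following is an added example (not code from the deck or from the gVisor project) that does that merge in Python; it assumes the runsc binary is at /usr/local/bin/runsc, as on the slide, and the sample existing config is constructed for the example.

```python
"""Merge a runsc runtime entry into an existing Docker daemon.json.

Added example, not from the original deck. Assumes runsc lives at
/usr/local/bin/runsc (as on the slide) and that the host may already have
a /etc/docker/daemon.json whose other settings must be preserved.
"""
import copy
import json
from pathlib import Path

# Constructed sample of an existing daemon.json; the real file is /etc/docker/daemon.json.
EXISTING_DAEMON_JSON = """{
  "log-driver": "json-file",
  "log-opts": { "max-size": "10m" }
}
"""


def runsc_runtime_entry(runsc_path="/usr/local/bin/runsc", debug=False,
                        debug_log_dir="/tmp/runsc", strace=False):
    """Build the "runsc" entry for the "runtimes" map in daemon.json.

    --debug and --strace are the diagnostic flags from the slide. --strace logs
    every sandboxed syscall with its arguments, so leave it off outside of
    troubleshooting: it is slow and the log directory then holds whatever the
    workload passed to those syscalls.
    """
    args = []
    if debug:
        args += [f"--debug-log-dir={debug_log_dir}", "--debug"]
    if strace:
        args.append("--strace")
    entry = {"path": runsc_path}
    if args:
        entry["runtimeArgs"] = args
    return entry


def load_daemon_json(text):
    """Parse daemon.json text; an empty file is treated as an empty config."""
    return json.loads(text) if text.strip() else {}


def add_runsc_runtime(config, **runtime_kwargs):
    """Return a copy of config with runsc registered under "runtimes",
    keeping every other key (log driver, other runtimes, ...) intact."""
    merged = copy.deepcopy(config)
    merged.setdefault("runtimes", {})["runsc"] = runsc_runtime_entry(**runtime_kwargs)
    return merged


def render(config):
    """Serialise deterministically so the file diffs cleanly under change control."""
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def update_daemon_json(path, **runtime_kwargs):
    """Read path (if it exists), add runsc, write the result back and return it."""
    path = Path(path)
    existing = load_daemon_json(path.read_text()) if path.exists() else {}
    merged = add_runsc_runtime(existing, **runtime_kwargs)
    path.write_text(render(merged))
    return merged


if __name__ == "__main__":
    cfg = add_runsc_runtime(load_daemon_json(EXISTING_DAEMON_JSON), debug=True, strace=True)
    print(render(cfg))
```

After writing the file, restart dockerd; `docker info` then lists runsc under Runtimes, and `docker run --runtime=runsc ...` starts a container inside the sandbox while plain `docker run` keeps using runc.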
  7. • gVisor can run sandboxed containers in a Kubernetes cluster with cri-o (runtime)
    • Any Pod without the io.kubernetes.cri-o.TrustedSandbox annotation (or with the annotation set to false) will be run with runsc
    • Current support is for 1 container per pod. Working on support for multiple containers in a pod.
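The annotation rule on the slide is easy to get backwards when reviewing manifests, so here is an added example (not code from the deck or from cri-o) that applies it to a set of Pod manifests and lists the Pods that would leave the sandbox. It assumes the non-sandboxed runtime is called "runc" and that only the literal string "true" (any case) counts as true; the Pod manifests are constructed for the example.

```python
"""Decide which runtime a Pod gets under the rule on the slide: no
io.kubernetes.cri-o.TrustedSandbox annotation, or the annotation set to false,
means the Pod runs under runsc; only a Pod annotated true runs on the default runtime.

Added example, not from the original deck. Assumptions: the non-sandboxed
runtime is named "runc", and since annotation values are strings, only the
literal "true" (case-insensitive) opts out; any other value is treated as untrusted.
"""
TRUSTED_ANNOTATION = "io.kubernetes.cri-o.TrustedSandbox"

# Constructed Pod manifests, as they would look after parsing the YAML into dicts.
SAMPLE_PODS = [
    {"metadata": {"name": "web"}},  # no annotation at all
    {"metadata": {"name": "batch", "annotations": {TRUSTED_ANNOTATION: "false"}}},
    {"metadata": {"name": "legacy-db", "annotations": {TRUSTED_ANNOTATION: "true"}}},
    {"metadata": {"name": "ci", "annotations": {TRUSTED_ANNOTATION: "True"}}},
    {"metadata": {"name": "typo", "annotations": {TRUSTED_ANNOTATION: "yes"}}},
]


def is_trusted(pod):
    """True only when the annotation is present and reads "true"."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    value = annotations.get(TRUSTED_ANNOTATION)
    return isinstance(value, str) and value.strip().lower() == "true"


def sandbox_runtime(pod):
    """Runtime the Pod lands on under the slide's rule."""
    return "runc" if is_trusted(pod) else "runsc"


def audit(pods):
    """(name, runtime) for every Pod, in manifest order."""
    return [(pod["metadata"]["name"], sandbox_runtime(pod)) for pod in pods]


def unsandboxed(pods):
    """Names of Pods that opted out of the sandbox: the short list worth reviewing,
    because whoever can write Pod annotations can set this one."""
    return [name for name, runtime in audit(pods) if runtime != "runsc"]


if __name__ == "__main__":
    for name, runtime in audit(SAMPLE_PODS):
        print(f"{name:10s} -> {runtime}")
    print("opted out of sandbox:", unsandboxed(SAMPLE_PODS))
```

Because the opt-out is a plain annotation, the list from `unsandboxed` is the one to gate in review or in an admission policy: the sandbox protects the host only for Pods that do not carry a true value.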
  8. Supported Applications
    • elasticsearch • golang • httpd • java8 • jenkins • mariadb • memcached • mongo • mysql • nginx • node • php • prometheus • python • redis • registry • tomcat • wordpress
  9. runsc checkpoint/restore
    gVisor supports checkpointing and restoring containers. A container’s state can be checkpointed and later restored into one or more containers. This can be used to save work and time in cases of failure and allow for container migration. A single container can perform slower setup tasks and then be checkpointed so that many containers with the same task can be “restored” and started more quickly.
  10. Thanks! Any questions?
    You can find me at:
    ◇ @owasp_cpt
    ◇ christo<at>christogoosen.co.za
    ◇ christo.goosen<at>takectrl.co.za
    ◇ christo.goosen<at>owasp.org
    ◇ github.com/c-goosen
  11. Sources
    Projects, libraries and examples:
    • https://github.com/google/gvisor
    • https://www.zdnet.com/article/google-open-sources-gvisor-a-sandboxed-container-runtime/
    • https://www.infoq.com/news/2018/05/gvisor-container-sandbox
    • https://twitter.com/remco_verhoef/status/1004020497745575936
    • https://docs.docker.com/engine/security/security/
    • https://thenewstack.io/interview-google-gvisor-and-the-challenge-of-securing-multitenant-containers/
    • http://blog.nigelpoulton.com/gvisor-containers/
    • https://medium.com/@remco_verhoef/sandboxing-with-gvisor-b9979bd424b9