Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Christo Goosen - Google gvisor container runtim...

Christo Goosen - Google gvisor container runtime sandbox

Gvisor was released 5 months ago and promoted with Google Cloud Platform’s push for python3.7 support. Google identified the need for a user-space kernel to act as a sandbox in container/docker environments. Gvisor is written in Golang, provides a swop in runtime for docker and provides a additional layer of kernel protection from your executed code. Google’s gvisor aims to protect the host kernel with “employs rule-based execution to provide defense-in-depth”. Will cover a quick intro and how easy it is to get going with gvisor.

DevOpsDays Cape Town

September 21, 2018
Tweet

Other Decks in Technology

Transcript

  1. Whoami | grep work ME Chief Technology Officer at CTRL

    Technologies Ctrl Tech: Insurance Tech Company Website: takectrl.co.za Stack: • Python 3.7 asyncio • Ionic, Angular 5 + Typescript
  2. Whoami | grep other ME Tech, tech for good, politics,

    hiking. Studying: MSC Information Security OWASP Cape Town Open Web Application Security Project. Non profit for advancing security in web applications and other. Regular Meetups, all welcome ! • https://www.owasp.org/index.php/C ape_Town • http://www.meetup.com/OWASP-C ape-Town-Chapter-Meetup/ BSides Cape Town Community Driven Security (hacker/ conference. http://www.bsidescapetown.co.za/ • Volunteer! • Tickets! • Badges
  3. 1

  4. 1

  5. Gvisor architecture 1 • Implements around 200 of the 400~+

    Linux syscalls • The Gofer acts as a file system proxy by opening host files on behalf of the application, and passing them to the Sentry process, which has no host file access itself • Sentry runs in an empty user namespace, and the system calls made by gVisor to the host are restricted using seccomp filters • The Sentry implements its own network stack (also written in Go) called netstack • Allows network passthrough
  6. Docker daemon config { "debug" : true, "experimental" : true,

    "runtimes" : { "runsc" : { "path" : "/usr/local/bin/runsc", "runtimeArgs" : [ "--debug-log-dir=/tmp/runsc", "--debug", "--strace" ] }
  7. 3 • gVisor can run sandboxed containers in a Kubernetes

    cluster with cri-o (runtime) • Any Pod without the io.kubernetes.cri-o.TrustedSandbox annotation (or with the annotation set to false) will be run with runsc • Current support is for 1 container to a pod. Working on support for multiple containers in a pod.
  8. 3 • elasticsearch • golang • httpd • java8 •

    jenkins • mariadb • memcached • mongo • mysql • nginx • node • php • prometheus • python • redis • registry • tomcat • wordpress Supported Applications
  9. 5 gVisor supports checkpointing and restoring containers. A container’s state

    can be checkpointed and later restored into one or more containers. This can be used to save work and time in cases of failure and allow for container migration. A single container can perform slower setup tasks and then be checkpointed so that many containers with the same task can be “restored” and started more quickly. runsc checkpoint/restore
  10. Thanks! Any questions? You can find me at: ◇ @owasp_cpt

    ◇ christo<at>christogoosen.co.za ◇ christo.goosen<at>takectrl.co.za ◇ christo.goosen<at>owasp.org ◇ github.com/c-goosen
  11. Projects, libraries and examples: • https://github.com/google/gvisor • https://www.zdnet.com/article/google-open-sources-gvisor-a-sandb oxed-container-runtime/ •

    https://www.infoq.com/news/2018/05/gvisor-container-sandbox • https://twitter.com/remco_verhoef/status/1004020497745575936 • https://docs.docker.com/engine/security/security/ • https://thenewstack.io/interview-google-gvisor-and-the-challenge-of -securing-multitenant-containers/ • http://blog.nigelpoulton.com/gvisor-containers/ • https://medium.com/@remco_verhoef/sandboxing-with-gvisor-b9979 bd424b9 • Sources