$30 off During Our Annual Pro Sale. View Details »

Rootless containers from scratch

Liz Rice
October 27, 2020
Technology
1
3.4k

Rootless containers from scratch

As seen at OS Summit EU 2020

Liz Rice

October 27, 2020
Tweet

More Decks by Liz Rice

See All by Liz Rice
When is a Secure Connection not encrypted? And other stories
lizrice
0
6
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
380
How Many Proxies Do You Need
lizrice
1
94
eBPF for Security Observability
lizrice
0
890
Beginner's Guide to eBPF Programming for Networking
lizrice
1
1.7k
Contributing to Open Source - what's in it for my business?
lizrice
0
33
Cloud Native eBPF Superpowers
lizrice
0
210
Beginner's Guide to eBPF programming with Go
lizrice
0
950
Kubernetes-native security with Starboard
lizrice
0
150

Other Decks in Technology

See All in Technology
LINEでのコミュニケーションにマスコットキーホルダーを使ってみる / LINEを使ったLT大会 #5
you
PRO
0
100
Railsアプリをコスパよく読むための環境整備
ikumatadokoro
1
130
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
2
3.9k
visionOSについてGlobeeが取り組んでいること
toshi0383
0
200
Kafka Streamsで作る10万rpsを支えるイベント駆動マイクロサービス
joker1007
7
2.3k
3つの⽴場で考える技術的負債への組織的アプローチ
sansantech
PRO
16
4.8k
eBPF for the rest of us - Golab 2023
fedepaol
0
280
ChatGPT for Developer - 超入門
dahatake
40
22k
Exploring Postgres VACUUM with the VACUUM Simulator
keiko713
5
630
技術コミュニティ参加のすすめ
minorun365
PRO
4
270
つくばチャレンジ2023EX with PLATEAU@つくばセンター広場課題コース
tsukubachallenge
0
320
RealSense T265とD415とUFACTORY Lite 6で模倣学習の実験
hygradme
0
300

Featured

See All Featured
Embracing the Ebb and Flow
colly
77
3.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
1k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.7k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
352
21k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Designing for humans not robots
tammielis
246
24k
Designing Experiences People Love
moore
133
23k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
51k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Docker and Python
trallard
32
2.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
12
1k

Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved
    Rootless containers
    from scratch
    Liz Rice
    VP Open Source Engineering, Aqua Security
    @lizrice

    View Slide

  2. @lizrice
    What is a container?
    What is a rootless container?

    View Slide

  3. @lizrice
    By default, containers run as root
    The same root as on the host

    View Slide

  4. @lizrice

    View Slide

  5. @lizrice

    View Slide

  6. @lizrice
    Limit what a process can see
    • Unix Timesharing System
    • Process IDs
    • Mounts
    • Network
    • InterProcess Comms
    • User IDs
    Namespaces

    View Slide

  7. @lizrice
    Limit what a process can see
    • Unix Timesharing System
    • Process IDs
    • Mounts
    • Network
    • InterProcess Comms
    • User IDs
    Namespaces

    View Slide

  8. @lizrice
    Starting in Linux 3.8, unprivileged processes can create
    user namespaces
    man user_namespaces

    View Slide

  9. @lizrice
    Starting in Linux 3.8, unprivileged processes can create
    user namespaces
    The child process created … with the CLONE_NEWUSER flag
    starts out with a complete set of capabilities in the new
    user namespace.
    man user_namespaces

    View Slide

  10. @lizrice
    Starting in Linux 3.8, unprivileged processes can create
    user namespaces
    The child process created … with the CLONE_NEWUSER flag
    starts out with a complete set of capabilities in the new
    user namespace.
    If CLONE_NEWUSER is specified along with other CLONE_NEW*
    flags … the user namespace is guaranteed to be created
    first, giving the child … privileges over the remaining
    namespaces created by the call.
    man user_namespaces

    View Slide

  11. @lizrice
    Host User IDs
    0
    1
    2

    1000
    1001
    1002
    1003

    Namespace User IDs
    0
    1
    2

    size

    View Slide

  12. @lizrice
    func main() {
    switch os.Args[1] {
    case "run":
    run()
    case "child":
    child()
    default:
    panic("Missing argument 1")
    }
    }
    func run() {
    fmt.Printf("Running %v as user %d in process %d\n", os.Args[2:], os.Geteuid(), os.Getpid())
    cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr
    cmd.Stdin = os.Stdin
    cmd.SysProcAttr = &syscall.SysProcAttr{
    Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWUSER|syscall.CLONE_NEWNS|syscall.CLONE_NEWPID,
    UidMappings: []syscall.SysProcIDMap{{
    ContainerID: 0,
    HostID: 1000,
    Size: 1}},
    }
    must(cmd.Run())
    }
    func child() { fmt.Printf("Running %v as user %d in process %d\n", os.Args[2:], os.Geteuid(),
    os.Getpid()) fmt.Printf("Capabilities: %s\n", showCaps())

    View Slide

  13. @lizrice
    func child() {
    fmt.Printf("Running %v as user %d in process %d\n", os.Args[2:], os.Geteuid(), os.Getpid())
    must(syscall.Chroot("/home/vagrant/alpinefs"))
    must(os.Chdir("/"))
    must(syscall.Mount("proc", "proc", "proc", 0, ""))
    cmd := exec.Command(os.Args[2], os.Args[3:]...)
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr
    cmd.Stdin = os.Stdin
    must(cmd.Run())
    must(syscall.Unmount("proc", 0))
    }
    func must(err error) {
    if err != nil {
    panic(err)
    }
    }

    View Slide

  14. @lizrice
    Rootless container support

    View Slide

  15. @lizrice
    Rootless container support

    View Slide

  16. © 2020 Aqua Security Software Ltd., All Rights Reserved
    Thank you
    github.com/rootless-containers/rootlesskit
    github.com/lizrice/containers-from-scratch

    View Slide