Cloud Native Computing Foundation KubeCon + CloudNativeCon North America 2020 - Virtual, 4 Dec 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: containerd: Rootless Containers 2020 - Akihiro Suda, NTT

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

containerd: Rootless Containers 2020 - Akihiro Suda, NTT

Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without the host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerability of the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain the introduction to rootless containers and deep-dive topics about the recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well.

https://sched.co/fGWc

A

Hi there, my name is I'm a software engineer working for njt and I'm a manager of several open source projects, including country id.

A

This session will show the overview and recent objects of urges containers, if you have questions, feel free to ask me at the cnc slack. This is pre-recorded session, so I can answer questions at any time. During my talk.

A

So what is root risk, continuous nutrients containers means running grassy country, chrono, cube red and everything without root privileges. This is useful for protecting the host from potential viabilities and misconfigurations.

A

There are several techniques that may sound similar, but don't be confused. This is not about setting security context, not wrong as user.

A

This is not about the children's enhancement proposal for supporting username services.

A

Unlike these techniques, bluetooth continuous means running the whole stack, including cube rate controller d and run c with absolute. It's not just about running continuous as a different user.

A

So why do we need routers? It's because most runtimes tend to have serious vulnerabilities.

A

There has been really a bunch of range of vulnerabilities in the past years in every component, such as ranci continuity, decardi and kubrick, and probably more variabilities. That will come in the next couple of years.

A

Most of these vulnerabilities could be mitigated if we had useless containers.

A

And users often make misconfigurations they may try setting up port security policy, jet clipper or other kinds of admission photographs, but setting it up properly, isn't straightforward and some people still exposes the tcp ports of system components such as kubrick and ducati to the internet without mutual tas authentication, or even if they could manage to search up to trs.

A

Sometimes they make mistakes about the private keys, such as exposing the keys, as is metadata that is accessible by any container in the cluster.

A

So mutual continuous is useful for mitigating impact of such vulnerabilities and misconfigurations.

A

Even if the host gets compromised, the attacker won't be able to access other users. Files won't be able to modify firmware and kernel. Also, attacker won't be able to do absorption and dns sprouting.

A

But of course it's not a bunch here: it's not effective against corner probabilities, ddos attacks and cryptomining attacks.

A

And also there are some caveats about network performance, but we are seeing huge improvements this year.

A

Also, we can't use nfs and block sources, but this is not a huge deal when you can use managed databases or managed objects, managed object. Storages such as amazon, s3.

A

Let's take a look at the history of bluetooth containers, it started about eight years ago it was before I began to work on rigorous containers.

A

It was soon adopted by lxc, but wasn't popular until 2018.

A

Also, due to this containers at that time was very different from modern, useless containers, notably setting up networking requires root privileges at that time,.

A

In 2018 buildkit started to support users containers mostly for building images inside the current clusters, using continuity technology directly towards the game changer after building supported, uterus mode, docker, platinum and cryo. All these runtimes also began to support uterus merge.

A

We also protect reuters mode in tubercs, but it's still not upstream yet, mostly because we didn't have support on c group at that time, but our work is already adopted by k3s and in 2019 we gained support for c groups using sql version, 2 and systemd single version. 2 itself has been there for several years, but it wasn't useful for continuous under 2019 because it had rapid support for device controllers and freezers.

A

So, starting with this year, luja's containers began to support setting up c groups for limiting memory resources and for limiting cpu resources.

A

In this year we are seeing faster networking with a new car feature called second fd.

A

Let's take a look into examples of routers containers. For example, darker has been offshoring supporting nutrients mode since project 90.03.

A

It was experience it was experimental in 19.63, but it's going to be ga in 20.10.

A

This new version also comes with notable objects for c group and fuse over fs.

A

Bluetooth structure can be easily installed by running a script from https constructors, get.com uterus and you can run docker command with localhost environment. Variable like this unix clone translators, transfers, users, rush, uid, stroke.

A

And if you run ps3 commands, you can see that all processes, including continuity and degrading as well as containers, are running without the route.

A

So next is utilities.

A

Usernative is our current distribution that doesn't require the route it even supports master of networking using flannel and vxram.

A

It provides a demo of metronome cluster as a drupal component suck, so you can easily try it for crv runtimes. We support both contrary and acquire, and these runtimes can be mixed up together in a single cluster, and you can see that all processes, including continuity, runner, cube red, are running as a non-reducer and dsps3.

A

Screen so next is k3s, which is a cncf sandbox project focusing on edge computing.

A

K3S also supports reverse mode by incorporating usernamespaces ahead of the keyboard in this upstream.

A

K3S uses control d as the cri runtime, so next is buildkit a control image builder, built on contrary technology and also adopted by docker, build.

A

Building can be executed in several ways, such as as a platformer kardi or as a shuttle demo or as a clearance spot to run this job or as a text on task.

A

To run build the kit inside kubernetes, you don't need to set security contacts, dot progress, but you might need to specify security contacts, dot second profile and up armor annotations to arrow. Calling several system calls such as unshare and mount.

A

The last topic is how rudely containers work. It uses several kind of features, but amongst these features, the most important one is username species.

A

Usernamespaces is a color feature that maps a non-reducer to a fake rules user with uij0. It's not a real route, but enough to run continuous.

A

It also sets up your ids called supported, urgs to use multiple uids other than zero.

A

By using username species, a user can also create multiname spaces, but the user cannot mount most of our systems, especially the user cannot amount over influence, cannot mount anywheres and can't mount block charges at all, but starting with of 4.18 huge file systems such as fuse overlays can be mounted.

A

So you don't need to care about over fs.

A

Next is network name species; a user can also create network name spaces with username species, but cannot create virtual economic peers for internet connectivity.

A

So, instead of rotary scientific, we need to use a slope which translates insulin packets into certain scores. This is true, but we are seeing huge improvements this year. I will talk about this speculator.

A

With regards to c group, we didn't have support for c groups. Version 1, just means on single project run hosts. We couldn't set up memory, limit, cpu limit and pid limit, but we can use similar version. 2.

A

fedora has already switched the default to version 2. Recently, probably other distributions will follow soon.

A

So next topic is second user notification, which was merged in 5.0.

A

It's a new way to hook system calls in the user space. This is similar to pdrs, but it's significantly faster. This can be used for emulating, supported uids without slash agencies throughout some uid file.

A

And kernel 5.9 added support for sec, comp, io ctl native at fd, which allows injecting file descriptors from host into containers. This can be used for eliminating the throughput overhead observed.

A

Let's reject my torque router's controllers can protect the host from potential vulnerabilities and misconceptions.

A

It's already adopted by lots of projects such as brilliant joker concerning potma, cryo and k3s.

A

It's also being proposed to the this upstream.

A

There are some drawbacks, but these drawbacks are being significantly improved. Using sacrum user notification share some resources on the internet, such as https current structures, uteruscontain.rs.

A

If you have questions feel free to ask me at cncf shark.

A

That's all of my talk thanks.