Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Unimatrix / Technical Board / 15 Sep 2021
Unimatrix / Technical Board / 15 Sep 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: UniMatrix Technical Board Call 2021-09-15

Description

https://gitlab.com/unimatrix/meetings/-/blob/master/TB/20210915.md

A

All right.

B

Sorry.

A

Who will join for the container security.

B

From our side, uh frederick lawson should join. um He accepted the meeting at least.

B

Okay,.

B

uh

B

Should we do you have an updated presentation from panasonic's side.

C

uh Yeah, so uh we have a little uh upgrade, uh however, so the uh younger hansa uh would be right for this meeting because of the uh pcr.

C

About uh kobit 19, therefore, so, if we can so we would like to explain the contents of the update later.

B

Okay, so when will he join.

C

I don't know uh in the worst case uh he will not join this meeting.

B

All right.

B

Do you have a presentation from high question side about security.

D

uh Hello have no uh no.

B

So should we do the same presentation as last time again or how should we do this.

C

Oh, so I've already received that document from younger hanson. So I can read the contents so.

C

Should I read the document at first okay, okay,.

C

Can you see my screen.

A

Yes, yes,.

C

Okay, okay, and to younger handsome uh separated the document uh so orchestration part in the content part and so about the orchestration part. Security requirements for organization from master needed authentication for controlling the access to the kubernetes api.

C

Api authorization with role-based access control isolates the worker knows network, do not expose directory to public network, restrict access from pause in difference, protect the database on crosstalk, uh htcd and sql by transport, layer, security, firewall and encryption vulnerability.

C

Scanner to scan quantities, clusters and pass for additional weakness from worker could set the access permission of part to host and could not be changed from the master.

C

Node could enable the react's container security context such as up armor syrinx by default and could not be changed from the muscle mode, prevent all plugins that all allow the volume mounting to host locations, disable the privileged containers and about uh container general requirements and container vulnerability scanning and os dependency security need to scan the image, build steps, uh email, signing and enforcement and sign container images for only trusted sources.

C

Privileged containers need to be controlled and verified before the installation confined the containers with linux security modules such as a permanent ac, relax or second that's all from eye precise, and so maybe, if he can, he will join this meeting raider and so in that time, so I'll. Please ask him about this contents.

C

Okay,.

C

I will upload the this document after this meeting to get dropped. Okay,.

B

Okay, I guess we are mostly interested in the last slide. I mean the container security because we are not using kubernetes at this point.

B

Any any other comments.

B

Okay,.

B

Okay, so should I.

B

Bring up the security recommendation document that I presented last time, I made some updates on it.

C

Yes, please.

B

So, as I explained last time, I think that security implementation is up to each manufacturer, and so I think we should just make some general security recommendations rather than enforcing security, uh certain security mechanisms and so on. So I just wrote down some general things we can discuss around. So some of these are also on your list from microside.

B

So one thing is to scan for vulnerabilities.

B

I'm not sure what a gitlab provides there. I think that they have something it might be. We need to upgrade to gitlab ultimate to get.

B

The full vulnerability scanning we can also, if we use if we create an account on docker hub, if we put our containers there, we can also get scanning done in docker hub they use uh snook for that, um I'm not sure as an open source product. Probably um we are allowed to do that. um Maybe awesome. Do you have any idea. Do is that as service that they provide for open source project.

E

um Sorry, I I don't know actually, but usually they are free for open source. Those kind of scanning tools.

B

And then another recommendation is to minimize the contain the runtime containers, though so I've been using something called docker slim, which is a open source project that will.

B

Containers and remove everything that is not used also, it can yet automatically generate some security profiles for your container, so it can generate app armor and second profiles.

B

I try to use that it doesn't really it's not completely.

B

Okay, I see we got, uh hung join us now.

C

Yeah, this hansa is older, hansa.

C

So the uh security expert is younger.

F

Okay, he will, uh uh I don't know uh he will be able to join this meeting or not.

B

Okay, anyway, I I think I will continue experiment a little bit with dr slim to try to automatically generate these security profiles. It didn't work out of the box with sec comp. It I tried to.

B

I tried to do run it on a few of our containers for debus and larad, but it didn't recognize all the needed system calls. So the container wasn't running as uh as it should so. There's some something's missing.

B

Okay, so my third recommendation is to use hardening flags when you're building your containers when you're compiling uh will make. If your container is compromised, it will kind of make things more difficult for a attacker to do something hurt that is actually implementing an exploit and I believe, if we are using since we are using ubuntu, also for our at least I'm using that for the sdk. So a lot of the packages that gets installed from ubuntu, I I think already is using the hardening some holding flags when they are building.

B

Do you know, do you know if they do that.

B

Who ubuntu when they for the packages, do you get through apps? Are they built using the recommended hardening flags.

E

From debian well now from ubuntu yeah- well probably I mean there are. There are a few flags that are usually used to pie and pick flags for what you're talking about when you have dynamic, uh address, yeah addresses and also you know, there are some other flags that that's very common that doesn't really impact you in any negative way.

E

So I assume that they use them as well.

B

Usually, some of the flags have a negative, uh a small performance hit. I think when I looked at this debian hardening guide said something like five percent. uh It could be up to five percent.

E

Slower.

E

Yeah, that's probably the address space layout randomization that usually has a performance hit.

B

But normally, if you I guess uh for the cpu, normally probably you won't have your.

B

Bottlenecks in that kind of.

B

Normally, maybe it's on the inference or something like that.

B

I guess it's not really a an impact on on most applications. That is crucial.

B

Okay, so the fourth uh recommendation is to generate these security profiles, so I will experiment a little bit more with that. We're using docker slim to see if I can get it to it. Automatically is a working profile for for second and up armor.

B

But at this point I mean we have not decided to to use uh specific security module. I will just do some experimentation.

B

Okay, so my fifth recommendation is to use the username space to remap the route in the contain the container route to something else, at least.

B

And then um we come to the that each basically, each app should have its own users and you should control uh privileges for the app user.

B

So we we recommend when you install an app. It comes with the manifest that will.

B

That will give the application privileges to what it needs.

B

And but we we have not discussed an app manifest yet how it should look like so.

B

That's something maybe we should start to do.

B

Is there any ideas about about this.

E

Well, I think a good addition to this list would be the signed containers, given that you do not want to be able to modify that manifest at a later time.

B

Yes, yes, I agree.

D

This manifest is a similar like as um when we I mean install the app in the cell phone, and I mean when I try to run the the application. It will remind.

A

Me how many.

D

uh Of how many, uh how many privileges does this app need to uh apply? I mean before running right.

B

Yeah exactly so so, and this could also be.

B

I mean, if you use on, if there's an app management api. So if we come up with uh some generic names for apis, like video audio similar to to how it is in on android, I think that would be a good idea that we can push in on with actually.

B

And I think also then uh bosch would be interested in in doing that standardizing some kind of manifest.

B

I mean the bush, they have their own platform right ossa, but I think they, if we come up with the similar, manifest with some generic names for apis. That is.

B

That is independent of the architecture.

B

I think we could standardize this in on.

E

So I have a question: I'm not a part of unimatrix and I I there's lots of things I do not know about this project. But how do you intend to onboard the workers.

B

You made deploying deploying apps.

E

Well, I I assume that you have some devices out there. That will be a part of this and how how do they become a part of yeah uni matrix.

B

Yeah, well, you mean actually so you mean if you have a device so how it's uh onboarded to to become ready for deployment.

B

Yeah that part, I think, is uh manufacturer specific, so unimatrix on only comes in at deployments how you onboard your devices. uh I think it is different for uh for every company, okay, okay,.

B

Oh, did someone have a different idea.

B

uh Think that the onboarding process is different for for every company.

B

That's my idea anyway, I don't think that's something that is easily standardized.

B

Any other ideas.

B

Leo.

D

Cannot talk talk because of because of his device? uh Hey, let me ask one question: is that the manifest um the manifesto here is is for the application right is not for the talk docker container.

B

Well, it's the same thing I would say I mean.

B

And I guess the manifest could actually be part of the container. So when you install.

B

When you installed up, you could extract the manifest and check things before you run it, but at this point I mean we haven't defined anything really.

B

It could be part of the container. It could be a separate file that you, when you install it, you get in another way.

E

Okay, so I have another question regarding the scope of this work, so is it I assume it's mostly about the container format itself, whatever we can have in the container, not the master, not deployments.

E

All of that is that.

B

Correct.

B

Well, yes, but also I want to I mean we want to standardize a deployment api so that you can deploy the applications.

B

Okay, regardless of the which brand it.

B

Is but things like, uh where do you put security profiles? Is that part of the I mean.

E

And I'm and I'm thinking about the local file systems, I mean, if you run on different devices, perhaps that's something that should be in scope for this as well, which having well well named paths that are exposed, but others can't.

B

um What do you mean like.

B

The pulse in the container or what you mount into the container or what.

E

You mount into the container yeah okay, so if you run on different systems, we can't really assume that well, every part exists on that system.

B

Yeah, well, I I think generally, it should be, uh maybe standardize what you actually.

B

Which things that are standard to mount into the containers? Things like things like, like the debuss, socket and stuff like that yeah.

B

Yeah go ahead.

C

So uh last week, so I discussed and lasting uh internally in the uh uh for sure. So the application vendors should check the compatibility by using the manifest file and, in addition, so uh unimately a consortium should.

C

Put the signature to the uh ocean image application and each device edge or complements or cloud.

C

Have the uh structure of conformation conformation and uh about the signature and the container image is surely.

C

Signed by the unimatrix, the osha image should be deployed in the in each device and in addition, so the uh about the uh evaluation and so the evaluation.

C

Maybe a unimatrix consortium couldn't ensure uh the uh wall, security or uh the something else and therefore also uh finally, so each company uh only have to evaluate the content image, but so the uh unimatrix consortium uh should issue the signature uh to the each container application.

C

So what do you think about this suggestion?.

E

So that the unimatrix consortium will sign all the images yeah, so we do not distribute keys to to developers to sign themselves. But it's centralized into.

C

No, no, no, no uh unimately consortium uh will not distribute uh each application and just sign yeah.

E

No, I think, that's that's that's fine. To have a. I think, it's good to have a central point that does the signing instead of distributing keys, which is a bit hard to control.

E

So I think that's a good suggestion.

B

Yeah is that, in line with what we do at the axis, I'm not sure uh it is okay, yeah yeah, then it's probably easier.

B

Yep.

B

Okay, any other ideas.

B

Maybe we should try, we should talk about deployment then, um since we have a hard time to agree on which which contain a framework to use, I think uh maybe we should uh leave it open, like makoto-san proposed, like it's up to each company to select.

B

So one idea is to use for deployment to use on with api for that. So it's a simple api for you can post using http an app?

B

It doesn't have a manifest, but, as I said, we could build on that and add a manifest and so on.

B

So so I propose to to to start with the on with app management api as like the standard, and then, if you want to use orchestration uh like kubernetes and things it's optional.

B

What do you think about that?.

C

uh Hi is your suggestion: uh the qualities should be the one of the options right.

B

Yes, but you I I what I'm saying is that the owner, if api is mandatory but and then the other apis like docker or kubernetes, is optional.

C

Yeah yeah, maybe.

B

My idea is that we want to support quite a wider range of devices that is more limited in the amount of ram and flash and so on. So I think the the one with api is quite uh small, and uh already uh manufacturers may support only so adding support for that. Small api is probably a little uh demand on the device itself. So and, and then you you would you could you can deploy your containers using this api and run them like with a container framework?

B

So if you use cryo or.

B

Or container d you will run them like you normally do.

C

In case of kubernetes related system, so cri is the common api and therefore the system integrators.

C

If the system integrators support, cri api, and so even though the high level uh long time content runtime is cryo or container d, it would be able to work, therefore, so in case of kubernetes related to system.

C

So the cri api and only have to be supported.

B

Yeah but cri, if you're not using kubernetes cri, is not useful anyway. So I'm I'm proposing to use the on with api as the mandatory deployment api.

D

So sorry, uh the unveil profile, uh the unreal protocol you mentioned- is already released by onward.

D

Yes, it's.

B

I think it's it's.

D

Called.

B

Management service, yes, it's available on onewish.org uh it I think it's been out for for since 2012 or 2006. So I think it's 2006.

G

It's been out so.

B

For a year it's quite new, but it's yeah. I think it's been out for one year now.

B

It's simple: it's it's got like you can list apps, you can install apps, you can complete your apps, you can install a license and you can get app status. So it's quite simple api.

D

So, uh if we're already released by the web, uh I think there are no reason to why not directly reuse it, but does it uh I mean feasible, I mean deploy the application um by um real protocol. uh How does the I mean the server connected to each camera? I'm not. I can't read it, I'm not in! I don't know the the protocol before I I need to relate the first.

B

Yeah, it's.

B

The format of the applications themselves is.

B

It can be any format so that device will tell which format it supports support, so you can have an oci container as a format. So that's my idea. We we put like if you are a unimatrix device. You need to support oci containers using this app management, uh api and then.

C

I, as the raw label, uh don't continue runtime.

C

Can you repeat ah so uh the crochet image should be supported under load or the low level uh container runtime, for example, run c sierra.

F

Yeah yeah.

B

Okay, um any other ideas.

B

So I think we should I maybe until next time I will think about the manifest formats and we can have a discussion around manifest.

C

So, uh by the way, so how about the vulnerability scanning so communication board members is about to have the meeting with linux foundation.

C

um So in such time, so we will be able to confirm.

C

The uh variable vulnerability scanning uh so deeply, maybe in case of git drop, so the uh special.

C

Program is needed, however, so in case of github- so I don't know, but so it will be available or they may know another method to do the variability scan. I think.

B

Yeah, I'm not sure if github provides a container registry, that's something that gitlab does for every product, I'm not sure. If github does the same thing uh they've been trying to catch up with all the features of gitlab, so I'm probably it's there, but I'm not sure, but it might be a good idea anyway to create an account on docker hub to that's kind of the place where everybody puts their container images, uh so it. I think it makes sense for us to have our container images there as well and then.

B

See if we can, but then we can automatically get them uh scanned by snake, which I think snake provides probably the best service right now for scanning vulnerabilities of this yeah. These different tools that exist.

C

So anyway, let's try to consult it and that thing with linux foundation.

B

Okay, yeah. I think I will join you next time then, on the next communication board is the linux foundation is going to join.

A

uh Yes, jens is trying to set up a meeting with uh to include one from linux foundation, to discuss the website and other technical. It related stuff.

A

So it could be good if you join frederick, because we will talk about kit as well.

B

Okay, yeah.

A

So we will invite you for that uh meeting.

B

I think I already have it in my calendar.

A

Sure I guess jens has done the invitation, so um you should be invited. So that's good, at least on that.

A

Okay,.

B

So do we have anything else to discuss around security, otherwise we're gonna? We can discuss a little bit about organization of the gear.

C

There is nothing about security from hyperside.

B

Okay and high pack vision: do you have anything else.

D

uh We can continue to the next topic.

A

Okay,.

E

So.

B

Then I'll.

D

Drop.

E

Out then, so all right, that's, okay! So thank you thanks. Thank you.

C

Bye.

B

All right so uh makoto-san you had some ideas around the organization.

C

ah Okay, so uh now so uh communication board.

C

Is.

C

About to.

C

Revise the x official website and in parallel of course, so the git, rob or github should be reorganized and for the official launch about the matrix version 1.0, and so we would like to discuss the uh the organization about key drop and github. Maybe the current uh the uh directory structure is a little messy and therefore so for the official launch.

C

The uh structure should be reorganized in the the discrimination. Technical description uh should be modified uh in the so maybe uh for each software module in the software technology.

C

So so we would like to discuss how to proceed.

C

Such things.

B

Yeah I I agree, it's a bit messy, so let's bring up how it looks right now.

B

I will share my screen.

B

So here is the top structure, so some things here are kind of rotten. I guess that could be removed.

B

The things that are still um used, I will the meta in the matrix basically contains the ref or will contain the reference implementation of a device.

B

That should be fairly a very basic device that only basic con that only will contain docker plus what is needed to boot it. Basically, this build root. Build root, thing is old, I think we can remove. The lib unicom is something that was done by uh high vision, I believe yeah. I think it hasn't been used in a long time.

C

uh I I I think so the superior part should be transferred to the official website site, maybe, for example, the charter and like that.

B

Sorry, I I didn't understand that.

C

Yeah, so maybe uh the current uh git drop contents are included in the included.

C

Contents, it should be described on the official website there. Also several parts uh should be transferred to the uh official website, and so if uh the contents is not needed anymore, so the contents should be removed and the remainder the directories should be reorganized.

B

Yeah, we should think about it, but I I I mean it's it's useful to have it in git, because you get.

B

You get the history you can see, you can track what has been done and so on. So, if you just put it on a website, it's um it's not. You could of course clone. You can clone parts of this onto the website, but I don't believe in. I don't think we should remove things here.

B

I think it should it's better to to clone things than on the website. That is also here.

C

uh So, according to jensen, uh jensen uh is going to prepare the uh history in the about on the official website and therefore so.

C

You need to discuss with communication members closely and so make sure uh the uh current contents uh are so how we should uh to read the current contents. After now,.

B

Yeah I mean thanks for the website. I I live up to the communications, to do that. I'm just, I think, still that even the technical stuff, also it's a little bit unorganized uh right now, so the things that are used, um I think we need to describe better. I mean lara, just probably got better documentation than most of it.

B

A lot of I mean the sdk and examples and things that all of that is under the containers. uh So here is more description, is needed, what it, what it is yeah or.

C

Maybe.

B

Maybe we should move the examples down I've added now. We have three examples: one is in python, that's been there for some time and one is in c plus plus and another one, also in c, plus plus, which uses the lara api directly. So I added that one just.

C

Yeah, as you mentioned, so we need uh the detailed discussion about the organization. Therefore, so, if you can, could you uh could you please prepare the draft proposal so to organize the github contents.

B

um Yeah you mean for the next communication board meeting.

B

Yeah, I can make a proposal on uh how to organize yes, yeah.

C

And based on the uh draft proposal, so uh let's discuss uh how we proceed uh the the organization now with our communication board members.

B

Yeah but the technical stuff is, I mean this is most for more for the technical board. I would say how we organize.

B

Some things, of course, can be discussed together with communication board.

C

uh So uh well also after you create the draft proposal, so uh how about uh saturating the uh document uh in uh tv members.

B

Yep.

C

I will create uh the questionnaire about that.

B

Okay,.

C

Therefore, so uh if you are finished to make the draft proposal, please let me know.

B

Yes,.

B

All right um is there anything else you'd like to discuss or we are, can we go on to the next meeting.

B

Okay,.

B

So I propose to have a next tb meeting in in two weeks time.

B

So the same uh the same time as this one would be september, 29th.

G

All right, okay, let me check how about 28th.

B

Now 28 we have an on with meeting actually 29 is also an honest meeting.

B

30Th.

A

First thing is good.

B

um 30Th is possible, yes,.

B

So.

B

30Th, at the same time, slot.

C

Hyper is okay.

B

So this uh that's utc one o'clock uh at 1300.

B

Okay, is it is it okay from high question side.

D

uh Yes, no problem, uh you mean one o'clock p.m, right, utc time.

B

Yes, yes, yes,.

D

Okay, no problem.

B

Okay, I will send out the invitation, so I have two things for the agenda. Right now is the manifest and uh organization of git. So far, okay,.

B

Then that's all I had up for today, any other business.

C

Nothing else.

B

All right, so thanks for joining and see you next time. Thank you. Bye, bye,.

F

Thank you.

D

Bye have a nice day.