Send in the chown()s - systemd containers in user namespaces
Wominjeka Theatre | Sat 15 Jan 1:30 p.m.–2:15 p.m.
Presented by
-
Fraser works on security and identity solutions at Red Hat. He is a fan of functional
programming and prefers pair programming with powerful compilers. Outside of
computers he enjoys art, music and little plastic bricks made in Denmark.
Abstract
"systemd in a container - what! why!?" We've got our Reasons, and I'll even explain them.
But more interesting than the "why" is the "how", and that's what this talk is about. Come and
learn about upcoming and already-delivered Kernel and Kubernetes security features that
enable better container isolation and secure deployment of systemd-based workloads.
This is a talk about what happened when a handful of complete container newbies tried to port
their massive, complex, "legacy" application to Kubernetes. In a single "monolithic"
container. Based on systemd.
The container runtime shunned our application. Cloud engineers howled in dismay at our
architecture decisions. Ultimately, like the hackers we are, we ignored their admonitions and
doubled down. If the container runtime won't run our application, well, we'll just modify the
container runtime!
And so we did. Our journey took us into the darkest corners of container runtimes, Kubernetes
and systemd. And we have emerged to tell you the tale. There will be demos.
Attendees should expect to learn more about the security technologies that underpin Linux
containers, including namespaces and cgroups, as well as the behaviour of systemd in
containers.
"systemd in a container - what! why!?" We've got our Reasons, and I'll even explain them. But more interesting than the "why" is the "how", and that's what this talk is about. Come and learn about upcoming and already-delivered Kernel and Kubernetes security features that enable better container isolation and secure deployment of systemd-based workloads. This is a talk about what happened when a handful of complete container newbies tried to port their massive, complex, "legacy" application to Kubernetes. In a single "monolithic" container. Based on systemd. The container runtime shunned our application. Cloud engineers howled in dismay at our architecture decisions. Ultimately, like the hackers we are, we ignored their admonitions and doubled down. If the container runtime won't run our application, well, we'll just modify the container runtime! And so we did. Our journey took us into the darkest corners of container runtimes, Kubernetes and systemd. And we have emerged to tell you the tale. There will be demos. Attendees should expect to learn more about the security technologies that underpin Linux containers, including namespaces and cgroups, as well as the behaviour of systemd in containers.