The Problem - eLinux (slide transcript)
Posted on 28-May-2020
The Problem
Packaging vs. Runtime: OCI Image Spec vs. OCI Runtime Spec
[Diagram: a Docker Registry holds Cloud-Native Apps (rootfs + manifest: app binaries and app libraries); Docker pulls them and runs each one in its own Linux Namespaces on the Linux Kernel]
The problem with Linux namespaces
[Diagram: several Cloud-native Apps share a single Linux kernel and talk to it over the full POSIX interface; one of them is a Malicious App with the same POSIX access to the shared kernel as the others]
● Large surface of attack
● On average, 3 privilege escalation vulnerabilities per Linux release!
[Diagram: App (Container) / Cloud-native App instances, all with the same owner, on one Linux kernel via POSIX]
● No multi-tenancy
● Only run cloud-native apps from the same user on the same host
● Use VMs (or bare-metal) as security boundary
● Need to handle both VMs provisioning and Cloud-Native app provisioning

Virtual interface, on average:
● Xen PV: 1 priv escalation vuln / year
● KVM: 4 priv escalation vuln / year
Run virtualization as container runtime
Yes but, does it run containers?
[Diagram: Cloud-native Apps, each on its own Linux guest (POSIX stays inside the VM), on top of an Embedded Hypervisor using hardware virtualization (VMX), alongside a traditional VM]
● 1 container app <--> 1 VM
● Secure by default
● Mix and match traditional VMs and container apps on a single platform
● Support mixed criticality workloads
● Support real time apps
● Support device assignment
How do we do it?
[Diagram: the same Docker Registry -> Cloud-Native App (app binaries + app libraries) -> Docker -> Linux Kernel / Linux Namespaces picture as before]
This is just rootfs + manifest
[Diagram: the Docker Registry now feeds each Cloud-Native App (app binaries + app libraries) into its own VM on Xen; CoreOS rkt takes the place of Docker]
PVCalls
[Diagram: Cloud-native App in a Linux DomU (PV Interface) on Xen; POSIX calls stay inside the VM]
Each app is run in a small separate Xen VM for isolation.
POSIX calls are confined within the VM, “emulated” by the guest kernel.
A few selected syscalls are handled securely by Dom0 (primarily filesystem and socket syscalls).

Linux DomU internals
[Diagram: Dom0 runs the PV Calls syscall backend; the DomU's syscall frontend forwards those selected syscalls to it over the Xen PV interface, while all other syscalls are served inside the DomU]
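As an added example (not code from the talk or from the Xen project), here is the provisioning side of the "1 container app <--> 1 VM" idea in shell: the image is exported as a plain rootfs, packed into an ext4 disk image and booted as its own Xen PV guest with xl. Docker, the Xen tools (xl), mkfs.ext4 with -d support and a PV-bootable guest kernel carrying the PV Calls frontend are assumed; every name, path and size is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the talk: provision one container app as its own Xen PV guest.
# Assumes docker, the Xen tools (xl), mkfs.ext4 with -d support, and a PV-bootable guest kernel
# (with the PV Calls frontend the talk describes). All names, paths and sizes are placeholders.
set -e

# Export the image's flattened root filesystem: the talk's point is that an image is
# just rootfs + manifest, so the rootfs is all the VM's disk needs.
export_rootfs() {
    image="$1"; dest="$2"
    cid=$(docker create "$image")
    mkdir -p "$dest"
    docker export "$cid" | tar -x -C "$dest"
    docker rm "$cid" >/dev/null
}

# Pack the rootfs directory into an ext4 image without mounting it (no loop device needed).
make_disk_image() {
    rootfs_dir="$1"; out="$2"; size_mb="${3:-512}"
    truncate -s "${size_mb}M" "$out"
    mkfs.ext4 -q -F -d "$rootfs_dir" "$out"
}

# Emit the xl domain config: a small PV guest with one vCPU, one disk (the app rootfs) and one vif.
# The app entrypoint from the image manifest is passed as the kernel's init= (placeholder default).
make_xl_config() {
    name="$1"; kernel="$2"; disk_img="$3"; mem_mb="${4:-256}"; init="${5:-/sbin/init}"
cat <<EOF
name = "$name"
type = "pv"
kernel = "$kernel"
memory = $mem_mb
vcpus = 1
disk = ['file:$disk_img,xvda,w']
vif = ['bridge=xenbr0']
extra = "root=/dev/xvda rw init=$init console=hvc0"
EOF
}

# Glue: image -> rootfs -> disk image -> xl config -> running DomU (one VM per container app).
run_app_vm() {
    image="$1"; name="$2"; kernel="$3"; work="${4:-/var/lib/app-vms/$name}"
    export_rootfs "$image" "$work/rootfs"
    make_disk_image "$work/rootfs" "$work/rootfs.img"
    make_xl_config "$name" "$kernel" "$work/rootfs.img" > "$work/$name.cfg"
    xl create "$work/$name.cfg"
}
```

Invoke as `run_app_vm <image> <domain-name> <guest-kernel>`; afterwards `xl list` shows one domain per container app, which is the isolation boundary the slides argue for.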
Considerations on Meltdown
[Chart: CompileBench, Higher is Better; bars for Linux 4.15 native with no fix, Linux 4.15 native with fix, and Linux 4.15 in a Xen VM]
Demo

Stefano Stabellini
sstabellini AT kernel.org
twitter.com/stabellinist