the problem - elinux...cloud-native app same owner xen no multi-tenancy only run cloud-native apps...
TRANSCRIPT
![Page 1: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/1.jpg)
![Page 2: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/2.jpg)
The Problem
![Page 3: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/3.jpg)
![Page 4: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/4.jpg)
![Page 5: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/5.jpg)
![Page 6: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/6.jpg)
Packaging vs. Runtime
OCI Image Spec vs. OCI Runtime Spec
![Page 7: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/7.jpg)
Linux Kernel
Linux Namespaces
Docker Registry
Linux Namespaces
Cloud-Native App
Linux Namespaces
Cloud-Native App
App binaries
App librariesCloud Native App
(rootfs + manifest)
App binaries
App libraries
Docker
![Page 8: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/8.jpg)
![Page 9: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/9.jpg)
The problem withLinux namespaces
![Page 10: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/10.jpg)
Cloud-native App
Cloud-native App
Linux kernel
POSIX
Cloud-native App
![Page 11: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/11.jpg)
Cloud-native App
Cloud-native App
Linux kernel
POSIX
Large surface of attack
On average, 3 privilege escalation vulnerabilities per Linux release!
Cloud-native App
![Page 12: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/12.jpg)
Cloud-native AppMalicious App
Linux kernel
POSIX
Cloud-native App
Large surface of attack
On average, 3 privilege escalation vulnerabilities per Linux release!
![Page 13: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/13.jpg)
Cloud-native AppMalicious App
Linux kernel
POSIX
Cloud-native App
Large surface of attack
On average, 3 privilege escalation vulnerabilities per Linux release!
![Page 14: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/14.jpg)
Cloud-native AppMalicious App
Linux kernel
POSIX
Cloud-native App
Large surface of attack
On average, 3 privilege escalation vulnerabilities per Linux release!
![Page 15: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/15.jpg)
Cloud-native AppMalicious App
Linux kernel
POSIX
Cloud-native App
Large surface of attack
On average, 3 privilege escalation vulnerabilities per Linux release!
![Page 16: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/16.jpg)
![Page 17: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/17.jpg)
![Page 18: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/18.jpg)
![Page 19: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/19.jpg)
![Page 20: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/20.jpg)
App (Container)
same owner
App (Container)
same owner
Linux kernel
App (Container)
same owner
Cloud-native App
same owner
Cloud-native App
same owner
Linux kernel
POSIX
Cloud-native App
same owner
Xen
● No multi-tenancy
● Only run cloud-native apps from the same user on the same host
● Use VMs (or bare-metal) as security boundary
● Need to handle both VMs provisioning and Cloud-Native app provisioning
Virtual interface, on average:
Xen PV: 1 priv escalation vuln / year KVM: 4 priv escalation vuln / year
![Page 21: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/21.jpg)
![Page 22: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/22.jpg)
![Page 23: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/23.jpg)
![Page 24: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/24.jpg)
Run
![Page 25: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/25.jpg)
Virtualizationas container runtime
![Page 26: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/26.jpg)
![Page 27: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/27.jpg)
![Page 28: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/28.jpg)
On R
![Page 29: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/29.jpg)
![Page 30: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/30.jpg)
Yes but,Does it run containers?
![Page 31: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/31.jpg)
Cloud-native App
Cloud-native App
Linux
Cloud-native App
Embedded Hypervisor
POSIX
Linux Linux
VMX
VM● 1 container app <--> 1 VM
● Secure by default
● Mix and match traditional VMs and container apps on a single platform
● Support mixed criticality workloads
● Support real time apps
● Support device assignment
![Page 32: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/32.jpg)
How do we do it?
![Page 33: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/33.jpg)
Linux Kernel
Linux Namespaces
Docker Registry
Linux Namespaces
Cloud-Native App
Linux Namespaces
Cloud-Native App
App binaries
App librariesCloud-Native
App
App binaries
App libraries
Docker
This is justrootfs + manifest
![Page 34: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/34.jpg)
![Page 35: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/35.jpg)
![Page 36: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/36.jpg)
![Page 37: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/37.jpg)
Xen
VM
Docker Registry
VM
Cloud-Native App
VM
Cloud-Native App
App binaries
App librariesCloud-Native
App
App binaries
App libraries
CoreOS rkt
![Page 38: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/38.jpg)
![Page 39: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/39.jpg)
PVCalls
![Page 40: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/40.jpg)
![Page 41: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/41.jpg)
Cloud-native App
Linux DomU
Xen
POSIX
PV Interface
VM
Each app is run in a small separate Xen VM for isolation.
POSIX calls are confined within the VM, “emulated” by the guest kernel.
Few selected syscalls are handled securely by Dom0 (filesystem and socket syscalls primarily).
Dom0
PV Calls
![Page 42: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/42.jpg)
Dom0Cloud-native app
XenPV Interface
VM
Syscall backend
Syscallfrontend
PV CallsAll othersyscalls
Linux DomU internals
![Page 43: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/43.jpg)
![Page 44: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/44.jpg)
Considerations on Meltdown
![Page 45: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/45.jpg)
![Page 46: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/46.jpg)
![Page 47: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/47.jpg)
Linux 4.15no fix
Linux 4.15fix
Linux 4.15On Xen
CompileBench, Higher is Better
Native Native Xen VM
![Page 48: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/48.jpg)
![Page 49: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/49.jpg)
![Page 50: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/50.jpg)
Demo
![Page 51: The Problem - eLinux...Cloud-native App same owner Xen No multi-tenancy Only run cloud-native apps from the same user on the same host Use VMs (or bare-metal) as security boundary](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3499c91d6e046101ed8f8/html5/thumbnails/51.jpg)
Stefano Stabellinisstabellini AT kernel.orgtwitter.com/stabellinist