What is the scoop on running systemd in a container?
A couple of years ago I wrote an article on "Running systemd with a docker-formatted Container". Sadly, two years later, if you google "docker systemd" that is still the article people see, so it is time for an update. This post is a follow-up to that article.
docker upstream vs. systemd
I have given many talks on the disagreement between the two upstream projects; here is a review of one of them: https://lwn.net/Articles/676831/
Continue reading “Running systemd in a non-privileged container”
Letting the containers out of containment.
I have written a lot about *Containing the Containers*, e.g. *Are Docker containers really secure?* and *Bringing new security features to Docker*. But what if you want to ship a container that needs access to the host system or to other containers? Well, let's talk about removing all the security! Safely?
Continue reading “Introducing a *Super* Privileged Container Concept”
In the first article of this series on Docker security, I wrote "containers do not contain." In this second article, I'll cover why, and what we're doing about it.
Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at container security, I want to protect the host from the processes within the container, and I also want to protect containers from each other. With Docker we use a layered security approach, which is "the practice of combining multiple mitigating security controls to protect resources and data."
Basically, we want to put up as many security barriers as possible to prevent a breakout. If a privileged process can break out of one containment mechanism, we want the next one to block it. With Docker, we want to take advantage of as many of the security mechanisms in Linux as possible.
Luckily, with Red Hat Enterprise Linux (RHEL) 7, we get a plethora of security features.
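The layers described above can be checked from inside a running container, because each one is exposed through a kernel interface: the capability sets, the no-new-privileges flag and the seccomp mode are fields in /proc/PID/status, and the SELinux label is readable from /proc/PID/attr/current. The script below is an added example, not code from the original post or from the Docker project. It parses those fields and reports which layers are in force. The status excerpt and SELinux label it starts from are constructed sample data (the CapEff value is the default Docker capability mask); the function names (status_field, cap_has, cap_layer, seccomp_layer, selinux_layer, layers_summary) and the choice of "broad" versus "restricted" capability sets are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report which Linux containment
# layers apply to a process, using the kernel's own /proc interfaces.
# CapEff, NoNewPrivs and Seccomp are the real keys in /proc/<pid>/status;
# the sample data below is constructed for offline use.

# Constructed excerpt of /proc/<pid>/status for a process in a default
# docker container (spaces instead of tabs; awk splits on either).
SAMPLE_STATUS='Name: httpd
Pid: 1234
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
NoNewPrivs: 1
Seccomp: 2'

# Constructed SELinux label, as read from /proc/<pid>/attr/current.
SAMPLE_LABEL='system_u:system_r:container_t:s0:c123,c456'

# status_field STATUS KEY: print the value of KEY from a status text.
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# cap_has HEXMASK CAPBIT: succeed if capability bit CAPBIT is set in HEXMASK.
cap_has() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_layer HEXMASK: "broad" if any host-takeover capability is present
# (SYS_ADMIN=21, SYS_MODULE=16, SYS_PTRACE=19, SYS_RAWIO=17), else "restricted".
cap_layer() {
    for bit in 21 16 19 17; do
        if cap_has "$1" "$bit"; then
            echo broad
            return
        fi
    done
    echo restricted
}

# seccomp_layer MODE: map the Seccomp field (0/1/2) to a name.
seccomp_layer() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# selinux_layer LABEL: "none" when no user:role:type:level label is available,
# "unconfined" for the host's unconfined_t or the super-privileged spc_t,
# otherwise "confined:<type>".
selinux_layer() {
    case "$1" in
        *:*:*:*) ;;
        *) echo none; return ;;
    esac
    sel_type=$(printf '%s' "$1" | cut -d: -f3)
    case "$sel_type" in
        unconfined_t|spc_t) echo unconfined ;;
        *) echo "confined:$sel_type" ;;
    esac
}

# layers_summary STATUS LABEL: one line naming the state of every layer.
layers_summary() {
    caps=$(cap_layer "$(status_field "$1" CapEff)")
    nnp=$(status_field "$1" NoNewPrivs)
    sec=$(seccomp_layer "$(status_field "$1" Seccomp)")
    sel=$(selinux_layer "$2")
    printf 'caps=%s nnp=%s seccomp=%s selinux=%s\n' "$caps" "${nnp:-0}" "$sec" "$sel"
}

# Report on the constructed sample, then on the current process if /proc is there.
layers_summary "$SAMPLE_STATUS" "$SAMPLE_LABEL"
if [ -r /proc/self/status ]; then
    self_label=$(tr -d '\000' 2>/dev/null < /proc/self/attr/current || echo none)
    layers_summary "$(cat /proc/self/status)" "$self_label"
fi
```

Run it once on the host and once inside a container to see the layers differ: a default container should report restricted capabilities, seccomp in filter mode and a confined SELinux type, while a `--privileged` container drops back to broad capabilities, seccomp off and, on an SELinux host, the unconfined spc_t type, which is exactly the "removing all the security" case of the super privileged container post above.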
This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed.
Containers do not contain
I hear and read about a lot of people assuming that Docker containers actually sandbox applications, meaning that they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system.
- I have heard people say Docker containers are as secure as running processes in separate VMs/KVM.
- I know people are downloading random Docker images and then launching them on their host.
- I have even seen PaaS servers (not OpenShift, yet) allowing users to upload their own images to run on a multi-tenant system.
- I have a co-worker who said: “Docker is about running random code downloaded from the Internet and running it as root.”
“Will you walk into my parlour?,” said the Spider to the Fly.
Stop assuming that Docker and the Linux kernel protect you from malware.
Continue reading “Opensource.com – Are Docker containers really secure?”
I have been working on Docker for the last few months, mainly getting SELinux added to help CONTAIN Containers.
libvirt-sandbox – virt-sandbox-service
For the last couple of years, in addition to my regular SELinux job, I was working on a different container technology using libvirt-lxc. I built the virt-sandbox-service tool, which would carve up your host system into a bunch of service containers. My idea was to run systemd within a container, so that systemd would start services inside the container the same way it does outside it. Running a virt-sandbox-service container with an Apache unit file, you see only the systemd, journald and httpd processes. Very little overhead, and creating a service container was simple: you only needed to specify the unit file of the service you wanted to put in the container.
Continue reading “Running systemd within a Docker Container”