Daniel Walsh

Recent Posts

How to run systemd in a container

I have been talking about systemd in a container for a long time. Way back in 2014, I wrote “Running systemd within a Docker Container.” And, a couple of years later, I wrote another article, “Running systemd in a non-privileged container,” explaining how things hadn’t gotten much better. In that article, I stated, “Sadly, two years later if you google Docker systemd, this is still the article people see—it’s time for an update.” I also linked to a talk about how upstream Docker and upstream systemd would not compromise. In this article, I’ll look at the progress that’s been made and how Podman can help.

Running systemd in a non-privileged container

UPDATE: Read the new article “How to run systemd in a container” for the latest information.

What is the scoop on running systemd in a container?

A couple of years ago I wrote an article on Running systemd with a docker-formatted Container. Sadly, two years later if you google docker systemd this is still the article people see — it’s time for an update. This is a follow-up to my last article.

docker upstream vs. systemd

I have given many talks on the opposing upstreams; here is a review of one of my talks: https://lwn.net/Articles/676831/

Introducing a *Super* Privileged Container Concept

Letting the containers out of containment.

I have written a lot about *Containing the Containers*, e.g. *Are Docker containers really secure?* and *Bringing new security features to Docker*. However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let’s talk about removing all the security! Safely?

Opensource.com – Bringing new security features to Docker

In the first of this series on Docker security, I wrote “containers do not contain.” In this second article, I’ll cover why and what we’re doing about it.

Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at security containers, I am looking to protect the host from the processes within the container, and I’m also looking to protect containers from each other. With Docker we are using the layered security approach, which is “the practice of combining multiple mitigating security controls to protect resources and data.”

Basically, we want to put in as many security barriers as possible to prevent a breakout. If a privileged process can break out of one containment mechanism, we want to block it with the next. With Docker, we want to take advantage of as many security mechanisms of Linux as possible.

Luckily, with Red Hat Enterprise Linux (RHEL) 7, we get a plethora of security features.

Opensource.com – Are Docker containers really secure?

This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed.

Containers do not contain

I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system.

  • I have heard people say Docker containers are as secure as running processes in separate VMs/KVM.
  • I know people are downloading random Docker images and then launching them on their host.
  • I have even seen PaaS servers (not OpenShift, yet) allowing users to upload their own images to run on a multi-tenant system.
  • I have a co-worker who said: “Docker is about running random code downloaded from the Internet and running it as root.”

“Will you walk into my parlour?” said the Spider to the Fly.

Stop assuming that Docker and the Linux kernel protect you from malware.

Running systemd within a Docker Container

UPDATE: Read the new article “How to run systemd in a container” for the latest information.

I have been working on Docker for the last few months, mainly getting SELinux added to help CONTAIN Containers.

libvirt-sandbox – virt-sandbox-service

For the last couple of years I was working on a different container technology using libvirt-lxc, in addition to my regular SELinux job. I built the virt-sandbox-service tool, which would carve up your host system into a bunch of service containers. My idea was to run systemd within a container, and then systemd would start services the same way inside a container as it would outside the container. Running a virt-sandbox-service container with an Apache unit file, you only see the systemd, journald and httpd processes running. Very little overhead, and creating a service container was simple: you only needed to specify the unit file of the service you wanted to put in the container.