Daniel Walsh

Recent Posts

Best practices for running Buildah in a container

One of the cool things about separating the container runtimes into different tools is that you can start to combine them to help secure one another.

Lots of people would like to build OCI/container images within a system like Kubernetes. Imagine you have a CI/CD system that is constantly building container images; a tool like Red Hat OpenShift/Kubernetes would be useful for distributing the load of those builds. Until recently, most people were leaking the Docker socket into the container and then allowing the containers to do docker build. As I pointed out years ago, this is one of the most dangerous things you can do. Giving people root access on the system or sudo without requiring a password is more secure than allowing access to the Docker socket.

Because of this, many people have been attempting to run Buildah within a container. We have been watching and answering questions on this for a while. We have built an example of what we think is the best way to run Buildah inside of a container and have made these container images public at quay.io/buildah.

How to run systemd in a container

I have been talking about systemd in a container for a long time. Way back in 2014, I wrote “Running systemd within a Docker Container.” And, a couple of years later, I wrote another article, “Running systemd in a non-privileged container,” explaining how things hadn’t gotten much better. In that article, I stated, “Sadly, two years later if you google Docker systemd, this is still the article people see—it’s time for an update.” I also linked to a talk about how upstream Docker and upstream systemd would not compromise. In this article, I’ll look at the progress that’s been made and how Podman can help.

Running systemd in a non-privileged container

UPDATE: Read the new article “How to run systemd in a container” for the latest information.

What is the scoop on running systemd in a container?

A couple of years ago I wrote an article on Running systemd with a docker-formatted Container. Sadly, two years later if you google docker systemd this is still the article people see — it’s time for an update. This is a follow-up for my last article.

docker upstream vs. systemd

I have given many talks on the opposing upstream — here is a review of one of my talks https://lwn.net/Articles/676831/

Introducing a *Super* Privileged Container Concept

Letting the containers out of containment.

I have written a lot about *Containing the Containers*, e.g. *Are Docker containers really secure?* and *Bringing new security features to Docker*. However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let’s talk about removing all the security! Safely?

Opensource.com – Bringing new security features to Docker

In the first of this series on Docker security, I wrote “containers do not contain.” In this second article, I’ll cover why and what we’re doing about it.

Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at securing containers, I am looking to protect the host from the processes within the container, and I’m also looking to protect containers from each other. With Docker we are using the layered security approach, which is “the practice of combining multiple mitigating security controls to protect resources and data.”

Basically, we want to put in as many security barriers as possible to prevent a break out. If a privileged process can break out of one containment mechanism, we want to block them with the next. With Docker, we want to take advantage of as many security mechanisms of Linux as possible.

Luckily, with Red Hat Enterprise Linux (RHEL) 7, we get a plethora of security features.

Opensource.com – Are Docker containers really secure?

This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed.

Containers do not contain

I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system.

  • I have heard people say Docker containers are as secure as running processes in separate VMs/KVM.
  • I know people are downloading random Docker images and then launching them on their host.
  • I have even seen PaaS servers (not OpenShift, yet) allowing users to upload their own images to run on a multi-tenant system.
  • I have a co-worker who said: “Docker is about running random code downloaded from the Internet and running it as root.”

“Will you walk into my parlour?,” said the Spider to the Fly.

Stop assuming that Docker and the Linux kernel protect you from malware.

Running systemd within a Docker Container

UPDATE: Read the new article “How to run systemd in a container” for the latest information.

I have been working on Docker for the last few months, mainly getting SELinux added to help CONTAIN Containers.

libvirt-sandbox – virt-sandbox-service

For the last couple of years I was working on a different container technology using libvirt-lxc, in addition to my regular SELinux job. I built the virt-sandbox-service tool, which would carve up your host system into a bunch of service containers. My idea was to run systemd within a container, so that systemd would start services the same way inside a container as it would outside the container. Running a virt-sandbox-service container with an Apache unit file, you only see the systemd, journald and httpd processes running. Very little overhead, and creating a service container was simple: you only needed to specify the unit file of the service you wanted to put in the container.
