Linux Systems
Tuesday, October 27
 

16:15 GMT

Rootless Containers from Scratch - Liz Rice, Aqua Security
Containers have taken off as one of the foundational technologies that enabled cloud native application development and deployment. But despite their widespread adoption through Docker, Kubernetes and other tools, there has been a significant security risk: users have effectively needed root privileges in order to run containers on a host. Recently there have been significant advances to enable “rootless containers” - containers that can be run without requiring root privileges. This talk will use live-coding in Go to illustrate how rootless containers are created, exploring why root was originally required and what has changed to enable rootless operation. This talk assumes that you have some familiarity with how containers are built using namespaces, cgroups and chroot.

Speakers
Liz Rice

VP Open Source Engineering, Aqua Security
Liz Rice is VP Open Source Engineering with cloud native security specialists Aqua Security, looking after projects including Starboard, Trivy, Tracee, kube-hunter and kube-bench. She is chair of the CNCF's Technical Oversight Committee, and was Co-Chair of KubeCon + CloudNativeCon...


Tuesday October 27, 2020 16:15 - 17:05 GMT
Linux Systems Theater

16:15 GMT

Tutorial: Running Your Own VM & Container Cluster at Home - Stephane Graber & Christian Brauner, Canonical Ltd.
LXD is an easy-to-use system container and virtual machine manager. In addition to letting you create and run containers and virtual machines on a wide selection of storage and network options, and featuring a modern REST API for remote management, it can also be clustered very easily. In this tutorial, we'll go over setting up LXD from scratch on 3 Raspberry Pi 4 boards and then configure it to allow remote systems to create and manage containers and virtual machines on them. Such a setup can be interacted with easily from the built-in command line tool available for Linux, macOS and Windows, and can be shared with multiple users by using independent "projects" on that cluster. We'll also go over the most common web interface option to make it even easier to manage from any system on the network. This kind of setup can easily be replicated in the cloud or on any spare physical hardware, and on the majority of hardware architectures. The Raspberry Pi 4 used in this case allows someone to set up such a redundant cluster for themselves at a very reasonable cost, making it a perfect way to experiment.

Speakers
Stéphane Graber

Project leader for LXD, LXC and LXCFS, Canonical Ltd.
Stéphane Graber is the engineering manager for the LXD team at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at events related to containers and Linux. Stéphane is also a longtime contributor to the Ubuntu Linux distribution...
Christian Brauner

Senior Software Engineer, Canonical
Christian Brauner is a kernel developer and maintainer of the LXD and LXC projects currently working at Canonical. He works mostly upstream on the Linux Kernel maintaining various bits and pieces. He is strongly committed to working in the open, and an avid proponent of Free Software...



Tuesday October 27, 2020 16:15 - 18:05 GMT
Linux Systems Theater
 
Wednesday, October 28
 

12:00 GMT

Syscall Supervision - Christian Brauner, Canonical
Unprivileged programs such as containers employing user namespaces are severely restricted by the kernel to protect the host from malicious workloads. This means that certain syscalls are completely off-limits for critical workloads, even when a privileged, supervising process such as the container manager can vouch for their safety. To solve this problem in a generic way, we extended the Linux kernel to allow for syscall supervision. This means a process such as the container manager can receive notifications about the syscalls of a process running inside the container; that process remains blocked until the container manager allows it to proceed. In this talk we will look at how syscall supervision works in the kernel and how a container manager can use it to allow unprivileged containers to mount filesystems and create devices they would otherwise not be able to. We will also look at new features built on top of this that enable a container manager to inject file descriptors into, and receive file descriptors from, another process, allowing it to open() files on behalf of the container that the container would otherwise not be able to open.

Speakers
Christian Brauner

Senior Software Engineer, Canonical
Christian Brauner is a kernel developer and maintainer of the LXD and LXC projects currently working at Canonical. He works mostly upstream on the Linux Kernel maintaining various bits and pieces. He is strongly committed to working in the open, and an avid proponent of Free Software...


Wednesday October 28, 2020 12:00 - 12:50 GMT
Linux Systems Theater