Secure Your Apps in Production using Mesos Containerizer
HELLO! I am Benjamin Bannier. I am here because I love Containers and Mesos. You can find me at @benjamin
Introduction
Why Containerization?
▸ Abstracts away the underlying system
  ▹ For users
  ▹ For containerized applications
▸ Isolation - resources, networking and visibility
▸ Helps to define the application surface
▸ Relevance to Enterprise

Containers are not VMs
Containers allow you to run a Linux process within certain constraints. The process is isolated via:
▸ cgroups
▸ pid namespace
▸ user namespace
▸ network namespace
Introduction
Limits of Containerization?
▸ cross talk between containers and host processes (-> seccomp)
▸ containers requiring privileged access to their own container (-> user namespaces)
▸ containers requiring privileged access to host facilities (-> capabilities)

Goals
▸ improved isolation
▸ reduced attack surface
▸ less privileged processes
User Namespaces
HELLO! I am Srini Brahmaroutu. I am from IBM, learning Containers and Mesos. You can find me at @srbrahma
User Namespaces
▸ History
▸ What are User Namespaces
  ▹ Virtualize users
  ▹ Run unprivileged containers
▸ Why User Namespaces
  ▹ Protect global resources
  ▹ Contain the application's root privileges
User Namespaces
▸ Mesos Tasks
  ▹ unprivileged tasks
▸ Enable User Namespaces on Mesos
  ▹ Agent flags
  ▹ Isolators
  ▹ User mapping
User Namespaces
▸ Mesos Agent flags - switch_user, userns?
  ▹ unprivileged tasks
  ▹ Tasks running in a user namespace

  # start the agent with the user-namespace isolator enabled (one command, continued across lines)
  sudo GLOG_v=2 ./bin/mesos-agent.sh --master=127.0.0.1:5050 --image_providers=APPC,DOCKER \
      --isolation=namespaces/user --switch_user=true &

  # then launch a task as an unprivileged user
  UnprivilegedUser$> mesos-execute … // run your task
User Namespaces
▸ Mesos Isolators for User Namespaces
  ▹ Create : Creates an isolator class ...
  ▹ Prepare : Sets the clone flag
  ▹ Isolate : Writes the map file
  ▹ Update/Recover/Cleanup : Not required
User Namespaces
▸ User Mapping
  ▹ /proc/[pid]/uid_map
  ▹ /proc/[pid]/gid_map
  ▹ /etc/subuid & /etc/subgid
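The Isolate step and the mapping files above come together in one small piece of logic: pick the host id range delegated to a user in /etc/subuid, turn it into the single "inside-id host-id length" line that /proc/[pid]/uid_map accepts, and know which host id the kernel will use for a given id inside the namespace. The following C program is an added example written for this page; it is not Mesos code and the isolator does not look like this. The names (`find_subid`, `format_idmap`, `map_to_host`, `write_idmap`) and the subuid text are constructed, and the map line is only printed, not written, so it runs without privileges.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* A contiguous block of host ids delegated to one user (one /etc/subuid line). */
struct idrange {
    uint32_t start;   /* first host id in the range */
    uint32_t count;   /* number of consecutive host ids */
};

/* Look up USER in subid-format text ("name:start:count", one entry per line).
 * Returns 1 and fills OUT when found, 0 when USER has no entry, -1 when the
 * matching entry is malformed. CONTENT is a parameter so the function can be
 * exercised on constructed text instead of the real /etc/subuid. */
int find_subid(const char *content, const char *user, struct idrange *out)
{
    size_t ulen = strlen(user);
    const char *line = content;

    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        if (len > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            unsigned long long start, count;
            if (sscanf(line + ulen + 1, "%llu:%llu", &start, &count) != 2 ||
                count == 0 || start > UINT32_MAX || count > UINT32_MAX - start)
                return -1;   /* garbage, empty, or overflowing range */
            out->start = (uint32_t)start;
            out->count = (uint32_t)count;
            return 1;
        }
        if (end == NULL)
            break;
        line = end + 1;
    }
    return 0;
}

/* Build the one-line mapping the Isolate step writes to uid_map/gid_map:
 * "<id inside ns> <id on host> <length>". Mapping container root (0) onto an
 * unprivileged host range is exactly what keeps "root in the container"
 * unprivileged on the host. Returns bytes written or -1 if BUF is too small. */
int format_idmap(const struct idrange *r, char *buf, size_t n)
{
    int w = snprintf(buf, n, "0 %" PRIu32 " %" PRIu32 "\n", r->start, r->count);
    return (w < 0 || (size_t)w >= n) ? -1 : w;
}

/* Host id the kernel uses for permission checks when the namespace sees INSIDE;
 * -1 when INSIDE has no mapping (the kernel then shows the overflow id,
 * 65534 by default, and denies ownership-based access). */
int64_t map_to_host(const struct idrange *r, uint32_t inside)
{
    return inside < r->count ? (int64_t)r->start + inside : -1;
}

/* Write MAP to /proc/PID/FILE ("uid_map" or "gid_map"). Each file accepts
 * exactly one write; an unprivileged writer must also write "deny" to
 * /proc/PID/setgroups before gid_map. Returns 0 on success, -1 on failure. */
int write_idmap(pid_t pid, const char *file, const char *map)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, file);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(map, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Constructed stand-in for /etc/subuid; nothing is read from the host. */
    const char *subuid = "alice:100000:65536\nbob:165536:65536\n";
    struct idrange r;
    char map[64];

    if (find_subid(subuid, "alice", &r) != 1 || format_idmap(&r, map, sizeof map) < 0) {
        fprintf(stderr, "no usable subuid range for alice\n");
        return 1;
    }
    printf("uid_map line for alice's container: %s", map);
    printf("container uid 0     -> host uid %" PRId64 "\n", map_to_host(&r, 0));
    printf("container uid 65536 -> host uid %" PRId64 " (unmapped)\n", map_to_host(&r, 65536));
    /* A real Isolate step would now call write_idmap(child_pid, "uid_map", map)
     * (and the same for gid_map) before the child exec()s its command. */
    return 0;
}
```

The range check in `map_to_host` is the point of the whole mechanism: an id the container considers "root" lands on host uid 100000, and an id outside the delegated range has no host identity at all.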
User Namespaces
▸ File systems and User Namespaces
  ▹ Share image layers
  ▹ Mount filesystem
HELLO! Again, let's talk about Capabilities.
Capabilities
A POSIX/Linux mechanism to divide privileges (e.g., of root) into fine-grained capabilities.
Examples:
● binding to privileged ports < 1024,
● sending signals to arbitrary processes,
● bypassing file permission checks,
● and many more.
Purpose
To perform any privileged action, tasks needed to be run with full superuser privileges.
● hard to control privilege access,
● user errors can have (unintended) effects beyond their environment.
Does not fit expectations for containerization well.
Integration into Mesos
Capabilities isolator linux/capabilities.
● Operator sets up agents with a set of allowed capabilities (agent capabilities).
● Users request the capabilities their tasks require (task capabilities).
Possible future extensions
Non-root tasks can effectively only use file-based capabilities.
Linux > 4.3 introduces ambient capabilities to address this.
We could extend support for capabilities for non-root tasks, e.g., via ambient capabilities or user namespaces.
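Two things in the last three slides are worth seeing as code: the operator/user split (a task may only receive capabilities that sit inside the agent's allowed set) and the difference between the bounding set and the newer ambient set that the "future extensions" slide refers to. The program below is an added example for this page, not the Mesos capabilities isolator and not its flag syntax: the name table, the comma-separated list format, and the `caps_from_names` / `task_caps_allowed` / `cap_in_bounding_set` / `cap_in_ambient_set` names are all constructed here. It uses only prctl(2) and the capability numbers from the kernel headers, so it needs neither libcap nor root.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* The ambient-set prctl constants arrived with Linux 4.3; define them if the
 * headers predate that so the probe below still compiles. */
#ifndef PR_CAP_AMBIENT
#  define PR_CAP_AMBIENT 47
#  define PR_CAP_AMBIENT_IS_SET 1
#endif

/* Constructed name table: a subset of the capabilities in capabilities(7). */
static const struct { const char *name; int value; } cap_names[] = {
    { "CAP_CHOWN",            CAP_CHOWN },
    { "CAP_DAC_OVERRIDE",     CAP_DAC_OVERRIDE },
    { "CAP_KILL",             CAP_KILL },
    { "CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE },
    { "CAP_NET_RAW",          CAP_NET_RAW },
    { "CAP_SYS_PTRACE",       CAP_SYS_PTRACE },
    { "CAP_SYS_ADMIN",        CAP_SYS_ADMIN },
};
#define N_CAP_NAMES (sizeof cap_names / sizeof cap_names[0])

/* Parse "CAP_NET_BIND_SERVICE,CAP_KILL" into a bitmask (bit n set <=>
 * capability number n). Returns 0 on success, -1 if any name is unknown: an
 * unrecognised name must be a hard error, not silently skipped, otherwise a
 * typo in the operator's allowed set would go unnoticed. */
int caps_from_names(const char *list, uint64_t *mask)
{
    char buf[512];
    *mask = 0;
    if (strlen(list) >= sizeof buf)
        return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ", "); tok != NULL; tok = strtok(NULL, ", ")) {
        size_t i;
        for (i = 0; i < N_CAP_NAMES; i++) {
            if (strcmp(tok, cap_names[i].name) == 0) {
                *mask |= UINT64_C(1) << cap_names[i].value;
                break;
            }
        }
        if (i == N_CAP_NAMES)
            return -1;
    }
    return 0;
}

/* The check an isolator makes from the agent's allowed set and the task's
 * request: 1 if every requested capability is allowed, 0 otherwise. */
int task_caps_allowed(uint64_t agent_allowed, uint64_t task_requested)
{
    return (task_requested & ~agent_allowed) == 0;
}

/* Is CAP in this process's bounding set? Returns 1/0, or -1 for an invalid
 * number. Anything removed from the bounding set cannot come back through a
 * file-capability binary, which is why dropping it early is a hard limit. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Is CAP in the ambient set? Returns 1/0, or -1 on kernels without ambient
 * capabilities or for an invalid number. Ambient capabilities are what let a
 * non-root task keep a capability across exec without file capabilities. */
int cap_in_ambient_set(int cap)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0UL, 0UL);
}

int main(void)
{
    uint64_t allowed, wanted;
    /* Constructed operator policy and task request (not Mesos flag syntax). */
    if (caps_from_names("CAP_NET_BIND_SERVICE,CAP_KILL", &allowed) != 0 ||
        caps_from_names("CAP_NET_BIND_SERVICE,CAP_SYS_ADMIN", &wanted) != 0)
        return 1;
    printf("task request %s\n", task_caps_allowed(allowed, wanted) ? "granted" : "rejected");
    printf("CAP_NET_BIND_SERVICE here: bounding=%d ambient=%d\n",
           cap_in_bounding_set(CAP_NET_BIND_SERVICE), cap_in_ambient_set(CAP_NET_BIND_SERVICE));
    return 0;
}
```

Run as an ordinary user the last line typically prints bounding=1 ambient=0: the capability is still in the bounding set, so a setcap'd binary could gain it, but it is not ambient, which is the gap the ambient-capabilities extension on the slide would close for non-root tasks.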
In the context of the Mesos containerizer we introduced
● new Mesos abstractions for capabilities,
● interfaces for operators to grant capabilities to tasks,
● interfaces for users to request capabilities.
This adds new containerization tools for privileged tasks.
HELLO! I am Jay Guo. I am from IBM, contributing to many open source projects and Mesos. Me: @guoger
Seccomp - What is it?
▸ A mechanism to restrict the syscalls a process can make
▸ One-way transition into a "secure" state.
Seccomp - Why do we need it?
▸ Reduce the attack surface of the kernel, which is shared among containers and the host.
▸ Execute customers' code with more confidence.
Seccomp - How does it work?
▸ A Berkeley Packet Filter (BPF) program loaded into the kernel controls which system calls are permitted.
▸ Every syscall goes through the filter first
▸ Actions include
  ▹ KILL
  ▹ TRAP
  ▹ ERRNO
  ▹ TRACE
  ▹ ALLOW
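The slide above is easiest to understand with an actual filter in hand. The C program below is an added example for this page (not Mesos code, and not what the linux/seccomp isolator installs): it builds a seccomp-BPF allow-list that permits read, write, exit and exit_group, returns ERRNO (EPERM) for everything else, and uses KILL if the syscall ABI is not the one the filter was written for. Because a filter is a one-way transition, the example also carries a small userspace interpreter for the three instruction kinds it uses, so the decision for any syscall number can be checked before the filter is ever loaded; `demo_install_filter` is the real prctl(2) load, called only from `main`. The `demo_*` names, the chosen allow-list, and the x86_64/aarch64 architecture selection are this example's assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS   /* only in 4.14+ headers; older ones have just SECCOMP_RET_KILL */
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Plain initialisers (code, jt, jf, k) instead of BPF_STMT/BPF_JUMP, so the
 * table can be a static initialiser in standard C. */
#define STMT(code, k)         { (code), 0, 0, (k) }
#define JUMP(code, k, jt, jf) { (code), (jt), (jf), (k) }
#define ALLOW_NR(nr)          JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                              STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allow-list. Syscall numbers are per-ABI, so the arch check comes
 * first; a mismatch would make the rest of the list meaningless. */
static struct sock_filter demo_filter[] = {
    STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_NR(__NR_read),
    ALLOW_NR(__NR_write),
    ALLOW_NR(__NR_exit),
    ALLOW_NR(__NR_exit_group),
    /* Everything else: fail with EPERM rather than killing the task. */
    STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};
#define DEMO_FILTER_LEN (sizeof demo_filter / sizeof demo_filter[0])

/* Userspace interpreter for the subset used above (LD|W|ABS, JMP|JEQ|K, RET|K),
 * following the kernel semantics: LD copies a 32-bit word of seccomp_data into
 * the accumulator, JEQ skips jt or jf instructions, RET ends the program. */
uint32_t demo_filter_eval(const struct sock_filter *prog, size_t len,
                          const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (BPF_CLASS(ins->code)) {
        case BPF_LD:
            if (BPF_MODE(ins->code) != BPF_ABS || BPF_SIZE(ins->code) != BPF_W ||
                ins->k % 4 != 0 || ins->k + 4 > sizeof *data)
                return SECCOMP_RET_KILL_PROCESS;   /* the kernel rejects such loads at attach */
            memcpy(&acc, (const unsigned char *)data + ins->k, sizeof acc);
            break;
        case BPF_JMP:
            if (BPF_OP(ins->code) != BPF_JEQ || BPF_SRC(ins->code) != BPF_K)
                return SECCOMP_RET_KILL_PROCESS;   /* outside the supported subset */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET:
            return BPF_RVAL(ins->code) == BPF_K ? ins->k : SECCOMP_RET_KILL_PROCESS;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end: the kernel refuses such programs */
}

/* What the filter would do for syscall NR on ABI ARCH (arguments zeroed). */
uint32_t demo_decide(uint32_t arch, int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return demo_filter_eval(demo_filter, DEMO_FILTER_LEN, &d);
}

/* Load the filter for this process: irreversible and inherited by children.
 * NO_NEW_PRIVS is what allows an unprivileged process to do this safely. */
int demo_install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)DEMO_FILTER_LEN, .filter = demo_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("dry run: read -> %#x, ptrace -> %#x\n",
           (unsigned)demo_decide(DEMO_ARCH, __NR_read), (unsigned)demo_decide(DEMO_ARCH, __NR_ptrace));
    if (demo_install_filter() != 0) { perror("seccomp"); return 1; }
    /* From here every syscall passes through the filter: getpid is not on the
     * allow-list, so the kernel returns EPERM without running it. */
    long pid = syscall(SYS_getpid);
    int err = errno;
    printf("getpid under filter -> %ld (errno %d)\n", pid, err);
    fflush(stdout);   /* write is allowed; skip libc teardown, which may need more */
    _exit(0);
}
```

The dry run is the practical lesson: because installation is one-way, a profile should be evaluated against the syscalls a workload actually makes before it is enforced, and an ERRNO action gives the task a diagnosable failure where KILL would leave only a terminated process.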
Seccomp - Who's using it?
▸ OpenSSH
▸ vsftpd
▸ Chrome/Chromium
▸ Docker
▸ ...
Seccomp - When it comes to Mesos ...
▸ Enforced by the operator via mesos agent flags
  ▹ --isolation=linux/seccomp
  ▹ --seccomp_profile=/home/myseccomp.json
▸ Customized profile, or the default one providing mild protection.
▸ Stack up seccomp profiles for extra security
What can be done now?
▸ User namespaces
  ▹ Review for patches
  ▹ Need to think about filesystems
▸ Capabilities
  ▹ In the code base, use it and thrive
▸ Seccomp
  ▹ Review for patches
Improved Container Security
CAPABILITIES, SECCOMP, USER NAMESPACES
THANKS! Any questions?
Credits
Special thanks to all the people who made and released these awesome resources for free:
▸ Presentation template by SlidesCarnival
▸ Photographs by Startupstockphotos