SUSE Containers, Docker and Beyond · 13 Linux Containers – Security •Do not give root...
SUSE® Containers, Docker and Beyond
Michal Svec, Senior Product Manager
Flavio Castelli, Senior Software Engineer
Agenda
• Linux Containers
• Docker
• Demo
Why Containers?
Challenges to Address
Operations
• Managing growing services, from virtual to cloud
• Reliability and uptime when adding new code
• Time to market, agility and efficiency
Developers
• Frequent release vs. staged production schedule
• "It works on my machine"
• New features; faster please!
Linux Containers
• Lightweight virtualization
  – Faster provisioning, less downtime
  – Higher virtualization density
• Flexibility and agility
  – Containerized apps can be deployed anywhere
  – Normal I/O, no congestion
• Near native performance
  – IBM research: http://ibm.com/Search/?q=rc25482
Linux Containers
Traditional virtualization
[Diagram: Server → Host OS → Hypervisor (Type 2) → Virtual Machines, each with its own Guest OS, Bins/Libs and application (App A, App A', App B, App B').]
Linux Containers
[Diagram: on the same Server with a Host OS and its Kernel, Virtual Machines on a Type 2 hypervisor (each with Guest OS, Bins/Libs and App A / App B) are shown beside an Application container (Bins/Libs + App A') and a System container (Guest OS + Bins/Libs + App B'), both running directly on the host Kernel.]
What is a Linux Container?
[Diagram: Server → Kernel; Container 1 and Container 2 each hold a set of Apps confined by cgroups and Kernel namespaces.]
Advantages of Linux Containers
• Lightweight virtualization solution
  ‒ Isolated from the other processes
  ‒ 1 kernel to rule them all
  ‒ Normal I/O
  ‒ Dynamic changes possible without reboot
  ‒ Nested virtualization is not a problem
  ‒ No boot time, or a very short one
• Isolate services (e.g. web server, ftp, ...)
• Provide root read-only access
  ‒ Mount host / as read-only
  ‒ Add only needed resources read-write
Linux Containers Use Cases
• Deploy everywhere quickly
  ‒ Deploy applications and their dependencies together
• Enterprise Data Center
  ‒ Limit applications which have a tendency to grab all resources on a system:
    ‒ Memory (databases)
    ‒ CPU cycles/scheduling (compute intensive applications)
• Outsourcing business
  ‒ Guarantee a specific amount of resources (SLAs!) to a set of applications for a specific customer without more heavyweight virtualization technologies
Linux Containers – Limitations
• They cannot run a different OS/architecture
  ‒ Cannot run Windows containers on Linux
• Risk of escaping from containers
  ‒ Solution: user namespaces
• Shared kernel with the host
  ‒ Kernel syscall vulnerabilities can be exploited from within the container
  ‒ Solution: seccomp2 (in the Linux kernel since 3.5)
Linux Containers – Security
• Do not give root privileges unless needed
• Apply security patches both on the host and inside the container
• Drop kernel capabilities that are not used
• Secure containers with SELinux, AppArmor
  ‒ SELinux policy applies to the complete container
  ‒ Support for SELinux with LXC on a case by case basis
  ‒ AppArmor support is ready upstream
• Paranoid? Run the containers inside of a VM
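As an added example (not part of the SUSE slides), a small Python audit that checks a container's `docker inspect` output against the recommendations on this slide and the Limitations slide before it: no root, unused capabilities dropped, seccomp and AppArmor left enabled, root filesystem read-only. The `Config`/`HostConfig` field names are Docker's; the container names and values are constructed.

```python
import json

# Constructed sample in the shape of `docker inspect` output: the field names
# are Docker's, the container names and values are made up for this example.
SAMPLE = json.loads("""[
  {"Name": "/web", "Config": {"User": ""},
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                  "SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": false}},
  {"Name": "/api", "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"],
                  "CapDrop": ["ALL"], "SecurityOpt": ["apparmor=docker-default"],
                  "ReadonlyRootfs": true}}
]""")

# Capabilities that give a container root-equivalent reach into the shared kernel.
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN"}

def _caps(names):
    # Docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN"; normalise to the short form.
    out = set()
    for name in names or []:
        name = name.upper()
        out.add(name[4:] if name.startswith("CAP_") else name)
    return out

def audit(container):
    """Return a short code for each slide recommendation the container misses."""
    user = (container.get("Config") or {}).get("User") or ""
    host = container.get("HostConfig") or {}
    secopt = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")        # every capability and host device exposed
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("root-user")         # "do not give root privileges unless needed"
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("caps-not-dropped")  # "drop kernel capabilities that are not used"
    if _caps(host.get("CapAdd")) & RISKY_CAPS:
        findings.append("risky-cap-added")   # a re-added capability that defeats the drop
    if "seccomp=unconfined" in secopt:
        findings.append("seccomp-off")       # seccomp is the shared-kernel syscall mitigation
    if "apparmor=unconfined" in secopt:
        findings.append("apparmor-off")      # the MAC profile confines the whole container
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")   # slide: mount / read-only, add writable paths as needed
    return findings

def audit_all(containers):
    """Map container name to its findings, skipping containers with none."""
    return {c["Name"]: audit(c) for c in containers if audit(c)}
```

Feed it the parsed output of `docker inspect $(docker ps -q)` to get the same report for live containers.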
Docker
Why Docker?
• Shipping applications everywhere
• Repository of images
  ‒ https://registry.hub.docker.com/
  ‒ Private repository possible
• Workflow for containers like git
  ‒ Commits; push / pull
  ‒ DevOps oriented
• Better disk usage: changes layers
• Easy to build new images
• Allows for image versioning
Docker
[Diagram: Server → Host OS → Docker Daemon (managed through YaST) → containers, each with Bins/Libs and an application (App A, App A', App B, App B').]
Speak Like Docker
• Registry
On-line storage for docker images
• Repository
Bag containing several versions of an image
• Image
Prepared system to run in a container
• Container
Linux container running a docker image
Docker at SUSE
Official images
• Pre-built images ready to be downloaded
• Built from trusted sources
• Actively maintained by SUSE
• Available for different architectures
• Can be audited and inspected with tooling made by SUSE
YaST module
• Simple solution to get started with Docker
• Manage the available Docker images
• Run Docker images
• Control of running containers
Portus
• Authentication: control access to your images
• Ease of use: navigate and search your catalog of images
• Collaboration: organize your users with teams
• Auditing: keep everything under control
What's Next – SLES 12 SP1
• Portus fully supported
• Patch and update of images/containers
• OpenStack integration
• Support for IBM Power and System z
• Docker Security
Outlook
• Patch and update UI and integration
• Minimal OS (JeOS)
• Orchestration
• Physical to Docker migration
Docker from SUSE, Fully Supported
Enterprise-ready
• Images from trusted source (repository)
• Full control over your data: on-premise registry, authentication
• Pre-built Docker images
Operational Efficiency
• Complementary virtualization to Xen/KVM
• Btrfs support
• Higher virtualization density
Easy-to-use tools
• YaST interface
• sle2docker, zypper-docker
• Portus
Learn More
• We listen! Join our Docker beta program:
• Docker mini-course videos
  – https://www.suse.com/promo/sle/docker.html
• Try SUSE Linux Enterprise Server 12
  – https://www.suse.com/products/server/download/
• SUSE Docker QuickStart
  – https://www.suse.com/documentation/sles-12/singlehtml/dockerquick/dockerquick.html
• More information on SUSE Linux Enterprise 12
  – https://www.suse.com/promo/sle12.html
Thank you.
It's Demo Time!
Docker at SUSECon 2015
TUT19930 - Docker & Portus: A Winning Duo for Your Infrastructure
– Tue, Nov 3rd, 3:15 PM – 4:15 PM, 5 Roland Holst kamer
HO19929 - Hands on session on Docker
– Wednesday, Nov 4th, 2:15 PM – 4:15 PM, B-Keurzaal
– Thursday, Nov 5th, 9:00 AM – 11:00 AM, B-Keurzaal
Corporate Headquarters
Maxfeldstrasse 5
90409 Nuremberg
Germany
+49 911 740 53 0 (Worldwide)
www.suse.com
Join us on: www.opensuse.org
BACKUP
Unpublished Work of SUSE LLC. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.