<!doctype html><head><meta charset="utf-8"/><script>window.REMOTE=1</script><script src="https://tracey.archive.org/eveal.js/eveal.js"></script><title>Safer Containers - Internet Archive 2023/10</title></head><body>
# Safer Containers
# in 8 minutes
## Tracey Jaquith, Rob Keizer
### Internet Archive
#### Oct 6, 2023
---
## What's a Container?
![logo.png](logo.png)
- Standardization, abstraction
- Think cargo container for software
- Single built file
- "I want 10 copies of this container"
---
## What's a Container?
![logo.png](logo.png)
- Contains everything needed to run
- Lightweight, not a full virtual machine
- Unique identifier per container ( URI )
- Run anywhere
- Development laptops
- On demand
- Server clusters
---
## How have containers helped us?
- We standardized on Docker
- Standardized testing and deployment
- Automated tests are run in containers
- Staging apps run in containers
- Management
- Auditable, repeatable
- Ability to roll complex changes back
- Increased availability (relatively easily)
---
## Deriver Containers
- Creates item `mp3`, `pdf`s, etc.
- Provides isolation
- Limited visibility ( _single_ item dir )
- Unable to corrupt other tasks/files
- Ephemeral storage
- Temporary files are removed automatically
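The isolation properties listed for a deriver container (one visible item directory, nothing else writable, scratch files gone when the task ends) map onto concrete `podman run` flags. The following is an added example, not code from the Internet Archive deck or from podman: it builds the command line for a constructed item directory and refuses paths outside the item store. The image name and the `/items/<item>` layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the deck: build a hardened `podman run` line for a
# deriver-style task that may see and write exactly one item directory.
# The image name and the /items layout are assumptions for illustration.

IMAGE="${DERIVER_IMAGE:-localhost/deriver:example}"   # placeholder image name

# deriver_cmd ITEM_DIR -> print the podman command line (does not execute it)
deriver_cmd() {
    item_dir=$1
    # Accept only a plain absolute path inside the item store, with no ".."
    # segments, so a bad task argument cannot become a mount of /etc or $HOME.
    case $item_dir in
        *[!A-Za-z0-9_./-]*) echo "refusing item dir with unexpected characters: $item_dir" >&2; return 1 ;;
        *..*)               echo "refusing item dir containing '..': $item_dir" >&2; return 1 ;;
        /items/?*)          ;;
        *)                  echo "refusing item dir outside /items: $item_dir" >&2; return 1 ;;
    esac

    cmd="podman run --rm"                                # ephemeral: removed when the task ends
    cmd="$cmd --read-only"                               # image filesystem is immutable
    cmd="$cmd --tmpfs /tmp:rw,noexec,nosuid,size=256m"   # scratch space that vanishes with the container
    cmd="$cmd --network none"                            # derivers need no network
    cmd="$cmd --cap-drop ALL"                            # no Linux capabilities at all
    cmd="$cmd --security-opt no-new-privileges"          # setuid/setgid binaries cannot escalate
    cmd="$cmd --pids-limit 256"                          # bound runaway process creation
    cmd="$cmd --volume $item_dir:/item:rw"               # the single item dir: the only writable host path
    cmd="$cmd $IMAGE /item"
    echo "$cmd"
}

# Show the command for a constructed item instead of running it.
deriver_cmd /items/example-item
```

The function only prints the command so it can be reviewed (or logged by the task scheduler) before anything runs; the bind mount of `$item_dir` is the one place the container can touch host state, which is exactly the blast radius the deck describes.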
---
## Current risks with Docker
* Not designed for security, designed for abstraction
* Daemon is single point of failure
* Elevated privileges
- wide blast radius
- ability to read and write other files
- increased risk of breakout (e.g. shell escape)
---
![docker_vs_podman.jpeg](docker_vs_podman.jpeg)
- Currently using `docker`
- Looking seriously at `podman`
- Fewer moving parts
- Unix philosophy ( do one thing well )
---
![podman_logo.png](podman_logo.png)
- Open Source, permissive license
- Drop-in replacement for `docker`
- Supported
- Created & maintained by Red Hat
- [Hundreds of contributors](https://github.com/containers/podman)
- Stable
- v1.0 released in Jan 2019
---
![podman_logo.png](podman_logo.png)
- Can run as user with no privileges
- Can run containers anywhere
- no `docker` daemon
- no `iptables` / routing changes
- May help deriver container start/stop reliability
---
# Demo
"hello world" web page podman container
https://ia601400.us.archive.org/hi.php
<section></section><section style="background-color:black; color:white; white-space:pre; text-align:left; font-size:80%; padding-left:15px; padding-top:0">
```
user: www-priv
podman run --rm mwendler/figlet hello archive
 _          _ _                        _     _
| |__   ___| | | ___     __ _ _ __ ___| |__ (_)_   _____
| '_ \ / _ \ | |/ _ \   / _` | '__/ __| '_ \| \ \ / / _ \
| | | |  __/ | | (_) | | (_| | | | (__| | | | |\ V /  __/
|_| |_|\___|_|_|\___/   \__,_|_|  \___|_| |_|_| \_/ \___|
```
</section>
---
* `rootless`
* runs as `www-priv`
* no file r/w access
<section></section><section style="background-color:black; color:white; white-space:pre; text-align:left; font-size:80%; padding-left:15px; padding-top:0">
```
user: www-priv
podman run --rm mwendler/figlet hello archive
 _          _ _                        _     _
| |__   ___| | | ___     __ _ _ __ ___| |__ (_)_   _____
| '_ \ / _ \ | |/ _ \   / _` | '__/ __| '_ \| \ \ / / _ \
| | | |  __/ | | (_) | | (_| | | | (__| | | | |\ V /  __/
|_| |_|\___|_|_|\___/   \__,_|_|  \___|_| |_|_| \_/ \___|
```
</section>
---
# Current work
- TV "fixer" catalogd tasks
- r/w _single_ item dir
- running ~300/day
- epub "on the fly" `daisy` format
- rootless container
- (scheduled for release)
---
# The End
Thanks!
We'd love to talk to anyone interested afterwards
![logo.png](logo.png)
---
# Bonus / After time:
## What is a container platform?
- Software that runs containers
- Handles administrative actions
- `start/stop`, `view logs`, etc.
- Many different flavours
- (`docker`, `podman`, `runc`, `lxc`, `...` )
---
# Bonus / After time:
- [jammy+] `podman` apt/debian pkg
- [focal] opensuse.org distro => `/etc/apt/sources.list.d/`
---
# apt packages
- _podman_
- _uidmap_: maps outside => inside userid/gid
- _slirp4netns_: rootless networking
- _fuse-overlayfs_: rootless file r/w
- _containernetworking-plugins_
---
# UID
podman "rootless" techniques:
- uid maps
- random user uid
- hybrid of "rootfull" & "rootless"
- better network & file r/w performance
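The `uidmap` package and the "uid maps" technique above both come down to one table: the subordinate ranges in `/etc/subuid`. The following is an added example, not code from the deck or from podman, that parses a constructed `/etc/subuid` and computes which host uid a given in-container uid actually has under rootless podman's default mapping. The user `www-priv` having host uid 1001 is an assumption.

```sh
#!/bin/sh
# Added example, not from the deck: how rootless podman maps container uids
# onto host uids using the subordinate ranges from /etc/subuid. The subuid
# content below is constructed, and www-priv's host uid of 1001 is assumed.

SUBUID_SAMPLE='www-priv:100000:65536
deploy:165536:65536'

# subuid_range USER SUBUID_TEXT -> print "start:count" of USER's first range,
# or nothing if USER has no range (rootless podman then cannot start).
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 ":" $3; exit }'
}

# host_uid CONTAINER_UID USER_UID START COUNT -> the host uid that a process
# running as CONTAINER_UID inside the container really has.
# Default rootless mapping: container 0 -> the unprivileged user's own uid;
# container 1..COUNT -> START..START+COUNT-1 from /etc/subuid.
# Anything beyond COUNT is unmapped and appears on the host as the kernel
# overflow id (65534, "nobody"), which is why images that need more ids fail.
host_uid() {
    cuid=$1 uuid=$2 start=$3 count=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$uuid"
    elif [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        echo "container uid $cuid is outside the $count-id range" >&2
        return 1
    fi
}

# range_ok START:COUNT -> exit 0 if the range holds the 65536 ids most images expect
range_ok() {
    [ "${1#*:}" -ge 65536 ]
}

# Walk through the mapping for the constructed www-priv entry.
range=$(subuid_range www-priv "$SUBUID_SAMPLE")
range_ok "$range" && echo "www-priv range $range is large enough"
for cuid in 0 1 1000 65536; do
    echo "container uid $cuid -> host uid $(host_uid "$cuid" 1001 "${range%%:*}" "${range#*:}")"
done
```

The point for a defender is the first row of the walk-through: "root" inside the container is just `www-priv` on the host, and every other container uid lands in a range that owns nothing on the host. `podman run --userns=auto` on rootful podman applies the same mechanism, but draws a fresh range from the `containers` user's entries in `/etc/subuid` for each container.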
---
# Rootless More Info
- [2023 rootless podman user namespaces in plain english](https://blog.podman.io/2023/05/rootless-podman-user-namespaces-in-plain-english/)
- [2023 podman performance root and rootless](https://blog.podman.io/2023/07/podman-performance-root-and-rootless/)
---
## rootless -v- rootfull
rootless is slower than rootful:
- networking & storage: must be done in _user space_ instead of _kernel space_
- _storage_:
- older kernels: FUSE filesystem `fuse-overlayfs`
- newer kernels (5.11+, jammy): kernel lets `podman` mount the `overlayfs` filesystem natively as a non-root user
- _networking_: `slirp4netns` manually reassembles & forwards packets to the container
- speedup: r/w volume mounts
- OR `podman run --net=host`
- but: `opsec` risk
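Two of the decisions on this slide can be checked mechanically: whether the running kernel is new enough for native rootless `overlayfs` (5.11+), and whether a proposed `podman run` line takes the `--net=host` shortcut that gives up network isolation. The following is an added example, not code from the deck or from podman; the kernel release strings it tests are constructed stand-ins for `uname -r` output.

```sh
#!/bin/sh
# Added example, not from the deck: pick the rootless storage implementation
# from a kernel release string, and flag `--net=host` in a podman argument list.
# The release strings used below are constructed; on a real host use `uname -r`.

# kernel_at_least RELEASE MAJOR MINOR -> exit 0 if RELEASE >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%-*}          # "5.15.0-78-generic" -> "5.15.0"
    maj=${rel%%.*}        # "5"
    rest=${rel#*.}        # "15.0"
    min=${rest%%.*}       # "15"
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# rootless_storage_driver RELEASE -> "overlay" when the kernel can mount
# overlayfs for an unprivileged user, otherwise "fuse-overlayfs" (user space)
rootless_storage_driver() {
    if kernel_at_least "$1" 5 11; then
        echo overlay
    else
        echo fuse-overlayfs
    fi
}

# uses_host_network ARGS... -> exit 0 if the podman arguments share the host's
# network namespace (the fast path the slide warns about)
uses_host_network() {
    prev=""
    for a in "$@"; do
        case $a in
            --net=host|--network=host) return 0 ;;
            host) { [ "$prev" = "--net" ] || [ "$prev" = "--network" ]; } && return 0 ;;
        esac
        prev=$a
    done
    return 1
}

# Demonstrate on the two Ubuntu kernels the deck refers to (constructed strings).
for rel in 5.4.0-150-generic 5.15.0-78-generic; do
    echo "$rel -> $(rootless_storage_driver "$rel")"
done
if uses_host_network run --rm --net=host localhost/example; then
    echo "warning: --net=host removes network isolation; prefer a bind mount for speed"
fi
```

On the focal-era kernels the deck mentions, podman's `storage.conf` points `mount_program` at `fuse-overlayfs`; on jammy the native driver can be used and that setting dropped. The host-network check is the kind of guard a task scheduler can apply before it launches anything, so the performance shortcut never reaches production by accident.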
---
## rootless -v- rootfull:
## random user id
- `podman run --userns=auto` allows root `podman` to:
- create a container w/ the performance advantages of root
- (kernel-native overlayfs & bridge networking)
- and the runtime security advantages of rootless
- container has no access to the host's root user
---
## Future Goals
- Remove *all* elevated privileges
- Simplify architecture
- Lower latency on startup