Defensively designed container runtimes

One Line Summary

In this talk we will present current roadblocks to a more
defensive design that affect all container runtimes.

Abstract

In contrast to other operating systems, the Linux kernel does not attempt to define what a container is. Rather than implementing a first-class container object in the kernel itself, Linux exposes various interfaces to user space that can be combined in various ways to define a container. This gives user space the flexibility to work with different container concepts and is one explanation for the variety of container runtimes out there. This liberty is one of the strengths of Linux when implementing a container runtime, and has led to the use of these interfaces in non-container contexts such as web browsers.

However, many of the interfaces used to create containers were not necessarily designed with containers in mind. Additionally, it is not always obvious how the various containerization interfaces are to be combined to guarantee a secure container runtime implementation. The consequence of this conceptual liberty is that there are multiple classes of theoretical vulnerabilities that affect container runtimes such as runC and LXC.

In this talk we will present current roadblocks to a more defensive design that affect all container runtimes. Furthermore, we will look at specific roadblocks that are inherent to the design of LXC and runC, to open the floor to discussions on runtime design as well as on alternative solutions to some of the roadblocks identified in this talk. In addition, we hope to open the door to even more discussion between the people working on container runtimes and those working on the kernel's containerization primitives.
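To make the abstract's point concrete, here is an added example (not part of the talk, and not code from LXC or runc) that builds the smallest possible "container" out of the primitives the kernel actually exposes: a user namespace, a PID namespace and a mount namespace created with clone(2), plus the uid_map/gid_map/setgroups files that give the new user namespace an owner. There is no container object to ask the kernel about; the child can only check the individual namespace inodes under /proc/self/ns and compare them with the parent's. The names run_minimal_container, ns_inode and the NS_* codes are assumptions made for this example. It needs Linux with unprivileged user namespaces enabled; where the clone is refused (EPERM from the kernel or a seccomp policy) it reports NS_UNSUPPORTED rather than failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes for this example only; they are not LXC or runc APIs. */
enum { NS_OK = 0, NS_NOT_ISOLATED = 1, NS_UNSUPPORTED = 2, NS_PROPAGATION_REFUSED = 3 };

/* Inode of one of the caller's namespaces ("user", "pid", "mnt", ...).
 * Each namespace is a separate nsfs object; these handles are all the kernel
 * offers, there is no aggregate "container" to inspect. Returns 0 on error. */
static ino_t ns_inode(const char *kind) {
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/self/ns/%s", kind);
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

struct child_ctx {
    int sync_rd, sync_wr;                      /* parent closes sync_wr once the id maps are written */
    ino_t parent_user, parent_pid, parent_mnt; /* the parent's namespace inodes, for comparison */
};

static int child_fn(void *arg) {
    struct child_ctx *c = arg;
    char b;
    close(c->sync_wr);   /* we inherited the write end too; keep it and EOF never arrives */
    while (read(c->sync_rd, &b, 1) < 0 && errno == EINTR) {}

    int isolated = geteuid() == 0                 /* our real uid is now mapped to root in the new user ns */
                && getpid() == 1                  /* first process of the new pid namespace */
                && ns_inode("user") != c->parent_user
                && ns_inode("pid")  != c->parent_pid
                && ns_inode("mnt")  != c->parent_mnt;
    /* Note: /proc was not remounted, so /proc here still lists the parent's
     * processes; a real runtime mounts a fresh proc for the new pid namespace. */
    if (!isolated) return NS_NOT_ISOLATED;

    /* The new mount namespace starts as a copy of the parent's. If the host's
     * mounts are shared (systemd's default), anything mounted in here would
     * propagate back out, so the tree has to be made private first. This is one
     * of the "how do the pieces combine safely" details the primitives leave
     * to the runtime. Some sandboxes (LSM policies) refuse mount() outright. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return NS_PROPAGATION_REFUSED;
    return NS_OK;
}

/* Create a user+pid+mount namespace "container" and report what the child saw.
 * Returns NS_UNSUPPORTED when the kernel or a seccomp policy refuses the clone. */
int run_minimal_container(void) {
    static char stack[64 * 1024];
    int p[2];
    if (pipe(p) != 0) return -1;
    struct child_ctx ctx = { p[0], p[1], ns_inode("user"), ns_inode("pid"), ns_inode("mnt") };

    pid_t pid = clone(child_fn, stack + sizeof stack,
                      CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, &ctx);
    if (pid < 0) {
        int e = errno;
        close(p[0]); close(p[1]);
        return (e == EPERM || e == EACCES || e == EINVAL || e == ENOSYS || e == EUSERS || e == ENOSPC)
               ? NS_UNSUPPORTED : -1;
    }
    close(p[0]);

    /* Unprivileged rule: a single line mapping only our own euid/egid, and
     * setgroups must be denied before gid_map may be written. */
    char path[64], map[64];
    int mapped = 1;
    snprintf(path, sizeof path, "/proc/%d/setgroups", (int)pid);
    mapped &= write_str(path, "deny") == 0;
    snprintf(path, sizeof path, "/proc/%d/gid_map", (int)pid);
    snprintf(map, sizeof map, "0 %d 1\n", (int)getegid());
    mapped &= write_str(path, map) == 0;
    snprintf(path, sizeof path, "/proc/%d/uid_map", (int)pid);
    snprintf(map, sizeof map, "0 %d 1\n", (int)geteuid());
    mapped &= write_str(path, map) == 0;

    close(p[1]);   /* release the child */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!mapped) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int r = run_minimal_container();
    printf("%s\n", r == NS_OK ? "isolated" : r == NS_UNSUPPORTED ? "namespaces unavailable"
                 : r == NS_PROPAGATION_REFUSED ? "isolated, but mount propagation could not be changed"
                 : "NOT isolated");
    return r == NS_OK ? 0 : 1;
}
```

Everything a runtime does beyond this (cgroups, seccomp, capability bounding sets, a fresh /proc, pivot_root) is likewise assembled by hand from separate interfaces, which is exactly why two runtimes can combine the same primitives and end up with different security properties.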

Tags

kernel, containers, runtimes

Speakers

  • Christian Brauner

    Canonical Ltd.

    Biography

    Christian Brauner is a core developer and maintainer of the LXD and LXC projects. He works mostly upstream as part of the Ubuntu Server team on lower-level problems. He’s been active in the open source community for a long time and is a frequent speaker at various large Linux events; he is also strongly committed to working in the open, and a strong proponent of Free Software.

  • Aleksa Sarai

    SUSE LLC

    Biography

    Aleksa Sarai is a core developer and maintainer of runc and umoci, contributor to the Open Container Initiative specifications, and a long-time contributor to Docker. In addition, he’s contributed to the Linux kernel as part of his work on containers. He works on the Kubernetes core team at SUSE, maintaining various core parts of the lower levels of the Kubernetes stack and related software for both SUSE Linux Enterprise and openSUSE; he is also committed to working in the open, and is a strong proponent of Free Software.