authorJan Altenberg <jan@linutronix.de>2016-05-20 19:00:42 +0200
committerJan Altenberg <jan@linutronix.de>2016-05-20 19:00:42 +0200
commit29bcbff58ced768f9f4edbc6f4d9d9604552f09e (patch)
tree17c2acd2187b2d70efdadfa537eea1318b43ed2f /security/advanced/frm_namespace_container.tex
parent4e2d7553d772c8c63b46c464cd206d05f81bd9be (diff)
parent99e265690ee8bf0bd371989fe6946cf72f883001 (diff)
Merge remote-tracking branch 'remotes/origin/devel/dengler/sec_ext201604'
Diffstat (limited to 'security/advanced/frm_namespace_container.tex')
-rw-r--r--security/advanced/frm_namespace_container.tex132
1 files changed, 132 insertions, 0 deletions
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
new file mode 100644
index 0000000..4e53733
--- /dev/null
+++ b/security/advanced/frm_namespace_container.tex
@@ -0,0 +1,132 @@
+% ----------------------------
+\subsubsection{Namespaces}
+
+\begin{frame}[fragile]
+\frametitle{Namespaces}
+\begin{itemize}
+\item Mount: \\
+ Provide different filesystem
+\item IPC: \\
+ Provide isolated inter process communication entities
+\item Network: \\
+ Provide isolated networking environment
+\item User: \\
+ Provide different User/UID mapping
+\item UTS: \\
+ Provide different hostname
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Container}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Containers}
+\begin{itemize}
+\item Application Isolation
+\item Lightweight Virtualisation
+\item Based on cgroups and namespaces
+\item Easy namespace configuration and management
+\item Projects:
+ \begin{itemize}
+ \item Docker
+ \item Linux-VServer
+ \item OpenVZ
+ \item Linux Container (LXC)
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{LXC Handling}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Containers (LXC)}
+\begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
+\begin{tiny}
+\begin{verbatim}
+# Start: Better for single commands
+lxc-execute -n cont_name [-f config] /bin/bash
+# Start: Better for container systems
+lxc-start -n cont_name [-f config]
+
+# Stop container
+lxc-stop -n foo
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Control container:}
+\begin{tiny}
+\begin{verbatim}
+# Pause/resume container (controlling group of processes)
+lxc-freeze -n cont_name
+lxc-unfreeze -n cont_name
+
+# Monitor container states
+lxc-monitor -n cont_name
+
+# Attach to container console
+lxc-console -n cont_name
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration I}
+\begin{beamerboxesrounded}[shadow=true]{Networking example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.utsname = myhostname
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = 4a:49:43:49:79:bf
+lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration II}
+\begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.cgroup.cpuset.cpus = 0,1
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c 1:3 rw
+lxc.cgroup.devices.allow = b 8:0 rw
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Container: Summary}
+\begin{itemize}
+\item lightweight virtualization
+\item isolation of applications
+\item hide system resources/configuration
+\item Problems:
+ \begin{itemize}
+ \item shared kernel
+ \item robustness against attacks
+ \end{itemize}
+\item Solution:
+ \begin{itemize}
+ \item combination of namespaces with Mandatory Access Control (MAC)
+ \end{itemize}
+\end{itemize}
+\end{frame}
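Review bot: The control-group example on the "Configuration II" slide, `lxc.cgroup.devices.allow = b 8:0 rw`, grants the container read-write access to block device major 8 minor 0, which on a typical Linux host is the first SCSI/SATA disk (/dev/sda); given a device node inside the container that amounts to host-disk access and undercuts the isolation message of the Summary slide. If the line is only meant to show allow-after-deny syntax, a comment inside the verbatim block such as `# 8:0 = /dev/sda on most hosts; demonstration only, do not copy` would make that explicit, or a narrower example device could be chosen (the `c 1:3 rw` line, /dev/null, is harmless). The Namespaces slide lists mount, IPC, network, user and UTS but omits the PID namespace, which the "isolation of applications" bullet on the Summary slide depends on; consider adding `\item PID: \\ Provide isolated process ID space`. Frame titles alternate between "Linux Containers (LXC)" and "Linux Container (LXC)" across the slides.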