| author | Holger Dengler <dengler@linutronix.de> | 2016-10-21 10:03:14 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2016-10-21 10:03:14 +0200 |
| commit | 9b99d6e81c761cf8208a0ae3a17e5bc12084fac7 (patch) | |
| tree | 41c0d0c4702f2a585fc57693d48c97a40b9c1c61 /security | |
| parent | 16a8a2f09197f88867d6e0a665f81b95445847c7 (diff) | |
security: namespaces: Add intro slide, other updates
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/advanced/frm_namespace_container.tex | 90 |
1 files changed, 73 insertions, 17 deletions
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
index 4e53733..c63b6b2 100644
--- a/security/advanced/frm_namespace_container.tex
+++ b/security/advanced/frm_namespace_container.tex
@@ -1,4 +1,35 @@
 % ----------------------------
+\subsubsection{How to isolate Applications}
+
+\begin{frame}[fragile]
+\frametitle{How to isolate Applications}
+\begin{itemize}
+\item System Information via Kernel API
+ \begin{itemize}
+ \item Syscalls
+ \item PseudoFS (e.g. /proc and /sys)
+ \item Filesystem tree
+ \item Network Infrastructure (interfaces, components)
+ \end{itemize}
+\item Namespaces
+ \begin{itemize}
+ \item Reduction of System Scope
+ \item System View Virtualization
+ \end{itemize}
+\item Controlgroup
+ \begin{itemize}
+ \item Partitioning of System Resources (CPU time, Memory, etc.)
+ \end{itemize}
+\item Container
+ \begin{itemize}
+ \item Configuration Tools
+ \item Use Namespaces and Controlgroups
+ \item Application in a Box
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
 \subsubsection{Namespaces}
 
 \begin{frame}[fragile]
@@ -46,7 +77,7 @@
 \begin{frame}[fragile]
 \frametitle{Linux Containers (LXC)}
 \begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
 # Start: Better for single commands
 lxc-execute -n cont_name [-f config] /bin/bash
@@ -56,11 +87,11 @@ lxc-start -n cont_name [-f config]
 # Stop container
 lxc-stop -n foo
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 
 \begin{beamerboxesrounded}[shadow=true]{Control container:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
 # Pause/resume container (controlling group of processes)
 lxc-freeze -n cont_name
@@ -72,7 +103,7 @@ lxc-monitor -n cont_name
 # Attach to container console
 lxc-console -n cont_name
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 \end{frame}
 
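Review bot: `\item PseudoFS (e.g. /proc and /sys)` on the new intro slide ends the abbreviation with a period followed by an ordinary space, which LaTeX treats as a sentence end and stretches; write `\item PseudoFS (e.g.\ /proc and /sys)` or `e.g.,`. On the same slide the paths `/proc` and `/sys` are set as plain prose; `\texttt{/proc}` and `\texttt{/sys}` would set them apart from the surrounding text the way the verbatim blocks on the following slides do for commands and config keys. The frame is complete within the hunk.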
@@ -80,9 +111,18 @@ lxc-console -n cont_name
 \begin{frame}[fragile]
 \frametitle{Linux Container (LXC): Configuration I}
 \begin{beamerboxesrounded}[shadow=true]{Networking example:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
+#
+# new hostname for container
+#
 lxc.utsname = myhostname
+
+#
+# Network vistualization
+# - private segment in container
+# - connected via br0 to device network
+#
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
@@ -90,7 +130,7 @@ lxc.network.name = eth0
 lxc.network.hwaddr = 4a:49:43:49:79:bf
 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 \end{frame}
 
@@ -98,14 +138,30 @@ lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
 \begin{frame}[fragile]
 \frametitle{Linux Container (LXC): Configuration II}
 \begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
-lxc.cgroup.cpuset.cpus = 0,1
+#
+# new hostname for container
+#
+lxc.utsname = myhostname
+
+#
+# schedule container processes only on CPU 3 and 4
+#
+lxc.cgroup.cpuset.cpus = 3,4
+
+#
+# Deny access to device nodes other than
+# - /dev/null (c, 1, 3)
+# - /dev/urandom (c, 1, 3)
+# - /dev/sda5 (b, 8, 5)
+#
 lxc.cgroup.devices.deny = a
 lxc.cgroup.devices.allow = c 1:3 rw
-lxc.cgroup.devices.allow = b 8:0 rw
+lxc.cgroup.devices.allow = c 1:9 ro
+lxc.cgroup.devices.allow = b 8:5 rw
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 \end{frame}
 
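Review bot: The new comment `# Network vistualization` in the Networking example misspells the word; it should read `# Network virtualization`. The comment sits inside the verbatim block, so the typo is reproduced on the slide exactly as written. The verbatim block continues past the end of the hunk.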
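Review bot: The new comment in the Controlgroup example lists `# - /dev/urandom (c, 1, 3)`, but the rule it describes is `lxc.cgroup.devices.allow = c 1:9 ro`; minor 3 is /dev/null, which the preceding comment line already covers, so it should read `# - /dev/urandom (c, 1, 9)`. The slide's point is that `lxc.cgroup.devices.deny = a` followed by an explicit allow list is what keeps the container from reaching other device nodes, so the numbers in the comment need to match the rules if the audience is to check them against `ls -l /dev`. The `lxc.utsname` block added here repeats the one added to the Configuration I slide in the same commit; presumably each slide is meant to be self-contained, but worth confirming. The verbatim block is complete within the hunk.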
@@ -116,17 +172,17 @@ lxc.cgroup.devices.allow = b 8:0 rw
 \begin{frame}[fragile]
 \frametitle{Container: Summary}
 \begin{itemize}
-\item lightweight virtualization
-\item isolation of applications
-\item hide system resources/configuration
-\item Problems:
+\item Lightweight Virtualization
+\item Isolation of Applications
+\item Hide System Resources/Configuration
+\item Common:
 \begin{itemize}
- \item shared kernel
- \item robustness against attacks
+ \item Shared Kernel
 \end{itemize}
 \item Solution:
 \begin{itemize}
- \item combination of namespaces with Mandatory Access Control (MAC)
+ \item Viewability between Applications
+ \item Sandbox (in combination with MAC)
 \end{itemize}
 \end{itemize}
 \end{frame}
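Review bot: `\item Common:` with the single sub-item `\item Shared Kernel` no longer says why the shared kernel matters, so the `\item Solution:` list that follows has no stated problem it solves; consider `\item Shared Kernel (namespaces alone are not a security boundary)` or keeping a heading that names it as the limitation MAC addresses. `\item Viewability between Applications` is not standard English and its intent is unclear; `Visibility between Applications` appears to be what is meant, but confirm with the author. The frame is complete within the hunk.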
