| author | Holger Dengler <dengler@linutronix.de> | 2016-05-08 20:29:44 +0200 |
|---|---|---|
| committer | Holger Dengler <dengler@linutronix.de> | 2016-05-13 15:03:57 +0200 |
| commit | baf3f49b58ef2cee3304d00be49692368ad17a7f (patch) | |
| tree | 84be5798e27f8455d24a73e51e53e090026835c4 /security | |
| parent | 90d6ef0ad3278ee5e0eef2a57f03af891e03760f (diff) | |
sec: Add namespace/container slides
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/advanced/Makefile | 1 | ||||
| -rw-r--r-- | security/advanced/frm_namespace_container.tex | 132 | ||||
| -rw-r--r-- | security/advanced/pres_namespace_container.tex | 20 |
3 files changed, 153 insertions, 0 deletions
diff --git a/security/advanced/Makefile b/security/advanced/Makefile
index d785f51..2bb84de 100644
--- a/security/advanced/Makefile
+++ b/security/advanced/Makefile
@@ -3,3 +3,4 @@ obj-$(CONFIG_SECURITY_ADV) += pres_capability.pdf
obj-$(CONFIG_SECURITY_ADV) += pres_exploit.pdf
obj-$(CONFIG_SECURITY_ADV) += pres_process_thread.pdf
obj-$(CONFIG_SECURITY_ADV) += pres_multiuser_dac.pdf
+obj-$(CONFIG_SECURITY_ADV) += pres_namespace_container.pdf
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
new file mode 100644
index 0000000..4e53733
--- /dev/null
+++ b/security/advanced/frm_namespace_container.tex
@@ -0,0 +1,132 @@
+% ----------------------------
+\subsubsection{Namespaces}
+
+\begin{frame}[fragile]
+\frametitle{Namespaces}
+\begin{itemize}
+\item Mount: \\
+ Provide different filesystem
+\item IPC: \\
+ Provide isolated inter process communication entities
+\item Network: \\
+ Provide isolated networking environment
+\item User: \\
+ Provide different User/UID mapping
+\item UTS: \\
+ Provide different hostname
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Container}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Containers}
+\begin{itemize}
+\item Application Isolation
+\item Lightweight Virtualisation
+\item Based on cgroups and namespaces
+\item Easy namespace configuration and management
+\item Projects:
+ \begin{itemize}
+ \item Docker
+ \item Linux-VServer
+ \item OpenVZ
+ \item Linux Container (LXC)
+ \item \dots
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{LXC Handling}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Containers (LXC)}
+\begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
+\begin{tiny}
+\begin{verbatim}
+# Start: Better for single commands
+lxc-execute -n cont_name [-f config] /bin/bash
+# Start: Better for container systems
+lxc-start -n cont_name [-f config]
+
+# Stop container
+lxc-stop -n foo
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+
+\begin{beamerboxesrounded}[shadow=true]{Control container:}
+\begin{tiny}
+\begin{verbatim}
+# Pause/resume container (controlling group of processes)
+lxc-freeze -n cont_name
+lxc-unfreeze -n cont_name
+
+# Monitor container states
+lxc-monitor -n cont_name
+
+# Attach to container console
+lxc-console -n cont_name
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration I}
+\begin{beamerboxesrounded}[shadow=true]{Networking
example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.utsname = myhostname
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.network.hwaddr = 4a:49:43:49:79:bf
+lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Linux Container (LXC): Configuration II}
+\begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
+\begin{tiny}
+\begin{verbatim}
+lxc.cgroup.cpuset.cpus = 0,1
+lxc.cgroup.devices.deny = a
+lxc.cgroup.devices.allow = c 1:3 rw
+lxc.cgroup.devices.allow = b 8:0 rw
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Container: Summary}
+\begin{itemize}
+\item lightweight virtualization
+\item isolation of applications
+\item hide system resources/configuration
+\item Problems:
+ \begin{itemize}
+ \item shared kernel
+ \item robustness against attacks
+ \end{itemize}
+\item Solution:
+ \begin{itemize}
+ \item combination of namespaces with Mandatory Access Control (MAC)
+ \end{itemize}
+\end{itemize}
+\end{frame}
diff --git a/security/advanced/pres_namespace_container.tex b/security/advanced/pres_namespace_container.tex
new file mode 100644
index 0000000..7572b0c
--- /dev/null
+++ b/security/advanced/pres_namespace_container.tex
@@ -0,0 +1,20 @@
+\input{configpres}
+
+% ----------------------------
+\subsection{Linux Namespaces}
+
+\title{Linux Namespaces}
+\maketitle
+
+% ----------------------------
+\begin{frame}
+\frametitle{Overview}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\input{security/advanced/frm_namespace_container.tex}
+
+% ----------------------------
+\subsection*{}
+\input{tailpres} |
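Review bot: The cgroup example on the "Configuration II" slide, `lxc.cgroup.devices.allow = b 8:0 rw`, whitelists read/write access to block device major 8 minor 0, which on Linux is the first SCSI/SATA disk (`/dev/sda`), so a root process inside the container can read or overwrite the host's raw disk and the isolation the deck is arguing for is gone. Since the slide is presenting a deny-all-then-allow whitelist after `lxc.cgroup.devices.deny = a`, either drop that line or mark it as a deliberate counter-example; a minimal fix is to annotate the verbatim block with `# c 1:3 = /dev/null (harmless)` and `# b 8:0 = /dev/sda -- rw here defeats isolation, do not copy`. The "Namespaces" slide also omits the PID namespace, which LXC depends on for process isolation, so a learner reading the list will not see why processes in the container cannot see or signal host processes. The Summary's "Solution" bullet could additionally point to capability dropping and seccomp filtering (the deck already has pres_capability.pdf in the same Makefile), since MAC alone does not address the shared-kernel attack surface the "Problems" bullet names.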
