Name: A New Way to Combine Containers and Hypervisors with Xen - Dimitri Stiliadis, Aporeto
Start: 2016-08-22T11:45:00-0400
End: 2016-08-22T12:35:00-0400

August 22nd - 24th in Toronto, Canada
Register Now for LinuxCon+ContainerCon North America 2016!

Back To Schedule

A New Way to Combine Containers and Hypervisors with Xen - Dimitri Stiliadis, Aporeto

Linux Containers’ isolation capabilities are under scrutiny because of growing runtime usage. Best practices recommend avoiding multitenant deployments as POSIX has a large attack surface. Although the proper usage of MAC, seccomp and CAP reduces the attack surface, there are limited production deployments of these technologies given their management complexity.

Clear Containers and similar approaches propose to solve this problem by running Containers as KVM VMs. While more secure, these approaches require HW abstraction to enable multitenancy.

We propose a new method based on Xen paravirtualization that combines strengths of namespaces and hypervisor isolation. This approach enhances security by virtualizing POSIX and allowing a minimalistic subset of syscalls to be handled by a hypervisor-type entity. Most syscalls execute within a confined kernel to harden the system.

Speakers

Dimitri Stiliadis

CTO, Aporeto Inc

Dimitri Stiliadis is the Founder and CEO of Aporeto and was the Founder and CTO of Nuage Networks (Nokia). He has a multi-disciplinary background in distributed systems, security, and networking. He has held several leading roles in Bell Labs Research and received a PhD in computer... Read More →

Monday August 22, 2016 11:45am - 12:35pm EDT
Harbour A

Developer View all ContainerCon Sessions

Skill Level Advanced
Tags Container, Virtualization

LinuxCon + ContainerCon North America 2016

Dimitri Stiliadis

Attendees (28)

LinuxCon + ContainerCon North America 2016

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Dimitri Stiliadis

Attendees (28)