August 22nd - 24th in Toronto, Canada
LinuxCon+ContainerCon North America 2016
Operations
Tuesday, August 23
 

11:55am EDT

Using Containers Safely in Production - Cynthia Thomas, Midokura
With the adoption of container orchestration engines like Docker Swarm, Kubernetes and Mesos, it's important to adapt security technologies that scale with growing deployments. If we can isolate workloads with overlays, that's pretty good. If we can seal a container on a host, that's great!

Using open source tools like Kuryr and MidoNet, we can achieve network security for Containers in a simplified, distributed architecture. By removing architectural bottlenecks, Kuryr and MidoNet efficiently implement security policies through the hardened OpenStack Neutron framework for use by Containers in large scale environments.

Speakers

Cynthia Thomas

Networking Specialist, Google
Cynthia Thomas (@_techcet_) is a Networking Specialist at Google Cloud. Her background includes working with open source cloud & networking solutions. She is a frequent speaker at conferences, including ContainerCon, Container Camp, DevOps Days, DockerCon, IT Cloud Computing Conference...


Tuesday August 23, 2016 11:55am - 12:45pm EDT
Pier 2
 
Wednesday, August 24
 

10:55am EDT

Unprivileged Containers: What You Always Wanted to Know About Namespaces But Were Too Afraid to Ask - James Bottomley, IBM
Containers are mostly understood via Docker which, up until version 1.9, did not use user namespaces at all. This leads to all sorts of wild assertions about "security problems" with Containers. This talk will remedy that by explaining what namespaces are, how they are used and how to set up unprivileged Containers with the user namespace. Since namespaces are little understood, we'll begin with the history of namespaces, how they work, the difference between label and mapping namespaces and finally how all namespaces interact with user namespaces and how user namespaces can be used both to deprivilege root and to give an ordinary user a container they can enter with an unprivileged root. We'll use build Containers as a demonstration of the latter.

Speakers

James Bottomley

Distinguished Engineer, IBM
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to...


Wednesday August 24, 2016 10:55am - 11:45am EDT
Harbour B

2:15pm EDT

User Namespace and Seccomp Support in Docker Engine - Paul Novarese, Docker
Isolation in Docker is mainly accomplished via cgroups and namespaces. User namespaces are the newest namespace to be supported by the Docker engine, and allow users to run Containers without elevated privileges, which has been a longstanding shortcoming and a frequent target of both user frustration and feature requests. In addition, Seccomp support adds a new method of containment for running Containers by providing both whitelist and blacklist based controls over which system calls are permitted and/or forbidden for containerized processes.

In this session, we’ll look at these new features, examine basics of configuration, and do some live demos to see them in action.

Speakers

Paul Novarese

Technical Account Manager, Docker, Inc.
Paul has been working in the ops side of open source for over 20 years, providing technical support, training, and general consulting in both the largest and smallest data centers.


Wednesday August 24, 2016 2:15pm - 3:05pm EDT
Harbour B

3:35pm EDT

Docker Security Configuration: Real-world Examples and Troubleshooting - John Kinsella, Layered Insight
In the last year, Docker has released several features to “help” secure Containers. For anybody who has ever looked at SELinux, AppArmor, or Seccomp, they realize a lot more help is still needed.

As we look at the “hows” and “whys” of creating a security configuration, we’ll spend lots of time in the terminal, looking at tools that ease the workload, as well as tools that assist in troubleshooting. For many this is the pain point – figuring out why their security config isn’t working (or more precisely – isn’t working as expected).

John will be using examples relevant to real world workloads. If time permits, he’ll take audience suggestions for public images to look at, and will work through creating secure profiles with the tools discussed.

Speakers

John Kinsella

Chief Architect, Accurics
John Kinsella is the Chief Architect of Accurics, a provider of security and compliance tools for enterprises using cloud computing. His 20-year background focuses around application and network security, from initial design through business-critical production operations. He has...


Wednesday August 24, 2016 3:35pm - 4:25pm EDT
Harbour B

4:35pm EDT

A Look at Running Containers in a Hostile Environment - Stéphane Graber, Canonical Ltd.
NorthSec is one of the biggest on-location security contests (Capture The Flag) in the world.
It's also one of the biggest deployments of LXC, albeit only for a weekend.

It is unique not only because of its size but because of the way it works. Every team gets its own simulation of the real world, including its own fake internet and various fake companies and organizations connected to it. Each edition comes with its own original scenario which drives the event and gets the team going from one challenge to the next, earning points in the process.

Everything is simulated using Containers, several hundreds of them PER TEAM. Those run internet routers or simulate corporate servers. Some are deliberately vulnerable to attacks; some can't ever fail.

In this talk, we'll look at the NorthSec 2016 infrastructure, what it looked like, how it was made and what we learned from it.

Speakers

Stéphane Graber

Software Engineer, Canonical Ltd.
Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at the various containers and other Linux related events. Stéphane is also a long time contributor to the Ubuntu Linux distribution...


Wednesday August 24, 2016 4:35pm - 5:25pm EDT
Harbour B