I’m here today to spread some Fear, Uncertainty and Doubt (FUD) about containers. While Venom has made some headlines about a vulnerability within some open source hypervisors, I’m more interested in the discussion around container security. Download and listen to the podcast to hear my concerns.


TechTalk 7 – Venom and containers spreading some FUD

One thought on “TechTalk 7 – Venom and containers spreading some FUD”

  • May 15, 2015 at 7:05 pm

    Here is someone that made a list for Docker. Docker is probably one of the least in the Linux container space: https://github.com/feiskyer/docker/issues/1

    What is now Parallels with their OpenVZ/Virtuozzo/Cloud product has been doing this for 10 years. Parallels was selling it to hosting providers which sold their Virtual Private Server as a service: thus multiple tenants, thus with proper security. Parallels made sure this all worked on Linux. They had a really big patch with changes to the kernel that they depended on. A real cut-throat, low-margin business for these service providers.

    Some others used FreeBSD jails. Also see Sun/Oracle Solaris and its open source illumos cousin and its commercial offerings: SmartOS from Joyent and Nexenta storage solutions.

    Here is a current random example for a few dollars per month: http://lowendbox.com/blog/hostus-35year-2gb-openvz-in-dallas-los-angeles-or-atlanta/

    This type of business is old as dirt in the world of hosting. 🙂

    Now I’ll save you the story about how the OpenVZ guys, with help from others like IBM, Google, Ubuntu, Red Hat, SUSE, etc., eventually got all the needed features in the mainline Linux kernel…

    But the patch OpenVZ now has for a modern kernel does not include any security features. All the security features OpenVZ needs are all available in the normal mainline Linux kernel.

    The only reason Docker hasn’t included all the security features yet is because they want to support older installations. I think they’ll stop doing that soon enough and start including more features so people can use it with specialized distributions like CoreOS. 1.6 has been released recently. Docker does a release every 2 months. I think 1.7 or 1.8 will have the big improvement that is needed for security: user namespaces. After that only seccomp is left.

    The guys from Ubuntu and Parallels are also pretty far with support for live migration (http://criu.org/Main_Page). It’s usable right now for most workloads. You want live migration if you want to reboot a machine because of a Linux kernel security upgrade.

    I expect the Linux kernel will get usable live security patching in Linux kernel 4.2; 4.0 was released recently. It’s on a release schedule of 2 releases in a little less than 5 months. So if you wait 4 months the infrastructure for that will be ready too. That will make it a lot easier to secure things too because there is no reboot.

    So my guess is early next year you’ll have these things in the specialized Linux distributions like CoreOS?
