docker file system isolation
play

Docker File System Isolation By Darrin Schmitz David Huff - PowerPoint PPT Presentation

Jan 08, 2023 •273 likes •523 views

Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911 Specifications HP ProLiant DL380p Gen8 servers Head node has 32 cores and 32 GB RAM 10 child nodes have 24 cores and 24 GB RAM

  1. Docker File System Isolation By Darrin Schmitz David Huff Destiny Velasquez 1 LA-UR-15-25911

  2. Specifications • HP ProLiant DL380p Gen8 servers • Head node has 32 cores and 32 GB RAM • 10 child nodes have 24 cores and 24 GB RAM • Operating system: CentOS 6.6 • Containers: Docker version 1.6 2 LA-UR-15-25911

  3. Abstract Overview ● Our goal ● Technical difficulties ● Overall, we believe Docker is a good security option, even though there are some security risks involved 3 LA-UR-15-25911

  4. What is a Container? ● Between a virtual machine and a chroot ● Native hardware utilization ● Able to run different operating systems 4 LA-UR-15-25911

  5. Why use Docker? 1. Pre-configures its network bridges 2. Available documentation 3. Portable and recoverable images 5 LA-UR-15-25911

  6. Docker Normal Setup ● Docker bridge directly connected to node ● IP forwarding use ● The IP ranges for the containers are 172.17.0.0/20 ● Daemon configures iptables 6 LA-UR-15-25911

  7. Docker Normal Setup Diagram 7 LA-UR-15-25911

  8. Problems With Default Setup ● Same IP addresses are assigned to different containers on different nodes ● Iptables and bridges are not cleaned up by Docker 8 LA-UR-15-25911

  9. Steps to Create a Docker Network With OpenMPI 1. Install Docker 2. Set up the bridge manually 3. Set up SSH-keys 4. Set up OpenMPI 5. Set up the Docker daemon to give out unique IP-addresses 9 LA-UR-15-25911 https://www.linkedin.com/pulse/docker-containers-kubernetes-smart-ecosystem-solution-yasser-emam

  10. Bridge 10 LA-UR-15-25911

  11. SSH-Keys & OpenMPI & Mounting ● Generate the SSH-keys and place the public key into the authorized-keys file ● Set up the /etc/openmpi/default-openmpi - hostnames file, and set the path to the OpenMPI libraries ● Mounting is as simple as using Dockers –v flag 11 LA-UR-15-25911

  12. Docker Daemon ● The Docker Daemon sets up the bridge ● The IP range for the containers is set up by the daemon ● There is a flag to assign a custom bridge to the daemon 12 LA-UR-15-25911

  13. Docker Hub 13 LA-UR-15-25911 http://jenkins-ci.org/content/official-jenkins-lts-docker-image

  14. Problems With Docker ● Docker’s bridge needs to connect to the switch directly ● Services do not start at the start of the terminal ● Environment variables are not permanent ● IP-addresses cannot be statically set ● /etc/hosts file is constantly being overwritten 14 LA-UR-15-25911

  15. Benchmarks Write dd if=/dev/urandom of=/Yellow/File bs=1024 count=1024000 dd if=/dev/urandom of=/home/File bs=1024 count=1024000 Read dd if=/Yellow/File of=/dev/null bs=1024 dd if=/home/File of=/dev/null bs=1024 15 LA-UR-15-25911

  16. Benchmark Results Relative Read Performance 1.05 1.00 0.95 0.90 0.85 0.80 0.75 0.70 0.65 0.60 Dir on Host Dir mounted in Cont File in /home using Mounted file in / NFS home using NFS 16 LA-UR-15-25911

  17. Benchmark Results Relative Write Performance 1.05 1.00 0.95 0.90 0.85 0.80 0.75 0.70 0.65 0.60 Dir on Host Dir mounted in Cont File in /home using Mounted file in / NFS home using NFS 17 LA-UR-15-25911

  18. CVE’s ● Insecure opening of file-descriptor 1 leading to privilege escalation (CVE-2015-3627) ● Symlink traversal on container respawn allows local privilege escalation (CVE-2015-3629) ● Read/write proc paths allow host modification & information disclosure (CVE-2015-3630) 18 LA-UR-15-25911

  19. Security Risks ● The current version of Docker fixes these security holes ● As of the 14 th of July, 1.7.1 is compatible with CentOS 6.6 ● The isolation provided by Docker is not as robust as the segregation established by hypervisors for virtual machines 19 LA-UR-15-25911

  20. Security Recommendations ● Use containers only on unclassified data/file systems ● Containers run with a whitelisted root ● Access control via SSH Keys ● Set up a password between data locations ● Don’t give root to the user ● Set up user account in the container 20 LA-UR-15-25911

  21. Future Research ● Write a launch script that works with SLURM/Moab to automatically provision the container environment. ● Investigate bind mounts using Lustre and Panasas. ● Investigate using containers in an SELinux environment. 21 LA-UR-15-25911 https://docs.docker.com/

  22. Conclusion ● We met the goal of our project by proving Docker is a lightweight security option ● Although there are some security holes to be concerned about, we’ve provided some security recommendations for Docker ● Docker would be a useful option for separating Yellow and Turquoise data 22 LA-UR-15-25911

  23. References 1. https://sites.google.com/a/ probe.newmexicoconsortium.org/cscnsi-2015- vermilion/ 2. https://www.docker.com/ 3. https://hub.docker.com/ 4. https://nvd.nist.gov/ 23 LA-UR-15-25911

  24. Questions? 24 LA-UR-15-25911

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau

Fault Isolation and Quick Recovery in Isolation File Systems Lanyue Lu Andrea C. Arpaci-Dusseau Remzi H. Arpaci-Dusseau University of Wisconsin - Madison 1 File-System Availability Is Critical 2 File-System Availability Is Critical Main

1.76k views • 171 slides
Wharf: Sharing Docker Image in a Distributed File System Chao Zheng, Lukas Rupprecht, Vasily

Wharf: Sharing Docker Image in a Distributed File System Chao Zheng, Lukas Rupprecht, Vasily

Wharf: Sharing Docker Image in a Distributed File System Chao Zheng, Lukas Rupprecht, Vasily Tarasov, Douglas Thain, Mohamed Mohamed, Dimitrios Skourtis, Amit S. Warke and Dean Hildebrand 1 Problem High Network and Storage Overheads 2

759 views • 18 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation

Chapter 12: File System Implementation File System Structure File System Implementation Directory Implementation Allocation Methods Free-Space Management Efficiency and Performance Recovery Log-Structured File Systems

492 views • 47 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System

File Systems Chapter 11, 13 OSPP What is a File? What is a Directory? Goals of File System Performance Controlled Sharing Convenience: naming Reliability File System Workload File sizes Are most files small or large?

996 views • 62 slides
CSE 120 File System Interface What the user/programmer sees File System Implementation

CSE 120 File System Interface What the user/programmer sees File System Implementation

Overview CSE 120 File System Interface What the user/programmer sees File System Implementation How it works Summer, 2006 Day 9 File Systems Instructor: Neil Rhodes 2 What is a File? Typical Filesystem Named collection of related

175 views • 5 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
File System Implementation Summer 2016 Cornell University Today File allocation Unix

File System Implementation Summer 2016 Cornell University Today File allocation Unix

CS 4410 Operating Systems File System Implementation Summer 2016 Cornell University Today File allocation Unix file system Log-structured file system 2 File system: two design problems User interface: File, directory,

362 views • 21 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a

Distributed File Systems Distributed File Systems A distributed file system (DFS) is a distributed Definitions implementation of a classical time-sharing model of a file Distributed system - A number of loosely coupled system. machines

997 views • 8 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Distributed Systems - III Open a file, check status on a file, close a file; Read data

Distributed Systems - III Open a file, check status on a file, close a file; Read data

CSE 421/521 - Operating Systems What does Distributed File System Provide? Fall 2011 Provide access to and manipulation of data stored at remote servers using file system interfaces Lecture - XXV What are the file system interfaces?

236 views • 5 slides
File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk

File System Thierry Sans (recap) File System Abstraction File system specifics of which disk class it is using It issues block read/write requests to the generic block layer Provide an abstraction Goals Implement an abstraction (files) for

389 views • 37 slides
Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL

Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL

Presentation Q1(19) Jonas Jarvius, CEO Anders Lundin, CFO STRICTLY PRIVATE AND CONFIDENTIAL Disclaimer DISCLAIMER THIS PRESENTATION AND ITS CONTENTS ARE CONFIDENTIAL AND ARE NOT FOR RELEASE, PUBLICATION OR DISTRIBUTION, IN WHOLE OR IN PART,

835 views • 12 slides
D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings

D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings

D8.9 Educational Material for University Studies Sustainable Refurbishing of Historic Buildings and Relevant Building Physical Aspects based on Case Study 5: Secondary School Htting Innsbruck, Austria The research leading to these results

895 views • 72 slides
OVER ERVIEW IEW OF OF ISO ISO 90 9001 01, , ISO ISO 14 1400 001 1 & & OH OHSA

OVER ERVIEW IEW OF OF ISO ISO 90 9001 01, , ISO ISO 14 1400 001 1 & & OH OHSA

OVER ERVIEW IEW OF OF ISO ISO 90 9001 01, , ISO ISO 14 1400 001 1 & & OH OHSA SAS S 18001 18001 COURSE OBJECTIVES ISO 9001, ISO 14001 & OHSAS 18001 in brief: ISO 9001, ISO 14001 & OHSAS 18001 are among the

177 views • 15 slides
I SO Managem ent system standards - An overview - I SO Managem ent system s W hat are they? W

I SO Managem ent system standards - An overview - I SO Managem ent system s W hat are they? W

I SO Managem ent system standards - An overview - I SO Managem ent system s W hat are they? W hy use them ? Complying with ISO management standards: increases confidence in business relationships, broadens opportunities

544 views • 33 slides
One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code

One Person, One Lock Control of Hazardous Energy H&S Program Standard 7-45 Course Code 600009 TRACCESS Module - 2017 Control of Hazardous Energy Training BU Specific Group BU Competency Lockout Increasing Competency Group

1.07k views • 37 slides
ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi

ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou , Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xian Jiaotong University Florida State University Software is Complicated and Vulnerable Number of CVEs 17

912 views • 28 slides
PRESENTATION FOR TESTING DIRECTIONS The World Health Organization declared COVID-19 a pandemic on

PRESENTATION FOR TESTING DIRECTIONS The World Health Organization declared COVID-19 a pandemic on

EMERGENCY MANAGEMENT ACT 2005 (WA) ( (a) who enters Westero Australia by disembarking from an afgected aircraft onto land anywhere in Western Australia (including any person who entered Westero Australia in this manner on or afuer 29 June 2020);

268 views • 3 slides
Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge

Massive Multitenancy with V8 Isolates Kenton Varda - Tech Lead, Cloudflare Workers The Challenge 165 Locations and growing Scalability can mean... Traffic (requests) Easy: More locations = more capacity. Tenants (apps) Hard: Every tenant in

812 views • 41 slides

More recommend