overlayfs and containers

Overlayfs And Containers Miklos Szeredi, Red Hat Vivek Goyal, Red - PowerPoint PPT Presentation

Dec 14, 2023 •472 likes •966 views

Overlayfs And Containers Miklos Szeredi, Red Hat Vivek Goyal, Red Hat Introduction to overlayfs Union or? Union: all layers made equal How do you take the union of two files? Or a file and a directory? NO! Layers cant be

  1. Overlayfs And Containers Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

  2. Introduction to overlayfs

  3. Union or…? Union: all layers made equal ● How do you take the union of two files? ● Or a file and a directory? ● NO! Layers can’t be treated equal ●

  4. ...overlay! Layer upon layer upon layer… ● Only upper layer can be modified ● copy-up (exception: directory contents) ○ Objects in one layer cover up objects with the same name in layer(s) below ● Exception: directories, which are merged ● Exception for the exception: opaque directories ● One more exception: whiteout ● covers up anything and makes it look like nothing ○

  5. Design Userspace API (most important!) ● No new object types ○ Whiteout -> char dev with 0/0 device number ■ Opaque dir -> xattr ■ Make it as simple as possible (and not a bit simpler) ● Most of the logic is in a separate filesystem module ○ Some VFS impact but not much; some FS impact but not much ○ Upstream early ● It doesn’t have to do everything right; features can be added later... ○

  6. Implementation Separate cache for the overlay directory tree ● Allows less impact on VFS/FS ○ BUT bad for memory use ○ Shared cache for the file contents ● Copy-up when opened for write (may be too early) ○ Ugliness when copy-up happens while file is already open read-only ○ BUT great for performance and memory use ○ Limitations ● modifying lower layer -> don’t care ○ Not (yet) a “POSIX” filesystem (st_dev/ino quirks, directory rename, hard link copy-up, etc) ○

  7. Features added later Multiple lower layers ● Renaming directories ● SELinux ● POSIX ACL ● File locking ●

  8. Features (work in progress) RW-RO file consistency after copy-up ● Just need to fix this case up in VFS ○ Fix st_dev, constant st_ino/d_ino ● Store inode number for copied up files ○ Finding a common ino space for different underlying filesystems ○ Hard link copy up ● Should be very rare ○ Can use a global database for storing inode numbers of copied up hard links ○

  9. overlayfs usage in docker

  10. overlay graph driver Container 1 Confined Process merged dir (rootfs) hard links lower lower lower upper dir dir 1 dir 2 dir N Image Image Image Container Layer 1 Layer 2 Layer N writable dir docker daemon option --storage-driver=overlay Overlay supported single lower directory Hard links created between image layers Higher inode utilization

  11. overlay2 graph driver Container 1 Confined Process merged dir (rootfs) lower lower lower upper dir dir 1 dir 2 dir N Image Image Image Container Layer 1 Layer 2 Layer N writable dir docker daemon option --storage-driver=overlay2 overlayfs should support multiple lower dirs No hardlinks and dir creation in every layer Better inode utilization

  12. Container security and overlayfs

  13. How do we handle access permissions? DAC(Ownership/Permissions) MAC (SELinux)

  14. An example setup Container 1 Container 2 Confined Confined Process 1 Process 2 merged merged lower dir upper dir 1 upper dir 2 Image Layer Two containers sharing lower dir with separate upper dir

  15. Escaped container process writes to image dir/files Container 1 Container 2 Confined Escaped Confined Process 1 Process 1 Process 2 merged merged lower dir upper dir 1 upper dir 2 Image Layer -rw-r--r--. root root /etc/passwd DAC allows writing to /etc/passwd

  16. Security goal 1 Container 1 Container 2 Confined Escaped Confined Process 1 Process 1 Process 2 merged merged lower dir upper dir 1 upper dir 2 Image Layer -rw-r--r--. root root /etc/passwd Do not allow writing to image dir/files

  17. Allow access through overlay mount point open(foo.txt, O_RDWR) Overlay mount lower/foo.txt upper/

  18. Deny write access on underlying file open(foo.txt, O_RDWR) Overlay mount lower/foo.txt upper/

  19. DAC allows access through both paths (When root inside container is root outside) open(foo.txt, O_RDWR) Overlay mount lower/foo.txt upper/ -rw-r--r--. root root

  20. Read only label on lower files open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Overlay mount lower/foo.txt upper/ system_u:object_r:container_share_t:s0

  21. Use context mount option for overlay open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Overlay mount (context=label) system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/ system_u:object_r:container_share_t:s0 mount -t overlay -o context=”system_u:object_r:container_file_t:s0:c16,c585”.... merged/

  22. That did not work

  23. Access permission checks in overlay inode_permission() overlay inode MAC context label real inode DAC + MAC (real label)

  24. Read only label on lower file open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 merged/foo.txt system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  25. Process Overlay inode check open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Process MAY_WRITE merged/foo.txt system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  26. Process lower inode DAC check open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Process MAY_WRITE merged/foo.txt system_u:object_r:container_file_t:s0:c16,c585 Process MAY_WRITE lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  27. Process lower inode MAC check open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Process MAY_WRITE merged/foo.txt system_u:object_r:container_file_t:s0:c16,c585 Process MAY_WRITE lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  28. What if we don’t do WRITE checks on lower inode

  29. But that will break DAC DAC checks happen only at real inode open(foo.txt, O_RDWR) merged/ Copy Up lower/foo.txt upper/foo.txt -r--r--r--. root root -r--r--r--. root root

  30. Why not do DAC checks on both inodes open(foo.txt, O_RDWR) merged/foo.txt -r--r--r--. root root Copy Up lower/foo.txt upper/ -r--r--r--. root root

  31. That kind of worked but...

  32. Certain overlayfs operations failed MAC checks

  33. Certain overlayfs operations fail MAC checks File creation over whiteout

  34. Certain overlayfs operations fail MAC checks File creation over whiteout Use mounter’s creds for privileged operations

  35. Two Levels of Permission Checks inode_permission() Overlay inode is checked with ● creds of task Underlying inode is checked ● DAC +MAC with creds of mounter overlay inode (Caller Certain privileged operations ● context label Creds) are done with the creds of mounter real inode DAC + MAC Mounter (real label) Creds

  36. Two levels of checks open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 merged/foo.txt -rw-r--r--. root root system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  37. Process Overlay inode check open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Process MAY_WRITE merged/foo.txt -rw-r--r--. root root system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  38. Mounter real lower inode check open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 Process MAY_WRITE merged/foo.txt -rw-r--r--. root root system_u:object_r:container_file_t:s0:c16,c585 Mounter MAY_READ lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  39. First requirement met

  40. Escaped process accesses other container’s data Container 1 Container 2 Confined Confined Escaped Process 1 Process 2 Process 1 merged merged lower dir upper dir 1 upper dir 2 Image Layer -rw-r--r--. root root /etc/data.txt Container1 accesses container2’s data

  41. Security goal 2 Container 1 Container 2 Confined Confined Escaped Process 1 Process 2 Process 1 merged merged lower dir upper dir 1 upper dir 2 Image Layer -rw-r--r--. root root /etc/data.txt One container should not be able to access other container’s data

  42. Label upper files for container access only open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 merged/ system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/ -rw-r--r--. root root system_u:object_r:container_share_t:s0

  43. Label upper files for container access only open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 merged/ system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/foo.txt -rw-r--r--. root root -rw-r--r--. root root system_u:object_r:container_share_t:s0 system_u:object_r:container_file_t:s0:c16,c585

  44. One container can’t access data of another container open(foo.txt, O_RDWR) open(foo.txt, O_RDWR) system_u:system_r:container_t:s0:c16,c585 system_u:system_r:container_t:s0:c548,c591 merged/ system_u:object_r:container_file_t:s0:c16,c585 lower/foo.txt upper/foo.txt -rw-r--r--. root root -rw-r--r--. root root system_u:object_r:container_share_t:s0 system_u:object_r:container_file_t:s0:c16,c585

Recommend

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes

Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes

Matthias Sohn Adel Zaalouk SAP From Containers to Kubernetes From Containers to Kubernetes Container Container Runtime Host OS VM From Containers to Kubernetes Container Container Runtime Host OS VM From Containers to Kubernetes

1.72k views • 135 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and Cloud Native Computing! Google running 2B+ containers per week! Internet scale companies are running containers too: Facebook, Twitter,

1.8k views • 49 slides
Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman, Technology Evangelist Docker @mikegcoleman Who Am I? Technology evangelist at Docker Former: Puppet, VMware, MSFT, Intel, and HP First

390 views • 25 slides
SAMPLES OF MIXED CONTAINERS Maximum Recovery Minimum Waste TM MIXED CONTAINER RECYCLING

SAMPLES OF MIXED CONTAINERS Maximum Recovery Minimum Waste TM MIXED CONTAINER RECYCLING

SAMPLES OF MIXED CONTAINERS Maximum Recovery Minimum Waste TM MIXED CONTAINER RECYCLING Recycle your Tin, Glass, Metal and Plastic Recycle your Tin, Glass, Metal and Plastic Containers in one recycling bin. Containers in one recycling

331 views • 22 slides
SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi

SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi

SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi @PulumiCorp @lindydonna SERVERLESS AND CONTAINERS Tradeoff between control and productivity Containers give you full control over your compute

720 views • 40 slides
Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane Graber Christian Brauner LXD project leader LXD maintainer @stgraber @brau_ner https://stgraber.org https://brauner.io

394 views • 12 slides
Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk Introductions David Porter Fairport Containers Director Steve Collinson Managing Director Fairport Containers Ltd Tam Unsworth Recycling Banks

552 views • 28 slides
Containers for Java: Optimizing your applications Mofe Salami Developer Advocate Containers

Containers for Java: Optimizing your applications Mofe Salami Developer Advocate Containers

Containers for Java: Optimizing your applications Mofe Salami Developer Advocate Containers are great! App 1 App 2 App 3 Bins/Libs Bins/Libs Bins/Libs App 1 App 2 App 3 Guest OS Guest OS Guest OS Bins/Libs Bins/Libs Bins/Libs

565 views • 39 slides
Flow A Multithreaded KPN language Mitchell Gouzenko | Hyonjee Joo | Adam Chelminski | Zach

Flow A Multithreaded KPN language Mitchell Gouzenko | Hyonjee Joo | Adam Chelminski | Zach

Flow A Multithreaded KPN language Mitchell Gouzenko | Hyonjee Joo | Adam Chelminski | Zach Gleicher A Determinism in KPNs Determinism is important - there are many subtle ways to break it Mutable global variables Mutable

802 views • 38 slides
A Technique for Enabling and Supporting Debugging of Field Failures James Clause and Alessandro

A Technique for Enabling and Supporting Debugging of Field Failures James Clause and Alessandro

A Technique for Enabling and Supporting Debugging of Field Failures James Clause and Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech. 1 3 Field

1.1k views • 80 slides
The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java By: Amanj Sherwany 2011 http://www.amanj.me Background Loci is a static checker for thread- Informationsteknologi locality for Java-like

931 views • 50 slides
Implementing Algorithms in C++ Biostatistics 615/815 . . . . . . . FET . HelloWorld .

Implementing Algorithms in C++ Biostatistics 615/815 . . . . . . . FET . HelloWorld .

. Summary Januray 11th, 2011 Biostatistics 615/815 - Lecture 2 Hyun Min Kang Januray 11th, 2011 Hyun Min Kang Implementing Algorithms in C++ Biostatistics 615/815 . . . . . . . FET . HelloWorld . . . . . . . . . Data Types

1.18k views • 43 slides
Perspec ectives es from om t the FOO Surf rface Waves Work rking Group Mark Hemer (CSIRO)

Perspec ectives es from om t the FOO Surf rface Waves Work rking Group Mark Hemer (CSIRO)

Perspec ectives es from om t the FOO Surf rface Waves Work rking Group Mark Hemer (CSIRO) Daryl Metters (Qld DSITI) Alex Babanin (Univ. Melb) Tim Moltmann (IMOS) Paul Boswood (Qld DSITI) Roger Proctor (IMOS) Diana Greenslade (BoM)

304 views • 14 slides
Resumable Java Bytecode Process Mobility for the JVM Jan Pedersen and Brian Kauke Overview The

Resumable Java Bytecode Process Mobility for the JVM Jan Pedersen and Brian Kauke Overview The

Resumable Java Bytecode Process Mobility for the JVM Jan Pedersen and Brian Kauke Overview The ProcessJ language Transparent process mobility Implementing mobility in the Java/JCSP translation Intro to ProcessJ ProcessJ is a new

285 views • 25 slides
B A C D B A The existential question Why OSGi? Hello World is not a

B A C D B A The existential question Why OSGi? Hello World is not a

OSGi enRoute An Development Chain for OSGi B A C D B A The existential question Why OSGi? Hello World is not a benchmark Dev Chain Language Small versus Large dynamic Java & languages OSGi cost of change

878 views • 71 slides
On The Use Of An Algebraic Language Interface For Waveform Definition Michael L Dickens and

On The Use Of An Algebraic Language Interface For Waveform Definition Michael L Dickens and

On The Use Of An Algebraic Language Interface For Waveform Definition Michael L Dickens and J Nicholas Laneman WINNF11US 2011-Dec-02 Thursday, November 17, 2011 Overview ! Blocks versus Buffers ! Problem ! Saline Implementation !

475 views • 43 slides

More recommend