Container security: Do containers actually contain? Should you care? - 2015 Red Hat Summit

  • Published: Oct 1, 2024
  • Daniel Walsh - Mr SELinux, Red Hat
    As container use gains popularity, container security is more important than ever. This talk is split into 4 parts detailing security measures in containers, signing, authentication and authorization with the daemon, and mandatory access control.
    In this session, you will:
    - Learn about the security measures in container management that control what processes within a container can do, and hear about upcoming security enhancements to containers.
    - See how container images are signed.
    - Discover authentication updates being made to the server to control who’s able to manipulate a container, and learn how developers are splitting functions that an authenticated user is allowed to do on the server.
    - Learn how SELinux works and how it works with Docker.
  • Science

Comments • 14

  • @zofe 3 years ago

    Backward-compatibility is backward socioeconomic mentality of tuning and patching,
    rather not R&D thus replacing engineers with copycats - who exponentiate complexity.
    Jim Keller, a prominent CPU design-leader, states that a 5-years cycle of redesign from scratch makes sense for CPUs ... so what about OS fundamentals, then?
    ruclips.net/video/Nb2tebYAaOA/видео.html

  • @geraldjustice1009 8 years ago +1

    Sadly the camera focussed too often on the speaker and some slides were not shown or were shown far too quickly.

  • @unixbhaskar 9 years ago +1

    Cool Dan! Love your work and talk... way to go... cheers mate.

  • @johnschiwitz4412 8 years ago

    I enjoyed your systemd talk last June. I noticed you went to Holy Cross and WPI. I worked at Holy Cross and lived on Salisbury Street about a mile from WPI. We are implementing containers here at Honda, thanks again for clearing up these topics.

  •  9 years ago +2

    Do *you* have pigs in a park?

    • @tomascrhonek 9 years ago

      I haven't watched the video, but when I read about nspawn that its security isn't very polished yet, I assumed it was the usual caveat that applies to all containers. Well, it was enough to run cat /proc/mounts in nspawn, and it was pretty clear just how unpolished that security is. I'm not judging whether that is good or bad, but one should know everything that gets let through into the container.

    •  9 years ago

      Nspawn was created for testing systemd. In the future, though, it could be used in production. It did not have such ambitions, but it looks like it will catch on.

    • @tomascrhonek 9 years ago

      That's possible; I use it for testing applications that require system settings different from what the host currently has. After testing comes btrfs sub del. For security isolation I probably wouldn't use any container.

  • @VasuThiyagarajan 8 years ago

    Containers don't contain... but if you get it from RHEL it does... seriously?

    • @TerryBowling 8 years ago +2

      +Vasu Thiyagarajan That is not what he is saying at all. I think you need to listen more carefully. He is saying that it is naive to think that containers truly contain all by themselves. SELinux improves security significantly and Red Hat is working with the community to add things like SECCOMP and User Name Spaces to improve this further.
      So if you're blindly using containers thinking it's secure, you're wrong. If you're using the Red Hat ecosystem, Red Hat is helping you to fill the gaps. Not saying you can't do it with other platforms, but there is a lot to know and Red Hat has the most engineers and security resources to ensure the gaps are identified and filled. And we submit for the government security certifications (CC, FIPS, etc) so there are additional audits and eyeballs critiquing the platform.

    • @VasuThiyagarajan 8 years ago

      Thanks for clarification

  • @dejagerlaubscher5127 8 years ago

    This is awesome training!

  • @rhc287 6 years ago

    Great talk.

  • @kadiatoutraore9538 8 years ago

    awa fjg