CONTAINING THE OS

WHAT'S LEFT?


Vincent Batts @vbatts

$> finger $(whoami)
Login: vbatts                           Name: Vincent Batts
Directory: /home/vbatts                 Shell: /bin/bash
Such mail.
Plan:
OHMAN
$> id -Gn
devel opencontainers docker appc redhat golang slackware

Containers

Kernel's Guarantee:

DON'T BREAK USERSPACE

But what is there to break?

Containers:

  • Share the host's kernel
  • Crashes and exploits alike

Virtualizing by "namespacing" kernel resources and concepts

Isolation by control groups, syscall filtering, and Linux Security Modules (SELinux, AppArmor, etc.)

Kernel Namespaces:

  • mount
  • IPC (message queues, semaphores, shm)
  • UTS (hostname)
  • network
  • PID
  • cgroup
  • user

Kernel Namespaces: PID
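As an added example (not the speaker's code) of the namespacing described above: a C program that clones a child into new user, PID and UTS namespaces, so the child sees itself as PID 1 with its own hostname while the parent still sees an ordinary host PID. It reports -errno instead of failing when the kernel or a seccomp policy refuses the namespaces, which is what a container runtime has to handle as well.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child observed from inside its freshly created namespaces. */
struct ns_view {
    pid_t inner_pid;    /* getpid() inside the new PID namespace: expected to be 1 */
    pid_t outer_pid;    /* the same child as the parent (host PID namespace) sees it */
    char  hostname[32]; /* hostname set inside the new UTS namespace; host unaffected */
};

/* Child entry point: runs as PID 1 of the new PID namespace. sethostname works
   without real root because the child holds CAP_SYS_ADMIN in the new user
   namespace, which owns the new UTS namespace; only the child's view changes. */
static int child_fn(void *arg)
{
    int fd = *(int *)arg;
    struct ns_view v = {0};
    v.inner_pid = getpid();
    if (sethostname("contained", 9) == 0)
        strcpy(v.hostname, "contained");
    return write(fd, &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1;
}

/* Clone a child into new user, PID and UTS namespaces and report its view.
   Returns 0 on success or -errno when the kernel or sandbox policy refuses
   (EPERM under a seccomp profile or with user namespaces disabled), so callers
   can tell "isolation unavailable" from a bug. */
int run_namespaced_child(struct ns_view *out)
{
    static char stack[64 * 1024]; /* child stack; clone() takes its top on x86/arm */
    int pipefd[2];
    if (pipe(pipefd) != 0) return -errno;
    pid_t child = clone(child_fn, stack + sizeof stack,
                        CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, &pipefd[1]);
    if (child < 0) { int e = errno; close(pipefd[0]); close(pipefd[1]); return -e; }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], out, sizeof *out);
    close(pipefd[0]);
    waitpid(child, NULL, 0);
    if (n != (ssize_t)sizeof *out) return -EIO;
    out->outer_pid = child; /* host-side PID: never 1, the proof of the two views */
    return 0;
}
```

Run it unprivileged on a stock kernel and inner_pid is 1 while outer_pid is a normal PID; under a restrictive seccomp profile or with user namespaces disabled it returns -EPERM, the same refusal a runtime sees.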

Container Distribution

How many have attempted to configure some open source project?

Discovered it required other projects to be configured first

Which required still more projects to be configured

Only to find a fundamental incompatibility with the distro version

Container Distribution

Root ('/') File System

Approaches:

  • Tar Archive
  • Raw Image
  • rsync
  • ostree

What's Left?

Cloud Native application development (see CNCF)

Rather than only shoving "legacy" code in new boxes

Discoverable APIs (see OpenAPIs)

"Scheduled" functionality (see OpenShift and Kubernetes)

Intercommunication (see gRPC)

Event-driven functions (aka "serverless")

Intelligent routing (Istio and Envoy)

Trusted pipeline (CI/CD, Grafeas, etc.)

Cloud

Thanks!

Vincent Batts

@vbatts | vbatts@redhat.com