Breakdown container internals chapter

This commit is contained in:
Jerome Petazzoni
2018-04-10 08:41:05 -05:00
parent 96fd2e26fd
commit 17cd67f4d0

View File

@@ -28,15 +28,11 @@ The last item should be done for educational purposes only!
- On Linux, containers rely on "namespaces, cgroups, and some filesystem magic."
(Other features are also involved for security: capabilities, seccomp, LSMs...)
- We are going to explore namespaces and cgroups.
(Filesystems are covered in a dedicated chapter about copy-on-write.)
- Security also requires features like capabilities, seccomp, LSMs...
---
## Namespaces overview
# Namespaces
- Provide processes with their own view of the system.
@@ -601,7 +597,7 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details.
---
## Control groups
# Control groups
- Control groups provide resource *metering* and *limiting*.
@@ -944,13 +940,13 @@ Killed
---
## Capabilities, seccomp, LSMs...
# Security features
- Namespaces and cgroups are not enough to ensure strong security.
- If we want our containers to actually contain, we need more.
- We need extra mechanisms: capabilities, seccomp, LSMs.
- Capabilities, seccomp, LSMs were already used before containers to harden security.
- These mechanisms were already used before containers to harden security.
- They can be used together with containers.