From 17cd67f4d0ee963dd070b761ade0711f07b57ff9 Mon Sep 17 00:00:00 2001 From: Jerome Petazzoni Date: Tue, 10 Apr 2018 08:41:05 -0500 Subject: [PATCH] Breakdown container internals chapter --- slides/intro/Namespaces_Cgroups.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/slides/intro/Namespaces_Cgroups.md b/slides/intro/Namespaces_Cgroups.md index 430ed729..c27fae3a 100644 --- a/slides/intro/Namespaces_Cgroups.md +++ b/slides/intro/Namespaces_Cgroups.md @@ -28,15 +28,11 @@ The last item should be done for educational purposes only! - On Linux, containers rely on "namespaces, cgroups, and some filesystem magic." - (Other features are also involved for security: capabilities, seccomp, LSMs...) - -- We are going to explore namespaces and cgroups. - - (Filesystems are covered in a dedicated chapter about copy-on-write.) +- Security also requires features like capabilities, seccomp, LSMs... --- -## Namespaces overview +# Namespaces - Provide processes with their own view of the system. @@ -601,7 +597,7 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details. --- -## Control groups +# Control groups - Control groups provide resource *metering* and *limiting*. @@ -944,13 +940,13 @@ Killed --- -## Capabilities, seccomp, LSMs... +# Security features - Namespaces and cgroups are not enough to ensure strong security. -- If we want our containers to actually contain, we need more. +- We need extra mechanisms: capabilities, seccomp, LSMs. -- Capabilities, seccomp, LSMs were already used before containers to harden security. +- These mechanisms were already used before containers to harden security. - They can be used together with containers.