TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

GitHubTwitter

Home

HomeNewestBestAskShowJobs

Resources

HackerNews APIOriginal HackerNewsNext.js

© 2025 TechEcho. All rights reserved.

Understanding and Hardening Linux Containers [pdf]

196 points by secalex about 9 years ago

11 comments

X86BSD about 9 years ago

Obviously the author put a lot of effort into this paper. Hard work shows throughout. Kudos to you, sir!

Granted, I realize the title is "Understanding and Hardening Linux Containers".

However, personally, this just illustrates my frustration and the frustration of others with the Linux world.

They exist in their own little echo chamber. Linux was not the first to create "containers" that are secure. There is no inclusion of other solutions outside Linux.

The reason other solutions do not have these problems is because the authors actually thought about the problem. And if the Linux camp would simply look outside their echo chamber long enough to see how others solved these problems before them, this paper might not have been written.

It's just simply frustrating to watch Linux reinvent some wheels, poorly, time after time.

Flame on!
geggam about 9 years ago

This..... this is the thing every architect attempting to roll containers out to production needs to read and re-read.

Complexity at scale: Orchestration frameworks (Rancher, MESOS/Aurora, Docker Swarm, LXD, OpenStack Containers, Kubernetes/Borg, etc.) are only recently catching up to the container craze; there are too many competing models to list. Many have questionable or unaudited security or leave major requirements out, such as secret management. While containers may be easy to get working within a workstation or a few servers, scaling them up to production deployment is another challenge altogether, even assuming your application stack can be properly "containerized".
tptacek about 9 years ago

Exposing /dev/random in containers does not put the system entropy pool at risk. That claim is repeated twice in the paper, and is false.
nicolast about 9 years ago

> and a number of other systems such as Mirage OS (a reimplementation of Solaris Zones).

I'd say that's not entirely correct. At all.
molecule about 9 years ago

At 100+ pages, it would be great to get this in mobi or epub format.
ishtu about 9 years ago

"Containers are great. It's a shame Linux doesn't have any."
tyingq about 9 years ago

"While Linux Container systems (LXC, Docker, CoreOS Rocket, etc) have undergone fast deployment and development, security knowledge has lagged behind. The number of people focused on container security...seems disproportionately small"

I agree with this part. Most containers aren't running as an unprivileged user. Those environments that do support it only support it in a very limited set of OS/kernel/whatever versions. Somewhat concerning, since containers are getting traction almost everywhere.
kazinator about 9 years ago

Harden this container!

http://regex.info/i/pic/2005-09-06_16:03.28__00002.jpg

Ideas: Cross-linked polymer? Switch to glass? Too heavy. Carbon fiber, epoxy resin composite?
stcredzero about 9 years ago

Has there been a writeup of the history of Container technology? How did these features find their way into the Linux kernel in the first place? What was the original motivation? (Sandboxing, I would guess.) Who were the stakeholders who pushed those features, and why?

It's weird and wonderful that such technology infrastructure arose and such innovation happens. I'm curious how.
_0w8t about 9 years ago

The article contains the best explanation of Linux capabilities that I have seen.

Too bad that Docker and other container solutions default to a rather broad set of capabilities, requiring the use of things like

    --cap-drop=ALL --cap-add=NET_BIND_SERVICE ...

with typical container invocations to minimize the chance of container escape.
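The capability set a container actually ends up with can be verified from inside it by reading the Cap* lines of /proc/1/status, which is a more reliable check than trusting the command line that launched it. The Python below is an added example, not code from the paper or from anyone in this thread: it decodes the hex masks using the capability numbering from the kernel's linux/capability.h and reports which capabilities remain in the bounding set (CapBnd, the ceiling that --cap-drop/--cap-add actually limit) beyond an allowlist. The two /proc status blocks are constructed samples, the first with a mask whose bits were chosen to match the set Docker grants by default, the second as it would look after --cap-drop=ALL --cap-add=NET_BIND_SERVICE; the function names are my own.

```python
"""Decode Linux capability bitmasks from /proc/<pid>/status and flag any
capability left in a container's bounding set beyond an expected allowlist.
Added example for illustration; not from the paper or the thread."""

import re

# Capability numbers as defined in the kernel's linux/capability.h.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_mask(hex_mask: str) -> list[str]:
    """Turn a hex capability mask (e.g. '00000000a80425fb') into a sorted
    list of capability names; bits newer than our table show as CAP_<n>."""
    value = int(hex_mask, 16)
    names = []
    bit = 0
    while value:
        if value & 1:
            names.append(CAP_NAMES.get(bit, f"CAP_{bit}"))
        value >>= 1
        bit += 1
    return sorted(names)


def parse_status(status_text: str) -> dict[str, str]:
    """Extract the Cap* mask lines from /proc/<pid>/status text."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_FIELDS:
            masks[m.group(1)] = m.group(2)
    return masks


def audit_bounding_set(status_text: str, allowed: set[str]) -> list[str]:
    """Return capabilities present in CapBnd that are not in `allowed`.
    CapBnd caps what the process and its children can ever gain, so it is
    the right field to check for a --cap-drop=ALL style policy."""
    masks = parse_status(status_text)
    if "CapBnd" not in masks:
        raise ValueError("no CapBnd line found in status text")
    return [c for c in decode_mask(masks["CapBnd"]) if c not in allowed]


# Constructed sample (hypothetical PID 1 inside a container): mask bits chosen
# to match the capability set Docker grants by default.
DEFAULT_STATUS = """\
Name:\tnginx
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: the same workload after
# --cap-drop=ALL --cap-add=NET_BIND_SERVICE (only bit 10 remains).
HARDENED_STATUS = """\
Name:\tnginx
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""

# Allowlist for a service that only needs to bind a privileged port.
ALLOWED = {"CAP_NET_BIND_SERVICE"}

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("hardened", HARDENED_STATUS)):
        extra = audit_bounding_set(text, ALLOWED)
        print(f"{label}: {len(extra)} unexpected capabilities {extra}")
```

On a real host, feed it the contents of /proc/1/status read from inside the container (or /proc/<pid>/status of the container's init from the host) and tighten ALLOWED to whatever the workload has been shown to need; anything the audit lists is a candidate for --cap-drop.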
xori about 9 years ago

And now I wait for a poor soul to summarize those 100 pages in a paragraph or two.