Sarathy w 0340 Secure Linux Containers Roadmap

8/10/2019 Sarathy w 0340 Secure Linux Containers Roadmap

1/33

Linux Containers Overview &

RoadmapBhavna SarathySenior Product Manager, Red Hat

Dan WalshSenior Principal Software Engineer, Red Hat

June ! !"#


2/33

Key elements of Linux Containers

Process Isolation

SecurityResourceManagement

Management


3/33

Linux Container Architecture


4/33

Red Hat Enterprise LinuxContainer Architecture

Linux Kernel

Hardware


5/33


Linux Kernel

Hardware (Intel, AM!

"ames#aces


6/33

NamespacesProcess Isolation

Mount$ mounting%unmounting &ilesystems

UTS$ hostname, domainname!C$ Sys' message ueues, sema#hore%shared memory segmentsNet"or#$ IP)*%IP)+ stacs, routing, &irewall!$% Pri)ate %#roc, multi#le #id -.s

User%(/I! 0ust showing u# in the Kernel now12 "ot #lanning on su##orting in RH3L41


7/33

Namespace Use

#am5names#ace 6 RH3L7%+

S3Linux sand8ox 6 RH3L+

System 6 9edora -4 /nit9ile$ Pri)ate:m#, Pri)ate"etwor

;#enshi&t 6 RH3L+

Pam5names#ace $ Pri)ate %tm#

Process Isolation


8/33


Linux Kernel


"ames#aces Cgrou#s


9/33

"ames#aces

Resource Mana&ement "ith C&roups

Memory "etwor


10/33

C&roup Use

Li8)irt%emu 2 RH3L+

;#enShi&t 6 RH3L+

System 6 9edora -= /nit9ile$ Control>rou#?

Red Hat Storage Ser)er

>luster 6 RH3L+

Resource

Management


11/33


Linux Kernel


"ames#aces Cgrou#s S3Linux


12/33

SELinux Use

:argeted 6 RH3L*

MLS 2 RH3L7

:argeted%MCS 6 RH3L+ s'irt

;#enShi&t

sand8ox 6@

Security


13/33


Linux Kernel



Li8)irt

"etwor

e)ices


14/33


Linux Kernel



Li8)irt

"etwor

e)ices


15/33


Linux Kernel



Li8)irt

ContainersContainers

"etwor

e)ices


16/33

Li'(irt Use

Li8)irt 6 RH3L7, RH3L+

Launch 'irtual Machines

Li8)irt6lxc 2 RH3L+1* Launch Containers

Management


17/33

Linux ContainerUse Cases

Process Isolation

Security ResourceManagement

Management


18/33

Containers use cases

Shared RH3L Host So&tware>eneric A##lication Container

Systemd A##lication Container


19/33

Containers use cases

Shared RH3L Host So&tware>eneric A##lication Container

Systemd A##lication Container

/nshared ;S So&twareChroot A##lication Container


20/33

)eneric Application Container

)irt6sand8ox6ser)ice

Li8)irt

li8)irt6lxc

Anycommand

!lanned forRHEL *+,


21/33

Systemd Application Container

systemd


Li8)irt

li8)irt6lxc

systemd /nit &ile

!lanned forRHEL *+,


22/33

Chroot Application Container


Li8)irt

li8)irt6lxc

Any CommandIn Chroot

Support T-$

in RHEL *+.


23/33

-ooted /S Container


Li8)irt

li8)irt6lxc

%s8in%init


24/33

-ooted /S Containers


Li8)irt

li8)irt6lxc

%s8in%init

Not supported000Use

K1M


25/33

Containers (s K1M 1irtuali2ation

hen should I use containers and when should I use K'MB


26/33

Containers (s K1M 1irtuali2ation

Startu# and shutdown s#eed

3ase o& Maintainance3asy to createSystem6wide changes )isi8le in each container

9or RH3L Shared ;S ContainersScala8ility$ "um8er o& containers

Process Memory Sharing


27/33


28/33

Linux Containers % Scala'ility

How many containers can you runB:heoritical

Scales to + containers and -D 8ind mounts o& root&ilesystem directories

Practical

Running real worloads, containers doing wor in#arallel


29/33

Linux Containers $emo


30/33

3uture

Seccom# 2 Linux syscall restriction


31/33

EuestionsB

R l d S i S i


32/33

Related Summit Sessions

Managing S3Linux in the 3nter#rise

2 ed *$7 #m, Rm F-DSecure e)elo#ment Practices

2 :hu -$D #m, Rm F+

/nder the Hood o& ;#enShi&t, :ur8ocharged 8y RH3L

2 :hu F$* #m, Rm F*

K'M Hy#er)isor Roadma# G :echnology /#date

2 :hu -$*am, Rm F*

Hy#er)isor :echnology Com#arison G Migration2 9ri $*7am, Rm F-F


33/33

Contact nfo

$an 4alsh

3mail$ dwalshredhat1com

Sarathy w 0340 Secure Linux Containers Roadmap

Documents

Transcript of Sarathy w 0340 Secure Linux Containers Roadmap