Explore the intricacies of unprivileged containers in this 54-minute conference talk by Christian Brauner from Canonical. Delve into the fundamentals of containers, their limitations, and the complexities surrounding syscalls. Gain insights into syscall conventions, seccomp, and kernel policies. Understand the process of intercepting system calls and the role of container managers. Examine common problems associated with syscalls, including race conditions, through practical demonstrations. Conclude with a discussion on critical security aspects, enhancing your knowledge of container technology and its practical applications.
Overview
Syllabus
Intro
Christian Brauner
Outline
What are containers
Limitations
syscalls
syscall conventions
seccomp
seccomp explained
syscall decision
kernel policy
intercept system calls
interception diagram
container manager
problems with syscall
race condition
demo
questions
security aspects
Taught by
Linux Foundation
Tags
Related Courses
-
Syscall Supervision in User Namespaces and Unprivileged Containers
-
Improving Container Security with System Call Interception
-
State of the User Namespace - Privileged Containers and Security Implications
-
Making Containers Safer - Security Features and New Developments
-
What Have Syscalls Done for You Lately? - Exploring Container Security
-
Bringing Containers to Enterprise: Security Challenges and Solutions
