Explore the intricacies of container security in this 38-minute conference talk by Stephane Graber from Canonical. Delve into the security mechanisms employed by LXC and LXD to provide a VM-like experience for system containers. Learn about user namespaces, AppArmor, seccomp, capabilities, filesystem quotas, qdisc limits, and cgroups restrictions. Understand how these technologies work together to create containers that cannot harm the host, are root-safe, and resist DoS attacks when properly configured. Examine the limitations of current security measures, potential system vulnerabilities, and proposed solutions. Gain insights from Graber's expertise as the technical lead for LXD at Canonical and project leader for LXC and LXD. The talk covers an introduction to LXI, security aspects, resource and global limits, checkpoint restore functionality, and includes a demonstration of container restoration.
On the Way to Safe Containers - Security and Resource Management in LXC and LXD
Overview
Syllabus
Intro
What is LXI
Security
Resource Limits
Global Limits
Checkpoint Restore
Demo
Restore Containers
Recap
Taught by
Linux Foundation
Tags
Related Courses
-
Using Linux Primitives to Build Your Own Containers
-
State of the User Namespace - Privileged Containers and Security Implications
-
Making Containers Safer - Security Features and New Developments
-
Introduction to Docker Hacking
-
5 Years of Providing Root Shells - Security Challenges in Container Services
-
Securing Filesystem Images for Unprivileged Containers
