Explore container security through restricted address spaces in this 30-minute conference talk by IBM experts Mike Rapoport and James Bottomley. Delve into topics such as container images, hardware resolution, vulnerability, and parent namespaces. Examine network namespaces, unmapped management, and related use cases. Gain insights into kernel page tables, direct mapping, and benchmarks. Investigate cache considerations, GFP and Lab exclusives, metadata, and the networking stack. Conclude with testing methodologies and key takeaways for enhancing container security through address space restrictions.
Restricted Address Spaces for Container Security
Overview
Syllabus
Introduction
Container images
Container hardware resolution
Container vulnerability
Parent namespace
Network namespace
Unmapped
Management
Related Use Cases
Kernel Page Tables
Direct Map
Benchmarks
Cache
GFP Exclusive
Lab Exclusive
Metadata
Networking Stack
Conclusion
Testing
Taught by
Linux Foundation
