
Namespaces: A key to container security


farzanaSadia:
SD Times: What are namespaces, and why are they necessary for containers?
Rice: Namespaces are one of the key building blocks that are used to create containers. When you start a process on Linux, you can ask the kernel to give the process its own namespaces, and that means it has a restricted view of what’s going on. So for example when you look at the list of running processes within a container, you only see the ones inside that container and none of the processes running elsewhere on the machine. It’s namespacing that gives the container this constrained view. I’ll be demonstrating exactly how it works in my talk at DockerCon.

SD Times: What are the benefits to using namespaces?
Rice: Namespaces are an incredibly lightweight way to isolate containers from each other. From inside the container, it looks a lot like being inside a virtual machine, but there’s none of the overhead of a hypervisor. Starting a virtual machine can take minutes, whereas starting a container is almost instantaneous.

SD Times: Are there any challenges developers should be aware of when using namespaces?
Rice: The main challenge is that you don’t have the full isolation that you get with true virtualization, and that does have some security implications. For example, although the container can only see its own running processes, the host machine has a view of everything that is running inside all containers, and – as I’ll show in my talk – all their environment variables. If you’re using environment variables to pass secrets (like, say, database passwords) into your containers, they’ll be accessible from the host machine. That may not be an issue for all users, but it is a serious concern for some. Fortunately there are solutions, including Aqua Security, to prevent secrets being leaked to the host through the environment like this.

SD Times: What are some types of namespaces, and how are they used?
Rice: There are currently namespaces for the hostname, process IDs, user and group IDs, mounts, networking and inter-process communications. Some of these are absolutely essential to containerization, whereas others are only needed in certain circumstances. For example, Docker has supported user and group ID mapping since 1.10 leveraging the user / group namespace, but I think it would be fair to say that it’s only used by a minority as it’s not needed in a lot of use cases.

Most people can simply use containers without worrying about the nuts and bolts of how they are put together, but if you’re interested in what’s going on under the covers there are some interesting challenges around the way namespaces interact with each other and with the host.

SD Times: What do you hope developers will take away from your talk?
Rice: As well as namespaces, I’ll be talking about cgroups. If a namespace limits what a container can see, a cgroup limits the resources it can use, like memory or CPU. I’ll be demonstrating all of this by writing my own container in Go, and then I’m going to subject it to a security exploit to test whether I have really isolated my container from the rest of the machine. If you like live coding and demos, and you want to really understand what’s going on when you run code in a container, you should definitely come along.
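As an added illustration of two points made in the interview (a namespaced process gets its own PID and hostname view, while the host can still read every container's environment variables), here is a small Go program that is not part of the SD Times interview or of the DockerCon talk. It re-executes itself as a child in new user, UTS and PID namespaces, then reads /proc/<pid>/environ for that child from the parent, which plays the role of the host. The DB_PASSWORD value is a constructed secret, the hostname "demo-container" and the PASSWORD/SECRET/TOKEN naming heuristic are assumptions of the example, and it is Linux-only (it relies on unprivileged user namespaces being enabled so it can run without root).

```go
// Added example (not from the article or Liz Rice's talk): spawn a child in
// new user, UTS and PID namespaces from Go, then read its environment from
// the parent ("host") side via /proc, as the interview describes.
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
	"syscall"
	"time"
)

// ParseProcEnviron decodes the NUL-separated KEY=VALUE records that the
// kernel exposes in /proc/<pid>/environ.
func ParseProcEnviron(raw []byte) map[string]string {
	env := make(map[string]string)
	for _, rec := range bytes.Split(raw, []byte{0}) {
		if len(rec) == 0 {
			continue
		}
		k, v, _ := strings.Cut(string(rec), "=")
		env[k] = v
	}
	return env
}

// SecretLookingKeys returns, sorted, the variable names that by a naming
// convention assumed here (PASSWORD/SECRET/TOKEN) probably carry credentials.
func SecretLookingKeys(env map[string]string) []string {
	var keys []string
	for k := range env {
		u := strings.ToUpper(k)
		if strings.Contains(u, "PASSWORD") || strings.Contains(u, "SECRET") || strings.Contains(u, "TOKEN") {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// HostViewOfEnv reads another process's environment from outside its
// namespaces. Linux only: /proc/<pid>/environ is readable by the same uid
// (or by root / a process with ptrace access), which is exactly the point.
func HostViewOfEnv(pid int) (map[string]string, error) {
	raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/environ", pid))
	if err != nil {
		return nil, err
	}
	return ParseProcEnviron(raw), nil
}

// child runs inside the new namespaces. Sethostname only touches the new UTS
// namespace, and os.Getpid reports 1 because of the new PID namespace.
func child() {
	if err := syscall.Sethostname([]byte("demo-container")); err != nil {
		fmt.Println("child: sethostname:", err)
	}
	host, _ := os.Hostname()
	fmt.Printf("child: pid=%d hostname=%s DB_PASSWORD=%s\n", os.Getpid(), host, os.Getenv("DB_PASSWORD"))
	time.Sleep(300 * time.Millisecond) // stay alive so the parent can read /proc/<pid>/environ
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		child()
		return
	}
	// Re-exec ourselves as the "container" process. The user namespace maps
	// our uid to 0 inside, so this works without root on most distributions.
	cmd := exec.Command("/proc/self/exe", "child")
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	cmd.Env = append(os.Environ(), "DB_PASSWORD=hunter2") // constructed secret, passed the risky way
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  syscall.CLONE_NEWUSER | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	if err := cmd.Start(); err != nil {
		fmt.Println("start:", err) // e.g. EPERM where unprivileged user namespaces are disabled
		return
	}
	env, err := HostViewOfEnv(cmd.Process.Pid)
	if err != nil {
		fmt.Println("host: read environ:", err)
	}
	for _, k := range SecretLookingKeys(env) {
		fmt.Printf("host: child is pid %d here, and %s=%s is visible\n", cmd.Process.Pid, k, env[k])
	}
	hostname, _ := os.Hostname()
	fmt.Println("host: hostname still", hostname)
	_ = cmd.Wait()
}
```

Run it with `go run .` on Linux: the child reports pid=1 and the hostname demo-container, while the parent reports the child under its real host PID, still sees its own hostname, and prints the same DB_PASSWORD pulled straight out of /proc. Where unprivileged user namespaces are disabled, Start fails with EPERM; dropping CLONE_NEWUSER and the mappings and running as root gives the same demonstration.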
