-
Welcome
-
Subscribe to
Privileged actions in unprivileged containers
*One Line Summary
How to selectively allow privileged actions from otherwise unprivileged containers?
Abstract
Unprivileged containers, that is, containers which use a user namespace to map their UIDs and GIDs to an unprivileged range, have very limited kernel privileges.
Those privileges are no higher than what a normal unprivileged user would have on the system and are restricted to the container’s namespaces.
Anything which isn’t owned by the container and isn’t part of a namespace will typically be rejected by the kernel.
Some common examples include:
– Creating device nodes
– Mounting filesystems
– Setting up loop devices
– Raising a process nice level
– Raising the OOM score of a process
In this presentation, we’ll go over the most common sources of frustration and look at a few approaches that could be used for the container runtime to decide whether those privileged actions should be allowed or not.
Presentation Materials
slidesSpeaker
-
Stéphane Graber
Canonical Ltd.- Website: http://www.stgraber.org/
- Twitter: stgraber
Biography
Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at the various containers and other Linux related events.
Stéphane is also a long time contributor to the Ubuntu Linux distribution as an Ubuntu Core Developer and he currently sits on the Ubuntu Technical Board.
On his spare time, Stéphane helps organize a yearly security conference and contest in Montréal, Northsec, where his knowledge of Linux and network infrastructure is used to simulate the most complex of environments for the contestants.