Thursday, August 25 • 16:30 - 17:15
On the Way to Safe Containers - Stephane Graber, Canonical

LXC and now LXD are both container managers with a focus on providing a VM-like, system container experience to their users. Our users therefore expect to be able to do the same things they would in a VM and to have an environment that's by and large as safe as a VM.

Our container security story is mostly based on the user namespace, on top of which we layer AppArmor, seccomp, capabilities, filesystem quotas, qdisc limits and cgroup restrictions. The result is a container which cannot accidentally harm the host, is root safe and, if properly configured, cannot trivially DoS the host.

This talk will cover all of the above technologies and how they're used to provide our containers, what their limitations are, how the system can still be abused and some of the proposed fixes for those limitations.

Stéphane Graber

Software Engineer, Canonical Ltd.
Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at the various containers and other Linux-related events. Stéphane is also a long-time contributor to the Ubuntu Linux distribution...

Thursday August 25, 2016 16:30 - 17:15 EDT
Harbour C