Don’t miss the Linux Security Summit, be sure to register now! 
Back To Schedule
Thursday, August 25 • 14:45 - 15:30
Securing Filesystem Images for Unprivileged Containers - James Bottomley, IBM

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

User Namespaces are an essential tool of container security because they allow apparently privileged (root) execution within a container, while the executing entity is really unprivileged as the host (linux kernel) sees it. Unfortunately, the current cost of using user namespaces is that filesystem writes have to be at the identity seen by the kernel (the unprivileged uid/gid) rather than by the identity the container thinks it has. This is all fine and dandy until we want to share images and archives (even simple tar archives) amongst containers. Having the filesystem identity be the same as the container identity is essential for this sharing and is currently broken. There are at least three mechanisms currently proposed for fixing this: shiftfs (by the author), userns portable roots and filesystem mappings. We'll discuss the pros and cons of each of these approaches.

avatar for James Bottomley

James Bottomley

Distinguished Engineer, IBM
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to... Read More →

Thursday August 25, 2016 14:45 - 15:30 EDT
Harbour C