Thursday, August 25 • 14:45 - 15:30
Securing Filesystem Images for Unprivileged Containers - James Bottomley, IBM


User namespaces are an essential tool of container security because they allow apparently privileged (root) execution within a container, while the executing entity is really unprivileged as the host (Linux kernel) sees it. Unfortunately, the current cost of using user namespaces is that filesystem writes have to be made with the identity seen by the kernel (the unprivileged uid/gid) rather than with the identity the container thinks it has. This is all fine and dandy until we want to share images and archives (even simple tar archives) amongst containers. Having the filesystem identity be the same as the container identity is essential for this sharing and is currently broken. There are at least three mechanisms currently proposed for fixing this: shiftfs (by the author), userns portable roots and filesystem mappings. We'll discuss the pros and cons of each of these approaches.

Speakers

James Bottomley

Distinguished Engineer, IBM
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also the Linux kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to university at Cambridge for both his undergraduate and doctoral degrees, after which he joined AT&T Bell Labs to work on Distributed Lock Manager technology for...


Thursday August 25, 2016 14:45 - 15:30
Harbour C
