On the Way to Safe Containers by Stephane Graber, Canonical

On the Way to Safe Containers - Stephane Graber, Canonical LXC and now LXD are both container managers with a focus on providing a VM-like, system container experience to their users. Our users therefore expect to be able to do the same things they would in a VM and to have an environment that’s by and large as safe as a VM. Our containers security story is mostly based on the user namespace, on top of which we layer apparmor, seccomp, capabilities, filesystem quotas, qdisc limits and cgroups restrictions. The result is a container which cannot accidentally harm the host, is root safe and if properly configured, cannot trivially DoS the host. This talk will cover all of the above technologies and how they’re used to provide our containers, what their limitations are, how the system can still be abused and some of the proposed fixes for those limitations. About Stéphane Graber Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a freq