Network Reliability Engineering Community

Options for securing Linux containers

Today during the weekly standup meeting, we mentioned some future efforts for securing containers where users get a shell and are supposedly able to behave in dangerous ways.

I had a look, a while back, at Kata Containers as well as KubeVirt, which may offer some benefits. Firecracker was also mentioned.

Is there a way to formalize those efforts, like a documented mini-project?

MP3 is the right place for this. I just created a forum category to discuss these things, and took the liberty of moving this topic to that location. See the pinned topic there for links to all current proposals.

I discussed Kata Containers with Eric Adams from Intel at OSSummit in Lyon. It seems Kata Containers could be a really good option to secure the “classical” Linux containers by wrapping them in a VM (QEMU, for instance, but other options are available).

He described the process of tuning what kind of images may be customized, if the default ones running Clear Linux aren’t the best choice. An example of how to build a specific kernel or rootfs is documented in their use-case docs, e.g. https://github.com/kata-containers/documentation/blob/master/use-cases/using-Intel-QAT-and-kata.md

I think this could be tested for Antidote, where every Pod could typically be wrapped by such a VM.

AFAIU, it seems QEMU can be replaced by Firecracker as the underlying virtualizer, but I’m not so sure what kind of benefits/drawbacks we could have for Antidote.

Hope this helps,
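Worked example of what "wrapping a Pod in a Kata VM" looks like on the Kubernetes side. This is an added example, not code from the thread, from Antidote or from the Kata Containers project. It assumes a cluster whose nodes run containerd with the Kata shim installed and exposed under the handler name `kata` (the name Kata's own docs use; a Firecracker-backed handler is commonly named `kata-fc`); the namespace, pod names and the overhead figures are placeholders.

```yaml
# Added example (not from the thread or the Kata project). Assumes nodes run
# containerd with the Kata Containers shim installed and that containerd's CRI
# config registers it under the runtime name "kata", roughly:
#   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
#     runtime_type = "io.containerd.kata.v2"
# Swap "kata" for "kata-fc" (assumed name) to get the Firecracker-backed shim.
# Namespace, pod names and overhead values below are placeholders.

# 1. Tell the scheduler that a VM-backed runtime exists. "handler" must match
#    the runtime name configured in containerd.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
# Account for the guest kernel + agent so node capacity stays honest
# (illustrative numbers; measure on your own images).
overhead:
  podFixed:
    memory: "160Mi"
    cpu: "250m"
# Only land these pods on nodes that actually have Kata (and /dev/kvm).
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
---
# 2. Before: a plain runc pod. The learner's shell shares the node's kernel;
#    the only things between the shell and the host are namespaces, cgroups,
#    seccomp and the capability set.
apiVersion: v1
kind: Pod
metadata:
  name: lesson-shell-runc
  namespace: antidote
spec:
  containers:
    - name: shell
      image: alpine:3.18
      command: ["sleep", "infinity"]
---
# 3. After: the same pod, now scheduled into a Kata VM. All containers of the
#    pod share one guest kernel; a kernel exploit from the shell lands in the
#    guest, not on the node. Nothing else about the pod spec changes.
apiVersion: v1
kind: Pod
metadata:
  name: lesson-shell-kata
  namespace: antidote
spec:
  runtimeClassName: kata
  containers:
    - name: shell
      image: alpine:3.18
      command: ["sleep", "infinity"]
```

A quick check that the isolation is real: `kubectl exec lesson-shell-kata -- uname -r` should report the Kata guest kernel, which differs from `uname -r` on the node, while `lesson-shell-runc` reports the node's kernel. Two caveats for Antidote-style lessons: the nodes need KVM available (nested virtualization if the nodes are themselves VMs), and `hostNetwork`, `hostPath` mounts or `privileged: true` on such a pod either will not work with the VM runtime or give back the host access the VM boundary was meant to remove.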