Who Wants to Allow Arbitrary Code Execution on Their Boxes? We Do It Every Day.
Presented at ShmooCon 2017

by Brian Redbeard, Brad Ison

Summary: As users of Linux containerization have become well aware, it provides a rapid deployment mechanism for consistent environments and immutable infrastructure. As attackers have become well aware, most users do not audit the containers they run, and with a shared kernel and root privileges many things are possible.
At CoreOS we eschewed the dominant paradigm, Docker, due to what we felt were inconsistencies in its security story. This led to the development of rkt (née ‘rocket’) which builds upon the ideas of LXC, Docker, and containerization systems from the past while adding support for run time choice between containerization and virtualization.
Using rkt, users can make a decision at run time whether a “container” should truly be run as a Linux-based container through the traditional mechanisms of namespaces, cgroups, and SELinux, or whether these should be layered with an additional kernel, allowing for increased run time isolation.
Best of all, rkt is available as free/libre open source software and has been battle-tested in our production environment for over two years. In this talk we will outline how we use these technologies in production to secure our environment.
CoreOS is a distributed systems company focusing on automatically updating infrastructure, achieved through the use of Kubernetes and Linux containerization. Redbeard has been an [ab]user of Linux since the 90s and has specialized in the administration of large-scale distributed systems. He now runs the global infrastructure and SRE teams at CoreOS. Brad is a site reliability engineer at CoreOS ensuring sensible deployments of Kubernetes and a specialist on the container registry “Quay.io”.