Kubernetes is a widely used open-source container orchestration system that reduces the operational workload of managing containers in distributed systems. Its built-in authorization module, role-based access control (RBAC), is enabled by default and provides mechanisms that prevent unauthorized access to cluster resources. However, certain permissions allow their subject to escalate privileges, in some cases far enough to compromise the whole cluster.
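As an added example (not code from the original post), the following Python script audits the rules of a Role or ClusterRole for the permissions that are commonly abused to escalate privileges. The list of flagged apiGroup/resource/verb combinations is this script's own assumption about what a pentester checks first, and the two role objects at the bottom are constructed samples.

```python
"""Flag RBAC PolicyRules that let a subject escalate privileges.

Added example, not code from the original post. ESCALATION_PATTERNS is an
assumption of this script (the escalation paths a pentester checks first);
the role objects at the bottom are constructed samples in the shape that
`kubectl get role <name> -o json` returns.
"""
import json

# (apiGroup, resource, verb, why it matters); "" is the core API group.
ESCALATION_PATTERNS = [
    ("*", "*", "*", "wildcard on every group/resource/verb: cluster-admin equivalent"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate", "may grant permissions the subject does not hold"),
    ("rbac.authorization.k8s.io", "roles", "escalate", "may grant permissions the subject does not hold"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "bind", "can bind any ClusterRole, including cluster-admin"),
    ("rbac.authorization.k8s.io", "rolebindings", "bind", "can bind any Role/ClusterRole in the namespace"),
    ("", "users", "impersonate", "can act as any user"),
    ("", "groups", "impersonate", "can act as any group, e.g. system:masters"),
    ("", "serviceaccounts", "impersonate", "can act as any service account"),
    ("", "pods", "create", "can run a pod with a hostPath mount, privileged flag or another service account"),
    ("", "pods/exec", "create", "can execute commands in any pod in scope"),
    ("", "secrets", "get", "can read service-account tokens and credentials"),
    ("", "secrets", "list", "listing returns secret contents as well"),
    ("", "serviceaccounts/token", "create", "can mint tokens for other service accounts"),
]


def _allows(granted, wanted):
    """An RBAC list grants `wanted` if it names it or contains the wildcard."""
    return "*" in granted or wanted in granted


def audit_rules(rules):
    """Return [(apiGroup, resource, verb, reason)] for every pattern some rule grants."""
    findings = []
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for group, resource, verb, why in ESCALATION_PATTERNS:
            if _allows(groups, group) and _allows(resources, resource) and _allows(verbs, verb):
                findings.append((group, resource, verb, why))
    return findings


def audit_role(role):
    """Audit one Role/ClusterRole object (parsed JSON or YAML) and return its findings."""
    return audit_rules(role.get("rules", []))


# Constructed sample: a "developer" role that looks harmless but grants two escalation paths.
WEAK_ROLE = json.loads("""
{
  "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
  "metadata": {"name": "developer", "namespace": "team-a"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "create"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]}
  ]
}
""")

# The same role with the escalating verbs removed: read-only on pods, no access to secrets.
HARDENED_ROLE = {
    "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "developer", "namespace": "team-a"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    for name, role in (("weak", WEAK_ROLE), ("hardened", HARDENED_ROLE)):
        hits = audit_role(role)
        print(f"{name}: {len(hits)} finding(s)")
        for group, resource, verb, why in hits:
            print(f"  {verb} {resource} ({group or 'core'}): {why}")
```

To run this against a live cluster, feed it the output of `kubectl get clusterroles,roles -A -o json` and call `audit_role` on each entry of the returned `items` list; a rule that grants `*` on `*` matches every pattern at once, which is the expected result for cluster-admin.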
Disclaimer: The elaboration associated to this subject results from a Master’s thesis created at SCHUTZWERK in collaboration with Aalen University by Philipp Schmied.
The previous post of the Linux Container Primitives series explains the internals of the cgroup kernel primitive. The following list shows the topics of all scheduled blog posts. It will be updated with the corresponding links once new posts are released.
- An Introduction to Linux Containers
- Linux Capabilities
- An Introduction to Namespaces
- The Mount Namespace and a Description of a Related Information Leak in Docker
- The PID and Network Namespaces
- The User Namespace
- Namespaces Kernel View and Usage in Containerization
- An Introduction to Control Groups
- The Network and Block I/O Controllers
- The Memory, CPU, Freezer and Device Controllers
- Control Groups Kernel View and Usage in Containerization

cgroup Kernel View

In the kernel source code, control groups are represented by the cgroup structure defined in linux/cgroup-defs.
Part eight of the Linux container series illustrates the purpose of two cgroup resource controllers: network and block I/O. The network controllers tag the sockets opened by the processes of a cgroup so that traffic control and packet filtering can classify their traffic, while the block I/O controller enforces policies on the I/O bandwidth and operations a group may consume.
Control groups are another major building block of today's Linux containers. The goal of cgroups is to enable fine-grained control over the resources consumed by groups of processes, in addition to monitoring their resource usage. This post of our container series covers the basics of this kernel primitive.
Both LXC and Docker apply a default namespace configuration when no further configuration is supplied. This post describes the internals of namespaces in the Linux kernel and considers practical use cases of namespaces for containerization.
After discussing the PID and network namespaces in Docker, this part of our container series covers one of the most important namespace types in detail: the user namespace. This namespace type introduces the mapping of user and group IDs and the per-namespace isolation of capabilities. For instance, a process can run with a non-zero UID outside of a user namespace while having a UID of zero, and a full set of capabilities, inside the namespace.
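The UID mapping described above is visible in /proc/<pid>/uid_map, where each line reads "first ID inside the namespace, first ID outside it, count" (user_namespaces(7)). As an added example that is not part of the original post, the following Python code parses such a map and translates IDs in both directions; the sample map is constructed to resemble what a rootless container gets (root inside is UID 1000 outside, the remaining IDs come from a subordinate range), and the overflow UID value is the kernel default.

```python
"""Translate user IDs across a user-namespace boundary using its uid_map.

Added example, not code from the original post. The file format follows
user_namespaces(7): each line of /proc/<pid>/uid_map is
"<first ID inside the namespace> <first ID outside it> <count>".
SAMPLE_UID_MAP is a constructed map of the kind a rootless container gets.
"""

SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

# The initial (host) user namespace maps the whole ID range onto itself.
INITIAL_UID_MAP = "0 0 4294967295\n"

# Kernel default for /proc/sys/kernel/overflowuid: what unmapped owners look like inside.
OVERFLOW_UID = 65534


def parse_id_map(text):
    """Parse uid_map/gid_map text into a list of (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def inside_to_outside(id_map, uid):
    """Host-side ID for an ID seen inside the namespace, or None if the ID is not mapped."""
    for inside, outside, count in id_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def outside_to_inside(id_map, uid):
    """In-namespace ID for a host-side ID, or None if the namespace cannot represent it."""
    for inside, outside, count in id_map:
        if outside <= uid < outside + count:
            return inside + (uid - outside)
    return None


def view_from_inside(id_map, host_uid):
    """UID that a process in the namespace sees on a file owned by host_uid."""
    inside = outside_to_inside(id_map, host_uid)
    return OVERFLOW_UID if inside is None else inside


if __name__ == "__main__":
    # Use the live map of this process on Linux; fall back to the constructed sample elsewhere.
    try:
        with open("/proc/self/uid_map") as fh:
            id_map = parse_id_map(fh.read())
    except OSError:
        id_map = parse_id_map(SAMPLE_UID_MAP)
    for uid in (0, 1, 65536, 65537):
        print(f"inside uid {uid} -> host uid {inside_to_outside(id_map, uid)}")
    for host_uid in (0, 1000, 100001):
        print(f"host uid {host_uid} -> seen inside as {view_from_inside(id_map, host_uid)}")
```

The two lookups are not symmetric: a host UID that lies outside every mapped range (host root in the sample) has no in-namespace representation, which is why files owned by it show up as the overflow UID inside the namespace.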
After discussing the mount namespace and an information leak issue in Docker, this part of our container series illustrates the PID and network namespace types. Creating a PID namespace isolates the process ID number space, so the first process in the new namespace sees itself as PID 1. Network namespaces give processes their own private network stack, including interfaces, routing tables and sockets.
The goal of mount namespaces is to restrict a process's view of the global file hierarchy by giving each namespace its own set of mount points. A newly created mount namespace starts with a copy of the parent's mount tree. Mount points are added and removed with the mount and umount commands; the mount(2) and umount(2) system calls behind them are namespace-aware, so a mount performed in one namespace is not visible in another unless mount propagation (shared subtrees) has been configured to forward it.
First introduced in Linux kernel version 2.4.19 in 2002, namespaces define groups of processes that share a common view of specific system resources. This isolates the view a group of processes has of a resource: a process can, for instance, see its own hostname while the real hostname of the system has an entirely different value.
This post of the Linux Container series covers one of the required fundamentals: Linux capabilities.
The traditional way of handling permissions in Linux distinguishes exactly two kinds of process: privileged processes, whose effective UID is 0 and which bypass all kernel permission checks, and unprivileged processes, which are subject to full permission checking based on their credentials.
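Capabilities split the privileged/unprivileged distinction into individual bits, and the kernel reports a process's sets as hexadecimal masks in the Cap* lines of /proc/<pid>/status. As an added example (not code from the original post), the following Python code decodes such masks into capability names using the numbering of include/uapi/linux/capability.h; the status excerpt is constructed, its CapEff value is the 14-capability set a default Docker container runs with, and the list of escape-relevant capabilities is this script's own assumption.

```python
"""Decode the capability bitmasks that /proc/<pid>/status reports.

Added example, not code from the original post. CAP_NAMES follows the
numbering in include/uapi/linux/capability.h (bit n = capability n).
SAMPLE_STATUS is a constructed excerpt; its CapEff value 00000000a80425fb
is the 14-capability set of a default (non-privileged) Docker container.
ESCAPE_RELEVANT is an assumption of this script, not a kernel-defined list.
"""

CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Capabilities whose presence in a container is a red flag in an escape analysis.
ESCAPE_RELEVANT = {"cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
                   "cap_dac_read_search", "cap_sys_rawio", "cap_net_admin"}


def decode_cap_mask(hex_mask):
    """Turn a mask like '00000000a80425fb' into the list of capability names it sets."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    # Bits this table does not know (a newer kernel) are reported by number.
    names += [f"cap_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length()) if mask >> bit & 1]
    return names


def parse_status_caps(status_text):
    """Extract the Cap* lines of /proc/<pid>/status as {field: [capability names]}."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            field, value = line.split(":", 1)
            caps[field.strip()] = decode_cap_mask(value.strip())
    return caps


def escape_relevant_caps(status_text):
    """Sorted names from the effective set that matter for container-escape analysis."""
    effective = parse_status_caps(status_text).get("CapEff", [])
    return sorted(ESCAPE_RELEVANT.intersection(effective))


# Constructed excerpt of /proc/self/status as seen inside a default Docker container.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for field, names in parse_status_caps(SAMPLE_STATUS).items():
        print(f"{field}: {', '.join(names) or '(none)'}")
    print("escape-relevant:", escape_relevant_caps(SAMPLE_STATUS) or "none")
```

Running it on a real process (`parse_status_caps(open('/proc/self/status').read())`) shows the difference between a root shell on the host, whose CapEff has every bit up to the kernel's last capability set, and a root shell in a default container, which is "privileged" by UID but holds only the 14 decoded bits.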
This is the introduction post for the Linux containers blog post series.
With the steadily growing spread of containerization now and in the future, it becomes increasingly necessary to understand the internals of containers and the potential security threats that result from kernel vulnerabilities, container misconfigurations and incorrect use.