It seems like there’s a new way to run containers every week. The advantages and drawbacks of each approach are argued about on mailing lists, in IRC channels, and in person, around the world. However, the most confusion seems to be around security.
Launching secure containers
I’ve written about launching secure containers on this blog many times before:
- Launch secure LXC containers on Fedora 20 using SELinux and sVirt
- Improving LXC template security
- Try out LXC with an Ansible playbook
- CoreOS vs. Project Atomic: A Review
However, my goal this time around was to do something more comprehensive and slightly more formal. After I earned my GSEC and GCUX certifications from SANS/GIAC, I had the option to upgrade a certification to gold status by writing a peer-reviewed research paper on a topic related to the exam. It was a great experience to go through the review process and get feedback on the technical material as well as the structure of the paper itself.
Without further ado, here are links to the Securing Linux Containers paper:
- PDF version without watermarks
- PDF version from SANS (has some watermarks and SANS/GIAC extra pages)
The paper is written for readers who have some level of familiarity with Linux and some virtualization technologies. It’s a useful paper even for people who haven’t worked with containers.
It starts with an overview of Linux containers and how they differ from other types of virtualization, such as KVM or Xen. From there, it covers how to secure the host system underneath the containers and how to provide security within the containers themselves. There’s also a section on how to start a simple container on CentOS 7 and inspect the security controls inside and outside the container.
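One of the security controls worth inspecting from both sides of the container boundary is the Linux capability set, which `/proc/<pid>/status` reports as hex bitmasks (`CapEff`, `CapBnd`, and so on). The script below is an added example, not code from the paper or from this blog: it decodes those masks into capability names and lists what a container process has dropped relative to the host. The two `status` extracts are constructed sample input, and the container mask `00000000a80425fb` (14 capabilities) is assumed to represent a typical runtime default; replace them with the real files via `live_caps <pid>` on a CentOS 7 host (the container's init PID as seen in `ps`) or from inside the container (`live_caps 1`).

```shell
#!/bin/sh
# Added example (not from the paper or this blog): decode the capability masks
# that /proc/<pid>/status reports, so the capability set a root shell inside a
# container runs with can be compared against a root shell on the host.
# Capability numbers follow include/uapi/linux/capability.h; CentOS 7's 3.10
# kernel defines 0..36 and newer kernels add 37..40, so any higher bits are
# reported by number rather than by name.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# status_field FIELD TEXT -> value of the "Field:<whitespace>value" line in TEXT
status_field() {
    printf '%s\n' "$2" | while read -r key val _; do
        if [ "$key" = "$1:" ]; then printf '%s\n' "$val"; break; fi
    done
}

# decode_mask NUMBER -> "cap_x cap_y ..." for every set bit (0..63)
decode_mask() {
    mask=$1 out="" i=0
    while [ "$i" -lt 64 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            set -- $CAP_NAMES
            if [ "$i" -lt $# ]; then shift "$i"; name=$1; else name="unknown_$i"; fi
            out="$out cap_$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# decode_caps HEXMASK -> capability names, HEXMASK exactly as /proc prints it
decode_caps() { decode_mask "$(( 0x$1 ))"; }

# count_caps HEXMASK -> number of capabilities in the mask
count_caps() { set -- $(decode_caps "$1"); echo "$#"; }

# dropped_caps HOSTHEX CONTAINERHEX -> caps the host process has that the
# container process lacks (bitwise host AND NOT container)
dropped_caps() { decode_mask "$(( 0x$1 & ~0x$2 ))"; }

# live_caps PID -> CapEff of a running process; empty when /proc is unavailable
live_caps() {
    if [ -r "/proc/$1/status" ]; then
        status_field CapEff "$(cat "/proc/$1/status")"
    fi
}

# Constructed sample input: a root shell on a CentOS 7 host (all 37 caps of a
# 3.10 kernel) and a root shell inside a container that kept 14 of them.
HOST_STATUS="Name:   bash
Pid:    4242
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff
CapBnd: 0000001fffffffff"
CONTAINER_STATUS="Name:   bash
Pid:    4711
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb"

host_eff=$(status_field CapEff "$HOST_STATUS")
ctr_eff=$(status_field CapEff "$CONTAINER_STATUS")
echo "host      CapEff=$host_eff ($(count_caps "$host_eff") caps)"
echo "container CapEff=$ctr_eff ($(count_caps "$ctr_eff") caps)"
echo "dropped inside the container:"
dropped_caps "$host_eff" "$ctr_eff" | tr ' ' '\n'
```

The point of checking `CapBnd` as well as `CapEff` is that the bounding set caps what any process in the container can ever regain through a setuid binary or file capabilities; an effective set that looks small is not much comfort if the bounding set still contains `cap_sys_admin`.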
I’m also very proud to announce that the paper is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License (CC-BY-SA). You are free to quote it as much as you like (even for commercial purposes), but I’d ask that you maintain the same license and attribute me as the author.
This paper wouldn’t have been possible without some serious help from these awesome people:
- Richard Carbone was my advisor from SANS and he helped tremendously
- Dan Walsh reviewed the content and gave me several pointers on topics to add and adjust
- Paul Voccio, Antony Messerli, and Brad McConnell from Rackspace also provided feedback
- My mother, Neta Greene, is the best educator I know and she fueled my interest in writing and sharing with others
Please let me know if you spot any errors or areas that need clarification. This is one of my favorite topics and I enjoy talking about it. Find me on Freenode IRC as mhayden and I’ll be glad to talk more there.