Containers for the underprivileged
A whole host of persistent concerns around container security can be sidestepped if the container manager itself, not just the services inside the container, can be run without host root privilege. User namespaces allow containerized services that would otherwise require root to run in the container without host root privilege. However, at least part of the container manager itself still needs to run as root.
The main reason for the container manager to require root privilege is container networking. Providing network connectivity to a container currently involves extending the host's network "into" the container through a set of virtual network artifacts: a virtual patch cable (a veth pair) and a virtual network switch (a Linux bridge). Manipulating these artifacts requires privilege.
If we step back a bit, an unprivileged user on the host is allowed to access the host network, yet the same user is unable to carry that access into a container they already own. Once the network namespace is unshared and the process is placed within the artificial boundaries of the new network namespace, it loses all network connectivity, and additional privilege becomes necessary to plumb the host network into the container. Containers should really be no different in their privilege footprint than the applications they host.
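As an added example (not from the talk or from AppSwitch), the following Python script reproduces the situation just described: a process that unshares a user and network namespace without host root is left with only a down, unaddressed loopback device and cannot even reach 127.0.0.1, while the same user on the host side can. It assumes Linux with unprivileged user namespaces enabled; where they are disabled, the probe reports the error name instead.

```python
import ctypes
import errno
import json
import os
import socket

CLONE_NEWUSER = 0x10000000  # flag values from <linux/sched.h>
CLONE_NEWNET = 0x40000000

def link_names():
    """Interfaces visible in the caller's network namespace."""
    return sorted(name for _, name in socket.if_nameindex())

def loopback_connect_result():
    """'OK' if 127.0.0.1 is routable from this namespace, else the errno name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("127.0.0.1", 9))  # UDP connect only does a route lookup
            return "OK"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))

def probe_fresh_netns():
    """Fork a child that unshares a user namespace plus a network namespace
    (no host root needed where unprivileged user namespaces are enabled) and
    report which links it sees and whether loopback is reachable."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: single-threaded, so CLONE_NEWUSER is permitted
        os.close(rfd)
        libc = ctypes.CDLL(None, use_errno=True)
        if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
            result = {"unshared": False,
                      "error": errno.errorcode.get(ctypes.get_errno(), "?")}
        else:  # fresh netns: only a loopback device, down and unaddressed
            result = {"unshared": True, "links": link_names(),
                      "loopback": loopback_connect_result()}
        os.write(wfd, json.dumps(result).encode())
        os._exit(0)
    os.close(wfd)
    chunks = []
    while chunk := os.read(rfd, 4096):
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks))

if __name__ == "__main__":
    print("host view  :", link_names(), loopback_connect_result())
    print("fresh netns:", probe_fresh_netns())
```

Bringing lo up or adding a veth end from the host side is exactly the step that still needs host privilege, which is why the probe stops where it does.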
In this talk, I'll discuss how a fundamental problem with the design of network namespaces caused us to end up in this situation and how AppSwitch effectively addresses that problem, enabling the container manager to be run without root privilege.
San Jose, USA
CTO and cofounder
Dinesh Subhraveti is a scientist, a repeat entrepreneur and an inventor of container virtualization, currently serving as the CTO and founder at AppOrbit. He developed the core principles that underlie the container abstraction as a part of his Ph.D. Published in 2002, his work showed for the very first time that enterprise applications could be live-migrated using that abstraction. Based on his original implementation, he drove the development of the industry’s first container live-migration product at Meiosys, the company behind LXC that IBM acquired in 2005. Dinesh authored numerous research papers in the areas of operating systems, virtualization and storage. He holds a Ph.D. in computer science from Columbia University.