Application Sandboxes

Slides:



Advertisements
Similar presentations
Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.
Advertisements

Lightweight virtual system mechanism Gao feng
Operating-System Structures
PlanetLab Operating System support* *a work in progress.
Linux Boot Up Process Bootstrapping –Bootstrapping is the standard term for “ starting up a computer”. During bootstrapping, the kernel is loaded into.
Chapter 2: Operating-System Structures
TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.
Additional SugarCRM details for complete, functional, and portable deployment.
Modern Software Technologies Java™, J2EE™, JSP™, JDBC™ by Radoslav Tr. Ivanov
Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.
Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.
Linux Exercise. Download and Install the latest CentOS version and latest Ubuntu/Fedora OS. Configure a unique Host Name and a permanent IP Address for.
Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Docker Overview Automating.

VM vs Container Xen, KVM, VMware, etc. Hardware emulation / paravirtualization Can run different OSs on the same box Dozens of instances OS sprawl problem.
Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.
Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Java.
UNIX Filesystem and Hierarchy AfNOG 2008 Workshop May Rabat, Morocco.
Intro To Virtualization Mohammed Morsi
Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)
Secure remote management with virtualization Daniel P. Berrangé.
Spacewalk + Fedora = 42. What is Spacewalk? A systems management platform designed to provide complete lifecycle management of the operating system and.
Daniel P. Berrangé Principal Software Engineer, Red Hat.
Daniel P. Berrangé KVM Forum Vancouver, libvirt: Why it exists ● Stable: isolation from HV API changes ● Standard: portable across HV ● Simple:
OpenShift & SELinux Dan Walsh Twitter: #rhatdan
Linux Containers and Docker
Computer System Structures
Andrea Chierici Virtualization tutorial Catania 1-3 dicember 2010
Virtualization Mini Summit, Austin 2008 mmm, tasty penguins...
NAT、DHCP、Firewall、FTP、Proxy
Agenda Hardware Virtualization Concepts
Open OnDemand: Open Source General Purpose HPC Portal
application into a Flatpak
Boxify: Full-fledged App Sandboxing for Stock Android
Red Hat partner event The evolution of Linux – From containers to OpenShift PaaS & how to get started Kristijan Walter, Presales engineer Veracomp d.o.o.
London OpenStack Meetup, July 2012 libvirt & KVM with OpenStack Nova
The Architecture of oVirt Node
Linux Containers Overview & Roadmap
Container-based Operating System Virtualization: A scalable, High-performance Alternative to Hypervisors Stephen Soltesz, Herbert Potzl, Marc E. Fiuczynski,
Virtualization with libvirt Kashyap Chamarthy
Case Study 1: UNIX and LINUX
Consulting Services JobScheduler Architecture Decision Template
In-Depth Introduction to Docker
Deploying Dockerized Apps to the Azure Container Service
Containers and Virtualisation
UNIX Filesystem and Hierarchy
SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH
Drupal VM and Docker4Drupal For Drupal Development Platform
Oracle Solaris Zones Study Purpose Only
Drupal VM and Docker4Drupal as Consistent Drupal Development Platform
Chapter 2: Operating-System Structures
Chapter 2. Malware Analysis in VMs
Introduction to Docker
REDHAT LINUX Training Syllabus
Agenda Intro Why use containers at all? Linux Kernel: a pop of history
Microsoft Ignite NZ October 2016 SKYCITY, Auckland.
IS3440 Linux Security Unit 4 Securing the Linux Filesystem
Chapter 2: System Structures
Operating Systems Lecture 4.
Introduction to Ansible
Intro about Contanier and Docker Technology
Chapter 2: Operating-System Structures
OpenStack Summit Berlin – November 14, 2018
Azure Container Service
Putting your users in a Box
Presentation transcript:

Application Sandboxes Isolate general purpose applications Target specific use cases Variety of approaches Seccomp – Linux syscall restriction Java VM – bytecode verification SELinux – MCS isolation Virtualization – OS separation Multiple layers of defense

Linux Containers What is a container? Most people think LXC We will use libvirt-lxc rather then lxc command set. Linux namespaces

Namespaces pam_namespace - RHEL5/Fedora 6 SELinux sandbox - RHEL6/Fedora 8 Systemd - Fedora 17 UnitFile: PrivateTmp, PrivateNetwork Openshift - RHEL6 Pam_namespace : Private /tmp

Linux Namespaces Mount : mounting/unmounting filesystems UTS : hostname, domainname IPC : SysV message queues, semaphore/shared memory segments Network: IPv4/IPv6 stacks, routing, firewall, proc/net /sys/class/net directory trees, sock Pid: Own set of pids UID: Not implemented yet.

libvirt Standard, simple, secure C API API bindings Perl, Python, Java, etc Mapping to object models SNMP, GObject, CIM, QMF Remote RPC access SSH, TLS, GSSAPI

libvirt-lxc Container virtualization Boot “init” binary sVirt SELinux TE + MCS Firewall ebtables/ip[6]tables Host FS passthrough bind mounts CGroups resource control

libvirt-sandbox API Based on GObject object system Uses libvirt-{glib,gconfig,gobject} Accessible from non-C via introspection All CLI tools built on top of the API FOSDEM 2012: libvirt-sandbox

Example: Server Virtual Hosting Goal: Deploy multiple Apache virtual hosts Strong isolation between virtual hosts Solution: One apache instance per virtual host Run apache inside a sandbox FOSDEM 2012: libvirt-sandbox

virt-sandbox-service virt-sandbox-service create -C -u httpd.service apache1 Config /etc/libvirt-sandbox/service/apache1.sandbox Multiple unit files allowed SystemD unit file /etc/systemd/system/httpd@apache1.service Create state directories or image /var/lib/libvirt/filesystem/apache1 Chroot type directory Examines rpm payload Clone - /var and /etc config Share /usr Allocate unique MCS security label FOSDEM 2012: libvirt-sandbox

virt-sandbox-service virt-sandbox-service start apache1 Starts service from config virt-sandbox-service stop apache1 Stop service virt-sandbox-service connect apache1 Connect admin debug shell to container Virt-sandbox-service execute -C ifconfig apache1 Execute command within container virt-sandbox-service.logrotate /usr/bin/virt-sandbox-service execute -C /etc/cron.daily/logrotate $i

Systemd systemctl start httpd@apache1.service systemctl reload httpd.service Should trigger reload in all httpd@ services ReloadPropagatedFrom=httpd.service Systemctl start httpd@.service Should start all httpd services

Other Use cases Run mock within a container Run customer services on gluster nodes Run mysql within a container OpenShift work loads FOSDEM 2012: libvirt-sandbox

Demo libvirt-0.10.0-0rc0.2.fc18.x86_64 libvirt-sandbox-0.1.0-1.fc18.x86_64 selinux-policy-3.11.1-7.fc18.noarch

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.