Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Sandboxes

Published byKelley Grant Modified over 6 years ago

Similar presentations

Presentation on theme: "Application Sandboxes"— Presentation transcript:

1

2 Application Sandboxes
Isolate general purpose applications Target specific use cases Variety of approaches Seccomp – Linux syscall restriction Java VM – bytecode verification SELinux – MCS isolation Virtualization – OS separation Multiple layers of defense

3 Linux Containers What is a container? Most people think LXC
We will use libvirt-lxc rather then lxc command set. Linux namespaces

4 Namespaces pam_namespace - RHEL5/Fedora 6
SELinux sandbox - RHEL6/Fedora 8 Systemd - Fedora 17 UnitFile: PrivateTmp, PrivateNetwork Openshift - RHEL6 Pam_namespace : Private /tmp

5 Linux Namespaces Mount : mounting/unmounting filesystems
UTS : hostname, domainname IPC : SysV message queues, semaphore/shared memory segments Network: IPv4/IPv6 stacks, routing, firewall, proc/net /sys/class/net directory trees, sock Pid: Own set of pids UID: Not implemented yet.

6 libvirt Standard, simple, secure C API API bindings
Perl, Python, Java, etc Mapping to object models SNMP, GObject, CIM, QMF Remote RPC access SSH, TLS, GSSAPI

7 libvirt-lxc Container virtualization Boot “init” binary
sVirt SELinux TE + MCS Firewall ebtables/ip[6]tables Host FS passthrough bind mounts CGroups resource control

8 libvirt-sandbox API Based on GObject object system
Uses libvirt-{glib,gconfig,gobject} Accessible from non-C via introspection All CLI tools built on top of the API FOSDEM 2012: libvirt-sandbox

9 Example: Server Virtual Hosting
Goal: Deploy multiple Apache virtual hosts Strong isolation between virtual hosts Solution: One apache instance per virtual host Run apache inside a sandbox FOSDEM 2012: libvirt-sandbox

10 virt-sandbox-service
virt-sandbox-service create -C -u httpd.service apache1 Config /etc/libvirt-sandbox/service/apache1.sandbox Multiple unit files allowed SystemD unit file Create state directories or image /var/lib/libvirt/filesystem/apache1 Chroot type directory Examines rpm payload Clone - /var and /etc config Share /usr Allocate unique MCS security label FOSDEM 2012: libvirt-sandbox

11 virt-sandbox-service
virt-sandbox-service start apache1 Starts service from config virt-sandbox-service stop apache1 Stop service virt-sandbox-service connect apache1 Connect admin debug shell to container Virt-sandbox-service execute -C ifconfig apache1 Execute command within container virt-sandbox-service.logrotate /usr/bin/virt-sandbox-service execute -C /etc/cron.daily/logrotate $i

12 Systemd systemctl start httpd@apache1.service
systemctl reload httpd.service Should trigger reload in all services ReloadPropagatedFrom=httpd.service Systemctl start Should start all httpd services

13 Other Use cases Run mock within a container
Run customer services on gluster nodes Run mysql within a container OpenShift work loads FOSDEM 2012: libvirt-sandbox

14 Demo libvirt rc0.2.fc18.x86_64 libvirt-sandbox fc18.x86_64 selinux-policy fc18.noarch

Download ppt "Application Sandboxes"

Similar presentations

Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.

Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.
Lightweight virtual system mechanism Gao feng

Lightweight virtual system mechanism Gao feng
Operating-System Structures

Operating-System Structures
PlanetLab Operating System support* *a work in progress.

PlanetLab Operating System support* *a work in progress.
Linux Boot Up Process Bootstrapping –Bootstrapping is the standard term for “ starting up a computer”. During bootstrapping, the kernel is loaded into.

Linux Boot Up Process Bootstrapping –Bootstrapping is the standard term for “ starting up a computer”. During bootstrapping, the kernel is loaded into.
Chapter 2: Operating-System Structures

Chapter 2: Operating-System Structures
TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.

TOPIC 1 – SERVER SIDE APPLICATIONS IFS 234 – SERVER SIDE APPLICATION DEVELOPMENT.
Additional SugarCRM details for complete, functional, and portable deployment.

Additional SugarCRM details for complete, functional, and portable deployment.
Modern Software Technologies Java™, J2EE™, JSP™, JDBC™ by Radoslav Tr. Ivanov - 12835.

Modern Software Technologies Java™, J2EE™, JSP™, JDBC™ by Radoslav Tr. Ivanov
Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization.

Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.

4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.

Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.
Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.

Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.
Linux Exercise. Download and Install the latest CentOS version and latest Ubuntu/Fedora OS. Configure a unique Host Name and a permanent IP Address for.

Linux Exercise. Download and Install the latest CentOS version and latest Ubuntu/Fedora OS. Configure a unique Host Name and a permanent IP Address for.
Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:

Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Docker Overview Automating.

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Docker Overview Automating.

VM vs Container Xen, KVM, VMware, etc. Hardware emulation / paravirtualization Can run different OSs on the same box Dozens of instances OS sprawl problem.

VM vs Container Xen, KVM, VMware, etc. Hardware emulation / paravirtualization Can run different OSs on the same box Dozens of instances OS sprawl problem.
Aaron Corso COSC356-001 Spring 2012. What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.

Aaron Corso COSC Spring What is LAMP?  A ‘solution stack’, or package of an OS and software consisting of:  Linux  Apache  MySQL  PHP.

Similar presentations

Ads by Google