Monday, November 3 • 14:30 - 15:10
Using Containers Without Risking Your *aas (Canonical)


It is not generally considered safe to run untrusted code in a container as uid 0. You might have seen that in fine print at the bottom of a slide deck after being blown away by the long list of reasons that containers are totally awesome.

Luckily, that fine print is now a historical artifact.

User namespaces are a feature added to the Linux kernel in version 3.13. They allow the root user inside the container to be an unprivileged user outside. This makes it possible to run init or other processes that expect to run as root without risk.

The talk will describe how to use user namespaces and other Linux security tools such as seccomp and LSMs to safely run untrusted code inside a container. It will also discuss how these techniques are used by the granite nova driver to provide secure containers via the OpenStack Compute API.
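The uid translation described in the abstract is driven by the `/proc/<pid>/uid_map` file (format per user_namespaces(7): `<inside-id> <outside-id> <count>` per line). The following is an added example, not code from the talk or from Canonical: it models that translation in both directions, treats unmapped ids the way the kernel does (they appear as the overflow uid, 65534 by default), and includes a check that flags a mapping in which container root is still host root. The `SAMPLE_UID_MAP` value is a constructed sample of the kind of line a container runtime writes for an unprivileged container.

```python
"""Model of the uid translation performed by Linux user namespaces via uid_map."""
from typing import List, Optional, Tuple

# Kernel default for ids that have no mapping (see /proc/sys/kernel/overflowuid).
OVERFLOW_UID = 65534

# Constructed sample mapping: uid 0..65535 inside the namespace become
# uid 100000..165535 on the host.  Format: <inside> <outside> <count>.
SAMPLE_UID_MAP = "0 100000 65536\n"

Range = Tuple[int, int, int]


def parse_uid_map(text: str) -> List[Range]:
    """Parse uid_map/gid_map text into (inside_start, outside_start, count) triples."""
    ranges: List[Range] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {raw!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range: {raw!r}")
        ranges.append((inside, outside, count))
    return ranges


def to_outside(inside_uid: int, ranges: List[Range]) -> Optional[int]:
    """Host uid that a uid seen inside the namespace really is; None if unmapped."""
    for inside, outside, count in ranges:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def to_inside(outside_uid: int, ranges: List[Range]) -> int:
    """Uid that a host uid appears as inside the namespace.

    A host uid outside every range has no representation inside the
    namespace, so the kernel shows it as the overflow uid ("nobody").
    """
    for inside, outside, count in ranges:
        if outside <= outside_uid < outside + count:
            return inside + (outside_uid - outside)
    return OVERFLOW_UID


def container_root_is_host_root(text: str) -> bool:
    """True when uid 0 inside maps to uid 0 outside, i.e. the namespace adds no protection."""
    return to_outside(0, parse_uid_map(text)) == 0


if __name__ == "__main__":
    # Stand-alone demonstration on the constructed sample.
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    print("container root is host uid", to_outside(0, ranges))
    print("host root appears inside as uid", to_inside(0, ranges))
    print("identity map is unsafe:", container_root_is_host_root("0 0 4294967295\n"))
```

On a real system the same functions can be fed the contents of `/proc/self/uid_map`: an unprivileged container should give a non-zero result for `to_outside(0, ...)`, while a process in the initial user namespace (or a container started without a user namespace) shows the identity map `0 0 4294967295`, for which `container_root_is_host_root` returns `True`.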


Serge Hallyn

Ubuntu Server Team, Canonical
Serge Hallyn works for Canonical as a member of the Ubuntu Server team, with a particular focus on the virtualization stack. He has been involved with containers since the first upstream kernel patches for UTS and PID namespaces. He was involved with LSM from the start, is listed...

Scott Moser

Ubuntu Server Team
Scott Moser is a member of the Ubuntu Server and OpenStack Team. He has been involved in OpenStack since around the Cactus time frame. He is the maintainer of cloud-init and has had a central role in the production of the official Ubuntu Cloud Images.

Monday November 3, 2014 14:30 - 15:10
Room 243
