Introduction to Containers
Containers versus Virtual Machines
| | Containers | Virtual Machines |
|---|---|---|
| Isolation | Good | Great |
| Kernel | Same as host OS | Has its own kernel |
| Performance | Native performance | Emulated/virtualized hardware |
| Resource usage | Small, dynamic | Large, preallocated resources |
| Ease of use | Easy to set up and change | Harder to set up, easy to change |
| Environment | Deterministic | Deviates (updates, configuration) |
| Quantity | Large amount | Limited amount |
Containers are usually used for one application or service. Virtual Machines handle many applications or services.
How are containers setup on Linux?
Linux features for resource restriction and isolation [1]
- cgroups
- Namespaces (PID, NET, IPC, MNT, UTS, USER, TIME)
- Secure Computing Mode (seccomp)
- Apparmor and SELinux
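The kernel exposes each of these mechanisms through /proc, so a process can tell which namespaces, cgroup and seccomp mode it is running under. The following is an added example (not from the original page or any container project): it parses the relevant /proc fields, with constructed sample input embedded, and can also report on the live process. The cgroup-name markers used to guess "this looks like a container" are a heuristic assumption, not a kernel guarantee.

```python
import os
import re

# Constructed sample of /proc/<pid>/status lines (only the fields used here).
SAMPLE_STATUS = "Name:\tsh\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\n"

# Constructed sample of /proc/<pid>/cgroup for a process inside a container (cgroup v2 layout).
SAMPLE_CGROUP = "0::/system.slice/docker-0123abcd.scope\n"

# Values of the Seccomp field in /proc/<pid>/status.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Assumed heuristic: cgroup paths created by common container runtimes contain one of these.
CONTAINER_CGROUP_MARKERS = ("docker", "containerd", "libpod", "kubepods", "lxc")


def parse_status(text):
    """Return the seccomp mode, filter count and no_new_privs flag from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    mode = int(fields.get("Seccomp", "0"))
    return {
        "seccomp_mode": SECCOMP_MODES.get(mode, "unknown"),
        "seccomp_filters": int(fields.get("Seccomp_filters", "0")),
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def parse_cgroup(text):
    """Return the cgroup path(s) of a process and whether they look runtime-managed."""
    paths = []
    for line in text.splitlines():
        parts = line.split(":", 2)  # hierarchy-id:controllers:path
        if len(parts) == 3:
            paths.append(parts[2])
    looks_containerised = any(m in p for p in paths for m in CONTAINER_CGROUP_MARKERS)
    return {"paths": paths, "looks_containerised": looks_containerised}


def namespace_ids(pid="self"):
    """Map namespace kind -> inode number, read from the /proc/<pid>/ns/* symlinks."""
    ns_dir = f"/proc/{pid}/ns"
    result = {}
    if not os.path.isdir(ns_dir):
        return result  # non-Linux host or /proc not mounted
    for name in sorted(os.listdir(ns_dir)):
        try:
            link = os.readlink(os.path.join(ns_dir, name))  # e.g. 'pid:[4026531836]'
        except OSError:
            continue
        m = re.fullmatch(r"(\w+):\[(\d+)\]", link)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def shares_namespaces(pid_a, pid_b, kinds=("pid", "net", "mnt", "ipc", "uts", "user")):
    """True if both processes sit in the same namespace for every listed kind."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return all(a.get(k) is not None and a.get(k) == b.get(k) for k in kinds)


def report(pid="self"):
    """Live report for one process; empty data where /proc is unavailable."""
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return {
        "status": parse_status(read(f"/proc/{pid}/status")),
        "cgroup": parse_cgroup(read(f"/proc/{pid}/cgroup")),
        "namespaces": namespace_ids(pid),
    }


if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS))
    print(parse_cgroup(SAMPLE_CGROUP))
    print(report())
```

Running report() inside a container typically shows seccomp_mode "filter", a runtime-named cgroup path and namespace inodes that differ from those of the host's PID 1; shares_namespaces("self", 1) is a quick check for whether a process was started with the host's namespaces instead of its own.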
How are containers setup on Windows?
Windows features for resource restriction and isolation [2]
- Job Objects
- Namespaces (Object, Process Table, Networking)
Linux containers can be run through the Windows Subsystem for Linux, but the Linux kernel then runs inside a virtual machine, so you lose the raw performance advantage of containers.
Open Container Initiative (OCI)
Specification for how container images are formatted and run. Used by…
- Docker
- Podman
- systemd-nspawn
- Kubernetes
Linux Containers (LXC)
What if you want the permanence of a Virtual Machine but the performance of a Container?
- Not OCI compatible
- Used in Proxmox
Creating an OCI Container Image
What makes a container
A container image must contain every user-space file the software inside it needs, such as libraries and other dependencies; only the kernel comes from the host.
Generating an Image
OCI images are most often created from a Dockerfile. This file contains the stages that take a base OS and transform it into your desired use case.
Optionally, there may be a build stage that does not get pushed into the resulting image, for when software needs to be compiled first.
Images are stored in layers, so images can build on other images and share common layers.
Docker Container Registry / Github Container Registry
Containers can be stored locally, or uploaded to the internet for other people to download.
- hub.docker.com (Default)
- ghcr.io
Container Security
System Calls
Containers share the same kernel as the host, so syscalls are restricted through namespaces and seccomp.
List the namespaces on a system with lsns.
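A seccomp profile in the JSON layout Docker loads (defaultAction, architectures, syscalls) is the concrete artefact behind "restricted through seccomp". The following is an added example, not from the original page or from Docker: it builds a deny-by-default profile from an allowlist, decides what the profile would do for a given syscall, and audits a profile for settings a reviewer would reject. The BASELINE_SYSCALLS allowlist and the list of syscalls flagged by the audit are constructed illustrations, not a recommended production profile.

```python
import json

# Constructed allowlist for a small statically-linked service; an illustration only.
BASELINE_SYSCALLS = [
    "read", "write", "close", "fstat", "mmap", "munmap", "brk",
    "rt_sigaction", "rt_sigprocmask", "exit", "exit_group", "futex",
    "clock_gettime", "nanosleep", "getpid", "openat",
]

# Assumed review list: syscalls that container profiles normally leave blocked.
REVIEW_BLOCKLIST = ("ptrace", "mount", "reboot", "kexec_load",
                    "init_module", "finit_module", "unshare")


def build_profile(allowed, extra=(), arch="SCMP_ARCH_X86_64"):
    """Deny-by-default profile: anything not allowlisted fails with EPERM (SCMP_ACT_ERRNO)."""
    names = sorted(set(allowed) | set(extra))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW"}],
    }


def decide(profile, syscall):
    """Action the profile applies to one syscall name (first matching rule wins)."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def audit_profile(profile, blocklist=REVIEW_BLOCKLIST):
    """Findings a reviewer would raise before the profile is loaded into a runtime."""
    findings = []
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        findings.append(
            f"default action is {profile.get('defaultAction')!r}, not deny-by-default")
    if not profile.get("architectures"):
        findings.append("no architectures listed; the profile may not match the host")
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    for name in sorted(allowed & set(blocklist)):
        findings.append(f"allows {name}, which container profiles normally block")
    return findings


def to_json(profile):
    """Serialise in the form passed to the runtime (e.g. --security-opt seccomp=<file>)."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    profile = build_profile(BASELINE_SYSCALLS)
    print(to_json(profile))
    print("read ->", decide(profile, "read"), "| ptrace ->", decide(profile, "ptrace"))
    print("findings:", audit_profile(build_profile(BASELINE_SYSCALLS, extra=["ptrace"])))
```

The audit is deliberately structural: it checks the default action and the allowlist, which is where most real-world profile mistakes live, rather than trying to reason about argument filters.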
gVisor
Google wasn’t happy with that and made their own sandbox, gVisor, which sits between the container and the host kernel: a user-space kernel services the container’s syscalls, so only a reduced set ever reaches the real kernel.
Image Security
When using other people’s containers, you have to trust whoever made them to not embed malware.
Some containers were built a long time ago and some software may have vulnerabilities.
Blindly updating images can be a problem if the container registry uploader’s account is compromised.
NIST’s Application Container Security Guide [3]
- API keys / secrets should never be stored inside the image
- Use virtual networks with restricted access
- Properly secure container orchestration software
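Two of the points above can be checked on the Dockerfile itself before an image is built: which stages are build-only and never shipped (the "Generating an Image" section), and whether ENV or ARG instructions bake a credential into the image. The following is an added example, not from the original page or from Docker: a small Dockerfile parser that handles comments and line continuations, splits the file into FROM stages, counts layer-adding instructions per stage and flags credential-looking ENV/ARG names. The sample Dockerfile, its image names and the "sk-live-0000example" value are constructed for the example; the regex for secret-like names is an assumption and will not catch every case.

```python
import re

# Constructed sample Dockerfile: a build stage that is never shipped, then the final stage.
SAMPLE_DOCKERFILE = """\
# build stage: compiles the binary, never shipped
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN go build -o /out/app \\
    ./cmd/app

# final stage: only the binary and its runtime dependencies
FROM debian:bookworm-slim
ENV API_KEY=sk-live-0000example
ARG BUILD_DATE
COPY --from=build /out/app /usr/local/bin/app
USER 1000
ENTRYPOINT ["/usr/local/bin/app"]
"""

# Instructions that add a filesystem layer to the image.
LAYER_INSTRUCTIONS = {"RUN", "COPY", "ADD"}

# Assumed heuristic for credential-like variable names.
SECRET_KEY_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd)")


def logical_lines(text):
    """Join backslash continuations and drop comment and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_dockerfile(text):
    """Split into stages: [{'name', 'base', 'instructions': [(INSTR, args), ...]}]."""
    stages = []
    for line in logical_lines(text):
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":  # simple form only; FROM flags such as --platform are not handled
            m = re.match(r"(\S+)(?:\s+AS\s+(\S+))?", args, re.IGNORECASE)
            stages.append({"name": m.group(2), "base": m.group(1), "instructions": []})
        elif stages:
            stages[-1]["instructions"].append((instr, args.strip()))
    return stages


def build_only_stages(stages):
    """Names (or bases) of stages that are not the final stage and so are never pushed."""
    return [s["name"] or s["base"] for s in stages[:-1]]


def layer_count(stage):
    """Number of filesystem layers the stage adds on top of its base image."""
    return sum(1 for instr, _ in stage["instructions"] if instr in LAYER_INSTRUCTIONS)


def baked_in_secrets(stages):
    """ENV/ARG names that look like credentials. ENV values are stored in the image
    config; ARG values can remain visible in the build history."""
    findings = []
    for stage in stages:
        for instr, args in stage["instructions"]:
            if instr not in ("ENV", "ARG"):
                continue
            tokens = args.split()
            if any("=" in t for t in tokens):
                keys = [t.split("=", 1)[0] for t in tokens if "=" in t]
            else:
                keys = tokens[:1]  # legacy 'ENV KEY value' form
            for key in keys:
                if SECRET_KEY_RE.search(key):
                    findings.append((stage["name"] or stage["base"], instr, key))
    return findings


if __name__ == "__main__":
    stages = parse_dockerfile(SAMPLE_DOCKERFILE)
    for s in stages:
        print(f"stage {s['name'] or s['base']}: {layer_count(s)} layer(s)")
    print("build-only stages:", build_only_stages(stages))
    print("baked-in secrets:", baked_in_secrets(stages))
```

Run as a pre-build check, the finding for API_KEY is the one the NIST guidance is about: the value would travel with the image to every registry and host that pulls it, whereas injecting it at run time keeps it out of the artefact.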
Container Orchestration Software
Handles
- Multiple Machines
- Deployment
- Management
- Monitoring
- Resource Allocation
Kubernetes, Docker Swarm, Rancher, Portainer, Nomad, etc…