LinuxCon NA: A New Way to Combine Containers and Hypervisors with Xen - Stefano Stabellini & Dimitri Stiliadis, Aporeto
Linux Containers’ isolation capabilities are under scrutiny because of growing runtime usage. Best practices recommend avoiding multitenant deployments as POSIX has a large attack surface. Although the proper usage of MAC, seccomp and CAP reduces the attack surface, there are limited production deployments of these technologies given their management complexity.
Clear Containers and similar approaches propose to solve this problem by running Containers as KVM VMs. While more secure, these approaches require HW abstraction to enable multitenancy.
We propose a new method based on Xen paravirtualization that combines the strengths of namespaces and hypervisor isolation. This approach enhances security by virtualizing POSIX and allowing only a minimal subset of syscalls to be handled by a hypervisor-type entity. Most syscalls execute within a confined kernel, which hardens the system.
More at http://lcccna2016.sched.org/event/7JVR/a-new-way-to-combine-containers-and-hypervisors-with-xen-stefano-stabellini-dimitri-stiliadis-aporeto