[HN Gopher] Barco: Linux Containers from Scratch in C
___________________________________________________________________
Barco: Linux Containers from Scratch in C
Author : lcvln
Score : 106 points
Date : 2023-08-06 19:47 UTC (3 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| shortrounddev2 wrote:
| Very cool, I was thinking of doing something similar in Windows
| semiquaver wrote:
| What is the underlying isolation technology that would be used
| in Windows?
| lcvln wrote:
| barco is a project I worked on to learn more about Linux
| containers and the Linux kernel, based on other guides on the
| internet.
| intelVISA wrote:
| awesome, thx for sharing this :)
| zamalek wrote:
| > barco enforces a minimal set of restrictions to run untrusted
| code, which is not recommended for production use, where a more
| robust solution should be used.
|
| Aren't containers never suitable for running untrusted code? You
| need AppArmor, bwrap, or similar AFAIK.
| charcircuit wrote:
| >Aren't containers never suitable for running untrusted code?
|
| They are suitable provided the kernel is secure.
| cyphar wrote:
| This is tautologically true -- "Is X secure? Yes, assuming
| the technology X uses is secure."
|
| The more nuanced answer is that containers have several
| layers of protections (seccomp, LSMs, user namespaces,
| namespaces, cgroups, capabilities, and standard process
| permissions by running as an unprivileged user) which all act
| together to help protect against container attacks. It's not
| perfect, but most container breakout attacks we've had so far
| are related to when container runtimes have to operate on a
| container during process setup (IMHO because the process for
| creating a container process is far from atomic) -- some of
| these attacks were enabled by kernel bugs which we went and
| fixed as well. It is very difficult to break out of a
| container once it has been configured and left alone.
| loeg wrote:
| I would probably point at a virtual machine for a convenient
| place to run untrusted code. It's not perfect -- there are VM
| escapes -- but it's more convenient than a dedicated, air-
| gapped machine.
| CameronNemo wrote:
| GKE runs every kubelet in its own gvisor-like userspace
| hypervisor.
|
| https://cloud.google.com/blog/products/containers-
| kubernetes...
| cyphar wrote:
| bwrap is a container and AppArmor is used by basically every
| container runtime if the system is using AppArmor (otherwise
| they use SELinux). Seccomp is also enabled by default, and I
| would argue it is a more significant protection against
| container breakouts because it protects against kernel 0-days
| as well and doesn't rely on LSM hooks to block operations. The
| real question is whether you are using user namespaces.
|
| Jessica Frazelle ran a public bug bounty to break out of a
| container image that is properly secured, and as far as I know
| nobody collected the bounty. The website isn't up at the
| moment, maybe she took it down. https://contained.af/
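The layered protections cyphar describes in the two comments above (seccomp in particular, which rejects a syscall before any kernel code path for it is reached, so an unlisted syscall's 0-day is unreachable) are easiest to see in a small C program. The following is an added example written for this page; it is not code from the barco repository or from any commenter, and it assumes an x86_64 or aarch64 Linux host with kernel headers installed. It builds a classic-BPF syscall allowlist, checks the filter's decisions in userspace with a tiny interpreter for the three opcodes it emits, and only then installs it behind PR_SET_NO_NEW_PRIVS.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

/* Assumption: compiled on x86_64 or aarch64 Linux (constructed example). */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64

/* Emit an allowlist filter: kill unless arch matches and nr is in `nrs`.
 * Layout: [ld arch][jeq arch][kill][ld nr][jeq nr_0]..[jeq nr_n-1][kill][allow]
 * Returns the instruction count, or -1 if `cap` is too small. */
static int build_allowlist(const int *nrs, size_t n, struct sock_filter *out, size_t cap)
{
    size_t len = n + 6, i = 0;
    if (len > cap || n > 255)
        return -1;
    /* Check the ABI first: syscall numbers differ per architecture, and a
       filter without this check can be confused by compat/x32 entry points. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)  /* on match, jump over the rest and the kill to ALLOW */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[k], (uint8_t)(n - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)len;
}

/* Minimal interpreter for the three opcodes the builder emits, so the filter
 * can be exercised in userspace before it is installed. Fails closed. */
static uint32_t run_filter(const struct sock_filter *p, int len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &p[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;  /* opcode we did not emit */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;  /* fell off the end of the program */
}

static uint32_t decide(const struct sock_filter *p, int len, uint32_t arch, int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return run_filter(p, len, &d);
}

static int install_filter(struct sock_filter *insns, int len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    /* Required for unprivileged seccomp; also stops a later execve of a
       setuid binary from regaining privileges the filter does not cover. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 1 when the built filter behaves as intended, 0 otherwise. */
static int self_check(void)
{
    struct sock_filter f[MAX_INSNS];
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    int len = build_allowlist(allowed, 3, f, MAX_INSNS);
    if (len != 9) return 0;
    if (decide(f, len, ARCH_NR, SYS_write) != SECCOMP_RET_ALLOW) return 0;
    if (decide(f, len, ARCH_NR, SYS_execve) != SECCOMP_RET_KILL_PROCESS) return 0;
    if (decide(f, len, ARCH_NR ^ 1, SYS_read) != SECCOMP_RET_KILL_PROCESS) return 0;
    if (build_allowlist(allowed, 3, f, 5) != -1) return 0;
    return 1;
}

int main(void)
{
    struct sock_filter f[MAX_INSNS];
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    int len = build_allowlist(allowed, 3, f, MAX_INSNS);
    if (len < 0 || !self_check()) {
        fprintf(stderr, "filter self-check failed\n");
        return 1;
    }
    fflush(stdout);  /* stdio may lazily call fstat/ioctl; flush before locking down */
    if (install_filter(f, len) != 0) {
        perror("install_filter");
        return 1;
    }
    /* From here only read/write/exit_group are reachable; anything else kills us. */
    static const char msg[] = "seccomp allowlist installed\n";
    write(1, msg, sizeof msg - 1);
    _exit(0);
}
```

The self-check is deliberately run before installation: once the filter is live, a mistake in it (for instance forgetting `exit_group`) shows up only as a SIGSYS, which is why container runtimes validate or simulate their profiles rather than debugging them in place. A real runtime stacks this with user namespaces, capability drops and an LSM profile, as the comments above describe; the syscall allowlist is the layer that still holds when one of the others has a bug.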
| jppittma wrote:
| Sounds like free money to me. You just press Ctrl+D, and
| you're out.
| cyphar wrote:
| Sadly that doesn't help you get access to the flag file you
| need to collect the bounty. ;)
| gjkood wrote:
| Your project is not in the same space but do you foresee any
| conflicts with the name regarding copyrights, trademarks etc with
| Barco, Inc. [1], the projector/display company?
|
| [1] https://www.barco.com/en
| CameronNemo wrote:
| _Please don't complain about tangential annoyances--e.g.
| article or website formats, name collisions, or back-button
| breakage. They're too common to be interesting._
| Philpax wrote:
| GP was asking if it could cause an issue for the OP, not
| complaining about an annoyance. It's something that the OP
| may want to address.
| CameronNemo wrote:
| I still think it is tangential. The author stated that they
| wrote this project to learn. The readme says that it is not
| intended for production use and that there is no networking
| set up in the containers.
|
| With that context, I doubt that name collisions outside of
| the containers space are top of mind.
| lcvln wrote:
| barco really just means "hay barrack" in my native
| language ¯\_(ツ)_/¯
___________________________________________________________________
(page generated 2023-08-06 23:00 UTC)