COMP 3000 Operating Systems
Containerization and Virtualization (part 1)
Lianying Zhao
More Thinking about the Process Abstraction
• Isolation: for reliability (fault containment) and security
• Who determines the access? → too coarse-grained
• Is it too fine-grained in terms of scope?
• Recall the idea of having shared objects (aka dynamic libraries)
• To avoid having duplicate copies of the same libraries
• So, intuitively, process isolation cuts at the sharing boundary (not true)
• What if isolation is needed to include multiple processes, communication and files as well?
• Then what?
COMP 3000 (Winter 2021) 2
Scenarios of Testing and Deploying Applications
• Sandboxing
• I want to test/evaluate an application that involves multiple executables/processes, files in the file system and network communication.
• The code might be buggy or even malicious
• Automated deployment
• I want to deploy instances of my application at a large scale, with minimum human intervention
• Each involves dependencies and specific setup
• Lifting existing applications into cloud architectures
• Also see: microservices
Virtual Machines at a Glance
A bit more detailed explanation later if time permits
• Virtualization in a broad sense is to create a virtual version of something, without changing its nature
• Virtual versions of the CPU
• Virtual versions of memory
• Virtual networks, e.g., VLAN and VPN
• Virtual machines: The original idea is to logically divide the computer
• Must be a complete “machine”, e.g., can run an OS inside
• Has evolved a lot over time, e.g., JVM, sometimes referred to as application virtual machines
• Can be for either partitioning or aggregation of resources
Containerization vs. Virtualization
Then What are Containers?
There is no data structure in the kernel representing a container. A container is a userspace construct.
Building Blocks
• Control groups (Cgroups)
• Resource limiting and metering
• Namespaces
• Like isolation through visibility, creating a different view
• Kernel capabilities
• Fine-grained access control, like a breakdown of root privileges
• SELinux, AppArmor, seccomp
Some Thinking about Access Control
• Granularity
• There are many more operations than read/write/execute
• E.g., binding to network port numbers lower than 1024
• Android permissions
• DAC vs. MAC
• Per-user vs. per-process
Kernel Capabilities
• Recall the difference between the root user and the kernel mode
• The kernel determines how to enforce access control
• The root privilege is just one way
• Analogous to tickets or tokens
• Object – what resource is this concerned about?
• Subject – who is making the attempt?
• Rights – operations in question
Again, you can check include/linux/cred.h in Tutorial 7.
• Commands capsh and getpcaps
What’s the Capability Counterpart of setuid?
• Isn’t leaving a setuid root-owned file (i.e., the full root privilege) too risky?
• File capabilities
• As part of the extended attributes (in security.capability)
• Capabilities that are granted when the file is executed
• Commands getcap and setcap
• Need capability CAP_SETFCAP to set file capabilities
Kernel Capabilities – Examples
• CAP_NET_BIND_SERVICE
• Whether the process can bind a socket to ports less than 1024
• CAP_NET_RAW
• Access to raw sockets, e.g., constructing arbitrary packets
• CAP_DAC_OVERRIDE
• Whether the process can bypass file read, write, and execute permission checks
• CAP_CHOWN (corresponding to chown) and CAP_KILL (corresponding to kill)
• Capabilities are per-thread/process
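As an added example (not from the slides), the following C helpers decode the per-thread capability masks the kernel exposes in /proc/<pid>/status (the same sets that capsh and getpcaps report) and name the capabilities discussed above. The capability bit numbers are taken from include/uapi/linux/capability.h; the /proc/self/status read only works on Linux, and any mask values in comments are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers from include/uapi/linux/capability.h (subset from the slides). */
static const struct { int bit; const char *name; } cap_table[] = {
    { 0, "CAP_CHOWN" },            { 1, "CAP_DAC_OVERRIDE" },
    { 5, "CAP_KILL" },             { 10, "CAP_NET_BIND_SERVICE" },
    { 13, "CAP_NET_RAW" },         { 31, "CAP_SETFCAP" },
};
#define CAP_TABLE_LEN (sizeof cap_table / sizeof cap_table[0])

/* Is capability number `cap` set in a 64-bit mask as printed by /proc/<pid>/status? */
int cap_in_mask(uint64_t mask, int cap) {
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1u) != 0;
}

/* Parse a "CapEff:\t<hex>" style line from /proc/<pid>/status; 1 on success, else 0. */
int parse_cap_line(const char *line, const char *field, uint64_t *mask) {
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':') return 0;
    return sscanf(line + n + 1, " %" SCNx64, mask) == 1;
}

/* Append the names of table capabilities present in `mask` to `out`; returns the count.
 * E.g. the constructed mask 0x2423 (bits 0,1,5,10,13) yields the five slide examples. */
int describe_caps(uint64_t mask, char *out, size_t outlen) {
    int count = 0;
    out[0] = '\0';
    for (size_t i = 0; i < CAP_TABLE_LEN; i++) {
        if (!cap_in_mask(mask, cap_table[i].bit)) continue;
        if (count) strncat(out, " ", outlen - strlen(out) - 1);
        strncat(out, cap_table[i].name, outlen - strlen(out) - 1);
        count++;
    }
    return count;
}

/* Read this process's effective set from /proc/self/status (Linux only); 0 if unavailable. */
int read_own_cap_eff(uint64_t *mask) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_cap_line(line, "CapEff", mask);
    fclose(f);
    return found;
}
```

Running the decoder on CapEff, CapPrm and CapBnd of an unprivileged shell versus a root shell shows concretely how the root privilege is just one (maximal) combination of these bits.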
Misc.
Final Exam
• Open book
• Any course material, notes, online documentation
• Same format as midterm
• More questions, but also more time per question
• Two hours
• April 27, 2021 (according to SES)
• Collaboration with any individual/organization is NOT allowed
• Randomized/targeted interviews