SlideShare a Scribd company logo

ISC HPCW talks

A
Akihiro Suda

The document discusses rootless Docker daemon (dockerd) and its advantages for cloud-native and HPC environments, especially in mitigating vulnerabilities. It covers user namespaces, how rootless builds work with BuildKit, and the specifications of the Open Containers Initiative (OCI) for container image representation and distribution. Additionally, it highlights unresolved issues and comparisons with other tools like Kaniko for building container images in a non-root environment.

Software
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center My ISC HPCW Talks 1. Current state of rootless dockerd 2. Rootless build with BuildKit 3. OCI Image Spec & Distribution 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center Current state of rootless dockerd 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
3
 Copyright©2019 NTT Corp. All Rights Reserved. What is rootless dockerd? • Run Docker daemon (and also containers of course) as a non-root user • Don’t confuse with: • sudo • usermod -aG docker penguin • docker run --user • dockerd --userns-remap • Experimentally supported since Docker v19.03 https://get.docker.com/rootless Image: https://xkcd.com/149/
4
 Copyright©2019 NTT Corp. All Rights Reserved. Why? • For Cloud-Native envs: • To mitigate potential vulnerability of container runtimes and orchestrator • For HPC envs: • To run containers without the risk of breaking other users environments
5
 Copyright©2019 NTT Corp. All Rights Reserved. How it works: User Namespaces • User namespaces allow non-root users to pretend to be the root • Root-in-UserNS can have “fake” UID 0 and also create other namespaces (MountNS, NetNS..) • Unlike Singularity, NetNS can be unshared • By using either usermode TCP/IP stack (VPNKit, slirp4netns) or SETUID binary (lxc-user-nic)
6
 Copyright©2019 NTT Corp. All Rights Reserved. System requirements: /etc/{subuid,subgid} • If /etc/subuid contains “1001:100000:65536” • Having 65536 sub-users should be enough for most containers 0 1001 100000 165535 232Host UserNS primary user sub-users start sub-users length 0 1 65536
7
 Copyright©2019 NTT Corp. All Rights Reserved. Unresolved issues (Contribution wanted!) • Hard to maintain subuid & subgid in LDAP/AD envs • NSS module is being under discussion https://github.com/shadow-maint/shadow/issues/154 • Single-mapping mode w/o subuid & subgid is also under discussion • uses ptrace and xattrs (slow!) • seccomp could be used for acceleration https://github.com/rootless-containers/runrootless
8
 Copyright©2019 NTT Corp. All Rights Reserved. Unresolved issues (Contribution wanted!) • Lacks cgroup • cgroup2 (unified-mode) supports unprivileged mode but migration may take a few years… or even more • For cgroup1, pam_cgfs could be used instead, but not available in Fedora / RHEL due to a security concern • Kernel / VM / HW may have vulns • Not suitable for real multi-tenancy • gVisor might able to mitigate some of them
Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center Rootless build with BuildKit 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
10
 Copyright©2019 NTT Corp. All Rights Reserved. What is BuildKit? • Next-generation docker build with focus on performance and security • Accurate dependency analysis • Concurrent execution of independent instructions • Support injecting secret files... • Integrated to Docker since v18.06 (export DOCKER_BUILDKIT=1) • Non-Docker standalone BuildKit is also available • Works with Podman and CRI-O as well :P
11
 Copyright©2019 NTT Corp. All Rights Reserved. Rootless mode • Rootless mode allows building images as a non-root user • Dockerfile RUN instructions are executed as a “fake root” in UserNS (So apt-get/yum works!) • Produces Docker image / OCI image / raw tarball • Compatible with Rootless Docker / Rootless Podman / … whatever • Even works inside a container • Good for distributed CI/CD on Kubernetes • Works with default securityContext configuration (but seccomp and AppArmor needs to be disabled for nesting containers)
12
 Copyright©2019 NTT Corp. All Rights Reserved. Rootless BuildKit vs kaniko • https://github.com/GoogleContainerTools/kaniko • Kaniko runs as the root but “unprivileged” • No need to disable seccomp and AppArmor because kaniko doesn’t nest containers on the kaniko container itself • Kaniko might be able to mitigate some vuln that Rootless BuildKit cannot mitigate - and vice versa • Rootless BuildKit might be weak against kernel vulns • Kaniko might be weak against runc vulns
Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center OCI Image Spec & Distribution 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
14
 Copyright©2019 NTT Corp. All Rights Reserved. Open Containers Initiative Specifications • OCI Runtime Spec • How to create container from config JSON and rootfs dir • Based on Docker libcontainer (now runc) • OCI Image Spec • How to represent image layers for OCI runtimes • Based on Docker Image Manifest V2, Schema 2 • OCI Distribution Spec • How to distribute OCI images • Based on Docker Registry HTTP API
15
 Copyright©2019 NTT Corp. All Rights Reserved. Image layout /blobs/sha256/e692418e... /blobs/sha256/b5b2b2c5... /blobs/sha256/61be55a8... /blobs/sha256/3c3a4604... /blobs/sha256/3c3a4604... JSON JSON tar.gz tar.gz tar.gz Manifest • Merkle DAG structure ensures reproducibility of docker pull foo@sha256:e692418e… Container Config AUFS layer archives (for each Dockerfile FROM and RUN) v1.0Manifest list latest
16
 Copyright©2019 NTT Corp. All Rights Reserved. Image layout latest amd64 /blobs/sha256/e692418e... /blobs/sha256/b5b2b2c5... /blobs/sha256/61be55a8... /blobs/sha256/3c3a4604... /blobs/sha256/3c3a4604... JSON JSON tar.gz tar.gz tar.gz JSON Manifest list Manifest • Supports multi-arch (use BuildKit to build) Container Config latest arm64 AUFS layer archives (for each Dockerfile FROM and RUN)
17
 Copyright©2019 NTT Corp. All Rights Reserved. Image layout latest Ice Lake /blobs/sha256/e692418e... /blobs/sha256/b5b2b2c5... /blobs/sha256/61be55a8... /blobs/sha256/3c3a4604... /blobs/sha256/3c3a4604... JSON JSON tar.gz tar.gz tar.gz JSON Manifest list Manifest • And even multi-microarchitectures via qnib/metahub • https://metahub.qnib.org Container Config latest Broadwell Tesla M60 AUFS layer archives (for each Dockerfile FROM and RUN)
18
 Copyright©2019 NTT Corp. All Rights Reserved. Post-OCI image format? • Issues of current OCI v1 • Too coarse deduplication granularity • Containers cannot be started until the entire image is pulled • An alternative: CernVM-FS • Supports file-level deduplication rather than layer-level • Files are lazy-pulled on demand using FUSE • Integrating CernVM-FS to containerd is under discussion https://github.com/containerd/containerd/issues/2943
19
 Copyright©2019 NTT Corp. All Rights Reserved. Post-OCI image format? • ”OCI v2” https://github.com/openSUSE/umoci/issues/256 • Much finer deduplication granularity • No implementation yet • Container Registry Filesystem https://github.com/google/crfs • Focus on lazy-pulling CI images • IPCS https://github.com/hinshun/ipcs • IPFS integration for containerd

More Related Content

PDF
Comparing Next-Generation Container Image Building Tools
Akihiro Suda
 
PDF
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
PDF
[KubeCon NA 2020] containerd: Rootless Containers 2020
Akihiro Suda
 
PDF
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 
PDF
[KubeCon EU 2020] containerd Deep Dive
Akihiro Suda
 
PDF
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
Akihiro Suda
 
PDF
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
Akihiro Suda
 
PDF
Rootless Containers
Akihiro Suda
 
Comparing Next-Generation Container Image Building Tools
Akihiro Suda
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
Akihiro Suda
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
Akihiro Suda
 
[KubeCon EU 2020] containerd Deep Dive
Akihiro Suda
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
Akihiro Suda
 
[KubeConUS2019 Docker, Inc. Booth] Distributed Builds on Kubernetes with Bui...
Akihiro Suda
 
Rootless Containers
Akihiro Suda
 

What's hot (20)

PDF
Rootless Containers & Unresolved issues
Akihiro Suda
 
PDF
Rootless Kubernetes
Akihiro Suda
 
PPTX
Usernetes: Kubernetes as a non-root user
Akihiro Suda
 
PDF
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
Akihiro Suda
 
PDF
The State of Rootless Containers
Akihiro Suda
 
PDF
[DockerCon 2019] Hardening Docker daemon with Rootless mode
Akihiro Suda
 
PDF
[FOSDEM 2020] Lazy distribution of container images
Akihiro Suda
 
PDF
Upstate DevOps - Containers 101 - March 28, 2019
Allen Vailliencourt
 
ODP
Docker engine - Indroduc
Al Gifari
 
PDF
SCALE 2011 Deploying OpenStack with Chef
Matt Ray
 
PDF
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
PPTX
Java applications containerized and deployed
Anthony Dahanne
 
PPTX
A deep dive into container technology - Vietnam Web Summit 2020 (18/12/2020)
Dam Viet
 
PDF
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
PDF
containerdの概要と最近の機能
Kohei Tokunaga
 
PPTX
Secure container: Kata container and gVisor
Ching-Hsuan Yen
 
PPTX
Docker open stack boston
dotCloud
 
PDF
Docker and OpenStack Boston Meetup
Kamesh Pemmaraju
 
PDF
P2P Container Image Distribution on IPFS With containerd and nerdctl
Kohei Tokunaga
 
PDF
App container rkt
Xiaofeng Guo
 
Rootless Containers & Unresolved issues
Akihiro Suda
 
Rootless Kubernetes
Akihiro Suda
 
Usernetes: Kubernetes as a non-root user
Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
Akihiro Suda
 
The State of Rootless Containers
Akihiro Suda
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
Akihiro Suda
 
[FOSDEM 2020] Lazy distribution of container images
Akihiro Suda
 
Upstate DevOps - Containers 101 - March 28, 2019
Allen Vailliencourt
 
Docker engine - Indroduc
Al Gifari
 
SCALE 2011 Deploying OpenStack with Chef
Matt Ray
 
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
Java applications containerized and deployed
Anthony Dahanne
 
A deep dive into container technology - Vietnam Web Summit 2020 (18/12/2020)
Dam Viet
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
containerdの概要と最近の機能
Kohei Tokunaga
 
Secure container: Kata container and gVisor
Ching-Hsuan Yen
 
Docker open stack boston
dotCloud
 
Docker and OpenStack Boston Meetup
Kamesh Pemmaraju
 
P2P Container Image Distribution on IPFS With containerd and nerdctl
Kohei Tokunaga
 
App container rkt
Xiaofeng Guo
 
Ad

Similar to ISC HPCW talks (20)

PDF
DCSF19 Hardening Docker daemon with Rootless mode
Docker, Inc.
 
PDF
Build and run applications in a dockerless kubernetes world
Jorge Morales
 
PDF
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
 
PDF
Using Docker with OpenStack - Hands On!
Adrian Otto
 
PDF
Container Runtimes: Comparing and Contrasting Today's Engines
Phil Estes
 
PDF
Containers without docker | DevNation Tech Talk
Red Hat Developers
 
PDF
Building Containers: How Many Ways Are Too Many?
Vietnam Open Infrastructure User Group
 
PDF
Docker 0.11 at MaxCDN meetup in Los Angeles
Jérôme Petazzoni
 
PDF
Build and run applications in a dockerless kubernetes world - DevConf India 18
Jorge Morales
 
PDF
Docker and-containers-for-development-and-deployment-scale12x
rkr10
 
PPTX
Central Iowa Linux Users Group: November Meeting -- Container showdown
Andrew Denner
 
PDF
Docker_AGH_v0.1.3
Witold 'Ficio' Kopel
 
PDF
Navigating container technology for enhanced security by Niklas Saari
Metosin Oy
 
PDF
Docker Introduction + what is new in 0.9
Jérôme Petazzoni
 
PDF
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Jérôme Petazzoni
 
PDF
Docker from scratch
Michał Wójtowicz
 
PDF
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Daniel Oh
 
PDF
Introduction to Containers - From Docker to Kubernetes and everything in between
All Things Open
 
PPTX
SummerStudent17_HandsOn Data Cloud Computing.pptx
ssuserb53446
 
PDF
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 
DCSF19 Hardening Docker daemon with Rootless mode
Docker, Inc.
 
Build and run applications in a dockerless kubernetes world
Jorge Morales
 
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
 
Using Docker with OpenStack - Hands On!
Adrian Otto
 
Container Runtimes: Comparing and Contrasting Today's Engines
Phil Estes
 
Containers without docker | DevNation Tech Talk
Red Hat Developers
 
Building Containers: How Many Ways Are Too Many?
Vietnam Open Infrastructure User Group
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Jérôme Petazzoni
 
Build and run applications in a dockerless kubernetes world - DevConf India 18
Jorge Morales
 
Docker and-containers-for-development-and-deployment-scale12x
rkr10
 
Central Iowa Linux Users Group: November Meeting -- Container showdown
Andrew Denner
 
Docker_AGH_v0.1.3
Witold 'Ficio' Kopel
 
Navigating container technology for enhanced security by Niklas Saari
Metosin Oy
 
Docker Introduction + what is new in 0.9
Jérôme Petazzoni
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Jérôme Petazzoni
 
Docker from scratch
Michał Wójtowicz
 
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Daniel Oh
 
Introduction to Containers - From Docker to Kubernetes and everything in between
All Things Open
 
SummerStudent17_HandsOn Data Cloud Computing.pptx
ssuserb53446
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 
Ad

More from Akihiro Suda (20)

PDF
20250617 [KubeCon JP 2025] containerd - Project Update and Deep Dive.pdf
Akihiro Suda
 
PDF
20250616 [KubeCon JP 2025] VexLLM - Silence Negligible CVE Alerts Using LLM.pdf
Akihiro Suda
 
PDF
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
Akihiro Suda
 
PDF
20250403 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
PDF
20250402 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
PDF
20241115 [KubeCon NA Pavilion] Lima.pdf_
Akihiro Suda
 
PDF
20241113 [KubeCon NA Pavilion] containerd.pdf
Akihiro Suda
 
PDF
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
Akihiro Suda
 
PDF
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
Akihiro Suda
 
PDF
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
PDF
20240321 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
PDF
20240320 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
PDF
20240201 [HPC Containers] Rootless Containers.pdf
Akihiro Suda
 
PDF
[Podman Special Event] Kubernetes in Rootless Podman
Akihiro Suda
 
PDF
[KubeConNA2023] Lima pavilion
Akihiro Suda
 
PDF
[KubeConNA2023] containerd pavilion
Akihiro Suda
 
PDF
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
Akihiro Suda
 
PDF
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
PDF
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
Akihiro Suda
 
PDF
The internals and the latest trends of container runtimes
Akihiro Suda
 
20250617 [KubeCon JP 2025] containerd - Project Update and Deep Dive.pdf
Akihiro Suda
 
20250616 [KubeCon JP 2025] VexLLM - Silence Negligible CVE Alerts Using LLM.pdf
Akihiro Suda
 
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
Akihiro Suda
 
20250403 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20250402 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20241115 [KubeCon NA Pavilion] Lima.pdf_
Akihiro Suda
 
20241113 [KubeCon NA Pavilion] containerd.pdf
Akihiro Suda
 
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
Akihiro Suda
 
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
Akihiro Suda
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
Akihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
Akihiro Suda
 
[KubeConNA2023] Lima pavilion
Akihiro Suda
 
[KubeConNA2023] containerd pavilion
Akihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
Akihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
Akihiro Suda
 
The internals and the latest trends of container runtimes
Akihiro Suda
 

Recently uploaded (20)

PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
AI in Product Development-omnex systems
omnex systems
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 

ISC HPCW talks

  • 1. Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center My ISC HPCW Talks 1. Current state of rootless dockerd 2. Rootless build with BuildKit 3. OCI Image Spec & Distribution 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
  • 2. Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center Current state of rootless dockerd 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
  • 3. 3
 Copyright©2019 NTT Corp. All Rights Reserved. What is rootless dockerd? • Run Docker daemon (and also containers of course) as a non-root user • Don’t confuse with: • sudo • usermod -aG docker penguin • docker run --user • dockerd --userns-remap • Experimentally supported since Docker v19.03 https://get.docker.com/rootless Image: https://xkcd.com/149/
  • 4. 4
 Copyright©2019 NTT Corp. All Rights Reserved. Why? • For Cloud-Native envs: • To mitigate potential vulnerability of container runtimes and orchestrator • For HPC envs: • To run containers without the risk of breaking other users environments
  • 5. 5
 Copyright©2019 NTT Corp. All Rights Reserved. How it works: User Namespaces • User namespaces allow non-root users to pretend to be the root • Root-in-UserNS can have “fake” UID 0 and also create other namespaces (MountNS, NetNS..) • Unlike Singularity, NetNS can be unshared • By using either usermode TCP/IP stack (VPNKit, slirp4netns) or SETUID binary (lxc-user-nic)
  • 6. 6
 Copyright©2019 NTT Corp. All Rights Reserved. System requirements: /etc/{subuid,subgid} • If /etc/subuid contains “1001:100000:65536” • Having 65536 sub-users should be enough for most containers 0 1001 100000 165535 232Host UserNS primary user sub-users start sub-users length 0 1 65536
  • 7. 7
 Copyright©2019 NTT Corp. All Rights Reserved. Unresolved issues (Contribution wanted!) • Hard to maintain subuid & subgid in LDAP/AD envs • NSS module is being under discussion https://github.com/shadow-maint/shadow/issues/154 • Single-mapping mode w/o subuid & subgid is also under discussion • uses ptrace and xattrs (slow!) • seccomp could be used for acceleration https://github.com/rootless-containers/runrootless
  • 8. 8
 Copyright©2019 NTT Corp. All Rights Reserved. Unresolved issues (Contribution wanted!) • Lacks cgroup • cgroup2 (unified-mode) supports unprivileged mode but migration may take a few years… or even more • For cgroup1, pam_cgfs could be used instead, but not available in Fedora / RHEL due to a security concern • Kernel / VM / HW may have vulns • Not suitable for real multi-tenancy • gVisor might able to mitigate some of them
  • 9. Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center Rootless build with BuildKit 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
  • 10. 10
 Copyright©2019 NTT Corp. All Rights Reserved. What is BuildKit? • Next-generation docker build with focus on performance and security • Accurate dependency analysis • Concurrent execution of independent instructions • Support injecting secret files... • Integrated to Docker since v18.06 (export DOCKER_BUILDKIT=1) • Non-Docker standalone BuildKit is also available • Works with Podman and CRI-O as well :P
  • 11. 11
 Copyright©2019 NTT Corp. All Rights Reserved. Rootless mode • Rootless mode allows building images as a non-root user • Dockerfile RUN instructions are executed as a “fake root” in UserNS (So apt-get/yum works!) • Produces Docker image / OCI image / raw tarball • Compatible with Rootless Docker / Rootless Podman / … whatever • Even works inside a container • Good for distributed CI/CD on Kubernetes • Works with default securityContext configuration (but seccomp and AppArmor needs to be disabled for nesting containers)
  • 12. 12
 Copyright©2019 NTT Corp. All Rights Reserved. Rootless BuildKit vs kaniko • https://github.com/GoogleContainerTools/kaniko • Kaniko runs as the root but “unprivileged” • No need to disable seccomp and AppArmor because kaniko doesn’t nest containers on the kaniko container itself • Kaniko might be able to mitigate some vuln that Rootless BuildKit cannot mitigate - and vice versa • Rootless BuildKit might be weak against kernel vulns • Kaniko might be weak against runc vulns
  • 13. Copyright©2019 NTT Corp. All Rights Reserved. Akihiro Suda ( @_AkihiroSuda_ ) NTT Software Innovation Center OCI Image Spec & Distribution 5th Annual High Performance Container Workshop, ISC (June 20, 2019)
  • 14. 14
 Copyright©2019 NTT Corp. All Rights Reserved. Open Containers Initiative Specifications • OCI Runtime Spec • How to create container from config JSON and rootfs dir • Based on Docker libcontainer (now runc) • OCI Image Spec • How to represent image layers for OCI runtimes • Based on Docker Image Manifest V2, Schema 2 • OCI Distribution Spec • How to distribute OCI images • Based on Docker Registry HTTP API
  • 15. 15
 Copyright©2019 NTT Corp. All Rights Reserved. Image layout /blobs/sha256/e692418e... /blobs/sha256/b5b2b2c5... /blobs/sha256/61be55a8... /blobs/sha256/3c3a4604... /blobs/sha256/3c3a4604... JSON JSON tar.gz tar.gz tar.gz Manifest • Merkle DAG structure ensures reproducibility of docker pull foo@sha256:e692418e… Container Config AUFS layer archives (for each Dockerfile FROM and RUN) v1.0Manifest list latest
  • 16. 16
 Copyright©2019 NTT Corp. All Rights Reserved. Image layout latest amd64 /blobs/sha256/e692418e... /blobs/sha256/b5b2b2c5... /blobs/sha256/61be55a8... /blobs/sha256/3c3a4604... /blobs/sha256/3c3a4604... JSON JSON tar.gz tar.gz tar.gz JSON Manifest list Manifest • Supports multi-arch (use BuildKit to build) Container Config latest arm64 AUFS layer archives (for each Dockerfile FROM and RUN)
  • 17. 17
 Copyright©2019 NTT Corp. All Rights Reserved. Image layout latest Ice Lake /blobs/sha256/e692418e... /blobs/sha256/b5b2b2c5... /blobs/sha256/61be55a8... /blobs/sha256/3c3a4604... /blobs/sha256/3c3a4604... JSON JSON tar.gz tar.gz tar.gz JSON Manifest list Manifest • And even multi-microarchitectures via qnib/metahub • https://metahub.qnib.org Container Config latest Broadwell Tesla M60 AUFS layer archives (for each Dockerfile FROM and RUN)
  • 18. 18
 Copyright©2019 NTT Corp. All Rights Reserved. Post-OCI image format? • Issues of current OCI v1 • Too coarse deduplication granularity • Containers cannot be started until the entire image is pulled • An alternative: CernVM-FS • Supports file-level deduplication rather than layer-level • Files are lazy-pulled on demand using FUSE • Integrating CernVM-FS to containerd is under discussion https://github.com/containerd/containerd/issues/2943
  • 19. 19
 Copyright©2019 NTT Corp. All Rights Reserved. Post-OCI image format? • ”OCI v2” https://github.com/openSUSE/umoci/issues/256 • Much finer deduplication granularity • No implementation yet • Container Registry Filesystem https://github.com/google/crfs • Focus on lazy-pulling CI images • IPCS https://github.com/hinshun/ipcs • IPFS integration for containerd