On 12/1/2015 10:16 AM, Neil Davies wrote:
> Jeffrey
> 
> I'm not certain I agree with the security logic. It rather reduces some of 
> the deployment use-cases (and hence
> the potential economic value).
> 
> There are several scenarios where you want the security information _inside_ 
> the 'container'; this makes the 
> container (say a VM of some kind) more mobile.
> 
> It also depends on the trust structure - it is not always going to be the 
> case that the outer system is deemed
> more privileged than the inner one - telcos are looking to "sell" containers 
> in their networks (part of NFV); in that
> case you would want your container to hold the secret information.
> 
> Neil 

People sell a lot of things that are inappropriate.  A Container is not
a recursive virtual machine.  It doesn't have the security isolation
that a virtual machine can obtain from the processors.  Containers are
an alternative light-weight packaging model that relies upon namespace
virtualization to permit applications and data to be packaged, deployed,
replaced, and replicated across operating system images that might not
be identical.  Containers are intended to separate the management of
application functions from the management of the operating systems on
which they are executed.  However, one thing they do not provide is a
security barrier.

If you need the inner to be more privileged than the outer, then you
must be using recursive virtual machines with processor support for
isolation.

I would not for example put an OpenAFS server running as a Container
onto a host that I do not control.  To do so would be to expose the
cell-wide AFS key to the entity that controls the host.  Deploying
OpenAFS binaries as a Container so that I can easily transition and
rollback OpenAFS releases without requiring whole VM snapshots is a
perfectly reasonable thing to do if:

 1. I control the host OS

 2. I am willing to pay the overhead costs of increased latency
    for network and disk I/O caused by the namespace virtualization

I simply do not see Containers as a method of securely deploying
applications with keys independent of controlling the host the Container
is executing on.

Jeffrey Altman
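Added example, not part of the thread above: a short Linux script that plays the host side of Jeffrey's argument. A container is an ordinary process on the host kernel with some namespaces applied, so whoever controls the host can inspect it through /proc like any other process. Here a plain child process stands in for the container (no container runtime is involved), it holds a constructed "cell key" in its environment and in a KeyFile under its working directory, and the "host" reads both back through /proc/<pid>/. The key value, the variable name AFS_CELL_KEY and the KeyFile name are assumptions for illustration only.

```python
"""
Added example (not from the thread): a container's secret is readable by
whoever controls the host, because the container is just a host process
with namespaces applied. Stand-in only: a plain child process takes the
place of the container, and no container runtime is involved. Linux only.
"""
import os
import shutil
import subprocess
import sys
import tempfile

# Constructed sample secret standing in for something like a cell-wide AFS key.
CELL_KEY = "constructed-cell-key-0123456789abcdef"


def start_container_stand_in(key):
    """Launch a long-lived child that holds `key` both in its environment
    and in a KeyFile under its working directory, the way a service
    packaged as a container would. Returns (Popen, workdir)."""
    workdir = tempfile.mkdtemp(prefix="container-root-")
    with open(os.path.join(workdir, "KeyFile"), "w") as f:
        f.write(key)
    env = dict(os.environ, AFS_CELL_KEY=key)  # assumed variable name
    # Popen returns only after exec() has succeeded, so /proc/<pid>/environ
    # already reflects the environment passed here.
    proc = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(60)"],
        env=env, cwd=workdir,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return proc, workdir


def read_environ_from_host(pid):
    """Host side: read the target's environment block from
    /proc/<pid>/environ (NUL-separated KEY=VALUE entries)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        raw = f.read()
    entries = (e.decode("utf-8", "replace") for e in raw.split(b"\0") if e)
    return dict(e.split("=", 1) for e in entries if "=" in e)


def read_file_from_host(pid, relpath):
    """Host side: read a file out of the target's filesystem view by going
    through /proc/<pid>/cwd. For a real container the analogous path is
    /proc/<pid>/root/<path>, which resolves inside the container's mount
    namespace regardless of what the host itself has mounted."""
    with open(f"/proc/{pid}/cwd/{relpath}") as f:
        return f.read()


def recover_secret():
    """Run the whole demonstration and return what the host could see."""
    if not sys.platform.startswith("linux"):
        raise RuntimeError("needs Linux /proc")
    proc, workdir = start_container_stand_in(CELL_KEY)
    try:
        return {
            "from_environ": read_environ_from_host(proc.pid).get("AFS_CELL_KEY"),
            "from_filesystem": read_file_from_host(proc.pid, "KeyFile"),
        }
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for source, value in recover_secret().items():
        print(f"{source}: {value}")
```

Both lookups return the key. Against a real container the host operator does the same thing after finding the container's host-side pid (for Docker, `docker inspect` reports it), or simply enters the container's namespaces with `nsenter`; no namespace stops the host kernel's own /proc from exposing the process, which is the point that processor-backed VM isolation addresses and namespace virtualization does not.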
