name: Containers
class: center, middle, cyan

---
class: center, middle, azure
.left-column[
### Who?
]
.right-column[
## "Palinuro"
Parrot Security
Caine Forensics
Debian PKG-Security
Miscellaneous
]

---
class: center, middle, azure
.left-column[
### Who?
]
.right-column[
## "Palinuro"
Parrot Security
Caine Forensics
Debian PKG-Security
Miscellaneous
#### For mum and dad: Lorenzo Faletra
]

---
class: center,middle,orange
# Containers
---
class: center,middle,dark
## A quick look at virtualization

---
class: center,middle,dark
### 1) Language Virtual Machines
### 2) ABI Virtual Machines
### 3) System Virtual Machines

---
class: center,middle,dark
## Language Virtual Machines
* Java JVM
* Python Virtual Machine (CPython / PyPy)
* Parrot VM (Perl 6)
* .NET CLR / Mono

---
class: center,middle,dark
## ABI Virtual Machines
* QEMU user suite
* Cross-architecture chroots
* Debian sbuild

---
class: center,middle,dark
## System Virtual Machines
### Abstraction of:
* computing (CPU/RAM)
* storage
* network
### Technologies:
* QEMU system / KVM
* VirtualBox
* VMware

---
class: center,middle,dark
## Problems with virtualization
* Computing performance
* In-file storage performance
* Resource sharing (ballooning)
* Nested security
* Provisioning workflow

---
class: center,middle,azure
### How different are containers?

---
class: center,middle,azure
# Computing performance
### Same kernel, multiple userlands
### 100% native speed

---
class: center,middle,azure
# Storage performance
### Files, folders, subvolumes
### Remotes, in-memory overlays

---
class: center,middle,azure
# Resource sharing
### Native processes on shared memory

---
class: center,middle,azure
# Nested security
### Unprivileged containers

---
class: center,middle,azure
# Provisioning
### Templates, fast deployment

---
class: center,middle
## Under the hood

---
class: center,middle
## Under the hood (kernel side)
* Namespaces
* Cgroups
* Seccomp

---
class: middle
## Namespaces
* MNT - mount namespaces
* PID - process ID namespaces
* USER - user ID namespaces
* NET - network namespaces
* IPC - inter-process communication namespaces
* UTS - hostname/domain namespaces
* CGROUP - resource control groups (external)

---
class: middle
## Cgroups
* Resource limiting (CPU/RAM/storage)
* Resource isolation (namespaces)
* Prioritization (nice / IO)
* Accounting (usage logging / billing)

---
class: center,middle
## Seccomp
#### Syscall isolation (strict mode: only these four syscalls are allowed)
* exit()
* sigreturn()
* read()
* write()

---
class: center,middle
## Seccomp-bpf
### Fine-grained selection of the permitted syscalls

---
class: center,middle
## AppArmor
### Fine-grained selection of access to resources

---
class: center,middle,gray
## First contact - firejail
---
class: center,middle,gray
## firejail
Firejail was created to sandbox processes using AppArmor, seccomp, cgroups and namespaces.
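---
class: middle

The seccomp-bpf slide above and firejail's seccomp layer both come down to a syscall allow-list; what follows is an added example (not firejail's or the slides' own code) of how such a filter is built, checked and installed. The names build_filter, run_filter and install_filter are chosen here, and the architecture check plus the PR_SET_NO_NEW_PRIVS step are requirements of the kernel seccomp API rather than something the slides state.

```c
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Pin the ABI: syscall numbers differ per architecture, so a filter must check it first. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif
/* Emit the allow-list: check arch, then "if nr == X: ALLOW" per entry, else KILL. Needs 2*n+5 slots. */
size_t build_filter(struct sock_filter *prog, size_t cap, const int *allowed, size_t n)
{
    size_t i, p = 0;
    if (cap < 2 * n + 5) return 0;
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) {
        prog[p++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], 0, 1);
        prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[p++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return p;
}
/* Evaluate the program on one seccomp_data as the kernel would (only the three opcodes used above). */
unsigned int run_filter(const struct sock_filter *prog, size_t n, const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct sock_filter *in = &prog[pc++];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? d->arch : (unsigned int)d->nr;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
    }
    return SECCOMP_RET_KILL; /* fell off the end; cannot happen for build_filter() output */
}
/* Install it. PR_SET_NO_NEW_PRIVS is required for unprivileged callers and blocks setuid gains. */
int install_filter(struct sock_filter *prog, size_t n)
{
    struct sock_fprog fp = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp, 0, 0);
}
```

Once install_filter() returns 0, any syscall outside the list terminates the process, so the list must also cover what the sandboxed program needs to exit cleanly (for example exit_group).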
---
class: center,gray
### Hands-on

---
class: center,middle,azure
## Pure containerization
---
class: middle,azure
## Docker
Docker was created to use containerization technologies for fast deployment of microservices (one process per container).
---
class: center,middle,azure
## Parrot-core docker template

---
class: center,middle,azure
## Parrot-core Dockerfile

---
class: center,middle,azure
## Parrot Dockerfile
---
class: center,azure
### Hands-on

---
class: center,middle,orange
## Hybrid solution - LXD

---
class: center,middle,orange
## Hybrid solution - LXD
LXD was created to offer a containerization technology that can be used like a classic virtual machine: it orchestrates LXC and makes it possible to automate very sophisticated multi-node and multi-site setups.
---
class: center,orange
### Simplified tooling via CLI or REST API

---
class: center,orange
### Advanced management of
computing and networking (namespaces and cgroups)

---
class: center,orange
### Advanced storage features
thanks to BTRFS

---
class: center,middle,orange
## Clustering
### Multi-node and multi-site

---
class: center,middle,orange
## Snapshotting
cloning and live migration

---
class: center,orange
### Hands-on

---
class: center, middle