Tycho Andersen

Running application containers within Kubernetes presents a challenge to the operator for quickly handling security updates - every container must be patched, rebuilt and re-tested, and then updated separately. The slowest dev turnaround of all your containers is the fastest you can fully update your cluster.

However, for many fixes, the application likely will not care which compatible version of a system library it is using. Using AtomFS, operators can update individual libraries inside app containers without a rebuild. Containers using an AtomFS storage backend can simply be restarted after a fix is applied, and they will see it reflected in their filesystems.

The AtomFS storage backend requires minor changes to your container runtime, and we demonstrate it with the LXC runtime and crio-lxc, an adapter to enable using LXC-based containers in Kubernetes using CRI-O.

In this talk Tycho will cover how AtomFS works, what changes are needed to make application container builds work with AtomFS, and fix an exploit live without a rebuild.

Operators today have a problem when they want to update application containers: they have to go ask the developers to re-build and re-test the container. That's because application containers today are a bit-for-bit representation of the container that the developer ran.

An insight here is that applications probably don't care about which versions of what libraries are in use: any reasonable libc, python3, ssl, etc. will do. But today, to fix a CVE in SSL, an entire container rebuild is required.

Enter AtomFS. AtomFS is an entirely userspace tool designed to allow operators to update individual libraries inside app containers. In this talk Tycho will cover how the tooling works, as well as what changes are needed to make application container builds work with AtomFS.

In this talk, I will describe SECCOMPUSERNOTIF, a new seccomp return type under development to forward syscalls to another userspace daemon. This would allow container engines to transparently hook syscalls like mount or modprobe, enabling applications inside containers to use these syscalls without modification.

I'll give a brief overview of how we're (LXD) planning to (or hopefully by FOSDEM actually) using p.haul.