Cgroups for the best
Using container technologies as a PaaS provider
@m4d_z
You Wanna Use
Microservices
Reminder: Microservices
Microservices
Do You Need Microservices?
When not using them?
The Multi-Languages Architecture
Isolation Benefits
You may think that Isolation means Containers
like k8s, LXC/Jails, Virtual Machines…
but You’re Wrong
The POSIX Basics
You do not need containers
You need a safe isolation system
The Underlying Technology: Cgroups
Running On Your Own
We built a Cloud Platform
before the Cloud Era,
15 years ago
Cloud Definition
Cgroups Based Isolation
# ls -l /sys/fs/cgroup/system.slice/container.service/users/intranet/proxy/apache.upstream
-r--r--r-- 1 root root 0 Apr 13 14:37 cgroup.controllers
-r--r--r-- 1 root root 0 Apr 13 14:37 cgroup.events
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.freeze
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.max.depth
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.max.descendants
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.procs
-r--r--r-- 1 root root 0 Apr 13 14:37 cgroup.stat
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.subtree_control
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.threads
-rw-r--r-- 1 root root 0 Apr 13 14:37 cgroup.type
...
# cat /sys/fs/cgroup/[...]/apache.upstream/cgroup.procs
986352
1297585
1297586
1297587
3598699
Setting the Limits
# cat /sys/fs/cgroup/[...]/apache.upstream/memory.max
4294967296
Orchestrating: Running the Containers
Interfacing: PAM and iptables
Bonus
Patching the Kernel
prevents iptables use
diff -ru linux-5.10.1/net/ipv4/af_inet.c linux-5.10.1~/sources/net/ipv4/af_inet.c
--- linux-5.10.1/net/ipv4/af_inet.c 2020-12-14 19:33:01.000000000 +0100
+++ linux-5.10.1~/net/ipv4/af_inet.c 2020-12-16 15:16:26.195915654 +0100
@@ -464,10 +464,23 @@
struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
struct inet_sock *inet = inet_sk(sk);
struct net *net = sock_net(sk);
- unsigned short snum;
+ unsigned short snum = ntohs(addr->sin_port);
int chk_addr_ret;
u32 tb_id = RT_TABLE_LOCAL;
int err;
+ int gid = current_gid().val;
+
+ if (gid >= 2000 && addr->sin_port) {
+ int ad_requested_ip = ntohl(addr->sin_addr.s_addr);
+ int ad_private_ip = 0x7f000000 | gid;
+
+ if (ad_requested_ip == INADDR_ANY && snum >= 8000 && snum < 8300)
+ addr->sin_addr.s_addr = htonl(ad_private_ip);
+ else if ((ad_requested_ip & 0xff000000) == 0x7f000000 &&
+ (ad_requested_ip & 0x00ffffff) != gid &&
+ (ad_requested_ip & 0x00ffffff) >= 2000)
+ return -EACCES;
+ }
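Review bot: the new block has no upper bound on `gid`, yet both `int ad_private_ip = 0x7f000000 | gid;` and `(ad_requested_ip & 0x00ffffff) != gid` assume the gid fits in 24 bits; a gid at or above 0x01000000 would spill into the 127/8 prefix and alias another tenant's loopback address, so add `gid < 0x01000000` to the `if (gid >= 2000 && addr->sin_port)` condition (or reject such gids outright). The address variables should also be `u32` rather than `int`: `ntohl()` returns an unsigned 32-bit value and the masks are unsigned, so mixing them with signed `int` invites sign-conversion surprises in the comparisons. Note too that only INADDR_ANY binds on ports 8000-8299 are redirected to the per-gid address; a tenant binding INADDR_ANY on any other port is neither rewritten nor refused, which is worth stating explicitly if it is intentional. Finally, the magic numbers 2000, 8000, 8300 and the 127.x.x.x-per-gid scheme deserve named constants and a comment describing the policy, and `snum = ntohs(addr->sin_port)` at the declaration makes the function's later assignment of `snum` redundant.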
Bonus
Forbid process read-access
to other users
Going Further: Namespaces
POSIX & Cgroups instead of Containers?
mkdir
& tee
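As an added example that is not part of the talk or of the platform it describes, the mkdir-and-tee procedure summarised here, applied to the apache.upstream leaf shown in the cgroup listing earlier: the memory and pids controllers are delegated on the parent, the leaf is created, memory.max is set to the 4294967296 value shown on the "Setting the Limits" slide, and a PID is moved in. CGROUP_ROOT, the cg_* function names and the parent path container.service are assumptions; it needs a cgroup v2 mount and root (or a delegated subtree).

```shell
#!/bin/sh
# Added example, not code from the talk: build a cgroup v2 leaf with only
# mkdir and tee. Assumes cgroup v2 mounted at CGROUP_ROOT (default
# /sys/fs/cgroup); the parent name and cg_* names are assumptions.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# cg_create PARENT NAME : delegate the memory and pids controllers to the
# children of PARENT, then create the leaf. Prints the leaf path.
cg_create() {
  parent="$CGROUP_ROOT/$1"
  leaf="$parent/$2"
  [ -d "$parent" ] || return 1
  # a child can only use controllers enabled in its parent's subtree_control
  printf '+memory +pids\n' | tee "$parent/cgroup.subtree_control" >/dev/null || return 1
  mkdir -p "$leaf" || return 1
  printf '%s\n' "$leaf"
}

# cg_limit LEAF BYTES : set the hard memory ceiling (memory.max) and read it
# back, so a write the kernel rejected (controller not delegated, bad value)
# is reported instead of silently leaving the leaf unlimited.
cg_limit() {
  leaf="$1"
  bytes="$2"
  printf '%s\n' "$bytes" | tee "$leaf/memory.max" >/dev/null || return 1
  [ "$(cat "$leaf/memory.max")" = "$bytes" ]
}

# cg_attach LEAF PID : move one process (all of its threads) into the leaf.
cg_attach() {
  printf '%s\n' "$2" | tee "$1/cgroup.procs" >/dev/null
}

# cg_members LEAF : list the PIDs currently in the leaf, one per line.
cg_members() {
  cat "$1/cgroup.procs"
}

# Typical use on a real host (run as root):
#   leaf=$(cg_create system.slice/container.service apache.upstream)
#   cg_limit "$leaf" 4294967296
#   cg_attach "$leaf" "$PID_OF_APACHE"
```

Two cgroup v2 rules shape this: processes may only live in leaf cgroups (the "no internal process" rule), which is why the parent is only used for delegation, and writing a controller's files in a child fails unless the parent lists that controller in cgroup.subtree_control, which is what the readback in cg_limit catches. Writing to cgroup.procs moves the whole process; the cgroup.threads file in the listing is for moving individual threads within a threaded subtree.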
You don’t explicitly need
k8s or whatever
You need fair Isolation
on a reliable Platform
Be ready for the Future now
The Wasm-Serverless
based Architecture 🥳
https://talks.m4dz.net/cgroups/en/ Available under licence CC BY-SA 4.0
m4dz, CC BY-SA 4.0
Source code available at
https://git.madslab.net/talks