Presenters
Source
🚀 Delegating Privileges to Containers: A Deep Dive with Cuber & VFS 🌐🛠️
Containerization has revolutionized how we build and deploy applications, but when virtual machines (VMs) enter the picture, things get a bit more complicated. How do you share files between a VM and its host while maintaining robust security? That’s the challenge Alich (Cuber maintainer) and Herman tackled in a fascinating presentation exploring privilege delegation within the Cuber environment. Let’s dive in!
The Challenge: Sharing Files Securely 🎯
Sharing file systems between VMs and their hosts is a common need. However, this often requires privileged operations – essentially, granting access that could compromise security. The team behind Cuber – a Kubernetes extension for managing VMs – set out to find a solution that avoids granting full root privileges while still enabling this critical functionality. It’s a delicate balancing act, and as you’re about to see, it’s not as straightforward as you might think!
The Tech Stack: Cuber, VFS, and the OCI Runtime 👨💻
Let’s quickly introduce the key players:
- Cuber: Think of Cuber as an extension to Kubernetes, specifically designed to manage virtual machines. It allows you to treat VMs like containers, simplifying their deployment and management.
- VFS (Virtual File System): This component is the hero of our story. It’s responsible for enabling that file system sharing between the VM and the host.
- OCI Runtime: The underlying container runtime, the foundation upon which everything is built.
Solutions Explored: A Journey of Trials and Tribulations 💡
The team didn’t just jump to their current solution. They experimented with several approaches, each with its own set of challenges. Let’s take a look at what they tried and why it didn’t quite work out.
- Capd Search (Sidecar): Initially, a sidecar container seemed promising. This approach involves a separate container running alongside the main container, responsible for managing capabilities. However, the team ran into a roadblock: cluster-wide security profiles often prevent granting the necessary capabilities, even within a pod. Plus, the possibility of users gaining access to the sidecar container itself introduced a new security concern.
- Second Notifiers: This Kubernetes mechanism allows for monitoring and potentially modifying container system calls. Unfortunately, this approach presented some significant limitations:
- Monitoring Process Restart Issues: When the monitoring process restarts, the file descriptor is lost. Recovering from this loss requires a mechanism that’s currently unavailable.
- Kernel Limitations: The system can’t recover system call requests that are already in progress when the monitoring process dies. This is a critical limitation when dealing with ongoing file system operations.
The Current Solution: The Dispatcher – A Necessary Compromise 🤖
After exploring the alternatives, the team landed on a solution they call the “Dispatcher.” While it works, it’s not without its compromises:
- A privileged process is launched within the VFS container.
- This process then joins the namespaces and cgroups of the target container (also a VFS container). Essentially, it integrates itself into the target container’s environment.
- It reparents the main process of the target container, taking control of its execution.
- Finally, it forwards standard output and input, enabling communication between the VM and the host.
Why is this a compromise? Because it breaks the standard Open Container Initiative (OCI) container boundaries. This means the solution deviates from the expected behavior of containers and introduces a dummy process within the container. It’s a workaround born out of necessity.
Looking Ahead: A Secure Future for File Sharing ✨📡
The team isn’t content with the current Dispatcher solution. Their ultimate goal is to leverage secure file handles within the kernel. This would significantly simplify the privilege delegation process, eliminating the need for the Dispatcher altogether. They are actively awaiting improvements to both the kernel and Kubernetes to make this vision a reality.
Key Takeaways 💾
- Balancing security and functionality in containerized environments, especially when dealing with VMs, is a complex challenge.
- Sometimes, compromises are necessary to achieve the desired functionality.
- The team’s work highlights the ongoing evolution of container technology and the constant search for more secure and efficient solutions.
The presentation was a fascinating glimpse into the challenges of building and maintaining complex container orchestration systems. It’s a testament to the dedication of the Cuber team and a reminder that innovation often requires navigating difficult tradeoffs.