Enforce a Global Security Policy for User Access to Clustered Container Systems via User Namespace Sharing
Ioan Stan, D. Rosner, Ștefan-Dan Ciocîrlan
2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet), published 2020-12-11
DOI: 10.1109/RoEduNet51892.2020.9324866 (https://doi.org/10.1109/RoEduNet51892.2020.9324866)
With the advancement of containerization technologies and the isolation mechanisms provided by the Linux kernel through features like namespaces and cgroups, the question arises whether total isolation in containers (a virtual enclave) provides an increased level of security in all use cases. In this paper we explore the idea of unifying the container's user namespace with the host system's user namespace, to validate whether this approach can increase overall security in some areas of use. Such an approach can facilitate the implementation of complex, fine-grained access policies and reduce the weak points that can lead to privilege-escalation attacks. We explore how different containerization engines can be configured to support user namespace unification and show why the Singularity containerization engine is a perfect fit for our purposes. In addition, we propose a concept architecture for an academic cluster that natively supports the enforcement of a unified user access policy on both the underlying nodes and the containers running on them.
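As an added example (not code from the paper, nor from Singularity or Docker), the following Python script shows the kernel mechanism the abstract's argument rests on: the per-process user-namespace mapping exposed in /proc/<pid>/uid_map, where each line is "<inside-uid> <outside-uid> <count>". When the container shares the host's user namespace the map is the identity map, so the uid a process has inside the container is exactly the uid the kernel uses for permission checks on host and shared-filesystem files, and the host's access policy applies unchanged. Under a remapped namespace (Docker's userns-remap or a rootless engine) every uid has to be translated, and uids outside the map are unmapped and surface as the overflow uid. The three sample maps below are constructed for illustration; the subordinate range 100000:65536 is a typical value and is not taken from the paper.

```python
"""Decide whether a process's uids pass straight through to the host, and
translate uids across a user-namespace mapping, using the kernel's
/proc/<pid>/uid_map format ("<inside-uid> <outside-uid> <count>" per line).
Added example; not code from the paper or from any container engine."""

# Constructed sample maps (not captured from a real cluster).
IDENTITY_MAP = "         0          0 4294967295\n"   # initial (host) namespace: uids unchanged
REMAPPED_MAP = "         0     100000      65536\n"   # e.g. dockerd --userns-remap: root -> 100000
MULTI_MAP = ("         0       1000          1\n"     # rootless engine: container root -> user 1000
             "         1     100000      65536\n")    # container uids 1..65536 -> subordinate range

OVERFLOW_UID = 65534  # kernel default for /proc/sys/kernel/overflowuid


def parse_uid_map(text):
    """Return a list of (inside, outside, count) tuples from uid_map text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError("non-positive range length in uid_map line: %r" % line)
        entries.append((inside, outside, count))
    return entries


def is_shared_with_host(text):
    """True when the map is the identity map over the whole uid space: uids
    inside the container are the uids the host kernel checks against file
    ownership, which is the situation the paper calls user namespace
    unification."""
    return parse_uid_map(text) == [(0, 0, 4294967295)]


def to_host_uid(inside_uid, text):
    """Translate a uid as seen inside the namespace to the host uid used for
    permission checks. Returns None for an unmapped uid (the kernel presents
    such ids as OVERFLOW_UID, and no host file can be owned by them)."""
    for inside, outside, count in parse_uid_map(text):
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def current_process_map(path="/proc/self/uid_map"):
    """Read the live map of this process (Linux only); None where unavailable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    live = current_process_map()
    if live is not None:
        print("this process's uids pass through to the host:", is_shared_with_host(live))
    print("remapped: container uid 0 ->", to_host_uid(0, REMAPPED_MAP))          # 100000
    print("remapped: container uid 70000 ->", to_host_uid(70000, REMAPPED_MAP))  # None (unmapped)
    print("rootless: container uid 0 ->", to_host_uid(0, MULTI_MAP))             # 1000
    print("rootless: container uid 1001 ->", to_host_uid(1001, MULTI_MAP))       # 101000
    print("shared: container uid 1000 ->", to_host_uid(1000, IDENTITY_MAP))      # 1000
```

Run on Linux, the script also reports whether the calling process's own map is the identity map; a Singularity container started in its default setuid mode runs as the invoking user without creating a user namespace, so it shows the same map as the host shell, whereas a Docker daemon with userns-remap enabled shows a map like REMAPPED_MAP. One caveat: an identity map only says that uids are passed through unchanged, not that the process is in the initial user namespace (a privileged parent can hand a child namespace the full range), so treat it as a check on the uid semantics that file permissions depend on, not as proof of the absence of a namespace.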