![Page 1: Multi-tenancy Virtualization - Fedora People · Multi-tenancy Virtualization Challenges & Solutions Daniel J Walsh Mr SELinux, Red Hat Date 06.28.12](https://reader033.vdocuments.net/reader033/viewer/2022042215/5ebbb5b2681faa47d369d568/html5/thumbnails/1.jpg)
Page 2
Multi-tenancy Virtualization
Challenges & Solutions
Daniel J Walsh, Mr SELinux, Red Hat. Date 06.28.12
Page 3
What is Cloud?
Page 4
What is IaaS?
IaaS = Infrastructure-as-a-Service
Page 5
What is PaaS?
PaaS = Platform-as-a-Service (AKA, a Cloud Application Platform)
Code. Deploy. Enjoy.
Save Time and Money: code your app, push-button deploy, and your app is running in the Cloud!
Page 6
OpenShift is PaaS by Red Hat
Page 7
What should you look for when choosing where to live?
cgroups
Page 8
Photo: Alicia Nijdam, Flickr, Attribution 2.0 Generic (CC BY 2.0)
Quality???
Page 9
Quality!!!
Page 10
Broad ISV Choice, Database Choice
Red Hat Enterprise Linux certified on more platforms than any other OS, from desktop to mainframe
Page 11
Red Hat Enterprise Linux is Rock Solid
● Systems to 108 cores, 2 TB RAM, 16 I/O slots
● Designed to scale to 4,096 cores and up to 64 TB RAM
● Industry benchmarks show near-linear scaling to 64+ cores
● Resource management: cgroups
● Integrated hypervisor
● Migrate VMs regardless of hardware
● Self healing, automatic isolation of CPU/RAM
● Improved hardware awareness of multi-core and NUMA
● Energy efficient power management features
Page 12
Maintenance ???
Page 13
Maintenance of the Building
Maintenance !!!
Photo: nayukim, Flickr, Attribution 2.0 Generic (CC BY 2.0)
Page 14
Red Hat Enterprise Linux Updates are Great!!!
DON'T RIP out/replace the foundation, but repair/improve it.
● Released once or twice a year
● Bug fixes and hardware enablement
● New features in minor releases are the exception
● Extended Update Support (EUS) program
● Security fixes and bug fixes for high-priority issues are released asynchronously and don't wait for minor releases
● Why risk your data with knock-offs?
Page 15
External Security ???
Photo: ogimogi, Flickr, Attribution 2.0 Generic (CC BY 2.0)
Page 16
External Security !!!
Page 17
Privileged & Confidential
Red Hat Security Response Team
● Goal: quickly address security issues that arise in products
● Established over 11 years, members span 10 countries
● Monitor vulnerabilities/threats from public/private sources
● Triage vulnerability severity and determine fix strategy
● Produce communications to customers
● Manage the process to get the right fix out at the right time
● 99.7% response within one business day of receipt
Page 18
How we find out about the vulnerabilities
[Pie chart of vulnerability sources; seven slices, labelled:]
● Vulnerability clearing centers such as CERT/CC
● Mitre CVE project
● Individual (issue tracker, bugzilla, secalert)
● Relationship with peer vendors
● Red Hat found the flaw
● Relationship with upstream project
● Monitoring public mailing lists and sites
Slice sizes shown on the chart: 1%, 7%, 11%, 11%, 12%, 16%, 42%
Data: 12 months to March 1 2012, 733 vulnerabilities
36% of the vulnerabilities were reported to us in advance of public disclosure
Page 19
Internal Security: Controlling Tenants
Photo: nayukim, Flickr, Attribution 2.0 Generic (CC BY 2.0)
Page 20
Photo: ktow, Flickr, Attribution 2.0 Generic (CC BY 2.0)
Internal Security: Same Tools?
Page 21
Hypervisor Vulnerabilities
● Hypervisor == all code used to run tenants
● Not theoretical
● Potentially huge payoffs
● Xen already compromised
● Even Red Hat Enterprise Linux 5
● Google "vmware vulnerabilities" - 500,000 hits
● Big topic at Black Hat conference
Page 22
[Diagram: Linux Kernel hosting VM 1, VM 2, VM 3, with disk images Image1, Image2, Image3 ... ImageN]
Virtual machine processes all have equal access to the system...
Page 23
[Diagram: same layout; VM 1 now runs a Web application]
...if application on virtual machine is attacked...
Page 24
...compromised...
Page 25
...and gets a privilege escalation...
Page 26
...and your machine has a Hypervisor Vulnerability...
Page 27
...but not just the running VMs and host, but all images...
Page 28
Popular Science Magazine April 2011
Page 29
SELinux to the rescue
SELinux is all about labeling
● SELinux: all processes get labels
● KVM VMs are processes!!!
● SELinux: all files/devices get labels
● KVM virtual images are stored on files/devices!!!!
● SELinux policy governs which process labels may access which process/file labels
● The kernel enforces these rules
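As an added illustration of the labeling argument above (this is the editor's code, not code from the slides, from libvirt or from the sVirt policy), the script below parses contexts in the form sVirt assigns, `svirt_t:s0:c12,c40` for a guest's qemu process and `svirt_image_t:s0:c12,c40` for its disk image, and applies the two gates the kernel applies: the (process type, file type) pair must be allowed by policy, and the process's MCS level must dominate the file's, meaning its category set is a superset. The `TE_ALLOW` set is a hand-picked assumption standing in for the real policy, and the `ps -eo label,pid,comm` and `ls -Z` lines are constructed, not captured. The check a practitioner wants is the last function: an image labelled svirt_image_t with no categories at all is dominated by every guest and therefore reachable by every guest.

```python
import re
from dataclasses import dataclass

# Type-enforcement pairs (process type, file type) treated as allowed.
# Hand-picked subset for this illustration; the real policy is far larger.
TE_ALLOW = {
    ("svirt_t", "svirt_image_t"),   # running guest -> its relabelled image
    ("virtd_t", "svirt_image_t"),   # libvirtd manages every running image
    ("virtd_t", "virt_image_t"),    # libvirtd may relabel stopped images
}

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str          # "s0" on an MCS-only system
    categories: frozenset     # set of ints, e.g. {12, 40}

_CAT = re.compile(r"^c(\d+)(?:\.c(\d+))?$")

def expand_categories(spec: str) -> frozenset:
    """'c12,c40.c42' -> {12, 40, 41, 42}; '' -> empty set."""
    cats = set()
    for item in filter(None, spec.split(",")):
        m = _CAT.match(item)
        if not m:
            raise ValueError(f"bad category spec: {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def parse_context(label: str) -> Context:
    """Parse user:role:type:level as printed by ps -Z / ls -Z.

    level is 's0', 's0:c12,c40' or a range like 's0-s0:c0.c1023';
    for a range only the high end matters for dominance."""
    parts = label.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed context: {label!r}")
    user, role, type_, level = parts
    high = level.split("-")[-1]
    sens, _, cats = high.partition(":")
    return Context(user, role, type_, sens, expand_categories(cats))

def may_access(proc: Context, obj: Context) -> bool:
    """Both gates the kernel applies: type enforcement, then MCS dominance."""
    if (proc.type, obj.type) not in TE_ALLOW:
        return False
    if proc.sensitivity != obj.sensitivity:
        return False
    # MCS: the subject's categories must dominate (be a superset of) the object's.
    # Consequence: an object with NO categories is dominated by every subject.
    return proc.categories >= obj.categories

def audit(ps_lines, ls_lines):
    """Map each pid to the sorted list of image paths it could open."""
    procs = {}
    for line in ps_lines:
        label, pid, _comm = line.split(None, 2)
        procs[pid] = parse_context(label)
    images = {}
    for line in ls_lines:
        label, path = line.split(None, 1)
        images[path.strip()] = parse_context(label)
    return {pid: sorted(p for p, c in images.items() if may_access(ctx, c))
            for pid, ctx in procs.items()}

def unlabelled_images(ls_lines):
    """svirt_image_t files without categories: reachable by every guest."""
    out = []
    for line in ls_lines:
        label, path = line.split(None, 1)
        ctx = parse_context(label)
        if ctx.type == "svirt_image_t" and not ctx.categories:
            out.append(path.strip())
    return out

# Constructed sample output (ps -eo label,pid,comm and ls -Z), not captured
# from a real host; the category pairs mimic the random ones sVirt picks.
SAMPLE_PS = """\
system_u:system_r:virtd_t:s0-s0:c0.c1023 1190 libvirtd
system_u:system_r:svirt_t:s0:c12,c40 2471 qemu-kvm
system_u:system_r:svirt_t:s0:c7,c233 2502 qemu-kvm"""

SAMPLE_LS = """\
system_u:object_r:svirt_image_t:s0:c12,c40 /var/lib/libvirt/images/vm1.img
system_u:object_r:svirt_image_t:s0:c7,c233 /var/lib/libvirt/images/vm2.img
system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images/vm3-stopped.img
system_u:object_r:svirt_image_t:s0 /var/lib/libvirt/images/shared-base.img"""

if __name__ == "__main__":
    for pid, paths in audit(SAMPLE_PS.splitlines(), SAMPLE_LS.splitlines()).items():
        print(pid, paths)
    print("reachable by every guest:", unlabelled_images(SAMPLE_LS.splitlines()))
```

In the sample, guest 2471 reaches vm1.img but not vm2.img, libvirtd (virtd_t, categories c0 through c1023) reaches everything, and shared-base.img is reachable by both guests because it carries no categories; that last case is what the audit should flag on a real host.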
Page 30
[Diagram: Linux Kernel hosting VM 1, VM 2, VM 3, with disk images Image1, Image2, Image3 ... ImageN]
Virtual machine processes all have equal access to the system...
Page 31
[Diagram: same layout; VM 1 now runs a Web application]
...if application on virtual machine is attacked...
Page 32
...compromised...
Page 33
SELinux Force Fields...
Page 34
Page 35
sVirt Demo
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/svirt.ogv
Page 36
Photo: stevendepolo, Flickr, Attribution-NoDerivs 2.0 Generic (CC BY-ND 2.0)
Shared Resources!
Page 37
Sharing Resources
Photo: stevendepolo, Flickr, Attribution 2.0 Generic (CC BY 2.0)
Shared Resources!
Page 38
Control Group Overview
● Control Group is a generic framework into which several "resource type" controllers can be plugged to manage different resources of the system, such as process scheduling, memory allocation, network traffic, or IO bandwidth.
● Two types of control mechanisms: proportional and maximum bandwidth control
● Controller types supported: CPU/cpuset, memory, networking, block IO, etc.

| Controller | RHEL 6.2 | RHEL 6.3+ | RHEL 7+ |
|---|---|---|---|
| CPU | Proportional & Maximal | Proportional & Maximal | Proportional & Maximal |
| Memory | Maximal only | Maximal only | Maximal only |
| Networking | Proportional & Maximal | Proportional & Maximal | Proportional & Maximal |
| Block IO | Proportional & Maximal | Proportional & Maximal | Maximal [Proportional bandwidth will not work by default] |
Page 39
Resource Management: Control Groups
Ability to manage large system resources effectively
Control groups (cgroups) for CPU/Memory/Network/Disk
Benefit: guarantee Quality of Service & dynamic resource allocation
Ideal for managing any multi-application environment, from backup jobs to the Cloud
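As an added example of the knobs behind the proportional/maximal distinction in the table (the editor's code, not the slides' cgroups demo), the script below lays out a cgroup v1 tree with one directory per guest under each controller, as cgconfig and libvirt did at the time. It assumes the controllers are mounted under a root you pass in (RHEL 6 mounted them at /cgroup/<controller>, later systems at /sys/fs/cgroup/<controller>); `demo()` runs against a scratch directory so it executes anywhere. The guest name `vm1`, the pid 4242 and the device `8:0` are hypothetical. Shares and weights are the proportional controls and only bite under contention; the CFS quota, memory limit and blkio throttle are the hard caps.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

CFS_PERIOD_US = 100_000          # 100 ms, the CFS scheduler default

@dataclass
class TenantLimits:
    name: str                                   # hypothetical guest name
    cpu_shares: int = 1024                      # proportional: relative weight, default 1024
    cpu_quota_pct: Optional[int] = None         # maximal: 150 means at most 1.5 CPUs
    mem_limit_bytes: Optional[int] = None       # maximal only: memory has no proportional knob
    blkio_weight: Optional[int] = None          # proportional, 100..1000
    blkio_read_bps: Optional[Tuple[str, int]] = None  # maximal: ("major:minor", bytes/s)

def plan(t: TenantLimits) -> dict:
    """Relative cgroup v1 file -> value, one directory per guest per controller."""
    files = {f"cpu/{t.name}/cpu.shares": str(t.cpu_shares)}
    if t.cpu_quota_pct is not None:
        files[f"cpu/{t.name}/cpu.cfs_period_us"] = str(CFS_PERIOD_US)
        files[f"cpu/{t.name}/cpu.cfs_quota_us"] = str(CFS_PERIOD_US * t.cpu_quota_pct // 100)
    if t.mem_limit_bytes is not None:
        files[f"memory/{t.name}/memory.limit_in_bytes"] = str(t.mem_limit_bytes)
        # Caveat: limit_in_bytes caps RAM only; without the memsw limit the guest
        # can still grow into swap. The memsw file only exists when the kernel
        # runs with swap accounting enabled.
        files[f"memory/{t.name}/memory.memsw.limit_in_bytes"] = str(t.mem_limit_bytes)
    if t.blkio_weight is not None:
        files[f"blkio/{t.name}/blkio.weight"] = str(t.blkio_weight)
    if t.blkio_read_bps is not None:
        dev, bps = t.blkio_read_bps
        files[f"blkio/{t.name}/blkio.throttle.read_bps_device"] = f"{dev} {bps}"
    return files

def apply_limits(root: str, t: TenantLimits) -> int:
    """Write the plan under root (/cgroup on RHEL 6, /sys/fs/cgroup later)."""
    n = 0
    for rel, value in plan(t).items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)   # mkdir creates the cgroup
        with open(path, "w") as f:
            f.write(value + "\n")
        n += 1
    return n

def attach(root: str, t: TenantLimits, pid: int) -> list:
    """Move pid (the guest's qemu process) into the guest's cgroup in every controller."""
    written = []
    for ctrl in sorted({rel.split("/", 1)[0] for rel in plan(t)}):
        path = os.path.join(root, ctrl, t.name, "tasks")
        with open(path, "w") as f:
            f.write(f"{pid}\n")
        written.append(path)
    return written

def demo(root: Optional[str] = None) -> dict:
    """Apply a sample tenant to a scratch tree and read every file back."""
    root = root or tempfile.mkdtemp(prefix="cgroup-demo-")
    t = TenantLimits("vm1", cpu_shares=512, cpu_quota_pct=150,
                     mem_limit_bytes=2 * 1024 ** 3, blkio_weight=300,
                     blkio_read_bps=("8:0", 50 * 1024 * 1024))
    apply_limits(root, t)
    attach(root, t, 4242)                       # hypothetical qemu pid
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full) as f:
                result[os.path.relpath(full, root)] = f.read().strip()
    return result

if __name__ == "__main__":
    for rel, value in sorted(demo().items()):
        print(f"{rel}: {value}")
```

Against a real cgroup mount the same `apply_limits` and `attach` calls take effect immediately; writing a pid into `tasks` is what moves the qemu process, and the order of the memory writes matters because the kernel rejects a RAM limit above the RAM+swap limit.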
Page 40
cgroups Demo
● http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/cgroups.ogv
Page 41
Internal Security Futures
Page 42
SECCOMP/Libseccomp
● Selectively disable syscalls with seccomp
● ~312 syscalls on x86_64, not including x86 (32-bit)
● Most applications use a subset of all the syscalls
● Reduces the chance of kernel exploitation if the app is exploited
● Some syscalls are "riskier" than others
● Not fully protected by LSM/SELinux
● History of vulnerabilities due to syscall complexity
● libseccomp makes seccomp easy to use
● Simple architecture-independent API for developers
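As an added example of what libseccomp generates for you (the editor's code, not the slides' demo and not libseccomp), the script below assembles a seccomp-bpf allow-list by hand: it loads the architecture from struct seccomp_data and kills the process if it is not x86_64 before trusting the syscall number (x86 and x86_64 numbers differ, which is why the slide counts them separately), then compares the number against the list. It includes a pure-Python evaluator so the filter's decisions can be checked without installing it; `install()` and `run_demo()` need Linux on x86_64, and the syscall numbers used (write=1, getpid=39, exit_group=231) are x86_64 values.

```python
import ctypes
import os
import signal
import struct

# Opcodes from linux/filter.h and return values from linux/seccomp.h
BPF_LD, BPF_W, BPF_ABS = 0x00, 0x00, 0x20
BPF_JMP, BPF_JEQ, BPF_K = 0x05, 0x10, 0x00
BPF_RET = 0x06
LD_ABS = BPF_LD | BPF_W | BPF_ABS      # 0x20: A = data[k]
JEQ_K = BPF_JMP | BPF_JEQ | BPF_K      # 0x15: if A == k goto +jt else goto +jf
RET_K = BPF_RET | BPF_K                # 0x06: return k
SECCOMP_RET_KILL = 0x00000000
SECCOMP_RET_ALLOW = 0x7fff0000
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
OFF_NR, OFF_ARCH = 0, 4                # offsets of nr and arch in struct seccomp_data
PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2

# x86_64 syscall numbers used by the demo; every other arch numbers them differently
NR_WRITE, NR_GETPID, NR_EXIT_GROUP = 1, 39, 231

def insn(code, k, jt=0, jf=0):
    """One struct sock_filter: u16 code, u8 jt, u8 jf, u32 k."""
    return struct.pack("HBBI", code, jt, jf, k)

def build_filter(allowed_nrs, arch=AUDIT_ARCH_X86_64):
    """Allow-list: wrong arch -> kill; listed syscall -> allow; anything else -> kill."""
    prog = [
        insn(LD_ABS, OFF_ARCH),
        insn(JEQ_K, arch, jt=1, jf=0),     # arch matches: skip the kill below
        insn(RET_K, SECCOMP_RET_KILL),
        insn(LD_ABS, OFF_NR),
    ]
    for nr in allowed_nrs:
        prog.append(insn(JEQ_K, nr, jt=0, jf=1))   # match: fall into ALLOW; else skip it
        prog.append(insn(RET_K, SECCOMP_RET_ALLOW))
    prog.append(insn(RET_K, SECCOMP_RET_KILL))     # default deny
    return b"".join(prog)

def disassemble(filter_bytes):
    """Bytes -> list of (code, jt, jf, k) tuples."""
    return [struct.unpack("HBBI", filter_bytes[i:i + 8])
            for i in range(0, len(filter_bytes), 8)]

def simulate(filter_bytes, arch, nr):
    """Pure-Python evaluator for the BPF subset build_filter emits."""
    data = {OFF_NR: nr, OFF_ARCH: arch}
    ins, pc, acc = disassemble(filter_bytes), 0, 0
    while pc < len(ins):
        code, jt, jf, k = ins[pc]
        if code == LD_ABS:
            acc = data[k]
            pc += 1
        elif code == JEQ_K:
            pc += 1 + (jt if acc == k else jf)   # offsets are relative to the next insn
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("program fell off the end")

def install(filter_bytes):
    """Load the filter into the calling process (Linux only, cannot be removed)."""
    class SockFprog(ctypes.Structure):
        _fields_ = [("len", ctypes.c_ushort), ("filter", ctypes.c_void_p)]
    libc = ctypes.CDLL(None, use_errno=True)
    buf = ctypes.create_string_buffer(filter_bytes, len(filter_bytes))
    prog = SockFprog(len(filter_bytes) // 8, ctypes.addressof(buf))
    # Required without CAP_SYS_ADMIN; also stops the filter confusing setuid children
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")

def run_demo():
    """Fork; the child allows only write+exit_group, then calls getpid() and dies with SIGSYS."""
    pid = os.fork()
    if pid == 0:
        install(build_filter([NR_WRITE, NR_EXIT_GROUP]))
        os.write(1, b"filter installed, calling getpid()...\n")
        os.getpid()                        # not on the list: the kernel kills us here
        os._exit(0)                        # never reached
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGSYS:
        return "SIGSYS"
    return None

if __name__ == "__main__":
    print("child terminated by:", run_demo())
```

While developing a list, swap `SECCOMP_RET_KILL` in the default-deny slot for `SECCOMP_RET_ERRNO | errno` so blocked calls fail visibly instead of killing the process; libseccomp's value is that it hides the opcode packing, the per-architecture syscall numbers and the arch check shown here behind one API.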
Page 43
Secure Linux Application Containers
● Run hundreds of servers simultaneously
● Similar to OpenShift
● Little overhead
● SELinux protections built in
● Uses all namespaces
Page 44
Verifying the Boot Sequence
● UEFI Secure Boot
● Trusted Boot
● TXT
● TPM