Create secure simple containers with the systemd tools Nspawnd and Portabled
Isolation Ward
Conclusions
Very few admins are aware of the systemd components Nspawnd and Portabled discussed in this article, and that ignorance is a mistake, regardless of your opinion of systemd. If you use one of today's major distributions, chances are your setup already runs systemd. If it is already in place, why not use it?
Both tools presented here offer genuine added value. Chroot is now considered insecure, and for good reason: several scenarios have been documented for breaking out of a chroot environment. Namespaces in the Linux kernel are not only more modern but also far more focused on security, and they offer considerable benefits there. If you want to isolate applications, either from each other or from the rest of the system, without having to deal with the complexity of Docker or Podman, it is a very good idea to take a closer look at the systemd add-on Nspawnd.
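The practical difference between a chroot and a namespace-based container is visible from the host: a merely chrooted process still shares every kernel namespace with PID 1, whereas a process started by Nspawnd shows different mount, PID and (with private networking) network namespace inodes under /proc. The following script, added here as an illustration and not part of the original article, compares the namespace links of a target PID with those of a reference process (PID 1 by default) and classifies the degree of isolation. It assumes a Linux host with /proc mounted and enough privilege to read the target's /proc/<pid>/ns entries; the `classify` thresholds are this example's own convention, not a systemd rule.

```python
import os
import sys
from typing import Dict, List

# Namespace types exposed under /proc/<pid>/ns/ on current kernels.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid="self") -> Dict[str, str]:
    """Return {name: 'type:[inode]'} for a process, read from /proc/<pid>/ns/.

    Entries the kernel does not provide, or that we may not read, are skipped.
    """
    result: Dict[str, str] = {}
    for ns in NAMESPACES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return result


def isolated_namespaces(target: Dict[str, str], reference: Dict[str, str]) -> List[str]:
    """Namespace types in which target lives in a different namespace than reference."""
    return sorted(ns for ns in target if ns in reference and target[ns] != reference[ns])


def shared_namespaces(target: Dict[str, str], reference: Dict[str, str]) -> List[str]:
    """Namespace types target still shares with reference (no isolation there)."""
    return sorted(ns for ns in target if ns in reference and target[ns] == reference[ns])


def classify(target: Dict[str, str], reference: Dict[str, str]) -> str:
    """Rough verdict on how confined target is relative to reference.

    A chroot changes the root directory only, so all namespace links stay
    identical to PID 1's; a container started with systemd-nspawn gets at
    least its own mount and PID namespaces.  (Threshold chosen for this example.)
    """
    isolated = set(isolated_namespaces(target, reference))
    if not isolated:
        return "none (chroot-style at best: every namespace shared with reference)"
    if {"mnt", "pid"} <= isolated:
        return "container-style (own mount and PID namespaces)"
    return "partial (" + ", ".join(sorted(isolated)) + ")"


def report(pid: str, reference_pid: str = "1") -> str:
    """Human-readable report for one PID; intended to be run on the host."""
    target, reference = read_namespaces(pid), read_namespaces(reference_pid)
    lines = [f"PID {pid} vs PID {reference_pid}: {classify(target, reference)}"]
    lines.append("  isolated: " + (", ".join(isolated_namespaces(target, reference)) or "-"))
    lines.append("  shared:   " + (", ".join(shared_namespaces(target, reference)) or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 nscheck.py <pid> [<reference-pid>]
    print(report(*(sys.argv[1:3] or ["self"])))
```

Run it on the host against the PID of a service's main process: a chrooted daemon reports every namespace as shared, while a service running under Nspawnd (or a systemd unit with `PrivateNetwork=yes` and similar sandboxing directives) shows the corresponding namespaces as isolated. The inode values themselves are only meaningful for comparison on the same host.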
The same goes for Portabled. Strictly speaking, the idea behind it is nothing other than what the major vendors are currently pursuing with their container strategies. Instead of the dependency hell of the usual package managers, cleanly defined container images contain just the bare necessities and otherwise have no external dependencies. Portabled can be forgiven for not following the container mantra "a microarchitecture application in a container", especially since, in most cases, Portabled is more likely to be used in classic environments anyway. In return, you can look forward to more convenience, enhanced security, and better administrability.
Anyone who is concerned about isolating services and securing their systems should definitely have these two standard systemd functions on their radar.
Infos
- Docker architecture: https://docs.docker.com/get-started/overview/
- "Private networking per-process in Linux" by Ivan Zahariev: https://blog.famzah.net/2014/06/05/private-networking-per-process-in-linux/
- mkosi: https://github.com/systemd/mkosi