DevOps Jul 25, 2019

Securing Container Runtimes -- How Hard Can It Be?

http://container.camp/ @containercamp

In the past few years there have been a fair few CVEs in container runtimes and container orchestration tools, often relating to container breakouts or otherwise attacking the host. In this talk, we will go through why it appears to be difficult to create secure container runtimes and some steps that are being taken by popular runtimes to try to avoid these sorts of issues in the future (on both sides of the kernel-userspace boundary).

Aleksa Sarai is a core developer and maintainer of runc and umoci, contributor to the Open Container Initiative specifications, and a Linux kernel contributor. He works on the containers team at SUSE, maintaining various core parts of the lower levels of the containers stack and related software for both SUSE Linux Enterprise and openSUSE; he is also committed to working in the open, and is a strong proponent of Free Software.

Captured on 25-26 July, 2019 at the SMC Centre, Sydney, Australia.