{"id":24603,"date":"2017-04-17T09:00:31","date_gmt":"2017-04-17T13:00:31","guid":{"rendered":"https:\/\/sdtimes.com\/?p=24603"},"modified":"2017-04-14T16:39:34","modified_gmt":"2017-04-14T20:39:34","slug":"namespaces-key-container-security","status":"publish","type":"post","link":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/","title":{"rendered":"Namespaces: A key to container security"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Everyone is talking about containers these days, but what do containers actually mean for software development? There are many different pieces involved to put a successful containerized application together. SD Times caught up with Liz Rice, technology evangelist for container security specialist Aqua Security, to talk about a very important piece: Namespaces. Rice will be speaking at this week\u2019s DockerCon about namespaces, and what they can do for containers. <\/span><\/p>\n<p><b>RELATED CONTENT: <\/b><a href=\"https:\/\/sdtimes.com\/controlling-software-containers-microservices\/\"><b>Controlling software through containers and microservices<\/b><\/a><\/p>\n<p><b>SD Times: What are namespaces, and why are they necessary for containers?<\/b><br \/>\n<i><span style=\"font-weight: 400;\">Rice: <\/span><\/i><span style=\"font-weight: 400;\">Namespaces are one of the key building blocks that are used to create containers. When you start a process on Linux, you can ask the kernel to give the process its own namespaces, and that means it has a restricted view of what&#8217;s going on. So for example when you look at the list of running processes within a container, you only see the ones inside that container and none of the processes running elsewhere on the machine. It&#8217;s namespacing that gives the container this constrained view. I&#8217;ll be demonstrating exactly how it works in my talk at DockerCon. 
<\/span><\/p>\n<p><b>What are the benefits to using namespaces?<\/b><br \/>\n<span style=\"font-weight: 400;\">Namespaces are an incredibly lightweight way to isolate containers from each other. From inside the container, it looks a lot like being inside a virtual machine, but there&#8217;s none of the overhead of a hypervisor. Starting a virtual machine can take minutes, whereas starting a container is almost instantaneous. <\/span><\/p>\n<p><b>Are there any challenges developers should be aware of when using namespaces? <\/b><br \/>\n<span style=\"font-weight: 400;\">The main challenge is that you don&#8217;t have the full isolation that you get with true virtualization, and that does have some security implications. For example, although the container can only see its own running processes, the host machine has a view of everything that is running inside all containers, and &#8211; as I&#8217;ll show in my talk &#8211; all their environment variables. If you&#8217;re using environment variables to pass secrets (like, say, database passwords) into your containers, they&#8217;ll be accessible from the host machine. That may not be an issue for all users, but it is a serious concern for some. Fortunately there are solutions, including <\/span><a href=\"http:\/\/aquasec.com\/\" target=\"_blank\"><span style=\"font-weight: 400;\">Aqua Security<\/span><\/a><span style=\"font-weight: 400;\">, to prevent secrets being leaked to the host through the environment like this. <\/span><\/p>\n<p><b>What are some types of namespaces, and how are they used? <\/b><br \/>\n<span style=\"font-weight: 400;\">There are currently namespaces for the hostname, process IDs, user and group IDs, mounts, networking and inter-process communications. Some of these are absolutely essential to containerization, whereas others are only needed in certain circumstances. 
For example, <\/span><a href=\"https:\/\/success.docker.com\/KBase\/Introduction_to_User_Namespaces_in_Docker_Engine\" target=\"_blank\"><span style=\"font-weight: 400;\">Docker has supported user and group ID mapping since 1.10<\/span><\/a><span style=\"font-weight: 400;\"> leveraging the user \/ group namespace, but I think it would be fair to say that it&#8217;s only used by a minority as it&#8217;s not needed in a lot of use cases. <\/span><\/p>\n<p>Most people can simply use containers without worrying about the nuts and bolts of how they are put together, but if you&#8217;re interested in what&#8217;s going on under the covers there are some interesting challenges around the way namespaces interact with each other and with the host.<\/p>\n<p><b>What do you hope developers will take away from your talk?<\/b><br \/>\n<span style=\"font-weight: 400;\">As well as namespaces, I&#8217;ll be talking about cgroups. If a namespace limits what a container can see, a cgroup limits the resources it can use, like memory or CPU. I&#8217;ll be demonstrating all of this by writing my own container in Go, and then I&#8217;m going to subject it to a security exploit to test whether I have really isolated my container from the rest of the machine. If you like live coding and demos, and you want to really understand what&#8217;s going on when you run code in a container, you should definitely come along.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everyone is talking about containers these days, but what do containers actually mean for software development? There are many different pieces involved to put a successful containerized application together. SD Times caught up with Liz Rice, technology evangelist for container security specialist Aqua Security, to talk about a very important piece: Namespaces. 
Rice will be  &hellip; <a class=\"read-more\" href=\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\">continue reading<\/a><!-- AddThis Advanced Settings generic via filter on get_the_excerpt --><!-- AddThis Share Buttons generic via filter on get_the_excerpt --><\/p>\n","protected":false},"author":490,"featured_media":24604,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"cybocfi_hide_featured_image":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[1],"tags":[2529,10651,737,1141],"coauthors":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Namespaces: A key to container security - SD Times<\/title>\n<meta name=\"description\" content=\"Liz Rice, technology evangelist for container security specialist Aqua Security, talks about the importance of container namespaces\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Namespaces: A key to container security - SD Times\" \/>\n<meta property=\"og:description\" content=\"Liz Rice, technology evangelist for container security specialist Aqua Security, talks about the importance of container namespaces\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\" \/>\n<meta property=\"og:site_name\" content=\"SD Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/SDTimesD2\" \/>\n<meta property=\"article:published_time\" content=\"2017-04-17T13:00:31+00:00\" \/>\n<meta 
property=\"article:modified_time\" content=\"2017-04-14T20:39:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"640\" \/>\n\t<meta property=\"og:image:height\" content=\"426\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Christina Cardoza\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@chriscatdoza\" \/>\n<meta name=\"twitter:site\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Christina Cardoza\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\"},\"author\":{\"name\":\"Christina Cardoza\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/8291872d437355f6b12cbcd6857a1972\"},\"headline\":\"Namespaces: A key to container security\",\"datePublished\":\"2017-04-17T13:00:31+00:00\",\"dateModified\":\"2017-04-14T20:39:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\"},\"wordCount\":629,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg\",\"keywords\":[\"containers\",\"namespaces\",\"software\",\"software 
development\"],\"articleSection\":[\"Latest News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\",\"url\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\",\"name\":\"Namespaces: A key to container security - SD Times\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg\",\"datePublished\":\"2017-04-17T13:00:31+00:00\",\"dateModified\":\"2017-04-14T20:39:34+00:00\",\"description\":\"Liz Rice, technology evangelist for container security specialist Aqua Security, talks about the importance of container 
namespaces\",\"breadcrumb\":{\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg\",\"width\":640,\"height\":426},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sdtimes.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Namespaces: A key to container security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sdtimes.com\/#website\",\"url\":\"https:\/\/sdtimes.com\/\",\"name\":\"SD Times\",\"description\":\"Software Development News\",\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sdtimes.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/sdtimes.com\/#organization\",\"name\":\"SD Times\",\"url\":\"https:\/\/sdtimes.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"width\":225,\"height\":90,\"caption\":\"SD 
Times\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/SDTimesD2\",\"https:\/\/x.com\/sdtimes\",\"https:\/\/www.linkedin.com\/company\/sdtimes\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/8291872d437355f6b12cbcd6857a1972\",\"name\":\"Christina Cardoza\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/image\/66d89d09eb7f22eba27a82092a3bae8e\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/940fd7e02753c2aff1d037c42e0603ac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/940fd7e02753c2aff1d037c42e0603ac?s=96&d=mm&r=g\",\"caption\":\"Christina Cardoza\"},\"description\":\"Christina Cardoza is the News Editor of SD Times. She is responsible for the oversight of the daily news published to the website as well as the company's weekly newsletter, News on Monday. She covers agile, DevOps, AI, machine learning, mixed reality and software security. She is an undeniable nerd who loves Marvel comics and Star Wars. On Follow her on Twitter at @chriscatdoza!\",\"sameAs\":[\"https:\/\/x.com\/chriscatdoza\"],\"url\":\"https:\/\/sdtimes.com\/author\/christina-mulligan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Namespaces: A key to container security - SD Times","description":"Liz Rice, technology evangelist for container security specialist Aqua Security, talks about the importance of container namespaces","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/","og_locale":"en_US","og_type":"article","og_title":"Namespaces: A key to container security - SD Times","og_description":"Liz Rice, technology evangelist for container security specialist Aqua Security, talks about the importance of container namespaces","og_url":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/","og_site_name":"SD Times","article_publisher":"https:\/\/www.facebook.com\/SDTimesD2","article_published_time":"2017-04-17T13:00:31+00:00","article_modified_time":"2017-04-14T20:39:34+00:00","og_image":[{"width":640,"height":426,"url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg","type":"image\/jpeg"}],"author":"Christina Cardoza","twitter_card":"summary_large_image","twitter_creator":"@chriscatdoza","twitter_site":"@sdtimes","twitter_misc":{"Written by":"Christina Cardoza","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#article","isPartOf":{"@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/"},"author":{"name":"Christina Cardoza","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/8291872d437355f6b12cbcd6857a1972"},"headline":"Namespaces: A key to container security","datePublished":"2017-04-17T13:00:31+00:00","dateModified":"2017-04-14T20:39:34+00:00","mainEntityOfPage":{"@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/"},"wordCount":629,"commentCount":0,"publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"image":{"@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg","keywords":["containers","namespaces","software","software development"],"articleSection":["Latest News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/","url":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/","name":"Namespaces: A key to container security - SD Times","isPartOf":{"@id":"https:\/\/sdtimes.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage"},"image":{"@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage"},"thumbnailUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg","datePublished":"2017-04-17T13:00:31+00:00","dateModified":"2017-04-14T20:39:34+00:00","description":"Liz Rice, technology evangelist for container security specialist Aqua Security, 
talks about the importance of container namespaces","breadcrumb":{"@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#primaryimage","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-47408.jpeg","width":640,"height":426},{"@type":"BreadcrumbList","@id":"https:\/\/sdtimes.com\/containers\/namespaces-key-container-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sdtimes.com\/"},{"@type":"ListItem","position":2,"name":"Namespaces: A key to container security"}]},{"@type":"WebSite","@id":"https:\/\/sdtimes.com\/#website","url":"https:\/\/sdtimes.com\/","name":"SD Times","description":"Software Development News","publisher":{"@id":"https:\/\/sdtimes.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sdtimes.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sdtimes.com\/#organization","name":"SD Times","url":"https:\/\/sdtimes.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/","url":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","contentUrl":"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png","width":225,"height":90,"caption":"SD 
Times"},"image":{"@id":"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/SDTimesD2","https:\/\/x.com\/sdtimes","https:\/\/www.linkedin.com\/company\/sdtimes\/"]},{"@type":"Person","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/8291872d437355f6b12cbcd6857a1972","name":"Christina Cardoza","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sdtimes.com\/#\/schema\/person\/image\/66d89d09eb7f22eba27a82092a3bae8e","url":"https:\/\/secure.gravatar.com\/avatar\/940fd7e02753c2aff1d037c42e0603ac?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/940fd7e02753c2aff1d037c42e0603ac?s=96&d=mm&r=g","caption":"Christina Cardoza"},"description":"Christina Cardoza is the News Editor of SD Times. She is responsible for the oversight of the daily news published to the website as well as the company's weekly newsletter, News on Monday. She covers agile, DevOps, AI, machine learning, mixed reality and software security. She is an undeniable nerd who loves Marvel comics and Star Wars. 
On Follow her on Twitter at @chriscatdoza!","sameAs":["https:\/\/x.com\/chriscatdoza"],"url":"https:\/\/sdtimes.com\/author\/christina-mulligan\/"}]}},"_links":{"self":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/24603"}],"collection":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/users\/490"}],"replies":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/comments?post=24603"}],"version-history":[{"count":1,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/24603\/revisions"}],"predecessor-version":[{"id":24605,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/24603\/revisions\/24605"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media\/24604"}],"wp:attachment":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media?parent=24603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/categories?post=24603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/tags?post=24603"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/coauthors?post=24603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}