undefined | Better HN

0 pointstptacek4y ago0 comments

The problem with this jails/zones stuff is that I don't know anyone who seriously trusts jails and zones for real multitenant workloads anyways. The dealbreaker problem remains a shared kernel attack surface between tenants. It's one thing to propose that Zones are better than namespaces (they probably are), but another thing to cross the threshold where the distinction is meaningful in practice.

0 comments

bcantrill4y ago

At Joyent, we deployed public-facing multitenant workloads based on zones (and before that, jails) for many years. We seriously trusted it -- and had serious customers who seriously depended on it. So, now you know someone!

psanford4y ago

To be fair, y'all had some serious vulnerabilities, including zone escapes and arbitrary kernel memory reads, discovered by @benmmurphy.

bcantrill4y ago

Yes, though I would like to believe that Ben's responsible disclosure coupled with our addressing those vulns (and auditing ourselves for similar) reflect exactly that seriousness around multitenant security. And for whatever it's worth, one of those vulnerabilities -- which was a bug in my code! -- very much informed by own thinking about the inherent unsafety of C, underscoring the appeal of Rust. So I am grateful in several dimensions!

1 more reply

tptacekOP4y ago

To this, all I can say is that I spent from 2005-2014, and then from 2016-2020, doing nothing but security evaluations of products, probably about 60% of which were serverside multitenant SAAS systems of one form or another, and I don't remember ever evaluating (or overseeing the evaluation of) a system that relied on Jails or Zones. Lots of Docker! And, until a few years ago, multitenant Docker isolation was an infamous joke! I'm not sticking up for it!

You can look at the recent history of Linux kernel LPEs --- there has been sort of a renaissance because of mobile devices --- and count all the ways any shared-kernel multitenant system would have broken down. At the end of the day, it's not so much about predicting whether your system can get owned up (it can), so much as: "what do I need to do when there is a kernel LPE announced on my platform". If you're doing shared-kernel isolation, the right answer to that question is usually "fire drill". It's not a noodley thought-leadership kind of question; it's a simple, practical concern.

wmf4y ago

There were also tons of providers who trusted Linux containers for VPS hosting.

tptacekOP4y ago

How'd that turn out?

1 more reply

unixhero4y ago

And needless to say it became a billion dollar business, with a great product.

psanford4y ago

They were acquired for $170m.

1 more reply

mixmastamyk4y ago

Security requirements (and awareness) have increased over the years, have they not?

bcantrill4y ago

They definitely have! And we had a (zones-based) public cloud through it all. On that note, Alex Wilson's description of working with Robert Mustacchi on mitigating Meltdown by adding KPTI to illumos[0] definitely merits a read!

[0] https://blog.cooperi.net/a-long-two-months

jchw4y ago

Also, tools for improving Docker for multi-tenant workloads exists, like gVisor. I don’t think equivalents exist for jails/zones really.

tptacekOP4y ago

gVisor isn't a shared-kernel multitenant system; it's essentially kernel emulation. It's a much stronger design.

jchw4y ago

I mostly mean that it is intended to be a solution to run containers from multiple tenants on the same host. Though I do agree, being essentially a kernel in itself, it is a bit in a different wheelhouse. It still is a huge value add that you can implement something like that on top of Docker, imo.

1 more reply

Koshkin4y ago

Similar to Xen?

1 more reply

schoen4y ago

> The dealbreaker problem remains a shared kernel attack surface between tenants.

Also, now, extremely subtle and hard-to-mitigate timing attacks between tenants.

tptacekOP4y ago

In fairness, that's an attack class that's very difficult to eradicate even with virtualization.

j / k navigate · click thread line to collapse

0 comments

bcantrill4y ago

psanford4y ago

To be fair, y'all had some serious vulnerabilities, including zone escapes and arbitrary kernel memory reads, discovered by @benmmurphy.

bcantrill4y ago

1 more reply

tptacekOP4y ago

wmf4y ago

There were also tons of providers who trusted Linux containers for VPS hosting.

tptacekOP4y ago

How'd that turn out?

1 more reply

unixhero4y ago

And needless to say it became a billion dollar business, with a great product.

psanford4y ago

They were acquired for $170m.

1 more reply

mixmastamyk4y ago

Security requirements (and awareness) have increased over the years, have they not?

bcantrill4y ago

[0] https://blog.cooperi.net/a-long-two-months

jchw4y ago

Also, tools for improving Docker for multi-tenant workloads exists, like gVisor. I don’t think equivalents exist for jails/zones really.

tptacekOP4y ago

gVisor isn't a shared-kernel multitenant system; it's essentially kernel emulation. It's a much stronger design.

jchw4y ago

1 more reply

Koshkin4y ago

Similar to Xen?

1 more reply

schoen4y ago

> The dealbreaker problem remains a shared kernel attack surface between tenants.

Also, now, extremely subtle and hard-to-mitigate timing attacks between tenants.

tptacekOP4y ago

In fairness, that's an attack class that's very difficult to eradicate even with virtualization.

j / k navigate · click thread line to collapse