Simulating the Internet Using Unprivileged LXC Containers

Stéphane Graber

Software engineer for Ltd. Upstream maintainer of LXC. Infrastructure/network guy for NorthSec.

LinuxCon North America 2014, Chicago

Introduction

The biggest on-site capture the flag security contest in North America!

Organized over a weekend in Montreal with participants coming from Canada and the US.

26 teams for a total of over 200 participants, organized by a staff of 20 and some help from volunteers.

https://www.nsec.io

NorthSec 2014

NorthSec 2014: The map of our Internet

Internet in a bottle

Why?

➔ Very recent kernel: 3.13 for basic functionality, 3.16 for advanced networking.

➔ Reasonably recent LXC: LXC 1.0 is required for unprivileged containers. LXC 1.0.1 (also known as the NorthSec edition) or higher is recommended.

➔ Reasonably recent distro: 14.04 LTS, for example. Needs a very recent version of shadow (newuidmap, newgidmap) and good cgroup setup support (such as using cgmanager).

➔ Our Internet generator
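The prerequisites above, turned into a host pre-flight check. This is an added example, not code from the slides or from the nsec/the-internet repository; the minimum versions come from the slide, the setuid helper, /etc/subuid, /etc/subgid and cgmanager socket paths are the stock locations (assumed), and the helper names are this script's own.

```sh
#!/bin/sh
# Added example (not from the slides or nsec/the-internet): pre-flight check for the
# unprivileged-container prerequisites listed above. Versions come from the slide;
# file paths are the stock shadow/cgmanager locations (assumed).

# version_ge A B : exit 0 when dotted version A is >= B (3.13.0 >= 3.13).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# subid_range FILE USER : print "start count" from a subuid/subgid-style file
# (one user:start:count per line); exit 1 when the user has no range.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; found = 1; exit } END { exit !found }' "$1"
}

# check_host [USER] : run every check, print one line each, exit 1 on any failure.
check_host() {
    u=${1:-$(id -un)} rc=0
    k=$(uname -r | sed 's/[^0-9.].*//')          # "3.13.0-24-generic" -> "3.13.0"
    version_ge "$k" 3.13 && echo "ok   kernel $k (3.16+ needed for advanced networking)" \
        || { echo "FAIL kernel $k is older than 3.13"; rc=1; }
    v=$(lxc-start --version 2>/dev/null || echo 0)
    version_ge "$v" 1.0 && echo "ok   lxc $v" || { echo "FAIL lxc $v (need 1.0, 1.0.1+ recommended)"; rc=1; }
    for m in newuidmap newgidmap; do           # shadow helpers; must be setuid root
        p=$(command -v "$m" 2>/dev/null || true)
        [ -n "$p" ] && [ -u "$p" ] && echo "ok   $p is setuid" \
            || { echo "FAIL $m missing or not setuid (shadow too old?)"; rc=1; }
    done
    for f in /etc/subuid /etc/subgid; do
        r=$(subid_range "$f" "$u" 2>/dev/null) && echo "ok   $f gives $u range $r" \
            || { echo "FAIL no entry for $u in $f"; rc=1; }
    done
    [ -e /proc/self/uid_map ] && echo "ok   kernel has user namespaces" \
        || { echo "FAIL no user namespace support"; rc=1; }
    [ -S /sys/fs/cgroup/cgmanager/sock ] && echo "ok   cgmanager socket present" \
        || echo "info no cgmanager socket; cgroups need another delegation setup"
    return $rc
}

case ${1:-} in --check) check_host "${2:-}" ;; esac   # sh check.sh --check [user]
```

Run it as `sh check.sh --check` (optionally with a user name) on the host that will run the containers; the functions can also be sourced from other scripts.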

How?

Sure!

Let’s create some Internetz!

Can we see it?

Beware of the bugs!

It can’t always go smoothly

➔ Javascript… We really need to fix that map...

➔ Partially distributed: You never have enough routers!

➔ Monitoring: Bandwidth usage per link, per AS, per IX, BGP session monitoring, ...

➔ Making it more authentic: More carriers, more routers, more exchanges, whois services, looking glass, domain registrars, maybe some way to import data from the real thing? …

Simulate BGP hijacking, countries going dark, fibers getting cut, links and datacenters being tapped, ...

What’s next?

git clone git://github.com/nsec/the-internet

How do I get my own?

Stéphane Graber
https://www.stgraber.org

LXC: https://www.linuxcontainers.org https://github.com/lxc

NorthSec: https://www.nsec.io https://github.com/nsec

Questions anyone?