Simulating the Internet Using Unprivileged LXC Container Stéphane Graber <[email protected]> Software engineer for Canonical Ltd. Upstream maintainer of LXC. Infrastructure/network guy for NorthSec. LinuxCon North America 2014, Chicago Introduction Introduction The biggest on-site capture the flag security contest in North America! Organized over a weekend in Montreal with participants coming from Canada and the US. 26 teams for a total of over 200 participants, organized by a staff of 20 and some help from volunteers. https://www.nsec.io NorthSec 2014 NorthSec 2014: The map of our Internet Internet in a bottle Why? ➔ Very recent Linux kernel 3.13 for basic functionalities, 3.16 for advanced networking. ➔ Reasonably recent LXC LXC 1.0 is required for unprivileged containers. LXC 1.0.1 (also known as the NorthSec edition) or higher is recommended. ➔ Reasonably recent distro Ubuntu 14.04 LTS for example. Needs a very recent version of shadow (newuidmap, newgidmap). Good cgroup setup support (such as using cgmanager). ➔ Our Internet generator How? Sure! Let’s create some Internetz! Can we see it? Beware of the bugs! It can’t always go smoothly ➔ Javascript… We really need to fix that map... ➔ Partial distributed Internets You never have enough routers! ➔ Monitoring Bandwidth usage per link, per AS, per IX, BGP session monitoring, ... ➔ Making it more authentic More carriers, more routers, more exchanges, whois services, looking glass, domain registrars, maybe some way to import data from the real thing? … Simulate BGP hijacking, countries going dark, fibers getting cut, links and datacenters being tapped, ... What’s next? git clone git://github.com/nsec/the-internet How do I get my own? Stéphane Graber [email protected] [email protected] https://www.stgraber.org LXC https://www.linuxcontainers.org https://github.com/lxc NorthSec https://www.nsec.io https://github.com/nsec ? Questions anyone?.