As users of Linux containerization have become well aware, it provides a rapid deployment mechanism for consistent environments and immutable infrastructure. As attackers have become equally aware, most users do not audit the containers they run, and with a shared kernel and root privileges many things are possible.
At CoreOS we eschewed the dominant paradigm, Docker, due to what we felt were inconsistencies in its security story. This led to the development of rkt (née "rocket"), which builds upon the ideas of LXC, Docker, and earlier containerization systems while adding support for a run-time choice between containerization and virtualization.
Using rkt, users can decide at run time whether a "container" should truly be run as a Linux-based container through the traditional mechanisms of namespaces, cgroups, and SELinux, or whether these should be layered with an additional kernel, allowing for increased run-time isolation.
Best of all, rkt is available as free/libre open source software and has been battle tested in our production for over two years. In this talk we will outline how we use these technologies in production to secure our environment.