
Generating seccomp profiles for containers using podman and eBPF

Formal Metadata

Title
Generating seccomp profiles for containers using podman and eBPF
Number of Parts
44
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Currently everyone uses the same seccomp rules for running their containers. This tool allows us to generate seccomp rules based on what the container actually requires and allows us to lock down the container. We had a GSoC student this summer who instrumented podman to allow it to run containers and then generate the seccomp rules for the container based on the syscalls that the container actually made. Once you have this newly generated seccomp file and are satisfied that you have thoroughly tested the container, you can run the container in production using the seccomp.json file. This talk will explain how the tool works and demonstrate it in action.