Unprivileged Containers: Shaving Yaks To Get the Toothpaste Back In the Tube
Matt Carroll
44CON 2024 · Day 2 · Main
Matt Carroll's 44CON talk, "Unprivileged Containers: Shaving Yaks To Get the Toothpaste Back In the Tube," delves into the arduous journey Yelp undertook to secure its containerized development environment. The presentation is a candid recounting of a year-and-a-half-long project aimed at resolving a critical security vulnerability: the inherent root access granted by Docker's default operational model in a multi-tenant development setup. Carroll uses two memorable idioms to frame the challenge: "getting the toothpaste back in the tube," representing an incredibly difficult-to-reverse action, and "shaving yaks," symbolizing seemingly unrelated, yet dependent, tasks necessary to achieve a primary goal.
AI review
Honest, technically grounded war story about fixing a real privilege escalation problem in a production multi-tenant container environment. Carroll pulls no punches about the complexity gap between 'just use rootless Docker' and actually shipping it, and the implementation details — ID-mapped mounts, sub-UID allocation, OverlayFS page-size limits, mixed-privilege networking — are specific enough to be genuinely useful to anyone facing the same problem.
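One of the prerequisites the review mentions, sub-UID allocation, is easy to check on a host before moving users to rootless containers. The following script is an added example (not code from the talk or from Yelp): it parses text in the `/etc/subuid` and `/etc/subgid` format (`user:start:count`) and reports whether a user has at least 65,536 subordinate IDs, the minimum the rootless Docker documentation expects. The helper names `subid_count` and `subid_ok` and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original talk: check that a user has a
# sub-UID/sub-GID range large enough for a rootless container runtime.
# Input is text in the /etc/subuid format: "user:start:count" per line.

# Hypothetical helper: print the total number of subordinate IDs assigned
# to a user across all of their entries (0 if the user has none).
subid_count() {
    _user="$1"
    _text="$2"
    printf '%s\n' "$_text" | awk -F: -v u="$_user" '
        $1 == u { total += $3 }      # sum the "count" field of matching rows
        END { print total + 0 }'     # "+ 0" forces a numeric 0 when no match
}

# Hypothetical helper: succeed (exit 0) if the user has at least 65536
# subordinate IDs, the minimum a default rootless Docker setup expects.
subid_ok() {
    _n=$(subid_count "$1" "$2")
    [ "$_n" -ge 65536 ]
}

# Constructed sample of an /etc/subuid file: alice has a full range,
# bob has a truncated one, carol has no entry at all. Comment lines and
# near-miss names must not be counted.
SAMPLE_SUBUID='alice:100000:65536
bob:165536:1000
# comment line that should be ignored
carol-not-here:0:0'

for u in alice bob carol; do
    if subid_ok "$u" "$SAMPLE_SUBUID"; then
        echo "$u: ok ($(subid_count "$u" "$SAMPLE_SUBUID") sub-IDs)"
    else
        echo "$u: INSUFFICIENT ($(subid_count "$u" "$SAMPLE_SUBUID") sub-IDs)"
    fi
done

# Against a real host, check both files for the current user:
#   subid_ok "$USER" "$(cat /etc/subuid)" && subid_ok "$USER" "$(cat /etc/subgid)"
```

The check sums every entry for the user rather than reading only the first, because distributions and `usermod --add-subuids` can legitimately leave several non-contiguous ranges; a runtime that needs a contiguous range would need a stricter test than this one.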