SlideShare a Scribd company logo

Docker security configuration

Download as PPTX, PDF
John Kinsella
John Kinsella

Technical dive into configuring seccomp and linux security capabilities for Docker-based containers. The real meat for this talk was in the demos - I'm working on a screencast version, and will add a link here once I have that published!

Technology
1 of 20
Real-World Examples and Troubleshooting
 Capabilities  Seccomp  Demo demo demo!
 None of my demos should “work” the first time.
Worst to best:  Run with --privileged=true  Run with –cap-add ALL  Run with --cap-drop ALL --cap-add <only needed>  Run as non-root user, unprivileged Useful: capabilities section of https://docs.docker.com/engine/reference/run/
From my Monday talk. Even in dev you should do this. Break the bad habit. Do as I say, not as I do!
3 sections:  Default Action  Target architectures  Filter rules Like firewall rules, but harder to debug!
 SECCOMP_RET_KILL  SECCOMP_RET_TRAP  SECCOMP_RET_ERRNO  SECCOMP_RET_TRACE  SECCOMP_RET_ALLOW
 SECCOMP_RET_KILL  SECCOMP_RET_TRAP  SECCOMP_RET_ERRNO  SECCOMP_RET_TRACE  SECCOMP_RET_ALLOW https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
 SECCOMP_RET_KILL  SECCOMP_RET_TRAP  SECCOMP_RET_ERRNO SCMP_ACT_ERRNO  SECCOMP_RET_TRACE  SECCOMP_RET_ALLOW SCMP_ACT_ALLOW https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
We need to build a list of system calls called by the program… …that we want to succeed  Guess (preferably educated)  RTFM (thanks John!)  Capture behavior – maybe /usr/sbin/strace  Disassembly?
Getting that last 1% can be expensive
 no-new-privileges
 Modern OS  objdump (from binutils)  nm  strace  auditd (some day…)
 Study:  https://docs.docker.com/engine/reference/run/  https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
@johnlkinsella http://layeredinsight.com http://github.com/jlk
 https://github.com/docker/docker/blob/master/docs/security/seccomp.md  http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html  http://linux.die.net/man/1/capsh  https://github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker- seccomp-profiles.md  http://www.slideshare.net/Docker/docker-security-workshop-slides  https://filippo.io/linux-syscall-table/  http://dockersl.im

Recommended

The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)Olaf Alders
 
Virtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsVirtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsQuest Software
 
Deployment talk dpc 13
Deployment talk dpc 13Deployment talk dpc 13
Deployment talk dpc 13Robbert van den Bogerd
 
Orchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeOrchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeGremlin
 
Road to cloud hero
Road to cloud heroRoad to cloud hero
Road to cloud heroWilliam Chong
 
Advanced Jasmine
Advanced JasmineAdvanced Jasmine
Advanced Jasminejbellsey
 
cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010Tatsuhiko Miyagawa
 
In the desert, without a camel
In the desert, without a camelIn the desert, without a camel
In the desert, without a camelStephen Scaffidi
 

Recommended

The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)Olaf Alders
 
Virtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsVirtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsQuest Software
 
Deployment talk dpc 13
Deployment talk dpc 13Deployment talk dpc 13
Deployment talk dpc 13Robbert van den Bogerd
 
Orchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeOrchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeGremlin
 
Road to cloud hero
Road to cloud heroRoad to cloud hero
Road to cloud heroWilliam Chong
 
Advanced Jasmine
Advanced JasmineAdvanced Jasmine
Advanced Jasminejbellsey
 
cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010Tatsuhiko Miyagawa
 
In the desert, without a camel
In the desert, without a camelIn the desert, without a camel
In the desert, without a camelStephen Scaffidi
 
Full stack, Full run, Full test
Full stack, Full run, Full testFull stack, Full run, Full test
Full stack, Full run, Full testTaras Slipets
 
Installing symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPInstalling symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPRiyad Bin Zaman
 
The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)Olaf Alders
 
warp engine - an open source realtime push engine
warp engine - an open source realtime push enginewarp engine - an open source realtime push engine
warp engine - an open source realtime push engineDavid Pichsenmeister
 
Local development with vvv jon trujillo
Local development with vvv jon trujilloLocal development with vvv jon trujillo
Local development with vvv jon trujilloJonathan Trujillo
 
Mangling
Mangling Mangling
Mangling Olaf Alders
 
Let's make this test suite run faster
Let's make this test suite run fasterLet's make this test suite run faster
Let's make this test suite run fasterDavid Gageot
 
No Hugging, No Learning
No Hugging, No LearningNo Hugging, No Learning
No Hugging, No LearningOlaf Alders
 
你不知道的前端
你不知道的前端你不知道的前端
你不知道的前端taobao.com
 
Testando JavaScript com Spock
Testando JavaScript com SpockTestando JavaScript com Spock
Testando JavaScript com SpockIsmael
 
Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Yury Pliashkou
 
Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010David Gageot
 
Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011David Gageot
 
Caching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingCaching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingScott MacVicar
 
F.A.Q
F.A.QF.A.Q
F.A.Qdeputat
 
Vorlon.js
Vorlon.jsVorlon.js
Vorlon.jsDavid Catuhe
 
Sinatra
SinatraSinatra
SinatraTim Lucas
 
Postmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentPostmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentDavid Catuhe
 
Dplyr Installation Instructions
Dplyr Installation InstructionsDplyr Installation Instructions
Dplyr Installation InstructionsVinita Silaparasetty
 
Play Framework in EC2
Play Framework in EC2Play Framework in EC2
Play Framework in EC2kamarul kawnayeen
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack SecuredJohn Kinsella
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 

More Related Content

What's hot

Full stack, Full run, Full test
Full stack, Full run, Full testFull stack, Full run, Full test
Full stack, Full run, Full testTaras Slipets
 
Installing symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPInstalling symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPRiyad Bin Zaman
 
The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)Olaf Alders
 
warp engine - an open source realtime push engine
warp engine - an open source realtime push enginewarp engine - an open source realtime push engine
warp engine - an open source realtime push engineDavid Pichsenmeister
 
Local development with vvv jon trujillo
Local development with vvv jon trujilloLocal development with vvv jon trujillo
Local development with vvv jon trujilloJonathan Trujillo
 
Let's make this test suite run faster
Let's make this test suite run fasterLet's make this test suite run faster
Let's make this test suite run fasterDavid Gageot
 
No Hugging, No Learning
No Hugging, No LearningNo Hugging, No Learning
No Hugging, No LearningOlaf Alders
 
你不知道的前端
你不知道的前端你不知道的前端
你不知道的前端taobao.com
 
Testando JavaScript com Spock
Testando JavaScript com SpockTestando JavaScript com Spock
Testando JavaScript com SpockIsmael
 
Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Yury Pliashkou
 
Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010David Gageot
 
Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011David Gageot
 
Caching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingCaching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingScott MacVicar
 
Postmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentPostmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentDavid Catuhe
 

What's hot (20)

Full stack, Full run, Full test
Full stack, Full run, Full testFull stack, Full run, Full test
Full stack, Full run, Full test
 
Installing symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPInstalling symfony within netbeans and WAMP
Installing symfony within netbeans and WAMP
 
The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)
 
warp engine - an open source realtime push engine
warp engine - an open source realtime push enginewarp engine - an open source realtime push engine
warp engine - an open source realtime push engine
 
Local development with vvv jon trujillo
Local development with vvv jon trujilloLocal development with vvv jon trujillo
Local development with vvv jon trujillo
 
Mangling
Mangling Mangling
Mangling
 
Let's make this test suite run faster
Let's make this test suite run fasterLet's make this test suite run faster
Let's make this test suite run faster
 
No Hugging, No Learning
No Hugging, No LearningNo Hugging, No Learning
No Hugging, No Learning
 
你不知道的前端
你不知道的前端你不知道的前端
你不知道的前端
 
Testando JavaScript com Spock
Testando JavaScript com SpockTestando JavaScript com Spock
Testando JavaScript com Spock
 
Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11
 
Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010
 
Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011
 
Caching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingCaching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and Profiling
 
F.A.Q
F.A.QF.A.Q
F.A.Q
 
Vorlon.js
Vorlon.jsVorlon.js
Vorlon.js
 
Sinatra
SinatraSinatra
Sinatra
 
Postmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentPostmortem of a uwp xaml application development
Postmortem of a uwp xaml application development
 
Dplyr Installation Instructions
Dplyr Installation InstructionsDplyr Installation Instructions
Dplyr Installation Instructions
 
Play Framework in EC2
Play Framework in EC2Play Framework in EC2
Play Framework in EC2
 

Viewers also liked

Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?John Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 

Viewers also liked (6)

CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 

Similar to Docker security configuration

Rails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & ToolsRails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & Toolsguest05c09d
 
Production Grade Kubernetes Applications
Production Grade Kubernetes ApplicationsProduction Grade Kubernetes Applications
Production Grade Kubernetes ApplicationsNarayanan Krishnamurthy
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Stop Being Lazy and Test Your Software
Stop Being Lazy and Test Your SoftwareStop Being Lazy and Test Your Software
Stop Being Lazy and Test Your SoftwareLaura Frank Tacho
 
Check the version with fixes. Link in description
Check the version with fixes. Link in descriptionCheck the version with fixes. Link in description
Check the version with fixes. Link in descriptionPrzemyslaw Koltermann
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneDavid Glick
 
Sinatra and friends
Sinatra and friendsSinatra and friends
Sinatra and friendsJiang Wu
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitMike Pfaff
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitMike Pfaff
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenchesYan Cui
 
Docker Introduction.pdf
Docker Introduction.pdfDocker Introduction.pdf
Docker Introduction.pdfOKLABS
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDocker, Inc.
 
"Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",..."Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",...Fwdays
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouColdFusionConference
 

Similar to Docker security configuration (20)

Docker perl build
Docker perl buildDocker perl build
Docker perl build
 
Rails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & ToolsRails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & Tools
 
Production Grade Kubernetes Applications
Production Grade Kubernetes ApplicationsProduction Grade Kubernetes Applications
Production Grade Kubernetes Applications
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Stop Being Lazy and Test Your Software
Stop Being Lazy and Test Your SoftwareStop Being Lazy and Test Your Software
Stop Being Lazy and Test Your Software
 
Check the version with fixes. Link in description
Check the version with fixes. Link in descriptionCheck the version with fixes. Link in description
Check the version with fixes. Link in description
 
Docker as an every day work tool
Docker as an every day work toolDocker as an every day work tool
Docker as an every day work tool
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
 
Sinatra and friends
Sinatra and friendsSinatra and friends
Sinatra and friends
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and Profit
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and Profit
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenches
 
Docker Introduction.pdf
Docker Introduction.pdfDocker Introduction.pdf
Docker Introduction.pdf
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker Captains
 
"Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",..."Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",...
 
Sprockets
SprocketsSprockets
Sprockets
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and You
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Docker security configuration

Editor's Notes

  1. There’s so many good talks going on this hour – I’m really honored that you decided to join and I hope this is worthwhile for you. This talk was tagged “intermediate” – it might go deeper, please do not be afraid to ask questions.
  2. --privileged does –cap-add ALL as well as allowing device privs Docker has 37 capabilities that can be added or removed
  3. Particularly, ”seccomp BPF”
  4. 5 seccomp values, you’ll probably just use 2
  5. Should we do a screencast of this?