
Docker rant


Slides for a short rant on Docker

Published in: Technology


  1. POST /v1.16/containers/0abe202395e4e61fc35f8f90e3432ad0f2fb3d3816a79c367ff716ecb57965dc/resize?h=24&w=107 HTTP/1.1
     Host: /var/run/docker.sock
     User-Agent: Docker-Client/1.4.0
     Content-Length: 0
     Content-Type: plain/text
  2. "In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users."
  3. all this crap running as root
  4. including the containers run by unprivileged (not any more) users
  5. "trusted" images: https://titanous.com/posts/docker-insecurity
  6. KISS
  7. user namespaces: completely unprivileged* containers in kernel 3.9+
  8. * remaining setuid bits:
     - lxc-user-nic: a couple of netlink packets with CAP_NET_ADMIN, if you need a private net
     - newuidmap / newgidmap: a single write(), if you need multiple uids/gids
  9. https://github.com/gnosek/shoebox
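The "single write()" from slides 7 and 8, spelled out in C as an added example (this is not code from the slides or from gnosek/shoebox): a normal user creates a user namespace with unshare(CLONE_NEWUSER) and maps uid 0 inside it to their own uid outside with one write to /proc/self/uid_map, so no setuid helper is involved. It assumes a Linux 3.9+ kernel with unprivileged user namespaces enabled and, for the gid mapping, the /proc/self/setgroups file that appeared in 3.19; the function names build_id_map, unprivileged_userns_demo and the exit code USERNS_UNAVAILABLE are the example's own.

```c
// Added example, not from the slides: an unprivileged "container" skeleton
// built only on user namespaces (Linux 3.9+).  One uid needs a single
// write() to uid_map; the setuid newuidmap/newgidmap helpers from the
// slides are only needed for mapping more than one id.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define USERNS_UNAVAILABLE 100  /* kernel or sandbox refused CLONE_NEWUSER */

/* Format one "inside outside count" line as the kernel expects in
 * /proc/PID/uid_map and gid_map.  Returns the number of bytes formatted. */
int build_id_map(unsigned inside, unsigned outside, unsigned count,
                 char *buf, size_t len)
{
    return snprintf(buf, len, "%u %u %u\n", inside, outside, count);
}

/* Write a string to /proc/self/<file>; 0 on success, -errno on failure. */
static int write_proc_self(const char *file, const char *data)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t n = write(fd, data, strlen(data));
    int err = (n < 0) ? errno : 0;   /* save before close() can clobber it */
    close(fd);
    return n < 0 ? -err : 0;
}

/* Child: become uid 0 in a fresh user namespace by mapping 0 -> our real
 * uid.  Without CAP_SETGID in the parent namespace, gid_map may only be
 * written after setgroups has been denied (kernel 3.19+). */
static int child_become_ns_root(uid_t outside_uid, gid_t outside_gid)
{
    char map[64];
    if (unshare(CLONE_NEWUSER) < 0)   /* EPERM/EINVAL: userns disabled */
        return USERNS_UNAVAILABLE;
    build_id_map(0, outside_uid, 1, map, sizeof map);
    if (write_proc_self("uid_map", map) < 0) return 2;
    int r = write_proc_self("setgroups", "deny");
    if (r < 0 && r != -ENOENT) return 3;   /* ENOENT: pre-3.19 kernel */
    build_id_map(0, outside_gid, 1, map, sizeof map);
    if (write_proc_self("gid_map", map) < 0) return 4;
    /* Root inside the namespace only: the kernel still sees our real uid. */
    return (geteuid() == 0 && getegid() == 0) ? 0 : 5;
}

/* Run the demo in a forked child so the caller's namespaces are untouched.
 * Returns 0 if the child was uid 0 in its new namespace, USERNS_UNAVAILABLE
 * if unshare(CLONE_NEWUSER) was refused, another small code if a write failed. */
int unprivileged_userns_demo(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_become_ns_root(uid, gid));
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = unprivileged_userns_demo();
    printf("user namespace demo: rc=%d (0 = uid 0 inside, %d = userns unavailable)\n",
           rc, USERNS_UNAVAILABLE);
    return rc == 0 ? 0 : 1;
}
```

Build with `gcc -Wall -o userns_demo userns_demo.c` and run it as an ordinary user; rc=0 means the process was uid 0 inside its own namespace with nothing setuid on the path. The "root" obtained this way is root over that namespace only, which is exactly the point of slide 7: what the kernel does unprivileged no longer has to go through a root daemon behind /var/run/docker.sock.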
