SlideShare a Scribd company logo
1 of 11
Containers: Anti-patterns
Jeeva S. Chelladhurai
sjeeva@gmail.com
https://www.linkedin.com/in/jeevachelladhurai
Why containers
Structure
• Synopsis
• Symptoms
• Prognosis
• Side effects
• Cure
• Exceptions
VictiMizing
• Synopsis:
• Converting a container as a VM (VMizing)
• Symptoms:
• Linux, RHEL, CentOS, Fedora, Ubuntu
• SSH/Telnet Connection, SCP/FTP Transfer
• Cron Job
• Prognosis:
• Marring to the old habits
• Purpose of containerization is not understood
• Side effects:
• Bloated image size
• Increased attack surface
• Cure:
• Narrow it down to application runtime
Overloading
• Synopsis:
• Running multiple services inside a container
• Symptoms:
• Running upstart or systemd
• Prognosis:
• Purpose of containerization is not well understood
• Side effects:
• Cannot DevOps or scale individual services
• Cure:
• Separation area of concern: Run one application inside the container in the foreground
and connect to the dependent service like any other backing service
• Exceptions:
• Zombie reaper like tini (--init)
• Tight dependency between services (really?, I still feel it can be separated)
Skidding
• Synopsis:
• Dockerfile FROM instruction with a moving tag
• Symptoms:
• Under qualified or non-concrete image in the Dockerfile FROM instruction
• FROM python:3 or FROM python:latest
• Prognosis:
• Quick hacking mode
• Impact of version change and immutability is not well understood
• Side effects:
• Unexpected failures during image rebuilds
• Cure:
• Always fully qualify the image name with tag or digest (later is recommended)
• FROM python:3.6.3-alpine3.6
• FROM python@sha256:b29985dc837ae19408a89cdd6c72653e3aeed9cc731a3be81472f035f9d16f60
Petting or Tinkering
• Synopsis:
• Working inside a container
• Symptoms:
• The workflow involves exec-ing or attach-ing to the container
• Prognosis:
• Quick hacking mode
• Either immutability is not understood or ignored
• Side effects:
• Cannot be automated or involves tools like expect
• Cure:
• Dockerfile with ENTRYPOINT and/or CMD
Desensitizing
• Synopsis:
• Storing sensitive information in the image file system
• Symptoms:
• Applications using sensitive information like password and tokens from the container file
system
• Prognosis:
• Gap in understanding the docker image filesystem and related commands
• Side effects:
• Sensitive information can be retrieved from the image file system
• Cure:
• Pass sensitive information to the container thru env variable or mounted files
Fleeting
• Synopsis:
• Storing application state and logs in the containers ephemeral filesystem
• Symptoms:
• No strategy around storing and handling container’s state and logs
• Prognosis:
• Either immutability is not understood or ignored
• Side effects:
• Losing the state of containerized application and logs
• Cure:
• Use volumes or external data store to persist the container state
• Route container logs to external log handlers like graylog, syslog and etc
Thanks
Jeeva S. Chelladhurai
sjeeva@gmail.com
https://www.linkedin.com/in/jeevachelladhurai
https://www.meetup.com/preview/opensourceblr
https://www.meetup.com/preview/jenkinsBLR
https://www.meetup.com/preview/EthereumBlr
Open Source Meetup Jenkins Area Meetup Ethereum Meetup

More Related Content

What's hot

Prometheus: infrastructure and application monitoring in kubernetes cluster
Prometheus: infrastructure and application monitoring in kubernetes clusterPrometheus: infrastructure and application monitoring in kubernetes cluster
Prometheus: infrastructure and application monitoring in kubernetes clusterLohika_Odessa_TechTalks
 
The State of Logging on Docker
The State of Logging on DockerThe State of Logging on Docker
The State of Logging on DockerTrevor Parsons
 
Container (Docker) Orchestration Tools
Container (Docker) Orchestration ToolsContainer (Docker) Orchestration Tools
Container (Docker) Orchestration ToolsDhilipsiva DS
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMNeependra Khare
 
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor BrownDockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor BrownDocker, Inc.
 
Introduction to Version Control
Introduction to Version ControlIntroduction to Version Control
Introduction to Version ControlJeremy Coates
 
Automated Image Builds in OpenShift and Kubernetes
Automated Image Builds in OpenShift and KubernetesAutomated Image Builds in OpenShift and Kubernetes
Automated Image Builds in OpenShift and KubernetesGraham Dumpleton
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Nicolas De Loof
 
DockerDay2015: Docker orchestration for sysadmin
DockerDay2015: Docker orchestration for sysadminDockerDay2015: Docker orchestration for sysadmin
DockerDay2015: Docker orchestration for sysadminDocker-Hanoi
 
U boot source clean up project how-to
U boot source clean up project how-toU boot source clean up project how-to
U boot source clean up project how-toMacpaul Lin
 
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph GaluschkaOpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph GaluschkaNETWAYS
 
Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Docker, Inc.
 
DockerDay2015: Docker orchestration for developers
DockerDay2015: Docker orchestration for developersDockerDay2015: Docker orchestration for developers
DockerDay2015: Docker orchestration for developersDocker-Hanoi
 
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data ProjectsJUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data ProjectsCloudBees
 
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando MayoDocker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando MayoDocker, Inc.
 
.NET on Linux: Entity Framework Core 1.0
.NET on Linux: Entity Framework Core 1.0.NET on Linux: Entity Framework Core 1.0
.NET on Linux: Entity Framework Core 1.0All Things Open
 
Docker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker, Inc.
 

What's hot (20)

Jenkins' shared libraries in action
Jenkins' shared libraries in actionJenkins' shared libraries in action
Jenkins' shared libraries in action
 
Prometheus: infrastructure and application monitoring in kubernetes cluster
Prometheus: infrastructure and application monitoring in kubernetes clusterPrometheus: infrastructure and application monitoring in kubernetes cluster
Prometheus: infrastructure and application monitoring in kubernetes cluster
 
Golang workshop
Golang workshopGolang workshop
Golang workshop
 
The State of Logging on Docker
The State of Logging on DockerThe State of Logging on Docker
The State of Logging on Docker
 
Container (Docker) Orchestration Tools
Container (Docker) Orchestration ToolsContainer (Docker) Orchestration Tools
Container (Docker) Orchestration Tools
 
Docker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBMDocker Multi Host Networking, Rachit Arora, IBM
Docker Multi Host Networking, Rachit Arora, IBM
 
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor BrownDockerizing Windows Server Applications by Ender Barillas and Taylor Brown
Dockerizing Windows Server Applications by Ender Barillas and Taylor Brown
 
Introduction to Version Control
Introduction to Version ControlIntroduction to Version Control
Introduction to Version Control
 
Automated Image Builds in OpenShift and Kubernetes
Automated Image Builds in OpenShift and KubernetesAutomated Image Builds in OpenShift and Kubernetes
Automated Image Builds in OpenShift and Kubernetes
 
Breaking the RpiDocker challenge
Breaking the RpiDocker challenge Breaking the RpiDocker challenge
Breaking the RpiDocker challenge
 
DockerDay2015: Docker orchestration for sysadmin
DockerDay2015: Docker orchestration for sysadminDockerDay2015: Docker orchestration for sysadmin
DockerDay2015: Docker orchestration for sysadmin
 
U boot source clean up project how-to
U boot source clean up project how-toU boot source clean up project how-to
U boot source clean up project how-to
 
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph GaluschkaOpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
 
JavaCro'15 - Docker, Kubernetes and Jube - a new cloud architecture - Aleš Ju...
JavaCro'15 - Docker, Kubernetes and Jube - a new cloud architecture - Aleš Ju...JavaCro'15 - Docker, Kubernetes and Jube - a new cloud architecture - Aleš Ju...
JavaCro'15 - Docker, Kubernetes and Jube - a new cloud architecture - Aleš Ju...
 
Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...Online Meetup: Why should container system / platform builders care about con...
Online Meetup: Why should container system / platform builders care about con...
 
DockerDay2015: Docker orchestration for developers
DockerDay2015: Docker orchestration for developersDockerDay2015: Docker orchestration for developers
DockerDay2015: Docker orchestration for developers
 
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data ProjectsJUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
 
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando MayoDocker for Developers - Part 2 by Borja Burgos and Fernando Mayo
Docker for Developers - Part 2 by Borja Burgos and Fernando Mayo
 
.NET on Linux: Entity Framework Core 1.0
.NET on Linux: Entity Framework Core 1.0.NET on Linux: Entity Framework Core 1.0
.NET on Linux: Entity Framework Core 1.0
 
Docker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David GageotDocker for Developers - Part 1 by David Gageot
Docker for Developers - Part 1 by David Gageot
 

Similar to Containers: Anti Pattern

DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Evolving for Kubernetes
Evolving for KubernetesEvolving for Kubernetes
Evolving for KubernetesChris McEniry
 
SOA with PHP and Symfony
SOA with PHP and SymfonySOA with PHP and Symfony
SOA with PHP and SymfonyMichalSchroeder
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
How to avoid microservice pitfalls
How to avoid microservice pitfallsHow to avoid microservice pitfalls
How to avoid microservice pitfallsParticular Software
 
Hands on kubernetes_container_orchestration
Hands on kubernetes_container_orchestrationHands on kubernetes_container_orchestration
Hands on kubernetes_container_orchestrationAmir Hossein Sorouri
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
Architectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyArchitectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyComsysto Reply GmbH
 
Architectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyArchitectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyComsysto Reply GmbH
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Realtime traffic analyser
Realtime traffic analyserRealtime traffic analyser
Realtime traffic analyserAlex Moskvin
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users:  Other Techniques (Part 1)Ch 13: Attacking Other Users:  Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)Sam Bowne
 
John adams talk cloudy
John adams   talk cloudyJohn adams   talk cloudy
John adams talk cloudyJohn Adams
 

Similar to Containers: Anti Pattern (20)

DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Evolving for Kubernetes
Evolving for KubernetesEvolving for Kubernetes
Evolving for Kubernetes
 
SOA with PHP and Symfony
SOA with PHP and SymfonySOA with PHP and Symfony
SOA with PHP and Symfony
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
How to avoid microservice pitfalls
How to avoid microservice pitfallsHow to avoid microservice pitfalls
How to avoid microservice pitfalls
 
Hands on kubernetes_container_orchestration
Hands on kubernetes_container_orchestrationHands on kubernetes_container_orchestration
Hands on kubernetes_container_orchestration
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok   Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
Architectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyArchitectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and Consistently
 
Architectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and ConsistentlyArchitectural Decisions: Smoothly and Consistently
Architectural Decisions: Smoothly and Consistently
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Software Security and IDS.pptx
Software Security and IDS.pptxSoftware Security and IDS.pptx
Software Security and IDS.pptx
 
Realtime traffic analyser
Realtime traffic analyserRealtime traffic analyser
Realtime traffic analyser
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 
Ch 13: Attacking Other Users: Other Techniques (Part 1)
Ch 13: Attacking Other Users:  Other Techniques (Part 1)Ch 13: Attacking Other Users:  Other Techniques (Part 1)
Ch 13: Attacking Other Users: Other Techniques (Part 1)
 
John adams talk cloudy
John adams   talk cloudyJohn adams   talk cloudy
John adams talk cloudy
 

Recently uploaded

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 

Recently uploaded (20)

Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 

Containers: Anti Pattern

  • 1. Containers: Anti-patterns Jeeva S. Chelladhurai sjeeva@gmail.com https://www.linkedin.com/in/jeevachelladhurai
  • 3. Structure • Synopsis • Symptoms • Prognosis • Side effects • Cure • Exceptions
  • 4. VictiMizing • Synopsis: • Converting a container as a VM (VMizing) • Symptoms: • Linux, RHEL, CentOS, Fedora, Ubuntu • SSH/Telnet Connection, SCP/FTP Transfer • Cron Job • Prognosis: • Marring to the old habits • Purpose of containerization is not understood • Side effects: • Bloated image size • Increased attack surface • Cure: • Narrow it down to application runtime
  • 5. Overloading • Synopsis: • Running multiple services inside a container • Symptoms: • Running upstart or systemd • Prognosis: • Purpose of containerization is not well understood • Side effects: • Cannot DevOps or scale individual services • Cure: • Separation area of concern: Run one application inside the container in the foreground and connect to the dependent service like any other backing service • Exceptions: • Zombie reaper like tini (--init) • Tight dependency between services (really?, I still feel it can be separated)
  • 6. Skidding • Synopsis: • Dockerfile FROM instruction with a moving tag • Symptoms: • Under qualified or non-concrete image in the Dockerfile FROM instruction • FROM python:3 or FROM python:latest • Prognosis: • Quick hacking mode • Impact of version change and immutability is not well understood • Side effects: • Unexpected failures during image rebuilds • Cure: • Always fully qualify the image name with tag or digest (later is recommended) • FROM python:3.6.3-alpine3.6 • FROM python@sha256:b29985dc837ae19408a89cdd6c72653e3aeed9cc731a3be81472f035f9d16f60
  • 7. Petting or Tinkering • Synopsis: • Working inside a container • Symptoms: • The workflow involves exec-ing or attach-ing to the container • Prognosis: • Quick hacking mode • Either immutability is not understood or ignored • Side effects: • Cannot be automated or involves tools like expect • Cure: • Dockerfile with ENTRYPOINT and/or CMD
  • 8. Desensitizing • Synopsis: • Storing sensitive information in the image file system • Symptoms: • Applications using sensitive information like password and tokens from the container file system • Prognosis: • Gap in understanding the docker image filesystem and related commands • Side effects: • Sensitive information can be retrieved from the image file system • Cure: • Pass sensitive information to the container thru env variable or mounted files
  • 9. Fleeting • Synopsis: • Storing application state and logs in the containers ephemeral filesystem • Symptoms: • No strategy around storing and handling container’s state and logs • Prognosis: • Either immutability is not understood or ignored • Side effects: • Losing the state of containerized application and logs • Cure: • Use volumes or external data store to persist the container state • Route container logs to external log handlers like graylog, syslog and etc
  • 11. Open Source Meetup Jenkins Area Meetup Ethereum Meetup