CIALUG May 2019 Meeting: An intro to docker and using rootless docker

•

0 likes•81 views

The document summarizes a presentation given by Andrew Denner to the Central Iowa Linux Users Group about Docker and rootless Docker. It begins with welcome information about the meeting and introduces the presenter. Andrew Denner then gives a brief introduction to Docker, comparing it to shipping containers, and discusses the benefits of using Docker. He notes some limitations of running Docker as root and introduces the concept of rootless Docker as a more secure alternative, explaining how it works using user namespaces to simulate root access within containers run by non-root users.

Software

WELCOME TO CIALUG
• Meetings are the third Wednesday of the month
• Thank you to this month’s host Source Allies
• Next meeting at the 515 Maker’s Space? (watch for more details) on IoT
• Connect up with us:
• https://cialug.org
• Email list
• Slack and IRC

A LITTLE ABOUT ME
• Andrew Denner
• @adenner
• Software Developer by day,
Linux enthusiast at night
• Recently back from
Dockercon
• Slides will be emailed out
and posted to
https://denner.co

A BRIEF INTRO TO DOCKER
(AND ROOTLESS DOCKER)
ANDREW DENNER
CENTRAL IOWA LINUX USERS GROUP

THANKS TO:
• Some of the information is rehashed from two presentations at dockercon.
The videos are in the link below and are worth watching! Thanks to Akihiro
Suda of NTT Corporation and Michael Irwin of Virginia Tech
• https://www.docker.com/dockercon/2019-videos/
• https://www.docker.com/dockercon/2019-videos?watch=hardening-docker-
daemon-with-rootless-mode
• https://www.docker.com/dockercon/2019-videos?watch=containers-for-
beginners

IT’S ALL
ABOUT
SHIPPING
IN THE BEGINNING, MORE TIME
WAS SPENT LOADING AND
UNLOADING IN PORT THAN IN
TRAVEL

IF IT FITS IT SHIPS
CONTAINERS STANDARDIZED THE PROCESS
AND MAKES IT EASY FOR LOADING AND
UNLOADING

THE WHITE ZONE
IS FOR LOADING
AND UNLOADING
OF PASSENGERS
ONLY
THERE IS NEVER ANY PARKING IN THE WHITE
ZONE…

MULTI-MODAL
SHIPPING IS
EASIER
BOAT TO TRAIN TO TRUCK

WHAT DOES SHIPPING HAVE TO DO WITH ANYTHING
• Old way was order hardware, install os, software etc
• Took lots of time, hard to reproduce
• “Well it worked on my machine”
• Shipping container idea… enter docker

THINGS TO
REMEMBER
• All containers are sharing the same kernel as
the host
• Not really anything new, just nice package of a
bunch of older techs
• Docker daemon is running as root
• You can mount files in filesystem, if root inside
you are root outside
• If you can escape your container, remember
docker daemon is root!

IT EXISTS NOW… KINDA
• You can run it right now… shell script installer will take care of the
magic
• curl -fsSL https://get.docker.com/rootless | sh
• Katacoda example
https://www.katacoda.com/courses/docker/rootless

WHAT’S THE CATCH?
• No Overlay fs (except for ubuntu)
• Network performance is degraded
• Ports below 1024 can’t be listened on (remember you are not root)
• No cgroups
• --memory and -- cpu flags don’t work
• Docker top doesn’t work
• You need to be in /etc/subuid and /etc/subgid (this can be a problem in
LDAP)

WHILE MORE SECURE IT’S NOT PERFECT
• There is still room for abuse
• Won’t stop someone from bitcoin mining inside of docker
• Can use as a springboard for further attacks
• Still can fall for vm /kernel/hardware vulnerabilities

HOW DOES IT WORK?
• User namespaces allow non root users to pretend that they are root (UID0)

Sub-users (and sub-groups)
● If /etc/subuid contains “1001:100000:65536”
● Having 65536 sub-users should be enough for most
containers
0 1001 100000 165535 232
0 1 65536
Host
UserNS
primary user sub-users start sub-users len

This document summarizes an upcoming meeting of the Central Iowa Linux Users Group (CIALUG) that will feature a presentation on Linux containers. The presentation will provide a brief history of containers from early chroot-based implementations to modern Docker and Kubernetes containers. It will also demo and compare various container technologies like Docker, LXC, Podman, Buildah, and Kubernetes.

Atlanta Docker Meetup - 26June14 - Flynn

jmanuzak

Flynn is an open-source Platform as a Service (PAAS) that is modular and based on Dokku. It uses Docker containers and builds "slugs" from application source code similar to Heroku. The core Flynn components include a host service, service discovery system, controller, CLI, deployer, slug builder, and slug runner. It allows pushing code to Flynn which compiles a slug, hosts it on a file server, launches it in Docker containers, and sets up routing. While rough around the edges for managing clusters, Flynn has potential due to its small reusable components and ability to manage general containers beyond just applications.

Docker First Steps

Julian Camargo

Docker provides a lightweight container platform that allows applications to run isolated on the same host machine. It uses a layered image format and central repository called Docker Hub to distribute container images. Containers are more portable and faster to deploy than virtual machines, though they have some limitations around networking and security compared to VMs. Tools like Kubernetes help manage Docker containers in production environments.

Deploying Personalized Learning Labs using Docker Swarm by Nate Aune and Bria...

Docker, Inc.

At Appsembler, we've built a system to deploy personalized learning labs using Docker Swarm. Each learning lab consists of arbitrary software running in a Docker container, so each student can have their own isolated environment to learn and experiment. The containers can be paired with another container running the Cloud9 IDE, allowing students to modify code and see the results in real time without the need to install anything on their own system. Our system uses Docker Swarm to deploy and manage containers. To ensure the system is robust, we have automatic failover between Swarm managers (known as high availability). We'll discuss how we're using Consul to implement a highly available Swarm cluster, as well as other features of Swarm that we're using.

OSCON: Incremental Revolution - What Docker learned from the open-source fire...

Docker, Inc.

Since Solomon Hykes unveiled Docker at the PyCon conference three years ago, containers have revolutionized how developers and ops teams build, ship, and run applications. Solomon explores the past, present, and future of our container ecosystem and shares lessons learned from managing successful open source projects across several dimensions: technology, people, products, and business. Sign up for the Docker for Mac and Windows beta: beta.docker.com

Opening of Cloud Native Taiwan User Group Meetup#2

HungWei Chiu

The document announces an SDN and cloud native meetup hosted by two Taiwan user groups to promote and share knowledge of SDN and cloud native technologies. The meetup agenda includes talks on high performance networking, SDN, Kubernetes storage, writing Kubernetes operators, service meshes, and CKA certification. Speakers are requested and a follow-up workshop and meetup are planned to cover OpenStack, Kubernetes and other topics.

Balena: a Moby-based container engine for IoT

Balena

Docker stack to run your deck

Michael Cheremukhin

The document discusses best practices for developing Puppet code in a DevOps environment. It recommends keeping code in branches in version control systems like Git or SVN, writing syntax-checked and tested code locally in virtual environments, and sharing code publicly through tools like Puppet Forge and privately through Hiera. Automating processes like testing, deployments, and sharing code are also emphasized.

RunDeck

Bruno Bonfils

Icinga 2010 at OSMC

Icinga

The document discusses Icinga, an open source monitoring project. It provides an agenda for an Icinga Development Team presentation covering topics like the Icinga team, project structure, tools, current and future architectures, addons, reporting, roadmap, and a live demo. Major problems with distributed monitoring are outlined along with plans for a new core API and asynchronous, bidirectional architecture to address them.

I wanna talk about nsenter

Richárd Kovács

Netflix Open Source: Building a Distributed and Automated Open Source Program

aspyker

Netflix has been using and contributing to open source for several years. Over the years, Netflix has released over one hundred Netflix Open Source (aka NetflixOSS) libraries, servers, and technologies. Netflix engineers benefit by accepting contributions and gathering feedback with key collaborators around the world. Users of NetflixOSS from many industries benefit from our solutions including Big Data, Build and Delivery Tools, Runtime Services and Libraries, Data Persistence, Insight, Reliability and Performance, Security and User Interface. With such a large and mature open source program, Netflix has worked on approaches and tools that help manage and improve the NetflixOSS source offerings and communities. Netflix has taken a different approach to building support for open source as compared to other Internet scale companies. Come to this session to learn about the unique approaches Netflix has taken to both distribute and automate the responsibilities of building a world-class open source program.

Mobycraft - Docker in 8-bit by Aditya Gupta

Docker, Inc.

Mobycraft is a Minecraft client-side mod to manage and visualize Docker containers in Minecraft. This mod can be installed in any standard Minecraft client and allow young kids to learn Docker fundamentals in a fun way. It allowed a 13-year old boy to apply his Minecraft modding skills to pick up Docker concepts such as Engine, Machine, Swarm, and Remote API. This project became a great bonding experience between a father and a son. It allowed them to engage in fun and geeky conversations, such as code reviews and tooling discussion, and thereby building memories for a lifetime.

So Easy, A Ten Year Old Can Do It by Zeph Gardler

Docker, Inc.

Docker focuses on simplicity. In this session we will here how, Zeph, a 10 year old boy went from asking his dad a simple question, to deploying Docker containers to help search for a cancer cure and to build worlds. We’ll hear how the simplicity of Docker inspired him to learn more, and now as an 11 year old, he has moved on to programming his own containerized applications to process vital data streams from public APIs.

Ceph Day NYC: Ceph in the Ecosystem

Ceph Community

This document summarizes Patrick McGarry's presentation on Ceph in the ecosystem. The presentation introduced Ceph's role in various communities and open source projects, how to get involved in the Ceph community through code contributions and mailing lists, and Ceph's integrations with Linux distributions, orchestration tools, and cloud platforms like OpenStack and CloudStack. The presentation concluded by thanking attendees and inviting any questions or comments.

Tyrion Cannister Neural Styles by Dora Korpar and Siphan Bou

Docker, Inc.

DockerCon SF 2015: Docker Community in China

Docker, Inc.

1) The document discusses the Docker community in China, noting that early adopters like Baidu helped drive adoption. 2) Meetups and content contributed to scaling the community from 1 to over 19 cities with thousands of attendees. Chinese contributors are also among the top for the Docker project. 3) The market for Docker in China is driven by the "Internet Plus" strategy and sectors like e-commerce, social media, and IoT. This is creating opportunities for startups and traditional businesses to embrace mobile and cloud technologies. 4) The ecosystem involves startups building tools for CI/CD, container services, and management, and projects like Hyper focusing on running containers on any hypervisor. Developers are also using

Unikernel User Summit 2015: Getting started in unikernels using the rump kernel

The Linux Foundation

InfectNet Technical

Attila Bagossy

The document describes InfectNet, a massively multiplayer online strategy game powered by code written by players. It discusses the game's architecture, which includes separate server and client repositories on GitHub. The game uses a domain-specific language for players to write code that gets executed on the server. Key aspects of the architecture include entity component systems, action/request queues to handle asynchronous behavior, and various game systems that power different aspects like spawning and movement.

Docker - Hack Salem! - November 2014

Charles Anderson

JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...

CloudBees

By Mark Galpin, JFrog Correct this if it's wrong, but as a software developer you have two main dreams - to enjoy your coding and to not have to care about anything else but code. Setting up an environment and maintaining a CI/CD cycle for your software can be complicated and painful. The good news is, it doesn't have to be! In this talk, Mark will demo some of the most popular alternatives for a cloud-based development life cycle: from CI builds with DEV@cloud, through artifact deployment to a binary repository and finally, rolling out your release on a truly modern distribution platform.

A brief intro to Ansible-CIALUG March 2020

Andrew Denner

- The document introduces Ansible, an automation tool for server provisioning, configuration, and management that allows organizing servers into groups and describing how those groups should be configured from a central location. - Key Ansible concepts are introduced including control nodes, managed nodes, inventory files, modules, tasks, and playbooks which are like todo lists that use modules to achieve tasks. - A brief demo is shown of using Ansible with a control node, two managed nodes, and a Docker Compose host for sharing files.

Icinga2 - Apify them all

Icinga

DockerDay2015: Docker Networking

Docker-Hanoi

This document summarizes a presentation on Docker networking. It introduces Docker networking concepts like the Docker0 bridge, virtual ethernet interfaces, linking containers, and editing networking configuration files. It then provides a deep dive on experimental Docker networking features in libnetwork like creating networks, multi-host networking, services, and drivers. The presentation encourages users to try experimental networking and contribute to libnetwork.

Understanding Containers through Gaming by Brendan Fosberry

Docker, Inc.

Programming games and competitions can be a great way to introduce software development, and motivate people to hone their skills. During the third Global Docker Hackday, we prototyped a simple game platform called “Docker Than Light”. Our goal was to create a fun and competitive exercise to help introduce people to the concept of stateful microservices in containers and gain familiarity with the Docker toolset, all packaged as a competitive “Faster Than Light” style free-for-all. In this talk we’ll discuss a more unusual implementation of containers; allowing game participants to utilize any programming language to build artificially intelligent actors in a distributed simulation. Docker Swarm and network plugins help distribute resources, maintain isolation and provide a realistic analogy for the different components in the system. We’ll talk about the design and orchestration of the simulation, as well as how the various actor languages and platforms were allowed to interact in a homogeneous way.

Icinga Camp Antwerp - Icinga2 Configuration

Icinga

This document discusses Icinga 2, an open source monitoring software. It provides an overview of Icinga 2 including its new configuration format, templates, value types, and functions. It also covers migrating from Icinga 1 to Icinga 2 using apply rules and host groups. The presentation demonstrates Icinga 2 using Vagrant and concludes with a discussion of Icinga's vision and taking feedback from the community.

Orchestrating Docker - Making the Whale Dance

James Turnbull

Docker hit the developer scene in a big way last year. It made it easy for developers to run their applications locally and easily share and deploy them. But it wasn't quite ready for prime-time. It wasn't easy to run n-tier applications locally, manage Docker across different geographical locations or cluster Docker for availability and performance. Recent releases of Docker have introduced new capabilities and tools to help with these use cases. In this session we're going to look at these new capabilities including: * Looking at Docker Compose for building n-tier Docker applications and managing application stacks. * Introduce Docker Swarm which provides orchestration and clustering for Docker servers. * See how to integrate Docker and service discovery tools. By the end of the session, you'll have a good understanding of how to take your Docker implementation to the next level and make use of these new capabilities.

Docker in pratice -chenyifei

dotCloud

Lightweight virtualization uses container technology to isolate processes and their resources through namespaces and cgroups. Docker is a container management system that provides lightweight virtualization. Baidu chose Docker for its BAE platform because containers provide better isolation than sandboxes with fewer restrictions and lower costs. Docker meets BAE's needs but was improved with additional security and resource constraints for its PAAS platform.

Central Iowa Linux Users group July 2019--Jupyter Notebook on a Raspberry Pi

Andrew Denner

This document summarizes a presentation given at the Central Iowa Linux Users Group meeting on July 17, 2019 about using Jupyter Notebook on a Raspberry Pi. The presentation covered installing Docker on a Raspberry Pi 3B+, building a Docker image with Jupyter Notebook and related Python packages, and briefly demonstrating Jupyter Notebook within the Docker container. The speaker was Andrew Denner, a senior software developer and president of the user group.

What's hot

Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -

Puppet

RunDeck

Bruno Bonfils

Icinga 2010 at OSMC

Icinga

I wanna talk about nsenter

Richárd Kovács

Netflix Open Source: Building a Distributed and Automated Open Source Program

aspyker

Mobycraft - Docker in 8-bit by Aditya Gupta

Docker, Inc.

So Easy, A Ten Year Old Can Do It by Zeph Gardler

Docker, Inc.

Ceph Day NYC: Ceph in the Ecosystem

Ceph Community

Tyrion Cannister Neural Styles by Dora Korpar and Siphan Bou

Docker, Inc.

DockerCon SF 2015: Docker Community in China

Docker, Inc.

Unikernel User Summit 2015: Getting started in unikernels using the rump kernel

The Linux Foundation

InfectNet Technical

Attila Bagossy

Docker - Hack Salem! - November 2014

Charles Anderson

JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...

CloudBees

A brief intro to Ansible-CIALUG March 2020

Andrew Denner

Icinga2 - Apify them all

Icinga

DockerDay2015: Docker Networking

Docker-Hanoi

Understanding Containers through Gaming by Brendan Fosberry

Docker, Inc.

Icinga Camp Antwerp - Icinga2 Configuration

Icinga

Orchestrating Docker - Making the Whale Dance

James Turnbull

What's hot (20)

Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -

RunDeck

Icinga 2010 at OSMC

I wanna talk about nsenter

Netflix Open Source: Building a Distributed and Automated Open Source Program

Mobycraft - Docker in 8-bit by Aditya Gupta

So Easy, A Ten Year Old Can Do It by Zeph Gardler

Ceph Day NYC: Ceph in the Ecosystem

Tyrion Cannister Neural Styles by Dora Korpar and Siphan Bou

DockerCon SF 2015: Docker Community in China

Unikernel User Summit 2015: Getting started in unikernels using the rump kernel

InfectNet Technical

Docker - Hack Salem! - November 2014

JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...

A brief intro to Ansible-CIALUG March 2020

Icinga2 - Apify them all

DockerDay2015: Docker Networking

Understanding Containers through Gaming by Brendan Fosberry

Icinga Camp Antwerp - Icinga2 Configuration

Orchestrating Docker - Making the Whale Dance

Similar to CIALUG May 2019 Meeting: An intro to docker and using rootless docker

Docker in pratice -chenyifei

dotCloud

Central Iowa Linux Users group July 2019--Jupyter Notebook on a Raspberry Pi

Andrew Denner

Consuming Cinder from Docker

John Griffith

This document summarizes John Griffith's presentation about using Docker volume plugins with OpenStack Cinder block storage. Some key points: - Griffith developed a Cinder volume plugin for Docker to provide persistent block storage to containers. This allows using existing Cinder backends without vendor lock-in. - He demonstrated deploying a Swarm cluster on OpenStack using docker-machine and the built-in OpenStack driver. The Cinder plugin was installed on each node to enable volume provisioning. - As a proof of concept, Griffith deployed a Redis service with a Cinder-backed volume for persistence, and a web frontend service, demonstrating stateful applications in containers with Swarm orchestration and Cinder storage.

Lightweight Virtualization Docker in Practice

Docker, Inc.

This document discusses lightweight virtualization and Docker. It provides an overview of lightweight virtualization technology and how it isolates processes and limits resource usage. Docker is introduced as an open source project that provides a simple way to create and manage lightweight virtual machines called containers. Baidu's BAE platform chose to use Docker due to its ease of use and ability to avoid limitations of sandbox-based platforms while providing resource isolation and constraints. The document also discusses Docker developments, such as integration with Red Hat and solutions to issues regarding security and hardware support.

From Docker Swarm to OCCS and Wercker: Live-hacking at Oracle CODE Mexico 2017

Frank Munz

Docker - 15 great Tutorials

Julien Barbier

This document lists 15 tutorials about Docker, an open-source containerization platform. The tutorials cover topics such as installing Docker on various platforms like Ubuntu, Linux, Rackspace, and Digital Ocean; deploying applications like Java, Django, Drupal, and Redis using Docker containers; and using Docker to build services and applications. The tutorials are from 2013 and provide links to blog posts and resources about getting started with Docker.

Docker in the Oracle Universe / WebLogic 12c / OFM 12c

Frank Munz

This document discusses Docker and provides an overview presented by Frank Munz. Some key points: - Docker is an open-source container technology that provides portable application isolation using Linux kernel features like namespaces and cgroups. - Docker images contain layered filesystems for applications and dependencies. Containers run the images and provide isolated, lightweight runtimes. - Docker solves issues around environment consistency by packaging applications and dependencies together. Images can be pulled from public registries or built locally. - Security with Docker involves using trusted images, dropping privileges, and combining with tools like SELinux. Public clouds provide additional isolation over plain Docker containers. - Oracle supports Docker for several of its products like Web

[DockerCon 2019] Hardening Docker daemon with Rootless mode

Akihiro Suda

https://dockercon19.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=281879 Docker CE 19.03 is going to support "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines. e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode (PR: moby#38050), will explain how users can get started with Rootless mode. He will also explain the implementation details of Rootless mode and planned enhancements such as LDAP integration.

DCSF19 Hardening Docker daemon with Rootless mode

Docker, Inc.

Akihiro Suda, NTT Corporation Docker CE 19.03 is going to support "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines. e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode (PR: moby#38050), will explain how users can get started with Rootless mode. He will also explain the implementation details of Rootless mode and planned enhancements such as LDAP integration.

Docker from A to Z, including Swarm and OCCS

Frank Munz

This document provides an overview of Docker from A to Z including using Docker with Oracle Container Cloud Service. It discusses basics of Docker including how it provides isolation using Linux namespaces and cgroups. It compares Docker containers to virtual machines and covers Docker images, containers, limitations, networking, security concerns and suggestions. It also discusses using Docker with Oracle technologies including Dockerfiles on GitHub, the Oracle Container Registry, and Oracle Container Cloud Service.

Docker for everything

Tim Haak

This document discusses Docker, a tool for creating and running containerized applications. It explains that Docker provides simple deployment of applications by allowing quick starting of images with the same speed as starting programs directly. It also enables central repositories for images, repeatable testing environments, and easier scaling of applications across multiple servers. Some potential issues discussed are that Docker only supports Linux containers currently, adds more moving parts than traditional virtualization, and requires learning something new. The document demonstrates installing and using Docker through examples and recommends best practices.

Introduction to Docker

James Turnbull

This document provides an introduction to Docker, describing it as a way to build, ship, and run applications using containers. It discusses how Docker allows building applications once that can run anywhere, isolated and layered for portability and efficiency. Key benefits outlined include clean and portable applications, efficient operations, and support for continuous integration and deployment workflows.

Getting Started with Docker

Geeta Vinnakota

The document provides an overview of getting started with Docker. It discusses what Docker is, how containerization differs from virtualization, and how to install Docker. It covers building Docker images using Dockerfiles, the difference between images and containers, and common Docker commands. The document also compares traditional deployment workflows to those using Docker, demonstrating how Docker can help ensure consistency across environments.

eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...

Gaetano Giunta

1. The workshop will cover Docker, managing environments, database changes, and automated deployments for eZPublish websites. 2. A Docker stack is proposed that includes containers for Apache, MySQL, Solr, PHP, and other tools to replicate a production environment for development. Configuration and code are mounted as volumes. 3. Managing environments involves storing settings in the code repository and using symlinks to deploy different configurations. Database changes should be managed via migration scripts rather than connecting directly to a shared database. 4. Automating deployments is important and involves tasks like updating code, the database, caches and reindexing content. The same deployment script should be used for development and production. Testing websites is also recommended.

Fixing Docker networking - Milos Gajdos at #DOXLON

Outlyer

This document introduces DOCKNET, a Golang package for advanced Linux networking configuration. It aims to provide functionality that Docker lacks for configuring interfaces like VLANs and MAC VLANs. The package fixes issues with existing Golang Netlink implementations and allows configuration of container networks beyond what Docker supports currently. It is still in development but aims to be released within a couple weeks. The presentation includes a live demo and discusses using DOCKNET to add interfaces to Docker containers.

Dockerize the World

damovsky

Dockerizing IoT Services

msyukor

Upping your NiFi Game with Docker

Aldrin Piri

Django and Docker

Docker, Inc.

Ken Cochrane gave a presentation on Docker and Docker's suitability for Django projects. He began with an introduction to Docker, explaining how it uses Linux containers to package applications into lightweight portable containers. He then discussed several common use cases for Docker like local development, continuous integration/deployment, and testing. The presentation concluded with a demo of Docker commands and a discussion of upcoming Docker 1.0 features.

Docker at Djangocon 2013 | Talk by Ken Cochrane

dotCloud

Similar to CIALUG May 2019 Meeting: An intro to docker and using rootless docker (20)

Docker in pratice -chenyifei

Central Iowa Linux Users group July 2019--Jupyter Notebook on a Raspberry Pi

Consuming Cinder from Docker

Lightweight Virtualization Docker in Practice

From Docker Swarm to OCCS and Wercker: Live-hacking at Oracle CODE Mexico 2017

Docker - 15 great Tutorials

Docker in the Oracle Universe / WebLogic 12c / OFM 12c

[DockerCon 2019] Hardening Docker daemon with Rootless mode

DCSF19 Hardening Docker daemon with Rootless mode

Docker from A to Z, including Swarm and OCCS

Docker for everything

Introduction to Docker

Getting Started with Docker

eZ Publish 5: from zero to automated deployment (and no regressions!) in one ...

Fixing Docker networking - Milos Gajdos at #DOXLON

Dockerize the World

Dockerizing IoT Services

Upping your NiFi Game with Docker

Django and Docker

Docker at Djangocon 2013 | Talk by Ken Cochrane

More from Andrew Denner

All about Time, or how to stop from going back to the future

Andrew Denner

This document discusses network time protocol (NTP) and how to synchronize computer clocks over a network. It explains that NTP was developed in 1985 to keep clocks accurate on networked devices. NTP works by synchronizing client clocks to server clocks via the network. Servers get their time from stratum 0 sources like atomic clocks and GPS. The document recommends configuring clients to sync to public NTP pool servers or a local server by editing /etc/ntp.conf to list the server addresses. More information on NTP and setting it up is provided.

CIALUG October 2022 linux news

Andrew Denner

This document provides information about an upcoming Linux Users Group meeting and various recent Linux news items. It announces that the LUG meeting will be held in a hybrid format on the third Wednesday of the month. It also lists several recent Linux-related news stories, including the release of CBL Mariner 2.0, Rust being added to the Linux kernel, PyTorch becoming a Linux Foundation project, and systemd being added to WSL.

January 2022: Central Iowa Linux Users Group: Git

Andrew Denner

This document provides an overview of the history and features of Git version control software. It discusses earlier version control systems like SCCS and CVS, and how Git was created in 2005 by Linus Torvalds with goals of speed, data integrity, and supporting distributed non-linear workflows. The document outlines some key features of Git like distributed versioning and atomic commits, as well as potential downsides like dealing with large binary files. It also briefly introduces Git LFS as an extension for managing large files outside of the main Git repository.

Cialug August 2021

Andrew Denner

This document summarizes Andrew Denner's presentation about migrating his blog from a WordPress/LAMP stack hosted on a VM to a static site generated with Jekyll and hosted on GitLab Pages. It discusses the pros and cons of each approach, including how the new static site will have a smaller attack surface and be easier to version control but lose dynamic features. It also provides demonstrations of using Markdown, Liquid templates, and Podman to build and serve the static site locally before deployment.

Local Kubernetes for Dummies: STLLUG March 2021

Andrew Denner

Andrew Denner gives an introduction to moving from Docker to Kubernetes. He discusses drawbacks of Docker like lack of orchestration and networking headaches. Kubernetes provides orchestration, service discovery, storage orchestration, self-healing and more. It is not a drop-in replacement for Docker and does not include deployment or middleware. Key Kubernetes concepts include clusters, controllers, manifests, pods, volumes and workloads. Easier options for learning Kubernetes include Minikube, K3s and Helm.

December 2020 CIALUG: Local Kubernetes for Dummies-So you want to move on fro...

Andrew Denner

St Louis Linux Users Group Wireguard (for Fun and Networking)

Andrew Denner

This document discusses different VPN protocols and presents Wireguard as a new option. It provides an overview of older protocols like PPTP and OpenVPN, noting their security weaknesses. The document then introduces Wireguard as very fast with low overhead, using standardized encryption algorithms and having no known major vulnerabilities. It demonstrates how to install and set up Wireguard on different platforms like the Raspberry Pi, Ubuntu, MacOS, and Android to securely connect networks.

Central Iowa Linux Users Group: August 2020 Jupyter Lab

Andrew Denner

Central Iowa Linux Users Group June 2020 Meeting Apache Guacamole

Andrew Denner

The document welcomes attendees to the Central Iowa Linux Users Group (CIALUG) meeting for June 2020. It provides information on the group's monthly meetings on the third Wednesday, website, mailing list, and Slack/IRC channels. The document also lists topics for the meeting including news about Apache and Guacamole remote desktop software, with links provided for Guacamole configuration and Docker setups. Speakers for the meeting are listed as Kyle Hamilton and Andrew Denner.

Central Iowa Linux Users Group May 2020 Meeting: WireGuard

Andrew Denner

This document summarizes a presentation about the Wireguard VPN protocol given to the Central Iowa Linux Users Group. It begins with introductions and background about the presenter and organization. The bulk of the document discusses and compares existing VPN protocols like PPTP, OpenVPN, and IPSec and their security issues. It focuses on introducing Wireguard as a newer, more lightweight VPN protocol that uses standardized encryption and has no known vulnerabilities. It concludes with demos of installing Wireguard on Ubuntu, MacOS, and Android.

Central Iowa Linux Users Group-December 2019: Windows Managers

Andrew Denner

This document provides information about a Linux users group meeting, including summaries of several desktop environments that were discussed. The meeting covered setting up a Raspberry Pi 4 with Manjaro Linux, and then discussed popular desktop environments like KDE Plasma, GNOME, Budgie, Cinnamon, MATE, Enlightenment, LXDE, LXQt, Xfce, Sugar, and Deepin. Unfortunately Window Maker was not able to be demonstrated as it does not build for ARM. The document also mentions a user submitted section on desktops.

Central Iowa Linux Users Group October Meeting: Centos 8

Andrew Denner

This document summarizes a presentation about CentOS 8 and alternatives to Docker like Podman and Buildah. It discusses what CentOS is, key changes in CentOS 8 like using DNF and Python 3.6 by default. It also covers how long support lasts for CentOS 6, 7, and 8. Alternatives to Docker like Podman and Buildah are presented as being more secure since they don't require running a daemon process as root. Demo videos are linked showing how to install Podman and pull a Docker image. Risks of upgrading from CentOS 7 to 8 are discussed.

Intro to networking

Andrew Denner

This document provides a brief introduction to networking and the Internet. It discusses the history of networks from early packet networks in the 1950s to the development of the ARPANET and the birth of the Internet in the 1980s and 1990s. The presentation also introduces some key networking concepts like MAC addresses, IP addresses, DNS, network devices like hubs, switches and routers, and firewalls. It provides an overview of private IP addressing and mentions some common troubleshooting tools like Wireshark.

A Brief overview of Linux, or How I learned to stop worrying and love the pen...

Andrew Denner

August CIALUG meeting: Debian buster

Andrew Denner

Debian Buster was released on July 6, 2019 as the latest stable version, codenamed Debian 10. It replaces Debian Stretch and includes updates to major components like Gnome 3.30, Linux kernel 4.19, OpenJDK 11, and Python 3 as the default version. Some changes include switching to NFtables for firewall rules, improved ARM and SBC support, and Wayland as the default display server. The /usr directory merger and Bash 5.0 update are also covered.

CIALUG June 2019: Raspberry Pi Facial Recognition

Andrew Denner

July 18, 2018 Central Iowa Linux User's Group: Tor onion services

Andrew Denner

CIALUG: Encrypt all the things

Andrew Denner

Apache nifi

Andrew Denner

The document summarizes Apache NiFi, a software tool for automating the flow of data between systems. It was originally developed by the NSA in 2014 to address shortcomings in security, interactivity, scalability, and data lineage/provenance of existing solutions. NiFi uses a flow-based programming model where data flows between processing components via predefined connections. It has a web-based user interface and is designed to be highly configurable, loss tolerant, low latency, dynamically prioritized, and able to modify flows at runtime. Key features include data provenance tracking, extension capabilities, and security. Resources listed at the end provide more information on NiFi and flow-based programming.

More from Andrew Denner (19)

All about Time, or how to stop from going back to the future

CIALUG October 2022 linux news

January 2022: Central Iowa Linux Users Group: Git

Cialug August 2021

Local Kubernetes for Dummies: STLLUG March 2021

December 2020 CIALUG: Local Kubernetes for Dummies-So you want to move on fro...

St Louis Linux Users Group Wireguard (for Fun and Networking)

Central Iowa Linux Users Group: August 2020 Jupyter Lab

Central Iowa Linux Users Group June 2020 Meeting Apache Guacamole

Central Iowa Linux Users Group May 2020 Meeting: WireGuard

Central Iowa Linux Users Group-December 2019: Windows Managers

Central Iowa Linux Users Group October Meeting: Centos 8

Intro to networking

A Brief overview of Linux, or How I learned to stop worrying and love the pen...

August CIALUG meeting: Debian buster

CIALUG June 2019: Raspberry Pi Facial Recognition

July 18, 2018 Central Iowa Linux User's Group: Tor onion services

CIALUG: Encrypt all the things

Apache nifi

Recently uploaded

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

Utilocate

Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly. The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.

Fundamentals of Programming and Language Processors

Rakesh Kumar R

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

GraphSummit Paris - The art of the possible with Graph Technology

Neo4j

原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样

mz5nrf0n

原版一模一样【微信：741003700 】【美国纽约州立大学奥尔巴尼分校毕业证学位证书】【微信：741003700 】学位证，留信认证（真实可查，永久存档）offer、雅思、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！外壳，原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原海外各大学 Bachelor Diploma degree, Master Degree Diploma 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700 留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才

Enterprise Resource Planning System in Telangana

NYGGS Automation Suite

Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics. To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/

Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf

timtebeek1

APIs for Browser Automation (MoT Meetup 2024)

Boni García

Graspan: A Big Data System for Big Code Analysis

Aftab Hussain

We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs. We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations. These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18. - Accepted in ASPLOS ‘17, Xi’an, China. - Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17. - Invited for presentation at SoCal PLS ‘16. - Invited for poster presentation at PLDI SRC ‘16.

Revolutionizing Visual Effects Mastering AI Face Swaps.pdf

Undress Baby

The quest for the best AI face swap solution is marked by an amalgamation of technological prowess and artistic finesse, where cutting-edge algorithms seamlessly replace faces in images or videos with striking realism. Leveraging advanced deep learning techniques, the best AI face swap tools meticulously analyze facial features, lighting conditions, and expressions to execute flawless transformations, ensuring natural-looking results that blur the line between reality and illusion, captivating users with their ingenuity and sophistication. Web:- https://undressbaby.com/

SWEBOK and Education at FUSE Okinawa 2024

Hironori Washizaki

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

Green Software Development

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

rodomar2

Using Xen Hypervisor for Functional Safety

Ayan Halder

Transform Your Communication with Cloud-Based IVR Solutions

TheSMSPoint

Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony

A Study of Variable-Role-based Feature Enrichment in Neural Models of Code

Aftab Hussain

Understanding variable roles in code has been found to be helpful by students in learning programming -- could variable roles help deep neural models in performing coding tasks? We do an exploratory study. - These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia

E-commerce Application Development Company.pdf

Hornet Dynamics

socradar-q1-2024-aviation-industry-report.pdf

SOCRadar

SOCRadar's Aviation Industry Q1 Incident Report is out now! The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers. SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.

E-commerce Development Services- Hornet Dynamics

Hornet Dynamics

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

Peter Muessig

The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended by your needs. This session will showcase various tooling extensions which can boost your development experience by far so that you can really work offline, transpile your code in your project to use even newer versions of EcmaScript (than 2022 which is supported right now by the UI5 tooling), consume any npm package of your choice in your project, using different kind of proxies, and even stitching UI5 projects during development together to mimic your target environment.

Recently uploaded (20)

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management

Fundamentals of Programming and Language Processors

Essentials of Automations: The Art of Triggers and Actions in FME

GraphSummit Paris - The art of the possible with Graph Technology

原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样

Enterprise Resource Planning System in Telangana

Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf

APIs for Browser Automation (MoT Meetup 2024)

Graspan: A Big Data System for Big Code Analysis

Revolutionizing Visual Effects Mastering AI Face Swaps.pdf

SWEBOK and Education at FUSE Okinawa 2024

ALGIT - Assembly Line for Green IT - Numbers, Data, Facts

KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD

Using Xen Hypervisor for Functional Safety

Transform Your Communication with Cloud-Based IVR Solutions

A Study of Variable-Role-based Feature Enrichment in Neural Models of Code

E-commerce Application Development Company.pdf

socradar-q1-2024-aviation-industry-report.pdf

E-commerce Development Services- Hornet Dynamics

UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions

CIALUG May 2019 Meeting: An intro to docker and using rootless docker

2. WELCOME TO CIALUG • Meetings are the third Wednesday of the month • Thank you to this month’s host Source Allies • Next meeting at the 515 Maker’s Space? (watch for more details) on IoT • Connect up with us: • https://cialug.org • Email list • Slack and IRC

3. A LITTLE ABOUT ME • Andrew Denner • @adenner • Software Developer by day, Linux enthusiast at night • Recently back from Dockercon • Slides will be emailed out and posted to https://denner.co

4. ON WITH THE SHOW

5. A BRIEF INTRO TO DOCKER (AND ROOTLESS DOCKER) ANDREW DENNER CENTRAL IOWA LINUX USERS GROUP

6. THANKS TO: • Some of the information is rehashed from two presentations at dockercon. The videos are in the link below and are worth watching! Thanks to Akihiro Suda of NTT Corporation and Michael Irwin of Virginia Tech • https://www.docker.com/dockercon/2019-videos/ • https://www.docker.com/dockercon/2019-videos?watch=hardening-docker- daemon-with-rootless-mode • https://www.docker.com/dockercon/2019-videos?watch=containers-for- beginners

7. IT’S ALL ABOUT SHIPPING IN THE BEGINNING, MORE TIME WAS SPENT LOADING AND UNLOADING IN PORT THAN IN TRAVEL

8. IF IT FITS IT SHIPS CONTAINERS STANDARDIZED THE PROCESS AND MAKES IT EASY FOR LOADING AND UNLOADING

9. THE WHITE ZONE IS FOR LOADING AND UNLOADING OF PASSENGERS ONLY THERE IS NEVER ANY PARKING IN THE WHITE ZONE…

10.

11. MULTI-MODAL SHIPPING IS EASIER BOAT TO TRAIN TO TRUCK

12. WHAT DOES SHIPPING HAVE TO DO WITH ANYTHING • Old way was order hardware, install os, software etc • Took lots of time, hard to reproduce • “Well it worked on my machine” • Shipping container idea… enter docker

13.

14. Credit: Containers for beginners

15. THINGS TO REMEMBER • All containers are sharing the same kernel as the host • Not really anything new, just nice package of a bunch of older techs • Docker daemon is running as root • You can mount files in filesystem, if root inside you are root outside • If you can escape your container, remember docker daemon is root!

16. WHAT IF WE DIDN’T HAVE TO RUN AS ROOT?

17. IT EXISTS NOW… KINDA • You can run it right now… shell script installer will take care of the magic • curl -fsSL https://get.docker.com/rootless | sh • Katacoda example https://www.katacoda.com/courses/docker/rootless

18. WHAT’S THE CATCH? • No Overlay fs (except for ubuntu) • Network performance is degraded • Ports below 1024 can’t be listened on (remember you are not root) • No cgroups • --memory and -- cpu flags don’t work • Docker top doesn’t work • You need to be in /etc/subuid and /etc/subgid (this can be a problem in LDAP)

19. WHILE MORE SECURE IT’S NOT PERFECT • There is still room for abuse • Won’t stop someone from bitcoin mining inside of docker • Can use as a springboard for further attacks • Still can fall for vm /kernel/hardware vulnerabilities

20. HOW DOES IT WORK? • User namespaces allow non root users to pretend that they are root (UID0)

21. Sub-users (and sub-groups) ● If /etc/subuid contains “1001:100000:65536” ● Having 65536 sub-users should be enough for most containers 0 1001 100000 165535 232 0 1 65536 Host UserNS primary user sub-users start sub-users len

CIALUG May 2019 Meeting: An intro to docker and using rootless docker

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CIALUG May 2019 Meeting: An intro to docker and using rootless docker

Similar to CIALUG May 2019 Meeting: An intro to docker and using rootless docker (20)

More from Andrew Denner

More from Andrew Denner (19)

Recently uploaded

Recently uploaded (20)

CIALUG May 2019 Meeting: An intro to docker and using rootless docker