Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better. Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
Deploy microservices in containers with Docker and friends - KCDC2015Jérôme Petazzoni
Docker lets us build, ship, and run any Linux application, on any platform. It found many early adopters in the CI/CD industry, long before it reached the symbolic 1.0 milestone and was considered "production-ready." Since then, its stability and features attracted enterprise users in many different fields, including very demanding ones like finance, banking, or intelligence agencies.
We will see how Docker is particularly suited to the deployment of distributed applications, and why it is an ideal platform for microservice architectures. In particular, we will look into three Docker related projects that have been announced at DockerCon Europe last December: Machine, Swarm, and Compose, and we will explain how they improve the way we build, deploy, and scale distributed applications.
The Docker ecosystem and the future of application deploymentJérôme Petazzoni
Ten years ago, virtualization ignited a revolution which gave birth to the Cloud and the DevOps initiative. Today, with containers, we are at the dawn of a similar breakthrough.
How can we capture the value of containers? How can we use their features to implement microservices and immutable infrastructures, while retaining as much as possible of our existing practices? The answer is in the rich ecosystem that developed around Docker, an open-source platform to build, ship, and run applications in containers.
In this keynote we’ll explore what the applications of tomorrow will look like, how they’ll be deployed and distributed – and how to leverage those tools today.
Introduction to Docker, December 2014 "Tour de France" EditionJérôme Petazzoni
Docker, the Open Source container Engine, lets you build, ship and run, any app, anywhere.
This is the presentation which was shown in December 2014 for the "Tour de France" in Paris, Lille, Lyon, Nice...
Docker landed almost two years ago, making it possible to build, ship, and run
any Linux application, on any platform, it was quickly adopted by developers
and ops, like no other tool before. The CI/CD industry even took it to
production long before it was stamped "production-ready."
Why does everyone (or almost!) love Docker? Because it puts powerful
automation abilities within the hands of normal developers. Automation
almost always involves building distribution packages, virtual machine
images, or writing configuration management manifests. With Docker,
those tasks are radically transformed: sometimes they're far easier than before,
other times they're no longer needed at all. Either way, the intervention
of a seasoned sysadmin guru is no longer required.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
Orchestration, resource scheduling…What does that mean? Is this only relevant for data centers with thousands of nodes? Should I care about Mesos, Kubernetes, Swarm, when all I have is a handful of virtual machines? The motto of public cloud IAAS is "pay for what you use," so in theory, if I deploy my apps there, I'm already getting the best "resource utilization" aka "bang for my buck," right? In this talk, we will answer those questions, and a few more. We will define orchestration, scheduling, and others, and show what it's like to use a scheduler to run containerized applications there.
Containers: from development to production at DevNation 2015Jérôme Petazzoni
In Docker, applications are shipped using a lightweight format, managed with a high-level API, and run within software containers which abstract the host environment. Operating details like distributions, versions, and network setup no longer matter to the application developer.
Thanks to this abstraction level, we can use the same container across all steps of the life cycle of an application, from development to production. This eliminates problems stemming from discrepancies between those environments.
Even so, these environments will always have different requirements. If our quality assurance (QA) and production systems use different logging systems, how can we still ship the same container to both? How can we satisfy the backup and security requirements of our production stack without bloating our development stack?
In this sess, you will learn about the unique features in containers that allow you to cleanly decouple system administrator tasks from the core of your application. We’ll show you how this decoupling results in smaller, simpler containers, and gives you more flexibility when building, managing, and evolving your application stacks.
Use the Source or Join the Dark Side: differences between Docker Community an...Jérôme Petazzoni
The Docker Project delivers a complete open source platform to “build, ship, and run” any application, anywhere, using containers. The Docker Engine and the other main components (Compose, Machine,
and the SwarmKit orchestration system) are free; but Docker Inc. (the company who started the Docker Project) also has a complete commercial offering named “Docker EE” (for Enterprise Edition) that adds an extra set of features geared at larger organizations, as well as an extended support and release cycle.
In this talk, I will explain (and show with demos) what you can do using exclusively Docker CE (community, free edition) and which features are added by Docker EE. This talk is for you if you are in the process of selecting a container platform; or if you’re just curious, and want to know exactly what you can do (and cannot do) with Docker CE and EE.
Deploy microservices in containers with Docker and friends - KCDC2015Jérôme Petazzoni
Docker lets us build, ship, and run any Linux application, on any platform. It found many early adopters in the CI/CD industry, long before it reached the symbolic 1.0 milestone and was considered "production-ready." Since then, its stability and features attracted enterprise users in many different fields, including very demanding ones like finance, banking, or intelligence agencies.
We will see how Docker is particularly suited to the deployment of distributed applications, and why it is an ideal platform for microservice architectures. In particular, we will look into three Docker related projects that have been announced at DockerCon Europe last December: Machine, Swarm, and Compose, and we will explain how they improve the way we build, deploy, and scale distributed applications.
The Docker ecosystem and the future of application deploymentJérôme Petazzoni
Ten years ago, virtualization ignited a revolution which gave birth to the Cloud and the DevOps initiative. Today, with containers, we are at the dawn of a similar breakthrough.
How can we capture the value of containers? How can we use their features to implement microservices and immutable infrastructures, while retaining as much as possible of our existing practices? The answer is in the rich ecosystem that developed around Docker, an open-source platform to build, ship, and run applications in containers.
In this keynote we’ll explore what the applications of tomorrow will look like, how they’ll be deployed and distributed – and how to leverage those tools today.
Introduction to Docker, December 2014 "Tour de France" EditionJérôme Petazzoni
Docker, the Open Source container Engine, lets you build, ship and run, any app, anywhere.
This is the presentation which was shown in December 2014 for the "Tour de France" in Paris, Lille, Lyon, Nice...
Docker landed almost two years ago, making it possible to build, ship, and run
any Linux application, on any platform, it was quickly adopted by developers
and ops, like no other tool before. The CI/CD industry even took it to
production long before it was stamped "production-ready."
Why does everyone (or almost!) love Docker? Because it puts powerful
automation abilities within the hands of normal developers. Automation
almost always involves building distribution packages, virtual machine
images, or writing configuration management manifests. With Docker,
those tasks are radically transformed: sometimes they're far easier than before,
other times they're no longer needed at all. Either way, the intervention
of a seasoned sysadmin guru is no longer required.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
Orchestration, resource scheduling…What does that mean? Is this only relevant for data centers with thousands of nodes? Should I care about Mesos, Kubernetes, Swarm, when all I have is a handful of virtual machines? The motto of public cloud IAAS is "pay for what you use," so in theory, if I deploy my apps there, I'm already getting the best "resource utilization" aka "bang for my buck," right? In this talk, we will answer those questions, and a few more. We will define orchestration, scheduling, and others, and show what it's like to use a scheduler to run containerized applications there.
Containers: from development to production at DevNation 2015Jérôme Petazzoni
In Docker, applications are shipped using a lightweight format, managed with a high-level API, and run within software containers which abstract the host environment. Operating details like distributions, versions, and network setup no longer matter to the application developer.
Thanks to this abstraction level, we can use the same container across all steps of the life cycle of an application, from development to production. This eliminates problems stemming from discrepancies between those environments.
Even so, these environments will always have different requirements. If our quality assurance (QA) and production systems use different logging systems, how can we still ship the same container to both? How can we satisfy the backup and security requirements of our production stack without bloating our development stack?
In this sess, you will learn about the unique features in containers that allow you to cleanly decouple system administrator tasks from the core of your application. We’ll show you how this decoupling results in smaller, simpler containers, and gives you more flexibility when building, managing, and evolving your application stacks.
Use the Source or Join the Dark Side: differences between Docker Community an...Jérôme Petazzoni
The Docker Project delivers a complete open source platform to “build, ship, and run” any application, anywhere, using containers. The Docker Engine and the other main components (Compose, Machine,
and the SwarmKit orchestration system) are free; but Docker Inc. (the company who started the Docker Project) also has a complete commercial offering named “Docker EE” (for Enterprise Edition) that adds an extra set of features geared at larger organizations, as well as an extended support and release cycle.
In this talk, I will explain (and show with demos) what you can do using exclusively Docker CE (community, free edition) and which features are added by Docker EE. This talk is for you if you are in the process of selecting a container platform; or if you’re just curious, and want to know exactly what you can do (and cannot do) with Docker CE and EE.
Immutable infrastructure with Docker and containers (GlueCon 2015)Jérôme Petazzoni
"Never upgrade a server again. Never update your code. Instead, create new servers, and throw away the old ones!"
That's the idea of immutable servers, or immutable infrastructure. This makes many things easier: rollbacks (you can always bring back the old servers), A/B testing (put old and new servers side by side), security (use the latest and safest base system at each deploy), and more.
However, throwing in a bunch of new servers at each one-line CSS change is going to be complicated, not to mention costly.
Containers to the rescue! Creating container "golden images" is easy, fast, dare I say painless. Replacing your old containers with new ones is also easy to do; much easier than virtual machines, let alone physical ones.
In this talk, we'll quickly recap the pros (and cons) of immutable servers; then explain how to implement that pattern with containers. We will use Docker as an example, but the technique can easily be adapted to Rocket or even plain LXC containers.
From development environments to production deployments with Docker, Compose,...Jérôme Petazzoni
In this session, we will learn how to define and run multi-container applications with Docker Compose. Then, we will show how to deploy and scale them seamlessly to a cluster with Docker Swarm; and how Amazon EC2 Container Service (ECS) eliminates the need to install,operate, and scale your own cluster management infrastructure. We will also walk through some best practice patterns used by customers for running their microservices platforms or batch jobs. Sample code and Compose templates will be provided on GitHub afterwards.
How to contribute to large open source projects like Docker (LinuxCon 2015)Jérôme Petazzoni
Contributing to a large open source project can seem daunting at first; but fear not! You too can join thousands of successful contributors. First, you don't have to be an expert in Golang, Python, or C, to contribute to Docker, OpenStack, or the Linux Kernel. Many projects also need help with documentation, translation, testing, triaging issues, and more. Very often, just going through bug reports to reproduce them and confirm "this also happens on my setup, with version XYZ" is extremely helpful.
If you decide to take the leap and propose a change (be it code or documentation), each open source project has different contribution guidelines and workflows.
In this talk, Arnaud and Jérôme will explain some of those workflows, how maintainers review your patches, and highlight the details that make your changes more likely to be merged into the project.
Docker Overview - Rise of the ContainersRyan Hodgin
Containers allow for applications to become more portable, organized more efficiently, and configured to make better use of system resources. This presentation will explain Docker's container technology, DevOps approach, partner ecosystem, popularity, performance, challenges, and roadmap. We'll review how containers are changing application and operating system designs.
As Docker containers become the new standard, learn about what's catapulting them to the head of the pack and how to best protect their assets now and later with the help of Unitrends.
MIT Licensed - Reuse freely, but attribute "Hamilton Turner"
An introduction to the Docker container engine. Focuses on how to use Docker and implications of Docker for Cloud-based services. Shows multiple examples of rapidly starting complex environments using Docker. Very minor discussion on how Docker works technically.
Presentation source is available at https://github.com/hamiltont/intro-to-docker
OSCON: Better Collaboration through ToolingDocker, Inc.
Ying Li and David Lawrence investigate how to use free tools to ease collaboration and improve outcomes in open source Go projects. By providing a better way for your contributors to get up and running and giving them more visibility into their impact, positive or negative, you can increase their independence and the velocity of your project.
Ying and David discuss three key topics: Introduction to a project, Submitting a pull request, Distributing updates.
Docker and Containers for Development and Deployment — SCALE12XJérôme Petazzoni
Docker is an Open Source engine to build, run, and manage containers. We'll explain what are Linux Containers, what powers them (under the hood), and what extra value Docker brings to the table. Then we'll see what the typical Docker workflow looks like from a developer point of view. We'll also give an Ops perspective, including deployment options. If you already saw a "Docker 101", consider this presentation as the February 2014 update! :-)
The ABC of Docker: The Absolute Best Compendium of DockerAniekan Akpaffiong
This presentation is my contribution to the body of work around Docker.
It codifies my experience so far, with Docker. The goal is to provide a concise yet complete introduction to Docker and its ecosystem.
I explore various Docker objects, compare containers and virtualization, provide usage examples, and discuss critical concepts around Docker and Linux. The compendium part of this, is aspirational. I will update and add to it as I have time and my experience with the product evolves.
Let me know what you think. Feedback and Likes are always appreciated.
Docker Tips And Tricks at the Docker Beijing MeetupJérôme Petazzoni
This talk was presented in October at the Docker Beijing Meetup, in the VMware offices.
It presents some of the latest features of Docker, discusses orchestration possibilities with Docker, then gives a briefing about the performance of containers; and finally shows how to use volumes to decouple components in your applications.
Real-World Docker: 10 Things We've Learned RightScale
Docker has taken the world of software by storm, offering the promise of a portable way to build and ship software - including software running in the cloud. The RightScale development team has been diving into Docker for several projects, and we'll share our lessons learned on using Docker for our cloud-based applications.
Orchestrating Docker containers at scaleMaciej Lasyk
Many of us already poked around Docker. Let's recap what we know and then think what do we know about scaling apps & whole environments which are Docker - based? Should we PaaS, IaaS or go with bare? Which tools to use on a given scale?
Amazon Web Services support Docker containers by Elastic Beanstalk service and with new Elastic Container Services. AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services. ECS is a highly scalable, high performance container management service that supports Docker.
Immutable infrastructure with Docker and containers (GlueCon 2015)Jérôme Petazzoni
"Never upgrade a server again. Never update your code. Instead, create new servers, and throw away the old ones!"
That's the idea of immutable servers, or immutable infrastructure. This makes many things easier: rollbacks (you can always bring back the old servers), A/B testing (put old and new servers side by side), security (use the latest and safest base system at each deploy), and more.
However, throwing in a bunch of new servers at each one-line CSS change is going to be complicated, not to mention costly.
Containers to the rescue! Creating container "golden images" is easy, fast, dare I say painless. Replacing your old containers with new ones is also easy to do; much easier than virtual machines, let alone physical ones.
In this talk, we'll quickly recap the pros (and cons) of immutable servers; then explain how to implement that pattern with containers. We will use Docker as an example, but the technique can easily be adapted to Rocket or even plain LXC containers.
From development environments to production deployments with Docker, Compose,...Jérôme Petazzoni
In this session, we will learn how to define and run multi-container applications with Docker Compose. Then, we will show how to deploy and scale them seamlessly to a cluster with Docker Swarm; and how Amazon EC2 Container Service (ECS) eliminates the need to install,operate, and scale your own cluster management infrastructure. We will also walk through some best practice patterns used by customers for running their microservices platforms or batch jobs. Sample code and Compose templates will be provided on GitHub afterwards.
How to contribute to large open source projects like Docker (LinuxCon 2015)Jérôme Petazzoni
Contributing to a large open source project can seem daunting at first; but fear not! You too can join thousands of successful contributors. First, you don't have to be an expert in Golang, Python, or C, to contribute to Docker, OpenStack, or the Linux Kernel. Many projects also need help with documentation, translation, testing, triaging issues, and more. Very often, just going through bug reports to reproduce them and confirm "this also happens on my setup, with version XYZ" is extremely helpful.
If you decide to take the leap and propose a change (be it code or documentation), each open source project has different contribution guidelines and workflows.
In this talk, Arnaud and Jérôme will explain some of those workflows, how maintainers review your patches, and highlight the details that make your changes more likely to be merged into the project.
Docker Overview - Rise of the ContainersRyan Hodgin
Containers allow for applications to become more portable, organized more efficiently, and configured to make better use of system resources. This presentation will explain Docker's container technology, DevOps approach, partner ecosystem, popularity, performance, challenges, and roadmap. We'll review how containers are changing application and operating system designs.
As Docker containers become the new standard, learn about what's catapulting them to the head of the pack and how to best protect their assets now and later with the help of Unitrends.
MIT Licensed - Reuse freely, but attribute "Hamilton Turner"
An introduction to the Docker container engine. Focuses on how to use Docker and implications of Docker for Cloud-based services. Shows multiple examples of rapidly starting complex environments using Docker. Very minor discussion on how Docker works technically.
Presentation source is available at https://github.com/hamiltont/intro-to-docker
OSCON: Better Collaboration through ToolingDocker, Inc.
Ying Li and David Lawrence investigate how to use free tools to ease collaboration and improve outcomes in open source Go projects. By providing a better way for your contributors to get up and running and giving them more visibility into their impact, positive or negative, you can increase their independence and the velocity of your project.
Ying and David discuss three key topics: Introduction to a project, Submitting a pull request, Distributing updates.
Docker and Containers for Development and Deployment — SCALE12XJérôme Petazzoni
Docker is an Open Source engine to build, run, and manage containers. We'll explain what are Linux Containers, what powers them (under the hood), and what extra value Docker brings to the table. Then we'll see what the typical Docker workflow looks like from a developer point of view. We'll also give an Ops perspective, including deployment options. If you already saw a "Docker 101", consider this presentation as the February 2014 update! :-)
The ABC of Docker: The Absolute Best Compendium of DockerAniekan Akpaffiong
This presentation is my contribution to the body of work around Docker.
It codifies my experience so far, with Docker. The goal is to provide a concise yet complete introduction to Docker and its ecosystem.
I explore various Docker objects, compare containers and virtualization, provide usage examples, and discuss critical concepts around Docker and Linux. The compendium part of this, is aspirational. I will update and add to it as I have time and my experience with the product evolves.
Let me know what you think. Feedback and Likes are always appreciated.
Docker Tips And Tricks at the Docker Beijing MeetupJérôme Petazzoni
This talk was presented in October at the Docker Beijing Meetup, in the VMware offices.
It presents some of the latest features of Docker, discusses orchestration possibilities with Docker, then gives a briefing about the performance of containers; and finally shows how to use volumes to decouple components in your applications.
Real-World Docker: 10 Things We've Learned RightScale
Docker has taken the world of software by storm, offering the promise of a portable way to build and ship software - including software running in the cloud. The RightScale development team has been diving into Docker for several projects, and we'll share our lessons learned on using Docker for our cloud-based applications.
Orchestrating Docker containers at scaleMaciej Lasyk
Many of us already poked around Docker. Let's recap what we know and then think what do we know about scaling apps & whole environments which are Docker - based? Should we PaaS, IaaS or go with bare? Which tools to use on a given scale?
Amazon Web Services support Docker containers by Elastic Beanstalk service and with new Elastic Container Services. AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services. ECS is a highly scalable, high performance container management service that supports Docker.
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Jérôme Petazzoni
Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better.
Today, people have new concerns. They include image transport, vulnerability mitigation, and more.
After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.
Shipping Applications to Production in Containers with DockerJérôme Petazzoni
Docker is an Open Source engine to build, run, and manage Linux Containers. Containers use less resources than virtual machines, they boot faster, but they have similar guarantees of portability and repeatability for Linux applications. Those features made Docker and Linux Containers extremely popular for development and testing environments. But what does it take to use Docker and Containers for production workloads?
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
Linux containers are different from Solaris Zones or BSD Jails: they use discrete kernel features like cgroups, namespaces, SELinux, and more. We will describe those mechanisms in depth, as well as demo how to put them together to produce a container. We will also highlight how different container runtimes compare to each other.
This talk was delivered at DockerCon Europe 2015 in Barcelona.
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...Jérôme Petazzoni
Docker, the container Engine and Platform, is coming to Oracle Solaris! This is the talk that Jérôme Petazzoni (Docker) and Jesse Butler (Oracle) gave at Oracle Open World in November 2015.
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...Jérôme Petazzoni
Présentation donnée le 18 novembre 2015 au Paris Open Source Summit par Hervé Leclerc (Alterway) et Jérôme Petazzoni (Docker), présentant entre autres les nouvelles fonctionalités de Docker pour le stockage et le réseau arrivées dans la version 1.9 du Docker Engine.
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionJérôme Petazzoni
Docker, the Open Source container Engine, lets you build, ship and run, any app, anywhere.
This is the presentation which was shown in December 2014 for the last stop of the "Tour de France" in Bordeaux. It is slightly different from the presentation which was shown in the other cities (http://www.slideshare.net/jpetazzo/introduction-to-docker-december-2014-tour-de-france-edition), and includes a detailed history of dotCloud and Docker and a few other differences.
Special thanks to https://twitter.com/LilliJane and https://twitter.com/zirkome, who gave me the necessary motivation to put together this slightly different presentation, since they had already seen the other presentation in Paris :-)
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
Linux Containers (or LXC) is now a popular choice for development and testing environments. As more and more people use them in production deployments, they face a common question: are Linux Containers secure enough? It is often claimed that containers have weaker isolation than virtual machines. We will explore whether this is true, if it matters, and what can be done about it.
A Gentle Introduction To Docker And All Things ContainersJérôme Petazzoni
Docker is a runtime for Linux Containers. It enables "separation of concern" between devs and ops, and solves the "matrix from hell" of software deployment. This presentation explains it all! It also explains the role of the storage backend and compares the various backends available. It gives multiple recipes to build Docker images, including integration with configuration management software like Chef, Puppet, Salt, Ansible. If you already watched other Docker presentations, this is an actualized version (as of mid-November 2013) of the thing!
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, butts-nspawn, Docker, and the other container systems out there? And why should we bother about specific filesystems?
In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and likelinesses) with existing container systems.
Container Security: How We Got Here and Where We're GoingPhil Estes
A talk given on Wednesday, Nov. 16th at DefragCon (DefragX) on a historical perspective on container security with a look to where we're going in the future.
Slides of Maxime Petazzoni's talk at the Palo Alto Docker Meetup on September 1st, 2015. Discusses how we use Docker to power our software development lifecycle and run our production environments, as well as how to monitor Dockerized deployments and applications, in particular with SignalFx.
Rough presentation about the aspects and problems that you have to deal with when you build a system based on Docker. Presentation done for the Docker Amsterdam meetup.
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
There’s a constant rise of the container usage in the existing cloud ecosystem.
Most companies are evaluating how to migrate to newer, flexible and automated platform for content and application delivery.
The containers are building themselves alone across the business, but who's securing them?
This presentation discusses the evolution of infrastructure solutions from servers to containers, how can they be secured.
What opensource security options are available today?
Where is the future leading towards container security?
What will come after containers?
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
In less than two years Docker went from first line of code to major Open Source project with contributions from all the big names in IT. Everyone is excited, but what's in for me - as a Dev or Ops? In short, Docker makes creating Development, Test and even Production environments an order of magnitude simpler, faster and completely portable across both local and cloud infrastructure. We will start from Docker main concepts: how to create a Linux Container from base images, run your application in it, and version your runtimes as you would with source code, and finish with a concrete example.
What Quality Aspects Influence the Adoption of Docker Images?Giovanni Rosa
Docker is a containerization technology that allows developers to ship software applications along with their dependencies in Docker images. Developers can extend existing images using them as base images when writing Dockerfiles. However, a lot of alternative functionally-equivalent base images are available. While many studies define and evaluate quality features that can be extracted from Docker artifacts, it is still unclear what are the criteria on which developers choose a base image over another.
In this paper, we aim to fill this gap. First, we conduct a literature review through which we define a taxonomy of quality features, identifying two main groups: Configuration-related features (i.e., mainly related to the Dockerfile and image build process), and externally observable features (i.e., what the Docker image users can observe). Second, we ran an empirical study considering the developers’ preference for 2,441 Docker images in 1,911 open-source software projects. We want to understand (i) how the externally observable features influence the developers’ preferences, and (ii) how they are related to the configuration-related features. Our results pave the way to the definition of a reliable quality measure for Docker artifacts, along with tools that support developers for a quality-aware development of them.
Giovanni Rosa (a), Simone Scalabrino (a), Gabriele Bavota (b), and Rocco Oliveto (a)
a) STAKE Lab, University of Molise, Italy
b) Software Institute, USI Università della Svizzera Italiana, Switzerland
DOI: https://doi.org/10.1145/3603111
Preprint: https://giovannirosa.com/assets/pdf/rosa2023qualityaspects.pdf
Basic Idea
Develop a build system that leverages Docker for implementing continuous integration/deployment(CI/CD) pipeline. A git commit must kick off packaging a Docker Image and provisioning it in a VM.
A git based commit should be used for starting of a build for a docker image which would then be run and provisioned in a Virtual Machine. After every commit a series of test cases is then run on the code to ensure the correctness of the code. After all the test-cases pass, the image gets updated on docker-hub registry, and a VM gets provisioned which can then run the software directly (after pulling the image from the docker-hub).
This entire process ensures that the most recent and updated version of the code is available to the person who is using the software and this speeds up the overall process by at least 2-3 folds.
Top 6 Practices to Harden Docker Images to Enhance Security9 series
Dockers can be considered equivalent to containers. Different verses of tools and platforms of containers are being used to develop containers to work more profitably. However, there are so many principles for protecting applications based on the container by collaborating with other secured applications.
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
Docker best practice
про Docker, лучшие практики в написании Dockerfile, проблемы большого количества слоев (Layers) в images и подходы по оптимизации Layers в images, функционал multi-stage builds, подходы к безопастности контейнеров и Hosts системе, подходы дебагинга и мониторинга.
Containers, Docker, and Microservices: the Terrific TrioJérôme Petazzoni
One of the upsides of Microservices is the ability to deploy often,at arbitrary schedules, and independently of other services, instead of requiring synchronized deployments happening on a fixed time.
But to really leverage this advantage, we need fast, efficient, and reliable deployment processes. That's one of the value propositions of Containers in general, and Docker in particular.
Docker offers a new, lightweight approach to application portability.It can build applications using easy-to-write, repeatable, efficient recipes; then it can ship them across environments using a common container format; and it can run them within isolated namespaces which abstract the operating environment, independently of the distribution,versions, network setup, and other details of this environment.
But Docker can do way more than deploy your apps. Docker also enables you to generalize Microservices principles and apply them on operational tasks like logging, remote access, backups, and troubleshooting.This decoupling results in independent, smaller, simpler moving parts.
Containerization is more than the new Virtualization: enabling separation of ...Jérôme Petazzoni
Docker offers a new, lightweight approach to application
portability. Applications are shipped using a common container format,
and managed with a high-level API. Their processes run within isolated
namespaces which abstract the operating environment, independently of
the distribution, versions, network setup, and other details of this
environment.
This "containerization" has often been nicknamed "the new
virtualization". But containers are more than lightweight virtual
machines. Beyond their smaller footprint, shorter boot times, and
higher consolidation factors, they also bring a lot of new features
and use cases which were not possible with classical virtual machines.
We will focus on one of those features: separation of operational
concerns. Specifically, we will demonstrate how some fundamental tasks
like logging, remote access, backups, and troubleshooting can be
entirely decoupled from the deployment of applications and
services. This decoupling results in independent, smaller, simpler
moving parts; just like microservice architectures break down large
monolithic apps in more manageable components.
Pipework: Software-Defined Network for Containers and DockerJérôme Petazzoni
Pipework lets you connect together containers in arbitrarily complex scenarios. Pipework uses cgroups and namespaces and works with "plain" LXC containers (created with lxc-start), and with the awesome Docker.
It's nothing less than Software-Defined Networking for Linux Containers!
This is a short presentation about Pipework, given at the Docker Networking meet-up November 6th in Mountain View.
More information:
- https://github.com/jpetazzo/pipework
- http://www.meetup.com/Docker-Networking/
Introduction to Docker at Glidewell Laboratories in Orange CountyJérôme Petazzoni
In this presentation we will introduce Docker, and how you can use it to build, ship, and run any application, anywhere. The presentation included short demos, links to further material, and of course Q&As. If you are already a seasoned Docker user, this presentation will probably be redundant; but if you started to use Docker and are still struggling with some of his facets, you'll learn some!
Dans cette présentation, nous donnons plusieurs réponses aux grandes questions classiques associées au déploiement avec Docker. Entre autres :
- comment orchestrer des déploiements non triviaux (plusieurs containers sur plusieurs machines) ?
- comment avoir des métriques sur les ressources utilisées par les containers ?
- comment optimiser les performances de Docker, en particulier pour des applications où ces performances sont critiques ?
- comment intégrer Docker avec des outils de "configuration management" comme Puppet, Chef, Salt, Ansible ?
- comment implémenter la "service discovery", ou, de manière générale, connecter entre eux plusieurs containers ?
La présentation a été donnée Lundi 8 Septembre à Paris dans les locaux de Zenika, cabinet spécialisé dans l'architecture informatique et les méthodes Agiles possédant une triple compétence de conseil, réalisation et formation.
Introduction to Docker at the Azure Meet-up in New YorkJérôme Petazzoni
This is the presentation given at the Azure New York Meet-Up group, September 3rd.
It includes a quick overview of the Open Source Docker Engine and its associated services delivered through the Docker Hub. It also covers the new features of Docker 1.0, and briefly explains how to get started with Docker on Azure.
If you're not familiar with Docker yet, here is your chance to catch up: a quick overview of the Open Source Docker Engine, and its associated services delivered through the Docker Hub. It also includes Jérôme will also discuss the new features of Docker 1.0, and briefly explain how you can run and maintain Docker on Azure. In addition, an Azure team member will demonstrate how deploy docker to Azure. The presentation will be followed by a Q&A session!
Working with software means working with bugs. Bugs in software, bugs in hardware; bugs in Open Source code, bugs in proprietary code. If software is eating the world, bugs might end up taking the first bite.
We will present a few typical bugs, some of them famous, some of them infamous (including bugs that actually killed people). Since one can never be too well-prepared to fend off the next infestation, we will give tools, tips, and best practices to fix bugs in Open Source software. We will give real world examples of Really Mysterious Bugs (sometimes nicknamed "Heisenbugs" because they tend to disappear when you try to observe them), and how they were fixed, in Node.js, Docker, and the Linux Kernel.
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...Jérôme Petazzoni
If you're not familiar yet with Docker, here is your chance to catch up. This presentation includes a quick overview of the Open Source Docker Engine, and its associated services delivered through the Docker Hub. Recent features are listed, as well as a glimpse at what's next in the Docker world.
This presentation was given during OSCON, at a meet-up hosted by New Relic, with co-presentations from CoreOS and Rackspace OnMetal.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
2. Who am I?
Jérôme Petazzoni (@jpetazzo)
French software engineer living in California
Joined Docker (dotCloud) almost 5 years ago
(I was at Docker before it was cool!)
I built and scaled the dotCloud PaaS
(millions of containers, no known security issues)
I learned a few things about running containers
(in production)
2 / 43
5. Containers and Security yesterday
Yesterday = Summer 2014.
At LinuxCon and OSCON, I gave a talk to answer the question:
"Is it safe to run applications in containers?"
5 / 43
6. Containers and Security yesterday
Yesterday = Summer 2014.
At LinuxCon and OSCON, I gave a talk to answer the question:
"Is it safe to run applications in containers?"
this really meant
"Can one container break out, and into another?"
6 / 43
7. Containers and Security yesterday
Yesterday = Summer 2014.
At LinuxCon and OSCON, I gave a talk to answer the question:
"Is it safe to run applications in containers?"
this really meant
"Can one container break out, and into another?"
Main concern: isolation
7 / 43
10. What was the answer?
"It's complicated"
Long list of recommendations
some were easy
(and automatically enforced by Docker)
some were not obvious
(and had to be enabled manually)
some were hard to deploy
(or required missing kernel features)
Video and Slides
10 / 43
11. How is this different today?
People still ask about container isolation
Much more frequently, they ask about
image security and provenance
They want to know:
if dockerpulldebianis what it claims to be
if jpetazzo/dindhas vulnerabilities
if a given image has been vetted by their sec team
11 / 43
12. Why has it changed?
Who cares about container isolation?
hosting providers (more density = more $$$)
PAAS (for rapid deployment; on-demand activation)
→ early adopters
Who doesn't care about container isolation?
people who use VMs only because autoscaling
people who would put multiple components per
machine anyway
→ second wave of users
12 / 43
14. Docker and Containers Security Today
Improving what we had yesterday
(fine-grained permissions, immutable containers)
Addressing new challenges
(provenance, content verification, notary)
Defense in depth
(containers + VM)
The infosec mindset
(better upgrades, security benchmarks, policies)
14 / 43
15. Finer-grained permissions
Per-container ulimit
Capability reduction with --cap-drop/ --cap-add
allow network config: --cap-addnet_admin
forbid everything: --cap-dropall
Device access restrictions with --device
(better than --privileged!)
Improved handling of LSM (SELinux, AppArmor)
example: @frazelledazzell's bane
(AppArmor profile generator for docker containers)
15 / 43
16. Smaller attack surface
Hardware management done on the host
(no kernel, drivers, device handling... in containers)
Package management is optional
(once a container is built, it doesn't need to be changed)
Minimal distros can be used
(e.g. buildroot, Alpine Linux...)
Less software = less risk
16 / 43
17. Immutable containers
dockerrun--read-only
(makes it impossible to entrench in a container)
Helps with vulnerability detection
(audit can be performed on offline images)
Even without --read-onlyflag:
copy-on-write prevents changes from being permanent
break a container when hacking it → it gets recycled
dockerdiffallows easy audit of changes
17 / 43
18. Image provenance
How can I trust dockerpulldebian?
I must trust upstream
(i.e. Debian and whoever maintains the image)
I must trust Docker Inc.
(operator of the Hub)
I must trust the transport
(between the Hub and my Docker host)
18 / 43
19. Image provenance
How can I trust dockerpulldebian?
I must trust upstream
(i.e. Debian and whoever maintains the image)
I must trust Docker Inc.
(operator of the Hub)
I must trust the transport
(between the Hub and my Docker host)
That's a lot of trust
19 / 43
20. "I don't want to trust anybody!"
If you don't trust upstream, you have to ...
stop using apt-getand yumwith public repos
rebuild everything from source
verify source integrity
(full audit + review all changes)
If you don't trust Docker Inc., you probably should ...
audit the whole Docker Engine code
audit every single patch that goes into Docker
(if you can do that ... we're looking for reviewers)
20 / 43
25. Think twice
npminstallfoois way more dangerous than curl|sh
If you're on OS X, you're probably using Brew
ruby-e"$(curl-fsSL
https://raw.githubusercontent.com/Homebrew/install/master/install)"
See also: Curl | bash a victimless crime?
25 / 43
26. Security reminder
It's OK to be paranoid, but beware of:
Bumps in the carpet
(moving a problem rather than solving it)
Usability
(if security makes it hard/impossible to work,
people will work around it!)
Tinfoil hats
26 / 43
27. Can we trust the transport?
Registry v1 protocol had serious issues:
arbitrary layer IDs
no integrity check
(other than TLS transport integrity)
Registry v2 protocol has:
content-based layer IDs
signed image manifests
Is that enough?
27 / 43
29. What are we trying to address?
Distributed content should be signed
Stealing a key should be hard
Stealing a key shouldn't have dire consequences
Replay attacks should be hard
(=can't serve you yesterday's vulnerable version)
Should use known models and research
Existing distribution infrastructure should be used
(=HTTP, HTTPS, FTP… are good)
Trusting Docker Hub should not be mandatory
29 / 43
30. Notary
Based on TUF (The Update Framework)
Sign content with offline keys
Trust thresholds (require K out of N keys)
(Stealing a key reduces signing requirements,
but doesn't break the whole model)
Guarantee freshness
Distribute signed content on (potentially insecure) servers
(leverage existing (insecure) transport and mirrors)
Enabled in Docker 1.8 by setting DOCKER_CONTENT_TRUST
30 / 43
33. Defense in depth
So, VM or containers?
VM and containers!
Reduce number of VMs
(when security perimeter allows it)
Colocated containers are safer than colocated processes
Malicious code has to escape both layers
Docker provides an extra layer of isolation
Applications are safer with containers than without
33 / 43
35. Better upgrades
Dockerfile= easy, fast, reliable builds and rebuilds
"But now I have 1000s of container images to upgrade!"
Yes, but that's way better than the 100s of server images
that you had before
The organizational risk is lower
(because if something goes wrong,
you have reliable rollbacks)
35 / 43
36. Security benchmarks
CIS (Center of Internet Security) Docker Benchmark
Docker Bench (https://dockerbench.com) :
automated assessment tool to check compliance
36 / 43
37. Policies
Docker Inc. (the company) and the Docker Project (open
source) have clear security guidelines
Mandatory code reviews (see CONTRIBUTING.md) to
ensure quality of code base
Quarterly security audits and pen tests of our
infrastructure
We support responsible disclosure
37 / 43
39. Container security in the future
Personal predictions - not Docker Inc.'s roadmap!
39 / 43
40. Container security in the future
Personal predictions - not Docker Inc.'s roadmap!
Offline image audit
Hardening of immutable containers (noexec, nosuid)
Better GRSEC, PAX, LSM integration
User namespaces (on experimental.docker.com)
Better default seccomp profiles
40 / 43
41. Last words
David Mortman at DEFCON this year:
“ A year ago, [Docker and security] was pretty horrible,
six months ago it wasn't so bad, and now it's pretty usable.
41 / 43
42. Resources
Docker security page
Docker security presentation at DockerCon 2015 SF
Docker Security CheatSheet
Notary on GitHub
Docker Bench for Security
42 / 43