DockerDay2015: Docker Security

•

1 like•548 views

This document summarizes a presentation on Docker security and least-privilege microservices from DockerCon US 2015. It discusses the history and principles of least-privilege, how Docker supports fine-grained access controls for containers through features like namespaces, capabilities, and security profiles. It also covers making containers more secure by default and tools like Docker Bench for assessing container security. The conclusion is that Docker allows least-privilege microservices and better tools are still needed to define per-container security profiles.

Technology

Docker
Security

Thuong
Nguyen
–
Vega
Recap
From
DockerCon
US
2015

Least-privilege Microservices
Diogo Mónica
Nathan McCauley
Recap
From
DockerCon
US
2015

Agenda
•
•
•
•
•
Why least-privilege
History of least-privilege
Least-privilege with Docker
Ongoing and future work
Conclusions
Recap
From
DockerCon
US
2015

“Every process must be able to access only the
information and resources that are necessary for its
legitimate purpose”
Recap
From
DockerCon
US
2015

Front-end
Server
Database
Auth Service
Recap
From
DockerCon
US
2015

1990
Internet
All-in-one
Recap
From
DockerCon
US
2015

2000
Internet
DatabasesServicesFront-end
Recap
From
DockerCon
US
2015

2010
Internet
Recap
From
DockerCon
US
2015

Container
One Process
AppA
AppB
AppC
AppD
AppE
AppF
libraries
Docker Engine
Host OS
Server
Recap
From
DockerCon
US
2015

Today
Internet
Recap
From
DockerCon
US
2015

‣ A container is a process. Let’s find out what syscalls it needs.
Process Monitoring
Recap
From
DockerCon
US
2015

‣ Namespaces provide an isolated view of the system (Network, PID, etc)
‣ Cgroups limit and isolate the resource usage of a collection of processes
‣ Linux Security Modules give us a MAC (AppArmor, SELinux)
Fine-grained controls
Recap
From
DockerCon
US
2015

Fine-grained controls
‣ Capabilities divides the privileges of root into distinct units (bind, chown, etc)
‣ Per-container ulimit (since 1.6)
‣ User-namespaces: root inside is not root outside (remapped root for 1.8)
‣ Seccomp: Individual syscall filtering (working on my laptop)
Recap
From
DockerCon
US
2015

Safer by default
‣ Less than half the Linux capabilities by
default
‣ Copy-on-write ensures immutability
‣ No device access by default
‣ Default AppArmor and SELinux profiles
for an increasing number of containers
Recap
From
DockerCon
US
2015

Safer by default
‣ Smaller footprint
‣ Remove all unneeded
packages
‣ Remove all unneeded users
‣ Remove all suid
binaries
…
Debia
n
Recap
From
DockerCon
US
2015

Securing the Ecosystem
User-
namespaces
Seccomp Provenance
Selinux Kerbero
s
Recap
From
DockerCon
US
2015

Intro to Container Security
http://bit.ly/1M4O9XE
Recap
From
DockerCon
US
2015

Docker Bench
https://dockerbench.com/
‣ Fully automated
‣ Shipped as a container that tests containers
Recap
From
DockerCon
US
2015

Conclusion
‣ Docker is on the path to support least-privilege microservices, since it allows
fine-grained control over what access each container should have.
‣ We will need easier tooling to define per-container security profiles
‣ You can help!
#docker-security on Freenode
Recap
From
DockerCon
US
2015

Thank you
diogo@docker.com
nathan.mccauley@docker.com
Recap
From
DockerCon
US
2015

This document summarizes a keynote about Docker's goals of making hardware programmable through containers and open standards. The keynote discusses Docker's goals of reinventing the programmer's toolbox by solving problems like runtime, packaging, composition and networking incrementally. It also discusses building better infrastructure plumbing and promoting open standards through projects like runC, Notary, the Open Container Project and more. The goal is to help organizations solve problems in unique ways through an open developer platform and standards.

Azure container service docker-ha noi com

Van Phuc

1. This document discusses Microsoft and Docker, including how to deploy Docker containers on Azure. It provides an overview of Azure and Microsoft's support for open source software. 2. Methods for deploying Docker containers on Azure include using a Docker VM extension template, Docker Machine with the Azure driver, and Azure Container Service. 3. The document also covers upcoming integrations between Docker and Windows, such as Windows Server containers, Hyper-V containers, and the Docker beta for Windows developers.

DockerDay2015: Deploy Apps on IBM Bluemix

Docker-Hanoi

Tom Tran gave a presentation on IBM Bluemix at DockerDay Vietnam 2015. He discussed: 1) What Bluemix is and its core concepts including accounts, organizations, spaces, apps, and services. 2) The different deployment options for Bluemix including public, dedicated, and local environments. 3) The development tools available for building and deploying apps to Bluemix like the web IDE, Eclipse, Visual Studio, and command line.

Docker- Ha Noi - Year end 2015 party

Van Phuc

Dev with Docker WCPHX 2019

Maura Teal

The document discusses getting started with Docker for local development. It introduces Docker concepts like images and containers. It explains how to start with an existing image from DockerHub or by creating a Dockerfile. It also introduces Docker Compose as a way to define and run multi-container apps locally. Resources for further learning about Docker, Docker Compose, and tools like Lando are provided.

DockerDay2015: Docker orchestration for sysadmin

Docker-Hanoi

1) The document discusses Docker Swarm and Docker Machine, which are tools for orchestrating and provisioning Docker containers across multiple hosts. 2) Docker Swarm exposes multiple Docker engines as a single virtual engine and includes fault tolerance features like leader election and replication of the swarm manager. 3) Docker Machine can provision VMs on various platforms and install and manage Docker Engine, enabling easy deployment and management of Docker clusters.

Docker for Dummies

Roel Hartman

You might (or might not) have heard of Docker. But you have no idea what it is and why you should care. But if you are a database or APEX developer and still work with Virtual Machines, it is about time to broaden your horizon. In this session you'll learn what Docker is and how you can benefit from it in your daily work. In this presentation we will walk through the following subjects: - What is Docker - Where do I get my images - Pull an image - Start a Docker container / Stop / Restart - Use a Docker container for APEX Development : Via the browser, SQL Developer, SQL Plus, etc - Make host directories accessible within the container - Use scripts to modify the image or create your own one

DockerDay2015: Docker orchestration for developers

Docker-Hanoi

This document discusses Docker Machine and Docker Compose. Docker Machine allows provisioning and management of Docker hosts on various cloud providers and virtual machines. Docker Compose allows defining and running multi-container Docker applications using a compose file. The document outlines new features of Docker Machine 0.3.0 like generic drivers and swarm provisioning. It also summarizes new features of Docker Compose 1.3.0 like performance improvements and smart recreate. Live demos of both tools are included in the agenda.

Docker has the potential to revolutionize how we build, deliver, support and even design software. But it doesn't have to be a violent revolution. The end goal might be breaking your existing ASP.NET monolith into microservices which run cross-platform on .NET Core, but the first step can be as simple as packaging your whole .Net Framework application as-is into a Docker image and running it as a container. In this session, we'll take an existing ASP.NET WebForms application and package it as a Docker image, which can run in a container on Windows Server 2016 and Windows 10. We'll show you how to run the app and a SQL Server database in Docker containers on Windows, and how to use Docker Compose to define the structure of a distributed application. Then we'll iteratively add functionality to the app, making use of the Docker platform to modernize the monolith without a full rebuild. We'll take a feature-driven approach and show you how Docker makes it easy to address performance, usability and design issues.y and design issues.

Build Your Own SaaS using Docker

Julien Barbier

This document describes how to build a proof of concept Software as a Service (SaaS) using Docker containers. It discusses creating a Docker image with Memcached installed, and using that image to spawn new Memcached containers for each user upon registration on a website. When a user signs up, a new container running Memcached is created for that user using the Docker API. The user is then provided with the IP address and public port of their Memcached container so they can access it.

DockerDay2015: Microsoft and Docker

Docker-Hanoi

This document discusses Microsoft's embrace of containers through Azure and Windows Server. It notes that Azure supports Docker, Docker Machine, Docker Swarm, and other container orchestration tools. It also introduces Windows Nano Server, a lightweight OS optimized for containers, and explains that Windows Server 2016 will support two types of containers: Windows containers that run processes in isolation on the host OS, and Hyper-V containers that are virtual machines without a guest OS.

DockerCon EU 2015: Speed Up Deployment: Building a Distributed Docker Registr...

Docker, Inc.

This document discusses how to build a distributed Docker registry at scale. It describes the basic Docker registry setup and how to scale globally by using multiple registry instances across different locations, load balancing requests between them, and replicating registry data between instances using SnapMirror for high availability and disaster recovery. The full Nginx configuration for load balancing registry requests is also provided.

DCSF19 How To Build Your Containerization Strategy

Docker, Inc.

Lee Namba, Docker The Docker Enterprise container platform helps organizations deploy and manage applications faster and it secures the application pipeline at a lower cost than traditional application delivery models. But it takes more than just great technology to achieve the desired results. The organization and culture of your enterprise directly impacts what you transform, how it’s done, and who does it. Success requires a strategy for how you will govern the container platform environment, how to assess your application estate, what your delivery pipeline will look like, and how to ensure developers, operators, security teams and others play nicely together. In this talk I will cover topics such as different types of workloads (legacy, microservices, FaaS, big data and more), how your org chart can influence whether you deploy CaaS (Containers as a Service) vs CLaaS (Clusters as a Service), how "shifting left" can determine if you can outsource, centralized vs distributed CI/CD and how containers play a role, transforming your pets into cattle, how giant whale balloons are used for onboarding, and a prescriptive and comprehensive methodology for successfully deploying containers into your enterprise.

Docker for Mac and Windows: The Insider's Guide by Justin Cormack

Docker, Inc.

Docker for Mac and Windows were released in beta in March, and provide lots of new features that users have been clamouring for including: file system notifications, simpler file sharing, and no Virtualbox hassles. During this talk, I will give the inside guide to how these products work. We will look at all the major components and how they fit together to make up the product. This includes a technical deep dive covering the hypervisors for OSX and Windows, the custom file sharing code, the networking, the embedded Alpine Linux distribution, and more.

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove

Docker, Inc.

Dockerfiles are great. They provide a zero-barrier-to-entry format for describing a single Docker image which is immediately clear to anyone reading them. But with that simplicity comes problems that become apparent as your adoption of Docker gathers pace. * Dockerfiles can inherit from other docker images, but images are not Dockerfiles * Dockerfile provides no built-in mechanism for creating abstractions, so as usage grows identical or similar instructions can be duplicated across many files * The Docker APi exposes a build endpoint, but the API is very course, taking Dockerfile as the transport rather than exposing the individual instructions * Dockerfiles are just that, files. So they can come from anywhere The one layer per line in a Dockerfile limitation can lead to an explosion of layers, which fail to take advantage of the promised space and performance benefits.

Say Bye to VMware PowerCLI ! Time to "GOVC"

Ajeet Singh Raina

Immutable infrastructure with Docker and EC2

dotCloud

This document discusses Gilt's strategy of using immutable infrastructure with Docker and EC2 to enable continuous delivery and minimize risk when deploying new software versions. Some key points made include: - Gilt builds Docker containers for each new application version, creates a new "stack" of infrastructure to run the container, and uses incremental rollout and automated rollback to reduce risk. - Immutable infrastructure emerges naturally with Docker since each version requires new containers and infrastructure rather than updating existing instances. - Automating deployment, rollback, and incremental rollout across new infrastructure stacks reduces probability, cost and occurrences of failures when deploying new versions. - Instant rollback is possible by moving traffic back to the previous version's infrastructure if

Docker Online Meetup: Announcing Docker CE + EE

Docker, Inc.

Docker Community Edition (CE) and Enterprise Edition (EE) are the best expressions of the Docker Platform to date. Whether you’re a developer, an ops team or a enterprise IT-team member, and no matter the infrastructure, Docker CE and EE gives you a way to install, upgrade and maintain Docker with the support and assurances required for your particular workload. Both Docker CE and EE are available on a wide range of popular operating systems (including Windows Server 2016) and cloud infrastructure. Developers and devOps have the freedom to run Docker on their favorite infrastructure without risk of lock-in. Michael Friis will give an overview of both editions and highlight the big enhancements to the lifecycle, maintainability and upgradability of Docker.

OSCON: Unikernels and Docker: From revolution to evolution

Docker, Inc.

with Richard Mortier and Anil Madhavapeddy Unikernels are a growing technology that augment existing virtual machine and container deployments with compact, single-purpose appliances. Two main flavors exist: clean-slate unikernels, which are often language specific, such as MirageOS (OCaml) and HaLVM (Haskell), and more evolutionary unikernels that leverage existing OS technology recreated in library form, notably Rump Kernel used to build Rumprun unikernels.

ContainerDayVietnam2016: Containers with OpenStack

Docker-Hanoi

This document discusses integrating containers with OpenStack. It outlines some of the good aspects, bad aspects, and an ugly thought around this integration. On the good side, projects like Magnum, Zun, Kuryr, Kolla, and Fuxi aim to provide container orchestration, management, networking, and storage capabilities within OpenStack. However, integrating containers poses challenges as well. The ecosystem has diverse standards for clouds and containers, making integration complex with two layers of management. This can impact user quotas, charging, and other considerations.

Windows Server Containers- How we hot here and architecture deep dive

Docker, Inc.

Porting Docker for Windows is no small feat. The technology behind Docker today takes advantage of Linux capabilities like namespaces and cgroups. For native containers to exist on Windows and to have a Docker Engine for Windows, first similar primitives needed to be developed into the Windows operating system. In this session we will explain these Windows primitives in relation to similar primitives in Linux and other architectural changes on the OS and Engine side to make containerization possible. The process of porting includes not only the technology but also open source community interactions and cultural changes to enable this development. And of course there will be a cool demo…

DockerCon EU 2015: The Latest in Docker Engine

Docker, Inc.

This document summarizes the latest developments in Docker Engine. It discusses the activity and releases since the previous DockerCon, highlights of the new Docker Engine 1.9.0 release including improvements to networking and volume management, and outlines the future plans including additional platform support, security enhancements, and continued decoupling of Engine components. It also includes a demonstration of Linux namespaces and how containers leverage them to provide isolation.

What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi

Mike Goelzer

Docker 1.12 introduces several new features for managing containerized applications at scale including Docker Swarm mode for native clustering and orchestration. Key features include services that allow defining and updating distributed applications, a built-in routing mesh for load balancing between nodes, and security improvements like cryptographic node identities and TLS encryption by default. The document also discusses plugins, health checks, and distributed application bundles for declaring stacks of services.

Containers #101 : Docker ONBUILD triggers and Introduction to Docker Compose

Raziel Tabib (Join our team)

In this session, we learnt about Docker ONBUILD triggers, how these triggers work and how to use them. In addition, we covered basic docker-compose introduction by demonstrating how to a mini microservices application (with 2 nodes). The session run for 30 minutes. the code sample used in the meetup can be found at github.com/Codefresh-Examples/express-angular-mongo For any question please email us at contact@codefresh.io Passionate about Docker technology and want to join our team? give us a shout at joinus@codefresh.io Join our meetup to attend future sessions online @ meetup.com/Containers-101-online-meetup/

Docker?!?! But I'm a SysAdmin

Docker, Inc.

Your developers just walked into your cube and said: "Here's the new app, I built it with Docker, and it's ready to go live." What do you do next? In this session, we'll talk about what containers are and what they are not. And we'll step through a series of considerations that need to be examined when deploying containerized workloads - VMs or Container? Bare Metal or Cloud? What about capacity planning? Security? Disaster Recovery? How do I even get started?

Reduce DevOps Friction with Docker & Jenkins by Andy Pemberton, Cloudbees

Docker, Inc.

Docker for .NET Developers - Michele Leroux Bustamante, Solliance

Docker, Inc.

This document discusses how Docker can help .NET developers by allowing them to containerize their .NET applications. It provides benefits like running applications across Windows and Linux containers, improving development workflows through features of Docker for Windows like Linux containers on Windows, and facilitating continuous integration and deployment of containerized applications through automation. The document provides examples of Dockerfiles for different types of .NET applications and demonstrates how to add Docker support and containerize existing applications using Visual Studio tools.

Multidimensional Interfaces for Selecting Data with Order

Ruben Taelman

This document discusses a multidimensional interface for querying linked data with low server cost. It proposes moving the data index to the client by exposing it through an HTTP interface, similar to Memento's time gate but supporting multiple dimensions. This would allow clients to navigate the index and retrieve range fragments to perform custom searches locally. Some examples are provided to illustrate querying points within ranges in a 2D index. While client-side indexing may be useful for types with many instances, trade-offs exist between client and server costs that depend on factors like index and range fragment sizes. The authors plan to experiment with different methods for exposing multidimensional data indexes.

Docker-Ha Noi- Year end 2015 party

Docker-Hanoi

This document summarizes the Docker-Hanoi meetup group's activities in 2015 and plans for 2016. In 2015, the group held 12 meetups covering topics like CI/CD with Docker and Mesos, DockerCon recap, introduction to Kubernetes and Amazon ECS, and Docker 1.9 release. They collaborated on projects like a Global Hack Day and have over 40 members. For 2016, they are seeking sponsors and want to connect with other Vietnam open source communities, contribute more globally to Docker events and code, and showcase real-world Docker production uses.

What's hot

From Zero Docker to Hackathon Winner - Marcos Lilljedahl and Jimena Tapia

Docker, Inc.

Modernizing .NET Apps

Docker, Inc.

Build Your Own SaaS using Docker

Julien Barbier

DockerDay2015: Microsoft and Docker

Docker-Hanoi

DockerCon EU 2015: Speed Up Deployment: Building a Distributed Docker Registr...

Docker, Inc.

DCSF19 How To Build Your Containerization Strategy

Docker, Inc.

Docker for Mac and Windows: The Insider's Guide by Justin Cormack

Docker, Inc.

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove

Docker, Inc.

Say Bye to VMware PowerCLI ! Time to "GOVC"

Ajeet Singh Raina

Immutable infrastructure with Docker and EC2

dotCloud

Docker Online Meetup: Announcing Docker CE + EE

Docker, Inc.

OSCON: Unikernels and Docker: From revolution to evolution

Docker, Inc.

ContainerDayVietnam2016: Containers with OpenStack

Docker-Hanoi

Windows Server Containers- How we hot here and architecture deep dive

Docker, Inc.

DockerCon EU 2015: The Latest in Docker Engine

Docker, Inc.

What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi

Mike Goelzer

Containers #101 : Docker ONBUILD triggers and Introduction to Docker Compose

Raziel Tabib (Join our team)

Docker?!?! But I'm a SysAdmin

Docker, Inc.

Reduce DevOps Friction with Docker & Jenkins by Andy Pemberton, Cloudbees

Docker, Inc.

Docker for .NET Developers - Michele Leroux Bustamante, Solliance

Docker, Inc.

What's hot (20)

From Zero Docker to Hackathon Winner - Marcos Lilljedahl and Jimena Tapia

Modernizing .NET Apps

Build Your Own SaaS using Docker

DockerDay2015: Microsoft and Docker

DockerCon EU 2015: Speed Up Deployment: Building a Distributed Docker Registr...

DCSF19 How To Build Your Containerization Strategy

Docker for Mac and Windows: The Insider's Guide by Justin Cormack

The Dockerfile Explosion and the Need for Higher Level Tools by Gareth Rushgrove

Say Bye to VMware PowerCLI ! Time to "GOVC"

Immutable infrastructure with Docker and EC2

Docker Online Meetup: Announcing Docker CE + EE

OSCON: Unikernels and Docker: From revolution to evolution

ContainerDayVietnam2016: Containers with OpenStack

Windows Server Containers- How we hot here and architecture deep dive

DockerCon EU 2015: The Latest in Docker Engine

What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea Luzzardi

Containers #101 : Docker ONBUILD triggers and Introduction to Docker Compose

Docker?!?! But I'm a SysAdmin

Reduce DevOps Friction with Docker & Jenkins by Andy Pemberton, Cloudbees

Docker for .NET Developers - Michele Leroux Bustamante, Solliance

Viewers also liked

Multidimensional Interfaces for Selecting Data with Order

Ruben Taelman

Docker-Ha Noi- Year end 2015 party

Docker-Hanoi

ContainerDayVietnam2016: Docker for JS Developer

Docker-Hanoi

Intro to Docker October 2013

Docker, Inc.

This document provides an introduction and overview of Docker, including its rapid growth and adoption, key benefits for developers and operations teams, technical underpinnings, ecosystem support, use cases, and future plans. Docker provides a way to package applications into lightweight containers that are portable and can run on any infrastructure. It solves issues around dependency management and consistency across environments.

Azure Container Service

Docker-Hanoi

Docker. Micro services for lazy developers

Eugene Krevenets

This document discusses using Docker and microservices to build applications. It introduces Docker and how containers work at the process level in an isolated and lightweight way. It demonstrates how to build Dockerfiles for Node.js and Python applications, use Docker Hub for images, and run multi-container apps with Docker Compose. Some challenges of Docker like learning curve, build time, and file refresh are also outlined.

ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...

Docker-Hanoi

Kubernetes is an open-source platform for automating deployment, scaling, and operations of containerized applications. It provides basic mechanisms such as service discovery, load balancing, failure recovery, horizontal scaling, and self-healing. Key Kubernetes concepts include pods, labels, replication controllers, services, and namespaces. Pods are the basic building blocks that can contain one or more containers, which are scheduled together on nodes and share resources. Kubernetes handles tasks such as health checking, restarting containers, and load balancing.

Intro to Docker - London meetup oct. 2013

stevedomin

This document provides an introduction and overview of Docker. It discusses what Docker is, the underlying technologies that power it such as Linux containers and AUFS filesystem, how it compares to virtual machines, how to install and try Docker, examples uses cases, the Docker ecosystem and community, and links for additional information. The presentation was given by Steve Domin in London in October 2013.

DockerDay2015: Introduction to OpenStack Magnum

Docker-Hanoi

This document introduces OpenStack Magnum, a project that provides container orchestration services for OpenStack. It discusses the Vietnam OpenStack community and provides an introduction to OpenStack and Docker. Magnum is presented as a solution for integrating OpenStack with Docker container technologies by providing container cluster resources and orchestration capabilities within OpenStack. The document concludes with an advertisement for a Magnum demonstration at the upcoming Vancouver Summit.

ContainerDayVietnam2016: Dockerize a small business

Docker-Hanoi

This document discusses how Docker can transform development and deployment processes for modern applications. It outlines some of the challenges of developing and deploying applications across different environments, and how Docker addresses these challenges through containerization. The document then provides examples of how to dockerize a Rails and Python application, set up an Nginx reverse proxy with Let's Encrypt, and configure a Docker cluster for continuous integration testing.

Understanding the container landscape and it associated projects

Anthony Chow

The document discusses containers and container technologies. It provides an overview of the history and key components of containers like Docker, including namespaces, control groups, AUFS, Docker images, registries, networking solutions, security concerns and orchestration tools. It also discusses how OpenStack projects are embracing containers to provide container orchestration platforms and run OpenStack services as containers to make them more scalable and efficient. The document encourages learning more about containers to stay relevant in today's technologies.

Docker presentation | Paris Docker Meetup

dotCloud

- The document summarizes a meetup on Docker held in Paris on February 10, 2013. It provides an introduction to Docker including its origins at dotCloud, timeline of development, and basic functionality using Linux containers, control groups, and AUFS. - The presentation covers installing Docker, basic commands like running "hello world" examples, managing containers vs images, and demonstrates a simple app deployment using Docker for local development and pushing changes to production. - Questions from attendees are solicited at the end to discuss Docker further.

Dockerfile Basics Workshop #1

Docker, Inc.

Intro to Docker November 2013

Docker, Inc.

This document provides an introduction to Docker, including why it was created, how it works, and its growing ecosystem. Docker allows applications to be packaged with all their dependencies and run consistently across any Linux server by using lightweight virtual containers rather than full virtual machines. It solves the problem of differences between development, testing, and production environments. The document outlines the technical details and advantages of Docker, examples of how companies are using it, and the growing support in tools and platforms.

ContainerDayVietnam2016: Docker 1.12 at OpenFPT

Docker-Hanoi

Docker presentation

Wes Eklund

Docker provides a standard way to package applications into containers that are portable and can run on any infrastructure. The containers isolate applications from one another and ensure that dependencies and configurations are included so applications always run the same. This allows developers to build applications once and deploy them anywhere without worrying about compatibility or missing dependencies. It also allows operators to configure applications once and run anything on their infrastructure efficiently by eliminating inconsistencies between environments.

ContainerDayVietnam2016: Django Development with Docker

Docker-Hanoi

Cuong Tran presented on Django development with Docker. The presentation covered: 1. Introduction to the Django Docker stack including Nginx, Django, Postgres, and Redis. 2. How to run the Django stack using Docker Compose including building, starting containers, and migrating data. 3. Common activities like running commands in containers, updating code in Git, and rebuilding Docker images. 4. Problems and solutions like handling Docker stop signals gracefully, ensuring proper startup order, and optimizing the Docker build process. 5. Useful Docker snippets for stats, removing containers/images, and saving/loading images.

DockerDay2015: Docker Networking

Docker-Hanoi

This document summarizes a presentation on Docker networking. It introduces Docker networking concepts like the Docker0 bridge, virtual ethernet interfaces, linking containers, and editing networking configuration files. It then provides a deep dive on experimental Docker networking features in libnetwork like creating networks, multi-host networking, services, and drivers. The presentation encourages users to try experimental networking and contribute to libnetwork.

ContainerDayVietnam2016: Hybrid and Automation System Architecture

Docker-Hanoi

This document discusses using a hybrid automation system architecture with Docker and Kubernetes on AWS. It proposes using Gitlab CI/CD for continuous integration and delivery of Rails applications packaged with Docker. The workflow would involve developers committing code changes to Gitlab, triggering automated testing, building of Docker images, and deployment to Kubernetes. Auto-scaling and auto-healing capabilities would be enabled through Kubernetes and AWS. The goals are to make operations easier through automation while also simplifying development workflows.

ContainerDayVietnam2016: Docker at scale with Mesos

Docker-Hanoi

Mesos is an open source cluster manager that provides efficient resource isolation and sharing across distributed applications or frameworks. The document discusses how to run Docker containers on Mesos at scale, including using Marathon for container orchestration. Some key lessons learned are around choosing a container style, service discovery with Mesos-DNS, networking with Calico, and managing secrets, deployments, and Docker limitations.

Viewers also liked (20)

Multidimensional Interfaces for Selecting Data with Order

Docker-Ha Noi- Year end 2015 party

ContainerDayVietnam2016: Docker for JS Developer

Intro to Docker October 2013

Azure Container Service

Docker. Micro services for lazy developers

ContainerDayVietnam2016: Kubernetes State-of-the-art Container Management Pla...

Intro to Docker - London meetup oct. 2013

DockerDay2015: Introduction to OpenStack Magnum

ContainerDayVietnam2016: Dockerize a small business

Understanding the container landscape and it associated projects

Docker presentation | Paris Docker Meetup

Dockerfile Basics Workshop #1

Intro to Docker November 2013

ContainerDayVietnam2016: Docker 1.12 at OpenFPT

Docker presentation

ContainerDayVietnam2016: Django Development with Docker

DockerDay2015: Docker Networking

ContainerDayVietnam2016: Hybrid and Automation System Architecture

ContainerDayVietnam2016: Docker at scale with Mesos

Similar to DockerDay2015: Docker Security

DockerCon SF 2015: Docker Security

Docker, Inc.

Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...

Odinot Stanislas

DCSF 19 Building Your Development Pipeline

Docker, Inc.

Oliver Pomeroy, Docker & Laura Tacho, Cloudbees Enterprises often want to provide automation and standardisation on top of their container platform, using a pipeline to build and deploy their containerized applications. However this opens up new challenges; Do I have to build a new CI/CD Stack? Can I build my CI/CD pipeline with Kubernetes orchestration? What should my build agents look like? How do I integrate my pipeline into my enterprise container registry? In this session full of examples and how-to's, Olly and Laura will guide you through common situations and decisions related to your pipelines. We'll cover building minimal images, scanning and signing images, and give examples on how to enforce compliance standards and best practices across your teams.

Cont0519

Samuel Dratwa

Tampere Docker meetup - Happy 5th Birthday Docker

Sakari Hoisko

Building Distributed Systems without Docker, Using Docker Plumbing Projects -...

Patrick Chanezon

Docker provides an integrated and opinionated toolset to build, ship and run distributed applications. Over the past year, the Docker codebase has been refactored extensively to extract infrastructure plumbing components that can be used independently, following the UNIX philosophy of small tools doing one thing well: runC, containerd, swarmkit, hyperkit, vpnkit, datakit and the newly introduced InfraKit. This talk will give an overview of these tools and how you can use them to build your own distributed systems without Docker. Patrick Chanezon & David Chung, Docker & Phil Estes, IBM

Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...

Patrick Chanezon

This document provides an overview of developing and deploying Java applications on Azure using Docker. It discusses using Docker to build Java applications, running containers, and deploying stacks. It also covers Docker Enterprise Edition, including subscriptions, certifications, and security features. Finally, it demonstrates using Docker on Azure, such as with Azure Container Service, and shows examples of building, running, and deploying Java applications with Docker.

Docker - A high level introduction to dockers and containers

Dr Ganesh Iyer

Docker security microservices

Vishwas Manral

This document discusses least-privilege microservices using Docker containers. It explains that Docker provides isolation between containers and processes running within containers. This isolation allows each container to have only the exact resources and access it needs, following the principle of least privilege. The document outlines various Docker security features like capabilities, namespaces, and security profiles that can be used to implement fine-grained controls for containers. It argues that better tooling is still needed to more easily create automated security profiles tailored for each container.

How to containerize at speed and at scale with Docker Enterprise Edition, mov...

Kangaroot

Run automated tests in Docker

Oleksandr Metelytsia

Run automated tests in Docker This document discusses using Docker to run automated tests. Docker containers wrap software and dependencies to guarantee consistent environments. The author demonstrates building a "hello world" application container and a separate test container. Tests are run in the container to ensure consistency between local and CI environments. Key advantages are automated, lightweight, agnostic and immutable testing.

OpenStack Summit

Docker, Inc.

The document outlines the agenda for the OpenStack Summit in November 2013, including presentations on Docker and its ecosystem, how Docker can be used with OpenStack and Rackspace, and a demonstration of cross-cloud application deployment using Docker. Docker is presented as a solution to the "matrix from hell" of running applications across different environments by providing lightweight, portable containers that can run anywhere regardless of the operating system. The summit aims to educate attendees on Docker and showcase its integration with OpenStack for simplified and efficient application deployment and management across multiple clouds.

The Future of Security and Productivity in Our Newly Remote World

DevOps.com

Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated. This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks. See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.

Docker introduction

Jo Ee Liew

This document provides an introduction to Docker, including what Docker is, why it matters, and how it works. Some key points: - Docker implements lightweight containers that provide process isolation using features of the Linux kernel like cgroups and namespaces. It allows building and shipping applications without dependency and compatibility issues. - Docker solves the "N times N" compatibility problem that arises when applications need to run in different environments. Its portable containers and standardized operations help automate development and deployment workflows. - Containers isolate applications from one another and their dependencies without the overhead of virtual machines. This makes them lightweight and efficient while still providing isolation of applications and flexibility to run anywhere.

Docker SF Meetup January 2016

Patrick Chanezon

The document discusses Docker's platform and ecosystem. It describes Docker's mission to build tools for mass innovation by providing a software layer to program the internet. It outlines key components of Docker including Docker Engine, Swarm for clustering multiple Docker hosts, Compose for defining and running multi-container applications, and Docker Hub for sharing images. It also discusses the Linux container ecosystem underpinning Docker and roadmaps for continued development.

SDLC Using Docker for Fun and Profit

dantheelder

Novacoast uses Docker and DevOps practices to streamline their development and operations processes. Previously, setting up servers and deploying code was manual and time-consuming. Now, Docker containers allow applications and their dependencies to be packaged together for easy, consistent deployment. Continuous integration using Jenkins builds and tests code changes automatically. Successful builds are pushed to an internal Docker registry for deployment via Chef to production servers. This automated workflow allows for faster, more reliable releases while improving security.

Docker Roadshow 2016

Docker, Inc.

Containers and Nutanix - Acropolis Container Services

NEXTtour

Docker Birthday #5 Meetup Cluj - Presentation

Alex Vranceanu

- Docker celebrated its 5th birthday with events worldwide including one in Cluj, Romania. Over 100 user and customer events were held. - The Docker platform now has over 450 commercial customers, 37 billion container downloads, and 15,000 Docker-related jobs on LinkedIn. - The event in Cluj included presentations on Docker and hands-on labs to learn Docker, as well as social activities like taking selfies with a birthday banner.

Docker Bday #5, SF Edition: Introduction to Docker

Docker, Inc.

In celebration of Docker's 5th birthday in March, user groups all around the world hosted birthday events with an introduction to Docker presentation and hands-on-labs. We invited Docker users to recognize where they were on their Docker journey and the goal was to help them take the next step of their journey with the help of mentors. This presentation was done at the beginning of the events (this one is from the San Francisco event in HQ) and gives a run down of the birthday event series, Docker's momentum, a basic explanation of containers, the benefits of using the Docker platform, Docker + Kubernetes and more.

Similar to DockerDay2015: Docker Security (20)

DockerCon SF 2015: Docker Security

Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...

DCSF 19 Building Your Development Pipeline

Cont0519

Tampere Docker meetup - Happy 5th Birthday Docker

Building Distributed Systems without Docker, Using Docker Plumbing Projects -...

Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...

Docker - A high level introduction to dockers and containers

Docker security microservices

How to containerize at speed and at scale with Docker Enterprise Edition, mov...

Run automated tests in Docker

OpenStack Summit

The Future of Security and Productivity in Our Newly Remote World

Docker introduction

Docker SF Meetup January 2016

SDLC Using Docker for Fun and Profit

Docker Roadshow 2016

Containers and Nutanix - Acropolis Container Services

Docker Birthday #5 Meetup Cluj - Presentation

Docker Bday #5, SF Edition: Introduction to Docker

More from Docker-Hanoi

ContainerDayVietnam2016: Lesson Leanred on Docker 1.12 and Swarm Mode

Docker-Hanoi

ContainerDayVietnam2016: Become a Cloud-native Developer

Docker-Hanoi

Container design patterns are emerging as microservices and containerization become more popular. Single-container patterns like container boundary and interface define how containers are packaged and interact. Single-node patterns like Kubernetes pods and sidecars schedule related containers together on one machine. Multi-node patterns coordinate distributed containers, such as using leader election sidecars to select a replication leader, work queues to distribute tasks, and scatter/gather to parallelize computations across nodes. These patterns abstract away infrastructure details and provide reusable solutions for containerized applications.

DockerDay2015: Getting started with Google Container Engine

Docker-Hanoi

This document introduces Google Container Engine and Kubernetes for container orchestration. It discusses how containers provide isolation and portability compared to traditional virtual machines. Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. It allows grouping containers into pods and uses labels to identify pods. Services provide discovery and load balancing for pods. Replication controllers help maintain the desired number of pods. Kubernetes handles scheduling pods across a cluster and replacing pods when needed through this type of declarative management.

DockerDay2015: Build and monitor a load balanced web application with Docker ...

Docker-Hanoi

DockerDay2015: Introduction to Dockerfile

Docker-Hanoi

DockerDay2015: Getting started with Docker

Docker-Hanoi

Docker is a tool that allows users to package applications into containers that can run on any Linux server. The key concepts include images which contain the files for an app and its dependencies, containers which are instances of images that run the app, and a Dockerfile which defines what goes into an image. Docker provides lightweight virtualization, portability across environments, and the ability to build distributed apps out of separate services. The meetup will cover Docker terminology, how to interact with Docker via its API and CLI, and include a hands-on lab.

DockerDay 2015: From months to minutes - How GE appliances brought docker int...

Docker-Hanoi

GE Appliances implemented Docker to improve their development process and increase automation. They created an internal tool called Voyager to bridge the gap between Docker and their users. Voyager allowed non-technical users to build and deploy Docker containers through a web interface and APIs. With Voyager and Docker, GE Appliances was able to greatly improve their development cycle, reducing build times from months to minutes and increasing adoption of Docker within the organization.

More from Docker-Hanoi (7)

ContainerDayVietnam2016: Lesson Leanred on Docker 1.12 and Swarm Mode

ContainerDayVietnam2016: Become a Cloud-native Developer

DockerDay2015: Getting started with Google Container Engine

DockerDay2015: Build and monitor a load balanced web application with Docker ...

DockerDay2015: Introduction to Dockerfile

DockerDay2015: Getting started with Docker

DockerDay 2015: From months to minutes - How GE appliances brought docker int...

Recently uploaded

Taking AI to the Next Level in Manufacturing.pdf

ssuserfac0301

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

How to use Firebase Data Connect For Flutter

Daiki Mogmet Ito

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

Mariano G Tinti - Decoding SpaceX

Mariano Tinti

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Alpen-Adria-Universität

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

SitimaJohn

Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.

OpenID AuthZEN Interop Read Out - Authorization

David Brossard

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Project Management Semester Long Project - Acuity

jpupo2018

Acuity is an innovative learning app designed to transform the way you engage with knowledge. Powered by AI technology, Acuity takes complex topics and distills them into concise, interactive summaries that are easy to read & understand. Whether you're exploring the depths of quantum mechanics or seeking insight into historical events, Acuity provides the key information you need without the burden of lengthy texts.

Recently uploaded (20)

Taking AI to the Next Level in Manufacturing.pdf

20240607 QFM018 Elixir Reading List May 2024

Best 20 SEO Techniques To Improve Website Visibility In SERP

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Columbus Data & Analytics Wednesdays - June 2024

How to use Firebase Data Connect For Flutter

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Artificial Intelligence for XMLDevelopment

UiPath Test Automation using UiPath Test Suite series, part 6

20240609 QFM020 Irresponsible AI Reading List May 2024

Mariano G Tinti - Decoding SpaceX

Introduction of Cybersecurity with OSS at Code Europe 2024

GraphRAG for Life Science to increase LLM accuracy

Generating privacy-protected synthetic data using Secludy and Milvus

Energy Efficient Video Encoding for Cloud and Edge Computing Instances

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

OpenID AuthZEN Interop Read Out - Authorization

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Project Management Semester Long Project - Acuity

DockerDay2015: Docker Security

1. Docker Security Thuong Nguyen – Vega Recap From DockerCon US 2015

2. Least-privilege Microservices Diogo Mónica Nathan McCauley Recap From DockerCon US 2015

3. Agenda • • • • • Why least-privilege History of least-privilege Least-privilege with Docker Ongoing and future work Conclusions Recap From DockerCon US 2015

4. “Every process must be able to access only the information and resources that are necessary for its legitimate purpose” Recap From DockerCon US 2015

5. Front-end Server Database Auth Service Recap From DockerCon US 2015

6. 1990 Internet All-in-one Recap From DockerCon US 2015

7. 2000 Internet DatabasesServicesFront-end Recap From DockerCon US 2015

8. 2010 Internet Recap From DockerCon US 2015

9. Recap From DockerCon US 2015

10. Container One Process AppA AppB AppC AppD AppE AppF libraries Docker Engine Host OS Server Recap From DockerCon US 2015

11. Today Internet Recap From DockerCon US 2015

12. ‣ A FE server has a very different security profile than a database or a worker host ‣ Imagine that each container only has access exactly to the resources and APIs it needs. No more, no less. Front-end Server Back-end Server ‣ Access to a lot of downstream services ‣ Most exposed ‣ I/ O intensive ‣ Limited network access Worker Host ‣ CPU Intensive ‣ Wide range of workloads Profiles Recap From DockerCon US 2015

13. ‣ A container is a process. Let’s find out what syscalls it needs. Process Monitoring Recap From DockerCon US 2015

14. ‣ Namespaces provide an isolated view of the system (Network, PID, etc) ‣ Cgroups limit and isolate the resource usage of a collection of processes ‣ Linux Security Modules give us a MAC (AppArmor, SELinux) Fine-grained controls Recap From DockerCon US 2015

15. Fine-grained controls ‣ Capabilities divides the privileges of root into distinct units (bind, chown, etc) ‣ Per-container ulimit (since 1.6) ‣ User-namespaces: root inside is not root outside (remapped root for 1.8) ‣ Seccomp: Individual syscall filtering (working on my laptop) Recap From DockerCon US 2015

16. Safer by default ‣ Less than half the Linux capabilities by default ‣ Copy-on-write ensures immutability ‣ No device access by default ‣ Default AppArmor and SELinux profiles for an increasing number of containers Recap From DockerCon US 2015

17. Safer by default ‣ Smaller footprint ‣ Remove all unneeded packages ‣ Remove all unneeded users ‣ Remove all suid binaries … Debia n Recap From DockerCon US 2015

18. Security Profiles ‣ Producers of containers should be responsible for creating adequate profiles ‣ Profile gets shipped with the container ‣ Aggregates all of the different isolation mechanisms into one single profile Recap From DockerCon US 2015

19. Securing the Ecosystem User- namespaces Seccomp Provenance Selinux Kerbero s Recap From DockerCon US 2015

20. Intro to Container Security http://bit.ly/1M4O9XE Recap From DockerCon US 2015

21. Docker Bench https://dockerbench.com/ ‣ Fully automated ‣ Shipped as a container that tests containers Recap From DockerCon US 2015

22. Conclusion ‣ Docker is on the path to support least-privilege microservices, since it allows fine-grained control over what access each container should have. ‣ We will need easier tooling to define per-container security profiles ‣ You can help! #docker-security on Freenode Recap From DockerCon US 2015

23. Thank you diogo@docker.com nathan.mccauley@docker.com Recap From DockerCon US 2015

DockerDay2015: Docker Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to DockerDay2015: Docker Security

Similar to DockerDay2015: Docker Security (20)

More from Docker-Hanoi

More from Docker-Hanoi (7)

Recently uploaded

Recently uploaded (20)

DockerDay2015: Docker Security