This talk on the progress to bring user namespace support into Docker was presented by Phil Estes at LinuxCon/ContainerCon 2015 on Wednesday, Aug. 19th, 2015
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Container Security: How We Got Here and Where We're GoingPhil Estes
A talk given on Wednesday, Nov. 16th at DefragCon (DefragX) on a historical perspective on container security with a look to where we're going in the future.
Linux Container Brief for IEEE WG P2302Boden Russell
A brief into to Linux Containers presented to IEEE working group P2302 (InterCloud standards and portability). This deck covers:
- Definitions and motivations for containers
- Container technology stack
- Containers vs Hypervisor VMs
- Cgroups
- Namespaces
- Pivot root vs chroot
- Linux Container image basics
- Linux Container security topics
- Overview of Linux Container tooling functionality
- Thoughts on container portability and runtime configuration
- Container tooling in the industry
- Container gaps
- Sample use cases for traditional VMs
Overall, a bulk of this deck is covered in other material I have posted here. However there are a few new slides in this deck, most notability some thoughts on container portability and runtime config.
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Container Security: How We Got Here and Where We're GoingPhil Estes
A talk given on Wednesday, Nov. 16th at DefragCon (DefragX) on a historical perspective on container security with a look to where we're going in the future.
Linux Container Brief for IEEE WG P2302Boden Russell
A brief into to Linux Containers presented to IEEE working group P2302 (InterCloud standards and portability). This deck covers:
- Definitions and motivations for containers
- Container technology stack
- Containers vs Hypervisor VMs
- Cgroups
- Namespaces
- Pivot root vs chroot
- Linux Container image basics
- Linux Container security topics
- Overview of Linux Container tooling functionality
- Thoughts on container portability and runtime configuration
- Container tooling in the industry
- Container gaps
- Sample use cases for traditional VMs
Overall, a bulk of this deck is covered in other material I have posted here. However there are a few new slides in this deck, most notability some thoughts on container portability and runtime config.
Delve Labs was present during the GoSec 2016 conference, where our lead DevOps engineer presented an overview of the current options available for securing Docker in production environments.
https://www.delve-labs.com
Oscon London 2016 - Docker from Development to ProductionPatrick Chanezon
Docker revolutionized how developers and operations teams build, ship, and run applications, enabling them to leverage the latest advancements in software development: the microservice architecture style, the immutable infrastructure deployment style, and the DevOps cultural model.
Existing software layers are not a great fit to leverage these trends. Infrastructure as a service is too low level; platform as a service is too high level; but containers as a service (CaaS) is just right. Container images are just the right level of abstraction for DevOps, allowing developers to specify all their dependencies at build time, building and testing an artifact that, when ready to ship, is the exact thing that will run in production. CaaS gives ops teams the tools to control how to run these workloads securely and efficiently, providing portability between different cloud providers and on-premises deployments.
Patrick Chanezon offers a detailed overview of the latest evolutions to the Docker ecosystem enabling CaaS: standards (OCI, CNCF), infrastructure (runC, containerd, Notary), platform (Docker, Swarm), and services (Docker Cloud, Docker Datacenter). Patrick ends with a demo showing how to do in-container development of a Spring Boot application on a Mac running a preconfigured IDE in a container, provision a highly available Swarm cluster using Docker Datacenter on a cloud provider, and leverage the latest Docker tools to build, ship, and run a polyglot application architected as a set of microservices—including how to set up load balancing.
Christian Kniep from Docker Inc. gave this talk at the Stanford HPC Conference.
"This talk will recap the history of and what constitutes Linux Containers, before laying out how the technology is employed by various engines and what problems these engines have to solve. Afterward, Christian will elaborate on why the advent of standards for images and runtimes moved the discussion from building and distributing containers to orchestrating containerized applications at scale. In conclusion, attendees will get an update on what problems still hinder the adoption of containers for distributed high performance workloads and how Docker is addressing these issues."
Christian Kniep is a Technical Account Manager at Docker, Inc. With a 10 year journey rooted in the HPC parts of the german automotive industry, Christian Kniep started to support CAE applications and VR installations. When told at a conference that HPC can not learn anything from the emerging Cloud and BigData companies, he became curious and was leading the containerization effort of the cloud-stack at Playstation Now. Christian joined Docker Inc in 2017 to help push the adoption forward and be part of the innovation instead of an external bystander. During the day he helps Docker customers in the EMEA region to fully utilize the power of containers; at night he likes to explore new emerging trends by containerizing them first and seek application in the nebulous world of DevOps.
Watch the video: https://wp.me/p3RLHQ-i4X
Learn more: http://docker.com
and
http://hpcadvisorycouncil.com
Sign up for our insideHPC Newsletter: http://insidehpc.com
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
KVM and docker LXC Benchmarking with OpenStackBoden Russell
Passive benchmarking with docker LXC and KVM using OpenStack hosted in SoftLayer. These results provide initial incite as to why LXC as a technology choice offers benefits over traditional VMs and seek to provide answers as to the typical initial LXC question -- "why would I consider Linux Containers over VMs" from a performance perspective.
Results here provide insight as to:
- Cloudy ops times (start, stop, reboot) using OpenStack.
- Guest micro benchmark performance (I/O, network, memory, CPU).
- Guest micro benchmark performance of MySQL; OLTP read, read / write complex and indexed insertion.
- Compute node resource consumption; VM / Container density factors.
- Lessons learned during benchmarking.
The tests here were performed using OpenStack Rally to drive the OpenStack cloudy tests and various other linux tools to test the guest performance on a "micro level". The nova docker virt driver was used in the Cloud scenario to realize VMs as docker LXC containers and compared to the nova virt driver for libvirt KVM.
Please read the disclaimers in the presentation as this is only intended to be the "chip of the ice burg".
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.
Overview of Docker 1.11 features(Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...DynamicInfraDays
Slides from Tim Gross's talk "Autopilot: Running Real-world Applications in Containers" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#autopilot
Delve Labs was present during the GoSec 2016 conference, where our lead DevOps engineer presented an overview of the current options available for securing Docker in production environments.
https://www.delve-labs.com
Oscon London 2016 - Docker from Development to ProductionPatrick Chanezon
Docker revolutionized how developers and operations teams build, ship, and run applications, enabling them to leverage the latest advancements in software development: the microservice architecture style, the immutable infrastructure deployment style, and the DevOps cultural model.
Existing software layers are not a great fit to leverage these trends. Infrastructure as a service is too low level; platform as a service is too high level; but containers as a service (CaaS) is just right. Container images are just the right level of abstraction for DevOps, allowing developers to specify all their dependencies at build time, building and testing an artifact that, when ready to ship, is the exact thing that will run in production. CaaS gives ops teams the tools to control how to run these workloads securely and efficiently, providing portability between different cloud providers and on-premises deployments.
Patrick Chanezon offers a detailed overview of the latest evolutions to the Docker ecosystem enabling CaaS: standards (OCI, CNCF), infrastructure (runC, containerd, Notary), platform (Docker, Swarm), and services (Docker Cloud, Docker Datacenter). Patrick ends with a demo showing how to do in-container development of a Spring Boot application on a Mac running a preconfigured IDE in a container, provision a highly available Swarm cluster using Docker Datacenter on a cloud provider, and leverage the latest Docker tools to build, ship, and run a polyglot application architected as a set of microservices—including how to set up load balancing.
Christian Kniep from Docker Inc. gave this talk at the Stanford HPC Conference.
"This talk will recap the history of and what constitutes Linux Containers, before laying out how the technology is employed by various engines and what problems these engines have to solve. Afterward, Christian will elaborate on why the advent of standards for images and runtimes moved the discussion from building and distributing containers to orchestrating containerized applications at scale. In conclusion, attendees will get an update on what problems still hinder the adoption of containers for distributed high performance workloads and how Docker is addressing these issues."
Christian Kniep is a Technical Account Manager at Docker, Inc. With a 10 year journey rooted in the HPC parts of the german automotive industry, Christian Kniep started to support CAE applications and VR installations. When told at a conference that HPC can not learn anything from the emerging Cloud and BigData companies, he became curious and was leading the containerization effort of the cloud-stack at Playstation Now. Christian joined Docker Inc in 2017 to help push the adoption forward and be part of the innovation instead of an external bystander. During the day he helps Docker customers in the EMEA region to fully utilize the power of containers; at night he likes to explore new emerging trends by containerizing them first and seek application in the nebulous world of DevOps.
Watch the video: https://wp.me/p3RLHQ-i4X
Learn more: http://docker.com
and
http://hpcadvisorycouncil.com
Sign up for our insideHPC Newsletter: http://insidehpc.com
Docker Security: Are Your Containers Tightly Secured to the Ship?Michael Boelen
Docker is hot, Docker security is not? In this talk the risks, benefits and defenses of Docker are discussed. They are followed up by some best practices, which can you use in your daily activities. What is clear is that there is still a lot to do to get your containers secured.
Event: Docker Amsterdam Meetup - January 2015
This presentation was given by Michael Boelen, January 23rd at Schuberg Philis. The event was organized by Mark Robert Coleman with help of Harm Boertien. With a full house of people, Docker security was discussed.
About the author:
Michael Boelen is founder of CISOfy and researches Linux security to build tools and documentation, to simplify it for others. Examples are tools like Rootkit Hunter and Lynis, blog posts and presentations.
KVM and docker LXC Benchmarking with OpenStackBoden Russell
Passive benchmarking with docker LXC and KVM using OpenStack hosted in SoftLayer. These results provide initial incite as to why LXC as a technology choice offers benefits over traditional VMs and seek to provide answers as to the typical initial LXC question -- "why would I consider Linux Containers over VMs" from a performance perspective.
Results here provide insight as to:
- Cloudy ops times (start, stop, reboot) using OpenStack.
- Guest micro benchmark performance (I/O, network, memory, CPU).
- Guest micro benchmark performance of MySQL; OLTP read, read / write complex and indexed insertion.
- Compute node resource consumption; VM / Container density factors.
- Lessons learned during benchmarking.
The tests here were performed using OpenStack Rally to drive the OpenStack cloudy tests and various other linux tools to test the guest performance on a "micro level". The nova docker virt driver was used in the Cloud scenario to realize VMs as docker LXC containers and compared to the nova virt driver for libvirt KVM.
Please read the disclaimers in the presentation as this is only intended to be the "chip of the ice burg".
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.
Overview of Docker 1.11 features(Covers Docker release summary till 1.11, runc/containerd, dns load balancing ipv6 service discovery, labels, macvlan/ipvlan)
ContainerDays Boston 2016: "Autopilot: Running Real-world Applications in Con...DynamicInfraDays
Slides from Tim Gross's talk "Autopilot: Running Real-world Applications in Containers" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#autopilot
Get 30 social media posts across your social channels for just £295/month
ContentCal AutoPilot is for businesses that want to build a lively and engaging social media presence, but struggle to find the time, resource or ideas to do so.
Building infrastructure with Terraform (Google)Radek Simko
Building your infrastructure as one-off thing by clicking in the UI of your chosen cloud provider may be easy, but that isn't scalable nor fun in long-term nor in team.
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
DEVNET-1144 Deploying hybrid cloud applications with HashiCorp AtlasCisco DevNet
Physical, virtual, containers. Public cloud, private cloud, hybrid cloud. IaaS, PaaS, SaaS. These are the choices that we're faced with when architecting a datacenter of today. And the choice is not one or the other; it is often a combination of many of these. How do we remain in control of our datacenters? How do we deploy and configure software, manage change across disparate systems, and enforce policy/security? How do we do this in a way that operations engineers and developers alike can rejoice in the processes and workflow? In this talk, I will discuss the problems faced by the modern datacenter, and how automation, workflows, and collaboration can be used to tame the rising complexity curve.
Meetup @ Docker Belgium relocated to Antwerp (re: #Devoxx) on Nov. 11th with Jessica Frazelle and Patrick Chanezon from Docker and myself. I talked about user namespaces and multi-arch support, and demo'd user namespaces.
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
In less than two years Docker went from first line of code to major Open Source project with contributions from all the big names in IT. Everyone is excited, but what's in for me - as a Dev or Ops? In short, Docker makes creating Development, Test and even Production environments an order of magnitude simpler, faster and completely portable across both local and cloud infrastructure. We will start from Docker main concepts: how to create a Linux Container from base images, run your application in it, and version your runtimes as you would with source code, and finish with a concrete example.
Real-World Docker: 10 Things We've Learned RightScale
Docker has taken the world of software by storm, offering the promise of a portable way to build and ship software - including software running in the cloud. The RightScale development team has been diving into Docker for several projects, and we'll share our lessons learned on using Docker for our cloud-based applications.
A talk given at Docker London on Wednesday, July 20th, 2016. This talk is a fast-paced overview of the potential threats faced when containerizing applications, married to a quick run-through of the "security toolbox" available in the Docker engine via Linux kernel capabilities and features enabled by OCI's libcontainer/runc and Docker.
A video recording of this talk is available here: https://skillsmatter.com/skillscasts/8551-container-security
Faster and Easier Software Development using Docker Platformmsyukor
Faster and Easier Software Development using Docker Platform presentation for Workshop with Open Source Community 1/2019 organized by MAMPU Malaysia under project Open Source Development and Capabilities Program (OSDeC) for Public Sector in Malaysia on January 29, 2019 at Port Dickson, Negeri Sembilan, Malaysia.
Dev opsec dockerimage_patch_n_lifecyclemanagement_kanedafromparis
Lors de cette présentation, nous allons dans un premier temps rappeler la spécificité de docker par rapport à une VM (PID, cgroups, etc) parler du système de layer et de la différence entre images et instances puis nous présenterons succinctement kubernetes.
Ensuite, nous présenterons un processus « standard » de propagation d’une version CI/CD (développement, préproduction, production) à travers les tags docker.
Enfin, nous parlerons des différents composants constituant une application docker (base-image, tooling, librairie, code).
Une fois cette introduction réalisée, nous parlerons du cycle de vie d’une application à travers ses phases de développement, BAU pour mettre en avant que les failles de sécurité en période de développement sont rapidement corrigées par de nouvelles releases, mais pas nécessairement en BAU où les releases sont plus rares. Nous parlerons des diverses solutions (jfrog Xray, clair, …) pour le suivie des automatique des CVE et l’automatisation des mises à jour. Enfin, nous ferons un bref retour d’expérience pour parler des difficultés rencontrées et des propositions d’organisation mises en oeuvre.
Cette présentation bien qu’illustrée par des implémentations techniques est principalement organisationnelle.
Docker Kubernetes Istio
Understanding Docker and creating containers.
Container Orchestration based on Kubernetes
Blue Green Deployment, AB Testing, Canary Deployment, Traffic Rules based on Istio
Il s’agit dans un premier temps de présenter Docker, ses cas d’usage et quelques bonnes pratiques d’utilisation.
Le but est de présenter Docker, son mode de fonctionnement et son écosystème.
Ce qu’il peut apporter et les pièges à éviter
https://github.com/kanedafromparis/prez-fabric8-dmp
Dockerizing Symfony2 application. Why Docker is so cool And what is Docker? And what are Containers? How they works? What are the ecosystem of Docker? And how to dockerize your web application (can be based on Symfony2 framework)?
Similar to Rooting Out Root: User namespaces in Docker (20)
Enabling Security via Container RuntimesPhil Estes
A talk given at the Google-hosted Container Security Summit on Wednesday, February 12th, 2020 in Seattle, Washington. This talk covered the impact of work done at the lower-level runtimes layer and up through layers like cri-o, containerd, and Docker to bring specific security features to overall platforms like Kubernetes.
Extended and embedding: containerd update & project use casesPhil Estes
A talk given at FOSDEM 2020 in the containers devroom on the current status of the CNCF containerd project as well as a dive into the ways users are extending and embedding containerd in other platforms and projects.
Cloud Native TLV Meetup: Securing Containerized Applications PrimerPhil Estes
A talk give on Tuesday, January 28th, 2020 at the Tel Aviv, Israel Cloud Native meetup covering the core concepts of how to secure containerized applications in a Kubernetes context.
Securing Containerized Applications: A PrimerPhil Estes
A talk given at Devoxx Morocco on Wednesday, November 13, 2019. In this talk a very insecure sample (demo) application is used to explain the various security principles application developers can apply when using containers and Kubernetes--from image sourcing, content, scanning to resource controls, attack surface mitigation, and reducing privilege for containers.
Securing Containerized Applications: A PrimerPhil Estes
A talk given at Open Source Summit Europe in Lyon, France on Tuesday, October 29th, 2019. In this talk we try and focus on the key areas that an application developer can influence with regards to image and runtime security, focused on using Kubernetes as the orchestrator for a containerized application.
Let's Try Every CRI Runtime Available for KubernetesPhil Estes
A talk given at KubeCon/CloudNativeCon EU in Barcelona, Spain on May 23, 2019. In this talk Phil presented the explosion of OCI-compliant CRI-enabled runtimes that can be used underneath Kubernetes, and demonstrated several of them live.
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod?Phil Estes
A talk given at Craft Conf in Budapest, Hungary on May 10th, 2019. In this talk, Phil walked through the history of the need for a Container Runtime Interface (CRI) in Kubernetes, followed by an overview of all available CRI implementations, focusing on containerd, the CNCF core container runtime used in many clouds and projects. Phil demonstrated the "layers" of interaction from Kubernetes API, to CRI API to a container runtime's native API using an IBM Cloud Kubernetes cluster using containerd 1.2.6.
JAX Con 2019: Containers. Microservices. Cloud. Open Source. Fantasy or Reali...Phil Estes
A keynote given at JAX Con 2019 on May 7th in Mainz, Germany. In this keynote address, Phil presented four "buzzwords": containers, cloud, microservices, and open source and compared those technology areas against three main needs--speed, security, and efficiency--which seem to be common among enterprises today. Phil gives real world examples from IBM Cloud customers as well as detailing IBM's own transformation to a cloud native, container first approach to our own service delivery.
Giving Back to Upstream | DockerCon 2019Phil Estes
Giving Back to Upstream: An open source beginner's primer is a talk presented at DockerCon 2019 in San Francisco on April 30, 2019. In this talk, Phil Estes presented his story of getting involved in the container open source ecosystem, and provides a set of "open source 101" tips and guidance for those wanting to participate in open source contribution.
What's Running My Containers? A review of runtimes and standards.Phil Estes
A talk given at Open Source Leadership Summit (OSLS) on Thursday, March 14th in Half Moon Bay, CA. In this talk the current status of the Open Container Initiative (OCI) standards as well as the Kubernetes Container Runtime Interface (CRI) were presented, with a view towards how these components have provided a level playing field with significant choice when it comes to container runtimes for use in Kubernetes, as well as interoperability per the OCI standards.
Docker London Meetup: Docker Engine EvolutionPhil Estes
A meetup talk on the evolution of the Docker engine from 2014-2019, including the refactoring and spin out of OCI runc and CNCF containerd codebases. This talk was given at the Docker London meetup group on Thursday, 31st January, 2019.
CRI Runtimes Deep-Dive: Who's Running My Pod!?Phil Estes
A talk given at QCon NYC on Wednesday, June 27, 2018 in the Container track, focused on helping developers understand the inner workings of pluggable container runtimes in the Kubernetes world. The second half of this talk is not available in slide form, but should be available via QCon video. The non-slide talk content included hands-on-keyboard demonstrations of various tools which can be used to investigate and introspect kubelet and pod -> container runtime boundaries and details, all shown in IBM Cloud using the containerd runtime underneath a Kubernetes 1.11 cluster.
Docker Athens: Docker Engine Evolution & Containerd Use CasesPhil Estes
These slides are from a talk presented at the Docker Athens meetup on Thursday, May 31, 2018. They start by covering the evolution of the Docker engine of 2014/2015 into the separate components of OCI runc, (now) CNCF containerd, and the Docker client and daemon projects. Finally, various use cases for the CNCF containerd "core container runtime" project are detailed, from the Docker engine itself to serverless frameworks like OpenWhisk, to the container runtime interface (CRI) within Kubernetes.
It's 2018. Are My Containers Secure Yet!?Phil Estes
A talk given at DevOps Pro Vilnius on March 15, 2018 about container security. In this talk we discussed the core topics around the container ecosystem (host, runtime, image) applicable to both Docker and Kubernetes, as well as discussing usable security/secure by default, and defense in depth principles. Also discussed were security futures like Project Grafeas, libentitlement, LinuxKit concepts, and trusted/untrusted container runtimes in Kubernetes.
Docker Engine Evolution: From Monolith to Discrete ComponentsPhil Estes
A talk given on Tuesday and Wednesday the 27th and 28th of February 2018 at the Docker Mountain View and Docker SF meetup groups. In this talk, Docker Captain Phil Estes provides a history of the Docker engine from its early days as a single statically linked binary providing all the Docker engine functions to today's Moby and Docker CE projects comprising multiple projects and layers, including the Open Container Initiative (OCI) specifications and runC implementation, and the Cloud Native Computing Foundation (CNCF) containerd project. This talk also describes how these lower layer components spun out from Docker are being used to enhance other projects and offerings in the container ecosystem.
An Open Source Story: Open Containers & Open CommunitiesPhil Estes
A talk given at All Thing Open's Open Source 101 event at NC State University, Raleigh, North Carolina on Saturday, 17th February, 2018.
This talk covered some interesting history lessons of the Docker open source project and inter-vendor tensions. If you were not at this talk do not read intent into these slides as this was truly an attempt at a "blame-free" post-mortem of the important topics of open source, governance, and foundations as it related to the extremely popular Docker open source project.
Whose Job Is It Anyway? Kubernetes, CRI, & Container RuntimesPhil Estes
A talk given at Cloud Native London meetup, February 6, 2018 on the role of container runtimes in Kubernetes, the introduction of the Container Runtime Interface (CRI), and the history of containerd and it's use as a CRI implementing container runtime for Kubernetes.
Presentation given on Sunday, February 4th, 2018 in the containers devroom at FOSDEM 2018. This presentation covers the containerd project background, history, architecture, and current status as a CNCF project used by Docker, Kubernetes, and other projects requiring a stable, performant core container runtime.
A talk given on December 6, 2017 at KubeCon/CloudNativeCon in Austin, Texas. In this talk, Phil talked briefly about containerd history and design, but the bulk of the talk was a live coding demo of creating a simple client for containerd to learn about the clean and simple API design for the client library and gRPC services. The GitHub project https://github.com/estesp/examplectr has the code and sample LinuxKit assembly used for the code and example client demo.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Rooting Out Root: User namespaces in Docker
1. Rooting out Root:
User namespaces in Docker
Phil Estes
Senior Technical Staff Member, Open Technologies, IBM Cloud
ContainerCon 2015
@estesp
estesp@gmail.com
2. I work for IBM’s Cloud division
We have a large organization focused on open cloud technologies,
including CloudFoundry, OpenStack, and Docker.
I have been working upstream in the Docker community since July
2014, and am currently a Docker core maintainer.
I have interests in runC (IBM is a founding member of OCI),
libnetwork, and the docker/distribution project (Registry v2)
Trivia: I worked in IBM’s Linux Technology Center for over 10 years!
Hello!
ContainerCon 2015
2
3. Why user namespaces?
Unprivileged Root
Currently, by default,
the user inside the
container is root;
more specifically uid
= 0, gid = 0. If a
breakout were to
occur, the container
user is root on the
host system.
Multitenancy
Sharing Docker
compute resources
among more than
one user requires
isolation between
tenants. Providing
uid/gid ranges per
tenant will allow for
this separation.
User Accounting
Any per-user
accounting
capabilities are
useless if everyone is
root. Specifying
unique uids enables
resource limitations
specific to a
user/uid.
ContainerCon 2015
3
5. Multitenant Services
5
ContainerCon 2015
root 0 3000
daemon 1 3001
bin 2 3002
mail 8 3008
www-data 33 3033
dbus 81 3081
root 0 4000
daemon 5 4005
bin 6 4006
mail 12 4012
www-data 55 4055
dbus 84 4084
Tenant A Tenant B
Full UID and GID namespace separation
between tenants in the same hosted cloud
6. User Accounting/Limits
6
ContainerCon 2015
$ ulimit -n
2048
$ docker run lotsofiles
# of Open Files Limit:
1024
----------------------
Can't open temp file #1021, error: open
/tmp/zzz378562286: too many open files
Container root uid = 2000
7. User Accounting/Limits
7
ContainerCon 2015
$ ulimit -n
2048
$ docker run lotsofiles
# of Open Files Limit:
1024
----------------------
Can't open temp file #1021, error: open
/tmp/zzz378562286: too many open files
Container root uid = 2000
Wrong!
8. Docker Security
User namespaces are only one piece of the puzzle.
AppArmor/SELinux, Notary, image security, and
proper environment/network security all play a
part in the overall Docker security picture.
ContainerCon 2015
8
9. Linux user namespaces
◉ Available as a clone() flag [CLONE_NEWUSER] in Linux
kernel 3.8 (some work completed in 3.9)
◉ Per-process namespace to map user and group IDs to a
specified set of numeric ranges
ContainerCon 2015
uid = 1000
gid = 1000 pid = 8899
uid = 0
gid = 0
clone(.., .. | CLONE_NEWUSER)
parent process
9
10. “
“Most notably, a process can have a nonzero user ID outside a
namespace while at the same time having a user ID of zero inside
the namespace; in other words, the process is unprivileged for
operations outside the user namespace but has root privileges
inside the namespace.”
https://lwn.net/Articles/532593/
Michael Kerrisk, February 27, 2013
ContainerCon 2015
10
11. User namespaces and Go
◉ Available since Go version 1.4.0 (October 2014) as fields
within the syscall.SysProcAttr structure: arrays
UidMappings and GidMappings
◉ Thanks to good work from Mrunal Patel and Michael
Crosby laying the Go-lang groundwork for user
namespace capability within Docker/libcontainer
ContainerCon 2015
( https://github.com/golang/go/issues/8447 )
11
12. Go user namespaces example
ContainerCon 2015
var sys *syscall.SysProcAttr
sys.UidMappings = []syscall.SysProcIDMap{{
ContainerID: 0,
HostID: 1000,
Size: 1,
}}
sys.GidMappings = []syscall.SysProcIDMap{{
ContainerID: 0,
HostID: 1000,
Size: 1,
}}
sys.Cloneflags = syscall.CLONE_NEWUSER
cmd := exec.Cmd{
Path: "/bin/bash",
SysProcAttr: sys,
}
When we run this code
we’ll have a command
that, when executed,
will appear to be
running as root
(uid/gid = 0), but will
actually be the non-
privileged user with
uid/gid = 1000
mapped inside the user
namespace to root.
12
13. What’s the holdup?
At this point you might be asking
yourself: “So why doesn’t Docker
have user namespace support yet!?”
Let’s take a deeper look at some of
the challenges...
Well, that was easy!
ContainerCon 2015
13
14. File Ownership
Who can read the metadata, image layers, and associated files across
Docker’s runtime store?
1
ContainerCon 2015
14
15. Docker Filesystem Hierarchy
ContainerCon 2015
drwx------ root:root /var/lib/docker
drwx------ root:root /var/lib/docker/containers
drwx------ root:root /var/lib/docker/aufs
btrfs
devicemapper
overlay
vfs
zfs
drwx------ root:root /var/lib/docker/{tmp, volumes, ..}
Docker’s metadata tree is rooted
(by default) at /var/lib/docker
and only accessible to user root
The container metadata also
contains files which are bind-
mounted into the container as
root:root today
Depending on your chosen
storage driver, the actual layer
content of Docker images will
be placed here in a root-owned
directory path
Other various locations exist
which may need to be accessed
by container processes 15
16. File Ownership Solution
◉ At Docker daemon startup, if remapped root is enabled,
create a new subtree owned by the remapped root’s
uid and gid
◉ Whenever the Docker daemon components create a
directory structure, take remapped root into account
◉ This solves an additional issue around file ownership
that we’ll discuss next
ContainerCon 2015
# docker daemon --root=2000:2000 ...
drwxr-xr-x root:root /var/lib/docker
drwx------ 2000:2000 /var/lib/docker/2000.2000
16
17. Layer Sharing
Docker images are downloaded to the local daemon’s cache from a
registry and expanded into the storage driver’s subtree by ID
2
ContainerCon 2015
17
19. Layer Sharing Solution
Given:
◉ Already mentioned: one metadata subtree per
remapped root
◉ Remapped root setting is daemon-wide (for all
containers running in this instance)
Therefore we:
◉ Untar all layers per the user namespace uid/gid
mapping provided at daemon start
◉ All layers are usable (correct ownership) by any
container in this daemon instance
ContainerCon 2015
restriction?
19
20. Pros
No ugly chown -R uid:gid
<huge file tree> work to
do at container start time.
For a daemon-wide user
namespace setting, this
solution works perfectly for
the general “don’t be root”
case.
Layer Solution Pros/Cons
Cons
Restarting the daemon
with/without remapped
roots resets the metadata
cache (must re-pull images,
no prior container history)
Some increased disk cost if
daemon is started with
unique remappings or turned
on/off
ContainerCon 2015
20
21. Namespace Order
When not using clone() to create all namespaces, joining other
namespace types (PID, UTC, Network) may not work properly
depending on the order of operations
3
ContainerCon 2015
21
22. Namespace Sharing/Ordering
◉ Joining a namespace (e.g. network) which was not
created in the context of a user namespace will not
work as expected.
◉ Prior to Docker 1.7, this meant --net=<container> was
impacted by adding the user namespace function.
◉ In Docker 1.7, libnetwork took over the role of Linux
network namespace creation, introducing the same
ordering problem as --net=<container>
◉ These issues are being resolved now; more info in https:
//github.com/docker/docker/issues/15187
ContainerCon 2015
22
23. ContainerCon 2015
So where are we now?
User namespace support in Linux kernel 3.8 (early 2013)
User namespace support in Go 1.4 (December 2014)
User namespace support in libcontainer (February 2015)
23
24. User Namespace Status
◉ Namespace sharing/ordering details & design are resolved;
implementation/changes underway in runC and libnetwork
> runC hooks PR: https://github.com/opencontainers/runc/pull/160
> libnetwork tracker: https://github.com/docker/libnetwork/issues/429
◉ “Phase 1” user namespace implementation (remapped root
per daemon instance) targeted for Docker 1.9
> tracking issue: https://github.com/docker/docker/issues/15187
> code PR: https://github.com/docker/docker/pull/12648
◉ “Phase 2”--providing full maps and allowing per-container
maps--is still under discussion
ContainerCon 2015
24
25. “Phase 1” Usage Overview
ContainerCon 2015
# docker daemon --root=2000:2000 ...
drwxr-xr-x root:root /var/lib/docker
drwx------ 2000:2000 /var/lib/docker/2000.2000
$ docker run -ti --name fred --rm busybox /bin/sh
/ # id
uid=0(root) gid=0(root) groups=10(wheel)
$ docker inspect -f ‘{{ .State.Pid }}’ fred
8851
$ ps -u 2000
PID TTY TIME CMD
8851 pts/7 00:00:00 sh
Start the daemon with a remapped root
setting (in this case uid/gid = 2000/2000)
Start a container and verify that inside the
container the uid/gid map to root (0/0)
You can verify that the container process
(PID) is actually running as user 2000
25