Docker, Kubernetes, Mesos, and the container buzzword bingo game leave us all asking the same question at some point. We know VMs are great, so why all this fuss now about containers? Are they the same thing, but better? This talk goes deep into the technical details of the fundamental differences between the technologies, explaining in depth how each of them works, where each of them shines, and why businesses choose one over the other. You will also get a good sense of where the warts are, so you know when to pick the right one (or the right combination of them) depending on what's important for each of your various workloads.
What's really the difference between a VM and a Container? - Adrian Otto
Slides for my SCaLE 15x Presentation for 2017-03-04:
What's really the difference between a VM and a Container?
https://www.socallinuxexpo.org/scale/15x/presentations/whats-really-difference-between-vm-and-container
Webinar: container management in OpenStack - CREATE-NET
This webinar covers containers in OpenStack and, in particular, offers an overview of what containers are, LXC, Docker and Kubernetes. It also covers the specific examples of Nova docker, Murano and Magnum. The final part consists of live demos of the elements covered earlier.
From SCALE13 session on 2015-02-22. Overview of Docker, swarm, and demonstration of docker-machine for easily bootstrapping container environments and swarm clusters.
Slides from Docker Austin Meetup on 2016-08-04 with an overview of OpenStack Magnum, how we use it in Carina on private clouds, an overview of the Container Orchestration Engines Magnum supports, and an overview of how to manage your COEs with Magnum (v1). Includes a link to a video demo.
The Nova driver for Docker has been maturing rapidly since its mainline removal in Icehouse. During the Juno cycle, substantial improvements have been made to the driver, and greater parity has been reached with other virtualization drivers. We will explore these improvements and what they mean to deployers. Eric will additionally showcase deployment scenarios for the deployment of OpenStack itself inside and underneath of Docker for powering traditional VM-based computing, storage, and other cloud services. Finally, users should expect a preview of the planned integration with the new OpenStack Containers Service effort to provide automation of advanced containers functionality and Docker-API semantics inside of an OpenStack cloud.
Note that the included Heat templates are NOT usable. See the linked Heat resources for viable templates and examples.
Docker for any type of workload and any IT Infrastructure - Docker, Inc.
This presentation discusses the different types of workloads typical enterprises are required to run, which use cases exist for containerizing them, and how leading-edge workload orchestration can be used to deploy, run and manage containerized workloads of various types on scale-out infrastructures such as on-premise clusters, public clouds or hybrid clouds.
Docker is a relatively new technology, but it is based on the solid underpinnings of the Linux kernel. It can provision instances in a fraction of the time a traditional virtual machine needs. This makes it a great candidate for development teams that want consistent test benches for their developers. To set up your own disposable Docker environments, bring a laptop and make your development a pleasurable experience.
The ABC of Docker: The Absolute Best Compendium of Docker - Aniekan Akpaffiong
This presentation is my contribution to the body of work around Docker.
It codifies my experience so far with Docker. The goal is to provide a concise yet complete introduction to Docker and its ecosystem.
I explore various Docker objects, compare containers and virtualization, provide usage examples, and discuss critical concepts around Docker and Linux. The compendium part of this is aspirational. I will update and add to it as I have time and my experience with the product evolves.
Let me know what you think. Feedback and Likes are always appreciated.
Docker 101 - High level introduction to Docker - Dr Ganesh Iyer
This deck will help you understand the basics of Docker. It introduces Docker and containers, gives a comparison with virtualization, and provides some getting-started guides.
Who carries your container? Zun or Magnum? - Madhuri Kumari
There are multiple solutions in OpenStack for enabling containers. These slides talk about two OpenStack projects, Magnum and Zun, and their use cases.
3rd Law - The Law of Dharma, or Cause and Effect - Eduardo Cesar
Every action generates a force of energy that is returned to us in kind... what we sow is what we reap.
And when we choose actions that bring others happiness and success, the fruit of our Dharma will be happiness and success.
OpenStack is the prevailing open source cloud software. It includes numerous API services for programmatic management of all sorts of IaaS and SaaS services: VMs, containers, bare metal, multi-tenancy. Use this platform to strike the right balance between developer self-service to your infrastructure and a well-defined platform for next-generation containerized microservice applications that your IT department is happy to support and your CFO is happy to pay for.
Adrian Otto from Rackspace will present his perspective on "Docker 101" for Docker novices. Learn the difference between Dockerfiles, containers, running containers, terminated containers, container images and the Docker Registry, and see a demo of the Docker CLI that goes beyond what you learn from the online simulator.
Member communication with social media - Lisa Possne Frisell - Svenska Båtunionen
Lisa Possne Frisell's lecture from Stora Båtklubbsdagen 2017.
On social media as an aid and complement for member communication in boat clubs.
Kubernetes at Spreadshirt - First steps to production - Jens Hadlich
This presentation describes how we at Spreadshirt got started on our adventure into Docker-land, which finally led to introducing Kubernetes for container orchestration.
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl... - Odinot Stanislas
(FR)
Friendly introduction to Cloud environments with a particular focus on virtualization and containers (Docker).
(ENG)
Friendly presentation about Cloud solutions with a focus on virtualization and containers (Docker).
Author: Nicholas Weaver – Principal Architect, Intel Corporation
Cloud native applications are popular these days. They promise superior reliability and almost arbitrary scalability. They follow three key principles: they are built and composed as microservices; they are packaged and distributed in containers; and the containers are executed dynamically in the cloud. But which technology is best for building this kind of application? This talk will be your guidebook.
In this hands-on session, we will briefly introduce the core concepts and some key technologies of the cloud native stack and then show how to build, package, containerize, compose and orchestrate a cloud native showcase application on top of a cluster operating system such as Kubernetes or OpenShift. Throughout the session we will be using an off-the-shelf MIDI controller to visualize the concepts and to remote control the cluster.
Container Days 2017 conference. @ConDaysEU #CDS17 #qaware #CloudNativeNerd @LeanderReimer
A hitchhiker's guide to the cloud native stack - QAware GmbH
Container Days 2017, Hamburg: talk by Mario-Leander Reimer (@LeanderReimer, Chief Technologist at QAware).
Abstract: Cloud giants such as Google, Twitter and Netflix have made the core building blocks of their infrastructure available as open source. The result of many years of cloud experience is now freely accessible, and anyone can develop their own cloud-native applications: applications that run reliably in the cloud and scale almost arbitrarily. The individual building blocks are growing together into a greater whole, the Cloud Native Stack.
In this session we present the most important concepts and key technologies and then bring a Spring Cloud based sample application step by step to run on Kubernetes and DC/OS. Along the way we discuss several practical architectural alternatives.
AtlanTEC 2017: Containers! Why Docker, Why NOW? - Phil Estes
A talk given at the AtlanTEC festival/conference (http://atlantec.ie/#atlantec-conference) in Galway, Ireland on Thursday, May 25th, 2017. This talk provides the background of how container popularity exploded in the past few years, the impact of Docker to this ecosystem, and why containers are interesting for developers and the enterprise in 2017.
Docker in Production: How RightScale Delivers Cloud Applications - RightScale
Combining Docker, cloud infrastructure, and continuous integration and delivery practices can create a highly automated and efficient way to get new applications and features to market. The RightScale development team has been using Docker from development to continuous integration, and now the operations team has taken Docker into the production environment.
The Docker in Production: How RightScale Delivers Cloud Applications webinar will cover:
Approach and use case for adopting Docker
How RightScale has adopted Docker for development, CI, and production
Overcoming technical and process challenges
The RightScale process before and after Docker
Benefits for both developers and operations teams
Continuous Delivery the hard way with Kubernetes - Luke Marsden
This talk shows three increasingly advanced levels of continuous delivery with Kubernetes and GitLab (as an example), arguing for a continuous delivery architecture that has an explicit _Release Manager_ component. We then propose Flux, the open source project that powers the _Deploy_ feature of Weave Cloud, as an implementation of that idea. This approach is the precursor to GitOps.
It's 2018. Are My Containers Secure Yet!? - Phil Estes
A talk given at DevOps Pro Vilnius on March 15, 2018 about container security. In this talk we discussed the core topics around the container ecosystem (host, runtime, image) applicable to both Docker and Kubernetes, as well as usable security, secure-by-default, and defense-in-depth principles. Also discussed were security futures such as Project Grafeas, libentitlement, LinuxKit concepts, and trusted/untrusted container runtimes in Kubernetes.
Google has been running everything in containers for the past 15 years, but how do we orchestrate and manage all those containers? We've built and released the open source Kubernetes (http://kubernetes.io), which is based on years of running containers internally at Google. Join us for an introduction to containers and Kubernetes, followed by a hands-on workshop building and deploying your own Kubernetes cluster with multiple front end, database and caching instances.
Docker containers help solve the issue of process-level reproducibility by packaging up your apps and execution environments into a number of containers. But once you have a lot of containers running, you'll need to coordinate them across a cluster of machines while keeping them healthy and making sure they can find each other. This can quickly turn into an unmanageable mess! Wouldn't it be helpful if you could declare what you wanted, and then have the cluster assign the resources to get it done, recover from failures and scale on demand? Kubernetes is here to help!
Key takeaways
- Gentle introduction into containers: why and how
- Learn how Google manages applications using containers
- Intro to Kubernetes: managing applications and services
- Build and deploy your own multi-tier application using Kubernetes
Docker moves very fast, with an edge channel released every month and a stable release every 3 months. Patrick will talk about how Docker introduced Docker EE and a certification program for containers and plugins with Docker CE and EE 17.03 (from March), the announcements from DockerCon (April), and the many new features planned for Docker CE 17.05 in May.
This talk will be about what's new in Docker and what's next on the roadmap.
OSDC 2015: Martin Gerhard Loschwitz - Kristian Köhntopp | 45 Minutes of OpenS... - NETWAYS
OpenStack has been dominating the news on open source cloud computing for more than two years now, and there is no end in sight for the hype. If you have been looking into cloud computing, you will most likely have considered OpenStack as a possible solution. You will also have heard success stories of large organizations such as Rackspace or CERN. And of course people told you about all the glittering parties held during the semi-annual OpenStack summits.
What you probably haven't heard that often are stories about all the occasions where OpenStack will blow up right in your face. At SysEleven, we've been working on an OpenStack platform for more than a year now, and we would like to share our experiences with you in this presentation. We'll explain why we decided to go with OpenStack in the first place, what problems we have run into and how we solved them. We'll demonstrate what our platform looks like at the moment and what challenges we are currently working on. At the end, you will have a better understanding of what OpenStack means for ISPs and what kind of trouble you are signing up for when becoming an OpenStacker.
OpenStack Magnum, Containers-as-a-Service for OpenStack clouds. This talk explains how Magnum fits among other OpenStack projects, and what abstractions are available in the Magnum API. Learn how Magnum is different from other container management software.
7 Habits of Highly Effective Contributors - Adrian Otto
In this session, I share a formula for becoming a highly valued contributor to an OpenStack community project. As the founder and PTL of both Solum and Magnum, I have had the freedom to try a bunch of things to run projects and to on-board new contributors. You will learn all of the things you can do to quickly become a valued and respected member of your favorite project. This is proven, and guaranteed to work!
Adrian Otto from Rackspace will present "Docker 102". This includes a summary of Docker 101 as a refresher from the August session, and builds upon that by discussing who should use a registry and what options are available for keeping them private. We will discuss best practices for keeping your production environments evergreen with updated operating system environments and library dependencies, and for maintaining an immutable infrastructure.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Pushing the limits of ePRTC: 100ns holdover for 100 days - Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries: Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns, and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! - SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... - Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren't traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company's observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
9. She said that it would double the company’s sales, and it could be done for almost no cost on an immediate basis. She pitched it to the executives to secure a 2% cut for a year if it worked. The idea: Make the hole twice as big.
11. WELL, ACTUALLY…
This story would be even more awesome if the lab assistant part of the story was actually true, but it’s just urban legend. The story illustrates one thing very clearly: seemingly simple ideas can have a huge impact.
12. TOOTHPASTE TUBE THEORY
1) PRESSURE BUILT UP IN A FINITE BOUNDED SYSTEM NEEDS TO BE RELEASED SOMEWHERE OR THE SYSTEM WILL BREAK.
2) THERE ARE DIMINISHING RETURNS TO SQUEEZING THE TUBE AFTER A CERTAIN POINT.
Here is something that is actually true.
13. IDEA
Recently, there was a technical innovation that changed the game for containers the way the toothpaste story went. I will detail this idea for you in a moment.
16. HISTORY OF VIRTUALIZATION
• 1960’s IBM S/360 Mainframes are the 800-lb Gorilla
  • Single user system designed for batch jobs
• 1963 MIT Project MAC ($2M grant from DARPA)
  • Vendor Choice == GE (Commercial interest in time sharing computer)
  • Whoops! IBM panicked! Created CP-40 for Bell Labs, CP-67.
  • Virtual Machines on the CP-67 using “CP (Control Program)” in 1967!
• 1987 Insignia Solutions “SoftPC”
• 1997 Apple (Connectix) “VirtualPC”
• 1999 VMware “VMware Workstation”
Virtual Machines have commercially existed since the IBM CP-67 in 1967.
17. APPLICATION VIRTUALIZATION
• 1990 Sun Microsystems “Stealth”
  • Address C/C++ Portability problems
  • Renamed Oak -> Webrunner -> Java (1995)
• 1996 Sun Microsystems “Java”
  • Java Development Kit (JDK)
  • Java Runtime Environment (JRE)
  • Java Virtual Machine (JVM)
Sun attempted to answer code portability using Java starting in 1990.
18. OPEN SOURCE VIRTUALIZATION
• 1999 VMware “VMware Workstation”
  • Commercial License
• 2003 XenSource
  • Open Source
• 2007 Citrix acquired XenSource
  • Renamed XenSource to XenServer
• 2007 Oracle VirtualBox
  • VirtualBox Open Source Edition (OSE)
• 2007 Linux KVM, Kernel 2.6.20
Commercially supported open source virtualization for workstations hit the mainstream in 1999, and for servers since 2003.
19. HISTORY OF CONTAINERS (1/2)
• 1979 UNIX chroot (added to BSD in 1982)
• 2000 FreeBSD Jails (filesystems, users, networks)
• 2001 Linux VServer (VPS Solution)
• 2005 OpenVZ (filesystems, users/groups, process tree, networks, devices, IPC)
• 2006 Process Containers (Linux Kernel 2.6.24, limit CPU, mem, disk, network IO)
• 2008 Control Groups (cgroups added to Linux Kernel)
• 2008 LXC (LinuX Containers, CLI and language bindings for 6 languages)
• 2011 Warden, CloudFoundry
• 2013 LMCTFY, Google
Namespace concepts like chroot have been around since 1979.
20. HISTORY OF CONTAINERS (2/2)
• 2013 Docker, DotCloud -> Docker Inc.
• 2014 Rocket, CoreOS
• 2016 Windows Containers, Microsoft
In 2013 containers caught fire, and hit the mainstream by 2015.
21. EVERYTHING CHANGED IN 2013
2013: DOCKER IMAGE
The concept of the Docker Image is the innovation that started to make containers something really compelling, and caused it to become popular.
22.
Docker is an open source project sponsored by Docker, Inc. Docker Engine is how Docker Inc. refers to the open source software called “Docker”.
23. LINUX CGROUPS
• Kernel Feature
• Groups of processes
• Control resource allocations
  • CPU
  • Memory
  • Disk
  • I/O
• May be nested
Cgroups limit how much of the host’s resources (CPU, memory, disk, I/O) a group of processes can consume. Each container is placed within its own cgroup.
24. LINUX KERNEL NAMESPACES
• Kernel Feature
• Restrict your view of the system
  • Mounts (CLONE_NEWNS)
  • UTS (CLONE_NEWUTS)
    • uname() output
  • IPC (CLONE_NEWIPC)
  • PID (CLONE_NEWPID)
  • Networks (CLONE_NEWNET)
  • User (CLONE_NEWUSER)
  • See also: privileged/unprivileged modes
• May be nested
Kernel Namespaces restrict a process to a limited view of the system, defined at the time the CLONE_* flags are passed to the clone() system call.
25. DOCKER CONTAINER IMAGE
• NOT A FILESYSTEM
• NOT A VHD
• Basically a tar file
• Has a hierarchy
  • Arbitrary depth
• Layered filesystem
  • Top layer can be writable
• Fits into the Docker Registry
Base Image -> Child Image -> Grandchild Image
Forget everything you think you know about images, because container images are totally different. The concept of layering allows for amazing speed benefits that allow containers to start in a fraction of the time of VMs.
26. DOCKER REGISTRY
• Git Repo Semantics
  • Pull
  • Push
  • Commit
• Hierarchy
Base Image -> Child Image -> Grandchild Image
The Docker Registry is a hosted service provided by Docker, Inc. that allows you to save and share your docker images.
27. CONTAINER
• Combines several things
  • Linux Cgroups
  • Kernel Namespaces
  • Docker Image
• Has a lifecycle
CGROUPS + NAMESPACES + IMAGE = DOCKER CONTAINER
A container is an amalgam of concepts.
28. DOCKERFILE
• Like a Makefile (shell script with keywords)
• Extends from a Base Image
• Results in a new Docker Image
• Imperative, not Declarative
DOCKERFILE + BASE IMAGE = DOCKER CONTAINER
A Dockerfile is used to create a container image, and contains all the instructions needed to build one.
29. DOCKERFILE EXAMPLE
# Start from the CentOS 6 base image; each instruction below adds one read-only layer on top of it
FROM centos:centos6
# MAINTAINER is deprecated in current Docker releases; LABEL maintainer="..." is the replacement
MAINTAINER Adrian Otto <aotto@aotto.com>
RUN yum -y install httpd
EXPOSE 80
# start.sh must exist in the build context (the "." given to docker build) and be executable
ADD start.sh /start.sh
CMD /start.sh
$ docker build -t webserver .
This is how to build a simple web server container that contains only a few megabytes of data in the image itself, just the changes on disk for the “yum install httpd” plus some metadata about the container.
30. DOCKERFILE EXAMPLE
# Base this image on the local "webserver" image built on the previous slide; its layers are reused, not copied
FROM webserver
MAINTAINER Adrian Otto <aotto@aotto.com>
RUN yum -y install mysql-server php
EXPOSE 80
ADD start.sh /start.sh
CMD /start.sh
$ docker build -t lampstack .
This is how to base a container image on an existing one. I create a LAMP stack container image here based on my webserver image.
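The layer reuse that makes the second build cheap can be modelled directly. This is an added example, not code from the talk: it parses the two Dockerfiles above, gives every instruction a content-addressed layer id (a simplified stand-in for Docker’s real layer digests, assumed here for illustration) and counts how many layers the host actually has to store when both images are built.

```python
import hashlib

# Constructed sample: the two Dockerfiles shown in the talk, keyed by the tag each is
# built with ("docker build -t <tag> ."), so "FROM webserver" resolves to a local build.
DOCKERFILES = {
    "webserver": "FROM centos:centos6\nMAINTAINER Adrian Otto <aotto@aotto.com>\n"
                 "RUN yum -y install httpd\nEXPOSE 80\nADD start.sh /start.sh\nCMD /start.sh\n",
    "lampstack": "FROM webserver\nMAINTAINER Adrian Otto <aotto@aotto.com>\n"
                 "RUN yum -y install mysql-server php\nEXPOSE 80\nADD start.sh /start.sh\nCMD /start.sh\n",
}


def parse_dockerfile(text):
    """Split a Dockerfile into its base image and the instructions that follow FROM."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    keyword, base = lines[0].split(None, 1)
    if keyword.upper() != "FROM":
        raise ValueError("Dockerfile must start with FROM")
    return base, lines[1:]


def layer_id(parent_id, instruction):
    """Simplified content-addressed layer id (hypothetical stand-in for Docker's digests):
    the same instruction applied to the same parent always yields the same layer."""
    return hashlib.sha256(f"{parent_id}\n{instruction}".encode()).hexdigest()[:12]


def build(tag, dockerfiles, store):
    """Build `tag` and return its ordered layer ids, base first. `store` models the host's
    layer store (id -> instruction): a layer already present is reused, never rebuilt."""
    base, instructions = parse_dockerfile(dockerfiles[tag])
    if base in dockerfiles:                      # base is a local build: reuse its layers
        layers = build(base, dockerfiles, store)
    else:                                        # base pulled from a registry: one opaque layer
        layers = [layer_id("", f"FROM {base}")]
        store.setdefault(layers[0], f"FROM {base}")
    for instruction in instructions:             # every instruction adds one read-only layer
        lid = layer_id(layers[-1], instruction)
        store.setdefault(lid, instruction)
        layers.append(lid)
    return layers


def storage_summary(tags, dockerfiles):
    """Return (layers per tag, layer count if nothing were shared, layers actually stored)."""
    store = {}
    per_tag = {tag: build(tag, dockerfiles, store) for tag in tags}
    return per_tag, sum(len(v) for v in per_tag.values()), len(store)


if __name__ == "__main__":
    per_tag, naive, stored = storage_summary(["webserver", "lampstack"], DOCKERFILES)
    for tag, layers in per_tag.items():
        print(f"{tag}: {len(layers)} layers, top layer {layers[-1]}")
    print(f"{naive} layers if copied per image, {stored} actually stored")
```

The lampstack image’s first six layers are exactly the webserver image’s layers, so the second build only adds the five layers from its own instructions.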
33. THE DIFFERENCE
1 EFFICIENCY
Containers have a lower memory overhead, and require less storage on disk, because all apps share the same kernel, even if they use different operating system distros.
34. THE DIFFERENCE
2 PERFORMANCE
Apps running on bare metal on a host execute faster because there is no virtualization in the execution path of a process once it has started. With VMs there are multiple sets of context switches for each interaction with the hardware.
37. THE DIFFERENCE
3 SECURITY
The attack surface area between neighboring containers on the same host is considerably larger than the attack surface area between neighboring VMs.
39. CASTILLO DE SAN MARCOS
Constructed 1672-1695 (23 years). Imagine how many soldiers it would take to successfully defend this fortress.
40.
Try protecting 80 fortresses, and if one of them is breached, they all fall. Totally different class of problem.
47. CONTAINER ISOLATION TECHNIQUES
What’s special about this key? It’s a sweeping vulnerability present in the common door locks. There are other lock designs that are not vulnerable, but they cost more. There are ways to make neighboring containers isolated near the level of VMs, but they don’t all produce an environment where all software can run without modification.
50. CONTAINER ISOLATION TECHNIQUES
• SELinux / AppArmor
• Secure Computing Mode (seccomp)
• Container Nesting
• Docker Auth Plugins
• User Namespaces
• Encrypted Filesystems
• Address Space Layout Randomization (ASLR)
• Hardware Security Features (NX, VT-d, TPM, TXT, SMAP)
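Several items on that list (seccomp, SELinux/AppArmor, user namespaces) are only as good as the settings of each running container. The following added example, not from the talk, audits a constructed record in the layout of `docker inspect` output for the settings that weaken isolation; the field names follow docker inspect’s JSON, while the container names and values are made up.

```python
import json

# Constructed sample in the layout of `docker inspect` output (a JSON array, one object
# per container). Field names follow docker inspect; the values are made up for this example.
INSPECT_OUTPUT = json.dumps([
    {"Name": "/lampstack", "AppArmorProfile": "", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "SecurityOpt": ["seccomp=unconfined", "label=disable"],
                    "CapAdd": ["SYS_ADMIN"], "PidMode": "host", "UsernsMode": "host"}},
    {"Name": "/webserver", "AppArmorProfile": "docker-default", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "SecurityOpt": [], "CapAdd": [],
                    "PidMode": "", "UsernsMode": ""}},
])


def isolation_findings(container):
    """Return the isolation weaknesses found in one docker inspect record."""
    host = container.get("HostConfig", {})
    opts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, host devices, seccomp and LSM confinement off")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled: container can reach every host syscall")
    if "label=disable" in opts:
        findings.append("SELinux labelling disabled")
    # On SELinux hosts (CentOS/RHEL) AppArmorProfile is always empty: adapt this check to the host's LSM.
    if "apparmor=unconfined" in opts or container.get("AppArmorProfile", "") in ("", "unconfined"):
        findings.append("no AppArmor profile (expected docker-default or a custom profile)")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability {cap} beyond the default set")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if host.get("UsernsMode") == "host":
        findings.append("opted out of daemon user namespace remapping")
    if not container.get("Config", {}).get("User"):
        findings.append("runs as UID 0 inside the container")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in `docker inspect` JSON."""
    return {c["Name"].lstrip("/"): isolation_findings(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(INSPECT_OUTPUT).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the real output of `docker inspect $(docker ps -q)` to see which containers on a host rely on the lock everyone has a key to.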
51. THE DIFFERENCE
1 EFFICIENCY
2 PERFORMANCE
3 SECURITY
In review, these are the three key points of differentiation between VM and Container technology. If performance and efficiency are your primary concerns, then containers make sense. If you want the benefit of containers with the security of VMs, then combine them, or match them with additional security techniques that provide enough fortification to prevent breakouts.