Agenda Intro Why use containers at all? Linux Kernel: a pop of history

Presentation transcript:

Agenda
- Intro
- Why use containers at all?
- Linux Kernel: a pop of history
- Docker and friends
- Host Security
- Container Security
- Building secure images
- Questions?

Why use containers at all?

Why use containers?
- Repeatable environment
- Isolation
- Fast startup
- Run anywhere
- Small, deployable units

Linux kernel: a pop of history

Origins of container technology

Linux Kernel: chroot
- Added to Unix in 1979
- Changes the apparent root directory for a process

Linux Kernel: Namespaces
- Added in 2002 by employees at IBM
- Allow for kernel resource partitioning
- Provide processes with their own view of the system

Linux Kernel: Mount Namespace
- Host file systems
- OverlayFS

Linux Kernel: PID Namespace
- Independent process IDs
- The first process gets PID 1; the namespace's lifecycle is tied to that process

Linux Kernel: Network Namespace
- Isolated network stack
- IP
- Routing
- Firewall

Linux Kernel: IPC Namespace
- SysV interprocess communication
- Commonly used for shared memory between processes

Linux Kernel: UTS Namespace
- Allows control of hostname / domain name

Linux Kernel: User Namespace
- Privilege isolation
- Shifts user identification (UIDs/GIDs)
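The namespace and user-namespace slides above describe what the kernel exposes but not how to see it. The following script is an added example (not from the original presentation) that reads the same /proc entries a container runtime sets up: it compares each process's namespace identities against PID 1 to find processes living in their own namespaces, and it translates a UID seen inside a user namespace to the host UID it really maps to via /proc/<pid>/uid_map. The process table and uid_map text at the bottom are constructed sample data with made-up inode numbers; only scan_host() touches the live system.

```python
"""Find processes in their own Linux namespaces and translate user-namespace UIDs,
using the /proc files the kernel exposes for every process."""
from __future__ import annotations

import os
from typing import Dict, List, Optional, Tuple

# Namespace types discussed in the slides, as exposed under /proc/<pid>/ns/
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user")


def read_ns_ids(pid: int) -> Dict[str, str]:
    """Return {ns_type: 'type:[inode]'} for a live process.

    Each /proc/<pid>/ns/<type> is a symlink whose target names the namespace
    inode, e.g. 'pid:[4026531836]'; two processes share a namespace exactly
    when those targets are equal.
    """
    ids: Dict[str, str] = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue  # process exited, or no permission to read its namespaces
    return ids


def isolated_namespaces(proc_ids: Dict[str, str], ref_ids: Dict[str, str]) -> List[str]:
    """Namespace types in which `proc_ids` differs from the reference process."""
    return [ns for ns in NS_TYPES
            if ns in proc_ids and ns in ref_ids and proc_ids[ns] != ref_ids[ns]]


def find_isolated(all_ids: Dict[int, Dict[str, str]], ref_pid: int = 1) -> Dict[int, List[str]]:
    """Map each PID to the namespaces it does not share with `ref_pid` (normally init).

    Nothing in /proc says 'container'; a process that differs from init in
    mnt/pid/net/ipc/uts is, in practice, one that a runtime isolated.
    """
    ref = all_ids[ref_pid]
    found: Dict[int, List[str]] = {}
    for pid, ids in all_ids.items():
        if pid == ref_pid:
            continue
        diff = isolated_namespaces(ids, ref)
        if diff:
            found[pid] = diff
    return found


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map: one '<inside> <outside> <count>' triple per line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return rows


def to_host_uid(uid_map: List[Tuple[int, int, int]], inside_uid: int) -> Optional[int]:
    """Translate a UID as seen inside the user namespace to the host UID behind it.

    Returns None when the UID falls outside every mapped range (the kernel shows
    such ids as the overflow uid, and they own nothing on the host).
    """
    for inside, outside, count in uid_map:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def scan_host() -> Dict[int, List[str]]:
    """Read every numeric /proc entry on this machine and report isolated processes."""
    all_ids = {int(e): read_ns_ids(int(e)) for e in os.listdir("/proc") if e.isdigit()}
    return find_isolated(all_ids) if 1 in all_ids else {}


# Constructed sample (inode numbers made up): PID 1 and a host shell share every
# namespace; PID 4242 was placed by a runtime in fresh mnt/pid/net/ipc/uts namespaces
# but still shares the host's user namespace.
_HOST = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]",
         "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]", "user": "user:[4026531837]"}
SAMPLE_NS = {
    1: _HOST,
    900: dict(_HOST),
    4242: {"mnt": "mnt:[4026532650]", "pid": "pid:[4026532653]", "net": "net:[4026532656]",
           "ipc": "ipc:[4026532651]", "uts": "uts:[4026532649]", "user": "user:[4026531837]"},
}

# Constructed uid_map of a container started with UID remapping:
# container UIDs 0..65535 map to host UIDs 100000..165535
SAMPLE_UID_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    for pid, diff in find_isolated(SAMPLE_NS).items():
        print(f"pid {pid}: own {', '.join(diff)} namespaces")
    print("container root is host uid", to_host_uid(parse_uid_map(SAMPLE_UID_MAP), 0))
```

On a real host, run scan_host() as root to see every process; without root, processes you do not own are skipped rather than misreported. The uid_map translation is what makes "root in the container" harmless to the host when user namespaces are in use: container UID 0 becomes an unprivileged host UID.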

Linux Kernel: cgroups
- Added in 2007 by employees at Google
- Allow for kernel resource limiting
- Work on groups of processes
- Single container per group

Docker and friends

Docker and friends: Docker
- Released 2013
- Internal project at dotCloud
- Over 1200 contributors
- Cisco, Google, Huawei, IBM, Microsoft, and Red Hat

Docker and friends: Docker
- Developer focused
- Dockerfile
- FS layers
- 160% rise in 2016 alone

Docker and friends: Docker Troubles
- Docker Inc.
- Fast moving APIs
- libcontainer

Docker and friends: CoreOS rkt
- OCI
- Multiple stages
- kvm/hypervisor based container runtime
- Introduces the concept of pods

Docker and friends: runc
- OCI

Host Security

Host Security
- Standard rules apply
- Minimize access
- Up to date kernel
- Hardened

Host Security: Minimize Attack Surface
- Containers have limited host requirements
- No build tools
- No debuggers

Container Security

Container Security: Container Scanning
- Static analysis
- Virus scanning

Container Security: Container Signing
- Ensures image integrity
- Only allow signed images in production

Container Security: ReadOnly Root
- Running image cannot be mutated
- Primarily useful in stateless images

Container Security: NonRoot User
- Switch user as soon as possible in build
- Ensures container breakout doesn't attain root
- Slightly less critical with the adoption of user namespaces

Container Security: Minimal Images
- Smaller surface area
- Less software to become stale
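The Container Security slides above (signing, read-only root, non-root user) list controls without showing how to verify that a running container actually has them. The script below is an added example, not from the original presentation, that audits a record shaped like the output of `docker inspect <container>`, reading only the real fields Config.User, Config.Image, Image, HostConfig.ReadonlyRootfs and HostConfig.Privileged. The allow-list of approved image ids stands in for a true signature check (Docker Content Trust verifies a signature over the manifest digest rather than consulting a list), and the privileged-mode check goes one step beyond the slides. Both container records and the approved id are constructed sample data.

```python
"""Audit a container record (shape of `docker inspect` output) against the
controls in the Container Security section: signed image, read-only root,
non-root user, and not privileged."""
from typing import Any, Dict, FrozenSet, List


def is_root_user(user: str) -> bool:
    """Config.User may be '', 'name', 'uid', 'name:group' or 'uid:gid'; all of
    '', '0' and 'root' mean the process runs as uid 0."""
    name = user.split(":", 1)[0].strip()
    return name in ("", "0", "root")


def audit_container(inspect: Dict[str, Any],
                    approved_image_ids: FrozenSet[str] = frozenset()) -> List[str]:
    """Return a list of findings; an empty list means the container passes."""
    findings: List[str] = []
    cfg = inspect.get("Config", {})
    host = inspect.get("HostConfig", {})

    # Signing: only images whose content id is on the approved list may run.
    # (Stand-in for a Docker Content Trust / Notary signature check.)
    if inspect.get("Image") not in approved_image_ids:
        findings.append(f"image {cfg.get('Image', '?')} is not an approved, signed image")

    # Read-only root: the running image cannot be mutated.
    if not host.get("ReadonlyRootfs", False):
        findings.append("root filesystem is writable (HostConfig.ReadonlyRootfs is false)")

    # Non-root user: a breakout should not land on the host as uid 0.
    if is_root_user(str(cfg.get("User", ""))):
        findings.append("process runs as root (Config.User is empty, '0' or 'root')")

    # Privileged mode switches off most of the isolation this section relies on.
    if host.get("Privileged", False):
        findings.append("container is privileged (HostConfig.Privileged is true)")

    return findings


# Constructed sample data: one approved image id (placeholder digest) and two
# container records trimmed to the fields the audit reads.
APPROVED_IMAGE_IDS = frozenset({"sha256:" + "a" * 64})

GOOD_CONTAINER = {
    "Image": "sha256:" + "a" * 64,
    "Config": {"Image": "registry.example/app:1.4", "User": "app:app"},
    "HostConfig": {"ReadonlyRootfs": True, "Privileged": False},
}

BAD_CONTAINER = {
    "Image": "sha256:" + "b" * 64,          # not on the approved list
    "Config": {"Image": "app:latest", "User": ""},  # defaults to root
    "HostConfig": {"ReadonlyRootfs": False, "Privileged": True},
}

if __name__ == "__main__":
    for name, record in (("good", GOOD_CONTAINER), ("bad", BAD_CONTAINER)):
        findings = audit_container(record, APPROVED_IMAGE_IDS)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

To audit a live host, feed it `json.loads` of `docker inspect <id>` output (a list; take element 0) and an approved-id set produced by your image signing pipeline. Note that "minimal image" cannot be judged from the container record alone; that control is enforced at build time.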

Building secure images