Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda Intro Why use containers at all? Linux Kernel: a pop of history

Published byBlanche Henry Modified over 6 years ago

Similar presentations

Presentation on theme: "Agenda Intro Why use containers at all? Linux Kernel: a pop of history"— Presentation transcript:

1

2 Agenda Intro Why use containers at all? Linux Kernel: a pop of history
Docker and friends Host Security Container Security Building secure images Questions?

3 Why use containers at all?

4 Why use containers? Repeatable environment Isolation Fast startup
Run anywhere Small, deployable units

5 Linux kernel: a pop of history

6 Origins of container technology

7 Linux Kernel chroot Added to Unix in 1979
Changes apparent root directory for processes

8 Linux Kernel Namespaces Added in 2002 by employees at IBM
Allow for kernel resource partitioning Provide processes with their own view of the system

9 Linux Kernel Mount Namespace Host file systems OverlayFS

10 Linux Kernel PID Namespace Independent process IDs
First process gets PID 1 lifecycle tied to that

11 Linux Kernel Network Namespace Isolated network stack IP Routing
Firewall

12 Linux Kernel IPC Namespace SysV Interprocess Communication
Commonly use shared memory between processes

13 Linux Kernel UTS Namespace Allows control of hostname / domain

14 Linux Kernel User Namespace Privilege isolation
Shifts User Identification

15 Linux Kernel cgroups Added in 2007 by employees at Google
Allow for kernel resource limiting Work on groups of processes Single container per group

16 Docker and friends

17 Docker and friends Docker Released 2013 Internal project at dotCloud
Over 1200 contributors Cisco, Google, Huawei, IBM, Microsoft, and Red Hat

18 Docker and friends Docker Developer focused Dockerfile FS Layers
160% rise in 2016 alone

19 Docker and friends Docker Troubles Docker Inc. Fast moving APIs
libcontainer

20 Docker and friends CoreOS rkt OCI Multiple Stages kvm/hypervisor based
container runtime introduces concept of pods

21 Docker and friends runc OCI

22 Host Security

23 Host Security Standard rules apply Minimize access Up to date kernel
Hardened

24 Host Security Minimize Attack Surface
Container have limited host requirements no build tools no debuggers

25 Container Security

26 Container Security Container Scanning Static analysis virus scanning

27 Container Security Container Signing Ensures image integrity
Only allow signed images in production

28 Container Security ReadOnly Root Running image cannot be mutated
Primarily useful in stateless images

29 Container Security NonRoot User
Switch user as soon as possible in build Ensures container breakout doesn’t attain root Slightly less critical with the adoption of user namespaces

30 Container Security Minimal Images Smaller surface area
Less software to become stale

31 Building secure images

32

Download ppt "Agenda Intro Why use containers at all? Linux Kernel: a pop of history"

Similar presentations

PlanetLab: An Overlay Testbed for Broad-Coverage Services Bavier, Bowman, Chun, Culler, Peterson, Roscoe, Wawrzoniak Presented by Jason Waddle.

PlanetLab: An Overlay Testbed for Broad-Coverage Services Bavier, Bowman, Chun, Culler, Peterson, Roscoe, Wawrzoniak Presented by Jason Waddle.
Lightweight virtual system mechanism Gao feng

Lightweight virtual system mechanism Gao feng
Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.

Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.
What to expect.  Linux  Windows Server (2008 or 2012)

What to expect.  Linux  Windows Server (2008 or 2012)
KVM and Container Performance and Isolation Deep Dive.

KVM and Container Performance and Isolation Deep Dive.
Presented by Justin Bode CS 450 – Computer Security February 17, 2010.

Presented by Justin Bode CS 450 – Computer Security February 17, 2010.
Introduction to Docker Jitendra Kumar Patel Saturday, January 24, 2015.

Introduction to Docker Jitendra Kumar Patel Saturday, January 24, 2015.
Zap Steven Osman Dinesh Subhraveti Gong Su Jason Nieh A System for Migrating Computing Environments.

Zap Steven Osman Dinesh Subhraveti Gong Su Jason Nieh A System for Migrating Computing Environments.
Case study 2 Android – Mobile OS.

Case study 2 Android – Mobile OS.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as e-mail.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Agenda Review route summarization Cisco acquire Sourcefire Review Final Exam.

Agenda Review route summarization Cisco acquire Sourcefire Review Final Exam.
OS Hardening Justin Whitehead Francisco Robles. ECE 4112 - Internetwork Security OS Hardening Installing kernel/software patches and configuring a system.

OS Hardening Justin Whitehead Francisco Robles. ECE Internetwork Security OS Hardening Installing kernel/software patches and configuring a system.
4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.

4P13 Week 1 Talking Points. Kernel Organization Basic kernel facilities: timer and system-clock handling, descriptor management, and process Management.
Docker and Container Technology

Docker and Container Technology
1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.

1.4 Open source implement. Open source implement Open vs. Closed Software Architecture in Linux Systems Linux Kernel Clients and Daemon Servers Interface.
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Docker Overview Automating.

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Docker Overview Automating.
VM vs Container Xen, KVM, VMware, etc. Hardware emulation / paravirtualization Can run different OSs on the same box Dozens of instances OS sprawl problem.

VM vs Container Xen, KVM, VMware, etc. Hardware emulation / paravirtualization Can run different OSs on the same box Dozens of instances OS sprawl problem.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►

LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Virtualization Redefined: Embedded virtualization through CGE7 and Docker. Paul Farmer Technical Solutions Engineering Manager MontaVista Software

Virtualization Redefined: Embedded virtualization through CGE7 and Docker. Paul Farmer Technical Solutions Engineering Manager MontaVista Software

Similar presentations

Ads by Google