Published by Blanche Henry. Modified over 6 years ago.
2
Agenda
- Intro
- Why use containers at all?
- Linux Kernel: a pop of history
- Docker and friends
- Host Security
- Container Security
- Building secure images
- Questions?
3
Why use containers at all?
4
Why use containers?
- Repeatable environment
- Isolation
- Fast startup
- Run anywhere
- Small, deployable units
5
Linux kernel: a pop of history
6
Origins of container technology
7
Linux Kernel: chroot
- Added to Unix in 1979
- Changes the apparent root directory for processes
8
Linux Kernel: Namespaces
- Added in 2002 by employees at IBM
- Allow for kernel resource partitioning
- Provide processes with their own view of the system
9
Linux Kernel: Mount Namespace
- Host file systems
- OverlayFS
10
Linux Kernel: PID Namespace
- Independent process IDs
- First process gets PID 1; the namespace's lifecycle is tied to it
11
Linux Kernel: Network Namespace
- Isolated network stack
- IP routing
- Firewall
12
Linux Kernel: IPC Namespace
- SysV interprocess communication
- Commonly used for shared memory between processes
13
Linux Kernel: UTS Namespace
- Allows control of hostname / domain name
14
Linux Kernel: User Namespace
- Privilege isolation
- Shifts user identification
15
Linux Kernel: cgroups
- Added in 2007 by employees at Google
- Allow for kernel resource limiting
- Work on groups of processes
- Single container per group
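The slides on namespaces and cgroups describe the two kernel mechanisms a container runtime combines: partitioning (each process gets its own view of the system) and limiting (resource caps on a group of processes). The script below is an added example, not from the deck, showing how both are visible through /proc on any Linux host: /proc/<pid>/ns/ exposes one symlink per namespace type whose target carries the namespace inode, and /proc/<pid>/cgroup names the cgroup whose limits apply. The `unshare` demo at the end assumes util-linux `unshare` and unprivileged user namespaces; it is only attempted, never required.

```shell
#!/bin/sh
# Added example, not from the slides: inspect the namespaces and cgroup a
# process lives in through /proc, which is how the kernel exposes the
# partitioning the slides describe. Runs unprivileged on any Linux host;
# the optional unshare demo at the end needs user namespaces enabled.

# Print "<type> <inode>" for every namespace of PID (default: this shell).
# /proc/<pid>/ns/<type> is a symlink to e.g. "pid:[4026531836]"; two
# processes are in the same namespace exactly when the inode matches.
ns_list() {
    pid="${1:-$$}"
    for link in /proc/"$pid"/ns/*; do
        target=$(readlink "$link") || continue
        inode=${target#*:}; inode=${inode#\[}; inode=${inode%\]}
        printf '%s %s\n' "${target%%:*}" "$inode"
    done
}

# Print "shared" or "separate" depending on whether PID1 and PID2 are in the
# same namespace of TYPE (pid, net, mnt, uts, ipc, user, cgroup).
ns_shared() {
    a=$(readlink /proc/"$1"/ns/"$3") || { echo unknown; return 1; }
    b=$(readlink /proc/"$2"/ns/"$3") || { echo unknown; return 1; }
    if [ "$a" = "$b" ]; then echo shared; else echo separate; fi
}

# Print the cgroup v2 path of PID (the "0::/path" line in /proc/<pid>/cgroup).
cgroup_of() {
    pid="${1:-$$}"
    path=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/"$pid"/cgroup)
    [ -n "$path" ] || { echo "no cgroup v2 entry"; return 1; }
    echo "$path"
}

# Print the memory limit ("max" = unlimited) applied to PID's cgroup; this is
# the resource-limiting half of what a container runtime configures.
cgroup_memory_max() {
    path=$(cgroup_of "$1") || return 1
    f="/sys/fs/cgroup${path}/memory.max"
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Optional demo (run with "demo" as the first argument): a child in fresh
# user+UTS namespaces changes *its* hostname without touching the host's.
if [ "${1:-}" = demo ]; then
    echo "namespaces of this shell:"; ns_list
    echo "cgroup: $(cgroup_of) (memory.max: $(cgroup_memory_max))"
    unshare --user --map-root-user --uts sh -c 'hostname sandbox; hostname' 2>/dev/null \
        || echo "unshare not permitted here"
    echo "host hostname still: $(hostname)"
fi
```

Comparing `ns_list` output for a shell on the host and for a process inside a running container shows different inodes for pid, net, mnt, uts and ipc (and for user when user namespaces are enabled), which is exactly the "own view of the system" the slides refer to; `cgroup_memory_max` on the containerized process shows the cap the runtime applied.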
16
Docker and friends
17
Docker and friends: Docker
- Released 2013
- Internal project at dotCloud
- Over 1200 contributors: Cisco, Google, Huawei, IBM, Microsoft, and Red Hat
18
Docker and friends: Docker
- Developer focused
- Dockerfile
- FS layers
- 160% rise in 2016 alone
19
Docker and friends: Docker troubles
- Docker Inc.
- Fast-moving APIs
- libcontainer
20
Docker and friends: CoreOS rkt
- OCI
- Multiple stages
- kvm/hypervisor-based container runtime
- Introduces the concept of pods
21
Docker and friends: runc
- OCI
22
Host Security
23
Host Security
- Standard rules apply
- Minimize access
- Up-to-date kernel
- Hardened
24
Host Security: Minimize Attack Surface
- Containers have limited host requirements
- No build tools
- No debuggers
25
Container Security
26
Container Security: Container Scanning
- Static analysis
- Virus scanning
27
Container Security: Container Signing
- Ensures image integrity
- Only allow signed images in production
28
Container Security: ReadOnly Root
- Running image cannot be mutated
- Primarily useful for stateless images
29
Container Security: NonRoot User
- Switch user as soon as possible in the build
- Ensures a container breakout doesn't attain root
- Slightly less critical with the adoption of user namespaces
30
Container Security: Minimal Images
- Smaller surface area
- Less software to become stale
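The container-security slides (scanning, signing, read-only root, non-root user, minimal images) are each a property that can be checked or enforced mechanically. The script below is an added example, not from the deck or any project: a small static audit of a Dockerfile for the three build-time points (a non-root USER in the shipped stage, a pinned rather than floating base image, and no compilers or debuggers installed in that stage), plus the `docker run` flags that enforce the run-time points (`--read-only` with a tmpfs for stateless scratch space, `--user`, and `DOCKER_CONTENT_TRUST=1` so only signed images are pulled). The two sample Dockerfiles are constructed for illustration, as are the image references in them; `docker` itself is never invoked, so everything runs offline.

```shell
#!/bin/sh
# Added example, not from the slides: a static audit of a Dockerfile against
# the slides' hardening points (non-root user, pinned/minimal base, no build
# tools or debuggers left in the shipped image), plus the matching docker run
# flags for a read-only root. Nothing invokes docker; the two sample
# Dockerfiles below are constructed for illustration.

# Print one finding per line for FILE; print nothing when it passes.
dockerfile_audit() {
    file="$1"
    # Only the final stage ships: keep everything after the last FROM, so
    # compilers in earlier stages of a multi-stage build do not count.
    final=$(awk 'toupper($1)=="FROM"{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$file")

    # 1. Non-root user: the last USER in the final stage must not be root/0.
    user=$(printf '%s' "$final" | awk 'toupper($1)=="USER"{u=$2} END{print u}')
    case "$user" in
        ""|root|0|root:*|0:*) echo "no non-root USER in final stage" ;;
    esac

    # 2. Pinned base: the reference needs a tag or digest and must not float
    #    on :latest. Only the last path component is inspected so registry
    #    ports do not look like tags; "FROM --platform=..." is not parsed.
    printf '%s' "$final" | awk 'toupper($1)=="FROM"{print $2}' | while read -r base; do
        name=${base##*/}
        case "$name" in
            scratch|*@sha256:*) ;;
            *:latest) echo "base image $base uses the floating :latest tag" ;;
            *:*) ;;
            *) echo "base image $base has no tag or digest" ;;
        esac
    done

    # 3. Build tools and debuggers installed in the shipped stage.
    printf '%s' "$final" | grep -iE '^[[:space:]]*RUN' \
        | grep -iwE 'gcc|g\+\+|gdb|strace|build-essential' \
        | while read -r line; do echo "build/debug tool installed in final stage: $line"; done
}

# Run-time counterpart: read-only root with a tmpfs for stateless scratch
# data, an explicit non-root UID, and content trust so only signed images are
# pulled. Prints the command for IMAGE; nothing is executed.
hardened_run_cmd() {
    printf 'DOCKER_CONTENT_TRUST=1 docker run --read-only --tmpfs /tmp:rw,noexec,nosuid --user 65532:65532 %s\n' "$1"
}

# Constructed samples: one Dockerfile that violates every check, one that
# uses a multi-stage build so the final image is minimal, pinned and non-root.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/Dockerfile.bad" <<'EOF'
FROM ubuntu
RUN apt-get update && apt-get install -y gcc gdb python3
COPY app.py /app/
CMD ["python3", "/app/app.py"]
EOF
    cat > "$dir/Dockerfile.good" <<'EOF'
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
EOF
    echo "$dir"
}

if [ "${1:-}" = demo ]; then
    dir=$(make_samples)
    for f in "$dir"/Dockerfile.bad "$dir"/Dockerfile.good; do
        echo "== $f"; dockerfile_audit "$f"
    done
    hardened_run_cmd app:1.0
fi
```

Running with `demo` prints three findings for Dockerfile.bad (no non-root USER, untagged base, gcc/gdb in the shipped stage) and none for Dockerfile.good, where the compiler lives only in the discarded build stage. The audit is a deliberately narrow form of the "static analysis" the scanning slide lists; a full scanner would also inventory the packages in each layer.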
31
Building secure images