Published by Aria Rule, modified over 10 years ago
Slide 1: Implications & Opportunities at the Bleeding Edge of DevOps
AppSec USA 2014, Denver, Colorado
Chris Swan, CTO, CohesiveFT (@cpswan)

Slide 2: Introduction
Chris Swan – why me?
- CTO, CohesiveFT
- Cloud native networking

Slide 3: TL;DR
- Dockerfile is awesomely productive: great for DevOps
- Containers don’t contain (at least not yet)
- Images have a manifest problem: keep track of your stuff

Slide 4: Part 1
What do I mean when I say ‘DevOps’?

Slide 5: Demo time
Let’s start with a demo

Slide 6: John Boyd’s OODA loop

Slide 7: Industrial design maturity – the auto example
- Design for purpose
- Design for manufacture
- Design for operations

Slide 8: Industrial design maturity – software
- Design for purpose
- Design for manufacture
- Design for operations
- DevOps is just an artefact

Slide 9: Part 2
Containers and containment

Slide 10: Containers don’t contain
With thanks to Dan Walsh (@rhatdan). Watch his DockerCon 2014 presentation at http://is.gd/dcrhdw

Slide 11: Shocker
- The issue: http://stealth.openwall.net/xSports/shocker.c
- The response: https://news.ycombinator.com/item?id=7910117

Slide 12: Because containers aren’t VMs
And this has yet to come:

Slide 13: Possible to have our cake and eat it?

Slide 14: cgroups

Slide 15: namespaces
- mnt: mount points, filesystems
- pid: processes
- net: network
- ipc: inter process communication
- uts: hostname
- device: devices
- user: UIDs

Slide 16: capabilities
Fine grained control over ‘root’ privileges:
- deny all "mount" operations;
- deny access to raw sockets (to prevent packet spoofing);
- deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag);
- deny module loading;
- etc.
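As an added example (not from the talk), the following Python decodes the CapEff line of /proc/<pid>/status and reports which of the ‘root’ privileges this slide wants denied are still effective for a process. The mapping from each listed operation to a capability name (bit numbers as in linux/capability.h) is my assumption, and both status excerpts are constructed samples; the first uses the mask commonly reported for a container started with Docker’s default capability set, which is also an assumption of the example.

```python
"""Check which 'root' privileges a process still holds by decoding the
CapEff line of /proc/<pid>/status.  Added example, not from the talk;
bit numbers follow linux/capability.h and the sample masks are constructed."""
import re

# Capability behind each operation the slide says a container should be denied
# (assumed mapping; bit numbers from linux/capability.h).
CAPS_FOR_DENIED_OPERATIONS = {
    "mount operations": ("CAP_SYS_ADMIN", 21),
    "raw sockets": ("CAP_NET_RAW", 13),
    "creating device nodes": ("CAP_MKNOD", 27),
    "changing file ownership": ("CAP_CHOWN", 0),
    "altering the immutable flag": ("CAP_LINUX_IMMUTABLE", 9),
    "module loading": ("CAP_SYS_MODULE", 16),
}


def parse_capeff(status_text):
    """Return the effective capability mask (an int) from /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def has_cap(mask, bit):
    """True if capability number `bit` is set in `mask`."""
    return (mask >> bit) & 1 == 1


def capability_count(mask):
    """Number of capabilities set in the mask."""
    return bin(mask).count("1")


def retained_privileges(status_text):
    """Map each operation the slide wants denied to whether its capability is still effective."""
    mask = parse_capeff(status_text)
    return {op: has_cap(mask, bit) for op, (_name, bit) in CAPS_FOR_DENIED_OPERATIONS.items()}


# Constructed sample excerpts of /proc/<pid>/status.  The first mask is the one
# commonly seen for a container run with Docker's default capability set (an
# assumption of this example); the second is a constructed full-root mask.
STATUS_DEFAULT_CONTAINER = (
    "Name:\tnginx\n"
    "CapInh:\t00000000a80425fb\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
STATUS_FULL_ROOT = "Name:\tbash\nCapEff:\t0000003fffffffff\n"


def describe(label, status_text):
    """Human-readable report: for each listed operation, denied or still allowed."""
    mask = parse_capeff(status_text)
    lines = [f"{label}: CapEff={mask:016x} ({capability_count(mask)} capabilities)"]
    for op, (name, bit) in CAPS_FOR_DENIED_OPERATIONS.items():
        state = "STILL ALLOWED" if has_cap(mask, bit) else "denied"
        lines.append(f"  {op:<28} {name:<20} {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Against a live container, feed it the contents of /proc/1/status read from inside.
    print(describe("default container", STATUS_DEFAULT_CONTAINER))
    print(describe("full root", STATUS_FULL_ROOT))
```

The point of the check is that a bullet list like the one on the slide is a policy statement, not a guarantee: reading CapEff back from a running container shows which of those operations its processes can still perform, and the constructed default mask above still carries the raw-socket, device-node and chown capabilities while mount, module loading and the immutable flag are gone.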
Slide 17: Mandatory Access Control (MAC)
AppArmor and SELinux

Slide 18: Containers will contain
- Use of namespaces, capabilities and MAC will improve
  - Might be a game of ‘whack a mole’
  - Hard to tell when we’re done (is @solomonstre’s word going to be enough?)
- Libcontainer can drive other mechanisms
  - More secure options might come
- Hardware support might come
  - Existing rings 1 & 2 aren’t used much, but aren’t really suitable
  - VT-x introduced ring -1; do we need a ring 0.5?
Slide 19: Part 3
The manifest problem

Slide 20: My Dockerfile from (much) earlier

Slide 21: Each active line creates a layer

Slide 22: An image binds layers together

Slide 23: The image is the unit of deployment

Slide 24: Which version of Nginx is that?

Slide 25: Which version of OpenSSL is installed?

Slide 26: Problem 1 – non determinism
- Whilst we want this to be cached in the short term: apt-get install nginx
- We perhaps don’t want it cached in the long term
- What are those durations?

Slide 27: Problem 2 – the manifest problem
- When I run apt-get install nginx I don’t know which version of Nginx I just got
- Should I? nginx -v > some_log.txt
- Or maybe? apt-cache policy nginx > some_log.txt
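Added example, not from the talk, covering both slide 26 and slide 27: it parses the output of the commands named on this slide (plus dpkg-query, my addition) into a manifest, turns a recorded manifest into a pinned apt-get line so a later rebuild gets the same versions, and diffs the manifests of two builds to show what the cache drift actually changed. Every command output below is a constructed sample and the version strings are illustrative, not a claim about any archive. Two caveats a practitioner hits straight away: nginx writes its -v banner to stderr, so the redirect on the slide captures nothing unless it is 2>, and a pinned version can only be reinstalled while the archive still carries it, which is exactly the ‘durations’ question from slide 26.

```python
"""Record what an image build actually installed and compare two builds of
the same Dockerfile.  Added example, not from the talk; the command outputs
below are constructed samples with illustrative version strings."""
import re


def parse_apt_cache_policy(text):
    """Return {'installed': ..., 'candidate': ...} from `apt-cache policy <pkg>` output."""
    result = {}
    for key in ("Installed", "Candidate"):
        match = re.search(rf"^\s*{key}:\s*(\S+)", text, re.MULTILINE)
        if match:
            value = match.group(1)
            result[key.lower()] = None if value == "(none)" else value
    return result


def parse_nginx_version(text):
    """Return the version from the `nginx -v` banner (which nginx prints on stderr,
    so capture it with `nginx -v 2> some_log.txt`)."""
    match = re.search(r"nginx/(\S+)", text)
    return match.group(1) if match else None


def parse_dpkg_query(text):
    r"""Parse `dpkg-query -W -f='${Package}\t${Version}\n'` output into {package: version}."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        package, version = line.split("\t", 1)
        manifest[package] = version
    return manifest


def pinned_install_line(manifest, *packages):
    """Build an apt-get line that installs exactly the versions a recorded manifest lists.
    This reproduces the build only while those versions are still in the archive."""
    return "apt-get install -y " + " ".join(f"{p}={manifest[p]}" for p in packages)


def manifest_diff(old, new):
    """Packages whose version differs between two manifests: {pkg: (old, new)}."""
    return {
        p: (old.get(p), new.get(p))
        for p in sorted(set(old) | set(new))
        if old.get(p) != new.get(p)
    }


# Constructed samples of the command outputs a build step could log.
APT_CACHE_POLICY_NGINX = """\
nginx:
  Installed: 1.4.6-1ubuntu3
  Candidate: 1.4.6-1ubuntu3
  Version table:
 *** 1.4.6-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
"""
NGINX_V_STDERR = "nginx version: nginx/1.4.6 (Ubuntu)\n"
# Two builds of the same Dockerfile, weeks apart: same `apt-get install nginx`
# line, different packages pulled in (constructed).
BUILD_1_DPKG = "libssl1.0.0\t1.0.1f-1ubuntu2\nnginx\t1.4.6-1ubuntu3\nnginx-common\t1.4.6-1ubuntu3\n"
BUILD_2_DPKG = "libssl1.0.0\t1.0.1f-1ubuntu2.5\nnginx\t1.4.6-1ubuntu3.1\nnginx-common\t1.4.6-1ubuntu3.1\n"


if __name__ == "__main__":
    first, second = parse_dpkg_query(BUILD_1_DPKG), parse_dpkg_query(BUILD_2_DPKG)
    print("nginx -v says:", parse_nginx_version(NGINX_V_STDERR))
    print("apt-cache policy says:", parse_apt_cache_policy(APT_CACHE_POLICY_NGINX))
    print("to rebuild build 1 exactly:", pinned_install_line(first, "nginx", "nginx-common"))
    for pkg, (old, new) in manifest_diff(first, second).items():
        print(f"drifted: {pkg} {old} -> {new}")
```

The dpkg-query manifest is the more useful of the three records: the OpenSSL question on slide 25 is answered by the libssl line, which neither nginx -v nor apt-cache policy nginx would ever mention.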
Slide 28: TL;DR
- Dockerfile is awesomely productive: great for DevOps
- Containers don’t contain (at least not yet)
- Images have a manifest problem: keep track of your stuff

Slide 29: Question time
Questions? Ask now, or on Twitter: @cpswan