DockerCon SF 2015: Docker Security

Jun 24, 20159 likes7,145 views

Least - Privilege Microservices; slides from Diogo Mónica and Nathan McCauley's Docker Security Talk at DockerCon SF 2015.

Least-privilege Microservices
Diogo Mónica
Nathan McCauley

Agenda
• Why least-privilege
• History of least-privilege
• Least-privilege with Docker
• Ongoing and future work
• Conclusions

“Every process must be able to access only the
information and resources that are necessary for its
legitimate purpose”

2000
Internet
DatabasesServicesFront-end

Server
Host OS
Docker Engine
AppA
AppB
AppC
AppD
AppE
AppF
libraries
Container
One Process

‣A FE server has a very different security proﬁle than a database or a worker host
‣Imagine that each container only has access exactly to the resources and APIs it
needs. No more, no less.
Front-end Server Back-end Server
‣Access to a lot of
downstream services
‣Most exposed
‣I/O intensive
‣Limited network access
Worker Host
‣CPU Intensive
‣Wide range of workloads
Profiles

‣A container is a process. Let’s ﬁnd out what syscalls it needs.
Process Monitoring

‣Namespaces provide an isolated view of the system (Network, PID, etc)
‣Cgroups limit and isolate the resource usage of a collection of processes
‣Linux Security Modules give us a MAC (AppArmor, SELinux)
Fine-grained controls

Fine-grained controls
‣Capabilities divides the privileges of root into distinct units (bind, chown, etc)
‣Per-container ulimit (since 1.6)
‣User-namespaces: root inside is not root outside (remapped root for 1.8)
‣Seccomp: Individual syscall ﬁltering (working on my laptop)

Safer by default
‣Less than half the Linux capabilities by
default
‣Copy-on-write ensures immutability
‣No device access by default
‣Default AppArmor and SELinux proﬁles
for an increasing number of containers

Safer by default
‣Smaller footprint
‣Remove all unneeded packages
‣Remove all unneeded users
‣Remove all suid binaries
…
Debia
n

Security Profiles
Debia
n
‣Producers of containers should be responsible for creating adequate proﬁles
‣Proﬁle gets shipped with the container
‣Aggregates all of the different isolation mechanisms into one single proﬁle

Securing the Ecosystem
Debia
n
User-namespaces Seccomp Provenance
Selinux Kerberos

Intro to Container Security
Debia
n
http://bit.ly/1M4O9XE

Docker Bench
Debia
n
https://dockerbench.com/
‣Fully automated
‣Shipped as a container that tests containers

Conclusion
‣Docker is on the path to support least-privilege microservices, since it allows
ﬁne-grained control over what access each container should have.
‣We will need easier tooling to deﬁne per-container security proﬁles
‣You can help!
#docker-security on Freenode

Thank you
diogo@docker.com
nathan.mccauley@docker.com

True microservices are more than simply bolting a REST interface on your legacy application, packing it in a Docker container and hoping for the best. Security is a key component when designing and building out any new architecture, and it must be considered from top to bottom. Umpa Lumpas might not be considered "real" microservices, but Willy Wonka still has them locked down tight! In this talk, Aaron will briefly touch on the idea and security benefits of microservices before diving into practical and real world examples of creating a secure microservices architecture. We'll start with designing and building high security Docker containers, using and examining the latest security features in Docker (such as User Namespaces and seccomp-bpf) as well as examine some typically forgotten security principals. Aaron will end on exploring related challenges and solutions in the areas of network security, secrets management and application hardening. Finally, while this talk is geared towards Microservices, it should prove informational for all Docker users, building a PaaS or otherwise.

Troubleshooting Tips from a Docker Support EngineerJeff Anderson

The document discusses various troubleshooting techniques for Docker including using tools like socat and curl to characterize networking and TLS issues, checking container processes and permissions, using volumes to store persistent data, and resolving issues with incorrect localhost references between containers. It also provides examples of troubleshooting issues with a Minecraft server, Ruby application, and Nginx proxy configuration.

Docker IntroductionSparkbit

Docker is a technology that uses lightweight containers to package applications and their dependencies in a standardized way. This allows applications to be easily deployed across different environments without changes to the installation procedure. Docker simplifies DevOps tasks by enabling a "build once, ship anywhere" model through standardized environments and images. Key benefits include faster deployments, increased utilization of resources, and easier integration with continuous delivery and cloud platforms.

Docker introductionPhuc Nguyen

The document introduces Docker, a container platform. It discusses how Docker addresses issues with deploying different PHP projects that have varying version requirements by allowing each project to run isolated in its own container with specified dependencies. It then covers key Docker concepts like images, containers, linking, exposing ports, volumes, and Dockerfiles. The document highlights advantages of Docker like enabling applications to run anywhere without compatibility issues and making deployment more efficient.

Docker introductionLayne Peng

This document provides an introduction to Docker. It discusses key Docker concepts like OS virtualization using containers as opposed to virtual machines. Containers isolate processes and filesystems using cgroups, namespaces and UnionFS. Namespaces provide isolation for processes, networking, mounts etc. Cgroups are used to limit, account and isolate resource usage. The document also covers Docker storage and networking as well as security best practices.

Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes

Secure Substrate: Least Privilege Container Deployment Docker, Inc.

Riyaz Faizullabhoy - Security Engineer, Docker Diogo Mónica - Security Lead, Docker The popularity of containers has driven the need for distributed systems that can provide a substrate for container deployments. These systems need the ability to provision and manage resources, place workloads, and adapt in the presence of failures. In particular, container orchestrators make it easy for anyone to manage their container workloads using their cloud-based or on-premise infrastructure. Unfortunately, most of these systems have not been architected with security in mind.Compromise of a less-privileged node can allow an attacker to escalate privileges to either gain control of the whole system, or to access resources it shouldn't have access to. In this talk, we will go over how Docker has been working to build secure blocks that allow you to run a least privilege infrastructure - where any participant of the system only has access to the resources that are strictly necessary for its legitimate purpose. No more, no less.

Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy

Docker and the Linux KernelDocker, Inc.

Veer's Container SecurityJim Barlow

Container security involves securing containers at both the host and application level. At the host level, Linux technologies like namespaces, cgroups, SELinux, and seccomp provide isolation between containers. Container images are also scanned for vulnerabilities. The OpenShift platform provides additional security features like role-based access control, network policies, encrypted communications, and controls over privileged containers and storage. Application security best practices within containers include using HTTPS, securing secrets, and API management tools.

Docker IntroductionRobert Reiz

Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.

Built-in security is one of the most important features in Docker. But to build a secure app, you have to understand how to take advantage of these features. Security begins with the platform, but also requires conscious secure design at all stages of app development. In this session, we'll cover the latest features in Docker security, and how you can leverage them. You'll learn how to add them to your existing development pipeline, as well as how you can and streamline your workflow while making it more secure.

Docker London: Container SecurityPhil Estes

This document summarizes a presentation on container security given by Phil Estes. It identifies several threat vectors for containers including risks from individual containers, interactions between containers, external attacks, and application security issues. It then outlines various security tools and features in Docker like cgroups, Linux Security Modules, capabilities, seccomp, and user namespaces that can help mitigate these threats. Finally, it discusses some future directions for improving container security through more secure defaults, image signing, and network security enhancements.

Deep Dive in Docker Overlay Networks - Laurent Bernaille - Architect, D2SIDocker, Inc.

Docker overlay networks allow containers on different hosts to communicate by encapsulating traffic in VXLAN tunnels. The overlay network uses Consul for service discovery and stores network state like MAC address tables. Containers connect to the overlay network via veth interfaces attached to a bridge in the overlay namespace. When a container sends traffic to an unknown destination, the bridge floods it over VXLAN tunnels to other nodes to discover the destination's location.

Docker - introductionMichał Kurzeja

Dockerizing your applications - Docker workshop @TwitterdotCloud

This document discusses how to dockerize desktop applications like Firefox by running them in Docker containers with access to the host desktop, audio devices, and data volumes. It provides instructions for downloading Docker and example Dockerfiles, building images, and running Firefox in both ephemeral and stateful containers with various volume mounting techniques to access files on the host or in data containers.

Introduction to Containers - SQL Server and DockerChris Taylor

Containers provide lightweight virtualization that packages applications and dependencies together. The document introduces containers and Docker, discusses the differences between containers and virtual machines, and covers key Docker concepts like images, Dockerfiles, Docker Hub, and running SQL Server in containers. It also addresses container setup, licensing, and performance considerations for using containers with SQL Server.

Docker Security and Content Trustehazlett

Docker presentation | Paris Docker MeetupdotCloud

- The document summarizes a meetup on Docker held in Paris on February 10, 2013. It provides an introduction to Docker including its origins at dotCloud, timeline of development, and basic functionality using Linux containers, control groups, and AUFS. - The presentation covers installing Docker, basic commands like running "hello world" examples, managing containers vs images, and demonstrates a simple app deployment using Docker for local development and pushing changes to production. - Questions from attendees are solicited at the end to discuss Docker further.

Docker Security Deep Dive by Ying Li and David LawrenceDocker, Inc.

Docker introductiondotCloud

Docker is a system for running applications in isolated containers. It addresses issues with traditional virtual machines by providing lightweight containers that share resources and allow applications to run consistently across different environments. Docker eliminates inconsistencies in development, testing and production environments. It allows applications and their dependencies to be packaged into a standardized unit called a container that can run on any Linux server. This makes applications highly portable and improves efficiency across the entire development lifecycle.

How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes

Containers technologiesJoris Bonnefoy

Orchestrating Docker containers at scaleMaciej Lasyk

What Have Namespaces Done for you Lately? Liz Rice, Aqua SecurityDocker, Inc.

Docker Presentation at the OpenStack Austin Meetup | 2013-09-12dotCloud

Docker: the road aheadshykes

1. The document discusses Docker's roadmap which includes standardizing interfaces for container sandboxing (libcontainer), communication between containers and components (libchan), and orchestrating distributed services (libswarm). 2. It announces libcontainer becoming a standalone project and new contributors joining its development. Libchan is introduced as a lightweight communication protocol and libswarm is presented as a toolkit for composing network services. 3. Identity and authorization are mentioned as upcoming areas of focus, and the document encourages participation in developing these Docker projects.

Seven problems of Linux ContainersKirill Kolyshkin

Docker, Linux Containers (LXC), and securityJérôme Petazzoni

Linux containers provide isolation between applications using namespaces and cgroups. While containers appear similar to VMs, they do not fully isolate applications and some security risks remain. To improve container security, Docker recommends: 1) not running containers as root, 2) dropping capabilities like CAP_SYS_ADMIN, 3) enabling user namespaces, and 4) using security modules like SELinux. However, containers cannot fully isolate applications that need full hardware or kernel access, so virtual machines may be needed in some cases.

More Related Content

What's hot (20)

Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy

Docker and the Linux KernelDocker, Inc.

Veer's Container SecurityJim Barlow

Docker IntroductionRobert Reiz

Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.

Docker London: Container SecurityPhil Estes

Deep Dive in Docker Overlay Networks - Laurent Bernaille - Architect, D2SIDocker, Inc.

Docker - introductionMichał Kurzeja

Dockerizing your applications - Docker workshop @TwitterdotCloud

Introduction to Containers - SQL Server and DockerChris Taylor

Docker Security and Content Trustehazlett

Docker presentation | Paris Docker MeetupdotCloud

Docker Security Deep Dive by Ying Li and David LawrenceDocker, Inc.

Docker introductiondotCloud

How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes

Containers technologiesJoris Bonnefoy

Orchestrating Docker containers at scaleMaciej Lasyk

What Have Namespaces Done for you Lately? Liz Rice, Aqua SecurityDocker, Inc.

Docker Presentation at the OpenStack Austin Meetup | 2013-09-12dotCloud

Docker: the road aheadshykes

Advanced Docker Developer Workflows on MacOS X and WindowsAnil Madhavapeddy

Docker and the Linux KernelDocker, Inc.

Veer's Container SecurityJim Barlow

Docker IntroductionRobert Reiz

Building a Secure App with Docker - Ying Li and David Lawrence, DockerDocker, Inc.

Docker London: Container SecurityPhil Estes

Deep Dive in Docker Overlay Networks - Laurent Bernaille - Architect, D2SIDocker, Inc.

Docker - introductionMichał Kurzeja

Dockerizing your applications - Docker workshop @TwitterdotCloud

Introduction to Containers - SQL Server and DockerChris Taylor

Docker Security and Content Trustehazlett

Docker presentation | Paris Docker MeetupdotCloud

Docker Security Deep Dive by Ying Li and David LawrenceDocker, Inc.

Docker introductiondotCloud

How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes

Containers technologiesJoris Bonnefoy

Orchestrating Docker containers at scaleMaciej Lasyk

What Have Namespaces Done for you Lately? Liz Rice, Aqua SecurityDocker, Inc.

Docker Presentation at the OpenStack Austin Meetup | 2013-09-12dotCloud

Docker: the road aheadshykes

Viewers also liked (20)

Seven problems of Linux ContainersKirill Kolyshkin

Docker, Linux Containers (LXC), and securityJérôme Petazzoni

DockerCon SF 2015: DHE/DTRDocker, Inc.

Docker Trusted Registry is a private registry for Docker images that provides key features like role-based access control, audit logs, and storage drivers. It has a modular architecture with components like registry servers, load balancers, and authentication servers. It can be deployed on any infrastructure and supports integration with directory services. Docker Trusted Registry comes in different editions for teams of various sizes and needs and pricing starts from free to $150 per month depending on the edition.

Docker on the Raspberry Pi by Dieter Reuter (Hypriot)Docker, Inc.

Docker can run on resource-constrained devices like the Raspberry Pi, allowing lightweight virtualization for IoT applications. During a live demo, over 250 Docker containers were launched on a Raspberry Pi in under 7 minutes, showing Docker's ability to scale down to minimal hardware resources. The presentation concluded with information on how to learn more about Docker on IoT devices from the speaker's blog and Twitter account.

DockerCon SF 2015: Ben Golub's Keynote Day 1Docker, Inc.

The summary provides an overview of the key points from DockerCon Day 1: - Ben Golub, Docker CEO, welcomed attendees and encouraged them to use hashtags and share photos from the conference to win prizes. - The keynote discussed how Docker has grown significantly over the past year in terms of contributors, projects, job openings, dockerized applications, and downloads. - It was noted that applications have fundamentally changed to be more distributed and composed of loosely coupled microservices, and Docker is helping enable this new model of application development and deployment. - The keynote discussed Docker's vision for the future of distributed applications and highlighted what Docker in production means in terms of community, ecosystem, and solutions for security

DockerCon 15 Keynote - Day 2Docker, Inc.

The document summarizes Day 2 of DockerCon. It discusses Docker being ready for production use with solutions for building, shipping, and running containers. It highlights Docker Hub growth and improvements to quality. Business Insider's journey with Docker is presented, covering lessons learned around local development and using Puppet and Docker Hub. Future directions discussed include orchestration tools and image security.

DockerCon SF 2015: Keynote Day 1Docker, Inc.

The document summarizes key points from Day 1 of DockerCon. It discusses Docker's mission to build tools for mass innovation and how they are taking an incremental approach to reinventing the programmer's toolbox. New tools like Docker, Docker Compose, Docker Machine, Docker Swarm, Docker Networking plugins and Notary were introduced to help solve problems around runtimes, packaging, service composition, machine management, clustering, networking and security. Docker is also donating runC to the Open Container Project and forming the Open Container Project to establish open standards around container formats and governance.

Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.

The SDACK architecture stands for Spark, Docker, Akka, Cassandra, and Kafka. At TrendMicro, we adopted the SDACK architecture to implement a security event inspection platform for APT attack analysis. In this talk, we will introduce SDACK stack with Spark lambda architecture, Akka and Kafka for streaming data pipeline, Cassandra for time series data, and Docker for microservices. Specifically, we will show you how we Dockerize each SDACK component to facilitate the RD team of algorithms development, help the QA team test the product easily, and use the Docker as a Service strategy to ship our products to customers. Next, we will show you how we monitor each Docker container and adjust the resource usage based on monitoring metrics. And then, we will share our Docker security policy which ensures our products are safety before shipping to customers. After that, we'll show you how we develop an all-in-one Docker based data product and scale it out to multi-host Docker cluster to solve the big data problem. Finally, we will share some challenges we faced during the product development and some lesson learned.

DockerCon SF 2015: AWS w/ Deepak SinghDocker, Inc.

Containerd: Building a Container Supervisor by Michael CrosbyDocker, Inc.

Containerd is a container supervisor that allows users to manage the lifecycle of a container as well as interact with the container while it is executing. Containerd was built to fulfill many of the requirements that we expect from a modern supervisor all while staying small and fast. In this talk, we will discuss some of the design decisions that shaped containerd’s architecture that allows it to reattach to running containers if it was killed and how it is designed to start 100s containers in seconds.

Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Docker, Inc.

Riot builds a lot of software. At the start of 2015 we were looking at 3000 build jobs over a hundred different applications and dozens of teams. We were handling nearly 750 jobs per hour and our build infrastructure needed to grow rapidly to meet demand. We needed to give teams total control of the “stack” used to build their applications and we needed a solution that enabled agile delivery to our players. On top of that, we needed a scalable system that would allow a team of four engineers to support over 250. After as few explorations, we built an integrated Docker solution using Jenkins that accepts docker images submitted as build environments by engineers around the company . Our “containerized” farm now creates over 10,000 containers a week and handles nearly 1000 jobs at a rate of about 100 jobs an hour. In this occasionally technical talk, we’ll explore the decisions that led Riot to consider Docker, the evolutionary stages of our build infrastructure, and how the open source and in-house software we combined to achieve our goals at scale. You’ll come away with some best practices, plenty of lessons learned, and insight into some of the more unique aspects of our system (like automated testing of submitted build environments, or testing node.js apps in containers with Chromium and xvfb).

Docker Security workshop slidesDocker, Inc.

Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop. Led By Docker Security Experts: Riyaz Faizullabhoy David Lawrence Viktor Stanchev Experience Level: Intermediate to advanced level Docker experience recommended

Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker, Inc.

This document provides an overview of Docker Hub, including its history and features. Docker Hub is a cloud registry service that allows users to share applications and automate workflows. It currently has over 240,000 users, 150,000 repositories, and handles over 1 billion pulls annually. The document discusses Docker Hub's growth over time and upcoming features like improved performance, automated builds using Kubernetes, and a redesigned user interface.

Docker Registry V2Docker, Inc.

This document discusses Docker Registry API V2, a new model for image distribution that addresses limitations in the previous V1 API. Key changes include making layers content-addressable using cryptographic digests for identification and verification. Images are now described by manifests containing layer digests. The registry stores content in repositories and no longer exposes internal image details. Early adoption shows V2 providing significantly better performance than V1 with 80% fewer requests and 60% less bandwidth used. Future goals include improving documentation, adding features like pull-through caching, and developing the Docker distribution components to provide a foundation for more advanced distribution models.

Is Docker Secure?Manideep Konakandla

This document summarizes a presentation on the security of Docker containers. It begins with introductions and then outlines the container pipeline and risk areas. It discusses security issues related to images, the container runtime, and approaches for enterprises. It presents a holistic view of the container security pipeline and risks at different stages. It concludes by taking questions and providing references for further information.

Docker Chicago Meetup - July 2014Cohesive Networks

This document discusses Docker containers and security. It notes that while Dockerfiles are productive for developers and DevOps, containers currently do not fully isolate processes due to limitations of namespaces and capabilities. It also describes a "manifest problem" where the versions of packages installed in an image are not explicitly defined. The document demonstrates how to improve container security using namespaces, capabilities, and mandatory access control and predicts containers will better isolate processes over time with improved techniques and hardware support.

IoT Agents (With Lightweight M2M)dmoranj

This document provides an overview of IoT Agents and the OMA Lightweight M2M IoT Agent. It discusses interaction models between IoT Agents and the Context Broker, including active attributes, lazy attributes, and commands. It covers device and service provisioning APIs. It also outlines typical IoT scenarios and describes building custom IoT Agents using Node.js or C++ frameworks. Resources listed include Github projects for IoT Agent libraries and the Lightweight M2M IoT Agent.

Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Jérôme Petazzoni

Containers, Docker, and Security: State of the Union This document discusses the past, present, and future of container security with Docker. It summarizes that container isolation used to be a major concern but improvements have been made through finer-grained permissions and immutable containers. Image provenance is now a bigger issue but techniques like Docker Content Trust (Notary) help address it. Defense in depth with both containers and VMs is recommended. The security of containers continues to improve through practices like better upgrades, security benchmarks, and policies.

IoT Agents (Introduction)dmoranj

This document introduces IoT agents, which act as intermediaries between IoT devices and the Orion Context Broker. It discusses the IoT architecture and how agents allow different device protocols to communicate with NGSI via a common interface. It also describes APIs for provisioning devices and interacting with their active and lazy attributes as well as commands. Finally, it provides recommendations for getting started, such as installing an IoT agent like UL 2.0 using Docker and testing it with tools like figway.

What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiMike Goelzer

Docker 1.12 introduces several new features for managing containerized applications at scale including Docker Swarm mode for native clustering and orchestration. Key features include services that allow defining and updating distributed applications, a built-in routing mesh for load balancing between nodes, and security improvements like cryptographic node identities and TLS encryption by default. The document also discusses plugins, health checks, and distributed application bundles for declaring stacks of services.

Seven problems of Linux ContainersKirill Kolyshkin

Docker, Linux Containers (LXC), and securityJérôme Petazzoni

DockerCon SF 2015: DHE/DTRDocker, Inc.

Docker on the Raspberry Pi by Dieter Reuter (Hypriot)Docker, Inc.

DockerCon SF 2015: Ben Golub's Keynote Day 1Docker, Inc.

DockerCon 15 Keynote - Day 2Docker, Inc.

DockerCon SF 2015: Keynote Day 1Docker, Inc.

Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...Docker, Inc.

DockerCon SF 2015: AWS w/ Deepak SinghDocker, Inc.

Containerd: Building a Container Supervisor by Michael CrosbyDocker, Inc.

Thinking Inside the Container: A Continuous Delivery Story by Maxfield Stewart Docker, Inc.

Docker Security workshop slidesDocker, Inc.

Docker Hub: Past, Present and Future by Ken Cochrane & BC WongDocker, Inc.

Docker Registry V2Docker, Inc.

Is Docker Secure?Manideep Konakandla

Docker Chicago Meetup - July 2014Cohesive Networks

IoT Agents (With Lightweight M2M)dmoranj

Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Jérôme Petazzoni

IoT Agents (Introduction)dmoranj

What's New in Docker 1.12 (June 20, 2016) by Mike Goelzer & Andrea LuzzardiMike Goelzer

Similar to DockerCon SF 2015: Docker Security (20)

Docker security microservicesVishwas Manral

This document discusses least-privilege microservices using Docker containers. It explains that Docker provides isolation between containers and processes running within containers. This isolation allows each container to have only the exact resources and access it needs, following the principle of least privilege. The document outlines various Docker security features like capabilities, namespaces, and security profiles that can be used to implement fine-grained controls for containers. It argues that better tooling is still needed to more easily create automated security profiles tailored for each container.

DockerDay2015: Docker SecurityDocker-Hanoi

This document summarizes a presentation on Docker security and least-privilege microservices from DockerCon US 2015. It discusses the history and principles of least-privilege, how Docker supports fine-grained access controls for containers through features like namespaces, capabilities, and security profiles. It also covers making containers more secure by default and tools like Docker Bench for assessing container security. The conclusion is that Docker allows least-privilege microservices and better tools are still needed to define per-container security profiles.

Docker introductionJo Ee Liew

This document provides an introduction to Docker, including what Docker is, why it matters, and how it works. Some key points: - Docker implements lightweight containers that provide process isolation using features of the Linux kernel like cgroups and namespaces. It allows building and shipping applications without dependency and compatibility issues. - Docker solves the "N times N" compatibility problem that arises when applications need to run in different environments. Its portable containers and standardized operations help automate development and deployment workflows. - Containers isolate applications from one another and their dependencies without the overhead of virtual machines. This makes them lightweight and efficient while still providing isolation of applications and flexibility to run anywhere.

Docker-IntroSujai Sivasamy

The document provides an introduction to Docker, containers, and the problems they aim to solve. It discusses: - Why Docker was created - to address the "matrix from hell" of developing and deploying applications across different environments and platforms. - How Docker works at a high level, using lightweight containers that package code and dependencies to run consistently on any infrastructure. - Some key Docker concepts like images, containers, the Dockerfile for building images, and common Docker commands. - Benefits of Docker for developers and operations in simplifying deployment, reducing inconsistencies, and improving portability of applications.

OpenStack SummitDocker, Inc.

The document outlines the agenda for the OpenStack Summit in November 2013, including presentations on Docker and its ecosystem, how Docker can be used with OpenStack and Rackspace, and a demonstration of cross-cloud application deployment using Docker. Docker is presented as a solution to the "matrix from hell" of running applications across different environments by providing lightweight, portable containers that can run anywhere regardless of the operating system. The summit aims to educate attendees on Docker and showcase its integration with OpenStack for simplified and efficient application deployment and management across multiple clouds.

Docker SF Meetup January 2016Patrick Chanezon

The document discusses Docker's platform and ecosystem. It describes Docker's mission to build tools for mass innovation by providing a software layer to program the internet. It outlines key components of Docker including Docker Engine, Swarm for clustering multiple Docker hosts, Compose for defining and running multi-container applications, and Docker Hub for sharing images. It also discusses the Linux container ecosystem underpinning Docker and roadmaps for continued development.

Docker Securityantitree

Dockers zero to heroNicolas De Loof

Docker - Demo on PHP Application deployment Arun prasath

Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more. In this demo, I will show how to build a Apache image from a Dockerfile and deploy a PHP application which is present in an external folder using custom configuration files.

Navigating container technology for enhanced security by Niklas SaariMetosin Oy

Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer

5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys

Presented by Tim Mackey, Senior Technology Evangelist, Black Duck Software on August 17. To use containers safely, you need to be aware of potential security issues and the tools you need for securing container-based systems. Secure production use of containers requires an understanding of how attackers might seek to compromise the container, and what you should be aware of to minimize that potential risk. Tim Mackey, Senior Technical Evangelist at Black Duck Software, provides guidance for developing container security policies and procedures around threats such as: 1. Network security 2. Access control 3. Tamper management and trust 4. Denial of service and SLAs 5. Vulnerabilities Register today to learn about the biggest security challenges you face when deploying containers, and how you can effectively deal with those threats. Watch the webinar on BrightTalk: http://bit.ly/2bpdswg

Introduction to DockerRafael Konlechner

This document introduces software containers and Docker. It defines containers as portable and isolated runtime environments for applications, sharing the same kernel as other containers. Docker is a toolset for creating and managing containers, with key components including the Docker Engine, images, and Hub registry. The document explains how Docker uses read-only layers and writable container layers to build images and run containers.

Evolution of Linux Containerization WSO2

This document discusses the evolution of Linux container virtualization, including technologies like LXC, Docker, CoreOS, and Kubernetes. It provides an overview of key concepts in virtualization like namespaces, cgroups, AppArmor, SELinux, and seccomp. It also summarizes features of Linux container engines like LXC, and container platforms like Docker, CoreOS, and the Kubernetes container cluster management system.

Evoluation of Linux Container VirtualizationImesh Gunaratne

Container & kubernetesTed Jung

Container technologies use namespaces and cgroups to provide isolation between processes and limit resource usage. Docker builds on these technologies using a client-server model and additional features like images, containers, and volumes to package and run applications reliably and at scale. Kubernetes builds on Docker to provide a platform for automating deployment, scaling, and operations of containerized applications across clusters of hosts. It uses labels and pods to group related containers together and services to provide discovery and load balancing for pods.

Building Distributed Systems without Docker, Using Docker Plumbing Projects -...Patrick Chanezon

Docker provides an integrated and opinionated toolset to build, ship and run distributed applications. Over the past year, the Docker codebase has been refactored extensively to extract infrastructure plumbing components that can be used independently, following the UNIX philosophy of small tools doing one thing well: runC, containerd, swarmkit, hyperkit, vpnkit, datakit and the newly introduced InfraKit. This talk will give an overview of these tools and how you can use them to build your own distributed systems without Docker. Patrick Chanezon & David Chung, Docker & Phil Estes, IBM

Revolutionizing the cloud with container virtualizationWSO2

This document discusses container virtualization and key related technologies. It begins with an overview of virtualization and the hypervisor model. It then covers Linux containers and the kernel features they use like namespaces, cgroups, AppArmor, and SELinux. Popular container tools like LXC, Docker, CoreOS, and Kubernetes are introduced. The document argues that containers make it possible to run multiple isolated environments on one host more efficiently than virtual machines, improving cloud deployment.

Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageMayaData Inc

Webinar Session - https://youtu.be/_5MfGMf8PG4 In this webinar, we share how the Container Attached Storage pattern makes performance tuning more tractable, by giving each workload its own storage system, thereby decreasing the variables needed to understand and tune performance. We then introduce MayaStor, a breakthrough in the use of containers and Kubernetes as a data plane. MayaStor is the first containerized data engine available that delivers near the theoretical maximum performance of underlying systems. MayaStor performance scales with the underlying hardware and has been shown, for example, to deliver in excess of 10 million IOPS in a particular environment.

Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...Odinot Stanislas

Docker security microservicesVishwas Manral

DockerDay2015: Docker SecurityDocker-Hanoi

Docker introductionJo Ee Liew

Docker-IntroSujai Sivasamy

OpenStack SummitDocker, Inc.

Docker SF Meetup January 2016Patrick Chanezon

Docker Securityantitree

Dockers zero to heroNicolas De Loof

Docker - Demo on PHP Application deployment Arun prasath

Navigating container technology for enhanced security by Niklas SaariMetosin Oy

Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer

5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys

Introduction to DockerRafael Konlechner

Evolution of Linux Containerization WSO2

Evoluation of Linux Container VirtualizationImesh Gunaratne

Container & kubernetesTed Jung

Building Distributed Systems without Docker, Using Docker Plumbing Projects -...Patrick Chanezon

Revolutionizing the cloud with container virtualizationWSO2

Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageMayaData Inc

Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...Odinot Stanislas

More from Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.

Raymond Arifianto, AccelByte and Mark Mandel, Google - We have been deploying containerized micro-services for our Game Backend Services for a while. Now we are tackling the challenge to scale up fleets of game dedicated servers in multiple regions, multiple data centers and multiple providers - some in bare metal, some in Cloud. So we leverage docker containerization to deploy Game Servers to achieve Portability, Fast Deployment and Predictability, enabling us to scale up to thousands of servers, on demand, without a sweat.

How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.

Nicholas Dille, Haufe-Lexware + Docker Captain - Docker continues to be the standard tool for building container images. For more than a year Docker ships with BuildKit as an alternative image builder, providing advanced features for secret and cache management. These features help to make image builds faster and more secure. In this session, Docker Captain Nicholas Dille will teach you how to use Buildkit features to your advantage.

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

Lukonde Mwila, Entelect - As the cloud-native approach to development and deployment becomes more prevalent, it's an exciting time for software engineers to be equipped on how to dockerize multi-container applications and deploy them to the cloud. In this talk, Lukonde Mwila, Software Engineer at Entelect, will cover the following topics: - Docker Compose - Containerizing an Nginx Server - Containerizing an React App - Containerizing an Node.JS App - Containerizing anMongoDB App - Runing Multi-Container App Locally - Creating a CI/CD Pipeline - Adding a build stage to test containers and push images to Docker Hub - Deploying Multi-Container App to AWS Elastic Beanstalk Lukonde will start by giving an overview of how Docker Compose works and how it makes it very easy and straightforward to startup multiple Docker containers at the same time and automatically connect them together with some form of networking. After that, Lukonde will take a hands on approach to containerize an Nginx server, a React app, a NodeJS app and a MongoDB instance to demonstrate the power of Docker Compose. He'll demonstrate usage of two Docker files for an application, one production grade and the other for local development and running of tests. Lastly, he'll demonstrate creating a CI/CD pipeline in AWS to build and test our Docker images before pushing them to Docker Hub or AWS ECR, and finally deploying our multi-container application AWS Elastic Beanstalk.

Securing Your Containerized Applications with NGINXDocker, Inc.

How To Build and Run Node Apps with Docker and ComposeDocker, Inc.

Kathleen Juell, Digital Ocean - Containers are an essential part of today's microservice ecosystem, as they allow developers and operators to maintain standards of reliability and reproducibility in fast-paced deployment scenarios. And while there are best practices that extend across stacks in containerized environments, there are also things that make each stack distinct, starting with the application image itself. This talk will dive into some of these particularities, both at the image and service level, while also covering general best practices for building and running Node applications with database backends using Docker and Compose.

Hands-on Helm Docker, Inc.

Distributed Deep Learning with Docker at SalesforceDocker, Inc.

Jeff Hajewski, Salesforce - There is a wealth of information on building deep learning models with PyTorch or TensorFlow. Anyone interested in building a deep learning model is only a quick search away from a number of clear and well written tutorials that will take them from zero knowledge to having a working image classifier. But what happens when you need to deploy these models in a production setting? At Salesforce, we use TensorFlow models to help us provide customers with insights into their data, and we do this as close to real-time as possible. Designing these systems in a scalable manner requires overcoming a number of design challenges, but the core component is Docker. Docker enables us to design highly scalable systems by allowing us to focus on service interactions, rather than how our services will interact with the hardware. Docker is also at the core of our test infrastructure, allowing developers and data scientists to build and test the system in an end to end manner on their local machines. While some of this may sound complex, the core message is simplicity - Docker allows us to focus on the aspects of the system that matter, greatly simplifying our lives.

The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.

James Fuller, webcomposite s.r.o. - Curl is the venerable (yet very modern) 'swiss army knife' command line tool and library for transferring data with URLs. Recently we (the Curl team) decided to build a release for Docker Hub. This talk will outline our current development workflow with respect to the docker image and provide insights on what it takes to build a docker image for mass public consumption. We are also keen to learn from users and other developers how we might improve and enhance the official curl docker image.

Monitoring in a Microservices WorldDocker, Inc.

Fabian Stäber, Instana - In recent years, we saw a great paradigm shift in software engineering away from static monolithic applications towards dynamic distributed horizontally scalable architectures. Docker is one of the key technologies enabling this development. This shift poses a lot of new challenges for application monitoring, ranging from practical issues (need for automation) to technical challenges (Docker networking) to organizational topics (blurring line between software engineers and operations) to fundamental questions (define what is an application). In this talk we show how Docker changed the way we do monitoring, how modern application monitoring systems work, and what future developments we expect.

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.

Clemente Biondo, Engineering Ingegneria Informatica - When the COVID 19 pandemic started, Engineering Ingegneria Informatica Group (1.25 billion euros of revenues, 65 offices around the world, 12.000 employees) was forced to put their digital transformation to the test in order to maintain operational continuity. In this session, Clemente Biondo, the Tech Lead of the Information Systems Department, will share how his company is reacting to this unforeseeable scenario and how Docker-driven digital transformation had paved the path for work to continue remotely. Clemente will discuss learnings moving from colocated teams, manual approaches, email based-business processes, and a monolithic application to a mature DevOps culture characterized by a distributed autonomous workforce and a continuous deployment process that deploys backward-compatible Docker containerized microservices into hybrid multi cloud datacenters an average of twice a day with zero-downtime. He will detail how they use Docker to unify dev, test and production environments, and as an efficient and automated mechanism for deploying applications. Lastly, Clemente shares how, in our darkest hour, he and others are working to shine their brightest light.

Predicting Space Weather with DockerDocker, Inc.

The document discusses how NOAA's Space Weather Prediction Center transitioned from a monolithic architecture to microservices using Docker. It describes how they started with a small verification project, then replaced their critical GOES satellite data source. This improved developers' morale and delivery speed. They encountered some security issues initially but learned from them. The transition was very successful and allowed them to quickly expand their mission to forecast aviation impacts using scientists' models packaged as Docker services.

Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.

Brian Christner, 56k + Docker Captain - In this session, we will unlock the full potential of using Microsoft Visual Studio Code (VS Code) and Docker Desktop to turn you into a Docker Power User. When we expand and utilize the VS Code Docker plugin, we can take our projects and Docker skills to the next level. In addition to using VS Code, we streamline our Docker Desktop development workflow with less context switching and built-in shortcuts. You will learn how to bootstrap new projects, quickly write Dockerfiles utilizing templates, build, run, and interact with containers all from VS Code.

How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.

Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.

Ashish Sharma, SS&C Eze - SS&C Eze provides various products in the stock market domain. We spent the last couple of years building Eclipse which is an investment suite born in cloud. The journey so far has been very interesting. The very first version of the product were a bunch of monolithic windows services and deployed using Octopus tool. We successfully managed to bring all the monolithic problem to the cloud and created a nightmare for ourselves. We then started applying microservices architecture principles and started breaking the monolithic into small services. Very soon we realized that we need a better packaging/deployment tool. Docker looked like a magical solution to our problem. Since its adoption, It has not only solved the deployment problem for us but has made a deep impact on different aspects of SDLC. It allowed us to use heterogeneous technology stacks, simplified development environment setup, simplified our testing strategy, improved our speed of delivery, and made our developers more productive. In this talk I would like to share our experience of using Docker and its positive impact on our SDLC.

Kubernetes at Datadog ScaleDocker, Inc.

Kubernetes networking can be complex to scale due to issues like growing iptables rules, but newer solutions are helping. Pod networking uses CNI plugins like flannel or Calico to assign each pod an IP and allow communication. Service networking uses kube-proxy and iptables or IPVS for load balancing to pods. DNS is used to resolve service names to IPs. While Kubernetes networking brings flexibility, operators must learn the nuances of their specific CNI plugin and issues can arise, but the ecosystem adapts quickly to new needs and changes don't impact all workloads.

Labels, Labels, Labels Docker, Inc.

Andy Clemenko, StackRox - One underutilized, and amazing, thing about the docker image scheme is labels. Labels are a built in way to document all aspects about the image itself. Think about all the information that the tags inside your clothing carry. If you care to look you can find out everything about the garment. All that information can be very valuable. Now think about how we can leverage labels to carry similar information. We can even use the labels to contain Docker Compose or even Kubernetes Yaml. We can even include labels into the CI/CD process making things more secure and smoother. Come find out some fun techniques on how to leverage labels to do some fun and amazing things.

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.

Micro Focus uses Docker Hub at scale to support its software delivery and deployment model. Some key points: - Docker Hub is used as the registry service for Micro Focus container images - It allows for optimized, secure, reliable and cost-effective software delivery through deployments and updates of container images to customers and partners - Micro Focus leverages features like private repositories, offline/online access, signing and scanning of images, and integration with CI/CD pipelines - Over 1,650 organizations, 450 repositories, and 18 teams are used on Docker Hub to manage access and deliver software from Micro Focus

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

Lukonde Mwila, Entelect As the cloud-native approach to development and deployment becomes more prevalent, it's an exciting time for software engineers to be equipped on how to dockerize multi-container applications and deploy them to the cloud. In this talk, Lukonde Mwila, Software Engineer at Entelect, will cover the following topics: - Docker Compose - Containerizing an Nginx Server - Containerizing an React App - Containerizing an Node.JS App - Containerizing anMongoDB App - Runing Multi-Container App Locally - Creating a CI/CD Pipeline - Adding a build stage to test containers and push images to Docker Hub - Deploying Multi-Container App to AWS Elastic Beanstalk Lukonde will start by giving an overview of how Docker Compose works and how it makes it very easy and straightforward to startup multiple Docker containers at the same time and automatically connect them together with some form of networking. After that, Lukonde will take a hands on approach to containerize an Nginx server, a React app, a NodeJS app and a MongoDB instance to demonstrate the power of Docker Compose. He'll demonstrate usage of two Docker files for an application, one production grade and the other for local development and running of tests. Lastly, he'll demonstrate creating a CI/CD pipeline in AWS to build and test our Docker images before pushing them to Docker Hub or AWS ECR, and finally deploying our multi-container application AWS Elastic Beanstalk.

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.

Elton Stoneman, Docker Captain + Container Consultant and Trainer How do you provide a SaaS offering when your product is a 10-year old Fortran app, currently built to run on Windows 10? With Docker and Kubernetes of course - and you can do it in a week (... to prototype level at least). In this session I'll walk through the processes and practicalities of taking an older Windows app, making it run in containers with Kubernetes, and then building a simple API wrapper to host the whole stack as a cloud-based SaaS product. There's a lot of technology here from a real world case study, and I'll focus on: - running Windows apps in Docker containers - building a .NET Core API which can run in Linux or Windows containers - running the stack in Kubernetes with Docker Desktop locally and AKS in the cloud - configuring AKS workloads in Azure to burst out to Azure Container Instances And there's a core theme to this session: Docker and Kubernetes are complex technologies, but they're the key to modern development. If you invest time learning them, they make projects like this simple, portable, fast and fun.

Developing with Docker for the Arm ArchitectureDocker, Inc.

This virtual meetup introduces the concepts and best practices of using Docker containers for software development for the Arm architecture across a variety of hardware systems. Using Docker Desktop on Windows or Mac, Amazon Web Services (AWS) A1 instances, and embedded Linux, we will demonstrate the latest Docker features to build, share, and run multi-architecture images with transparent support for Arm.

Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.

How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

Securing Your Containerized Applications with NGINXDocker, Inc.

How To Build and Run Node Apps with Docker and ComposeDocker, Inc.

Hands-on Helm Docker, Inc.

Distributed Deep Learning with Docker at SalesforceDocker, Inc.

The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.

Monitoring in a Microservices WorldDocker, Inc.

COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.

Predicting Space Weather with DockerDocker, Inc.

Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.

How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.

Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.

Kubernetes at Datadog ScaleDocker, Inc.

Labels, Labels, Labels Docker, Inc.

Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.

Build & Deploy Multi-Container Applications to AWSDocker, Inc.

From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.

Developing with Docker for the Arm ArchitectureDocker, Inc.

Recently uploaded (20)

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

How analogue intelligence complements AIPaul Rowe

Artificial Intelligence is providing benefits in many areas of work within the heritage sector, from image analysis, to ideas generation, and new research tools. However, it is more critical than ever for people, with analogue intelligence, to ensure the integrity and ethical use of AI. Including real people can improve the use of AI by identifying potential biases, cross-checking results, refining workflows, and providing contextual relevance to AI-driven results. News about the impact of AI often paints a rosy picture. In practice, there are many potential pitfalls. This presentation discusses these issues and looks at the role of analogue intelligence and analogue interfaces in providing the best results to our audiences. How do we deal with factually incorrect results? How do we get content generated that better reflects the diversity of our communities? What roles are there for physical, in-person experiences in the digital world?

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Most consumers believe they’re making informed decisions about their personal data—adjusting privacy settings, blocking trackers, and opting out where they can. However, our new research reveals that while awareness is high, taking meaningful action is still lacking. On the corporate side, many organizations report strong policies for managing third-party data and consumer consent yet fall short when it comes to consistency, accountability and transparency. This session will explore the research findings from TrustArc’s Privacy Pulse Survey, examining consumer attitudes toward personal data collection and practical suggestions for corporate practices around purchasing third-party data. Attendees will learn: - Consumer awareness around data brokers and what consumers are doing to limit data collection - How businesses assess third-party vendors and their consent management operations - Where business preparedness needs improvement - What these trends mean for the future of privacy governance and public trust This discussion is essential for privacy, risk, and compliance professionals who want to ground their strategies in current data and prepare for what’s next in the privacy landscape.

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

Artificial intelligence is changing how businesses operate. Companies are using AI agents to automate tasks, reduce time spent on repetitive work, and focus more on high-value activities. Noah Loul, an AI strategist and entrepreneur, has helped dozens of companies streamline their operations using smart automation. He believes AI agents aren't just tools—they're workers that take on repeatable tasks so your human team can focus on what matters. If you want to reduce time waste and increase output, AI agents are the next move.

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Impelsys Inc.

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

Want to learn practical tips for designing systems that can scale efficiently without compromising speed? Join us for a workshop where we’ll address these challenges head-on and explore how to architect low-latency systems using Rust. During this free interactive workshop oriented for developers, engineers, and architects, we’ll cover how Rust’s unique language features and the Tokio async runtime enable high-performance application development. As you explore key principles of designing low-latency systems with Rust, you will learn how to: - Create and compile a real-world app with Rust - Connect the application to ScyllaDB (NoSQL data store) - Negotiate tradeoffs related to data modeling and querying - Manage and monitor the database for consistently low latencies

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

The MCP (Model Context Protocol) is a framework designed to manage context and interaction within complex systems. This SlideShare presentation will provide a detailed overview of the MCP Model, its applications, and how it plays a crucial role in improving communication and decision-making in distributed systems. We will explore the key concepts behind the protocol, including the importance of context, data management, and how this model enhances system adaptability and responsiveness. Ideal for software developers, system architects, and IT professionals, this presentation will offer valuable insights into how the MCP Model can streamline workflows, improve efficiency, and create more intuitive systems for a wide range of use cases.

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Mobile App Development Company in Saudi ArabiaSteve Jonas

EmizenTech is a globally recognized software development company, proudly serving businesses since 2013. With over 11+ years of industry experience and a team of 200+ skilled professionals, we have successfully delivered 1200+ projects across various sectors. As a leading Mobile App Development Company In Saudi Arabia we offer end-to-end solutions for iOS, Android, and cross-platform applications. Our apps are known for their user-friendly interfaces, scalability, high performance, and strong security features. We tailor each mobile application to meet the unique needs of different industries, ensuring a seamless user experience. EmizenTech is committed to turning your vision into a powerful digital product that drives growth, innovation, and long-term success in the competitive mobile landscape of Saudi Arabia.

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Building 10x Organizations with Modern Productivity Metrics 10x developers may be a myth, but 10x organizations are very real, as proven by the influential study performed in the 1980s, ‘The Coding War Games.’ Right now, here in early 2025, we seem to be experiencing YAPP (Yet Another Productivity Philosophy), and that philosophy is converging on developer experience. It seems that with every new method we invent for the delivery of products, whether physical or virtual, we reinvent productivity philosophies to go alongside them. But which of these approaches actually work? DORA? SPACE? DevEx? What should we invest in and create urgency behind today, so that we don’t find ourselves having the same discussion again in a decade?

Splunk Security Update | Public Sector Summit Germany 2025Splunk

Linux Support for SMARC: How Toradex Empowers Embedded DevelopersToradex

Toradex brings robust Linux support to SMARC (Smart Mobility Architecture), ensuring high performance and long-term reliability for embedded applications. Here’s how: • Optimized Torizon OS & Yocto Support – Toradex provides Torizon OS, a Debian-based easy-to-use platform, and Yocto BSPs for customized Linux images on SMARC modules. • Seamless Integration with i.MX 8M Plus and i.MX 95 – Toradex SMARC solutions leverage NXP’s i.MX 8 M Plus and i.MX 95 SoCs, delivering power efficiency and AI-ready performance. • Secure and Reliable – With Secure Boot, over-the-air (OTA) updates, and LTS kernel support, Toradex ensures industrial-grade security and longevity. • Containerized Workflows for AI & IoT – Support for Docker, ROS, and real-time Linux enables scalable AI, ML, and IoT applications. • Strong Ecosystem & Developer Support – Toradex offers comprehensive documentation, developer tools, and dedicated support, accelerating time-to-market. With Toradex’s Linux support for SMARC, developers get a scalable, secure, and high-performance solution for industrial, medical, and AI-driven applications. Do you have a specific project or application in mind where you're considering SMARC? We can help with Free Compatibility Check and help you with quick time-to-market For more information: https://www.toradex.com/computer-on-modules/smarc-arm-family

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

This session is designed to equip developers with the skills needed to build mission-critical, end-to-end processes that seamlessly orchestrate agents, people, and robots. 📕 Here's what you can expect: - Modeling: Build end-to-end processes using BPMN. - Implementing: Integrate agentic tasks, RPA, APIs, and advanced decisioning into processes. - Operating: Control process instances with rewind, replay, pause, and stop functions. - Monitoring: Use dashboards and embedded analytics for real-time insights into process instances. This webinar is a must-attend for developers looking to enhance their agentic automation skills and orchestrate robust, mission-critical processes. 👨‍🏫 Speaker: Andrei Vintila, Principal Product Manager @UiPath This session streamed live on April 29, 2025, 16:00 CET. Check out all our upcoming Dev Dives sessions at https://community.uipath.com/dev-dives-automation-developer-2025/.

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell

IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv

How analogue intelligence complements AIPaul Rowe

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul

2025-05-Q4-2024-Investor-Presentation.pptxSamuele Fogagnolo

Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Impelsys Inc.

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveScyllaDB

What is Model Context Protocol(MCP) - The new technology for communication bw...Vishnu Singh Chundawat

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

Mobile App Development Company in Saudi ArabiaSteve Jonas

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock

Splunk Security Update | Public Sector Summit Germany 2025Splunk

Linux Support for SMARC: How Toradex Empowers Embedded DevelopersToradex

Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity

Heap, Types of Heap, Insertion and DeletionJaydeep Kale

Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma

DockerCon SF 2015: Docker Security

1. Least-privilege Microservices Diogo Mónica Nathan McCauley

2. Agenda • Why least-privilege • History of least-privilege • Least-privilege with Docker • Ongoing and future work • Conclusions

3. “Every process must be able to access only the information and resources that are necessary for its legitimate purpose”

4. Front-end Server Database Auth Service

5. 1990 Internet All-in-one

6. 2000 Internet DatabasesServicesFront-end

7. 2010 Internet

9. Server Host OS Docker Engine AppA AppB AppC AppD AppE AppF libraries Container One Process

10. Today Internet

11. ‣A FE server has a very different security proﬁle than a database or a worker host ‣Imagine that each container only has access exactly to the resources and APIs it needs. No more, no less. Front-end Server Back-end Server ‣Access to a lot of downstream services ‣Most exposed ‣I/O intensive ‣Limited network access Worker Host ‣CPU Intensive ‣Wide range of workloads Profiles

12. ‣A container is a process. Let’s ﬁnd out what syscalls it needs. Process Monitoring

13. ‣Namespaces provide an isolated view of the system (Network, PID, etc) ‣Cgroups limit and isolate the resource usage of a collection of processes ‣Linux Security Modules give us a MAC (AppArmor, SELinux) Fine-grained controls

14. Fine-grained controls ‣Capabilities divides the privileges of root into distinct units (bind, chown, etc) ‣Per-container ulimit (since 1.6) ‣User-namespaces: root inside is not root outside (remapped root for 1.8) ‣Seccomp: Individual syscall ﬁltering (working on my laptop)

15. Safer by default ‣Less than half the Linux capabilities by default ‣Copy-on-write ensures immutability ‣No device access by default ‣Default AppArmor and SELinux proﬁles for an increasing number of containers

16. Safer by default ‣Smaller footprint ‣Remove all unneeded packages ‣Remove all unneeded users ‣Remove all suid binaries … Debia n

17. Security Profiles Debia n ‣Producers of containers should be responsible for creating adequate profiles ‣Profile gets shipped with the container ‣Aggregates all of the different isolation mechanisms into one single profile

18. Securing the Ecosystem Debia n User-namespaces Seccomp Provenance Selinux Kerberos

19. Intro to Container Security Debia n http://bit.ly/1M4O9XE

20. Docker Bench Debia n https://dockerbench.com/ ‣Fully automated ‣Shipped as a container that tests containers

21. Conclusion ‣Docker is on the path to support least-privilege microservices, since it allows fine-grained control over what access each container should have. ‣We will need easier tooling to define per-container security profiles ‣You can help! #docker-security on Freenode

22. Thank you [email protected] [email protected]

DockerCon SF 2015: Docker Security

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to DockerCon SF 2015: Docker Security (20)

More from Docker, Inc. (20)

Recently uploaded (20)

DockerCon SF 2015: Docker Security