With the adoption of container orchestration engines like Docker Swarm, Kubernetes and Mesos, it's important to adapt security technologies that scale with growing deployments. If we can isolate workloads with overlays, that's pretty good. If we can seal a container on a host, that's great!
Using open source tools like Kuryr and MidoNet, we can achieve network security for containers in a simplified, distributed architecture. By removing architectural bottlenecks, Kuryr and MidoNet efficiently implement security policies through the hardened OpenStack Neutron framework for use by containers in large scale environments.
Cynthia Thomas (@_techcet_) is a Networking Specialist at Google Cloud. Her background includes working with open source cloud & networking solutions. She is a frequent speaker at conferences, including ContainerCon, Container Camp, DevOps Days, DockerCon, IT Cloud Computing Conference...
Tuesday August 23, 2016 11:55am - 12:45pm EDT
Pier 2
Containers are mostly understood via Docker which, up until version 1.9, did not use user namespaces at all. This leads to all sorts of wild assertions about "security problems" with containers. This talk will remedy that by explaining what namespaces are, how they are used and how to set up unprivileged containers with the user namespace. Since namespaces are little understood, we'll begin with the history of namespaces, how they work, the difference between label and mapping namespaces and finally how all namespaces interact with user namespaces and how user namespaces can be used both to deprivilege root and to give an ordinary user a container they can enter with an unprivileged root. We'll use build containers as a demonstration of the latter.
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to...
Wednesday August 24, 2016 10:55am - 11:45am EDT
Harbour B
Isolation in Docker is mainly accomplished via cgroups and namespaces. User namespaces are the newest namespace to be supported by the Docker engine, and allow users to run containers without elevated privileges, which has been a longstanding shortcoming and frequent target of both user frustration and feature requests. In addition, Seccomp support adds a new method of containment for running containers by providing both whitelist- and blacklist-based controls over which system calls are permitted and/or forbidden for containerized processes.
In this session, we’ll look at these new features, examine basics of configuration, and do some live demos to see them in action.
Paul has been working in the ops side of open source for over 20 years, providing technical support, training, and general consulting in both the largest and smallest data centers.
Wednesday August 24, 2016 2:15pm - 3:05pm EDT
Harbour B
In the last year, Docker has released several features to “help” secure containers. For anybody who has ever looked at SELinux, AppArmor, or Seccomp, they realize a lot more help is still needed.
As we look at the “hows” and “whys” of creating a security configuration, we’ll spend lots of time in the terminal, looking at tools that ease the workload, as well as tools that assist in troubleshooting. For many this is the pain point – figuring out why their security config isn’t working (or more precisely – isn’t working as expected).
John will be using examples relevant to real world workloads. If time permits, he’ll take audience suggestions for public images to look at, and will work through creating secure profiles with the tools discussed.
John Kinsella is the Chief Architect of Accurics, a provider of security and compliance tools for enterprises using cloud computing. His 20-year background focuses around application and network security, from initial design through business-critical production operations. He has...
Wednesday August 24, 2016 3:35pm - 4:25pm EDT
Harbour B
NorthSec is one of the biggest on-location security contests (Capture The Flag) in the world. It's also one of the biggest deployments of LXC, albeit only for a weekend.
It is unique not only because of its size but because of the way it works. Every team gets its own simulation of the real world, including its own fake internet and various fake companies and organizations connected to it. Each edition comes with its own original scenario which drives the event and gets the team going from one challenge to the next, earning points in the process.
Everything is simulated using containers, several hundred of them PER TEAM. Those run internet routers or simulate corporate servers. Some are deliberately vulnerable to attacks; some can't ever fail.
In this talk, we'll look at the NorthSec 2016 infrastructure, what it looked like, how it was made and what we learned from it.
Stéphane Graber works as the technical lead for LXD at Canonical Ltd. He is the upstream project leader for LXC and LXD and a frequent speaker and track leader at the various containers and other Linux related events. Stéphane is also a long time contributor to the Ubuntu Linux distribution...
Wednesday August 24, 2016 4:35pm - 5:25pm EDT
Harbour B