improving trust in containers
play

Improving Trust in Containers Matthew Garrett @mjg59 | - PowerPoint PPT Presentation

Sep 07, 2022 •121 likes •508 views

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

  1. Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

  2. Containers are great

  3. Containers are resource efficient

  4. Containers make deployment easy

  5. Containers can be monitored easily

  6. Containers are secure

  7. But are they secure enough?

  8. Shared kernel = shared attack surface

  9. The kernel is imperfect

  10. The kernel will always be imperfect

  11. What can we do about that?

  12. What does a container vulnerability look like?

  13. Namespace escape

  14. LSM isolation (sVirt)

  15. Arbitrary modification of kernel

  16. Reduce attack surface

  17. Seccomp

  18. Root is too many things

  19. Capabilities

  20. User namespaces

  21. Harden the kernel itself

  22. Run virtualised containers

  23. We can build a world where containers are secure enough

  24. Can we go further?

  25. TPMs

  26. Measured boot

  27. Integrity Measurement Architecture

  28. All very difficult to manage

  29. Traditional deployment patterns result in combinatorial explosions

  30. Containers make this more manageable

  31. Simple base OS

  32. Containers are independently measurable objects

  33. Measure containers into the TPM log

  34. Cryptographically verifiable audit chain

  35. How about the future

  36. Hybrid models

  37. Introspection

  38. https://github.com/coreos/clair https://github.com/coreos/rkt https://clearlinux.org/features/clear-containers

Recommend

Pennine Acute Hospitals NHS Trust: Improvement Journey 1 Pennine Improvement Plan Improving

Pennine Acute Hospitals NHS Trust: Improvement Journey 1 Pennine Improvement Plan Improving

Pennine Acute Hospitals NHS Trust: Improvement Journey 1 Pennine Improvement Plan Improving Improving Improving Improving Improving Improving Fragile Quality Risk and Operations & Workforce Leadership & Services Governance

415 views • 29 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
Improving Trust in Software through Diverse Double Compilation and Reproducible Builds Yrjan

Improving Trust in Software through Diverse Double Compilation and Reproducible Builds Yrjan

Improving Trust in Software through Diverse Double Compilation and Reproducible Builds Yrjan Skrimstad 10th September 2018 University of Oslo Introduction Trust is the belief that someone or something is good, honest, safe or reliable.

673 views • 32 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
Improving the Trust in Results of Numerical Simulations and Scientific Data Analytics Franck

Improving the Trust in Results of Numerical Simulations and Scientific Data Analytics Franck

Improving the Trust in Results of Numerical Simulations and Scientific Data Analytics Franck Cappello Argonne/MCS Improving the Trust in Results of Numerical Simulations and Scientific Data Analytics Cappello, F, Constantinescu, EM, Hovland,

516 views • 50 slides
KANSAS CHILDRENS CABINET & TRUST FUND Friday, February 15, 2019 IMPROVING THE HEALTH AND

KANSAS CHILDRENS CABINET & TRUST FUND Friday, February 15, 2019 IMPROVING THE HEALTH AND

KANSAS CHILDRENS CABINET & TRUST FUND Friday, February 15, 2019 IMPROVING THE HEALTH AND WELL-BEING OF AT-RISK KANSAS CHILDREN AND FAMILIES APPROVAL OF 10/26/18 MEETING MINUTES KANSAS CHILDREN' S CABINET AND TRUST FUND INTRODUCTORY

597 views • 40 slides
The proposed containers are "Flat-pack" type. Disassembled and reduced as

The proposed containers are "Flat-pack" type. Disassembled and reduced as

CON-IMEX CONTAINERS 2009 AKAR Logistics 70 Beecham Court Owings Mills, MD 21117 USA Sophia Akar Tel: + 410-961-7232 / + 410-961-0327 Fax: + 410-356-8267 sophia@akarlogistics.com 1 / 20 GENERAL The proposed containers are

313 views • 20 slides
Improving L-BFGS Initialization for Trust-Region Methods in Deep Learning Jacob Rafati

Improving L-BFGS Initialization for Trust-Region Methods in Deep Learning Jacob Rafati

Improving L-BFGS Initialization for Trust-Region Methods in Deep Learning Jacob Rafati http://rafati.net jrafatiheravi@ucmerced.edu Ph.D. Candidate, Electrical Engineering and Computer Science University of California, Merced Agenda

699 views • 52 slides
Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk Introductions David Porter Fairport Containers Director Steve Collinson Managing Director Fairport Containers Ltd Tam Unsworth Recycling Banks

552 views • 28 slides
Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt

Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt

Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt Innsbruck Innsbruck Nov 2018 Overview Preliminaries Why containers Understanding Containers vs. Virtual Machines Comparison of

482 views • 37 slides
Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende Globo.com About me Software Engineer at Globo.com/Tsuru @guilhermebr (GitHub) in/guilhermebr (LinkedIn) @gbrezende (Twitter) Agenda Cloud Native

636 views • 45 slides
100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar -

100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar -

100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar - Facts & Figures Infrastructure Ecosystem - 100% containers powered carpooling Todays agenda Stateful Services into containers - MariaDB as

463 views • 45 slides
LEAN Library IMPROVING ACCESS TO EVIDENCE ACROSS MERSEY CARE small team Big Trust 4 7,000

LEAN Library IMPROVING ACCESS TO EVIDENCE ACROSS MERSEY CARE small team Big Trust 4 7,000

LEAN Library IMPROVING ACCESS TO EVIDENCE ACROSS MERSEY CARE small team Big Trust 4 7,000 100+ Local staff sites Authorities 41 million+ full-text articles Introducing... LEAN Library Access 41 Natural browsing: directed to

444 views • 6 slides
Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman, Technology Evangelist Docker @mikegcoleman Who Am I? Technology evangelist at Docker Former: Puppet, VMware, MSFT, Intel, and HP First

390 views • 25 slides
Improving Energy Efficiency BSRIAs Operation & Maintenance Benchmarking Network Paul

Improving Energy Efficiency BSRIAs Operation & Maintenance Benchmarking Network Paul

Improving Energy Efficiency BSRIAs Operation & Maintenance Benchmarking Network Paul Huggins AD, Carbon Trust Programmes December 2013 The Carbon Trust The Carbon We are a not for profit group with the mission to accelerate the move to a

632 views • 35 slides
Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane Graber Christian Brauner LXD project leader LXD maintainer @stgraber @brau_ner https://stgraber.org https://brauner.io

394 views • 12 slides
Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and Cloud Native Computing! Google running 2B+ containers per week! Internet scale companies are running containers too: Facebook, Twitter,

1.8k views • 49 slides
FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust

FT Consultation An NHS Foundation Trust The Trust is applying to become an NHS Foundation Trust Your Local Mental Health NHS Trust Implementation of Involvement Agenda National accreditation for Memory Service Team (Bloxwich Hospital)

763 views • 14 slides

More recommend