SkillsCast

Can I haz non-privileged containers?

5th September 2017 in London at CodeNode

There are 2 other SkillsCasts available from Cloud Native London September

In this talk, we will look at the problems associated with running Docker containers with privileged status and some ways to harden your Docker-based security. Check it out!

To understand the problem, we will take a quick look at how user and group isolation works in Unix and how this translates into a container. We will also look at how user namespaces work in Docker and how simple it is to build a non-root Docker container. In addition to all of this, we will look at some simple tools which can automatically detect these problems and notify you if they occur.

Takeaways:

  • How users and groups work in Unix

  • Security problems with running container processes as root

  • Understanding of container namespaces and user mappings

  • How to build a non-root container

  • Edge cases where root containers may be required
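The talk mentions simple tooling that can automatically detect containers that run as root. As an added example (not code from the talk or its speakers), the POSIX shell script below lints Dockerfile text for that problem: it finds the effective user of the final build stage and reports "root" when no USER instruction is present, or when the last one selects root or UID 0. It also handles the multi-stage edge case where a USER set in a build stage is silently dropped by the next FROM. The three sample Dockerfiles are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the talk: a lint that flags Dockerfiles whose
# final process would run as root. The sample Dockerfiles below are constructed.

# Read a Dockerfile on stdin and print the effective user of the final stage.
# Each FROM starts a new stage, so a USER set in an earlier (build) stage does
# not carry over; only the last USER instruction of the last stage counts.
effective_user() {
    awk '
        toupper($1) == "FROM" { user = "" }   # a new stage resets the user
        toupper($1) == "USER" { user = $2 }   # the last USER in a stage wins
        END { print user }
    '
}

# Classify Dockerfile text (passed as one argument) as "root" or "nonroot".
# Empty (no USER), root, 0, and root:<group> / 0:<group> all mean root.
classify_dockerfile() {
    user=$(printf '%s\n' "$1" | effective_user)
    case "$user" in
        ""|root|0|root:*|0:*) echo root ;;
        *) echo nonroot ;;
    esac
}

# Constructed sample 1: no USER instruction at all -> process runs as root.
NO_USER='FROM alpine:3.18
RUN apk add --no-cache curl
CMD ["curl", "--version"]'

# Constructed sample 2: a dedicated unprivileged user is created and selected
# in the final stage -> non-root.
HARDENED='FROM golang:1.21 AS build
WORKDIR /src
COPY . .
RUN go build -o /app .

FROM alpine:3.18
RUN addgroup -S app && adduser -S -G app app
COPY --from=build /app /app
USER app
CMD ["/app"]'

# Constructed sample 3: USER appears only in the build stage; the final stage
# starts fresh from FROM and therefore runs as root again.
STAGE_TRAP='FROM alpine:3.18 AS build
USER nobody
RUN echo "building"

FROM alpine:3.18
CMD ["sh"]'

printf 'NO_USER    -> %s\n' "$(classify_dockerfile "$NO_USER")"
printf 'HARDENED   -> %s\n' "$(classify_dockerfile "$HARDENED")"
printf 'STAGE_TRAP -> %s\n' "$(classify_dockerfile "$STAGE_TRAP")"
```

This checks build-time intent only. The user baked into an already built image can be read with `docker inspect --format '{{.Config.User}}' <image>` (an empty value means root), and a runtime `--user` flag or an orchestrator security context can still override what the Dockerfile declares, so the same check belongs in the deployment pipeline as well as in Dockerfile review.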

About the Speakers

Michael Hausenblas

Michael is a Developer Advocate for Go, Kubernetes, and OpenShift at Red Hat, where he helps appops build and operate distributed services. His background is in large-scale data processing and container orchestration, and he is experienced in advocacy and standardization at W3C and IETF. Before Red Hat, Michael worked at Mesosphere, MapR and in two research institutions in Ireland and Austria. He contributes to open source software (mainly using Go), blogs and hangs out on Twitter too much.

Nic Jackson

Nic Jackson is a software engineering evangelist working for notonthehighstreet.com, with over 20 years' experience in software development and leading software development teams. He is a huge believer that the rise of Docker and container solutions is a positive transformation for the way we develop, deploy and maintain software.
