Container Camp
Don’t be a fail whale, secure your containers - Sarah Young (Versent)
In this talk, Sarah looks at the different layers of security that can be applied to a container ecosystem and at each team's responsibility for delivering that security. From the sysadmin's point of view: how do I make sure the container orchestrator itself is secured, and which official hardening guides are there to follow? From the application developer's point of view: how do seccomp and AppArmor work, and how do they restrict what the application's process is allowed to do on the host kernel? With the local container secured, how do we make sure our deployments carry the same structure and security profiles into the cluster? Still with the developer's hat on, we look at least-privilege, zero-trust API calls with Istio, and ask whether security checks can be added to the container CD pipeline the way quality gates are. Lastly, we look at this from the security team's point of view: how can they have input into every step from the beginning of the process rather than at the end, and how can their skills, threat modelling for example, raise the security posture of the container ecosystem? Having all the teams work together breaks down silos and delivers a secure solution.
Sarah is a security architect currently based in Melbourne, Australia. She has previously worked in New Zealand, the UK and Europe across a range of industry sectors. Sarah comes from an infrastructure engineering background and deployed enterprise-grade WAN, LAN and VoIP solutions before moving into the security space and providing independent security consulting to a range of businesses and organisations. In her current role at Versent, Sarah helps enterprises move into the cloud securely, design their secure pipeline and adopt automated security processes.
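The deployment-profile and pipeline-gate questions in the abstract above can be made concrete with a small check script. The Python below is an added example written for this page, not code from the talk, from Versent or from any Container Camp project: it reads a rendered manifest in JSON (the form `kubectl create --dry-run=client -o json -f -` produces) and fails the build when a pod spec is missing the seccomp profile, non-root user, dropped capabilities or privilege-escalation settings required by the Pod Security Standards "restricted" profile. The two sample manifests, the `gate.py` file name and the `example/api:1.0` image are constructed for the example; AppArmor is left to the runtime default and is not checked here.

```python
"""Security gate for rendered Kubernetes workload manifests (added example).

Reads the JSON form of a manifest, e.g. the output of
  helm template chart/ | kubectl create --dry-run=client -o json -f -
and reports every pod spec that does not meet a subset of the Pod Security
Standards "restricted" profile. A non-zero exit makes it usable as a CD gate.
"""
import json
import sys

# Kinds whose spec.template carries a pod spec (CronJob nests one level deeper).
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def pod_spec(obj):
    """Return the pod spec embedded in a workload object, or None for other kinds."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec") or {}
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in TEMPLATE_KINDS:
        return obj["spec"]["template"]["spec"]
    return None


def check_pod_spec(name, spec):
    """Return a list of findings (strings); an empty list means the pod spec passes."""
    findings = []
    # Sharing host namespaces defeats the isolation the runtime provides.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: {field} is enabled")
    pod_sc = spec.get("securityContext") or {}
    # Pod-level settings are inherited unless the container overrides them.
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation must be false")
        drop = {cap.upper() for cap in (sc.get("capabilities") or {}).get("drop", [])}
        if "ALL" not in drop:
            findings.append(f"{cname}: capabilities.drop must include ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname}: runAsNonRoot must be true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"{cname}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


def gate(manifest):
    """Check a single object or a v1 List of objects; return every finding."""
    objs = manifest.get("items", []) if manifest.get("kind") == "List" else [manifest]
    findings = []
    for obj in objs:
        spec = pod_spec(obj)
        if spec is not None:
            name = f"{obj['kind']}/{(obj.get('metadata') or {}).get('name', '?')}"
            findings.extend(check_pod_spec(name, spec))
    return findings


# Constructed samples: a first-draft Deployment and the same workload hardened.
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "api", "image": "example/api:1.0",
                        "securityContext": {"privileged": True}}],
    }}},
}
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "image": "example/api:1.0",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]},
                            "readOnlyRootFilesystem": True}}],
    }}},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # gate a real rendered manifest: python gate.py rendered.json
        with open(sys.argv[1]) as fh:
            results = gate(json.load(fh))
    else:  # no argument: demonstrate on the constructed samples
        results = gate(WEAK)
        print("hardened sample findings:", gate(HARDENED))
    for line in results:
        print("FAIL", line)
    sys.exit(1 if results else 0)
```

Run it as `python gate.py rendered.json` after `helm template` or `kustomize build` output has been piped through `kubectl create --dry-run=client -o json -f -`. The same settings are enforced in-cluster by the Pod Security Admission controller at the `restricted` level; the pipeline gate is the shift-left copy of that check, so developers see the failure on their pull request rather than at deploy time, and is not a replacement for the admission control itself.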
container.camp/
@containercamp
Views: 764

Videos

Running Kubernetes in Production A Million Ways to Crash Your Cluster - Henning Jacobs (Zalando)
825 views · 4 years ago
Bootstrapping a Kubernetes cluster is easy, rolling it out to nearly 200 engineering teams and operating it at scale is a challenge. In this talk, we are presenting our approach to Kubernetes provisioning on AWS, operations and developer experience for our growing Zalando developer base. We will walk you through our horror stories of operating 80 clusters and share the insights we gained from i...
Pragmatic Pod Patterns: Leveraging sidecar containers in Kubernetes - James Relph (Capgemini)
480 views · 4 years ago
While it's easy to take a pod=container approach when working with Kubernetes, taking comprehensive advantage of Kubernetes' pod's ability to share resources between containers on a node can have significant benefits. In this talk I will share some of the patterns and concepts we've used which have helped to speed delivery, spread best practice and improve security. James is a Senior Platform E...
Container Images Considered Harmful - Aleksa Sarai (SUSE)
464 views · 4 years ago
Effectively all modern container image formats are based on tar, and many proposed improvements to formats are only surface-level changes. In an attempt to make their images smaller, a lot of users end up patching over the underlying issue by using smaller distribution images and stunting their container images. In this talk, we will discuss the many drawbacks of using tar and outline how image...
Container Images Considered Harmful - Aleksa Sarai (SUSE)
147 views · 4 years ago
Lightning talk session at Container Camp AU 2018
Filesystem mounts in user namespaces - Christian Brauner
1.7K views · 4 years ago
User namespaces have become one of the most important security features for container workloads. But since they can be created by any user on the system they restrict access to a wide range of features including mounting of filesystems. In recent years a lot of work went into making mounts of filesystems from non-initial user namespace safe. Starting with kernel 4.18 it is possible to mount FUS...
The Route To Rootless Containers - Claudia Beresford (Pivotal)
2.9K views · 4 years ago
Rootless containers are a new and exciting development in the container community, offering the ability to create and manage containers as a completely unprivileged, non-root user. During this presentation, Claudia will share her team's learnings from the journey to adopting rootless containers in production for a large multi-tenant PaaS (Cloud Foundry). The talk contains a technical overview o...
In the beginning was the server - Matt Butcher (Microsoft)
264 views · 4 years ago
The opening keynote from Container Camp UK 2018. Matt Butcher is the head of the CNCF Helm project. He is a principal engineer at Microsoft, where he leads the cloud native open source team that works on Draft, Brigade, Kashti, and Helm. He is the author of eight technical books (most recently "Go in Practice" with Matt Farina). He also wrote the Illustrated Children's Guide to Kubernetes. Matt...
Consuming cloud services with the Kubernetes Service Catalog - Neil Peterson (Microsoft)
127 views · 4 years ago
In a cloud native world, managed services such as database, storage, and event processing systems can be utilized by applications without the overhead of total service ownership. Kubernetes provides an extension mechanism for dynamically requesting and consuming managed services through the Kubernetes Service Catalog API. Using the service catalog, you can deploy applications into your Kubernet...
Istio: Weaving, Securing and Observing microservices - Lin Sun (IBM)
230 views · 4 years ago
With the rapid adoption of microservices, Istio has become the de facto framework to load-balance, route, secure and monitor the traffic that flows between microservices. Istio provides a common networking, security, policy and telemetry substrate for services that we call a 'Service-Mesh'. Come learn how the service-mesh helps with the transition to microservices, to empower operations teams, ...
Istio 1.0: time for production! - Craig Box (Google)
67 views · 4 years ago
Istio 1.0 (has/will have) been released, so it's safe to move from "looking at it" to "putting it into production". Craig will talk about the history of the Istio project, the use cases at Google which inspired it, and the actual customer problems it is solving today, which you can apply to your business.
kubecfg: express the patterns in your declarative Kubernetes config - Angus Lees (Bitnami)
204 views · 4 years ago
Declarative configuration goes by several names (desired state, gitops, etc), and is a subtle but important shift in process that leads to more predictable and lower risk changes. Kubernetes is built around these principles, but most users encounter it as a ""wall of YAML"" that is difficult to use in practice. This talk introduces the ""kubecfg"" tool from the ksonnet project, heavily inspired...
The second revolution of Unikernels: Unikraft - Wei Chen (ARM)
941 views · 4 years ago
In the last few years, several open source projects had started to use Unikernels to create faster, more secure and scalable applications for cloud. For example: MirageOS, HalVM, ClickOS, Rump kernels, OSv etc. Developing applications for all these projects was not easy though. One had to re-write almost all the existing applications for Unikernels. This process was time consuming and prone to ...
Deep dive on the AWS CNI Plug-in for Kubernetes - Mitch Beaumont (AWS)
9K views · 4 years ago
AWS recently introduced AWS Elastic Container Service for Kubernetes (EKS), it also open-sourced a new CNI plug-in that enables pods within EKS to use VPC networking fabric. This greatly simplifies the network connectivity within a Kubernetes cluster. The CNI is the primary plugin that is used to power Amazon EKS, and is being developed in collaboration with the community. This talk will share ...
Lessons learnt while operating multi-tenant kubernetes cluster in production - Prateek Nayak (MYOB)
200 views · 4 years ago
At MYOB, as part of the Platform Enablement group we operate a multi-tenant kubernetes cluster in production. Our cluster come with sane, sensible defaults around monitoring, logging alert built out of the box for delivery teams meaning our devs can focus on delivering customer value. We have learnt quite a few lessons on our kubernetes journey mainly through investigation and sometimes through...
Going crazy with Docker multi-stage build - Jorge Arteiro (IBM)
385 views · 4 years ago
Set up and manage multi-cloud clusters using the Cluster API - Karan Goel (Google)
1.4K views · 4 years ago
Building a Kubernetes distro the easy way - Scott Coulton and Dave Try (Puppet)
164 views · 4 years ago
Security Considerations for Containers as a Service & Serverless Architectures- Tsvi Korren (Aqua)
53 views · 4 years ago
Lessons from Production Incidents at Monzo Bank - Oliver Beattie (Monzo)
1K views · 4 years ago
Storing is Boring: Managing Persistant Storage - Phoebe Goh (NetApp)
65 views · 4 years ago
Creating Effective Images - Abby Fuller (AWS)
1.2K views · 4 years ago
Dockerless Container Builds with Buildah - William Henry (Red Hat)
4.2K views · 4 years ago
Keeping an eye on your serverless containers - Prateek Nayak (Innablr) and Arjen Schwarz (DigIO)
100 views · 4 years ago
Introducing a Kubernetes Operator for Azure Databricks - Azadeh Khojandi (Microsoft)
1K views · 4 years ago
libp2p and the cloud - Adrian Lanzafame (Protocol Labs)
213 views · 4 years ago
Building with Buildkit - Sam Cochran (Buildkite)
4.9K views · 4 years ago
Dockerised local build and testing environments made easy - Charles Korn (Thoughtworks)
886 views · 4 years ago
Using Kubernetes in IOT Edge Node Development - Katherine Lim (Inabblr)
1.1K views · 4 years ago
Building Native Kubernetes Integrations with Operators - Nick Schuch (PreviousNext)
166 views · 4 years ago

COMMENTS

  • @cookiebinary · 4 months ago

    TL;DR: chroot && mount proc

  • @konstantingeyst4568 · 7 months ago

    Note that child processes can call chroot() again and break outside of this container easily. Docker doesn't use chroot.

  • @GerinoMorn · 8 months ago

    Why am I watching 7yo video about sth I don't do very often in a language I don't use, I don't know. But it's good xD

  • @minyakonga8897 · 8 months ago

    this video makes me want to more about docker and snap.

  • @LilRofl · 10 months ago

    🤯

  • @obrien8228 · 11 months ago

    wait this is so easy

  • @rohitm8526 · 1 year ago

    Woah... very nice explanation 🔥

  • @ChuckNorris-lf6vo · 1 year ago

    Excellent work. When IPO?

  • @derekreed6798 · 1 year ago

    Nice

  • @RockwellAIM65 · 1 year ago

    Where is the network stack+virtualization for that? How does that work?

  • @GreyDeathVaccine · 1 year ago

    Too much weird sounds from Liz (don't how to say it since I am not good with english) but good presentation.

  • @idiotshypocrites9547 · 1 year ago

    06:35 cringe, with respect for trying

  • @idiotshypocrites9547 · 1 year ago

    Min 05:00 and I don't know what the heck she is doing. And yes as she said, this is quite dull. And Go, why?

  • @zakariachahboun · 1 year ago

    Thanks

  • @loupax · 1 year ago

    Looks like my favorite presentations are those that start so simple you almost think they are jokes, until suddenly they are not.

  • @joepoptiya · 2 years ago

    Really good walk through. The container doesn't have internet access. Is there a way to provide the container with internet access?

  • @piyushsingh178 · 2 years ago

    wow..this is super awesome!! ps not showing host processes was very nice. But why Go though. As someone who doesn't speak Go, what I understood was you did some syscalls, cloned UTS namespace, changed rootdir, and invoked a new /bin/bash as a fork process. Same thing can be done in any language cpp/python/java right?

    • @RockwellAIM65 · 1 year ago

      Efficiency. You can build a completely self-contained binary that does everything. If you add https or a straight TLS socket you only need the exe and a cert file... it's super clean. With Python you may have versioning/support issues. Java is a pig - it latches onto cpu+memory resources. Not really apropos. C++ is ok for this, but younger engineers may not know it + unix command programming in C++ can be a bit tricky. Golang makes it (and certain other tasks) pretty straightforward. I would use either C or golang. Maybe Rust but I don't know it yet.

    • @piyushsingh178 · 1 year ago

      @RockwellAIM65 yeah I think outside of Go, c++ would be the best choice

    • @RockwellAIM65 · 1 year ago

      @piyushsingh178 A C based solution would be clean; you'd have to add lots of external libraries tho' ... would have been nice if C had a standard add-on for managing databases, doing all the simple network type transactions w/ a second thread perhaps (application+background processing thread) + an easy-to-interface string based hierarchical data store. C++ wasn't really necessary... it turned into the Cobol of the 1990s!

  • @TheBendixSA · 2 years ago

    Badass

  • @profetik777 · 2 years ago

    Ok love the hammer vs mallet analogy

  • @cronx1337 · 2 years ago

    Fuck go modules and fuck whoever broke 'go get'.

  • @ahmedifhaam7266 · 2 years ago

    great explanation. Thank you 👍

  • @KeithMakank3 · 2 years ago

    Really good talk

  • @edgeeffect · 2 years ago

    I've watched Liz write about 4 slightly different versions of this program now. ;) Working out the difference between Podman and Docker is kinda simple if you watch a scaled down version of the code get written. :)

  • @alitajvidi5610 · 2 years ago

    Thank you 🙏

  • @gangsterholla179 · 2 years ago

    This was amazing. Simple and easy to digest, but packed with information.

  • @fredrikhansen75 · 2 years ago

    Great pres!

  • @junaidkhan-xh4wx · 2 years ago

    Good explanation, thanks

  • @pclokcer · 2 years ago

    Likee

  • @billvvoods · 2 years ago

    Awesome video and a great intro to how containers are constructed

  • @alexwexov4298 · 2 years ago

    Came for Vim, saw Sublime, leave.

  • @abstractplanet6018 · 2 years ago

    Made me want to learn Go. Thanks.

  • @chiragsingla. · 2 years ago

    Thanks

  • @zoltanarvai9924 · 3 years ago

    Seriously underrated talk. This should have like a million views!

    • @nig3ldoug1as63 · 2 years ago

      Every Liz Rice talk should have like, a million views 🙂

  • @kokizzu · 3 years ago

    never knew that jenkins has such UI like in gitlabci '__')

  • @HaiNguyen-cf1ji · 3 years ago

    I just have lxd up and running, love it 😘

  • @freakybaby1012 · 3 years ago

    Great tutorial thank you!

  • @RichardBuckerCodes · 3 years ago

    The best part of this demo is that it makes containers more like jail and addresses the trust issue.

  • @maurobarros8265 · 3 years ago

    Very good

  • @codelucky · 3 years ago

    Did I just watch Go programming in Downton Abbey?

  • @techindia3602 · 3 years ago

    Does anyone have the link to the talk by Julian Friedman she is talking about?

  • @mahdijh1 · 3 years ago

    Thanks, It was the best way someone can show me concept of a container.

  • @anshubehera2600 · 3 years ago

    "You are my peer reviewers"... what a lass <3

  • @jonbv2434 · 3 years ago

    this is by far very short and well explained how the container can expand the possibilities how GO can do it.

  • @memeplex1 · 3 years ago

    I must say that a company whose CEO knows and still remembers how to operate a terminal makes me feel confident.

    • @omarzakai4905 · 2 years ago

      i know I'm asking the wrong place but does anybody know of a trick to get back into an instagram account?? I stupidly forgot the password. I appreciate any help you can offer me!

    • @anonymousanonymous1934 · 2 years ago

      @omarzakai4905 write to support

    • @dhruvakhera5011 · 2 years ago

      @omarzakai4905 if you have 2FA then you can get the account back

  • @sunwoojang6888 · 3 years ago

    really good

  • @rewanthtammana · 3 years ago

    Thanks for adding a sequel with the addition of rootless containers content in golang. Truly amazing :-)

  • @raghunathmahakud4270 · 3 years ago

    Is it possible to stop helm upgrade or how to do immutable config map using helm with kubernetes v1.13

  • @invokesus · 3 years ago

    Great talk!

  • @wrestlord · 3 years ago

    zaaa