SlideShare a Scribd company logo

Docker security configuration

Download as PPTX, PDF
John Kinsella
John Kinsella

Technical dive into configuring seccomp and linux security capabilities for Docker-based containers. The real meat for this talk was in the demos - I'm working on a screencast version, and will add a link here once I have that published!

Technology
1 of 20
Real-World Examples and Troubleshooting
 Capabilities  Seccomp  Demo demo demo!
 None of my demos should “work” the first time.
Worst to best:  Run with --privileged=true  Run with –cap-add ALL  Run with --cap-drop ALL --cap-add <only needed>  Run as non-root user, unprivileged Useful: capabilities section of https://docs.docker.com/engine/reference/run/
From my Monday talk. Even in dev you should do this. Break the bad habit. Do as I say, not as I do!
3 sections:  Default Action  Target architectures  Filter rules Like firewall rules, but harder to debug!
 SECCOMP_RET_KILL  SECCOMP_RET_TRAP  SECCOMP_RET_ERRNO  SECCOMP_RET_TRACE  SECCOMP_RET_ALLOW
 SECCOMP_RET_KILL  SECCOMP_RET_TRAP  SECCOMP_RET_ERRNO  SECCOMP_RET_TRACE  SECCOMP_RET_ALLOW https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
 SECCOMP_RET_KILL  SECCOMP_RET_TRAP  SECCOMP_RET_ERRNO SCMP_ACT_ERRNO  SECCOMP_RET_TRACE  SECCOMP_RET_ALLOW SCMP_ACT_ALLOW https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
We need to build a list of system calls called by the program… …that we want to succeed  Guess (preferably educated)  RTFM (thanks John!)  Capture behavior – maybe /usr/sbin/strace  Disassembly?
Getting that last 1% can be expensive
 no-new-privileges
 Modern OS  objdump (from binutils)  nm  strace  auditd (some day…)
 Study:  https://docs.docker.com/engine/reference/run/  https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
@johnlkinsella http://layeredinsight.com http://github.com/jlk
 https://github.com/docker/docker/blob/master/docs/security/seccomp.md  http://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html  http://linux.die.net/man/1/capsh  https://github.com/jfrazelle/blog/blob/master/content/post/how-to-use-new-docker- seccomp-profiles.md  http://www.slideshare.net/Docker/docker-security-workshop-slides  https://filippo.io/linux-syscall-table/  http://dockersl.im

Recommended

The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)Olaf Alders
 
Virtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsVirtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsQuest Software
 
Deployment talk dpc 13
Deployment talk dpc 13Deployment talk dpc 13
Deployment talk dpc 13Robbert van den Bogerd
 
Orchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeOrchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeGremlin
 
Road to cloud hero
Road to cloud heroRoad to cloud hero
Road to cloud heroWilliam Chong
 
Advanced Jasmine
Advanced JasmineAdvanced Jasmine
Advanced Jasminejbellsey
 
cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010Tatsuhiko Miyagawa
 
In the desert, without a camel
In the desert, without a camelIn the desert, without a camel
In the desert, without a camelStephen Scaffidi
 

Recommended

The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)The MetaCPAN VM for Dummies Part One (Installation)
The MetaCPAN VM for Dummies Part One (Installation)Olaf Alders
 
Virtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsVirtualization and SAN Basics for DBAs
Virtualization and SAN Basics for DBAsQuest Software
 
Deployment talk dpc 13
Deployment talk dpc 13Deployment talk dpc 13
Deployment talk dpc 13Robbert van den Bogerd
 
Orchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeOrchestrating Chaos Like a Pro with Gremlin Free
Orchestrating Chaos Like a Pro with Gremlin FreeGremlin
 
Road to cloud hero
Road to cloud heroRoad to cloud hero
Road to cloud heroWilliam Chong
 
Advanced Jasmine
Advanced JasmineAdvanced Jasmine
Advanced Jasminejbellsey
 
cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010cpanminus at YAPC::NA 2010
cpanminus at YAPC::NA 2010Tatsuhiko Miyagawa
 
In the desert, without a camel
In the desert, without a camelIn the desert, without a camel
In the desert, without a camelStephen Scaffidi
 
Full stack, Full run, Full test
Full stack, Full run, Full testFull stack, Full run, Full test
Full stack, Full run, Full testTaras Slipets
 
Installing symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPInstalling symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPRiyad Bin Zaman
 
The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)Olaf Alders
 
warp engine - an open source realtime push engine
warp engine - an open source realtime push enginewarp engine - an open source realtime push engine
warp engine - an open source realtime push engineDavid Pichsenmeister
 
Local development with vvv jon trujillo
Local development with vvv jon trujilloLocal development with vvv jon trujillo
Local development with vvv jon trujilloJonathan Trujillo
 
Mangling
Mangling Mangling
Mangling Olaf Alders
 
Let's make this test suite run faster
Let's make this test suite run fasterLet's make this test suite run faster
Let's make this test suite run fasterDavid Gageot
 
No Hugging, No Learning
No Hugging, No LearningNo Hugging, No Learning
No Hugging, No LearningOlaf Alders
 
你不知道的前端
你不知道的前端你不知道的前端
你不知道的前端taobao.com
 
Testando JavaScript com Spock
Testando JavaScript com SpockTestando JavaScript com Spock
Testando JavaScript com SpockIsmael
 
Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Yury Pliashkou
 
Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010David Gageot
 
Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011David Gageot
 
Caching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingCaching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingScott MacVicar
 
F.A.Q
F.A.QF.A.Q
F.A.Qdeputat
 
Vorlon.js
Vorlon.jsVorlon.js
Vorlon.jsDavid Catuhe
 
Sinatra
SinatraSinatra
SinatraTim Lucas
 
Postmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentPostmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentDavid Catuhe
 
Dplyr Installation Instructions
Dplyr Installation InstructionsDplyr Installation Instructions
Dplyr Installation InstructionsVinita Silaparasetty
 
Play Framework in EC2
Play Framework in EC2Play Framework in EC2
Play Framework in EC2kamarul kawnayeen
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack SecuredJohn Kinsella
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 

More Related Content

What's hot

Full stack, Full run, Full test
Full stack, Full run, Full testFull stack, Full run, Full test
Full stack, Full run, Full testTaras Slipets
 
Installing symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPInstalling symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPRiyad Bin Zaman
 
The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)Olaf Alders
 
warp engine - an open source realtime push engine
warp engine - an open source realtime push enginewarp engine - an open source realtime push engine
warp engine - an open source realtime push engineDavid Pichsenmeister
 
Local development with vvv jon trujillo
Local development with vvv jon trujilloLocal development with vvv jon trujillo
Local development with vvv jon trujilloJonathan Trujillo
 
Let's make this test suite run faster
Let's make this test suite run fasterLet's make this test suite run faster
Let's make this test suite run fasterDavid Gageot
 
No Hugging, No Learning
No Hugging, No LearningNo Hugging, No Learning
No Hugging, No LearningOlaf Alders
 
你不知道的前端
你不知道的前端你不知道的前端
你不知道的前端taobao.com
 
Testando JavaScript com Spock
Testando JavaScript com SpockTestando JavaScript com Spock
Testando JavaScript com SpockIsmael
 
Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Yury Pliashkou
 
Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010David Gageot
 
Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011David Gageot
 
Caching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingCaching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingScott MacVicar
 
Postmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentPostmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentDavid Catuhe
 

What's hot (20)

Full stack, Full run, Full test
Full stack, Full run, Full testFull stack, Full run, Full test
Full stack, Full run, Full test
 
Installing symfony within netbeans and WAMP
Installing symfony within netbeans and WAMPInstalling symfony within netbeans and WAMP
Installing symfony within netbeans and WAMP
 
The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)The MetaCPAN VM Part II (Using the VM)
The MetaCPAN VM Part II (Using the VM)
 
warp engine - an open source realtime push engine
warp engine - an open source realtime push enginewarp engine - an open source realtime push engine
warp engine - an open source realtime push engine
 
Local development with vvv jon trujillo
Local development with vvv jon trujilloLocal development with vvv jon trujillo
Local development with vvv jon trujillo
 
Mangling
Mangling Mangling
Mangling
 
Let's make this test suite run faster
Let's make this test suite run fasterLet's make this test suite run faster
Let's make this test suite run faster
 
No Hugging, No Learning
No Hugging, No LearningNo Hugging, No Learning
No Hugging, No Learning
 
你不知道的前端
你不知道的前端你不知道的前端
你不知道的前端
 
Testando JavaScript com Spock
Testando JavaScript com SpockTestando JavaScript com Spock
Testando JavaScript com Spock
 
Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11Capifony. Minsk PHP MeetUp #11
Capifony. Minsk PHP MeetUp #11
 
Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010Let's make this test suite run faster! SoftShake 2010
Let's make this test suite run faster! SoftShake 2010
 
Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011Let's make this test suite run faster - Paris JUG 2011
Let's make this test suite run faster - Paris JUG 2011
 
Caching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and ProfilingCaching for Cash: Benchmarking and Profiling
Caching for Cash: Benchmarking and Profiling
 
F.A.Q
F.A.QF.A.Q
F.A.Q
 
Vorlon.js
Vorlon.jsVorlon.js
Vorlon.js
 
Sinatra
SinatraSinatra
Sinatra
 
Postmortem of a uwp xaml application development
Postmortem of a uwp xaml application developmentPostmortem of a uwp xaml application development
Postmortem of a uwp xaml application development
 
Dplyr Installation Instructions
Dplyr Installation InstructionsDplyr Installation Instructions
Dplyr Installation Instructions
 
Play Framework in EC2
Play Framework in EC2Play Framework in EC2
Play Framework in EC2
 

Viewers also liked

Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...John Kinsella
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?John Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersJohn Kinsella
 

Viewers also liked (6)

CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 

Similar to Docker security configuration

Rails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & ToolsRails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & Toolsguest05c09d
 
Production Grade Kubernetes Applications
Production Grade Kubernetes ApplicationsProduction Grade Kubernetes Applications
Production Grade Kubernetes ApplicationsNarayanan Krishnamurthy
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Stop Being Lazy and Test Your Software
Stop Being Lazy and Test Your SoftwareStop Being Lazy and Test Your Software
Stop Being Lazy and Test Your SoftwareLaura Frank Tacho
 
Check the version with fixes. Link in description
Check the version with fixes. Link in descriptionCheck the version with fixes. Link in description
Check the version with fixes. Link in descriptionPrzemyslaw Koltermann
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneDavid Glick
 
Sinatra and friends
Sinatra and friendsSinatra and friends
Sinatra and friendsJiang Wu
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitMike Pfaff
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitMike Pfaff
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousFrancis Alexander
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenchesYan Cui
 
Docker Introduction.pdf
Docker Introduction.pdfDocker Introduction.pdf
Docker Introduction.pdfOKLABS
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDocker, Inc.
 
"Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",..."Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",...Fwdays
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouColdFusionConference
 

Similar to Docker security configuration (20)

Docker perl build
Docker perl buildDocker perl build
Docker perl build
 
Rails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & ToolsRails Application Optimization Techniques & Tools
Rails Application Optimization Techniques & Tools
 
Production Grade Kubernetes Applications
Production Grade Kubernetes ApplicationsProduction Grade Kubernetes Applications
Production Grade Kubernetes Applications
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Stop Being Lazy and Test Your Software
Stop Being Lazy and Test Your SoftwareStop Being Lazy and Test Your Software
Stop Being Lazy and Test Your Software
 
Check the version with fixes. Link in description
Check the version with fixes. Link in descriptionCheck the version with fixes. Link in description
Check the version with fixes. Link in description
 
Docker as an every day work tool
Docker as an every day work toolDocker as an every day work tool
Docker as an every day work tool
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneWhen Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
When Good Code Goes Bad: Tools and Techniques for Troubleshooting Plone
 
Sinatra and friends
Sinatra and friendsSinatra and friends
Sinatra and friends
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and Profit
 
Runmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and ProfitRunmodes and Configs for Fun and Profit
Runmodes and Configs for Fun and Profit
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
AWS Lambda from the trenches
AWS Lambda from the trenchesAWS Lambda from the trenches
AWS Lambda from the trenches
 
Docker Introduction.pdf
Docker Introduction.pdfDocker Introduction.pdf
Docker Introduction.pdf
 
DCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker CaptainsDCEU 18: Tips and Tricks of the Docker Captains
DCEU 18: Tips and Tricks of the Docker Captains
 
"Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",..."Master production-grade best practices to build your Node.js Docker images",...
"Master production-grade best practices to build your Node.js Docker images",...
 
Sprockets
SprocketsSprockets
Sprockets
 
Can you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and YouCan you contain the future - Docker, Container Technologies, The Future, and You
Can you contain the future - Docker, Container Technologies, The Future, and You
 

Recently uploaded

SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Docker security configuration

Editor's Notes

  1. There’s so many good talks going on this hour – I’m really honored that you decided to join and I hope this is worthwhile for you. This talk was tagged “intermediate” – it might go deeper, please do not be afraid to ask questions.
  2. --privileged does –cap-add ALL as well as allowing device privs Docker has 37 capabilities that can be added or removed
  3. Particularly, ”seccomp BPF”
  4. 5 seccomp values, you’ll probably just use 2
  5. Should we do a screencast of this?