Diogo Mónica
Security Lead @ Docker
Diogo Mónica is the security lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square, where he led the platform security team; holds BSc, MSc and PhD degrees in Computer Science; serves on the board of advisors of several security startups; and is a long-time IEEE volunteer.
Talk: Orchestrating Least Privilege
The popularity of containers has driven the need for distributed systems that can manage resources, place workloads and adapt to faults. These so-called container orchestrators have seen a rise in enterprise popularity reminiscent of early container adoption. Open-source projects such as Docker Swarm, Kubernetes and Marathon make it easy for anyone to manage their container workloads on cloud-based or on-premises infrastructure. Unfortunately, many of these orchestrator systems have not been architected with security in mind. In particular, compromise of a less-privileged node usually allows an attacker to escalate privileges, either gaining control of the whole system or accessing resources the node should not have access to. Given the popularity of containers in the enterprise, it is critical that we start building orchestrators designed with security in mind, following the principle of least privilege: any participant in the system has access only to the resources strictly necessary for its legitimate purpose. No more, no less.
Meet our international lineup of container experts
Learn about security, orchestration, networking and more
- Brendan Burns, Microsoft Azure
Talk: Container Journey: Past, Present, and Future
Opening Keynote
Workshop: Solutioning with Brendan Burns
Love whiteboards? Have burning distributed systems or container orchestration challenges on Azure cloud that are blocking your business from achieving technological nirvana? Bring them with you to this university-style problem-solving and solutioning session, where Brendan Burns will deliver a lecture on DevOps and the future of container orchestration, followed by real-time solutioning with the audience. Come prepared with your challenges, raise your hand, introduce the difficulty, and we'll put our collective minds to the test in some informal side-by-side communal engineering fun.
- Diogo Mónica, Docker
Talk: Orchestrating Least Privilege (abstract above)
- Vishnu Kannan, Google
Talk: Kubernetes meets Linux
Kubernetes is a cluster management infrastructure that can manage thousands of Linux nodes and hundreds of thousands of Linux containers. This talk will explore how Kubernetes manages Linux nodes under the hood. It will also present some of the current shortcomings of Linux in the container cluster space and explore how Google's Borg has solved those limitations.
- Jonathan Boulle, NStack
Talk: OCI and Open Container Standards
In 2015, the Open Container Initiative was formed to establish common standards around application container images and runtimes. Both specifications are fast approaching version 1.0, an important milestone release for the container ecosystem. This talk will explore some of the history of efforts to create standards for containers, describe the particulars of the OCI specifications today, and talk about what the future holds for users.
- Michelle Noorali, Deis
Talk: Highway to Helm
Helm is a tool that helps you find, share, build, and manage Kubernetes-native applications. It allows you to install packages (or Charts) of Kubernetes resources and manage them as a single unit. In this talk, we'll discuss the history of Helm, how to use it, and how to get involved with the Helm community.
- Scott Coulton, Puppet
Talk: If It's In a Container It's Secure Right?
In this talk we will look at the different layers of security that can be applied to a container ecosystem and the different teams' responsibilities within that ecosystem for delivering security. From the sysadmin's point of view: how do I make sure the container daemon is secured, and what official hardening guides are out there to follow? From an application developer's point of view: how do seccomp and AppArmor work to make sure that only the application's own processes have access to the host machine? Now that we have the local container secured, how do we make sure our deployments follow the same structure and security profiles? Can we add security checks to our container CD pipeline like we would quality gates? Lastly, we will look at it from the security team's point of view: how can they have input into all the steps we have taken from the beginning of the process rather than at the end? Allowing all the teams to work together breaks down silos to deliver a solution.
Workshop: Docker Orchestration (Beginner)
Deployment and orchestration at scale. Docker Captain Scott Coulton walks you through taking an application from development to production with Docker. You'll run a sample app on a single node with Compose and add scaling and load balancing before provisioning a cluster of Docker nodes and deploying the application on that cluster. Scott also demonstrates how to perform Ops tasks and explores options for high availability.
- Liz Rice, Aqua Security
Talk: Containers from scratch - the sequel!
What are containers, really? In this talk we dispel the magic by writing one live in Go from scratch, so you can really see what people mean when they talk about namespaces and control groups. This is an evolved version of a talk at Container Camp London, with some more container features and a few extra twists and turns!
- Angus Lees, Bitnami
Talk: Kubernetes and the Rise of Serverless
There is an ongoing transition in infrastructure plumbing as successive technology layers emerge, evolve and mature. Containers and Pods are now the lowest compute unit, and the building blocks become "applications/services" rather than "servers". We look at how Kubernetes defines applications and how serverless computing fits within this new model, putting the focus on application design and operation rather than on bare infrastructure.
- Michael Hausenblas, Red Hat
Talk: Coding with containers
Developing with and in containers, using a cluster of machines that potentially runs in a cloud setting, is becoming the new norm. In this talk we'll discuss the challenges around development velocity and modes of development (from offline to online), and show how and when to use which mode, using OpenShift and Kubernetes as an example environment.
- Luke Bond, UK Home Office
Workshop: Building a Kubernetes Operator (Advanced)
In 2016, CoreOS announced "Operators", a semi-automatic weapon for automating the operation of complex, stateful services, the kind of services that fall outside of the easy-to-automate services commonly discussed in the PaaS and container world. In this workshop, we will write our own Operator for a real, complex, distributed service: PostgreSQL. You will also learn how Operators relate to other Kubernetes concepts such as StatefulSets, ReplicaSets and Deployments. We will build the Operator in Golang; even if you have only a very basic familiarity with Golang you will still find the workshop useful, as it works towards the solution iteratively, providing all code along the way. Whilst this is an advanced topic, we will do our best to accommodate all levels of experience.
- Mike Hepburn, Red Hat
Workshop: OpenShift - Cloud Deployments Made Easy (Advanced)
A hands-on workshop where developers and operators learn to easily deploy container-based applications to OpenShift Container Platform, Red Hat's enterprise Kubernetes-based Platform as a Service. Learn about deployment strategies, CI/CD techniques and microservices architectures, and hear real-world stories and techniques for speeding up your enterprise deployments safely, so you can get your weekends back!
- Vishal Biyani, Infracloud Technologies
Talk: Deploying Serverless on Kubernetes with Funktion, Iron Functions & Fission
The talk will demo running serverless (Function as a Service) style frameworks on top of Kubernetes. We will compare Funktion from Fabric8, Iron Functions and Fission from Platform9; each framework comes with its own strengths and weaknesses, be it connectors or maturity of deployment. We will evaluate and demo these frameworks from the point of view of 1) built-in triggers, 2) cold start capability, 3) runtime availability, 4) ease of use in deployment and operations, and 5) additional features such as an API gateway. We will demonstrate two distinct use cases, one with a low-latency requirement and one without.
Workshop: Kubernetes 101 with Vishal (Beginner)
The workshop will start with setting up a Kubernetes cluster and understanding the components of the architecture. We will show how to interact with Kubernetes with kubectl and the API. Next we will cover basic types such as Pod, ReplicaSet, Service, Ingress, StatefulSet, and Labels and selectors, in concept and with one sample of each deployed to a live cluster. Next we will assemble an application composed of the various types discussed earlier and deploy it to the cluster. The last section will cover areas such as networking, storage and integration with the underlying cloud provider, with one sample of each.
- Ian Lewis, Google
Workshop: Kubernetes 101 with Ian (Beginner)
How do I manage applications at scale? That's a common question facing developers today, and this code lab helps to make sense of the ever-changing scalable app landscape. Use Docker and Kubernetes to deploy, scale, and manage a microservices-based application in this workshop.
- Aleksa Sarai, SUSE
Talk: Rootless Containers with runC
Essentially all popular container runtimes require some form of root privileges in order to create and manage containers. This becomes a problem for certain systems, where administrators are hesitant to install any software, let alone a container runtime, many of which allow for privileged containers without authentication. In this talk, Aleksa Sarai will describe recent work done within runC by himself and other maintainers to let people use rootless containers with a well-supported container runtime, and discuss the challenges uncovered by this work and the kernel work under way to alleviate them and bring a new form of containers to users and developers. In addition, he will briefly talk about image formats and the management of images without privileges.
- Andrew Martin, UK Home Office
Workshop: Securing Docker Containers (Advanced)
Docker provides a number of container security extensions that can appear esoteric and confusing to a new user. This workshop will demonstrate why containers are insecure and work with vulnerable containers to secure them against various forms of attack and privilege escalation. Attendees will work through hardening, intrusion detection, and continuous security measures in CI to lock down containers at all stages of their lifecycle. It finishes with a comprehensive summary of container-native security tooling and a comparison with existing tools.
- Christian Brauner, Canonical
Talk: Mixing cgroupfs v1 and cgroupfs v2: finding solutions for container runtimes
With the release of kernel 4.5 the new cgroupfs v2 API was declared non-experimental. But the missing feature parity between cgroupfs v2 and cgroupfs v1 makes it nearly impossible for container runtimes to use it. Especially before the CPU controller is merged, no runtime is expected to switch to it by default. Nonetheless, cgroupfs v2 is slowly making its way into various distributions. This brings with it a new set of problems and challenges which container runtimes must tackle. For example, one of the core problems container runtimes will have to face is how to support running cgroupfs v1 hierarchies inside a container while the host is running a cgroupfs v2 hierarchy, and vice versa. This talk will try to outline some of these problems more clearly, suggest possible solutions, and hopefully inspire a fruitful discussion that leads to further solutions or at least helps to identify and specify the various problems more clearly.
- James Buckett, levvel.io
Talk: Kubernetes and the Next Generation Data Center
Kubernetes is becoming an attractive option to run true hybrid cloud workloads without vendor lock-in. Cloud providers such as Microsoft Azure and Google Container Engine offering Kubernetes support enable this capability. Kubernetes Federation and Federation Ingress are key concepts to understand. I will discuss Kubernetes, Kubernetes Federation and Federation Ingress, and how they will drive future hybrid cloud workloads.
- Michael Withrow, Twistlock
Talk: Scaling App Defense with Intent Based Security
While some have focused on trying to bend traditional security approaches to fit containers and DevOps, the larger security opportunity has often been missed. Containers, both the core technology and the operational patterns they enable, have some fundamental differences from traditional models. In this session, we examine the changes to the threat landscape that containers bring, what fundamental characteristics of containers are different, and how security organizations can leverage these characteristics to understand developer intent and automate the creation and management of scalable, yet app-tailored, defenses.
- Rachit Arora, IBM
Talk: Running Hadoop Clusters as a Service in Production using Containers
Building and deploying an analytics service on the cloud is a challenge, and maintaining the service is a bigger one. Users are moving towards a model where they provision an instance of a service on the fly, use it for analytics, and discard it when done. Containers are now a proven technology to deploy and distribute modules quickly, easily and reliably. The intent of this talk is to share the experience of building such a service. Usually it takes weeks to provision a production- or enterprise-ready Hadoop cluster. In this session we will give details on how we have built a platform that offers Hadoop clusters to the user within 4 mins, of which 2-3 mins are used by the various Hadoop components to start. We will also discuss the framework used to deploy 1000s of containers on 100s of machines and efficiently handle resource management, and how stateless containers help in patching 1000s of containers in a very short time.
- Sven Dowideit, Rancher Labs
Talk: Building and using micro Linux distributions for Docker
Docker containers have transformed how new software is developed, with hundreds of millions of containers supporting applications in production today. However, every container needs a Linux host on which to run. This talk will provide a short history and landscape review of the Linux microdistributions available today, before diving into the considerations for building and using such distributions. We'll include the architectural decision points involved in building and choosing a container-focused Linux distribution, and conclude with demos and practical use cases for developers, DevOps, and operations teams who are investigating and using containers today.
- Vincent De Smet, honestbee
Talk: Distributed Command Execution using Containers and Cog
An overview of Operable Cog (a ChatOps bot) and how it uses containers and Docker hosts to execute commands across a distributed set of servers. A 30-minute talk about ChatOps and the power of Linux command pipelines when leveraging technologies such as Docker. I hope to spark interest among new FaaS-oriented frameworks in integrating with the user interface provided by Cog.
- Jorge Arteiro, KLOUD Solutions
Talk: Containers on Enterprise – A game changer for developers
How can development and operations teams work together to implement containers in enterprise organizations? Let's discuss tools and workflow options to hide complexity from developers and improve collaboration. A new generation of PaaS services using containers is coming. It's time to get developers involved!