Upload File

aguascalientes local chapter - owasp · dockervs lxc, jails, vagrant • lxc runs in the host but...

  • Home
  • Documents
  • Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one
19
Aguascalientes Local Chapter 2 nd Meeting

Upload: dangmien

Post on 13-Jan-2019

222 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

AguascalientesLocalChapter

2nd Meeting

Page 2: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

About– ChapterLeader

• JuanGama– ApplicationSecurityEngineer@AspectSecurity– 9+yearsinAppsec,Testing,Development– MaintainerofOWASPBenchmark– IlikeGIFs!

Page 3: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker

Page 4: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

WhatisDocker?

• "Docker istheworld'sleadingsoftwarecontainerizationplatform"

Page 5: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Whatisacontainer?

• Consistsofanentireruntimeenvironment:anapplication,plusallitsdependencies,librariesandotherbinaries,andconfigurationfilesneededtorunit,bundledintoonepackage.

Page 6: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker inventedcontainers?

Page 7: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker vs LXC,Jails,Vagrant

• LXCrunsinthehostbuthasit'sownsectionofRAM,CPU,disk,etc.ClosertoaVM.Dockercanbejustoneprocess,needsavolume.

• VagrantisascriptforVMs.

Page 8: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker vs Virtualization

• Virtualizationincludesanentireoperatingsystemaswellastheapplication.Docker sitsontopoftheOS

Page 9: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker vs Virtualization

Page 10: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker vs Virtualization

Page 11: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

WhyDocker?

• Solvesdependencyproblemsandtheproblemofancienttimes:

• "Itworksonmymachine!"

Page 12: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker Components

• Docker Engine

• Docker Hub

Page 13: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker Engine

• Docker daemon– Runsonthehostmachine

• Docker Client– CLIusedtointeractwiththedaemon

• WindowsandOSX– docker-machine(smalllinux runningtheDockerdaemon)- NeedsVirtualbox

Page 14: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker WorkflowComponents

• Docker image– Hastheenv,yourapplication,OS,dependencies,

• Docker Container– Createdfromimages,start,stop,move,delete

• Docker Registry– Publicandprivaterepotostoreimages

• Dockerfile– Automatesimageconstruction

Page 15: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker

• Docker Container

• Docker Composer

• Docker Swarm

Page 16: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Demo

Page 17: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker Security

• Quitesecure.• Namespacesforisolation:processesrunningwithina

containercannotsee,andevenlessaffect,processesrunninginanothercontainer,orinthehostsystem

• Eachcontaineralsogetsitsownnetworkstack.• ControlGroupsforresourceaccountingandlimiting,

ensurethateachcontainergetsitsfairshareofmemory,CPU,diskI/O;and,moreimportantly,thatasinglecontainercannotbringthesystemdownbyexhaustingoneofthoseresources.

Page 18: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker Security• OnlytrustedusersshouldbeallowedtocontrolyourDocker daemon

• “root”withinacontainerhasmuchlessprivilegesthanthereal“root”.Forinstance,itispossibleto:– denyall“mount”operations;– denyaccesstorawsockets(topreventpacketspoofing);– denyaccesstosomefilesystem operations,likecreatingnewdevicenodes,changingtheowneroffiles,oralteringattributes(includingtheimmutableflag);

– denymoduleloading;– andmanyothers.

Page 19: Aguascalientes Local Chapter - OWASP · Dockervs LXC, Jails, Vagrant • LXC runs in the host but has it's own section of RAM, CPU, disk, etc. Closer to a VM. Docker can be just one

Docker Security

• Additional:AppArmor,SELinux,GRSEC• RuninsideaVM• Compromisedimages• DOS• https://www.docker.com/docker-security


Directorio de Personas Responsables de Estancias ... · 33 aguascalientes konejitos maria victoria velazquez ... 40 aguascalientes angelitos star margarita salas ... 43 aguascalientes

DevOps with Vagrant and KVM/qemu Hiroshi Miura (@miurahr ... · Vagrant-KVM vs. -libvirt Features Vagrant-KVM Vagrant-libvirt KVM Yes Yes Xen N.A. Plan Remote N.A. Experimental

Padrón de Beneficiarios del Cuarto Trimestre 20151 aguascalientes adrian gonzalez macias 1 aguascalientes adrian guadalupe calixto medina. 1 aguascalientes adrian guzman ortiz 1 aguascalientes

Alberta Wild Species General Status Listing - 2015 · ABNJB10120 Birds Anas querquedula Garganey Accidental/Vagrant Accidental/Vagrant Accidental/Vagrant -

Docker lxc win

Lightweight Virtualization: LXC Best Practices 10/28 4) LXC - Intro LXC = userspace tools for Linux containers based on mainline kernel Linux containers are based on: Kernel namespaces

Vagrant up.key

Vagrant + Docker

SPDK Vagrant Box Install Instructions · vagrant@localhost:/vagrant# cd fio && git checkout fio-3.3 vagrant@localhost:/vagrant# ./configure vagrant@localhost:/vagrant# make vagrant@localhost:/vagrant#

Vagrant - "Pilot"

LXC(Linux Container)

Summit University Aguascalientes - Matriz Esmeraldasummituniversity.org/.../10/SU-Aguascalientes-Nov.... · Ciudad de Aguascalientes, México Hotel "Fiesta Americana" Los Laureles

Lightweight Virtualization: LXC containers & AUFS

Scale11x lxc talk

Vagrant puppet

Aguascalientes Local Chapter - OWASP · • Vagrant is a script for VMs. Docker vs Virtualization • Virtualization includes an entire operating system as well as the application

Instalar Vagrant

Aguascalientes Sightseeing Map

LXC/LXD Deep Dive… · The daemon on the host that accepts API calls for LXC LXC manages the container and LXD manages the remote -- image/container servers Extends LXC functionality

Lightweight virtualization: LXC vs. OpenVZ

Vagrant Workshop

Drupalcamp es 2013 drupal with lxc docker and vagrant

Lightweight Virtualization LXC containers & AUFS

Lightweight Virtualization: LXC Best Practices · Slide 12/28 4) LXC – Userspace lxc-start / lxc-stop lxc-start -n ct0 -f /lxc/ct0/config lxc-create / lxc-destroy creates/destroys

Reproducibility through environment capture: Part 1: Docker · container (using Docker, LXC, etc.) ideally environment creation should be automated (shell script, Puppet, Chef, Vagrant,

Vagrant Story

Directorio de Estancias Infantiles - gob.mx · aguascalientes aguascalientes aguascalientes aprendiendo y jugando martha veronica gutierrez gutierrez beethoven del trabajo 20180 515

AGUASCALIENTES - IIEG

LXC Containers and AUFs

LXC outline

Leverage LXC/LXD with Kubernetes

Vagrant 101

INTRODUCTION TO LINUX CONTAINTER (LXC) …people.redhat.com/mlessard/mtl/presentations/jan2014/LXC...1 LXC DOCKER | MICHAEL LESSARD INTRODUCTION TO LINUX CONTAINTER (LXC) AND DOCKER

LXC on Ganeti

Vagrant presentation