As Docker and other container runtimes grow their user base, the merits and weaknesses of Linux containers as an isolation technology are coming under scrutiny. Because the porous POSIX interface exposes a large attack surface, avoiding multi-tenant container deployments is still recommended. Intel's Clear Containers proposes to solve the problem by running Docker containers as KVM virtual machines. Is that really the way forward?
This talk will compare traditional container models in terms of security, performance and integration with Docker. It will go into detail on why protecting the kernel and monitoring syscalls is important, and will propose a novel approach to running containers securely, one that provides stronger security and isolation together with the flexibility that Docker offers today.
In addition to hardening Linux kernel structures for containers, this session will also cover an alternate implementation of network policy within Kubernetes for Docker Containers that does not require any external policy controller or any central state and is based on a completely distributed architecture.
The goal is to demonstrate how cloud-native applications can be made secure with a combination of HW-assisted isolation for containers and a simplified, controller-less method for segmenting distributed applications.
Dimitri Stilliadis, Co-Founder and CEO, Aporeto
Dimitri has a background in distributed systems, security and networking and holds more than 25 patents. Prior to Aporeto, he was the co-founder and CTO of Nuage Networks, where he led the development of the industry-leading Virtualized Services Platform. He was also the CTO and co-founder of the NonStop Laptop Guardian, an end-point security solution. He has held several leading roles in Bell Labs Research, where he led a series of research programs with fundamental contributions in networking, algorithms, and distributed systems.
Amir Sharif, Co-Founder and VP of Products, Aporeto
Amir has 20 years of experience in virtualization, networking technologies and low-latency I/O. His experience includes running business development, product management and software development teams, most recently at Nuage Networks, where he led the business development efforts. Before that, Amir worked at Violin Memory, Parallels, VMware, Cisco and Sun. As the ESX product manager at VMware, he helped lead the hypervisor's architectural transition from ESX to ESXi.
Join us and Aporeto to discuss this topic.
Our meetings are scheduled for 7:30pm on the third Thursday of each month.
BayLISA includes system and network administrators across a range of skill levels. BayLISA meets to discuss topics of interest to system administrators and managers. The meetings are free and open to the public.
We always welcome presentation topics and volunteer speakers. Use the "Contact us" link on this page to get in touch with BayLISA's directors.