Back To Schedule
Thursday, October 29 • 1:50pm - 2:30pm
Unraveling Docker Security: Lessons From a Production Cloud

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Whether you are integrating Docker containers into an existing cloud, or building out a multi-tenant cloud implementation using Docker, it can be a significant challenge to ensure proper security is in place. In this session, we will unravel various threads of security topics that all come together to provide properly configured security and isolation for Docker containers. Many of our findings are based on our experience in building and securing the IBM Container service based on Docker technology on top of an OpenStack IaaS. Topics include: 
  • Usage and threat model
  • Implications of sharing the kernel with the host
  • How user namespaces provide isolation from the root user on host
  • Docker engine configuration for security and limitations for preventing forkbomb, filebomb, DOS
  • Security features and issues for Docker registry
  • Docker API and lack of multi-tenancy capabilities

avatar for Salman Baset

Salman Baset

Research Staff Member
Salman Baset is working as a Research Staff Member at IBM T. J. Watson Research Center. He received a PhD in Computer Science from Columbia University. His recent work at IBM has been focused on Docker security and designing, building, and securing IBM Containers. Presently, he also... Read More →

Stefan Berger

Senior Technical Staff Member, IBM Corporation
Stefan Berger works at IBM Research. His focus is on cloud security, virtualization security, trusted computing and more recently on security for containers. He is actively involved in several open source projects related to Linux virtualization, Linux containers, as well as the Linux... Read More →
avatar for Phil Estes

Phil Estes

Principal Engineer, AWS
Phil is a Principal Engineer for Amazon Web Services (AWS), focused on core container technologies that power AWS container offerings like Fargate, EKS, and ECS.Phil is currently an active contributor and maintainer for the CNCF containerd runtime project, and participates in the... Read More →

Thursday October 29, 2015 1:50pm - 2:30pm JST

Attendees (0)