Isolation in Docker is mainly accomplished via cgroups and namespaces. User namespaces are the newest namespace type to be supported by the Docker engine, and they allow users to run containers without elevated privileges; the lack of this capability has been a longstanding shortcoming and a frequent target of both user frustration and feature requests. In addition, seccomp support adds a new method of containment for running containers by providing both whitelist- and blacklist-based controls over which system calls are permitted or forbidden for containerized processes.
In this session, we’ll look at these new features, examine the basics of configuration, and do some live demos to see them in action.
Paul has been working on the ops side of open source for over 20 years, providing technical support, training, and general consulting in both the largest and smallest data centers.
Wednesday August 24, 2016 2:15pm - 3:05pm EDT
Harbour B