User Namespace and Seccomp Support in Docker Engine – Paul Novarese, Docker

Mostly a demonstration of the various security options in Docker. Some very rough notes:
  • Developers and operations engineers have a lot of security options available for processes running as containers: user namespaces, seccomp, etc.
  • Image integrity can be guaranteed by Notary (Docker software).
  • He introduced the iceberg analogy: the tip of the iceberg is the actual code written by some application engineer, but below the surface there is a ton more that you just drag along: a whole OS filesystem, libraries, frameworks, etc.
  • Originally, Docker supported only namespaces and cgroups. Then, seccomp was added.
  • Some vulnerabilities that were avoided by the default seccomp profile in use in Docker:
  • Contrary to common opinion, he specifically emphasized that applications running in containers are more secure than on bare metal, because of cgroups, namespaces and seccomp.
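As an added example (not code from the talk or from Docker itself), here is a small evaluator for the JSON layout Docker uses for seccomp profiles: a `defaultAction` plus an allowlist of `syscalls` entries, some gated on container capabilities via `includes`/`excludes`. The profile below is constructed for illustration, and the evaluation is an assumed simplification (first matching entry wins, `args` masks and `architectures` are not modelled).

```python
"""Which seccomp action does a syscall get under a Docker-style profile?"""
import json

# Constructed profile in Docker's profile layout: default-deny, allow common
# syscalls, and allow a few dangerous ones only with the matching capability.
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "exit_group", "futex"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["mount", "umount2", "unshare"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "excludes": {"caps": ["CAP_SYS_ADMIN"]},
     "comment": "real profiles attach an args mask here (not modelled)"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
"""
PROFILE = json.loads(PROFILE_JSON)


def rule_applies(rule, caps):
    """Capability gating (assumed semantics): 'excludes' drops the rule if ANY
    listed cap is held; 'includes' keeps it only if ALL listed caps are held."""
    excluded = rule.get("excludes", {}).get("caps", [])
    if any(c in caps for c in excluded):
        return False
    included = rule.get("includes", {}).get("caps", [])
    return all(c in caps for c in included)


def action_for(profile, syscall, caps=()):
    """First matching entry wins; anything unlisted falls to defaultAction."""
    caps = set(caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def audit(profile, syscalls, caps=()):
    """Map each syscall to its action, to see what a profile+caps combo exposes."""
    return {s: action_for(profile, s, caps) for s in syscalls}


if __name__ == "__main__":
    for caps in [(), ("CAP_SYS_ADMIN",)]:
        print(caps, audit(PROFILE, ["read", "mount", "ptrace", "keyctl"], caps))
```

Running it shows why the default-deny allowlist matters: a syscall the profile never names (`keyctl` here) is denied regardless of capabilities, while `mount` flips to allowed only when `CAP_SYS_ADMIN` is granted.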