A lot of demonstrations of various security options in Docker. Some very rough notes:
- Developers and operations engineers have a lot of security options available for processes running as containers: user namespaces, seccomp, etc.
- The integrity of images can be guaranteed by Notary (Docker software).
- He introduced the iceberg analogy: the tip of the iceberg is the actual code written by some application engineer, but below the surface there is a ton more that you just drag along: the whole OS filesystem, libraries, frameworks, etc.
- Originally, Docker supported only namespaces and cgroups; seccomp was added later.
- Some vulnerabilities that were avoided by the default seccomp profile in use in Docker: https://docs.docker.com/engine/security/non-events/
- Contrary to common opinion, he specifically emphasized that applications running in containers are more secure than on bare metal because of cgroups, namespaces and seccomp.
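As an added example (not from the talk, and not Docker's own code or default profile), the script below builds a deny-by-default seccomp profile in the JSON shape that `docker run --security-opt seccomp=<file>` accepts, puts it next to the permissive `unconfined` setting, and resolves what each profile does with a given syscall so the effect can be checked before a container is started. The allowlist in `ALLOWED_SYSCALLS` is a constructed, deliberately tiny set for illustration; Docker's real default profile allows several hundred syscalls and is the sensible starting point for a custom profile.

```python
"""Build and inspect a deny-by-default Docker seccomp profile.

Added example, not from the talk or the Docker project. It shows the
profile format, the difference between a restrictive defaultAction and
the `unconfined` setting, and how to answer "is this syscall allowed?"
for a profile without starting a container.
"""
import json

# Constructed, minimal allowlist for a trivial workload (think of a
# static binary that reads stdin and writes stdout). This is an
# assumption for the example, not Docker's default profile.
ALLOWED_SYSCALLS = [
    "read", "write", "exit", "exit_group", "brk", "mmap", "munmap",
    "rt_sigreturn", "rt_sigaction", "rt_sigprocmask", "futex",
    "close", "fstat", "arch_prctl", "set_tid_address", "clock_gettime",
]

# What `--security-opt seccomp=unconfined` amounts to: no filter at all,
# every syscall is allowed. Kept here only as the weak setting to compare
# against; it is not a file you would ship.
UNCONFINED_LIKE = {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}


def build_profile(allowed, block_loudly=False):
    """Return a profile dict that allows only the syscalls in `allowed`.

    defaultAction applies to every syscall not listed in a rule:
    SCMP_ACT_ERRNO makes the call fail with EPERM and the process keeps
    running (what Docker's default does), SCMP_ACT_KILL_PROCESS kills the
    process, which is noisier but much easier to spot in logs and audit
    records when something unexpected is attempted.
    """
    return {
        "defaultAction": "SCMP_ACT_KILL_PROCESS" if block_loudly
        else "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"},
        ],
    }


def action_for(profile, syscall):
    """Resolve the action a profile takes for one syscall name.

    Mirrors the evaluation order: the first rule naming the syscall wins,
    otherwise defaultAction applies. Argument conditions ("args" in the
    Docker format) are not modelled in this simplified check.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def is_allowed(profile, syscall):
    return action_for(profile, syscall) == "SCMP_ACT_ALLOW"


def blocked_among(profile, syscalls):
    """Subset of `syscalls` that the profile would not allow."""
    return [s for s in syscalls if not is_allowed(profile, s)]


def write_profile(profile, path):
    """Write the profile as JSON for use with --security-opt seccomp=path."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    hardened = build_profile(ALLOWED_SYSCALLS)
    probes = ["read", "write", "mount", "ptrace", "keyctl", "reboot", "unshare"]
    print("unconfined blocks:", blocked_among(UNCONFINED_LIKE, probes))
    print("hardened blocks:  ", blocked_among(hardened, probes))
    write_profile(hardened, "hardened-seccomp.json")
```

The generated file is passed on the command line in the usual way, `docker run --rm --security-opt seccomp=hardened-seccomp.json <image> <cmd>`; with an allowlist this small most real commands will fail on their first unlisted syscall, which is exactly the feedback loop to use when trimming a copy of Docker's default profile down to what a workload needs.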