BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Pentabarf//Schedule 0.3//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALDESC;VALUE=TEXT:Containers devroom
X-WR-CALNAME;VALUE=TEXT:Containers devroom
X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels
BEGIN:VEVENT
METHOD:PUBLISH
UID:7079@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T090000
DTEND:20180204T090500
SUMMARY:Welcome
DESCRIPTION:
Introduction to the containers devroom.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_welcome/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Stéphane Graber":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6997@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T091000
DTEND:20180204T093000
SUMMARY:The State of Containers in Scientific Computing
DESCRIPTION:Containers are gaining significant traction as a means of deploying and distributing software in the scientific computing space. With a plethora of solutions to choose from, this talk will go into why there is a tendency for custom container runtimes in this area of computing. We will discuss portability, performance, security and ease of use, as well as direct hardware access as driving factors. As new processor architectures and specialized hardware for machine learning emerge, some of those factors will affect larger parts of the container community.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_scientific/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Georg Rath":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6484@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T093500
DTEND:20180204T095500
SUMMARY:Automated Linux Containers deployment for fun and profit.
DESCRIPTION:How we use LXD, Puppet, Jenkins, Bash and PyLXD to create system containers for our developers' development environments at Emesa.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_automated_deployments/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="David Negreira":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6188@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T100000
DTEND:20180204T102500
SUMMARY:You want a Clean Desktop OS? Containerize it
DESCRIPTION:Containers are all the rage, alongside cloud and DevOps. Sometimes they also induce rage. In this talk, we will take a look at using Fedora Atomic on your desktop, when it makes sense, and what the potential benefits vs drawbacks of having a container-based OS on your desktop are for you as a developer.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_desktop/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Sanja Bonic":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6899@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T103000
DTEND:20180204T110000
SUMMARY:Making Linux Security Modules available to Containers
DESCRIPTION:Containers would like to be able to make use of Linux Security Modules (LSMs), from providing more complete system virtualization to improving container confinement. To date containers' access to the LSM has been limited, but there has been work to change the situation.
This presentation will discuss the current state of LSM stacking and namespacing: the work being done on various security modules to support namespacing, the infrastructure work being done to improve the LSM, and an examination of the remaining problems. It will also provide a demo of a container leveraging LSM stacking so that the host is using a different security module than that of the container.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_lsm/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="John Johansen":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6924@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T110500
DTEND:20180204T112500
SUMMARY:How to build and run OCI containers
DESCRIPTION:In this talk you can expect to learn what OCI containers are, how to build them and why you may want them. The first part will be a brief introduction to OCI containers followed by the motivation behind our use-case at the OpenStack/Magnum project and the Container Service at CERN. How we leverage OCI containers and why we chose them to offer container infrastructure to our users, meaning running kubernetes, etcd, flanneld, OpenStack-specific daemons, CERN-specific tools, the docker daemon and cri-o.
The second part will be a shallow dive on how to run and build OCI containers from scratch and most importantly how to populate the famous config.json file, the heart of the OCI configuration. This part will include examples on how to use docker, runc, rkt, atomic and buildah.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_build_oci/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Spyros Trigazis":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6812@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T113000
DTEND:20180204T115000
SUMMARY:State of the rkt container runtime and its Kubernetes integration
DESCRIPTION:This presentation will give an update on the rkt project, what new features were implemented recently and what’s coming up. It will also give an update on the state of the rkt implementation of the Kubernetes Container Runtime Interface (CRI), rktlet.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_rkt_kubernetes/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Iago Lopez Galeiras":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6691@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T115500
DTEND:20180204T120500
SUMMARY:Turning physical systems into containers
DESCRIPTION:System containers such as those that LXD can run are effectively Linux systems but without a Linux kernel. So wouldn't it be nice to just be able to take an existing physical system or virtual machine and transfer it over the network to a LXD host, then boot it as a container without needing any manual transfer process?
This is what I'll be demoing in this short talk, using a small piece of software that uses the LXD migration API to stream a system over the network to a remote LXD server, turning it into a container.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_physical_migration/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Stéphane Graber":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6884@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T121000
DTEND:20180204T125000
SUMMARY:File access-control per container with Landlock
DESCRIPTION:Linux has multiple access-control systems, including SELinux, AppArmor, Smack or Tomoyo, that can enforce a security policy. However, it may be challenging to create and maintain such a policy per container. Moreover, a dynamically configured and unprivileged access control may better fit container needs.
In this talk, we present a Linux Security Module (LSM) proposal called Landlock, leveraging eBPF to create flexible access-control rules. Landlock can be used as a new security layer, composing with namespaces, cgroups, seccomp and other LSMs, to sandbox applications and containers. We highlight the last Landlock patchset (v8) which brings a new way to restrict access to files.
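The v8 patchset presented in this talk built Landlock on eBPF programs. The design that was eventually merged in Linux 5.13 kept the goal of unprivileged, stackable file access control but dropped eBPF in favour of a fixed ruleset API with three syscalls: landlock_create_ruleset(2), landlock_add_rule(2) and landlock_restrict_self(2). The C program below is an added example and not code from the talk or from the Landlock project; the helper names (landlock_abi_version, fs_rights_for_abi, confine_to), the sample directories /usr and /tmp and the probe file /etc/hostname are choices made here. It confines the calling process so that only /usr (read and execute) and /tmp (read and write) stay reachable, and it sizes the set of handled rights to the kernel's ABI version, which is the detail that most breaks sandboxes across kernel versions.

```c
/* Added example (not from the talk): the Landlock API as merged in Linux 5.13.
 * The merged design kept unprivileged, stackable file access control but
 * replaced the eBPF programs of the v8 patchset with a fixed ruleset built
 * through three syscalls. Build with: cc -o confine confine.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/types.h>
#ifdef __has_include
# if __has_include(<linux/landlock.h>)
#  include <linux/landlock.h>
# endif
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION /* fallbacks for pre-5.13 headers (ABI 1) */
struct landlock_ruleset_attr { __u64 handled_access_fs; };
struct landlock_path_beneath_attr { __u64 allowed_access; __s32 parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
#endif
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) /* ABI 2: link/rename across directories */
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) /* ABI 3 */
#endif
#ifndef __NR_landlock_create_ruleset /* pre-5.13 headers; same numbers on x86_64 and arm64 */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Landlock ABI version, or -1 if unavailable (ENOSYS) or disabled at boot (EOPNOTSUPP). */
int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Filesystem rights known to a given ABI. Handling a right the running kernel
 * does not know fails with EINVAL; not handling one it does know leaves that
 * operation unrestricted (e.g. truncate on ABI 3), so follow the ABI version.
 * Later ABIs add more rights (IOCTL_DEV in ABI 5) that are omitted here. */
__u64 fs_rights_for_abi(int abi)
{
    __u64 r = (1ULL << 13) - 1; /* the 13 rights of ABI 1, EXECUTE .. MAKE_SYM */
    if (abi >= 2) r |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) r |= LANDLOCK_ACCESS_FS_TRUNCATE;
    return r;
}

/* Irreversibly confine the calling process: read and execute under ro_dir,
 * full access under rw_dir, EACCES everywhere else. Returns 0 on success,
 * -2 when Landlock is unavailable, -1 (errno set) on any other failure. */
int confine_to(const char *ro_dir, const char *rw_dir)
{
    int abi = landlock_abi_version();
    if (abi < 0) return -2;
    struct landlock_ruleset_attr attr = { .handled_access_fs = fs_rights_for_abi(abi) };
    int ruleset = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset < 0) return -1;
    const __u64 ro = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
    const struct { const char *path; __u64 allowed; } rules[] = {
        { ro_dir, ro }, { rw_dir, attr.handled_access_fs } }; /* allowed must be within handled */
    for (size_t i = 0; i < 2; i++) {
        struct landlock_path_beneath_attr pb = { .allowed_access = rules[i].allowed };
        pb.parent_fd = open(rules[i].path, O_PATH | O_CLOEXEC);
        long rc = pb.parent_fd < 0 ? -1
                : syscall(__NR_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        if (pb.parent_fd >= 0) close(pb.parent_fd);
        if (rc < 0) { close(ruleset); return -1; }
    }
    /* no_new_privs is mandatory: it stops a confined process from regaining rights via setuid. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
        syscall(__NR_landlock_restrict_self, ruleset, 0) < 0) {
        close(ruleset); return -1;
    }
    close(ruleset);
    return 0;
}

int main(void)
{
    int rc = confine_to("/usr", "/tmp");
    if (rc == -2) return puts("Landlock is not available on this kernel"), 0;
    if (rc < 0) return perror("confine_to"), 1;
    /* /etc is under neither rule, so this open must now fail with EACCES. */
    int fd = open("/etc/hostname", O_RDONLY | O_CLOEXEC);
    int err = fd < 0 ? errno : 0;
    printf("open(/etc/hostname) -> %d (errno %d)\n", fd, err);
    return err == EACCES ? 0 : 1;
}
```

Run it unprivileged: on a kernel with Landlock enabled the final open fails with EACCES even though the process could read /etc/hostname before the call, and a child started after confine_to inherits the same restriction. Two points carry over from the talk's design: the ruleset is composed with, not instead of, whatever SELinux or AppArmor policy applies to the process, and because rulesets only ever remove rights, a second confine_to call can tighten but never loosen the sandbox.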
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_landlock/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Mickaël Salaün":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:7094@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T125500
DTEND:20180204T131500
SUMMARY:Introduction to LXD clustering
DESCRIPTION:This demo introduces the new LXD clustering feature and shows how to scale a single-node deployment to a fault-tolerant multi-node one, sharing information about containers, storage pools and networks in the same database.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_lxd_clustering/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Free Ekanayaka":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6368@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T132000
DTEND:20180204T134000
SUMMARY:containerd 1.0 Project Update
DESCRIPTION:Containerd, a minimal container runtime created out of the original Docker engine, has now been a Cloud Native Computing Foundation (CNCF) member project since March 2017. Intended for use not just by the Docker engine as a lower layer container runtime and management layer above an OCI compliant executor, the expectation is that Kubernetes will use containerd as well as other projects that need a straightforward, embeddable container runtime without vendor control or opinionated behavior.
This project update will overview how we arrived at a "containerd 1.0" feature complete state from the original containerd implementation, and how it is being embedded and used in various projects like "cri-containerd" for Kubernetes and the recent Docker engine releases. We'll also look at the ease with which containerd can be embedded via its client library to offer container lifecycle management to any broader application.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_containerd/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Phil Estes":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6382@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T134500
DTEND:20180204T140500
SUMMARY:LTTng: The road to container awareness
DESCRIPTION:The LTTng kernel and user-space tracer were designed for traditional Linux hosts but can also be used in a container environment. While we currently lack high-level functions and integration with container technologies, the raw data can be gathered and analysed by the seasoned lttng user. This talk will detail what is currently available, what we would like to add and hopefully what the community would expect from a container aware version of LTTng.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_lttng/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Michael Jeanson":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6190@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T141000
DTEND:20180204T143500
SUMMARY:Kubernetes Security Best Practices
DESCRIPTION:Containers give developers the ability to isolate applications from one another, but that’s not enough. Resource isolation is much different than security isolation. How do we make applications deployed in containers more secure? How do we apply existing tools like SELinux, AppArmor, and seccomp to our containers running in Kubernetes? How can we apply policy to our network and services to make sure applications only have access to what they need and nothing more?
Kubernetes provides the ability to secure containers, and secure access to the API. But it also has a flexible enough architecture to allow for applying network and service policy to various pods and services.
In this talk we will learn about the risks and attack surfaces and how to use tools like SELinux, AppArmor and seccomp to improve the security of containers deployed in Kubernetes. We’ll then go up the stack and learn how to apply network policy to containers to further improve security. Finally we will look at the Istio service mesh and how we can add authentication, mutual TLS, and access policies to whole services greatly reducing application attack surfaces.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_kubernetes_security/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Ian Lewis":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6144@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T144000
DTEND:20180204T150000
SUMMARY:Forwarding system calls to userspace
DESCRIPTION:In this talk, I will describe SECCOMP_USER_NOTIF, a new seccomp return type under development to forward syscalls to another userspace daemon. This would allow container engines to transparently hook syscalls like mount or modprobe, enabling applications inside containers to use these syscalls without modification.
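The return type described in this talk shipped in Linux 5.0 under the name SECCOMP_RET_USER_NOTIF, together with the SECCOMP_FILTER_FLAG_NEW_LISTENER flag that hands the installer a notification file descriptor and the SECCOMP_IOCTL_NOTIF_RECV, SECCOMP_IOCTL_NOTIF_ID_VALID and SECCOMP_IOCTL_NOTIF_SEND ioctls on that descriptor. The C program below is an added example, not code from the talk or from the kernel patchset: it installs a filter that forwards mount(2) to a supervisor, forks an unmodified child that calls mount(), and has the supervisor answer the call as successful without performing any mount. The function names (build_notify_filter, answer_one_notification) and the choice of mount(2) as the hooked call are assumptions made here. It also shows the one check a supervisor must not skip: re-validating the notification id before acting on it, because the syscall arguments live in the caller's memory and the caller can die and have its pid reused while the supervisor is still reading them.

```c
/* Added example (not from the talk): a minimal supervisor for seccomp user
 * notification as merged in Linux 5.0, where the return code is named
 * SECCOMP_RET_USER_NOTIF. It hooks mount(2) in a child and answers "success"
 * without performing any mount. Build with: cc -o notif notif.c */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_USER_NOTIF /* fallbacks for headers older than Linux 5.0 */
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
struct seccomp_notif { __u64 id; __u32 pid; __u32 flags; struct seccomp_data data; };
struct seccomp_notif_resp { __u64 id; __s64 val; __s32 error; __u32 flags; };
#define SECCOMP_IOCTL_NOTIF_RECV     _IOWR('!', 0, struct seccomp_notif)
#define SECCOMP_IOCTL_NOTIF_SEND     _IOWR('!', 1, struct seccomp_notif_resp)
#define SECCOMP_IOCTL_NOTIF_ID_VALID _IOW('!', 2, __u64)
#endif
#if defined(__aarch64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64 /* adjust for other architectures */
#endif

/* Build a filter that forwards syscall `nr` to the supervisor and allows all
 * others. Returns the instruction count, or 0 if `cap` is too small. */
size_t build_notify_filter(int nr, struct sock_filter *out, size_t cap)
{
    struct sock_filter prog[] = {
        /* Check the ABI first: syscall numbers differ between architectures,
         * so a filter without this check is bypassed by switching ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof prog / sizeof prog[0];
    if (cap < n) return 0;
    memcpy(out, prog, sizeof prog);
    return n;
}

/* Receive one notification and answer it as a successful call. Returns the
 * pid of the blocked caller, or -1 on error. */
int answer_one_notification(int listener)
{
    struct seccomp_notif req = { 0 };       /* the kernel requires a zeroed buffer */
    struct seccomp_notif_resp resp = { 0 };
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0)
        return -1;
    /* A real supervisor reads the mount arguments from /proc/<pid>/mem here.
     * The caller may die and its pid be reused meanwhile, so the id must be
     * re-validated after reading and before acting on what was read. */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) < 0)
        return -1;
    resp.id = req.id;
    resp.val = 0;   /* return value the caller sees */
    resp.error = 0; /* 0 = success; a negative errno would fail the call instead */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0)
        return -1;
    return (int)req.pid;
}

int main(void)
{
    struct sock_filter filter[8];
    struct sock_fprog prog = { .filter = filter };
    prog.len = (unsigned short)build_notify_filter(SYS_mount, filter, 8);
    /* Unprivileged callers must set no_new_privs before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl"); return 1; }
    /* NEW_LISTENER returns the notification fd. The filter also binds this
     * process, but only mount() is forwarded, so the supervisor keeps running. */
    int listener = (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                                SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (listener < 0) { perror("seccomp"); return 1; }
    pid_t child = fork();
    if (child == 0) { /* unmodified workload: an unprivileged mount() normally gets EPERM */
        int rc = mount("none", "/mnt", "tmpfs", 0, NULL);
        printf("child: mount() returned %d (errno %d)\n", rc, rc ? errno : 0);
        _exit(rc == 0 ? 0 : 1);
    }
    if (answer_one_notification(listener) < 0) perror("supervisor");
    int status = 0;
    waitpid(child, &status, 0);
    return WEXITSTATUS(status);
}
```

Run it as an unprivileged user on a 5.0 or later kernel: the child prints `mount() returned 0` although nothing was mounted, which is the transparent hook the talk describes. Because the filter is installed before fork(), it binds the supervisor as well as the child; that is harmless here since only mount() is forwarded, but a supervisor that forwards a syscall it uses itself will block forever waiting for its own notification. The supervisor in this example trusts nothing it did not receive from the kernel; a production version that reads pathnames from the caller's memory must also apply its policy to those paths, and, since the caller's process can modify the memory concurrently, decide on the copy it read rather than re-reading.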
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_syscall_forwarding/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Tycho Andersen":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6646@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T150500
DTEND:20180204T152500
SUMMARY:Exploring container image distribution with casync
DESCRIPTION:Container engines like Docker and rkt download container images containing applications to be executed. With Kubernetes – a container orchestration system – updates to a new version of an application can be propagated on the nodes automatically. When the new version has only a few changes compared to the previous versions, this results in downloading the same content again, wasting network bandwidth. With casync – a content-addressable data synchronization tool – we could do better.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_casync/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Alban Crequy":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:7081@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T153000
DTEND:20180204T155000
SUMMARY:Optimized container live-migration
DESCRIPTION:LXD has supported container migration between hosts for a long time. Recently we have not just implemented optimized transfers of container storage for non-live migration and live migration but also optimized transfers of the container's memory state for the live migration case. This talk will give an overview of how live and non-live migration work and what was done to tweak performance.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_optimized_migration/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Christian Brauner":invalid:nomail
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Adrian Reber":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6198@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T155500
DTEND:20180204T162000
SUMMARY:Everything you need to know about containers security
DESCRIPTION:Security is important but not everyone cares about it until something bad happens. In this talk, I’ll speak about the main tips for integrating Security into Containers. I will share my knowledge and experience and help people learn to focus more on Containers Security. In this talk I will review the state of the art of application security practices and talk about best security practices to create more secure containers. And we look at organizational, process, and technology innovations to secure applications in ways that incorporate, but go beyond, testing for vulnerabilities, by looking at what developers can do before checking in code and what application security looks like in production.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_workload_security/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="José Manuel Ortega":invalid:nomail
END:VEVENT
BEGIN:VEVENT
METHOD:PUBLISH
UID:6449@FOSDEM18@fosdem.org
TZID:Europe-Brussels
DTSTART:20180204T162500
DTEND:20180204T164500
SUMMARY:Containing container memory
DESCRIPTION:This talk is about how CRIU deals with application memory during container checkpoint, restore and live migration. We present techniques we use to create an exact snapshot of a process's memory layout during checkpoint and then how we recreate that exact layout at the time of restore. We present optimizations for reducing the snapshots' footprint and for making container live migration livelier.
CLASS:PUBLIC
STATUS:CONFIRMED
CATEGORIES:Containers
URL:https://fosdem.org/2018/schedule/2018/schedule/event/containers_containing_memory/
LOCATION:UD2.120 (Chavanne)
ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Mike Rapoport":invalid:nomail
END:VEVENT
END:VCALENDAR