Container camp - London - 2015
In general, it was fun to be at container.camp. What I especially liked is the fact that you didn’t have to make a choice about what you’re going to miss as all presentations were in the same room so everyone was able to attend every talk (if they liked to). As always, there’s no conference without having some minor technical difficulties, in this case it was (surprise surprise!) getting the screen/s to work. This kind-of kept on being a challenge until the end of the day, but rather than annoying, it seemed to entertain all / most of the techies around.
joyent / bryan cantrill
Container.camp opened with Joyent’s own Bryan Cantrill going a bit more into the history of containers starting with chroot to chroot jails to solaris zones to Docker. Joyent’s Triton is a public/private elastic container service that allows you to view your Data Centre (private) as one logical unit of computing power, Triton will do the rest of managing where your container will run. Containers on Triton run directly on Metal, making it more performant than running containers inside VMs (as many/most/all other providers currently do — probably due to security concerns).
sysdig / loris degioanni
Loris Degioanni, CEO & Founder of Sysdig, gave me a quick demo of the commercial product Sysdig Cloud which I found very promising, especially since all one needs to do to start monitoring all the docker containers running on a host is simply spin up, well, just another docker container that runs the sysdig daemons that send data back to Sysdig Cloud. Have a look at the demo, it’s as he said “like a google maps for your infrastructure”.
Sysdig is a pretty cool tool to inspect not only containers, but also your system’s processes and what they’re up to in any given moment. It’s much like a combination of
tcpdump and the likes, combined in one tool to rule them all. Talking to the founder, he also explained that as sysdig is written in C, and with that not easily extensible, he added lua script support to add your own custom modules to sysdig. Sysdig is open-source and free to use.
google / mandy waite
TL;DR of @tekgrrl’s presentation — Google’s been the lonely user of containers for > 10 years until recently when containers became finally more popular, thanks to Docker. She explained about resource stranding and how careful planning / management and a good scheduler can make sure to make most of ones resources. We also got a quick demo of Google’s GKE (Google Container Engine), it’s basically a hosted Kubernetes and Google peeps will take care of your Kubernetes master should there be issues — there is currently no HA for Kubernetes masters. More info on Google Container Engine is as always available on Google. Here a link to the Bork paper which is what Google is using for their container / cluster management.
scrapbook / ben hall
One of my favourite talks was Ben Hall’s “Running potential malicious code in containers”. The idea of scrapbook was to allow users to run their own apps in OS containers for training purposes. And as always there were quickly a couple bad guys trying to break the system, break out of the container, etc. Ben showed several real-world hacks that happened in the process of building scrapbook and what he’s done to investigate, mitigate and to improve security. One of the examples was a hacked ElasticSearch container, see his blog post here.
docker / diogo monica
Another great talk about Docker & Secuirty was from Diogo, he is currently the secuirty lead at Docker. Diogo demonstrated a “new way” of signing and verifying a Docker image’s validity and integrity — he also explained why gpg/pgp signatures are not enough (MITM / replay attack). Without going into too much detail, we all should have a look at The Update Framework which is in practice implemented by Docker’s new Notary — it’s open source and free to use.
The use of Notary is currently optional, and can be enabled by
export DOCKER_CONTENT_TRUST=1 or
--disable-content-trust=false, this will prevent MITM attacks as well as unauthorized tampering with a container image's layers. From what I remember, you will need to have at least version 1.8.1 to be able to use signed Docker Images with Notary.
luminis tech / arjan schaaf
Arjan compared container performance on different clouds with the TL;DR being that Amazon seemed to outperform Azure and using Flannel w/ VxLAN gives comparable the best SDN performance. He compared Native vs Weave, Flannel, Flannel w/ VxLAN and Calico. Some of the tools he used were
qperf where iperf3 was used for longer running tests vs qperf for short bursts.
There were several more talks which were interesting, but I personally feel that above were my favorites from the day. You should probably keep an eye on speakerdeck / youtube / etc. for the Container.Camp talks going online in the next few weeks.