Hello from all of us here at Sysdig, and Happy New Year!
Consider this: Docker was initially released just ~4 years ago. Container tech evolution happens on a different time scale; you blink, you miss out.
And with the quick adoption of containers, Docker security is becoming a more relevant topic, which is why, starting with this edition, we have a specific section on security.
So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, OpenShift, etc.
We hope you enjoy this! Ping us at @sysdig or on our open source Slack group #sysdig to share anything you feel we should include here; we are looking forward to your contributions!
SECURITY
Making Sense of Meltdown/Spectre
The IT world is currently in a state of shock. What will be the consequences? You can measure the performance impact of Meltdown/Spectre patches with extreme precision using open source Sysdig.
Fishing for miners – Kubernetes honeypot
A tempting Kubernetes honeypot in the open, armed with Sysdig Secure + Sysdig Inspect for deep forensics analysis. Follow the complete walkthrough to detect cryptojacking in Kubernetes.
Sockguard, security for the Docker daemon socket
Sockguard acts as a rule-based security proxy that filters access to the underlying Docker socket. You can, for example, whitelist host bind mounts, forbid access to the host network or enforce additional containerization checks.
Precious cargo, securing containers with Kubernetes 1.8
Kubernetes is rapidly adopting new security frameworks and capabilities, and we are here to help you get up to speed with them. Here is a checklist of security best practices, updated to make use of the latest features available in the platform.
DOCKER
10 reasons why LinuxKit is better than the traditional OS
Still not convinced to give LinuxKit a try when you are doing just fine with regular base OS images? This article offers a comprehensive and technically solid list of reasons to evaluate the switch.
Docker Swarm & Kubernetes comparison series
Now that Kubernetes is getting tightly integrated into the Docker stack, a series of articles comparing and translating the different logical entities (Deployments, ReplicaSets, Ingress controllers) can come in handy.
Advanced Docker networking – custom outgoing IP
Have a hosting machine (or machines) with multiple public IPs? Let’s get into Docker NAT and filtering rules to configure outgoing routing.
Tips on writing a Dockerfile
Optimize your Dockerfiles following these simple but effective design tips. Really worth the read to avoid common mistakes.
Five ways to slim your Docker images
Reducing your containers’ footprint is more important than you might think. Here is a list of five detailed methods, coupled with demonstration examples, on how to trim your containers to the minimum.
Adjusting Linux kernel parameters with Docker Compose
Did you know you can set kernel parameters from the Docker Compose YAML file? If you require sysctl tuning, this lets you use public images directly without having to maintain a custom Dockerfile.
Docker in development with Nodemon
If you are in the first stages of development or building an example / lab stack, constantly rebuilding your Docker images can get in your way. Using Nodemon, code changes are automatically redeployed.
Packaging a Flask app with Docker
Still taking your first container baby steps? Using Docker and Python Flask, I guarantee you will be amazed by how much you can accomplish with just a few lines of configuration and code.
Windows Subsystem for Linux w/ zsh, tmux & Docker
Is the Windows desktop a first-class citizen for Docker development? It is definitely getting there. This article makes an interesting cheat sheet for rolling your container dev environment on Windows 10 with zsh, VSCode, tmux and friends.
MESOS
Developing native Python microservices for Mesos
Python code can be bundled into a small binary that includes the interpreter, code and dependencies, keeping the container simple and agnostic. You can then deploy your binary standalone to a native Mesos container using Marathon.
Deep Learning with PyTorch and GPUs on DC/OS
Deep learning and GPU processing streams have been among the hottest topics at the end of 2017. Learn how to deploy and train a neural network using PyTorch on DC/OS.
SYSDIG
Runtime security for Kubernetes with Sysdig Falco
Do you have any runtime security measure to control the behavior of your pods after their base image has been statically scanned? Sysdig Falco is an open source, rule-based security monitor that you can easily roll out in your cluster using Kubernetes DaemonSets.
Sysdig Inspect explained visually
Linux system call analysis is a low-level and extremely powerful technique. Does it have to be dense and ugly as well? Not really. Learn how to use the Sysdig Inspect UI for deep security forensics and container troubleshooting that is also intuitive and usable.
Monitoring Alibaba Container Service
Alibaba is offering a limited free trial! Let’s do some testing and monitoring of Alibaba Container Service, deploying an application stack and Sysdig Monitor.
Integrating Prometheus alerts and events with Sysdig Monitor
If you already deploy Prometheus & AlertManager, you can easily import your existing Prometheus alerts into Sysdig Monitor using a simple webhook forwarder. Batteries (code & reference containers) included.
KUBERNETES
Letter to Santa Kube
A lot of Docker experts are getting used to Kubernetes lately. This lighthearted wishlist brings some constructive criticism to the table.
SaltStack recipe to deploy a Kubernetes cluster
Cloud provider agnostic, TLS and RBAC enabled by default, and optionally including add-ons like the Dashboard or Helm out of the box. A true time-saver.
Scheduling in Kubernetes
Node affinity and pod affinity: two concepts to understand if you want to optimize your pod topology and logical grouping. Nicely detailed with examples and diagrams, a quality read.
What’s coming in 2018? Kubernetes trends
Possibly one of the most relevant trends we have seen in the container world last year is the meteoric rise of Kubernetes. How is this ecosystem going to evolve? There are several opinion articles on the matter.
Stern, Kubernetes log tailer
Stern allows you to tail multiple pods on Kubernetes and multiple containers within a pod. Each result is color coded for better readability, and you can also use regular expressions to automatically tail pods that are being dynamically spawned.
Metaparticle, Kubernetes deployment as code
Imagine importing a library into your code that automatically handles Kubernetes deployment of itself, without needing to use docker build or kubectl; that’s Metaparticle’s innovative proposal.
ChaosKube, prepare for the worst
You have probably heard about Netflix’s Chaos Monkey. Deploying ChaosKube in your cluster using Helm, pods will be randomly killed to test your infrastructure’s resilience.
Learning to operate Kubernetes reliably
Seven strategies (with awesome comic strips!) on how to not just build your solution on top of Kubernetes, but also gain the confidence, expertise and predictability you will need to face future bugs and edge cases.
Cloning Kubernetes data volumes with Trident
Cloning an existing persistent volume claim (PVC) is not yet a native feature of the platform. Trident can extend the PVC YAML definition to reference the source data to be cloned.
OPENSHIFT
Deploying OpenShift applications to multiple datacenters
Deploying a highly available infrastructure with disaster recovery across multiple datacenters is no trivial task. This article discusses the main complexity points and concerns to address. You can use it as a starting point for your own enterprise-grade design.
A first look at KubeVirt
The KubeVirt project aims to let you declare full-blown virtual machines in your cluster, like you do with pods. The software is not fully mature yet, but if you want a preview, this post demonstrates a working VM deployment on top of OpenShift.