January 2018 Container Newsletter.

Hello from all of us here at Sysdig and Happy New Year!

Consider this: Docker was initially released just ~4 years ago, container tech evolution happens on a different time scale, you blink, you miss out.

And with the quick adoption of containers, Docker Security is becoming a more relevant topic, that’s why starting with this edition we have an specific section on security.

So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.

We hope you enjoy this! Ping us at @sysdig or on our open source Slack group #sysdig to share anything you feel we should include here, we are looking forward your contributions!


Making Sense of Meltdown/Spectre

The IT world is currently in a state of shock. What will be the consequences? You can measure the performance impact of Meltdown/Spectre patches with extreme precision using open source Sysdig.

Fishing for miners – Kubernetes honeypot

A tempting Kubernetes honeypot in the open, armed with Sysdig Secure + Sysdig Inspect for deep forensics analysis. Follow the complete walkthough to detect cryptojacking in Kubernetes .

Sockguard, security for the Docker daemon socket

Sockguard acts as a rule-based security proxy that filters access to the underlaying Docker socket. You can, for example, white-list host bind mounts, forbid access to the host network or enforce additional containerization checks.

Precious cargo, securing containers with Kubernetes 1.8

Kubernetes is rapidly adopting new security frameworks and capabilities, we are here to help you get up to speed with them. Here you have a checklist with several security best practices updated to make use of the latest features available in the platform.


10 reasons why LinuxKit is better than the traditional OS

Still not convinced to give LinuxKit a try when you are doing just fine with regular base OS images? This article offers a comprehensive and technically solid list of reasons to evaluate the switch.

Docker Swarm & Kubernetes comparison series

Now that Kubernetes is getting tightly integrated in the Docker stack, a series of articles comparing and translating the different logical entities (Deployments, ReplicaSets, Ingress controllers) can be handy.

Advanced Docker networking – custom outgoing IP

Have a hosting machine(s) with multiple public IPs? Let’s get into Docker NATing and filtering rules to configure outgoing routing.

Tips on writing a Dockerfile

Optimize your Dockerfiles following these simple but effective design tips. Really worth the read to avoid common mistakes here.

Five ways to slim your Docker images

Reducing your containers footprint is more important that you might think. Here you have a list with 5 detailed methods coupled with demonstration examples on how to trim your containers to the minimum.

Adjusting Linux kernel parameters with Docker Compose

Did you know you can set kernel parameters from the Docker Compose YAML file? If you require sysctl tunning, it will let you use straight public images without having to maintain your custom Dockerfile.

Docker in development with Nodemon

If you are in the first stages of development or building an example / lab stack, constantly rebuilding your Docker images can get in your way. Using Nodemon, code changes will be automatically re-deployed.

Packaging a Flask app with Docker

Still in your container baby steps? Using Docker and Python Flask I guarantee you will be amazed by how much you can accomplish with just a few lines of configuration and code.

Windows subsystem for Linux w/ zsh, tmux & Docker

Is Windows desktop a first class citizen for Docker development? Definitely getting there. This article makes an interesting cheat sheet to roll you container dev environment on Windows 10 with zsh, VSCode and tmux and friends.


Developing native Python microservices for Mesos

Python code can be bundled into a small binary that includes the interpreter, code and dependencies, keeping the container simple and agnostic. You can just deploy your binary standalone to a native Mesos container using Marathon.

Deep Learning with PyTorch and GPUs on DC/OS

Deep learning and GPU processing streams have been one of the hottest topics at the end 2017. Learn how to deploy and train a neural network using PyTorch over DC/OS.


Runtime security for Kubernetes with Sysdig Falco

Do you have any runtime security measure to control the behavior of your pods after their base image has been statically scanned? Sysdig Falco is an opensource, rule-based security monitor that you can easily roll in your cluster using Kubernetes DaemonSets.

Sysdig Inspect explained visually

Linux system call analysis is a low level and extremely powerful technique. Does it have to be dense and ugly as well? Not really. Learn how to use the Sysdig Inspect UI for deep security forensics and container troubleshooting that is also intuitive and usable.

Monitoring Alibaba Container Service

Alibaba is offering a limited free trial! let’s do some testing and monitoring of Alibaba Container Service deploying an application stack and Sysdig Monitor.

Integrating Prometheus alerts and events with Sysdig Monitor

If you already deploy Prometheus & AlertManager, you can easily import your existing Prometheus alerts into Sysdig Monitor using a simple webhook forwarder. Batteries (code & reference containers) included.


Letter to Santa Kube

A lot of Docker experts are getting used to Kubernetes lately. This lighthearted wishlist brings some constructive criticism to the table.

SaltStack recipe to deploy a Kubernetes cluster

Cloud provider agnostic, TLS and RBAC enabled by default and optionally including add-ons like the Dashboard or Helm out of the box. A truly time-saver resource.

Scheduling in Kubernetes

Node affinity and Pod affinity, two concepts to understand if you want to optimize your pod topology and logical grouping. Nicely detailed with examples and diagrams, a quality read.

What’s coming in 2018? Kubernetes trends

Possibly one of the most relevant trends we have seen in the container world last year is the meteoric rise of Kubernetes. How is this ecosystem going to evolve? there are several opinion articles on the matter.

Stern, Kubernetes log tailer

Stern allows you to tail multiple pods on Kubernetes and multiple containers within the pod. Each result is color coded for better readability, you can also use regular expressions to automatically tail the pods that are being dynamically spawned.

Metaparticle, Kubernetes deployment as code

Imagine importing a library into your code that automatically handles Kubernetes deployment of itself, without needing to use docker build or kubectl, that’s Metaparticle’s innovative proposal.

ChaosKube, prepare for the worst

You have probably heard about Netflix’ Chaos Monkey. Deploying ChaosKube in your cluster using Helm, pods will be randomly killed to test your infrastructure resilience.

Learning to operate Kubernetes reliably

Seven stratregies (with awesome comic strips!) on how not to just build your solution on top of Kubernetes, but also gain the confidence, expertise and predictability you will need to face future bugs and edge cases.

Cloning Kubernetes data volumens with Trident

Cloning an existing persistent volume claim (PVC) is not yet a native feature of the platform. Trident can extend the PVC YAML definition to reference the source data to be cloned.


Deploying OpenShift applications to multiple datacenters

Deploying a highly available infrastructure with disaster recovery across multiple datacenters is no trivial task. This article discusses the main complexity points and concerns to address. You can use it as a starting point for your own enterprise-grade design.

A first look at KubeVirt

KubeVirt project aims to declare full-blown Virtual Machines in your cluster, like you do with pods. The software is not fully mature yet, but if you want a preview this post demonstrates a working VM deployment on top of OpenShift.