Hello from all of us here at Sysdig! This month is full of exciting container news, like the inclusion of the Sysdig Falco project in the CNCF sandbox, new features available in Kubernetes 1.12 and more.
So here it is again: a monthly newsletter to share the latest happenings in the container ecosystem across vendors and open source projects like Docker, Kubernetes, DC/OS Mesos, Openshift, etc.
We hope you enjoy this! Ping us at @sysdig or on our open source Sysdig Slack group to share anything you feel should be included in future newsletters; we are looking forward to your contributions! You can also find previous newsletter editions in the Container Newsletter archive.
Sign up for our monthly Cloud-native News.
SECURITY
Falco project joins the CNCF sandbox
Falco, the container security tool from Sysdig, is the first runtime security technology to join the Cloud Native Computing Foundation as a CNCF sandbox project.
Docker security best practices: Part 1
A gentle introduction to Docker security covering host OS security, a secure container build pipeline (featuring Anchore for image static analysis and early threat detection) and container runtime protection. Anchore and Falco are both available with Sysdig Secure.
Kubernetes 1.12 improves cloud-native security with TLS bootstrap
As we already covered in our What’s new in Kubernetes 1.12? post, with TLS bootstrapping a Kubernetes node (kubelet) can request a TLS certificate before joining the cluster.
Introduction to Linux container isolation concepts
A nice overview of the different isolation layers and the role each one plays in isolating your environment. This one focuses on the underlying Linux kernel capabilities.
Aging like milk, not wine: The realities of container security
Containers age like milk, not like wine. A heads-up on container obsolescence, their black-box nature and the implications for a consistent security policy.
SYSDIG
Sysdig Monitor 3.0 – Enterprise-grade Prometheus & Kubernetes
This major release of our monitoring product features new Prometheus capabilities like PromQL, a Grafana plugin and new enhancements for our already rich Kubernetes monitoring.
Announcing the publication of “Running containers in production for dummies”
This 44-page book provides all the high-level detail you need to understand your future pathway through the container adoption experience. You’ll cover orchestrators, CI/CD/CS, security and more.
Monitoring Java using JMX and custom metrics
Learn how to monitor the existing JMX metrics and attributes, and how to create new MBeans in your Java application to publish and monitor custom metrics.
Monitoring Java applications: Memory usage, threads and other JRE metrics
The Java Runtime Environment (JRE) contains critical information for debugging and troubleshooting your production Java applications; learn about VM memory sectors, thread behaviour and more.
12 WAYS SYSDIG MAKES PROMETHEUS ENTERPRISE READY: “How to scale, secure and augment Prometheus”.
KUBERNETES
Topology-aware volume provisioning in Kubernetes
This new multi-zone feature allows Kubernetes 1.12 to make better decisions when dynamically provisioning volumes by getting scheduler input on the best place to provision a volume.
Introducing volume snapshot alpha for Kubernetes
This storage-related feature in Kubernetes 1.12 allows creating/deleting volume snapshots, and the ability to create new volumes from a snapshot natively using the Kubernetes API.
Autoscaling applications on Kubernetes – A primer
This series will walk you through the basics of the scalability aspects in Kubernetes and give you some hints on how to design your applications for scale.
Health checking gRPC servers on Kubernetes
gRPC is on its way to becoming the lingua franca for communication between cloud-native microservices. grpc-health-probe is a Kubernetes-native way to health check gRPC endpoints.
In-depth introduction to Kubernetes admission webhooks
Using Kubernetes admission controllers, you can intercept Kubernetes API requests and modify or reject them based on custom logic. Try this out with all the nice code examples included in this post.
KubeDirector: The easy way to run complex stateful applications on Kubernetes
KubeDirector enables data scientists familiar with data-intensive distributed applications such as Hadoop, TensorFlow, etc. to run these applications on Kubernetes, with a minimal learning curve and no need to write Go code.
Kubernetes MetalLB for on-prem clusters in 10 minutes
If you are not using a public cloud, you have no LoadBalancers by default. Learn how to roll your own with MetalLB in just 10 minutes.
Multi-DC Consul on Kubernetes
With multi-cluster Kubernetes deployments gaining a lot of attention lately, Consul native cluster bridging and service discovery capabilities will come in handy.
How to use Envoy as a Load Balancer in Kubernetes
Envoy is a high-performance proxy that provides advanced features such as various load balancing algorithms. Make the most of it by deploying the code examples provided in this thorough blog post.
DOCKER
3 Docker Compose features for improving team workflow
Environment variables, templating and command scope: three aspects of Docker Compose that you need to master when you have several developers working on the same stack.
Elastic stack for Docker swarm using docker-app
Docker Application Package v0.5.0 is the latest offering from Docker; let’s see it in action by deploying a complete Elasticsearch stack on top of Docker swarm.
Using Docker containers as development machines
Docker is not only for server hosts! In this post, a developer will walk you through the experience of using Docker containers as their dev machines, and the lessons learnt along the way.
Docker Tips: running a container with a non-root user
A best practice for securing a container is to launch the main process as a non-root user. You can achieve this with the USER instruction in the Dockerfile or by changing the user at runtime.
OPENSHIFT & MESOS
Introducing Red Hat OpenShift Container Engine
OpenShift Container Engine is a minimal configuration of OpenShift Container Platform. Using this bare-bones, more agnostic engine, customers can bring their own networking and management solutions to OpenShift.
Connecting multiple OpenShift SDNs with a network tunnel
To extend the Istio service mesh across multiple clusters, you first need to be able to forward and route network traffic between any arbitrary pair of pods living in different clusters.
Running Scylla on the DC/OS distributed operating system
Being able to natively run Scylla, the real-time database, in DC/OS will allow for simplified deployment, easy management, maintenance and troubleshooting.
How to build a highly scalable IoT platform on DC/OS
Build an IoT architecture using Percona Server for MongoDB, swiftly deployed and highly scalable thanks to the DC/OS platform capabilities.