In a Container, Nobody Hears Your Screams - Next Generation Process Isolation

CNCF [Cloud Native Computing Foundation] via YouTube

Overview

Explore the next generation of process isolation techniques in this conference talk on container security. Examine the history of safely running unsafe processes, compare emerging isolation and security methods, and understand the design decisions driving each project. Learn about breaking in and out of different technologies, and discover which workloads are best suited for various isolation techniques. Gain insights into the challenges of running untrusted code in containers, the evolution of process isolation, and the blurred boundaries between containers and micro VMs. Understand the implications of different isolation technologies for your applications and how to potentially run diverse workloads on the same cluster using different "container" types.

Syllabus

Intro
Sandboxing Tech
Glossary: untrusted workload (cannot be certified as safe to run)
Containers and VMs
What's wrong with containers?
Assumption Maketh the Ass
Rootlessness
Rootless State of Union
History of Virtualisation
Virtual Machine Monitor
KVM vs Xen vs QEMU
Spectrum of Isolation
gVisor vs Firecracker vs Kata
gVisor Sentry
Firecracker Device Model
Kata Containers
Honourable mention: rust-vmm
Docker & Kubernetes RuntimeClass
What are the risks of next gen proc iso?
What should I use?
Conclusion

Taught by

CNCF [Cloud Native Computing Foundation]