Consulting Engineer
Twitter: @rhatdan
Blog: danwalsh.livejournal.com
Email: dwalsh@redhat.com
How do you furnish the pig's apartment?
Where did you go to get software?
Go to yahoo.com or AltaVista.com
and google it?
I found it on rpmfind.net, download and install.
Hey I hear there is a big Security vulnerability in Zlib.
How many copies of the Zlib vulnerability do you have?
I have no clue!!!
Red Hat Enterprise Linux solved this problem
Certified software and hardware platforms
Containers move the responsibility for security updates from the Operator to the Developer.
Do you trust developers to fix security issues in their images?
https://www.youtube.com/watch?v=jBgOW8mCrUk
Everyone is building a scanner
Each scanner wants access to /var/run/docker.sock
What happens if my container runtime is not docker?
(Shameless plug for CRI-O)
Can I use my scanner to scan other rootfs?
https://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection
https://martin.preisler.me/2015/11/atomic-scan-and-openscap-daemon/
http://www.projectatomic.io/blog/2016/05/using-the-atomic-cli-to-scan-vms
https://developers.redhat.com/blog/2016/05/20/creating-a-custom-atomic-scan-plug-in
Ongoing work
Scans highlight images with problems
Admin chooses to have OpenShift quarantine these images
How do you define trust?
How can I sign the images?
https://www.youtube.com/watch?v=93-71phWiOg
Must support multiple signatures?
Must not be tied to one registry?
Must be based on common standards?
Must be easy to understand?
Must support offline verification?
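The requirements above (several signatures per image, no dependence on a single registry, a common claim format, verification that works offline) can be shown end to end with a small policy evaluator. The block below is an added example written for this page; it is not code from the talk, from atomic, or from skopeo. The signed claim uses the JSON layout of the "atomic container signature" format (a critical section carrying the manifest digest and the docker-reference), but the GPG detached signature is replaced by HMAC-SHA256 with per-signer keys so the block runs without gpg; the key labels, registry name, policy and manifest bytes are all constructed for the example. The point it demonstrates is that verification needs only the manifest you already hold plus the signatures and the local policy: no registry round-trip.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: the manifest bytes you already fetched (or have in the
# local store) and the reference you asked to run. Nothing below touches the network.
MANIFEST = b'{"schemaVersion": 2, "layers": []}'
MANIFEST_DIGEST = "sha256:" + hashlib.sha256(MANIFEST).hexdigest()
IMAGE_REF = "registry.example.com/acme/app:1.0"

# Per-signer keys. HMAC-SHA256 stands in for GPG detached signatures so the
# block runs offline without gpg; the key ids are constructed labels.
SIGNER_KEYS = {
    "KEY-RELEASE-TEAM": b"constructed-release-key",
    "KEY-SECURITY-TEAM": b"constructed-security-key",
}

# Policy keyed by registry host: which signers count, how many must agree.
# Any registry without a rule is rejected outright.
POLICY = {
    "registry.example.com": {"keys": ["KEY-RELEASE-TEAM", "KEY-SECURITY-TEAM"], "required": 2},
    "default": {"reject": True},
}


def make_claim(reference, digest):
    # Claim layout of the "atomic container signature" format: the critical
    # section binds the signature to one manifest digest and one image name.
    return {
        "critical": {
            "type": "atomic container signature",
            "image": {"docker-manifest-digest": digest},
            "identity": {"docker-reference": reference},
        },
        "optional": {"creator": "example-signer"},
    }


def sign(claim, key_id):
    # Canonical JSON so signer and verifier MAC the same bytes.
    payload = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SIGNER_KEYS[key_id], payload, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "payload": payload, "mac": mac}


def verify_signature(sig, trusted_keys):
    # Returns the parsed claim when the MAC checks out under a trusted key, else None.
    key = trusted_keys.get(sig["key_id"])
    if key is None:
        return None
    expected = hmac.new(key, sig["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["mac"]):
        return None
    return json.loads(sig["payload"])


def evaluate_policy(reference, manifest, signatures, policy, trusted_keys):
    """Return (allowed, reasons). Checks run fully offline against the manifest bytes."""
    registry = reference.split("/")[0]
    rule = policy.get(registry, policy.get("default"))
    if rule is None or rule.get("reject"):
        return False, ["no policy rule permits registry %s" % registry]
    digest = "sha256:" + hashlib.sha256(manifest).hexdigest()
    accepted, reasons = set(), []
    for sig in signatures:
        claim = verify_signature(sig, trusted_keys)
        if claim is None:
            reasons.append("signature by %s failed verification" % sig["key_id"])
            continue
        crit = claim["critical"]
        if crit.get("type") != "atomic container signature":
            reasons.append("unexpected claim type")
            continue
        if crit["image"]["docker-manifest-digest"] != digest:
            reasons.append("signature by %s covers a different manifest" % sig["key_id"])
            continue
        if crit["identity"]["docker-reference"] != reference:
            reasons.append("signature by %s was made for %s, not %s"
                           % (sig["key_id"], crit["identity"]["docker-reference"], reference))
            continue
        if sig["key_id"] not in rule["keys"]:
            reasons.append("signer %s is not accepted for this registry" % sig["key_id"])
            continue
        accepted.add(sig["key_id"])
    need = rule.get("required", 1)
    if len(accepted) < need:
        reasons.append("%d of %d required signers present" % (len(accepted), need))
    return len(accepted) >= need, reasons


def run_checks():
    # Each scenario returns the allow/deny decision only; reasons are for logging.
    claim = make_claim(IMAGE_REF, MANIFEST_DIGEST)
    both = [sign(claim, "KEY-RELEASE-TEAM"), sign(claim, "KEY-SECURITY-TEAM")]
    relabelled = [sign(make_claim("registry.example.com/acme/other:1.0", MANIFEST_DIGEST), k)
                  for k in SIGNER_KEYS]
    forged = [dict(both[0], mac="00" * 32), both[1]]
    args = (POLICY, SIGNER_KEYS)
    return {
        "two_signers": evaluate_policy(IMAGE_REF, MANIFEST, both, *args)[0],
        "one_signer": evaluate_policy(IMAGE_REF, MANIFEST, both[:1], *args)[0],
        "tampered_manifest": evaluate_policy(IMAGE_REF, MANIFEST + b" ", both, *args)[0],
        "wrong_reference": evaluate_policy(IMAGE_REF, MANIFEST, relabelled, *args)[0],
        "forged_mac": evaluate_policy(IMAGE_REF, MANIFEST, forged, *args)[0],
        "unknown_registry": evaluate_policy("docker.io/library/app:1.0", MANIFEST, both, *args)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_checks().items():
        print("%-18s %s" % (name, "ALLOW" if allowed else "DENY"))
```

Only the first scenario is allowed; a single signer, a changed manifest, a signature minted for a different image name, a bad MAC, or a registry with no rule each produce a denial with a logged reason. Swapping the HMAC stand-in for real GPG verification changes only `sign` and `verify_signature`; the digest, identity and signer-count checks are the part that belongs in policy.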
https://access.redhat.com/articles/2750891
https://www.youtube.com/watch?v=0yoQu-YylwA
https://www.youtube.com/watch?v=xr-5kKj22gs&t=12s
https://www.youtube.com/watch?v=kaTaZ4VzoSI