Containers provide increased security through isolation and rule-based access control. While this is a great improvement, it proved to be a challenge at Datadog when it came to effectively instrumenting and monitoring containerised workloads. In this talk, we will go through several of the technical issues we encountered while developing container-aware instrumentation, and how what we learned can be leveraged to improve your deployment's security and performance.
- Cgroup hierarchies: limits and accounting
- Kernel namespacing: what do --net, --pid, --privileged imply?
- Host-local traffic through Unix Domain Sockets: performance gains and origin detection thanks to ancillary data
- How to secure your Docker socket?
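The origin-detection and namespace points above, as an added example (not code from the talk or from the Datadog agent): a receiver on a Unix domain socket asks the kernel who the peer is, either through SO_PEERCRED on a connected stream socket or through the SCM_CREDENTIALS ancillary data the kernel attaches to datagrams once SO_PASSCRED is set, then maps that PID to a container id via /proc/<pid>/cgroup and checks whether the peer shares its network or PID namespace (which is exactly what --net=host and --pid=host produce). Linux only; function names and the sample /proc/<pid>/cgroup contents are constructed for illustration.

```python
"""Origin detection for host-local traffic over a Unix domain socket (Linux).

Added example: the kernel, not the client, supplies the peer's pid/uid/gid, so
an unprivileged sender cannot forge its identity the way it could forge a
container id placed in the payload.
"""
import os
import re
import socket
import struct
from typing import Optional, Tuple

UCRED_FMT = "3i"  # struct ucred { pid_t pid; uid_t uid; gid_t gid; } -> 12 bytes
UCRED_LEN = struct.calcsize(UCRED_FMT)

# Docker container ids are 64 hex chars in both cgroup v1 and v2 paths.
_CONTAINER_ID_RE = re.compile(r"([0-9a-f]{64})")

# Constructed sample contents of /proc/<pid>/cgroup (not captured from a real host).
SAMPLE_CONTAINER_ID = "0123456789abcdef" * 4
SAMPLE_CGROUP_V1 = (
    f"12:memory:/docker/{SAMPLE_CONTAINER_ID}\n"
    f"11:cpu,cpuacct:/docker/{SAMPLE_CONTAINER_ID}\n"
    "1:name=systemd:/system.slice/docker.service\n"
)
SAMPLE_CGROUP_V2 = f"0::/system.slice/docker-{SAMPLE_CONTAINER_ID}.scope\n"
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-3.scope\n"


def peer_credentials(sock: socket.socket) -> Tuple[int, int, int]:
    """(pid, uid, gid) of the peer of a connected AF_UNIX socket, via SO_PEERCRED.
    Caveat: these are the credentials of the process that connect()ed (or created
    the socketpair); if that process later passed the fd on, they are stale."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED_LEN)
    return struct.unpack(UCRED_FMT, raw)


def peer_from_ancillary(sock: socket.socket) -> Tuple[bytes, Tuple[int, int, int]]:
    """Receive one datagram and return (payload, (pid, uid, gid)) from the
    SCM_CREDENTIALS ancillary data. The receiving socket must have SO_PASSCRED
    set *before* the sender sends, since the kernel attaches creds at send time."""
    payload, ancdata, _flags, _addr = sock.recvmsg(4096, socket.CMSG_SPACE(UCRED_LEN))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return payload, struct.unpack(UCRED_FMT, data[:UCRED_LEN])
    raise RuntimeError("no SCM_CREDENTIALS received: set SO_PASSCRED on the receiver")


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Container id from /proc/<pid>/cgroup text. Handles cgroup v1 lines
    ("<n>:<controllers>:<path>") and the single v2 line ("0::<path>").
    Returns None when no line carries a container id (a host process)."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        m = _CONTAINER_ID_RE.search(parts[2])
        if m:
            return m.group(1)
    return None


def container_id_for_pid(pid: int) -> Optional[str]:
    """Live lookup. Note the race: a pid can be recycled between the credential
    read and this open(), so treat the result as best-effort, not authoritative."""
    with open(f"/proc/{pid}/cgroup") as f:
        return container_id_from_cgroup(f.read())


def shares_namespace(pid: int, ns: str) -> bool:
    """True when <pid> is in the same `ns` namespace (net, pid, mnt, ...) as us.
    /proc/<pid>/ns/<ns> is a symlink whose target names the namespace inode, so
    identical targets mean a shared namespace (e.g. a --net=host container)."""
    return os.readlink(f"/proc/{pid}/ns/{ns}") == os.readlink(f"/proc/self/ns/{ns}")


def supported() -> bool:
    """Both credential mechanisms and /proc/<pid>/ns are Linux-specific."""
    return (hasattr(socket, "SO_PEERCRED") and hasattr(socket, "SCM_CREDENTIALS")
            and os.path.isdir("/proc/self/ns"))


def self_check() -> bool:
    """Exercise both paths against ourselves with socketpair(): the kernel must
    report our own pid/uid, and we trivially share every namespace with ourselves."""
    srv, cli = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid, uid, _gid = peer_credentials(srv)
    ok = pid == os.getpid() and uid == os.getuid()

    drecv, dsend = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    drecv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)  # before send()
    dsend.send(b"page.views:1|c")
    payload, (apid, auid, _agid) = peer_from_ancillary(drecv)
    ok = ok and payload == b"page.views:1|c" and apid == os.getpid() and auid == os.getuid()

    ok = ok and shares_namespace(pid, "net") and shares_namespace(pid, "pid")
    for s in (srv, cli, drecv, dsend):
        s.close()
    return ok


if __name__ == "__main__":
    if supported():
        print("self check:", self_check())
        print("own container id:", container_id_for_pid(os.getpid()))
    print("v1 sample:", container_id_from_cgroup(SAMPLE_CGROUP_V1))
    print("v2 sample:", container_id_from_cgroup(SAMPLE_CGROUP_V2))
```

In a real agent the datagram path is the interesting one: StatsD-style metrics arrive over a datagram socket, and SO_PASSCRED lets every packet carry its sender's pid without a handshake, at which point /proc/<pid>/cgroup tags the metric with the originating container. The two caveats in the comments (fd passing and pid reuse) are why the cgroup lookup should be done promptly and treated as best-effort.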