USENIX

URES '15

Dynamically Provisioning App Secrets during Container Run Time

Imran Shaikh, YellowPages

Abstract: 

How to put application secrets and credentials securely into the image has baffled quite a few industry experts. The solutions that people employ are insecure, static, and not scalable. Novice users bake secrets into the image. When they publish it to the registry, anyone can pull the image and the secrets are at their disposal.

Advanced users mount the secrets through volumes during the container run. Anyone who has access to the machine can mount the same volume and access the secrets for all the images. Other advanced users pass them through ENV variables, which are open to snooping by anybody who has access to the machine.

Paranoid users employ public-key and elliptic-curve cryptography to encrypt the secrets in the image with a public key. The image is then pushed to the registry, where it is safe from snooping, and the secrets can be decrypted only with the private key that resides on the host machine. But again, this solution is static.

None of the aforementioned solutions truly fits the ephemeral nature of containers. We should be able to provide secrets to a running container on any machine, dynamically, at run time.

We, at YellowPages, have devised a solution that addresses that concern.
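The ENV-variable and host-volume patterns criticized in the abstract are visible in container metadata, so they can be audited. The sketch below is an added example, not code from the talk or from YellowPages: the JSON sample is constructed in the shape of `docker inspect` output, and the name-matching heuristic and the `audit` function are assumptions.

```python
import json
import re

# Name patterns that usually indicate a credential (heuristic, an assumption).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)

# Constructed sample shaped like `docker inspect <container>` output.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/web-1",
  "Config": {"Env": ["PATH=/usr/bin:/bin", "DB_PASSWORD=example-not-real",
                     "API_KEY=example-not-real", "LOG_LEVEL=info"]},
  "Mounts": [
    {"Type": "bind", "Source": "/etc/app-secrets",
     "Destination": "/secrets", "RW": false},
    {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
     "Destination": "/data", "RW": true}
  ]
}]
""")


def audit(inspect_doc):
    """Return (container, kind, detail) findings; secret values are never echoed."""
    findings = []
    for c in inspect_doc:
        name = c.get("Name", "?").lstrip("/")
        # Env entries are "KEY=VALUE" strings readable by anyone who can inspect.
        for entry in (c.get("Config") or {}).get("Env") or []:
            key, _, value = entry.partition("=")
            if value and SECRET_NAME.search(key):
                findings.append((name, "env-secret", key))
        # Bind mounts expose a host path that other containers could mount too.
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and SECRET_NAME.search(m.get("Source", "")):
                findings.append((name, "host-bind-secret", m["Source"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT):
        print(*finding, sep="\t")
```
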

Imran Shaikh breathes DevOps, embodies it, and that is what will ooze out if you cut him. He is a Lead Systems Engineer at YellowPages. He has 10+ years of industry experience working with Fortune 500 companies. He has worked extensively on developing, architecting, and managing cloud technologies at YP as well as Yahoo. He has substantial experience running a globally distributed production environment on thousands of systems running hundreds of applications in a complex, fast-moving, and mission-critical environment.

Presently, his team is deploying and developing Mesos-supported technologies that work at scale. Mesos solutions for centralized logging, metrics, distributed monitoring, distributed storage, application secrets, etc. are being worked on. His team is solving issues that some people think don't even exist.


BibTeX
@conference {208655,
author = {Imran Shaikh},
title = {Dynamically Provisioning App Secrets during Container Run Time},
year = {2015},
address = {Washington, D.C.},
publisher = {USENIX Association},
month = nov,
}