October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Benefits of isolation provided by containers

Jessica Frazelle (Microsoft)
1:15pm–1:55pm Tuesday, 11/01/2016
Tools and processes
Location: Trianon Ballroom Level: Beginner
Average rating: ****.
(4.11, 9 ratings)

Prerequisite knowledge

  • Familiarity with the concept of applications like NGINX or web servers
  • A general understanding of deploying and releasing applications

What you'll learn

  • Understand how containers provide isolation
  • Explore the clear benefits from using containers


What are containers? What is the difference from a container and a VM? Why should I not always just use VMs for isolation? How can I use containers in a way that I get the most out of the security features they provide?

Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. The world an attacker might see from inside a very strict container with custom AppArmor/seccomp profiles greatly differs than that without the use of containers.

Jessica Frazelle outlines the benefits gained from the Linux primitives used to create containers. Linux namespaces control what a process can see, and Linux control groups control what a process can use. You’ll leave with a clear understanding of the isolation containers provide as well as how to secure them further with AppArmor, seccomp, and SELinux.

Photo of Jessica Frazelle

Jessica Frazelle


Jessica Frazelle is a software engineer at Microsoft, where she works with Linux and containers. Jess loves all things involving Linux namespaces and cgroups and is probably most well known for running desktop applications in containers. Jessica has been a maintainer of Docker and a contributor to RunC, Kubernetes, Linux, and Golang, among other projects, and maintained the AppArmor, seccomp, and SELinux bits in Docker. She is quite familiar with locking down containers.