Sync: add container security notes
20
wiki/entities/Ashish.md
Normal file
@@ -0,0 +1,20 @@
---
title: "Ashish"
type: entity
tags: [Micro Focus, Security, Container, Kubernetes]
last_updated: 2026-04-24
---

## Basic Information
- **Role:** Member, Product Security Group
- **Organization:** [[Micro Focus]]
- **Expertise:** Container Security, Kubernetes Hardening

## Description
Ashish 是 Micro Focus Product Security Group 的成员,在 CTP Topic 49 分享了容器镜像构建阶段的安全加固标准。演讲涵盖了 11 条可操作的安全实践,通过 Demo 演示了配置效果。

## Aliases
- Ashish

## Sources
- [[ctp-topic-49-container-lifecycle-hardening-standards]]
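Review bot: the `Role` line names the Product Security Group as plain text while `Product-Security-Group.md` in this same commit links back with `[[Ashish]]`; make the link bidirectional, e.g. `- **Role:** Member, [[Product Security Group]]`. The `tags` front matter also uses an inline array here but a block list in `Micro-Focus.md`; pick one form for entity pages so the wiki tooling sees consistent metadata.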
39
wiki/entities/Micro-Focus.md
Normal file
@@ -0,0 +1,39 @@
---
title: "Micro Focus"
type: entity
tags:
- Company
- Cloud Transformation
- Enterprise Software
last_updated: 2026-04-14
---

## Overview

Micro Focus is an enterprise software company undergoing a major cloud transformation to AWS and SaaS delivery models. The company has one of the largest commercial data center footprints globally (14 data centers, ~20,000 assets), and is actively migrating workloads to AWS.

## Role in Cloud Transformation Programme (CTP)

Micro Focus is the organization running the Cloud Transformation Programme (CTP), which covers AWS landing zones, EKS, Terraform, GitOps, FinOps, observability, security, and enterprise architecture.

### Key Characteristics

- **Tool Diversity**: High heterogeneity in development tools — 17 different Source Code Management (SCM) tools in use
- **Cloud Migration Scale**: One of the world's largest commercial data center footprints (14 data centers, ~20,000 assets)
- **Migration Progress**: 55% of AWS costs currently occur outside of Landing Zones, requiring governance
- **Security Focus**: Product Security team led by Shlomi Ben-Hur driving supply chain security initiatives

### Key Products & Platforms

- **Octane Hub**: Software Factory team, part of CTP, led by CTO Holger Rode; focused on Docker containerization of workloads from Bibling Lab to AWS Landing Zone
- **Operations Bridge Manager (OBM)**: Cloud monitoring solution integrating with AWS CloudWatch
- **Cyber Suite**: Security and encryption platform

### References

- [[ctp-topic-21-supply-chain-security-in-micro-focus]] — Product Security team's supply chain security approach (Shlomi Ben-Hur)
- [[ctp-topic-53-why-bother-with-cloud]] — Cloud migration business value case
- [[ctp-topic-43-vmware-cloud-on-aws]] — VMware Cloud on AWS as hybrid cloud intermediate route
- [[ctp-topic-8-implementation-of-cloud-monitoring-using-micro-focus-operations-bridge]] — OBM cloud monitoring implementation
- [[ctp-topic-14-octane-hub-on-aws-real-life-experience]] — Octane Hub real-life migration experience
- [[ctp-topic-44-aws-backup-in-micro-focus]] — AWS Backup implementation within Micro Focus
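Review bot: `last_updated: 2026-04-14` is ten days older than the `2026-04-24` on the three sibling entity files added by this same commit; confirm that is intentional rather than a stale value carried over. The Overview and Role sections are also written in English while the Description sections of `Ashish.md`, `Product-Security-Group.md` and `tini.md` are in Chinese; settle on one language for entity descriptions (or document the mixed convention) before more pages are synced. Finally, this page does not link to `[[Product Security Group]]` even though the Security Focus bullet describes that team and the group's own page links to `[[Micro Focus]]`; add the wikilink so the relationship resolves in both directions.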
21
wiki/entities/Product-Security-Group.md
Normal file
@@ -0,0 +1,21 @@
---
title: "Product Security Group"
type: entity
tags: [Micro Focus, Security, Container, Kubernetes]
last_updated: 2026-04-24
---

## Basic Information
- **Type:** Team / Group
- **Organization:** [[Micro Focus]]
- **Related People:** [[Ashish]]

## Description
Micro Focus 产品安全小组(Product Security Group)负责制定和推广容器安全标准和最佳实践。在 CTP Topic 49 中,Ashish 代表该团队介绍了容器镜像构建阶段的 11 条安全加固标准。该组织还制定了其他安全相关标准,如供应链安全(CTP Topic 21,Shlomi Ben-Hur 主讲)。

## Aliases
- Product Security Group

## Sources
- [[ctp-topic-49-container-lifecycle-hardening-standards]]
- [[ctp-topic-21-supply-chain-security-in-micro-focus]]
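Review bot: `Related People` lists only `[[Ashish]]`, yet the Description names Shlomi Ben-Hur as the team's presenter for CTP Topic 21 and `Micro-Focus.md` in this commit says he leads the team; add him to `Related People` (creating an entity page if the wiki requires wikilinks to resolve) so the two sources listed under `## Sources` each have a linked presenter.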
31
wiki/entities/tini.md
Normal file
@@ -0,0 +1,31 @@
---
title: "tini"
type: entity
tags: [Container, Kubernetes, Security, Open Source, Init System]
last_updated: 2026-04-24
---

## Basic Information
- **Type:** Product / Open Source Tool
- **Category:** Container Init System
- **Website:** https://github.com/krallin/tini
- **Language:** C

## Description
tini 是 Docker 和 Kubernetes 容器中最广泛使用的轻量级 Init 系统,用于:
1. **信号处理**:正确接收并转发 SIGTERM/SIGINT 等信号到子进程,确保容器可优雅停止
2. **僵尸进程收割**:防止已终止但父进程尚未 wait() 的子进程(Zombie Process)占用系统资源
3. **单进程容器**:在无 systemd 的容器环境中替代 PID 1 职责

在 [[ctp-topic-49-container-lifecycle-hardening-standards]] 中,Ashish 通过 Demo 展示了 tini 如何在 Kubernetes 环境中阻止僵尸进程——当容器不运行 Init 系统时,僵尸进程会耗尽系统资源;引入 tini 后僵尸进程被正确收割。

## Relationship to Kubernetes
- Kubernetes Pod 默认使用容器镜像的 PID 1 作为 Init 进程
- 在 Kubernetes 中可通过 Pod Security Context 或 Init Container 方式集成 tini

## Aliases
- tini
- teeny(CTP Topic 49 Demo 中提到的替代名称,指同一机制)

## Sources
- [[ctp-topic-49-container-lifecycle-hardening-standards]]
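Review bot: the second bullet under `## Relationship to Kubernetes` is technically wrong and should be reworded: a Pod `securityContext` has no init-process setting, and an init container runs to completion before the application container starts, so it can never be that container's PID 1. tini is adopted by making it the image's `ENTRYPOINT` (outside Kubernetes, `docker run --init` does the same); the Kubernetes-native alternative for zombie reaping is `shareProcessNamespace: true`, which makes the pod's pause container PID 1. Suggested replacement: "在 Kubernetes 中通过镜像 ENTRYPOINT 集成 tini,或使用 shareProcessNamespace 让 pause 容器承担 PID 1 收割职责".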