BSidesSF 2019

In this talk, Maya and Dan will cover what changes in your patch management story if you use containers instead of virtual machines in production. Containers are meant to be immutable and short-lived—so they're frequently redeployed. Rather than pushing individual code changes, you rebuild and redeploy the whole container image. Processes that take place passively, like patching, can be going on constantly, with the latest images kept in your image registry. As a result, the new container image is fully patched and can be rolled out or rolled back as one unit, so that the patch rollout process becomes the same as your (obviously very frequent) code rollout process, with monitoring, canarying, testing, and lots of SREs in tight black ripped jeans. No more Sunday 2am patching windows!
You’ll learn what containers are, why patching is different for containers, best practices for maintaining your container images and patches as part of an image registry, how Google has used a containerized infrastructure to its advantage to patch critical vulnerabilities like Spectre with no downtime, and that despite trying we can’t make jean jackets cool again.