Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

Red Hat OCID and Container Security

Date and Time

Wednesday, January 18, 2017 from 6:30 pm to 9:00 pm


MIT Building E-51, Room 315


Daniel J Walsh , Lead SELinux Engineer , Red Hat Software - dwalsh redhat com


Red Hat's new OCID container system, an alternative to Docker


OCID (CRI-O) is a container runtime to be used with the Kubernetes Kublet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The goal of the OCID is to optimize running of containers in production, via Kubernetes and OpenShift.

At a high level, we expect the scope of OCID:

  • Support multiple image formats including the existing Docker image format
  • Support for multiple means to download images including trust & image verification
  • Container image management (managing image layers, overlay filesystems, etc)
  • Container process lifecycle management
  • Monitoring and logging required to satisfy the CRI
  • Resource isolation as required by the CRI

Second part of the talk will cover Container Security. We will cover all parts of container security from the importance of the kernel, to where you should run your containers, container separation and what you should run inside

Meeting Notes


  1. Running production applications in containers: Introducing OCID
  2. Red Hat's OCID is a Docker Alternative, But Not a Fork
  3. Dan Walsh's slides (pdf)
  4. Dan Walsh's slides (html)
  5. Dan Walsh's slides (text)

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /