Docker for HPC in a Nutshell

Post on 15-Aug-2015


© 2013 Cassini Consulting

Andreas Schmidt | @aschmidt75

Docker: User Friendly Application & Service Containers for HPC Environments

Docker In A Nutshell

2 16.07.15 Cassini Consulting


Pets vs. Cattle


Technical Perspective

Developer Perspective

Security

Ecosystem & Partners


Docker Engine core components

Docker Daemon, holding Images and Containers
API, exposed by the daemon
Docker Client, talking to the daemon through the API

The Docker workflow & commands

build: Dockerfile → Image
pull: Registry → Image
push: Image → Registry
run: Image → Container
commit: Container → Image
start, stop, ...: Container
rm: Container → ✖
rmi: Image → ✖
export: Container → External Tarball

Docker Engine technology foundation

§  Isolation through Kernel Namespaces

§  Linux Capabilities

§  Resource limitation through Linux control groups

§  Filesystem isolation, Copy-On-Write & Union FS

(*) https://www.docker.com/whatisdocker

Virtual Machines vs. Containers (*)
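The "Linux Capabilities" item above is easiest to appreciate by looking at what a containerised process actually holds. The following is an added example, not code from the slides: it decodes the Cap* bitmasks that the kernel exposes in /proc/<pid>/status into capability names and flags the ones that reach beyond a container. The status excerpt is constructed; its CapEff value 00000000a80425fb is the 14-capability set Docker grants a container by default, and the selection of "host-reaching" capabilities is my own.

```python
"""Decode the capability sets of a process from /proc/<pid>/status (Cap* lines)
and report capabilities that reach outside an application container.
Added example; SAMPLE_STATUS is a constructed excerpt, not captured output."""
import re

# Capability names by bit position, as numbered in linux/capability.h (bits 0..37).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Capabilities that let a process act on the host kernel, other namespaces or
# the MAC policy; a selection made for this example, not from the slides.
HOST_REACHING = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                 "CAP_SYS_PTRACE", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH",
                 "CAP_SYS_BOOT", "CAP_MAC_ADMIN", "CAP_MAC_OVERRIDE"}


def decode_caps(mask):
    """Turn a capability bitmask into the list of set capability names."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def cap_sets(status_text):
    """Parse every Cap* line of a /proc/<pid>/status dump into {field: [names]}."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            field, value = line.split(":", 1)
            sets[field.strip()] = decode_caps(int(value.strip(), 16))
    return sets


def review(status_text):
    """Findings a defender wants: host-reaching effective capabilities, and
    whether a seccomp filter is active (the Seccomp field is 2 in filter mode)."""
    findings = []
    effective = set(cap_sets(status_text).get("CapEff", []))
    for name in sorted(HOST_REACHING & effective):
        findings.append("effective capability reaches outside the container: " + name)
    m = re.search(r"^Seccomp:\s*(\d)", status_text, re.M)
    if m and m.group(1) != "2":
        findings.append("no seccomp filter active (Seccomp: %s)" % m.group(1))
    return findings


# Constructed excerpt of /proc/1/status as seen inside a default container.
SAMPLE_STATUS = """\
Name:\tredis-server
Pid:\t1
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
Seccomp:\t0
"""

if __name__ == "__main__":
    for field, names in cap_sets(SAMPLE_STATUS).items():
        print(field, len(names), " ".join(names))
    for finding in review(SAMPLE_STATUS):
        print("finding:", finding)
```

Run against a real container with `cat /proc/1/status` from inside it; the same decoder shows at a glance whether a `--cap-add` or `--privileged` flag widened the effective set, and the Seccomp field tells you whether system call filtering is in force at all.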


From Development to Production: Challenges ahead!


What Docker gives to developers

§  Easy sandbox approach

§  Easy way to deliver software

§  Dev / Prod parity

Easy Sandbox approach

§  Create build and test environments

§  Choose Libraries and Framework Dependencies, per application

§  Deal with incompatible version mismatches (Ruby 1.9 vs. Ruby 2.1, including libs, bundler, version switchers, ...)

§  Lightweight alternative to using virtual machines


Easy Sandbox approach

A Docker Image contains its own userland libraries and binaries

§  separated from other images

§  take exactly the versions of libraries you need

§  leave out things you do not need

§  reproducible, lightweight, easily testable

§  look at it as a unit of delivery


Easy way to deliver software

Code deliverables (e.g. RPM packages) are not runnable.

An installed instance (e.g. in a VM) is hard to transport.

https://twitter.com/joyent/status/565243828718678016

Easy way to deliver software

Dockerfile as a Contract between Development and Operations, and the blueprint for reusable building blocks

what to base from (Redis is an official repository at dockerhub)

set environment params

prepare the image, i.e. install something, configure it

describe the interface

what to run
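To make the "contract" reading of a Dockerfile concrete, here is an added example (not from the slides) that parses a Dockerfile, sorts each instruction under one of the five questions listed above, and runs a few contract checks a reviewer on the operations side would ask for. The sample Dockerfile, its tag `redis:3.0` and the `redis` user are constructed for this example; the mapping of instructions to roles and the check list are my own.

```python
"""Parse a Dockerfile and map its instructions onto the five roles of the
Dockerfile-as-contract slide. Added example; SAMPLE_DOCKERFILE is constructed."""
import re
from collections import defaultdict

# Which Dockerfile instruction answers which of the slide's five questions.
ROLE_OF = {
    "FROM": "what to base from",
    "ARG": "set environment params", "ENV": "set environment params",
    "RUN": "prepare the image", "COPY": "prepare the image", "ADD": "prepare the image",
    "WORKDIR": "prepare the image", "USER": "prepare the image",
    "EXPOSE": "describe the interface", "VOLUME": "describe the interface",
    "LABEL": "describe the interface",
    "CMD": "what to run", "ENTRYPOINT": "what to run",
}


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], skipping comments and blank lines and
    joining backslash-continued lines as Dockerfile syntax allows."""
    parsed, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # no instruction on this line
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "       # continuation: keep collecting
            continue
        buf += line
        m = re.match(r"^(\w+)\s+(.*)$", buf)
        if not m:
            raise ValueError("malformed instruction: %r" % buf)
        parsed.append((m.group(1).upper(), m.group(2).strip()))
        buf = ""
    if buf:
        raise ValueError("dangling line continuation at end of file")
    return parsed


def contract(parsed):
    """Group instructions under the slide's roles; unknown ones land in 'other'."""
    roles = defaultdict(list)
    for instr, arg in parsed:
        roles[ROLE_OF.get(instr, "other")].append((instr, arg))
    return dict(roles)


def contract_findings(parsed):
    """Contract checks: base image pinned, interface documented, something to
    run, and a non-root USER so the process is not root inside the container."""
    instrs = {i for i, _ in parsed}
    bases = [a for i, a in parsed if i == "FROM"]
    findings = []
    if not bases:
        findings.append("no FROM: nothing to base from")
    elif not any(":" in b or "@" in b for b in bases):
        findings.append("FROM %s: base image not pinned to a tag or digest" % bases[0])
    if not instrs & {"CMD", "ENTRYPOINT"}:
        findings.append("no CMD/ENTRYPOINT: what to run is unspecified")
    if "EXPOSE" not in instrs:
        findings.append("no EXPOSE: network interface undocumented")
    if "USER" not in instrs:
        findings.append("no USER: process runs as root inside the container")
    return findings


# Constructed sample: a Redis image customised for one site.
SAMPLE_DOCKERFILE = """\
# what to base from
FROM redis:3.0
# set environment params
ENV REDIS_MAXMEMORY=256mb
# prepare the image
RUN mkdir -p /etc/redis && \\
    echo "maxmemory $REDIS_MAXMEMORY" > /etc/redis/redis.conf
COPY redis-local.conf /etc/redis/redis.conf
# describe the interface
EXPOSE 6379
VOLUME /data
# what to run, and as whom
USER redis
CMD ["redis-server", "/etc/redis/redis.conf"]
"""

if __name__ == "__main__":
    parsed = parse_dockerfile(SAMPLE_DOCKERFILE)
    for role, items in contract(parsed).items():
        print(role + ":", ", ".join(i for i, _ in items))
    print("findings:", contract_findings(parsed) or "none")
```

The same parser applied to a three-line `FROM redis` / `RUN` / `CMD` file reports the unpinned base image, the undocumented interface and the missing USER, which is the point of treating the file as a contract rather than a build script.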

Pave the way for Dev/Prod parity


§  From Applications to Systems

§  Describe not only compute, but also storage and networking.

§  Example: docker-compose


Is Docker secure?

Let's ask this question more specifically.

§  Is the docker daemon secure?

§  Are images transported securely?

§  Are images built in a secure fashion?

§  Are containers as secure as virtual machines?

§  Are application processes more or less secure when containerized?

Are containers as secure as virtual machines?

Application Containers: Control group-separated, chroot-like, namespaced resources, running on a shared kernel.

Virtual Machines: Virtualized pieces of hardware, each running its own kernel, with process/user/network spaces separated at hypervisor level.

Are application processes more or less secure when containerized?

Definitely more secure, if "used properly(*)"

§  Docker Container ~ Application process, ideally a single process, without management daemons: smaller attack surface

§  Namespaced process, network, FS mounts, ...: ~ application cannot see "the outside OS world"

§  Reduced Linux Capabilities, can be fine tuned

§  Additional isolation mechanisms at hand: SELinux Type Enforcement, AppArmor profiles, Libseccomp System Call Filtering

(*) http://container-solutions.com/is-docker-safe-for-production

Docker Hardening – Docker Security Benchmark


§  Extensive Guide on hardening docker hosts, images and containers, including checks

§  Automated tools are in development

§  benchmarks.cisecurity.org
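The benchmark's container-runtime checks (privileged mode, added capabilities, shared host namespaces, an explicit SELinux/AppArmor/seccomp option, a non-root user, a read-only root filesystem, sensitive host mounts) can all be answered from `docker inspect` output. The following is an added example in that spirit, not the CIS tooling and not code from the slides: it evaluates those checks over inspect records. The two records are constructed; the field names (`HostConfig.Privileged`, `CapAdd`, `PidMode`, `NetworkMode`, `IpcMode`, `SecurityOpt`, `ReadonlyRootfs`, `Binds`, `Config.User`) are the ones `docker inspect` emits, and the list of sensitive host paths is my own.

```python
"""Benchmark-style runtime checks over `docker inspect` records.
Added example; SAMPLE_INSPECT is constructed, not captured from a host."""
import json

# Host paths that hand a container control over the host when bind-mounted
# (selection for this example; extend it to your site's policy).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/boot", "/dev",
                        "/var/run/docker.sock"}


def inspect_findings(container):
    """Return the list of findings for one `docker inspect` record."""
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged container: all capabilities and host devices")
    if hc.get("CapAdd"):
        findings.append("capabilities added: " + ", ".join(hc["CapAdd"]))
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    if hc.get("IpcMode") == "host":
        findings.append("shares the host IPC namespace")
    opts = hc.get("SecurityOpt") or []
    if not any(o.startswith(("seccomp", "apparmor", "label")) for o in opts):
        findings.append("no explicit seccomp/AppArmor/SELinux option (relying on daemon defaults)")
    if not cfg.get("User"):
        findings.append("runs as root (no User set)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    for bind in hc.get("Binds") or []:           # "host:container[:options]"
        src = bind.split(":")[0]
        if src in SENSITIVE_HOST_PATHS:
            findings.append("sensitive host path mounted: " + src)
    return findings


def benchmark(records):
    """{container name: [findings]} over a list of inspect records."""
    return {r["Name"]: inspect_findings(r) for r in records}


# Constructed records in the shape of `docker inspect` output: one hardened
# Redis container and one carelessly started build agent.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/redis-hardened",
  "Config": {"User": "redis", "Image": "redis:3.0"},
  "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": ["ALL"],
     "PidMode": "", "NetworkMode": "bridge", "IpcMode": "",
     "SecurityOpt": ["apparmor=docker-default", "seccomp=redis-seccomp.json"],
     "ReadonlyRootfs": true, "Binds": ["/srv/redis/data:/data"]}},
 {"Name": "/build-agent",
  "Config": {"User": "", "Image": "ubuntu"},
  "HostConfig": {"Privileged": true, "CapAdd": ["SYS_PTRACE"], "CapDrop": null,
     "PidMode": "host", "NetworkMode": "host", "IpcMode": "",
     "SecurityOpt": null, "ReadonlyRootfs": false,
     "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/home/ci:/work"]}}
]""")

if __name__ == "__main__":
    for name, findings in benchmark(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings) or "no findings")
```

On a real host, feed it `docker inspect $(docker ps -q)`. One caveat the seccomp/AppArmor check carries: a daemon-level default profile does not show up in `SecurityOpt`, so that finding means "not set explicitly for this container", to be read together with the daemon configuration.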


Tooling around Docker

Where to run: Specialised Operating systems

Where to pull images from: Registries (Private, On Premise, ...)

How to operate it: Orchestration, Scheduling, Management, Monitoring

From Infrastructure to Applications: Platform-As-a-Service

How to build containers: Config Management, Developer Tools

Technical topics: Networking, Security, Storage

Competitors & Container Runtime Alternatives

LXC + LXD

CoreOS Rocket (rkt), Application Container Spec (appc)

Open Container Project (www.opencontainers.org)

Technical Perspective

Developer Perspective

Security

Ecosystem & Competitors

Thank you!