Docker for HPC in a Nutshell


Transcript of Docker for HPC in a Nutshell

Page 1: Docker for HPC in a Nutshell

© 2013 Cassini Consulting

Andreas Schmidt | @aschmidt75

Docker: User Friendly Application & Service Containers for HPC Environments Docker In A Nutshell

Page 2: Docker for HPC in a Nutshell

2 16.07.15 Cassini Consulting

Page 3: Docker for HPC in a Nutshell


Page 4: Docker for HPC in a Nutshell


Pets vs. Cattle

Page 5: Docker for HPC in a Nutshell


Page 6: Docker for HPC in a Nutshell


Technical Perspective

Developer Perspective

Security

Ecosystem & Partners

Page 8 and 9: Docker for HPC in a Nutshell

Docker Engine core components

Docker Daemon, holding Images and Containers

API

Docker Client

Page 10 to Page 19: Docker for HPC in a Nutshell

The Docker workflow & commands (the diagram is built up one command per slide; this is its final state)

Dockerfile --build--> Image

Registry --pull--> Image

Image --push--> Registry

Image --run--> Container

Container --commit--> Image

Container: start, stop, ...

Container --rm--> ✖

Image --rmi--> ✖

Container --export--> External Tarball

Page 20: Docker for HPC in a Nutshell

Docker Engine technology foundation

§  Isolation through kernel namespaces

§  Linux capabilities

§  Resource limitation through Linux control groups

§  Filesystem isolation, copy-on-write & union filesystems


Page 21: Docker for HPC in a Nutshell

Docker Engine technology foundation

(*) https://www.docker.com/whatisdocker

Page 22: Docker for HPC in a Nutshell

Virtual Machines vs. Containers

(*) https://www.docker.com/whatisdocker

Page 23: Docker for HPC in a Nutshell


Technical Perspective

Developer Perspective

Security

Ecosystem & Partners

Page 24: Docker for HPC in a Nutshell

From Development to Production: Challenges ahead!


Page 25: Docker for HPC in a Nutshell

What Docker gives to developers


Easy sandbox approach

Easy way to deliver software

Dev / Prod parity

Page 26: Docker for HPC in a Nutshell

Easy Sandbox approach

§  Create build and test environments

§  Choose Libraries and Framework Dependencies, per application

§  Deal with incompatible version mismatches (Ruby 1.9 vs. Ruby 2.1, including libs, bundler, version switchers, ...)

§  Lightweight alternative to using virtual machines


Page 27: Docker for HPC in a Nutshell

Easy Sandbox approach

A Docker Image contains its own userland libraries and binaries

§  separated from other images

§  take exactly the versions of libraries you need

§  leave out things you do not need

§  reproducible, lightweight, easily testable

§  look at it as a unit of delivery


Page 28: Docker for HPC in a Nutshell

Easy way to deliver software


Code deliverables (e.g. RPM packages) are not runnable by themselves.

An installed instance (e.g. in a VM) is hard to transport.

Page 29: Docker for HPC in a Nutshell


https://twitter.com/joyent/status/565243828718678016

Page 30: Docker for HPC in a Nutshell

Easy way to deliver software

Dockerfile as a Contract between Development and Operations


what to base from

set environment params

prepare the image, e.g. install something, configure it

describe the interface

what to run

Page 31: Docker for HPC in a Nutshell

Easy way to deliver software

Dockerfile as the blueprint for reusable building blocks


what to base from

Redis is an official repository on Docker Hub

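The workflow diagram (pages 10 to 19) and the Dockerfile "contract" (page 30) as one runnable script. This is an added example, not code from the slides or from Cassini Consulting. It assumes a reachable Docker daemon, the official redis repository pinned to the 3.0 tag, the image name hpc/redis-demo and a private registry at registry.example.internal:5000; all four are chosen here and not taken from the slides.

```shell
#!/bin/sh
# Added example, not from the slides: the workflow diagram as a script, driven by
# a Dockerfile laid out in the five "contract" parts. Assumed (chosen here): a
# reachable Docker daemon, the official redis:3.0 tag, the image name hpc/redis-demo
# and the registry registry.example.internal:5000. DOCKER can point at a wrapper.
# Usage:  sh workflow.sh run      (with no argument only the functions are defined)
set -eu

DOCKER="${DOCKER:-docker}"
IMAGE="${IMAGE:-hpc/redis-demo}"
REGISTRY="${REGISTRY:-registry.example.internal:5000}"

write_dockerfile() {  # $1 = build context directory
    cat > "$1/Dockerfile" <<'EOF'
# what to base from: the official redis repository on Docker Hub, pinned to a tag
FROM redis:3.0
# set environment params
ENV REDIS_CONF=/usr/local/etc/redis/redis.conf
# prepare the image: configuration is baked in, nothing is configured on the host
RUN mkdir -p /usr/local/etc/redis && printf 'appendonly yes\n' > "$REDIS_CONF"
# describe the interface: one port, one data volume
EXPOSE 6379
VOLUME /data
# what to run: exactly one process, no init or ssh daemon inside the container
CMD ["redis-server", "/usr/local/etc/redis/redis.conf"]
EOF
}

build_image()      { $DOCKER build -t "$IMAGE" "$1"; }                              # Dockerfile -> Image
run_container()    { $DOCKER run -d --name "$1" -p 127.0.0.1:6379:6379 "$IMAGE"; }  # Image -> Container, port only on localhost
commit_container() { $DOCKER commit "$1" "$IMAGE:snapshot"; }                      # Container -> Image
export_container() { $DOCKER export "$1" > "$2"; }                                 # Container -> flat tarball
publish_image()    { $DOCKER tag "$IMAGE" "$REGISTRY/$IMAGE" && $DOCKER push "$REGISTRY/$IMAGE"; }
fetch_image()      { $DOCKER pull "$REGISTRY/$IMAGE"; }
remove_all()       { $DOCKER stop "$1"; $DOCKER rm "$1"; $DOCKER rmi "$IMAGE:snapshot"; }

workflow() {  # runs the full cycle once; prints the build context directory
    ctx=$(mktemp -d)
    write_dockerfile "$ctx"
    build_image "$ctx"
    run_container redis-demo
    commit_container redis-demo
    export_container redis-demo "$ctx/redis-demo.tar"
    publish_image
    remove_all redis-demo
    echo "$ctx"
}

if [ "${1:-}" = run ]; then workflow; fi
```

Two details worth keeping: the port is published on 127.0.0.1 only, so a build host does not expose the service to its network by accident, and `docker export` writes the container's filesystem as a flat tarball without image metadata or layer history; to move an image rather than a container, use `docker save` or push to the registry.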
Page 33: Docker for HPC in a Nutshell

Pave the way for Dev/Prod parity


§  From Applications to Systems

§  Describe not only compute, but also storage and networking.

§  Example: docker-compose

Page 34: Docker for HPC in a Nutshell


Technical Perspective

Developer Perspective

Security

Ecosystem & Partners

Page 35: Docker for HPC in a Nutshell


Is Docker secure?

Page 36: Docker for HPC in a Nutshell

Let's ask this question more specifically.

§  Is the Docker daemon secure?

§  Are images transported securely?

§  Are images built in a secure fashion?

§  Are containers as secure as virtual machines?

§  Are application processes more or less secure when containerized?


Page 37: Docker for HPC in a Nutshell

Are containers as secure as virtual machines?

Application Containers: control-group-separated, chroot-like, namespaced resources, running on a shared kernel.

Virtual Machines: virtualized pieces of hardware, each running its own kernel, with process/user/network spaces separated at hypervisor level.

Page 38: Docker for HPC in a Nutshell

Are application processes more or less secure when containerized?

Definitely more secure, if "used properly"(*)

§  Docker container ~ application process, ideally a single process, without management daemons: smaller attack surface

§  Namespaced process, network, FS mounts, ...: the application cannot see "the outside OS world"

§  Reduced Linux capabilities, can be fine-tuned

§  Additional isolation mechanisms at hand: SELinux type enforcement, AppArmor profiles, libseccomp system call filtering

(*) http://container-solutions.com/is-docker-safe-for-production

Page 39: Docker for HPC in a Nutshell

Docker Hardening – Docker Security Benchmark


§  Extensive guide on hardening Docker hosts, images and containers; each recommendation comes with an audit step to check it and a remediation

§  Automated tools are in development

§  benchmarks.cisecurity.org
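A few of the daemon-level checks from the benchmark's host section, as an added example that is neither the benchmark text nor the tooling mentioned above. The checks are written against the daemon's command line, so the same function works on `ps` output and on constructed strings; the check wording is mine, the sample command lines are constructed, and the rules themselves (remote API only with TLS client verification, inter-container traffic off by default, no insecure registries) follow the benchmark.

```shell
#!/bin/sh
# Added example, not from the slides and not the CIS tooling: daemon-level checks
# in the spirit of the benchmark's host/daemon section, run against the daemon's
# command line. Check wording is mine.
# Usage:  sh daemon-check.sh                                    (inspects the running daemon)
#         sh daemon-check.sh "docker -d -H tcp://0.0.0.0:2375"  (checks a given command line)

daemon_cmdline() {  # command line of the running daemon, empty if none
    ps -eo args= 2>/dev/null | grep -E '(^|/)docker(d| -d| daemon)( |$)' | grep -v grep | head -n 1
}

check_daemon_args() {  # $1 = daemon command line; prints one line per check; returns 1 on any FAIL
    args=" $1 "
    rc=0
    case "$args" in
        *" -H tcp://"*|*" --host tcp://"*|*" --host=tcp://"*)
            case "$args" in   # --tlsverify must be tested before --tls, which it contains
                *" --tlsverify"*) echo "PASS remote API requires client certificates (--tlsverify)" ;;
                *" --tls"*)       echo "FAIL --tls encrypts but does not authenticate clients; use --tlsverify"; rc=1 ;;
                *)                echo "FAIL remote API reachable over plain TCP: root on the host for anyone who connects"; rc=1 ;;
            esac
            case "$args" in
                *"tcp://0.0.0.0:"*|*"tcp://:"*|*"tcp://[::]:"*) echo "WARN API bound to all interfaces" ;;
            esac ;;
        *) echo "PASS no TCP listener, unix socket only" ;;
    esac
    case "$args" in
        *" --icc=false"*) echo "PASS inter-container traffic disabled by default (--icc=false)" ;;
        *)                echo "WARN --icc=false not set: every container can reach every other on the bridge" ;;
    esac
    case "$args" in
        *" --insecure-registry"*) echo "FAIL insecure registry allowed: images may be pulled without TLS verification"; rc=1 ;;
        *)                        echo "PASS no insecure registries" ;;
    esac
    return $rc
}

if [ $# -gt 0 ]; then
    check_daemon_args "$1"
elif cmd=$(daemon_cmdline) && [ -n "$cmd" ]; then
    check_daemon_args "$cmd"
fi
```

The first check is the one that matters most on a shared HPC login node: the Docker API has no authentication of its own, so a plain TCP listener hands root on the host to every user who can reach the port, and `--tls` without `--tlsverify` only encrypts that connection without asking who is on the other end.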

Page 40: Docker for HPC in a Nutshell


Technical Perspective

Developer Perspective

Security

Ecosystem & Partners

Page 41: Docker for HPC in a Nutshell

Tooling around Docker


Where to run: specialised operating systems

Where to pull images from: registries (private, on premise, ...)

How to operate it: orchestration, scheduling, management, monitoring

From infrastructure to applications: Platform-as-a-Service

How to build containers: config management, developer tools

Technical topics: networking, security, storage

Page 42: Docker for HPC in a Nutshell


Page 43: Docker for HPC in a Nutshell

Competitors & Container Runtime Alternatives

LXC + LXD

CoreOS Rocket (rkt), Application Container Spec (appc)

Open Container Project (www.opencontainers.org)


Page 44 to Page 48: Docker for HPC in a Nutshell

Technical Perspective

Developer Perspective

Security

Ecosystem & Competitors

Thank you!