DockerCon EU 2015 Barcelona

Posted on 15-Apr-2017


Roman Dembitsky – romande@gmail.com
DevOps & Automation Tech/Team Leader at Cisco DRM Engineering

Released: November 16, 2015

Docker Overview
DockerCon EU 2015

Agenda
• What is Docker?
• Docker Solutions
• Docker Security

What is Docker?

Docker allows you to package an application with all of its dependencies into a standardized unit for software development.

Docker

Docker Engine

How is this different from virtual machines?

• Docker Machine – Machine provisioning
• Docker Engine – Creates and runs Docker containers
• Docker Registry – Docker image distribution repository
• Docker Kitematic – Desktop GUI for Docker
• Docker Compose – Define multi-container applications
• Docker Swarm – Host clustering and container scheduling
• Docker Universal Control Plane – Management Platform

Docker Solutions

Docker Stack (layer diagram; only the labels survive): Docker Engine, Docker Container, Docker Compose, Docker Swarm, Docker Orca (UCP), Platform Layer, Application, Multi-container applications, Distributed Cluster Management, Platform Management

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Machine

• Create Hosts Anywhere
• Docker Machine can create hosts on most major virtualization hypervisors and in cloud service providers. Docker Machine has driver support for AWS, Digital Ocean, Google Cloud Platform, IBM Softlayer, Microsoft Azure and Hyper-V, OpenStack, Rackspace, VirtualBox, VMware Fusion®, vCloud® Air™ and vSphere®

Docker Machine

• Install Docker Engine
• Configure Docker Registry
• Join nodes to Swarm


Docker Kitematic

• Kitematic – a nice GUI for container management
• Video

Kitematic



Docker Registry


Docker Registry is an open source application dedicated to the storage and distribution of your Docker images. Its seamless architecture allows both for fine-grained integration with other systems and high-level scalability. Aggressively developed, its vibrant community includes industry leaders and users running it at the core of their image distribution solutions.

Docker Registry


Docker Stages


Dockerfile – Sample Source

To Run:

docker run -d -p 27017:27017 -p 28017:28017 --name mongo -e AUTH=no tutum/mongodb


Docker Compose

Docker Compose - Example

• Compose facilitates the orchestration of linked containers

• Compose allows you to have a single script for all environments

• Developers can start/stop/rebuild containers without any deep knowledge of Docker

Docker Compose


Docker Swarm


• Swarm – container distribution manager, clustering and scheduling

• Swarm 1.0 – ready for production

Docker Swarm

• Built-in multi-host networking
• Built-in persistent storage
• Attach any volume to any container dynamically

Docker Swarm

• Scalable
• Libkv (abstraction layer on top of the etcd, ZooKeeper and Consul KV stores)

Docker Swarm

Docker Swarm - Demo


Docker Security

Hardware Key for signing images

• Docker image signing and verification
• Key compromise protection
• Content trust allows operations with a remote Docker registry to enforce client-side signing and verification of image tags. Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.

• https://blog.docker.com/2015/08/content-trust-docker-1-8/

Docker Content Trust

• Hardware crypto + Docker content trust
• Hardware root key (USB security device) used for starting the key ladder
• Allows quickly changing/updating keys, so it is no longer possible to push images with the old keys (that were compromised)

Docker Security

• Sign docker images before pushing images to repos

• Uses the root key inside the YubiKey to create new signing keys that sign the images

• To see existing keys: notary key list

Docker Security
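The key ladder and rotation described on the last two slides, as an added example that is not from the talk or from Docker's Notary: a root key (on the slides held on the USB device; here an in-memory Ed25519 key) signs which targets key is current, the targets key signs the tag record, and the client pins the root key and rejects both a tag signed by a retired targets key and replayed older root metadata. The one-byte version plus raw key encoding, the Client type and the tag record text are simplified assumptions, not the TUF metadata format Notary uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type Signed struct{ Payload, Sig []byte } // a payload plus an Ed25519 signature over it
func sign(priv ed25519.PrivateKey, payload []byte) Signed {
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// rootMeta is the statement the root key signs: a version byte followed by the 32-byte targets
// public key currently trusted. On the slides the root key lives on a USB security device; here it is in memory.
func rootMeta(version byte, targets ed25519.PublicKey) []byte {
	return append([]byte{version}, targets...)
}

// Client pins the root public key and remembers the newest root version it accepted.
type Client struct{ RootPub ed25519.PublicKey; LastVersion byte }

// Verify walks the ladder: root signature, then the targets key the root names, then the tag record.
func (c *Client) Verify(root, tag Signed) error {
	if len(root.Payload) != 1+ed25519.PublicKeySize || !ed25519.Verify(c.RootPub, root.Payload, root.Sig) {
		return errors.New("root metadata malformed or signature invalid")
	}
	version, targetsKey := root.Payload[0], ed25519.PublicKey(root.Payload[1:])
	if version < c.LastVersion { // replayed stale root metadata cannot re-enable a retired key
		return errors.New("root metadata older than last accepted version")
	}
	c.LastVersion = version
	if !ed25519.Verify(targetsKey, tag.Payload, tag.Sig) {
		return errors.New("tag record not signed by the current targets key")
	}
	return nil
}

// Demo signs a tag record, rotates the targets key, and reports whether the old key is rejected afterwards.
func Demo() (beforeOK, oldKeyRejected bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	tPub1, tPriv1, _ := ed25519.GenerateKey(rand.Reader)
	tag := sign(tPriv1, []byte("example/app:1.0 sha256:constructed-digest")) // constructed tag record
	c := &Client{RootPub: rootPub}
	beforeOK = c.Verify(sign(rootPriv, rootMeta(1, tPub1)), tag) == nil
	tPub2, _, _ := ed25519.GenerateKey(rand.Reader) // rotation: the root now names a fresh targets key
	errNew := c.Verify(sign(rootPriv, rootMeta(2, tPub2)), tag)
	errReplay := c.Verify(sign(rootPriv, rootMeta(1, tPub1)), tag)
	return beforeOK, errNew != nil && errReplay != nil
}
```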

• Project Nautilus
• Built-in container security analysis
• Soon to be available as a self-service
• Deep content analysis
• Checks against its own vulnerability DB

Docker Security Analysis


Docker Networking

• New Docker Networking APIs
• Multi-host networking
• Networks are scoped: Local / Global
• A container can participate in multiple networks

Docker Networking

• VXLAN: Layer 2 over Layer 4
• VXLAN is a network virtualization technology that attempts to ameliorate the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate MAC-based OSI layer 2 Ethernet frames within layer 4 UDP packets, using 4789 as the default IANA-assigned destination UDP port number.[1]

Docker Networking uses VXLAN
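To make the encapsulation concrete, here is an added example (not from the slides or from Docker's own code) that builds and parses a VXLAN packet as it would arrive on UDP port 4789: the 8-byte header with its flag byte and 24-bit VNI, followed by the inner Ethernet frame. The VNI, MAC addresses and payload bytes are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Decoded holds the 24-bit VNI from the 8-byte VXLAN header plus the inner Ethernet frame.
type Decoded struct {
	VNI            uint32
	DstMAC, SrcMAC [6]byte
	EtherType      uint16
	Payload        []byte
}

// ParseVXLAN decodes a UDP payload: VXLAN header (flags, reserved, VNI, reserved), then the L2 frame.
func ParseVXLAN(udpPayload []byte) (d Decoded, err error) {
	if len(udpPayload) < 8+14 {
		return d, errors.New("too short for a VXLAN header plus an Ethernet header")
	}
	if udpPayload[0]&0x08 == 0 { // flag bit I must be set, otherwise the VNI field is not valid
		return d, errors.New("VXLAN I flag not set")
	}
	d.VNI = binary.BigEndian.Uint32(udpPayload[4:8]) >> 8 // bytes 4-6 are the VNI, byte 7 is reserved
	eth := udpPayload[8:]
	copy(d.DstMAC[:], eth[0:6])
	copy(d.SrcMAC[:], eth[6:12])
	d.EtherType = binary.BigEndian.Uint16(eth[12:14])
	d.Payload = eth[14:]
	return d, nil
}

// BuildVXLAN encapsulates an Ethernet frame under a VNI (used here only to construct the sample).
func BuildVXLAN(vni uint32, ethFrame []byte) []byte {
	hdr := make([]byte, 8)
	hdr[0] = 0x08
	binary.BigEndian.PutUint32(hdr[4:8], vni<<8)
	return append(hdr, ethFrame...)
}

// SampleFrame is a constructed inner frame: broadcast dst, made-up src MAC, EtherType ARP, 4 dummy bytes.
var SampleFrame = []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x42, 0xac, 0x11, 0x00, 0x02, 0x08, 0x06, 0xde, 0xad, 0xbe, 0xef}
func main() {
	d, err := ParseVXLAN(BuildVXLAN(0x100, SampleFrame)) // VNI 0x100 is a constructed value
	if err != nil {
		panic(err)
	}
	fmt.Printf("UDP/4789 VNI=%d ethertype=0x%04x src=%x payload=%d bytes\n", d.VNI, d.EtherType, d.SrcMAC, len(d.Payload))
}
```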


Docker Universal Control Plane – Containers as a Service

• Management Platform – deploy and manage dockerized apps in production
• Running containers on any infrastructure
• Infrastructure agnostic (on premises, cloud)
• Language agnostic

Universal Control Plane

• Provisioning of compute, network, and storage on any infrastructure, with integration of enterprise security and monitoring
• Support for any:
  • application: stateful and stateless, legacy and next-generation, for any programming language
  • bare-metal server, VM or cloud instance
  • Linux distribution, Windows Server and Solaris
  • stage of the application lifecycle, from dev to test to QA to staging to production

Docker Universal Control Plane

• Enterprise ready (LDAP/AD authN), on-premise deployment integrated with Trusted Registry
• Security – TLS
• Resource Management (visibility and monitoring)
• HA

Docker Universal Control Plane


Linux Kernel IP Virtual Server

• Layer 4 (OSI) forwarder
• IPVS is incorporated into the Linux Virtual Server (LVS), where it runs on a host and acts as a load balancer in front of a cluster of real servers. IPVS can direct requests for TCP- and UDP-based services to the real servers, and make services of the real servers appear as virtual services on a single IP address. IPVS is built on top of Netfilter.[1]

IP Virtual Server (IPVS)

• IPIP mode: returns packets directly to the client (rather than via the LB)
• DNAT
• DSR

IP Virtual Server - Modes

• http://github.com/kobolog/gorb
• BGP – load balance the LBs
• Better than an LB box

GORB – REST interface for IPVS


Jenkins CI with Docker and Compose at Oxford Press

• Commit to GitHub ->
• Jenkins build with unit tests ->
• Build Docker image ->
• After all the desired components are stably built, run docker-compose

Jenkins Flow

• Push images to the Docker registry
• Bind the Docker socket (share the host Docker daemon with the build containers)
• /var/run/docker.sock
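As an added detection example that is not from the talk: a check, run over a constructed `docker inspect` document, that flags the two settings the slides mention, a bind-mounted /var/run/docker.sock (the Jenkins socket sharing above) and service ports published on every host interface (the mongo run command's -p 27017:27017 and -p 28017:28017). The container names and the JSON are constructed samples shaped like real `docker inspect` output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// inspect is the subset of `docker inspect` output these checks read.
type inspect struct {
	Name       string
	HostConfig struct {
		Binds        []string
		PortBindings map[string][]struct{ HostIp, HostPort string }
	}
}

// Audit returns one finding per risky setting in a `docker inspect` document (a JSON array).
func Audit(inspectJSON []byte) ([]string, error) {
	var cs []inspect
	if err := json.Unmarshal(inspectJSON, &cs); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range cs {
		for _, b := range c.HostConfig.Binds {
			if strings.HasPrefix(b, "/var/run/docker.sock:") { // bind-mounted daemon socket
				out = append(out, c.Name+": mounts the Docker socket, so it can drive the host daemon (root-equivalent on the host)")
			}
		}
		for port, pbs := range c.HostConfig.PortBindings {
			for _, pb := range pbs {
				if pb.HostIp == "" || pb.HostIp == "0.0.0.0" { // an empty HostIp means every host interface
					out = append(out, fmt.Sprintf("%s: %s published on all host interfaces (host port %s)", c.Name, port, pb.HostPort))
				}
			}
		}
	}
	return out, nil
}

// SampleInspect is a constructed, trimmed `docker inspect` output for the mongo service and a Jenkins container.
const SampleInspect = `[{"Name":"/mongo","HostConfig":{"Binds":null,"PortBindings":{"27017/tcp":[{"HostIp":"","HostPort":"27017"}],"28017/tcp":[{"HostIp":"","HostPort":"28017"}]}}},
{"Name":"/jenkins","HostConfig":{"Binds":["/var/run/docker.sock:/var/run/docker.sock"],"PortBindings":{}}}]`

func main() {
	findings, _ := Audit([]byte(SampleInspect)) // SampleInspect is a valid constant, so the error is ignored here
	fmt.Println(strings.Join(findings, "\n"))
}
```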

DockerCon EU 2015

https://blog.docker.com/tag/dockercon/

http://www.vmtocloud.com/how-to-run-a-docker-swarm-cluster-on-vsphere-with-photon/

http://docker.com

http://www.tomsitpro.com/articles/docker-enterprise-hub-orchestration,1-2375.html

http://blog.octo.com/en/docker-registry-first-steps/

http://blog.arungupta.me/docker-compose-orchestrate-containers-techtip77/

http://learning-continuous-deployment.github.io/dockercompose/multi-app/2015/05/30/docker-compose/

References