In this talk, Scott Coulton will take you through Docker's cluster solution Swarm mode with his operations hat on. We will start from the beginning by describing what swarm mode is, what it does, and how it works behind the scenes. From there, we will look at very basic configurations of Swarm mode from the point of view of the operations team as well as a production-ready workflow including deployments of the cluster, logging and CD best practices. Attendees will be able to apply their learnings to their use cases.
5. As you saw in Docker for Dev, we have an awesome application that is going to make us some money by taking it from the evil corp Initech. To host the app we will use the following:
• Both Docker UCP and Docker Swarm mode, making sure the infrastructure is highly available
• We will host our images in a Docker Trusted Registry
• We have to make sure the app is logging, the image is signed and there is no vulnerability in our images
What we are going to cover
7. In this day and age an outage is going to cost your business money. Docker has two solutions to help you:
• The open source offering is swarm mode
• The enterprise offering is Universal Control Plane
We don't want our application to go down
8. Swarm mode is the native clustering solution that has been included in the Docker engine from v1.12 until present. Enabling swarm mode on your engine gives you the following:
• Scheduling of containers across compute nodes
• Overlay networking for container communication
• Service discovery via DNS
• Load balancing
• Secure by default: all communication between nodes for cluster operations is configured to use SSL
Swarm mode
10. Universal Control Plane is built on top of Docker swarm mode. In addition to the features you get with swarm mode you also get:
• A graphical interface for management
• TLS authentication to protect your Docker API
• Real-time metrics on the cluster via dashboards
• LDAP and RBAC
Universal control plane
16. We already have a base image created by our developers. We should first make sure that the image does not have any vulnerable packages in it. Then we want to make sure our image is trusted and has not been tampered with. To do this we will use:
• Docker Trusted Registry security scanning
• Docker Notary
• AppArmor, to protect our containers
Let's make it secure
17. Security scanning in DTR allows the following to happen at rest:
• Images are scanned for vulnerabilities
• Scanning is automated on a Docker push
• Prebuilt dashboards to display the scan results
Security scanning
19. Image signing with Notary allows us to make sure that:
• Our images are signed
• A trust model is set up between the registry and the engine
Image signing with Notary
21. Notary signer interaction
[Sequence diagram, steps numbered 1 to 7, between the client (>_), the auth service, the TUF server with its server DB, and the signer with its signer DB and private keys. Messages shown: Upload new metadata; 401 - please auth; credentials; bearer token; Token + Upload new metadata; verify(metadata); get metadata; generate(timestamp, snapshot); sign(timestamp, snapshot); timestamp/snapshot signatures; store metadata; 200 OK; Token + Get new metadata; get metadata; 200 OK + Latest metadata.]
22. Applying AppArmor allows us to run only the processes we want to run in our containers:
• Won't allow unwanted processes to spawn
• Locks down the file system against unwanted reads or writes
Protect our container's processes
23. docker run --rm -it --security-opt apparmor=docker-default hello-world
How do we apply a policy
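As an added example (not from the talk), this script builds a custom AppArmor profile in the spirit of Docker's documented sample, loads it, and attaches it with the same --security-opt switch shown on the slide; the profile name docker-web, the nginx image and the /etc/apparmor.d/containers path are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: a custom AppArmor profile, stricter than docker-default.
# Profile name, image and the /etc/apparmor.d/containers path are assumptions.
# Emit the profile: TCP/UDP allowed, no writes under system dirs, no shell or top may
# execute, no mount. AppArmor deny rules win over the broad "file," grant.
render_profile() {
    cat <<EOF
#include <tunables/global>
profile $1 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network inet tcp,
  network inet udp,
  deny network raw,
  file,
  umount,
  deny /bin/** wl,
  deny /etc/** wl,
  deny /usr/** wl,
  audit /** w,
  /usr/sbin/nginx ix,
  deny /bin/sh mrwklx,
  deny /bin/dash mrwklx,
  deny /usr/bin/top mrwklx,
  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
  deny mount,
}
EOF
}
# Load (or reload) the profile into the kernel; needs root and apparmor_parser.
apply_profile() {
    mkdir -p /etc/apparmor.d/containers
    render_profile "$1" > "/etc/apparmor.d/containers/$1"
    apparmor_parser -r -W "/etc/apparmor.d/containers/$1"
}
# The docker run line from the slide, pointed at our profile instead of docker-default.
confined_run_cmd() {
    echo "docker run -d --name $1 --security-opt apparmor=$1 $2"
}
# Start the confined container and try what the profile forbids: each exec must fail,
# and the host kernel log gets a matching apparmor="DENIED" line for each attempt.
run_confined() {
    $(confined_run_cmd "$1" "$2")
    docker exec "$1" touch /etc/pwned && echo "UNEXPECTED: write to /etc allowed"
    docker exec "$1" sh -c 'echo hi' && echo "UNEXPECTED: shell allowed"
    docker exec "$1" top -b -n 1 && echo "UNEXPECTED: top allowed"
}
```

A custom profile replaces docker-default rather than extending it, so a production profile should also carry docker-default's /proc and /sys deny rules; run apply_profile and run_confined as root on an AppArmor-enabled host.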
25. Applying logging to your container ecosystem is easy using a project called logspout (https://github.com/gliderlabs/logspout):
• Allows you to capture logs from all your containers
• Works with most existing logging infrastructure
• Allows you to easily encrypt logs in transit
Can we log that?
28. Now that we have everything set up, from our security stack through to our logging, we can deploy:
• How images get into our Docker Trusted Registry
• The flow of requests when the cluster needs an image
Deploy, Deploy, Deploy