This document provides an overview of developing and deploying Java applications on Azure using Docker. It discusses using Docker to build Java applications, running containers, and deploying stacks. It also covers Docker Enterprise Edition, including subscriptions, certifications, and security features. Finally, it demonstrates using Docker on Azure, such as with Azure Container Service, and shows examples of building, running, and deploying Java applications with Docker.
8. A commercial product, built on a development platform, built on infrastructure, built on standards.
Docker is building a stack to program the Internet
11. Docker Platform constituencies
Many purposes, users and infrastructure (today)
Developer Community: need to experiment and innovate with leading edge tech
Ops Community: need a predictable system to deploy and run apps
Enterprise: run business critical apps at scale anywhere
Partner Ecosystem: extend and add value to a platform with a shared path to monetization
12. The Docker Platform
Developers Ops Enterprise Ecosystem
ONE PLATFORM
For Developers and IT
For Linux and Windows
On Premises and in the Cloud
Traditional Homegrown, Commercial ISV, Microservices
Docker Community Edition (CE)
Docker Enterprise Edition (EE)
Docker Certified
Docker Store
13. Docker Enterprise Edition (EE) and Community Edition (CE)
Community Edition (CE)
• Free Docker platform for “do it yourself” dev and ops
• Monthly Edge release with latest features for developers
• Quarterly release with maintenance for ops
Enterprise Edition (EE)
• CaaS enabled platform subscription (integrated container orchestration, management and security)
• Enterprise class support
• Quarterly releases, supported for one year each with backported patches and hotfixes
• Certified Infrastructure, Plugins, Containers
14. What is a Docker Edition
Making things simple for a great user experience
(diagram: Azure building blocks shown on the slide: Virtual Network, VMSS, Blob Storage, Azure LB, ARM, AAD)
15. Enterprises need support and assurances
NEW certification program for Infrastructure, Plugins and Containers
(diagram: Infrastructure and Platform layers, Community Edition beside Enterprise Edition)
17. Docker Store
• A commercial marketplace for partners and customers
• Publishers gain instant access to Docker users with product delivery in containers
• Customers gain ability to search, browse, purchase and manage from a single UX
18. Docker EE Subscription Tiers
Tiers: EE Basic, EE Standard (Docker Datacenter), EE Advanced
• CaaS enabled platform: Basic, Standard, Advanced
• Container engine and built-in orchestration, networking, security: Basic, Standard, Advanced
• Docker Certified infra, plugins and ISV containers: Basic, Standard, Advanced
• Image management with private registry, caching: Standard, Advanced
• Integrated container app management: Standard, Advanced
• Multi-tenancy with RBAC, LDAP/AD: Standard, Advanced
• Integrated secrets management, image signing, policy: Standard, Advanced
• Image security scanning and continuous vulnerability monitoring: Advanced
19. CaaS is the modern software supply chain framework
20. Isolation using Linux kernel features
namespaces: pid, mnt, net, uts, ipc, user
cgroups: memory, cpu, blkio, devices
23. What’s New in Docker 17.03
• Docker EE and CE
• Compose file support for Swarm mode service deployment
• docker stack deploy --compose-file=docker-compose.yml my_stack
• Secrets Management
• System commands
• docker system df, prune
• Monitoring
• docker service logs
• Prometheus experiment endpoint
• Build
• docker build --squash
• CPU management: --cpus 2.5
• Docker for AWS & Azure GA
25. Docker & Microsoft: collaboration on all fronts
• Build
• Docker for Windows
• Docker EE for Windows Servers
• Visual Studio Tools for Docker
• Visual Studio Code Docker extension
• Ship
• Visual Studio Team Services Docker Integration
• Azure Container Registry
• Run
• Azure Docker agent
• Azure Container Service Swarm and Swarm Mode
• Docker EE in Azure MarketPlace
28. spring-doge.jar
Example: Spring Boot App using MongoDB
https://github.com/chanezon/docker-tips/
spring-doge
spring-doge-web
spring-doge-photo
API: Spring Boot, Spring Data
UI: AngularJS
Business Logic: java.awt
java -Dserver.port=8080 -Dspring.data.mongodb.uri=mongodb://mongo:27017/test -jar spring-doge.jar
32. Run a container
docker run --env MONGODB_URI=mongodb://mongo:27017/test -p 8090:8080 chanezon/spring-doge
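The slide's docker run passes the image one environment variable and a port mapping. As an added example (not from the deck), the shell functions below start the same container with the cgroup controllers and namespace-level restrictions listed on the isolation slide (slide 20) and then read back the memory limit the kernel actually enforces; the container name and the limit values are illustrative choices of this example.

```shell
#!/bin/sh
# Added example, not from the deck: run spring-doge with explicit kernel
# isolation controls and verify them from both sides of the container boundary.

# Start IMAGE under NAME with explicit limits:
#   --memory / --memory-swap   memory cgroup (equal values disable swap use)
#   --cpus                     cpu cgroup quota
#   --pids-limit               pids cgroup, bounds process count in the pid namespace
#   --cap-drop ALL             drop every capability the Java process does not need
#   --security-opt no-new-privileges   setuid binaries cannot regain privileges
run_constrained() {
  image="$1"; name="$2"; mem="${3:-512m}"; cpus="${4:-1.0}"; pids="${5:-256}"
  docker run -d --name "$name" \
    --memory "$mem" --memory-swap "$mem" \
    --cpus "$cpus" --pids-limit "$pids" \
    --cap-drop ALL --security-opt no-new-privileges \
    --env MONGODB_URI=mongodb://mongo:27017/test \
    -p 8090:8080 "$image"
}

# Host-side view: the memory limit recorded in the container's HostConfig (bytes).
inspect_memory_limit() {
  docker inspect --format '{{.HostConfig.Memory}}' "$1"
}

# Container-side view: the limit as the kernel exposes it through the cgroup
# filesystem, trying the cgroup v2 path first and the v1 path second.
memory_limit_inside() {
  docker exec "$1" sh -c \
    'cat /sys/fs/cgroup/memory.max 2>/dev/null || cat /sys/fs/cgroup/memory/memory.limit_in_bytes'
}

# usage: run_constrained chanezon/spring-doge doge 256m 0.5 128
#        inspect_memory_limit doge; memory_limit_inside doge
```

Comparing the two views is the useful check: the host-side number is what you asked for, the container-side number is what the kernel applied, and a mismatch (for example an unlimited value inside the container) means the cgroup controller is not enabled on that host.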
33. docker-compose: running multiple containers
Run your stack with one command: docker-compose up
Describe your stack with one file: docker-compose.yml
version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8080:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
  mongo:
    image: mongo
39. ACS Engine
Open-source project that enables power users to customize the cluster configuration, and where Docker can work directly with Microsoft on newer versions of both Docker and ACS
https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md
40. Azure Container Service Swarm Mode
https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md
acs-engine ARM template generator
acs-engine swarmmode.json
cd _output/SwarmMode...
az group create --name "pat_az_5" --location "westus"
az group deployment create -g pat_az_5 -n pat_acs_5 --template-file=azuredeploy.json --parameters=@azuredeploy.parameters.json
41. docker stack deploy
Deploy your stack with one command: docker stack deploy
Describe your stack with one file: docker-compose.yml
version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
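Both the docker-compose slide (slide 33) and this stack file pass the MongoDB connection string through environment:, where it shows up in docker service inspect output, in the compose file in source control and in the process environment. As an added example (not from the deck or the spring-doge project), the shell script below writes the slide's stack file next to a hardened one that keeps the connection string and the database root password in Swarm secrets, and adds a pre-deploy lint that fails on the pattern. It assumes the image has been rebuilt on Spring Boot 2.4 or later (whose config trees map files under /run/secrets/ to properties by file name) and that MongoDB runs with authentication enabled; the deck's URI carries no credentials, and as soon as auth is on the URI embeds them.

```shell
#!/bin/sh
# Added example, not from the deck: secrets-based stack file plus a lint gate.

# The stack file as it appears on the slide (kept for comparison).
write_deck_stack_file() {
  cat > "$1" <<'EOF'
version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    deploy:
      replicas: 2
  mongo:
    image: mongo
EOF
}

# Hardened stack file: credentials arrive as files under /run/secrets, the
# secret source is versioned so it can be rotated without touching the app,
# and every service carries resource limits. Both secrets are external, i.e.
# created by an operator before deploy (docker secret create NAME - < file).
write_hardened_stack_file() {
  cat > "$1" <<'EOF'
version: '3.1'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - SPRING_CONFIG_IMPORT=configtree:/run/secrets/
    secrets:
      - source: mongodb_uri_v1
        target: spring.data.mongodb.uri
    deploy:
      replicas: 2
      resources:
        limits: {cpus: '0.50', memory: 512M}
      update_config: {parallelism: 1, delay: 10s}
      restart_policy: {condition: on-failure}
  mongo:
    image: mongo
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_root_password
    secrets:
      - mongo_root_password
    deploy:
      resources:
        limits: {memory: 1G}
secrets:
  mongodb_uri_v1:
    external: true
  mongo_root_password:
    external: true
EOF
}

# Pre-deploy gate. These are file-level heuristics on the list form of
# environment:; a production gate would parse the YAML per service.
lint_stack_file() {
  f="$1"; rc=0
  # A variable whose name ends in URI/PASSWORD/SECRET/TOKEN carries a credential
  # in the clear; the *_FILE=/run/secrets/... form is the secret-backed one.
  if grep -Eq '^[[:space:]]*-[[:space:]]*[A-Z0-9_]*(URI|PASSWORD|SECRET|TOKEN)=' "$f"; then
    echo "lint: credential passed via environment in $f"; rc=1
  fi
  grep -q '^[[:space:]]*secrets:' "$f" || { echo "lint: no secrets: section in $f"; rc=1; }
  grep -q 'limits:' "$f" || { echo "lint: no deploy.resources.limits in $f"; rc=1; }
  return $rc
}

# Lint first, deploy only on a clean result (usage: deploy_stack stack.yml spring-doge).
deploy_stack() {
  lint_stack_file "$1" && docker stack deploy --compose-file "$1" "$2"
}
```

The URI secret (mongodb://root:PASSWORD@mongo:27017/test?authSource=admin, with the same password as mongo_root_password) and the password secret are created once by an operator; the stack file then references them by name only, so neither the file nor docker service inspect ever contains the credential.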
45. Docker EE Subscription Tiers (recap of slide 18)
47. The Key Components of Container Security
Usable Security: secure defaults with tooling that is native to both dev and ops
Trusted Delivery: everything needed for a fully functioning app is delivered safely and guaranteed not to be tampered with
Infrastructure Independent: all of these things in your system are in the app platform and can move across infrastructure without disrupting the app
Usable Security + Trusted Delivery + Infrastructure Independent = Safer Apps
48. Integrated Security with Docker EE
Usable Security + Trusted Delivery + Infrastructure Independent = Safer Apps
Components shown: Image Scanning, TLS Encryption, Encryption at Rest, App Secrets, Image Signing & Verification, Users & RBAC, Dev/Ops Workflow, and a secure by default runtime
Infrastructure: Physical, Virtualization, Public Cloud
52. What’s New in Docker EE 17.03
Application Services
• Secrets Management
• HTTP Routing Mesh (GA)
• Docker Compose for Services
• Access control for Secrets and Volumes
Content Trust and Distribution
• Image Content Cache
• On premises image security scanning and vulnerability monitoring
• Registry Webhooks
Platform Enhancements
• DTR install command from UI
• UI Enhancements
• Additional LDAP configs
• Templates for AWS, Azure
53. Integrated Secrets Management
(diagram: manager nodes holding the internal distributed store replicated by a Raft consensus group, worker nodes receiving secrets, and an external app and web UI on the management side)
• Management
  – Admins can add/remove/list/update secrets in the cluster
  – Exposed to a container via a ”/secrets” tmpfs volume
• Authorization
  – Tag secrets to a specific service
  – Admins can authorize secrets access to users/teams via RBAC
• Rotation
  – Use GUI to update a secret to all containers in a service
• Auditing
  – Each user request for secret access logged in cluster for auditing
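The slide describes rotation through the GUI and auditing of secret access. As an added example (not from the deck), the shell functions below run the same lifecycle from the CLI against a Swarm service: create a secret from a file instead of from the command line, rotate it by swapping the versioned source behind a fixed target name, and pull the related daemon events. The service and secret names follow the spring-doge stack and are assumptions of this example; inside the container Docker mounts each secret at /run/secrets/<target>.

```shell
#!/bin/sh
# Added example, not from the deck: Swarm secret lifecycle from the CLI.
# Assumes the service mounts its secret under a fixed target name, so the
# source secret can be replaced without changing the application.

# Create secret NAME with contents read from FILE. Reading the value from a
# file (stdin to docker) keeps it out of argv, shell history and ps output.
create_secret() {
  name="$1"; file="$2"
  [ -s "$file" ] || { echo "create_secret: $file is missing or empty" >&2; return 1; }
  docker secret create "$name" - < "$file"
}

# Derive the next version name: mongodb_uri_v1 -> mongodb_uri_v2.
next_version() {
  case "$1" in
    *_v[0-9]*) base="${1%_v*}"; echo "${base}_v$(( ${1##*_v} + 1 ))" ;;
    *) echo "${1}_v1" ;;
  esac
}

# Rotate the secret used by SERVICE. TARGET is the file name the app reads
# under /run/secrets; OLD and NEW are the versioned Swarm secret names.
rotate_secret() {
  service="$1"; target="$2"; old="$3"; new="$4"; file="$5"
  create_secret "$new" "$file" || return 1
  # One update swaps the mounted secret; Swarm restarts tasks per update_config.
  docker service update --secret-rm "$old" \
    --secret-add "source=$new,target=$target" "$service" || return 1
  # Only after the rollout returns is the old version unreferenced and removable.
  docker secret rm "$old"
}

# Audit trail: secret create/remove and service update events from the daemon.
# SINCE and UNTIL take the timestamps or relative times docker events accepts.
audit_secret_events() {
  docker events --since "$1" --until "$2" --filter type=secret --filter type=service
}

# usage: rotate_secret spring-doge_web spring.data.mongodb.uri \
#          mongodb_uri_v1 "$(next_version mongodb_uri_v1)" ./new_uri.txt
#        audit_secret_events 1h 0s
```

If docker service update fails, rotate_secret returns before removing anything, so both versions stay in place and docker service update --rollback restores the previous task spec.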
58. Compose for Services
• Deploy stacks (services, volumes, networks, secrets) using new Compose file v3.1 format
• Manage and monitor stacks directly from UCP UI
59. Built in HTTP Routing Mesh (Now GA!)
• Extend TCP routing mesh to HTTP hostname routing for services
• HTTPS support via SNI protocol
• Support for multiple HRM networks for enhanced app isolation
• External LB routes hostnames to nodes
• Can add hostname routing via UI
• Non-service containers continue to use Interlock ref arch
(diagram: an external load balancer receives traffic via DNS for Foo.com, Bar.com and Qux.com (HTTP to port 80 or other) and forwards it to worker nodes, where the routing mesh (R) on each node delivers it to the right service)
Deep integration with native load-balancers, templates,
SSH keys, ACLs, scaling groups, firewall rules…
When approaching app containers and the security surrounding them, Docker believes there are three key components or characteristics that are critical.
Usable security - This means that it has to be usable by the people at both ends of the app pipeline: secure by default, with usable tooling that makes sense for developers and operators, workflows that work for them.
Trusted Delivery - Apps move around, so you need to ensure that an app gets safely from point A to point B with proof that it hasn't been tampered with: securely delivered, signed, encrypted, the security that is required for delivering an app.
Infrastructure independent - Totally portable to whatever infrastructure you deliver it on. The security configuration is defined at the app and can then move from a developer's workstation to a test in the cloud to a production datacenter without losing any of its security or requiring re-coding of the app to make it work.
Build each point so the final slide has all 3 points.
Safer apps mean that when you build and deploy your app in Docker, it is intrinsically more secure.
Trusted Delivery (TD) means everything needed for the full functioning of your app is delivered in a secure and trusted manner.
All of these things in your system are in the app platform itself and move across infrastructure with it.
= usable: people are not leaning in to security.
Secrets enable: secure API handshakes, encrypted communication... what else?
Assign secrets to services when they are ready to run and need to connect to other services (both internal and external).
Docker delivers secrets management architected for containerized applications
Usable Security: Integrated and designed with dev and ops workflows in mind
Trusted Delivery: Encrypted storage and secure transit with TLS
Infrastructure Independent: A portable security model across any infrastructure across the lifecycle
All apps are safer - Only the assigned app can access the secret, even with multiple apps on the same cluster
Docker Datacenter provides integrated secrets and container management with granular access controls for a secure software supply chain.
Local development environments
Self service app images
Build, Test, Deploy applications
Define app behavior and infra needs
Registry services for image storage, management and distribution
IT Ops maintains library of secure base content
Manage role based access to repos/images
Management consoles
Provision, manage infrastructure resources
Monitor, manage, scale infrastructure and applications
The http routing mesh service uses these labels to route hostname pings to the correct service (e.g. “foo.com” → “S1”)
Customer can set up an external LB of choice (e.g. F5, ELB) to route hostnames to nodes via DNS
Services only; Interlock reference architecture for UCP 1.1.x should continue to function for non-service containers
Each app service can have a label corresponding to a host address
External LB routes hostnames to nodes
Non-service containers continue to use the reference architecture with Interlock
Now Generally Available
Support for routing multiple hostnames to the same docker service
HTTPS pass-through via SNI
Sticky sessions (use named cookie to always route to same task)
Support for multiple HRM networks for increased app isolation
Increased stability during config loading and app routing failures
Improved UI
Configure hostname routing directly from service deploy/inspect pages
View app routing configs status