Auth doesn’t have to be a nightmare
Docker to the rescue!
APIStrat SF, October 2013
Jérôme Petazzoni — @jpetazzo
What’s The Problem?
Multiple auths in multiple apps
● OAUTH
● OAUTH2
● OpenID
● SSL client certs
● HTTP Basic (in SSL, right?)
● HTTP Digest (seriously?)
● IP addresses
● VPNs, IPSEC
● custom tokens

● website (e.g. Ruby on Rails)
● API (e.g. Python+Flask)
● realtime events (e.g. Node.js)
● secret project (Golang, Rust…)
The “Matrix from Hell” of authentication/authorization

                      | Ruby | Python | Python (Django!) | Java | Other langs...
OAUTH                 |  ?   |   ?    |        ?         |  ?   |       ?
OAUTH2                |  ?   |   ?    |        ?         |  ?   |       ?
OpenID                |  ?   |   ?    |        ?         |  ?   |       ?
SSL certs             |  ?   |   ?    |        ?         |  ?   |       ?
HTTP Basic or Digest  |  ?   |   ?    |        ?         |  ?   |       ?
IP addresses, VPN...  |  ?   |   ?    |        ?         |  ?   |       ?
custom auth           |  ?   |   ?    |        ?         |  ?   |       ?
What’s The Solution?
What are The Solutions?
Solution 1
● this is actually what most people do
● because at first the matrix isn’t that big
● then you add more services
● want to support more backends
● you end up picking one auth method
● N implementations instead of MxN

Grade: C

Solution 1
● this is actually what most people do
● because at first the matrix isn’t that big
● then you add more services
● want to support more backends
● you end up picking one (or two) auth methods
○ e.g. basic auth over SSL + API tokens

● N implementations (or 2xN) instead of MxN

Grade: B
Solution 2
● delegate auth to a proxy/external process

Client  --(Here there be $AUTH)-->  Proxy  --(Here there be simple HTTP headers)-->  Service
Solution 2: the problems
● I work on the Ruby API
● I don’t want to install the Node.js stuff
● but the auth component is in Node.js!
● I have to learn how to deploy Node.js
● also, deployment is more complex

Grade: B (single lang shops)
Grade: D (everybody else)
Solution 3
● put each component in a VM

Client  --(Here there be $AUTH)-->  Proxy VM  --(Here there be simple HTTP headers)-->  Service VM
Solution 3: the problems
● create (and maintain) VM images
● VMs are RAM-heavy
○ now you have a good reason to get 16 GB of RAM!

● VMs are disk-heavy
○ now you need to download a 500 MB VM to update the auth proxy to test a 4-line commit

● VM networking is not awesome
○ discovery and plumbing can require some voodoo
Solution 3

Grade: B (if you have a vagrant guru in residence, and super shiny awesome laptops)
Grade: D (everybody else)
Solution 4: the Linux container
● put each component in a container

Client  --(Here there be $AUTH)-->  Proxy LXC  --(Here there be simple HTTP headers)-->  Service LXC
Solution 4: pros and cons
● your dev env must be Linux
● or you can use a VM
○ but just one
○ no Hogwarts diploma required

● containers are lightweight
○ I can run 100 containers on my laptop
○ updating a container is more like “git pull”

● networking is easier
○ and it is getting even easier!
○ service discovery
Solution 4

Grade: ? (you tell me at the end of the presentation)
What’s a Linux container?
High level approach
Lightweight Virtual Machine
● looks like a VM
● can run stuff as root
● can install packages
● can run sshd, syslog, cron...
“Machine Container”
What’s a Linux container?
Low level approach
Chroot on steroids
● normal processes, but isolated
● share kernel with the host
● doesn’t need to run ssh, syslog, cron...
“Application Container”
What’s a Linux container?
Technical approach
Two big sets of kernel features:
● namespaces
○ isolate containers
○ one namespace cannot see/affect another

● control groups
○ meter and limit resources
○ CPU, RAM, disk I/O…
○ prevent a single container from hogging the host

Note: you can use namespaces and/or
cgroups without using containers
What’s Docker?
Open Source project
(i.e. satisfaction guaranteed,
or your money back)
1. Runtime for Linux containers
jpetazzo@tarrasque:~$ sudo docker run -t -i ubuntu bash
root@092ee318746f:/#

→ create an Ubuntu VM, and run a shell in it.

Total time: less than 0.5s
(If necessary, the “ubuntu” image
will be downloaded automatically.)
But Docker is also...
2. Standard format for containers
3. Public place to share them
● library of standard images
(ubuntu, fedora, redis, postgresql…)
● create your own images
(from scratch or based on existing ones)
● upload them to the public registry
(searchable index w/ social features)
● upload them to private registry
● 3rd party hosted registries already exist
Real world example:
Test this new Ghost blog engine
● Look for “ghost” on http://index.docker.io/
● Find orchardup/ghost
jpetazzo@tarrasque:~$ sudo docker run -d orchardup/ghost
c6000fa5ddc6

Total time: <0.5s
(+5m to download the image on this hotel WiFi)
Runtime for Linux containers
jpetazzo@tarrasque:~$ sudo docker inspect c6000fa5ddc6
...
"PortMapping": {
"Tcp": {
"2368": "49153"
},
...

→ if I run this on a server somewhere, the new
service is publicly available on port 49153.
How does the Auth problem fit in?
● create a “HTTP Basic Auth + SSL” container
○ based on e.g. existing Nginx container
○ inject a custom auth header, e.g. x-username
○ strip rogue x-username header (duh!)

● lock the Ghost service so it doesn’t expose its TCP port anymore to the outside world
○ but it will still accept connections from containers

● patch the Ghost service to look for the header
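To make the proxy step concrete, here is an added Python simulation of what the “HTTP Basic Auth + SSL” container has to do with headers; it is not code from the talk, from Nginx or from Ghost. The user table, passwords and requests are constructed for the example, and the header name x-username is the one the slide uses; the example also covers the general case of mixed-case and duplicated client headers, which the slide only hints at with “strip rogue x-username header”.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed user database for the example: username -> salted SHA-256 of
# the password. (A real Nginx-based proxy would use an htpasswd file.)
_SALT = b"example-salt-not-secret"


def _hash_password(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


USERS: Dict[str, bytes] = {
    "alice": _hash_password("correct horse battery staple"),
    "bob": _hash_password("hunter2"),
}

# The identity header the proxy injects. The service may trust it only because
# its port is reachable from the proxy container alone, never from the outside.
IDENTITY_HEADER = "x-username"


def basic_credential(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for HTTP Basic."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate_basic(authorization: Optional[str]) -> Optional[str]:
    """Validate an Authorization header value; return the username or None.

    Every failure (missing header, wrong scheme, bad base64, unknown user,
    wrong password) yields None so the caller has a single path to a 401.
    """
    if not authorization:
        return None
    scheme, _, credential = authorization.partition(" ")
    if scheme.lower() != "basic" or not credential.strip():
        return None
    try:
        decoded = base64.b64decode(credential.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Hash even for unknown users so timing does not reveal which names exist;
    # compare_digest keeps the hash comparison constant-time.
    supplied = _hash_password(password)
    expected = USERS.get(user, _hash_password(""))
    if user not in USERS or not hmac.compare_digest(expected, supplied):
        return None
    return user


def build_upstream_headers(client_headers: Dict[str, str], user: str) -> Dict[str, str]:
    """Headers the proxy forwards to the service once the client is authenticated.

    Header names are lower-cased (HTTP header names are case-insensitive), the
    client's Authorization header is dropped so the service never sees the
    password, and ANY client-supplied x-username is stripped before the trusted
    value is set: the "strip rogue x-username header (duh!)" step of the slides.
    """
    forwarded = {
        name.lower(): value
        for name, value in client_headers.items()
        if name.lower() not in (IDENTITY_HEADER, "authorization")
    }
    forwarded[IDENTITY_HEADER] = user
    return forwarded


def proxy_request(client_headers: Dict[str, str]) -> Tuple[int, Optional[Dict[str, str]]]:
    """The proxy's decision for one request: (401, None) or (200, upstream headers)."""
    authorization = next(
        (v for k, v in client_headers.items() if k.lower() == "authorization"), None
    )
    user = authenticate_basic(authorization)
    if user is None:
        return 401, None
    return 200, build_upstream_headers(client_headers, user)


def service_current_user(upstream_headers: Dict[str, str]) -> str:
    """What the patched service (Ghost, in the slides) does: read the header."""
    return upstream_headers[IDENTITY_HEADER]


if __name__ == "__main__":
    # Constructed request: valid credentials plus a forged identity header.
    request = {
        "Authorization": basic_credential("bob", "hunter2"),
        "X-Username": "admin",  # rogue header, must not survive the proxy
        "Accept": "text/html",
    }
    status, upstream = proxy_request(request)
    print(status, upstream)  # 200 {'accept': 'text/html', 'x-username': 'bob'}
```

The forged X-Username never reaches the service; whatever the client sends under that name, in any letter case, is replaced by the name the proxy actually authenticated.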
WAIT
How do I create those container images?
Creating an image with run/commit
1. docker run ubuntu bash
2. apt-get install this and that
3. docker commit <containerid> <imagename>
4. docker run <imagename> bash
5. git clone git://.../mycode
6. pip install -r requirements.txt
7. docker commit <containerid> <imagename>
8. repeat steps 4-7 as necessary
9. docker tag <imagename> <user/image>
10. docker push <user/image>
Creating an image with a Dockerfile
# This is a Dockerfile to build a CouchDB container
FROM ubuntu
RUN apt-get -y update
RUN apt-get install -y g++ erlang-dev erlang-base-hipe …
RUN apt-get install -y libmozjs185-dev libicu-dev libtool …
RUN apt-get install -y make wget
# stream the tarball to stdout and unpack it straight into /tmp
RUN wget -O - http://.../apache-couchdb-1.3.1.tar.gz | tar -C /tmp -zxf -
RUN cd /tmp/apache-couchdb-* && ./configure && make install
# listen on 8101 on all interfaces so the port can be mapped from the host
RUN printf "[httpd]\nport = 8101\nbind_address = 0.0.0.0" >/usr/local/etc/couchdb/local.d/docker.ini
EXPOSE 8101
CMD ["/usr/local/bin/couchdb"]

docker build -t jpetazzo/couchdb .
docker push jpetazzo/couchdb
SHARE
auth containers
app containers
Solution 4: moment of truth
● we just built perfect packages:
○ distro-independent
○ without dependency issues
○ that can run in dev, staging, production

● without getting our hands dirty
○ and barely rolling up our sleeves

● we can share them with other projects/shops
Please allow me to verbosely formulate my genuine enthusiasm.
BONUS
We can ship our code with those containers
Deploying Containers
● docker pull + docker run from registry
● Docker can be controlled through REST API,
so you can control a fleet of Docker hosts
● PAAS-like: Cocaine, Deis, Maestro…
♥ OpenStack?
● Nova can deploy Docker containers (since Havana)
● Heat can deploy Docker containers (since last week)
Thank you!
Questions?
twitter.com/jpetazzo
twitter.com/docker
http://docker.io/
https://github.com/dotcloud/docker
Future of Docker
● service discovery
(containers will be able to discover
resources)
● compatibility with Red Hat Enterprise Linux
(currently Docker runs best on Ubuntu)
● support for other runtimes and storage
(Jails, Zones, BTRFS, ZFS…)

Streamlining Python Development: A Guide to a Modern Project Setup
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 

Auth doesn't have to be a nightmare — Docker to the rescue!

  • 1. Auth doesn’t have to be a nightmare Docker to the rescue! APIStrat SF October 2013 Jérôme Petazzoni — @jpetazzo
  • 3. Multiple auths in multiple apps
    Auth methods:
    ● OAUTH
    ● OAUTH2
    ● OpenID
    ● SSL client certs
    ● HTTP Basic (in SSL, right?)
    ● HTTP Digest
    ● IP addresses (seriously?)
    ● VPNs, IPSEC
    ● custom tokens
    Apps:
    ● website (e.g. Ruby on Rails)
    ● API (e.g. Python+Flask)
    ● realtime events (e.g. Node.js)
    ● secret project (Golang, Rust…)
  • 4. The “Matrix from Hell” of authentication/authorization
    rows (auth methods): OAUTH / OAUTH2 / OpenID / SSL certs / HTTP Basic or Digest / IP addresses, VPN... / custom auth
    columns (languages): Ruby / Python / Python (Django!) / Java / Other langs...
    every cell: ?
  • 8. Solution 1
    ● this is actually what most people do
    ● because at first the matrix isn’t that big
    ● then you add more services
    ● want to support more backends
    ● you end up picking one auth method
    ● N implementations instead of MxN
  • 9. Solution 1
    ● this is actually what most people do
    ● because at first the matrix isn’t that big
    ● then you add more services
    ● want to support more backends
    ● you end up picking one auth method
    ● N implementations instead of MxN
    Grade: C
  • 10. Solution 1
    ● this is actually what most people do
    ● because at first the matrix isn’t that big
    ● then you add more services
    ● want to support more backends
    ● you end up picking one (or two) auth method
      ○ e.g. basic auth over SSL + API tokens
    ● N implementations (or 2xN) instead of MxN
    Grade: B
  • 11. Solution 2 ● delegate auth to a proxy/external process Client Here there be $AUTH Proxy Here there be simple HTTP headers Service
  • 12. Solution 2: the problems
    ● I work on the Ruby API
    ● I don’t want to install the Node.js stuff
    ● but the auth component is in Node.js!
    ● I have to learn how to deploy Node.js
    ● also, deployment is more complex
  • 13. Solution 2: the problems
    ● I work on the Ruby API
    ● I don’t want to install the Node.js stuff
    ● but the auth component is in Node.js!
    ● I have to learn how to deploy Node.js
    ● also, deployment is more complex
    Grade: B (single lang shops)
    Grade: D (everybody else)
  • 15. Solution 3 ● put each component in a VM Client Here there be $AUTH Proxy VM Here there be simple HTTP headers Service VM
  • 16. Solution 3: the problems
    ● create (and maintain) VM images
    ● VMs are RAM-heavy
      ○ now you have a good reason to get 16 GB of RAM!
    ● VMs are disk-heavy
      ○ now you need to download a 500 MB VM to update the auth proxy to test a 4-line commit
    ● VM networking is not awesome
      ○ discovery and plumbing can require some voodoo
  • 17. Solution 3 Grade: B (if you have a vagrant guru in residence, and super shiny awesome laptops) Grade: D (everybody else)
  • 18. Solution 4: the container
  • 19. Solution 4: the Linux container
  • 20. Solution 4 ● put each component in a container Client Here there be $AUTH Proxy LXC Here there be simple HTTP headers Service LXC
  • 21. Solution 4: pros and cons
    ● your dev env must be Linux
    ● or you can use a VM
      ○ but just one
      ○ no Hogwarts diploma required
    ● containers are lightweight
      ○ I can run 100 containers on my laptop
      ○ updating a container is more like “git pull”
    ● networking is easier
      ○ and is getting even easier!
      ○ service discovery
  • 22. Solution 4 Grade: ? you tell me at the end of the presentation
  • 24. What’s a Linux container? High level approach: Lightweight Virtual Machine
    ● looks like a VM
    ● can run stuff as root
    ● can install packages
    ● can run sshd, syslog, cron...
    “Machine Container”
  • 25. What’s a Linux container? Low level approach: Chroot on steroids
    ● normal processes, but isolated
    ● share kernel with the host
    ● doesn’t need to run ssh, syslog, cron...
    “Application Container”
  • 26. What’s a Linux container? Technical approach
    Two big sets of kernel features:
    ● namespaces
      ○ isolate containers
      ○ one namespace cannot see/affect another
    ● control groups
      ○ meter and limit resources
      ○ CPU, RAM, disk I/O…
      ○ prevent a single container from hogging the host
    Note: you can use namespaces and/or cgroups without using containers
  • 27. What’s Docker? Open Source project (i.e. satisfaction guaranteed, or your money back)
  • 28. 1. Runtime for Linux containers
    jpetazzo@tarrasque:~$ sudo docker run -t -i ubuntu bash
    root@092ee318746f:/#
    → create an Ubuntu VM, and run a shell in it. Total time: less than 0.5s
    (If necessary, the “ubuntu” image will be downloaded automatically.)
  • 29. But Docker is also...
  • 30. 2. Standard format for containers 3. Public place to share them
    ● library of standard images (ubuntu, fedora, redis, postgresql…)
    ● create your own images (from scratch or based on existing ones)
    ● upload them to the public registry (searchable index w/ social features)
    ● upload them to private registry
    ● 3rd party hosted registries already exist
  • 31. Real world example: Test this new Ghost blog engine
    ● Look for “ghost” on http://index.docker.io/
    ● Find orchardup/ghost
    jpetazzo@tarrasque:~$ sudo docker run -d orchardup/ghost
    c6000fa5ddc6
    Total time: <0.5s (+5m to download the image on this hotel WiFi)
  • 32. Runtime for Linux containers
    jpetazzo@tarrasque:~$ sudo docker inspect c6000fa5ddc6
    ...
    "PortMapping": { "Tcp": { "2368": "49153" }, ...
    → if I run this on a server somewhere, the new service is publicly available on port 49153.
  • 33. How does the Auth problem fit in?
    ● create a “HTTP Basic Auth + SSL” container
      ○ based on e.g. existing Nginx container
      ○ inject a custom auth header, e.g. x-username
      ○ strip rogue x-username header (duh!)
    ● lock the Ghost service so it doesn’t expose its TCP port anymore to the outside world
      ○ but it will still accept connections from containers
    ● patch the Ghost service to look for the header
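The decision the auth proxy container has to make, as an added example that is not from the slides or from any Nginx config: verify the Basic credential, drop every client-supplied x-username (the "rogue" header), and inject the verified one. The user table, passwords and helper names are constructed for this demo.

```python
import base64
import hashlib
import hmac

# Constructed user table: username -> sha256(password). A real proxy container
# would mount an htpasswd-style file instead. (Hypothetical demo data.)
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
IDENTITY_HEADER = "x-username"   # header the patched Ghost service trusts


def basic_credential(user, password):
    """Build an HTTP Basic Authorization value (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _check_basic(authorization):
    """Return the username if the Basic credential is valid, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Always run the constant-time compare, even for unknown users, so the
    # response time does not reveal which usernames exist.
    expected = USERS.get(user, hashlib.sha256(b"").hexdigest())
    ok = hmac.compare_digest(digest, expected)
    return user if ok and user in USERS else None


def proxy_headers(client_headers):
    """Decide what the auth proxy forwards: (status, upstream headers).

    401 and nothing forwarded on bad/missing credentials. Otherwise every
    client-supplied x-username is stripped (the "rogue" header) and the
    verified username is injected, so the service can trust it.
    """
    lowered = {k.lower(): v for k, v in client_headers.items()}
    user = _check_basic(lowered.get("authorization"))
    if user is None:
        return 401, {}
    upstream = {k: v for k, v in lowered.items()
                if k not in ("authorization", IDENTITY_HEADER)}
    upstream[IDENTITY_HEADER] = user
    return 200, upstream
```

Header names are compared case-insensitively because a client can spell X-Username any way it likes; the Authorization header is also dropped so the service never sees the password.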
  • 34. WAIT How do I create those container images?
  • 35. Creating an image with run/commit
    1. docker run ubuntu bash
    2. apt-get install this and that
    3. docker commit <containerid> <imagename>
    4. docker run <imagename> bash
    5. git clone git://.../mycode
    6. pip install -r requirements.txt
    7. docker commit <containerid> <imagename>
    8. repeat steps 4-7 as necessary
    9. docker tag <imagename> <user/image>
    10. docker push <user/image>
  • 36. Creating an image with a Dockerfile
    # This is a Dockerfile to build a CouchDB container
    FROM ubuntu
    RUN apt-get -y update
    RUN apt-get install -y g++ erlang-dev erlang-base-hipe …
    RUN apt-get install -y libmozjs185-dev libicu-dev libtool …
    RUN apt-get install -y make wget
    # wget must write to stdout (-O -) for the pipe into tar to receive the archive
    RUN wget -O - http://.../apache-couchdb-1.3.1.tar.gz | tar -C /tmp -zxf -
    RUN cd /tmp/apache-couchdb-* && ./configure && make install
    RUN printf "[httpd]\nport = 8101\nbind_address = 0.0.0.0" >/usr/local/etc/couchdb/local.d/docker.ini
    EXPOSE 8101
    CMD ["/usr/local/bin/couchdb"]

    docker build -t jpetazzo/couchdb .
    docker push jpetazzo/couchdb
  • 38. Solution 4: moment of truth
    ● we just built perfect packages:
      ○ distro-independent
      ○ without dependency issues
      ○ that can run in dev, staging, production
    ● without getting our hands dirty
      ○ and barely rolling up our sleeves
    ● we can share them with other projects/shops
    Please allow me to verbosely formulate my genuine enthusiasm.
  • 39. BONUS We can ship our code with those containers
  • 40. Deploying Containers
    ● docker pull + docker run from registry
    ● Docker can be controlled through REST API, so you can control a fleet of Docker hosts
    ● PAAS-like: Cocaine, Deis, Maestro…
    ♥ OpenStack?
    ● Nova can deploy Docker containers (since Havana)
    ● Heat can deploy Docker containers (since last week)
  • 42. Future of Docker
    ● service discovery (containers will be able to discover resources)
    ● compatibility with Red Hat Enterprise Linux (currently Docker runs best on Ubuntu)
    ● support for other runtimes and storage (Jails, Zones, BTRFS, ZFS…)