SOLVING REAL WORLD PRODUCTION
PROBLEMS WITH DOCKER
OCTOBER 11TH, 2016
DOCKER MEETUP, LOS ANGELES
MARC CAMPBELL
@mccode
GOALS
• Review Docker features that enable a more reliable, secure
production environment
• Present a secure build-deliver-execute process that includes
Docker in production
• Provide solutions you can start using today
“The only difference between a process in a container
and a process not in a container is a few labels on top
of a process that say ‘this is in container X’”
Jérôme Petazzoni, Docker
July 06, 2015
SECURE DELIVERY PIPELINE
BUILD DELIVER EXECUTE
BUILD
Choosing and creating container images that
will run in your production environment.
THREE DIFFERENT ROLES, EQUALLY IMPORTANT
Operations asks: Can it be supported?
  Will it send alerts when it breaks? Does it support zero-downtime upgrades?
Development asks: Does it work?
  Is it Elasticsearch? I don’t want “elasticsearch-like”, I want Elasticsearch and I want version 2.4.1.
Security asks: Can it be safely run?
  There are 2,532 Elasticsearch containers in DockerHub. Why this one?
• Development images do not have to be the same as production images
• Prefer library (official) images when possible
• Always look at the Dockerfile, regardless of pull count
• Be cautious when bind mounting the docker.sock file: a container that can reach /var/run/docker.sock controls the Docker daemon and can start a privileged container on the host, which is equivalent to root on the host
Best practices
- whitelist (or choose) base images
- don’t trust “pull count” from DockerHub; find and read the Dockerfile
- use the most specific tag possible (most specific first; only the digest form is immutable, any tag can be re-pointed):

redis@sha256:<digest> > redis:3.2.4 > redis:3.2 > redis:3 > redis:latest

- adopt a tagging pattern for your own images
- use security scanning (CoreOS Clair or DockerHub Security Scanning)
- use Docker Content Trust
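The tag-specificity ordering and the “whitelist base images” rule above can be enforced mechanically before an image is ever built. The following Python is an added example, not code from the talk: it parses image references the way the Docker CLI does, ranks how tightly each reference pins content (digest, then 3/2/1 version components, then `latest`), and audits the FROM lines of a Dockerfile against an allow-list. The sample Dockerfile, the allow-list and the digest value are constructed placeholders.

```python
import re

# Registry digests are "sha256:" followed by 64 hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_reference(ref):
    """Split an image reference into registry, repository, tag and digest,
    following the rules the Docker CLI applies: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost', and bare names
    on Docker Hub live under the 'library/' namespace."""
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed digest in " + ref)
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", name
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:      # only the last component carries a tag
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def specificity(ref):
    """How tightly a reference pins content: 4 = digest (immutable),
    3/2/1 = tag with that many dotted version components, 0 = 'latest'."""
    r = parse_reference(ref)
    if r["digest"]:
        return 4
    tag = r["tag"] or "latest"
    if tag == "latest":
        return 0
    return min(3, len(tag.split(".")))


def audit_dockerfile(dockerfile, allowed_repos, min_specificity=3):
    """Check every FROM line against an allow-list of base repositories
    ('registry/repository') and a minimum specificity. Names of earlier build
    stages and 'scratch' are skipped. Returns [(image, problem)]."""
    findings, stages = [], set()
    for line in dockerfile.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].upper() != "FROM":
            continue
        image = next(t for t in tokens[1:] if not t.startswith("--"))  # skip --platform=...
        if "AS" in (t.upper() for t in tokens):
            stages.add(tokens[-1])
        if image in stages or image.lower() == "scratch":
            continue
        r = parse_reference(image)
        repo = r["registry"] + "/" + r["repository"]
        if repo not in allowed_repos:
            findings.append((image, "base image not on allow-list: " + repo))
        if specificity(image) < min_specificity:
            findings.append((image, "tag too loose (specificity %d, want >= %d)"
                             % (specificity(image), min_specificity)))
    return findings


# Constructed sample Dockerfile and allow-list (not from the talk); the digest
# is a synthetic placeholder, not a real redis image digest.
SAMPLE_DOCKERFILE = """\
FROM redis:latest
FROM redis:3.2.4 AS pinned
FROM redis@sha256:{d}
FROM registry.mycompany.com/base/python:3.5
FROM pinned
""".format(d="0123456789abcdef" * 4)
ALLOWED_REPOS = {"docker.io/library/redis", "registry.mycompany.com/base/python"}

if __name__ == "__main__":
    for image, problem in audit_dockerfile(SAMPLE_DOCKERFILE, ALLOWED_REPOS):
        print("%-45s %s" % (image, problem))
```

Run against the sample, `redis:latest` and `registry.mycompany.com/base/python:3.5` are reported for loose tags while the digest-pinned and `3.2.4` lines pass; a repository outside the allow-list is reported regardless of how well it is pinned. Wiring this into CI on every Dockerfile change is the cheapest way to keep “read the Dockerfile” from depending on someone remembering to.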
Monitor images with DockerHub Security Scanning or CoreOS Clair
At the time of this talk (October 2016) the current nginx image on DockerHub had:
13 Critical CVEs
23 Major CVEs
Including 1 CRITICAL OpenSSL CVE
DELIVER
Ensure the images you want to run are the
images you are running
I typed `docker run redis`, so now I’m running redis… right? …right???
What happens when you type `docker run redis`:
1. `redis` is expanded to `redis:latest` (no tag given, so the default tag is used)
2. Does the image exist locally?
   NO: pull `redis:latest` from the registry, then continue
   YES: continue
3. Create the redis container
4. Start the redis container
`docker run redis` crosses two trust boundaries: Docker CLI -> Docker Engine -> Docker Hub.

Docker CLI    -> Docker Engine: CREATE
Docker Engine:                  NO IMAGE locally, so PULL
Docker Engine -> Docker Hub:    GET /v2/
Docker Hub    -> Docker Engine: 401 AUTH REQUIRED (engine parses the header for the auth endpoint)
Docker Engine -> Docker Hub:    POST /login
Docker Engine -> Docker Hub:    GET /v2/…/manifest
Docker Engine -> Docker Hub:    GET /v2/…/layer (once per layer)
Docker Engine:                  IMAGE COMPLETE
Docker CLI    -> Docker Engine: CREATE, then START
To securely download data from the Internet you need to:
A. Connect to a trusted host
B. Deliver the content over a secure channel
C. Send the content you requested
D. Verify the author of the content

The problems and the solutions:
A. Trusted host: HTTPS
B. Secure channel: TLS
C. The content you requested: Content Addressable IDs
D. Author of the content: Signed Images
Downloading and executing software from the Internet is dangerous:
1. Don’t download from untrusted hosts.
   e.g.: `docker pull 52.207.178.113/redis:latest` (a registry identified only by a bare IP, reachable only if the daemon was started with `--insecure-registry`)
2. Don’t download over insecure channels.
   e.g.: `docker pull registry.mycompany.com/redis:latest` with the daemon started with `--insecure-registry registry.mycompany.com` (plain HTTP, or HTTPS without certificate verification)
3. Don’t trust the remote server to look up the content.
   e.g.: `docker pull redis:latest` (a mutable tag; the registry decides which image `latest` means today)
4. Don’t trust content that isn’t signed by the publisher.
   e.g.: `docker pull --disable-content-trust redis:latest`
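Point 3 above is the one a plain `docker pull` by tag cannot protect against: in the manifest/layer exchange shown earlier, the registry’s tag table decides what `redis:latest` resolves to and nothing on the client checks that choice, whereas everything fetched by digest can be checked. The following Python is an added example, not code from the talk or from Docker: it models that exchange with an in-memory stand-in for a v2 registry, verifies a digest-referenced manifest against the hash it was requested by, verifies every layer against the digest its manifest declares, and shows a re-pointed tag and a tampered blob being (or not being) caught. The registry class, repository names and layer contents are constructed.

```python
import hashlib
import json


def digest_of(blob):
    """Content address of a blob in the registry's 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


class FakeRegistry:
    """Constructed stand-in for a Docker Registry v2: an immutable blob store
    keyed by digest plus a mutable tag table that only the server controls."""

    def __init__(self):
        self.blobs = {}   # digest -> bytes (manifests and layers alike)
        self.tags = {}    # (repository, tag) -> manifest digest

    def push(self, repo, tag, layers):
        descriptors = []
        for data in layers:
            d = digest_of(data)
            self.blobs[d] = data
            descriptors.append({"digest": d, "size": len(data)})
        manifest = json.dumps({"schemaVersion": 2, "layers": descriptors},
                              sort_keys=True).encode()
        manifest_digest = digest_of(manifest)
        self.blobs[manifest_digest] = manifest
        self.tags[(repo, tag)] = manifest_digest
        return manifest_digest

    def get_manifest_by_tag(self, repo, tag):
        """GET /v2/<repo>/manifests/<tag>: the server picks the content."""
        return self.blobs[self.tags[(repo, tag)]]

    def get_blob(self, digest):
        """GET /v2/<repo>/blobs/<digest>: content addressed, so checkable."""
        return self.blobs[digest]


def pull(registry, repo, reference):
    """Client side of a pull. A digest reference lets the client verify the
    manifest against the hash it asked for; a tag reference does not, so the
    registry's tag table is trusted. Layers are always checked against the
    digests the manifest declares. Returns (manifest_digest, layers)."""
    if reference.startswith("sha256:"):
        manifest = registry.get_blob(reference)
        if digest_of(manifest) != reference:
            raise ValueError("manifest does not match requested digest")
    else:
        manifest = registry.get_manifest_by_tag(repo, reference)
    layers = []
    for desc in json.loads(manifest.decode())["layers"]:
        data = registry.get_blob(desc["digest"])
        if digest_of(data) != desc["digest"]:
            raise ValueError("layer does not match manifest digest " + desc["digest"])
        layers.append(data)
    return digest_of(manifest), layers


def tag_repoint_demo():
    """Publish redis:latest, then re-point the tag (as a registry compromise or
    a careless publisher would). Pull by tag follows the tag; pull by the
    original digest still returns the original content."""
    reg = FakeRegistry()
    original = reg.push("library/redis", "latest", [b"base layer", b"redis 3.2.4"])
    repointed = reg.push("library/redis", "latest", [b"base layer", b"redis + backdoor"])
    by_tag, _ = pull(reg, "library/redis", "latest")
    by_digest, _ = pull(reg, "library/redis", original)
    return original, repointed, by_tag, by_digest


def layer_tamper_is_detected():
    """Overwrite a layer blob in place; the pull must fail the digest check."""
    reg = FakeRegistry()
    manifest_digest = reg.push("library/redis", "3.2.4", [b"redis 3.2.4"])
    layer_digest = json.loads(reg.blobs[manifest_digest].decode())["layers"][0]["digest"]
    reg.blobs[layer_digest] = b"trojaned layer"
    try:
        pull(reg, "library/redis", manifest_digest)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    original, repointed, by_tag, by_digest = tag_repoint_demo()
    print("pull by tag returned the re-pointed content:", by_tag == repointed)
    print("pull by digest returned the original content:", by_digest == original)
    print("tampered layer rejected:", layer_tamper_is_detected())
```

The asymmetry is the whole point of slide 18’s item C: a layer that is swapped out underneath you fails the digest check whether you pulled by tag or by digest, but only a digest reference lets the client decide what the top-level manifest should be. Signing (item D) is what lets you keep using a human-readable tag and still get that guarantee, which is what the Docker Content Trust output below shows.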
Docker Content Trust
“Content trust gives you the ability to verify both
the integrity and the publisher of all the data
received from a registry over any channel”
WITHOUT TRUST: PULL BY TAG
$ docker pull redis
Using default tag: latest
latest: Pulling from library/redis
6a5a5368e0c2: Pull complete
<...>
2bcdfa1b63bf: Pull complete
Digest: sha256:38e873a...912
Status: Downloaded newer image for redis:latest
WITH TRUST: PULL BY SHA
$ export DOCKER_CONTENT_TRUST=1
$ docker pull redis
Using default tag: latest
Pull (1 of 1): redis:latest@sha256:c4365e...680
sha256:c4365ec...680: Pulling from library/redis
6a5a5368e0c2: Pull complete
<...>
58e3d55f4ce5: Pull complete
Digest: sha256:c4365e...680
Status: Downloaded newer image for redis@sha256:c4365e...680
Tagging redis@sha256:c4365e...680 as redis:latest
DEMO
•Create a signed image
•Run a signed image
•Update the image from an untrusted source
•Pull and run the new image
EXECUTE
Provide a consistent, secure environment
with continuous auditing
Center For Internet Security (CIS) Docker Benchmark, highlights:
• Use AppArmor / SELinux profiles for containers
• Enable kernel auditing (auditd rules) for Docker’s files and directories
• Enable user namespaces (userns-remap)
• Keep /var/lib/docker on a separate partition or volume
• Enable an authorization plugin for the daemon
• Use a centralized log driver
• Prevent registry v1 access (disable-legacy-registry)
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
Docker Bench for Security
https://dockerbench.com/
docker run -it --net host --pid host --cap-add audit_control \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security
Sample output, section 2 (Docker daemon configuration):
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[PASS] 2.3  - Allow Docker to make changes to iptables
[PASS] 2.4  - Do not use insecure registries
[WARN] 2.5  - Do not use the aufs storage driver
[INFO] 2.6  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
[WARN] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
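Docker Bench inspects the running daemon, so it only tells you after a host is up. The section 2 items above that are plain daemon settings can also be checked against /etc/docker/daemon.json before the host is deployed, with the same PASS/WARN/INFO labels. The following Python is an added example, not code from Docker Bench or from the talk. It assumes the daemon is configured only through daemon.json (options passed as dockerd command-line flags are not seen), and the two configurations it ships with are constructed; the authorization plugin name is a placeholder.

```python
import json


def _tls_check(cfg):
    """2.6: a TCP listener must use tlsverify with CA, cert and key configured."""
    hosts = cfg.get("hosts", [])
    if not any(h.startswith("tcp://") for h in hosts):
        return "INFO", "Docker daemon not listening on TCP"
    if cfg.get("tlsverify") and all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        return "PASS", None
    return "WARN", "TCP listener without tlsverify and certificates"


def audit_daemon_config(cfg):
    """Evaluate the CIS Docker Benchmark section 2 items that can be read from
    a daemon.json dict. Returns a list of (id, status, title, detail).
    Assumption: the daemon is configured through daemon.json only; options
    passed as dockerd command-line flags are not visible here."""
    results = []

    def add(cid, ok, title, detail=None, fail="WARN"):
        results.append((cid, "PASS" if ok else fail, title, None if ok else detail))

    add("2.1", cfg.get("icc", True) is False,
        "Restrict network traffic between containers", "icc is enabled by default")
    add("2.2", cfg.get("log-level", "info") == "info", "Set the logging level",
        "log-level is not 'info'")
    add("2.3", cfg.get("iptables", True) is True, "Allow Docker to make changes to iptables",
        "iptables is disabled")
    add("2.4", not cfg.get("insecure-registries"), "Do not use insecure registries",
        "insecure-registries is set")
    if "storage-driver" in cfg:
        add("2.5", cfg["storage-driver"] != "aufs", "Do not use the aufs storage driver",
            "storage-driver is aufs")
    else:
        results.append(("2.5", "INFO", "Do not use the aufs storage driver",
                        "storage-driver not set in daemon.json; check `docker info`"))
    status, detail = _tls_check(cfg)
    results.append(("2.6", status, "Configure TLS authentication for Docker daemon", detail))
    add("2.7", bool(cfg.get("default-ulimits")), "Set default ulimit as appropriate",
        "Default ulimit doesn't appear to be set", fail="INFO")
    add("2.8", bool(cfg.get("userns-remap")), "Enable user namespace support",
        "userns-remap is not set")
    add("2.11", bool(cfg.get("authorization-plugins")), "Use authorization plugin",
        "no authorization-plugins configured")
    add("2.12", cfg.get("log-driver", "json-file") != "json-file",
        "Configure centralized and remote logging", "log-driver is the local json-file default")
    add("2.13", cfg.get("disable-legacy-registry") is True,
        "Disable operations on legacy registry (v1)", "disable-legacy-registry is not true")
    return results


def audit_daemon_json(text):
    """Same audit, from the raw contents of /etc/docker/daemon.json."""
    return audit_daemon_config(json.loads(text))


def warnings(results):
    """IDs of the checks that came back WARN."""
    return [cid for cid, status, _, _ in results if status == "WARN"]


# Constructed examples: an empty daemon.json (all defaults) and a hardened one.
# The plugin name and the ulimit values are placeholders, not recommendations.
DEFAULT_DAEMON_JSON = "{}"
HARDENED_DAEMON_JSON = json.dumps({
    "icc": False,
    "log-level": "info",
    "iptables": True,
    "storage-driver": "overlay2",
    "hosts": ["unix:///var/run/docker.sock"],
    "default-ulimits": {"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}},
    "userns-remap": "default",
    "authorization-plugins": ["example-authz-plugin"],
    "log-driver": "syslog",
    "disable-legacy-registry": True,
})

if __name__ == "__main__":
    for cid, status, title, detail in audit_daemon_json(DEFAULT_DAEMON_JSON):
        print("[%s] %-4s - %s" % (status, cid, title))
        if detail:
            print("[%s]      * %s" % (status, detail))
```

An empty daemon.json reproduces the WARN set from the output above on 2.1, 2.8, 2.11, 2.12 and 2.13 (2.5 is reported as INFO here because the driver choice is only visible from `docker info`); the hardened configuration clears every WARN, with 2.6 left as INFO because the daemon listens on the Unix socket only. Checks that need the live host (2.9, 2.10, and any flag given on the dockerd command line) remain Docker Bench’s job.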
Review
☑ Choose images carefully
☑ Read the Dockerfile and scan the image
☑ Enable Docker Content Trust
☑ Run Docker Benchmark for Security

More Related Content

What's hot

Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XJérôme Petazzoni
 
Docker 101 @KACST Saudi HPC 2016
Docker 101  @KACST Saudi HPC 2016Docker 101  @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016Walid Shaari
 
Architecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsArchitecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsBen Hall
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerJérôme Petazzoni
 
How to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker ComposeHow to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker ComposeEvoke Technologies
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 Docker, Inc.
 
Docker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker EcosystemDocker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker EcosystemVan Phuc
 
Docker - The Linux Container
Docker - The Linux ContainerDocker - The Linux Container
Docker - The Linux ContainerBalaji Rajan
 
Hide your development environment and application in a container
Hide your development environment and application in a containerHide your development environment and application in a container
Hide your development environment and application in a containerJohan Janssen
 
Docker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupDocker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupdotCloud
 
Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)bridgetkromhout
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Jérôme Petazzoni
 
Docker, the Future of DevOps
Docker, the Future of DevOpsDocker, the Future of DevOps
Docker, the Future of DevOpsandersjanmyr
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochranedotCloud
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Arun prasath
 
Dockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at TwilioDockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at TwiliodotCloud
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Jérôme Petazzoni
 
Docker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupJérôme Petazzoni
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureJérôme Petazzoni
 

What's hot (20)

Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12X
 
Docker 101 @KACST Saudi HPC 2016
Docker 101  @KACST Saudi HPC 2016Docker 101  @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016
 
Architecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsArchitecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based Deployments
 
Introduction To Docker
Introduction To DockerIntroduction To Docker
Introduction To Docker
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with Docker
 
How to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker ComposeHow to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker Compose
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
 
Docker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker EcosystemDocker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker Ecosystem
 
Docker - The Linux Container
Docker - The Linux ContainerDocker - The Linux Container
Docker - The Linux Container
 
Hide your development environment and application in a container
Hide your development environment and application in a containerHide your development environment and application in a container
Hide your development environment and application in a container
 
Docker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupDocker presentation | Paris Docker Meetup
Docker presentation | Paris Docker Meetup
 
Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
 
Docker, the Future of DevOps
Docker, the Future of DevOpsDocker, the Future of DevOps
Docker, the Future of DevOps
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
 
Dockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at TwilioDockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at Twilio
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
 
Docker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing Meetup
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and Azure
 

Similar to Solving Real World Production Problems with Docker

Up and running with docker
Up and running with dockerUp and running with docker
Up and running with dockerMichelle Liu
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline  DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline Docker, Inc.
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
Package your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and KubernetesPackage your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and KubernetesArun Gupta
 
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...Puppet
 
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...Docker, Inc.
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDocker, Inc.
 
[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101Naukri.com
 
Docker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualizationDocker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualizationSuresh Balla
 
Running the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerRunning the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerGuido Schmutz
 
Oracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with DockerOracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with DockerGuatemala User Group
 
Cohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel PalstraCohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel PalstraDaniel Palstra
 
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...Ambassador Labs
 

Similar to Solving Real World Production Problems with Docker (20)

Up and running with docker
Up and running with dockerUp and running with docker
Up and running with docker
 
Let's dockerize
Let's dockerizeLet's dockerize
Let's dockerize
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline  DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
Docker
DockerDocker
Docker
 
Package your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and KubernetesPackage your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and Kubernetes
 
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
 
Docker
DockerDocker
Docker
 
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
 
[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101
 
Docker lxc win
Docker lxc winDocker lxc win
Docker lxc win
 
Docker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualizationDocker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualization
 
Running the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerRunning the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker Container
 
Oracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with DockerOracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with Docker
 
Docker intro
Docker introDocker intro
Docker intro
 
Cohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel PalstraCohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel Palstra
 
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
 
The Docker Ecosystem
The Docker EcosystemThe Docker Ecosystem
The Docker Ecosystem
 

Recently uploaded

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Recently uploaded (20)

Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Solving Real World Production Problems with Docker

  • 1. SOLVING REAL WORLD PRODUCTION PROBLEMS WITH DOCKER OCTOBER 11TH, 2016 DOCKER MEETUP, LOS ANGELES
  • 3. GOALS • Review Docker features that enable a more reliable, secure production environment • Present a secure build-deliver-execute process that includes Docker in production • Provide solutions you can start using today
  • 4. “The only difference between a process in a container and a process not in a container is a few labels on top of a process that say ‘this is in container X’” Jérôme Petazzoni, Docker July 06, 2015
  • 7. BUILD DELIVER EXECUTE BUILD Choosing and creating container images that will run in your production environment.
  • 8. THREE DIFFERENT ROLES, EQUALLY IMPORTANT Operations Development Security Does it work? Can it be supported? Can it be safely run? Is it Elasticsearch? I don’t want “elasticsearch-like”, I want Elasticsearch and I want version 2.4.1. Will it send alerts when it breaks? Does it support zero-downtime upgrades? There are 2,532 Elasticsearch containers in DockerHub. Why this one? BUILD DELIVER EXECUTE
  • 9. • Development images do not have to be the same as production images • Prefer library (official) images when possible BUILD DELIVER EXECUTE • Always look at the Dockerfile, regardless of pull count • Be cautious when bind mounting the docker.sock file
  • 11. Best practices - whitelist (or choose) base images - don’t trust “pull count” from DockerHub, find and read the dockerfile - use the most specific tag possible
 redis:sha256@abc > redis:3.2.4 > redis:3.2 > redis:3 > redis:latest - adopt a tagging pattern for your own images - use security scanning (coreos clair or dockerhub) - use docker content trust BUILD DELIVER EXECUTE
  • 12. Monitor images with DockerHub Security Scanning or CoreOS Clair The current nginx container on DockerHub has: 13 Critical CVEs 23 Major CVEs Including 1 CRITICAL OpenSSL CVE BUILD DELIVER EXECUTE
  • 14. DELIVER Ensure the images you want to run are the images you are running BUILD DELIVER EXECUTE
  • 15. I typed `docker run redis`, so now I’m running redis… right? …right???
  • 16. What happens when you type `docker run redis`:
    docker run redis → does the redis:latest image exist locally?
      - NO → pull redis:latest, then create the redis container
      - YES → create the redis container
    → start the redis container
  • 17. The same `docker run redis` as the exchange between the Docker CLI, the Docker Engine and Docker Hub (trust boundaries lie between each of the three):
    Docker CLI → Docker Engine: CREATE
    Docker Engine: no image locally → PULL
    Docker Engine → Docker Hub: GET /v2
    Docker Engine: parse header
    Docker Hub → Docker Engine: 401 auth required
    Docker Engine → Docker Hub: POST /login
    Docker Engine → Docker Hub: GET /v2/…/manifest
    Docker Engine → Docker Hub: GET /v2/…/layer
    Docker Engine: image complete → CREATE → START
  • 18. To securely download data from the Internet, the problems and the solutions:
    A. Connect to a trusted host → HTTPS
    B. Deliver the content over a secure channel → TLS
    C. Send the content you requested → Content-addressable IDs
    D. Verify the author of the content → Signed images
  • 19. Downloading and executing software from the Internet is dangerous
    1. Don’t download from untrusted hosts. e.g.: `docker pull [--insecure-registry] 52.207.178.113/redis:latest`
    2. Don’t download on insecure channels. e.g.: `docker pull [--insecure-registry] registry.mycompany.com/redis:latest`
    3. Don’t trust the remote server to look up the content. e.g.: `docker pull redis:latest`
    4. Don’t trust content that isn’t signed by the publisher. e.g.: `docker pull --disable-content-trust redis:latest`
  • 20. Docker Content Trust: “Content trust gives you the ability to verify both the integrity and the publisher of all the data received from a registry over any channel”
  • 21. WITHOUT TRUST: PULL BY TAG
    $ docker pull redis
    Using default tag: latest
    latest: Pulling from library/redis
    6a5a5368e0c2: Pull complete
    <...>
    2bcdfa1b63bf: Pull complete
    Digest: sha256:38e873a...912
    Status: Downloaded newer image for redis:latest
  • 22. WITH TRUST: PULL BY SHA
    $ export DOCKER_CONTENT_TRUST=1
    $ docker pull redis
    Using default tag: latest
    Pull (1 of 1): redis:latest@sha256:c4365e...680
    sha256:c4365ec...680: Pulling from library/redis
    6a5a5368e0c2: Pull complete
    <...>
    58e3d55f4ce5: Pull complete
    Digest: sha256:c4365e...680
    Status: Downloaded newer image for redis@sha256:c4365e...680
    Tagging redis@sha256:c4365e...680 as redis:latest
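A policy check for the pull-by-tag versus pull-by-digest point of slides 16 to 22, as an added example (Python, not code from the talk or from Docker): the digest and the pull transcript are constructed samples, and `parse_reference`, `specificity` and `verify_pull` are names chosen here.

```python
"""Pull what you meant to pull (the talk's DELIVER section). Added example,
not code from the talk or from Docker: ranks references by the talk's order
(digest > 3.2.4 > 3.2 > 3 > latest) and checks that the digest `docker pull`
reports matches one pinned in advance."""
import re

# name[:tag][@sha256:hex]; registry host:port is deliberately out of scope.
_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
_DIGEST_LINE = re.compile(r"^Digest: (sha256:[0-9a-f]{64})$", re.MULTILINE)

def parse_reference(ref):
    """Split an image reference; a bare name means ':latest' (slide 16)."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"not an image reference: {ref!r}")
    parts = m.groupdict()
    if parts["tag"] is None and parts["digest"] is None:
        parts["tag"] = "latest"
    return parts

def specificity(ref):
    """0 = latest, 1 = major or non-numeric tag, 2 = minor, 3 = patch, 4 = digest."""
    parts = parse_reference(ref)
    if parts["digest"]:
        return 4
    if parts["tag"] == "latest":
        return 0
    components = parts["tag"].split(".")
    if all(c.isdigit() for c in components):
        return min(len(components), 3)
    return 1  # e.g. 'alpine': better than latest, but not pinned to a version

def verify_pull(pull_output, pinned_digest):
    """True only if the 'Digest:' line in `docker pull` output equals the pin."""
    m = _DIGEST_LINE.search(pull_output)
    return m is not None and m.group(1) == pinned_digest

# Constructed sample in the shape of slide 22's output, with a made-up digest.
SAMPLE_DIGEST = "sha256:" + "c4365e" + "0" * 55 + "680"
SAMPLE_PULL = (
    f"Pull (1 of 1): redis:latest@{SAMPLE_DIGEST}\n"
    f"Digest: {SAMPLE_DIGEST}\n"
    f"Status: Downloaded newer image for redis@{SAMPLE_DIGEST}\n"
)
```

In a pipeline, refuse references scoring below 3 and compare the `Digest:` line of the real pull against the digest recorded when the image was approved.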
  • 23. DEMO
    • Create a signed image
    • Run a signed image
    • Update the image from an untrusted source
    • Pull and run the new image
  • 25. EXECUTE: Provide a consistent, secure environment with continuous auditing.
  • 26. Center for Internet Security (CIS) Docker benchmark recommendations:
    • Use AppArmor / SELinux
    • Enable kernel auditing
    • User namespaces
    • /var/lib/docker volume
    • Enable an authorization plugin
    • Use a centralized log driver
    • Prevent registry v1 access
    https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
  • 27. Docker Bench for Security (https://dockerbench.com/)
    docker run -it --net host --pid host --cap-add audit_control \
      -v /var/lib:/var/lib \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /usr/lib/systemd:/usr/lib/systemd \
      -v /etc:/etc \
      --label docker_bench_security \
      docker/docker-bench-security
  • 28. Docker Bench for Security output, section 2 (Docker daemon configuration):
    [WARN] 2.1 - Restrict network traffic between containers
    [PASS] 2.2 - Set the logging level
    [PASS] 2.3 - Allow Docker to make changes to iptables
    [PASS] 2.4 - Do not use insecure registries
    [WARN] 2.5 - Do not use the aufs storage driver
    [INFO] 2.6 - Configure TLS authentication for Docker daemon
    [INFO]     * Docker daemon not listening on TCP
    [INFO] 2.7 - Set default ulimit as appropriate
    [INFO]     * Default ulimit doesn't appear to be set
    [WARN] 2.8 - Enable user namespace support
    [PASS] 2.9 - Confirm default cgroup usage
    [PASS] 2.10 - Do not change base device size until needed
    [WARN] 2.11 - Use authorization plugin
    [WARN] 2.12 - Configure centralized and remote logging
    [WARN] 2.13 - Disable operations on legacy registry (v1)
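An added example (Python, not code from the talk or from the docker-bench project) that turns the slide 28 output into a pipeline gate; the sample output is constructed from the results shown on the slide, and `parse_bench`, `status_counts` and `failing_checks` are names chosen here.

```python
"""Gate a pipeline on docker-bench-security results (slide 28). Added example,
not code from the talk or the docker-bench project: parses the bench's
[PASS]/[WARN]/[INFO] lines and lists required checks that did not PASS,
treating a missing check the same as a failing one."""
import re

_CHECK = re.compile(r"^\[(?P<status>PASS|WARN|INFO|NOTE)\]\s+(?P<id>\d+\.\d+)\s+-\s+(?P<title>.+)$")
_DETAIL = re.compile(r"^\[(?:PASS|WARN|INFO|NOTE)\]\s+\*\s+(?P<text>.+)$")

def parse_bench(output):
    """Map check id -> {'status', 'title', 'details'} from bench output."""
    checks, current = {}, None
    for line in output.splitlines():
        m = _CHECK.match(line)
        if m:
            current = m.group("id")
            checks[current] = {"status": m.group("status"), "title": m.group("title"), "details": []}
        elif (d := _DETAIL.match(line)) and current:  # '* ...' lines belong to the check above
            checks[current]["details"].append(d.group("text"))
    return checks

def status_counts(output):
    counts = {}
    for check in parse_bench(output).values():
        counts[check["status"]] = counts.get(check["status"], 0) + 1
    return counts

def failing_checks(output, required):
    """Required check ids that are absent or not PASS, in numeric order."""
    checks = parse_bench(output)
    bad = [i for i in required if checks.get(i, {}).get("status") != "PASS"]
    return sorted(bad, key=lambda i: tuple(int(p) for p in i.split(".")))

# Constructed sample reproducing the section-2 results shown on slide 28.
SAMPLE_OUTPUT = """\
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[PASS] 2.3  - Allow Docker to make changes to iptables
[PASS] 2.4  - Do not use insecure registries
[WARN] 2.5  - Do not use the aufs storage driver
[INFO] 2.6  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
[WARN] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
"""
```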
  • 29. Review
    ☑ Choose images carefully
    ☑ Scan your Dockerfiles
    ☑ Enable Docker Content Trust
    ☑ Run Docker Benchmark for Security