Docker Roadshow 2016
Posted on 16-Apr-2017
Docker and the Modern Application Platform
Marc Verstaen, EVP Product Development
The application landscape is changing
~2000: monolithic applications on big servers, slow changing
Today: loosely coupled services on many small servers or devices, rapidly updated
Environments in the diagram: Contributor's Laptop, Development VM, QA Server, Production Servers, Production Cluster, Data Center, Public Cloud, Disaster Recovery
Containers are the catalyst
Example application components: Static Website, Web Front End, Background Workers, User DB, Analytics DB, Queue, API Endpoint
Docker driving the containerization movement
60% of Docker users are already running in production
Companies (500+ employees) running container technology in production
Sources: Docker Survey: State of Applications, Q1 2016; ClusterHQ: State of Container Usage, June 2016
At the center of enterprise IT transformation
80% say Docker is central to their cloud strategy
3 out of 4 top initiatives revolve around applications: App Modernization, DevOps, Cloud
44% looking to adopt DevOps
Source: Docker Survey: State of App Development, Q1 2016
Docker delivers innovation, speed and savings
Agility + Portability + Control
13X more software releases
62% report a reduction in MTTR
10X cost reduction in maintaining existing applications
Eliminate "works on my machine" issues
41% move workloads across private/public clouds
65% reduction in developer onboarding time
Sources: State of App Development Survey, Q1 2016; Cornell University case study
Docker Containers as a Service
(diagram: Cloud Zone 1, Cloud Zone 2, Data Center, Development Center, Headquarters)
Docker aims to build a programmable layer for the internet to connect your global supply chain
Build, ship and run any application anywhere
The enterprise software supply chain is global
Enterprise IT is hybrid apps and infrastructure
• 80% looking to Docker to enable hybrid cloud initiatives
• Public cloud adoption expected to increase to 30% by 2017
• 46% plan to build new microservices
Sources: x86 server operating systems worldwide; Docker State of App Development Survey, Q1 2016; Morgan Stanley CIO Survey, June 30, 2016; study of Gartner reports re: x86 shipments
Docker enables a new workflow with Containers as a Service
DEVELOPERS -> IT OPERATIONS
BUILD: Development Environments
SHIP: Secure Content & Collaboration
RUN: Deploy, Manage, Scale
Docker CaaS platform is flexible, pluggable and portable
Docker Datacenter stack (diagram):
• Docker Universal Control Plane, with Integrated Security
• Docker Trusted Registry
• Docker Engine: container runtime, orchestration, networking, volumes, plugins
Pluggable integrations: Operating Systems, Config Mgt, Monitoring, Logging, CI/CD, Images, Networking, Volumes, ..more..
Runs on: Virtualization, Public Cloud, Physical
One platform and one journey for all applications
1. Containerize Legacy Applications: lift and shift for portability and efficiency
2. Transform Legacy to Microservices: look for shared services to transform
3. Accelerate New Applications: greenfield innovation
• Servers ship with Docker Commercial Engine/Support
• Docker Datacenter available through all HPE channels
• Integrated Solution with Hardware, Software, Support, and Services
Docker Datacenter
Steven Thwaites, Solutions Engineer
Docker Datacenter workflow
BUILD (Developers): Docker for Mac, Docker for Windows
SHIP: Docker Trusted Registry, Docker Content Trust
RUN (IT Operations): Universal Control Plane
Docker Datacenter core values
Agility + Portability + Control
• Extends the Docker developer experience to production
• Easy to set up and use
• Native Docker solution
• Ease of management at scale
• Integrated security and policy for content and access (RBAC)
• Integrates with existing systems
• Full support of Docker API
• Seamless dev to prod workflow
• Infrastructure, network and storage portability
Key use cases for Docker Datacenter
• Cloud: Cloud Migration, Hybrid Cloud, Multi-Cloud
• Microservices: Containerization, Microservices
• App Modernization
• DevOps: CI/CD, Self Service
Portability: Frictionless across environments
Dev -> Test / QA -> Staging -> Production
Same code in dev runs unchanged in every environment: container, network and storage portability (Services, Networks, Volumes)
Control: Orchestration and integrations at scale
Universal Control Plane: High Availability, Access Control, 3rd Party Plugins, Swarm Managed, GUI Management, Docker Native Integration, Monitoring
Control: Ease of use and management
• Quick and easy to deploy
• Easy GUI based configurations
• Simple and non-disruptive upgrades
• Intuitive GUI and dashboards
• Point and click, search and browse
• Support for Docker CLI and Toolbox
Control: Easy to deploy and use
Control: Granular control of applications
Manage Compose apps
• Start, stop or delete Compose apps
• Click to inspect individual containers
Manage Containers
• Start, stop, destroy or rename
• Scale number of containers
• View details, stats, logs
• Use console to log into a container
Control: Secure Runtime Access
Set up options
• LDAP/AD support
• Built-in
Granular RBAC
• Users and Teams
• Roles
• Permission labels
User Experience
• Single sign on
Control: Unified Authentication Service
eNZi authentication service (diagram: UCP, DTR, LDAP/AD and an External CA around eNZi)
• Provides shared authentication for the entire DDC stack
• Install/configure with UCP (including HA replication)
• Users created in UCP show up in DTR and vice-versa
• Streamlined UCP and DTR setup for SSO
Control: Secure Image Collaboration
Trusted Registry architecture (diagram): Web UI and CLI clients; Admin Server; Authorization Server backed by LDAP/AD; Registry Service with Content Trust (Notary Server); Image Repos on Storage; Log Aggregator collecting Logs
Control: Integrated Content Trust
Spans the BUILD -> SHIP -> RUN workflow (Developers through IT Operations)
• Library of signed and trusted images
• Enforce use of only trusted images
Control: Granular Image Management
• Search and browse repos
• RBAC by repo
  – Users, Teams, Orgs
  – Read, Read-Write, Admin
• Garbage collection
• Integrated Content Trust
Docker Datacenter Subscription
Both tiers include Docker Universal Control Plane, Docker Trusted Registry and Docker Engine.
• Business Day Support: $1,500 /node/year
• Business Critical Support: $3,000 /node/year
Value of a Docker Subscription
• Validated Configurations
• Enterprise Class Support with SLAs and hotfixes
• Docker Universal Control Plane
• Docker Trusted Registry (Integrated Docker Content Trust)
• Commercially Supported Docker Engine
• Integrations and API Support
Value of Docker Subscription
Official Technical Support
• Dedicated support engineers and SLAs
• Only available from Docker and IBM
Secure
• Address vulnerabilities
• Hotfixes
Stable
• Predictable release cadence
• Long supported versions
• Backport defect fixes
Integrations and API Support
• Docker native toolset
• Access to the broadest ecosystem
Validated Configurations
• Validated operating systems, configurations and interoperability
Direct Product Roadmap Ownership
• Directly responsible for proprietary and open source product roadmap
Secure the Enterprise Software Lifecycle with Docker
Diogo Monica, Security Lead
Software supply chain: source/dependencies -> build systems/engineers -> network -> application -> repository -> deployed systems
Identity
IMAGE: name alpine:3.4, sha256 ea08...950, ID f70c828098f5, expires 2019-06-20
USER: name user, org organization
DOCKER HOST: name node-1, ID 9j1kxp7cd1z...22c (*manager), expires 2016-06-21
ID: 58slx2ra5qiee92n4uf56ocvf
Consistent builds (supply chain stages: source/dependencies, build systems/engineers)
Consistent Builds: good input = good output
Application signing (supply chain stage: network)
Docker Content Trust
Security: Trusted image chaining
Add an image layer, sign it, then push the image to the private registry. Continue until complete, for a trusted chain of image layers.
debian:jessie -> pypy:3 -> user/p​ypybase:latest -> user/myapp:latest (additional libraries, then the pypy3 Django app)
Security Scanning and Gating (supply chain stages: application, repository)
Docker Security Scanning Architecture
Trusted image chaining with signing
Add an image layer, sign it, security scan it, then push the image to the private registry. Continue until complete, for a trusted chain of image layers. A security BOM now exists for each image tag.
debian:jessie -> pypy:3 -> user/pypybase:latest -> user/myapp:latest (additional libraries, then the pypy3 Django app)
Threshold signing and gating
Pipeline: CI -> Security Scanning -> Staging -> Production, each stage running on UCP Workers under a UCP Manager
Each stage signs the image to "approve" it as passing; a policy checks for the required signatures before deployment.
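The gate those two sentences describe, as an added example that is not Docker's or Notary's code: a Go deployment check that reads signing data in the shape `docker trust inspect <repo>` prints on later Docker releases (an array with one entry per repository, each tag listing its digest and signers) and admits a tag into a stage only when at least a threshold of the signers that stage recognises have signed it, for exactly the digest about to be deployed. The repository name, tags, digests, signer names and stage policies below are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// trustReport mirrors the shape of `docker trust inspect <repo>` output: an
// array with one element per repository. Only the fields the gate needs are
// declared; encoding/json ignores the rest.
type trustReport struct {
	Name       string `json:"Name"`
	SignedTags []struct {
		SignedTag string   `json:"SignedTag"`
		Digest    string   `json:"Digest"`
		Signers   []string `json:"Signers"`
	} `json:"SignedTags"`
}

// StagePolicy names the signers whose approval a stage recognises and how
// many of them must have signed. Threshold == len(Signers) means everyone;
// a smaller Threshold gives k-of-n approval.
type StagePolicy struct {
	Stage     string
	Signers   []string
	Threshold int
}

// Gate returns nil when tag is signed for exactly expectedDigest by at least
// policy.Threshold of policy.Signers. Unsigned tags, unknown signers and a
// digest that differs from the one signed are all refusals.
func Gate(trustJSON []byte, tag, expectedDigest string, policy StagePolicy) error {
	var repos []trustReport
	if err := json.Unmarshal(trustJSON, &repos); err != nil {
		return fmt.Errorf("%s: cannot parse trust data: %w", policy.Stage, err)
	}
	for _, repo := range repos {
		for _, st := range repo.SignedTags {
			if st.SignedTag != tag {
				continue
			}
			// Deploy what was signed, not whatever the tag resolves to now.
			if st.Digest != expectedDigest {
				return fmt.Errorf("%s: %s:%s was signed for digest %s, deployment asked for %s",
					policy.Stage, repo.Name, tag, st.Digest, expectedDigest)
			}
			signed := make(map[string]bool, len(st.Signers))
			for _, s := range st.Signers {
				signed[s] = true
			}
			approvals := 0
			for _, s := range policy.Signers {
				if signed[s] {
					approvals++
				}
			}
			if approvals < policy.Threshold {
				return fmt.Errorf("%s: %s:%s has %d of %d required approvals (signed by %v)",
					policy.Stage, repo.Name, tag, approvals, policy.Threshold, st.Signers)
			}
			return nil
		}
	}
	return fmt.Errorf("%s: no trust data for tag %q; refusing to deploy an unsigned image", policy.Stage, tag)
}

// Constructed digests and trust data in the `docker trust inspect` shape.
const (
	Digest142 = "4f3a0c11d8e7f6b5a49382716051f2e3d4c5b6a7980f1e2d3c4b5a6978877665"
	Digest141 = "b1c2d3e4f50617283940a5b6c7d8e9f00112233445566778899aabbccddeeff0"
)

const sampleTrust = `[{
  "Name": "dtr.example.internal/user/myapp",
  "SignedTags": [
    {"SignedTag": "1.4.2", "Digest": "` + Digest142 + `", "Signers": ["ci", "security"]},
    {"SignedTag": "1.4.1", "Digest": "` + Digest141 + `", "Signers": ["ci", "security", "staging"]}
  ]
}]`

// Each stage recognises the signers that approve the stages before it.
var (
	StagingPolicy    = StagePolicy{Stage: "staging", Signers: []string{"ci", "security"}, Threshold: 2}
	ProductionPolicy = StagePolicy{Stage: "production", Signers: []string{"ci", "security", "staging"}, Threshold: 3}
)

func main() {
	requests := []struct {
		tag, digest string
		policy      StagePolicy
	}{
		{"1.4.2", Digest142, StagingPolicy},
		{"1.4.2", Digest142, ProductionPolicy}, // staging has not signed yet
		{"1.4.1", Digest141, ProductionPolicy},
		{"1.4.1", Digest142, ProductionPolicy}, // tag and digest do not match
	}
	for _, r := range requests {
		if err := Gate([]byte(sampleTrust), r.tag, r.digest, r.policy); err != nil {
			fmt.Println("DENY ", err)
			continue
		}
		fmt.Printf("ALLOW %s@%s -> %s\n", r.tag, r.digest[:12], r.policy.Stage)
	}
}
```

Pinning to the signed digest is what makes the signature mean anything at deploy time: a tag is mutable, so checking "the tag has signatures" without comparing the digest would let a later, unsigned push of the same tag ride on earlier approvals.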
deployed systems
Orchestration
$ docker run -it --net host --pid host --cap-add audit_control ... docker/docker-bench-security
[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[PASS] 1.5 - Keep Docker up to date
[INFO] * Using 1.12.04 which is current as of 2016-08-16
[INFO] * Check with your operating system vendor for support and security maintenance for docker
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO] * docker:x:999:docker
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO] * File not found
[INFO] 1.11 - Audit Docker files and directories - docker.socket
[INFO] * File not found
...
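Bench output like the above is only useful in a pipeline if it is parsed and compared against what has already been reviewed. As an added example, not part of docker-bench-security, the Go code below turns the bench's line format into findings and reports only the WARN lines that are not in an accepted baseline, so a CI job fails on regressions rather than on every known deviation. The output excerpt and the baseline below are constructed, not taken from a real host.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one scored line of docker-bench-security output.
type Finding struct {
	Level string // INFO, WARN, PASS or NOTE
	ID    string // check number, e.g. "1.1"
	Title string
}

// checkLine matches "[LEVEL] <id> - <title>". The "* ..." detail lines that
// follow a check carry no ID and are deliberately left unmatched.
var checkLine = regexp.MustCompile(`^\[(INFO|WARN|PASS|NOTE)\] (\d+(?:\.\d+)*) - (.*)$`)

// ParseBench turns raw bench output into findings, in the order printed.
func ParseBench(out string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(out, "\n") {
		m := checkLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		findings = append(findings, Finding{Level: m[1], ID: m[2], Title: m[3]})
	}
	return findings
}

// NewWarnings returns the WARN findings whose IDs are not in baseline. The
// baseline maps an accepted check ID to the documented reason for accepting it.
func NewWarnings(findings []Finding, baseline map[string]string) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Level != "WARN" {
			continue
		}
		if _, accepted := baseline[f.ID]; accepted {
			continue
		}
		out = append(out, f)
	}
	return out
}

// Constructed excerpt in the bench's line format (not a real host's output).
const sampleBench = `[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.5 - Keep Docker up to date
[INFO] * Using 1.12.0 which is current as of 2016-08-16
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO] * File not found
[WARN] 2.1 - Restrict network traffic between containers
`

// Constructed baseline: warnings already reviewed, with the reason they stand.
var acceptedWarnings = map[string]string{
	"1.7": "auditd is not installed on the minimal host image; audit rules are managed elsewhere",
	"1.8": "same as 1.7",
}

func main() {
	regressions := NewWarnings(ParseBench(sampleBench), acceptedWarnings)
	for _, f := range regressions {
		fmt.Printf("NEW WARN %s - %s\n", f.ID, f.Title)
	}
	if len(regressions) > 0 {
		fmt.Printf("%d unaccepted warnings; fail the build\n", len(regressions))
	}
}
```

Keeping the reason next to each accepted ID matters more than the parsing: the baseline is the audit trail for why a host deviates from the benchmark, and a reviewer can re-check it when the bench version or the host image changes.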
• Docker 1.12 with built-in orchestration (clustering and scheduling)
• Strong default cluster security
Secure Cluster Management: Mutual TLS by default
• Leader acts as CA.
• Any Manager can be promoted to leader.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.
Support for External CAs and Automatic Rotation
• Managers support BYO CA: CSRs are forwarded to the external CA.
• Customizable certificate rotation periods; rotation occurs automatically.
• Ensures potentially compromised or leaked certificates are rotated out of use.
• Whitelist of currently valid certificates.
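An added example of the identity scheme these bullets describe, written for this page and not taken from Docker or swarmkit: a toy cluster CA in Go (standard library crypto/x509 only) that issues node certificates with the node ID in CN, the role in OU and the cluster ID in O, verifies a peer certificate the way a manager would at the mutual TLS handshake, and keeps a whitelist of serials so that a certificate rotated out after a suspected leak stops being accepted even though it has not expired. Two assumptions differ from swarm mode: the CA generates the node key itself instead of signing a CSR the node sends, and all cluster and node IDs are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Swarm node certificates carry the node ID in CN, the role in OU and the
// cluster ID in O; this example follows that layout. All IDs are constructed.
const RoleManager, RoleWorker = "swarm-manager", "swarm-worker"

// ClusterCA stands in for the leader acting as CA; valid is its whitelist of serials.
type ClusterCA struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	valid map[string]bool
}

// sign issues tmpl under a fresh P-256 key with a random serial; self-signed when parent is nil.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewClusterCA(clusterID string) (*ClusterCA, error) {
	cert, key, err := sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "swarm-ca", Organization: []string{clusterID}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &ClusterCA{cert: cert, key: key, valid: map[string]bool{}}, nil
}

// IssueNodeCert signs a short-lived node certificate and whitelists its serial.
func (ca *ClusterCA) IssueNodeCert(nodeID, role string, validity time.Duration) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		Subject:   pkix.Name{CommonName: nodeID, OrganizationalUnit: []string{role}, Organization: ca.cert.Subject.Organization},
		NotBefore: time.Now().Add(-time.Minute),
		NotAfter:  time.Now().Add(validity),
	}, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	ca.valid[cert.SerialNumber.String()] = true
	return cert, nil
}

// Revoke drops a certificate from the whitelist (rotation, or a suspected leak).
func (ca *ClusterCA) Revoke(cert *x509.Certificate) { delete(ca.valid, cert.SerialNumber.String()) }

// VerifyPeer is the check a manager applies to the certificate a peer presents in the mutual
// TLS handshake: chains to this CA, names this cluster (matters when one external CA serves
// several swarms), carries the expected role and is still whitelisted. It returns the node ID.
func (ca *ClusterCA) VerifyPeer(cert *x509.Certificate, wantRole string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err // unknown CA, expired or not yet valid
	}
	s := cert.Subject
	if len(s.Organization) != 1 || s.Organization[0] != ca.cert.Subject.Organization[0] ||
		len(s.OrganizationalUnit) != 1 || s.OrganizationalUnit[0] != wantRole {
		return "", fmt.Errorf("subject %v is not a %s of this cluster", s, wantRole)
	}
	if !ca.valid[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %s has been rotated out", cert.SerialNumber)
	}
	return s.CommonName, nil
}

func main() {
	ca, _ := NewClusterCA("constructed-cluster-id")
	mgr, _ := ca.IssueNodeCert("node-1", RoleManager, 90*24*time.Hour)
	fmt.Println(ca.VerifyPeer(mgr, RoleManager)) // node-1 <nil>
}
```

The role check is the part worth copying: chain validation alone proves the peer holds a certificate from the cluster CA, but a worker's certificate must still not be accepted where a manager is expected, and a whitelist lets the leader stop honouring a certificate immediately instead of waiting for it to expire.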