Patrick Chanezon, Docker Inc.@chanezon

Developing and deploying Java & Linux on Azure with Docker

March 2017

French

Polyglot

Platforms

Software Plumber

San Francisco

Developer Relations

@chanezon

PublicHybridPrivate

Ops Devops Developers

Linux Container Ecosystem

glusterfs

weavecalicomidokuracisconuage

Cloud

OS

Plugins

Orchestration

Docker

The world needstools of mass innovation

A programmable Internet would be the ultimate tool of mass innovation

A commercial product,

built ona development platform,

built oninfrastructure,

built onstandards.

Docker is building a stack to program the Internet

Docker Platform

Docker Platform constituencies

Many purposes, users and infrastructure

Today

Developer Community

Need to experiment and innovate with leading edge tech

Ops Community Enterprise Partner

Ecosystem

Run business critical apps at scale

anywhere

Extend and add value to a platform

with a shared path to monetization

Need a predictable system to deploy

and run apps

The Docker Platform

Developers Ops Enterprise Ecosystem

ONE PLATFORMFor Developers and ITFor Linux and Windows

On Premises and in the CloudTraditional Homegrown, Commercial ISV, Microservices

Docker Community Edition (CE) Docker Enterprise Edition (EE)

Docker Certified Docker Store

Docker Enterprise Edition (EE) and Community Edition (CE)

• Free Docker platform for “do it yourself” dev and ops

• Monthly Edge release with latest features for developers

• Quarterly release with maintenance for ops

Community Edition (CE)Enterprise Edition (EE)

• CaaS enabled platform subscription (integrated container orchestration, management and security)

• Enterprise class support• Quarterly releases, supported for one

year each with backported patches and hotfixes.

• Certified Infrastructure, Plugins, Containers

What is a Docker Edition

Making things simple for a great user experience

Virtual Network VMSS

Blob Storage Azure LB ARM

AAD

Enterprises need support and assurances

NEW Certification program for Infrastructure, Plugins and Containers

Infrastructure

Platform Community EditionEnterprise Edition

Docker Certified Launch Partners

Docker Store

• A commercial marketplace for partners and customers

• Publishers gain instant access to Docker users with product delivery in containers

• Customers gain ability to search, browse, purchase and manage from a single UX

Docker EE Subscription Tiers

EE Basic EE Standard(Docker Datacenter)

EE Advanced

CaaS enabled platform x x x

Container engine and built in orchestration, networking, security

x x x

Docker Certified Infra, Plugins and ISV Containers

x x x

Image management With private registry, caching

x x

Integrated container app management x x

Multi-tenancy with RBAC, LDAP/AD x x

Integrated secrets mgmt, image signing, policy

x x

Image security scanning and continuous vulnerability monitoring

x

Doc

ker D

atac

ente

r

CaaS is the modern software supply chain framework

Isolation using Linux kernel featuresnamespaces pid mnt net uts ipc user

cgroups memory cpu blkio devices

Union File Systems & Image Layers

Swarm mode

Service API

Cryptographic node identity

Built-in routing mesh

Docker built-in orchestration

What’s New in Docker 17.03• Docker EE and CE• Compose file support for Swarm mode service deployment

• docker stack deploy --compose-file=docker-compose.yml my_stack• Secrets Management• System commands

• docker system df, prune• Monitoring

• docker service logs• Prometheus experiment endpoint

• Build• docker build —squash

• CPU management —cpus 2.5• Docker for AWS & Azure GA

Docker & Microsoft: a great Open Source collaboration

Docker & Microsoft: collaboration on all fronts• Build

• Docker for Windows• Docker EE for Windows Servers• Visual Studio Tools for Docker• Visual Studio Code Docker extension

• Ship• Visual Studio team Services Docker Integration• Azure Container Registry

• Run• Azure Docker agent• Azure Container Service Swarm and Swarm Mode• Docker EE in Azure MarketPlace

Docker for Developers

Docker for Mac Docker for Windows

spring-doge.jar

Example: Spring Boot App using MongoDB

https://github.com/chanezon/docker-tips/

spring-doge

spring-doge-web

spring-doge-photo

API: Spring Boot, Spring Data

UI: AngularJS

Business Logic: java.awt

java -Dserver.port=8080 \-Dspring.data.mongodb.uri=mongodb://mongo:27017/test \-jar spring-doge.jar

Dockerfile

FROM java:8MAINTAINER Patrick Chanezon <patrick@chanezon.com>EXPOSE 8080COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jarWORKDIR /usr/src/spring-dogeCMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jarHEALTHCHECK --interval=5m --timeout=3s --retries=3 \ CMD curl -f http://localhost:8080/ || exit 1

Using Docker to compile your jar/war

https://registry.hub.docker.com/_/maven/

docker run -it --rm \-v $PWD:/usr/src/spring-doge \-v maven:/root/.m2 \-w /usr/src/spring-doge \maven:3.3-jdk-8 \mvn package

Build an imagedocker build -t chanezon/spring-doge .FROM java:8MAINTAINER Patrick Chanezon <patrick@chanezon.com>EXPOSE 8080COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jarWORKDIR /usr/src/spring-dogeCMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jarHEALTHCHECK --interval=5m --timeout=3s --retries=3 \ CMD curl -f http://localhost:8080/ || exit 1

Run a containerdocker run \—env MONGODB_URI=mongodb://mongo:27017/test \-p 8090:8080 \chanezon/spring-doge

docker-compose: running multiple containers Run your stack with one command: docker-compose

up Describe your stack with one file: docker-compose.ymlversion: '3'services: web: image: chanezon/spring-doge ports: - "8080:8080" environment: - MONGODB_URI=mongodb://mongo:27017/test mongo: image: mongo

Demo

Docker Java Labs

https://github.com/docker/labs/tree/master/developer-tools/

• Wildfly and Couchbase J2EE App• Debugging a Java app in Docker using Eclipse

Docker for Ops

Docker for Azure

Azure Container Service

SLA-backed Azure serviceaz acs create…

ACS Engine

open-source project that enables power users to customize the cluster configuration

Where Docker can work directly with Microsoft on newer versions of both Docker & ACS

https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md

Azure Container Service Swarm Mode

https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md

acs-engine ARM template generator

acs-engine swarmmode.json cd _output/SwarmMode...az group create --name "pat_az_5" --location "westus"az group deployment create -g pat_az_5 -n pat_acs_5 \--template-file=azuredeploy.json \--parameters=@azuredeploy.parameters.json

docker stack deploy Deploy your stack with one command: docker stack deploy

Describe your stack with one file: docker-compose.ymlversion: '3'services: web: image: chanezon/spring-doge ports: - "8004:8080" environment: - MONGODB_URI=mongodb://mongo:27017/test deploy: replicas: 2 update_config: parallelism: 2 delay: 10s restart_policy: condition: on-failure mongo: image: mongo

Demo

Docker for Enterprise

Goals

+ +

Agility Portability Control

Docker EE Subscription Tiers

EE Basic EE Standard(Docker Datacenter)

EE Advanced

CaaS enabled platform x x x

Container engine and built in orchestration, networking, security

x x x

Docker Certified Infra, Plugins and ISV Containers

x x x

Image management With private registry, caching

x x

Integrated container app management x x

Multi-tenancy with RBAC, LDAP/AD x x

Integrated secrets mgmt, image signing, policy

x x

Image security scanning and continuous vulnerability monitoring

x

Doc

ker D

atac

ente

r

Docker 2017 - Confidential

Docker Universal Control Plane

Integrated Security

Docker EngineContainer runtime, orchestration, networking, volumes, plugins

Docker Trusted Registry

Operating Systems Config Mgt Monitoring LoggingCI/CD ..more..Images Networking Volumes

VirtualizationPublic Cloud Physical

Docker Datacenter

Docker EE Platform

Usable Security

Secure defaults with tooling that is native to both dev and ops

The Key Components of Container Security

Infrastructure Independent

Trusted Delivery

Safer Apps

Everything needed for a full functioning app is delivered safely and guaranteed to not be tampered with

All of these things in your system are in the app platform and can move across infrastructure without disrupting the app

+

+

=

Usable Security

Integrated Security with Docker EE

Infrastructure Independent

Trusted Delivery

Safer Apps

Image Scanning

TLS EncryptionEncryption at Rest

App Secrets

Image Signing & Verification

Public CloudVirtualizationPhysical

Users & RBAC

Dev/Ops Workflow

+

+

=

Secure by default runtime

Docker Universal Control Plane

UCP Permission Model

What’s New in Docker Datacenter

What’s New in Docker EE 17.03

Application Services Content Trust and Distribution

Platform Enhancements

• Secrets Management

• HTTP Routing Mesh (GA)

• Docker Compose for Services

• Access control for Secrets and Volumes

• Image Content Cache

• On premises image security scanning and vulnerability monitoring

• Registry Webhooks

• DTR install command from UI

• UI Enhancements

• Additional LDAP configs

• Templates for AWS, Azure

Integrated Secrets Management

WorkerWorker

Manager

Internal Distributed Store

Raft Consensus Group

ManagerManager

Worker

External App

Web UI

• Management– Admins can add/remove/list/update

secrets in the cluster– Exposed to a container via a ”/secrets”

tmpfs volume• Authorization

– Tag secrets to a specific service– Admins can authorize secrets access

to users/teams via RBAC• Rotation

– Use GUI to update a secret to all containers in a service

• Auditing– Each user request for secret access

logged in cluster for auditing

Security Scanning: Get a full BOM for a Docker Image

Security Scanning: Vulnerabilities and Licensing for Each Component

Security Scanning: Set Automated Policy for Scanning

Security Scanning: Online and Offline Updates

Compose for Services

• Deploy stacks (services, volumes, networks, secrets) using new Compose file v3.1 format

• Manage and monitor stacks directly from UCP UI

Built in HTTP Routing Mesh (Now GA!)

• Extend TCP routing mesh to HTTP hostname routing for services

• HTTPS support via SNI protocol

• Support for multiple HRM networks for enhanced app isolation

• External LB routes hostnames to nodes

• Can add hostname routing via UI

• Non-service containers continue to use Interlock ref arch

WorkerWorkerWorker

External Load Balancer

Traffic via DNS (http to port 80 or other)

Foo.com Bar.com Qux.com

R RR

Docker EE on Azure

Docker EE on Azure

Free 30 Days Test Drive from Docker Store

Docker EE on Azure

Demo

• Software• https://www.docker.com/get-docker

• Slides • https://www.slideshare.net/chanezon

• Samples • https://github.com/chanezon/docker-tips• https://github.com/docker/labs

Resources

THANK YOU