docker roadshow 2016
TRANSCRIPT
![Page 1: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/1.jpg)
Docker and the Modern Application Platform
Marc Verstaen, EVP Product Development
![Page 2: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/2.jpg)
The application landscape is changing
~2000: Monolithic, Big Servers, Slow changing
Today: Loosely Coupled Services, Many Small Servers or devices, Rapidly updated
![Page 3: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/3.jpg)
Development VM
QA Server
Public Cloud
Disaster Recovery
Contributor’s Laptop
Production Servers
Production Cluster
Data Center
Containers are the catalyst
Static Website
Web Front End
Background Workers
User DB
Analytics DB
Queue
API Endpoint
![Page 4: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/4.jpg)
Docker driving the containerization movement
60% of Docker users already running in production
Companies running container technology in production (500+ employees)
Sources: Docker Survey: State of Applications, Q1 2016; Cluster HQ: State of Container Usage, June 2016
![Page 5: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/5.jpg)
At the center of enterprise IT transformation
80%: Docker is central to cloud strategy
3 out of 4 top initiatives revolve around applications: App Modernization, DevOps, Cloud
44%: Looking to adopt DevOps
Source: Docker Survey: State of App development, Q1 2016
![Page 6: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/6.jpg)
Docker delivers innovation, speed and savings
Agility + Portability + Control
13X more software releases
62% report reduction in MTTR
10X cost reduction in maintaining existing applications
Eliminate “works on my machine” issues
41% move workloads across private/public clouds
65% reduction in developer onboarding time
Source: State of App development Survey: Q1 2016, Cornell University case study
![Page 7: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/7.jpg)
Docker Containers as a Service
![Page 8: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/8.jpg)
Cloud Zone 1
Cloud Zone 2 Data Center
Development Center
Headquarters
Docker aims to build a programmable layer for the internet to connect your global supply chain
Build, ship and run any application anywhere
The enterprise software supply chain is global
![Page 9: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/9.jpg)
Enterprise IT is hybrid apps and infrastructure
Sources: x86 server operating systems worldwide; Docker State of App development Survey: Q1 2016; Morgan Stanley CIO Survey: June 30, 2016; Study of Gartner reports re: x86 shipments
• 80% looking to Docker to enable hybrid cloud initiatives.
• Public Cloud adoption expected to increase to 30% by 2017.
• 46% plan to build new microservices
![Page 10: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/10.jpg)
Docker enables a new workflow with Containers as a Service
DEVELOPERS / IT OPERATIONS
BUILD: Development Environments
SHIP: Secure Content & Collaboration
RUN: Deploy, Manage, Scale
![Page 11: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/11.jpg)
Docker Datacenter
Docker Universal Control Plane
Docker Trusted Registry
Integrated Security
Docker Engine: Container runtime, orchestration, networking, volumes, plugins
Operating Systems, Config Mgt, Monitoring, Logging, CI/CD, ...more...
Images, Networking, Volumes
Virtualization, Public Cloud, Physical
Docker CaaS platform is flexible, pluggable and portable
![Page 12: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/12.jpg)
One platform and one journey for all applications
1. Containerize Legacy Applications: Lift and shift for portability and efficiency
2. Transform Legacy to Microservices: Look for shared services to transform
3. Accelerate New Applications: Greenfield innovation
![Page 13: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/13.jpg)
![Page 14: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/14.jpg)
Servers ship with Docker Commercial Engine/Support
Docker Datacenter available through all HPE channels
Integrated Solution with Hardware, Software, Support, and Services
![Page 15: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/15.jpg)
Docker Datacenter
Steven Thwaites, Solutions Engineer
![Page 16: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/16.jpg)
Docker Datacenter workflow
DEVELOPERS / IT OPERATIONS
BUILD: Development Environments
SHIP: Secure Content & Collaboration
RUN: Deploy, Manage, Scale
Docker Trusted Registry, Docker Content Trust
Universal Control Plane
Docker for Mac, Docker for Windows
![Page 17: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/17.jpg)
Docker Datacenter core values
Agility + Portability + Control
Extends the Docker developer experience to production
Easy to setup and use
Native Docker solution
Ease of management at scale
Integrated security and policy for content and access (RBAC)
Integrates with existing systems
Full support of Docker API
Seamless dev to prod workflow
Infrastructure, network and storage portability
![Page 18: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/18.jpg)
Key use cases for Docker Datacenter
Cloud: Cloud Migration, Hybrid Cloud, Multi-Cloud
Microservices: Containerization, Microservices, App Modernization
DevOps: DevOps, CI/CD, Self Service
![Page 19: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/19.jpg)
Portability: Frictionless across environments
Dev, Test / QA, Staging, Production
Same code in dev runs unchanged in every environment
Container, network, storage portability: Services, Networks, Volumes
![Page 20: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/20.jpg)
Control: Orchestration and integrations at scale
Universal Control Plane
High Availability, Access Control, 3rd Party Plugins, Swarm Managed, GUI Management, Docker Native Integration, Monitoring
![Page 21: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/21.jpg)
Control: Ease of use and management
• Quick and easy to deploy
• Easy GUI based configurations
• Simple and non-disruptive upgrades
• Intuitive GUI and dashboards
• Point and click, search and browse
• Support for Docker CLI and Toolbox
![Page 22: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/22.jpg)
Control: Easy to deploy and use
![Page 23: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/23.jpg)
Control: Granular control of applications
Manage Compose apps
• Start, stop or delete Compose apps
• Click to inspect individual containers
Manage Containers
• Start, stop, destroy or rename
• Scale number of containers
• View details, stats, logs
• Use console to log into
![Page 24: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/24.jpg)
Control: Secure Runtime Access
Set up options
• LDAP/AD support
• Built-in
Granular RBAC
• Users and Teams
• Roles
• Permission labels
User Experience
• Single sign on
![Page 25: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/25.jpg)
Control: Unified Authentication Service
UCP, DTR, LDAP/AD, External CA, eNZi
• Provides shared authentication for entire DDC stack
• Install/configure with UCP (including HA replication)
• Users created in UCP show up in DTR and vice-versa
• Streamlined UCP and DTR setup for SSO
![Page 26: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/26.jpg)
Control: Secure Image Collaboration
Trusted Registry
Log Aggregator
Authorization Server
Registry Service
Content Trust
LDAP/AD
Logs
Storage
Image Repo
Image Repo
Image Repo
Admin Server
Notary Server
Web UI
CLI
![Page 27: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/27.jpg)
Control: Integrated Content Trust
Developers / IT Operations
BUILD: Development Environments
SHIP: Secure Content & Collaboration
RUN: Deploy, Manage, Scale
Library of signed and trusted images
Enforce use of only trusted images
![Page 28: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/28.jpg)
Control: Granular Image Management
• Search and browse repos
• RBAC by repo
–Users, Teams, Orgs
–Read, Read-Write, Admin
• Garbage collection
• Integrated Content Trust
![Page 29: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/29.jpg)
Docker Datacenter Subscription
Docker Universal Control Plane, Docker Trusted Registry, Docker Engine with Business Day Support: $1,500 /node/year
Docker Universal Control Plane, Docker Trusted Registry, Docker Engine with Business Critical Support: $3,000 /node/year
![Page 30: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/30.jpg)
Value of a Docker Subscription
Validated Configurations
Enterprise Class Support with SLAs and hotfixes
Docker Universal Control Plane
Docker Trusted Registry (Integrated Docker Content Trust)
Commercially Supported Docker Engine
Integrations and API Support
![Page 31: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/31.jpg)
Value of Docker Subscription
Official Technical Support
• Dedicated support engineers and SLAs
• Only available from Docker and IBM
Secure
• Address vulnerabilities
• Hotfixes
Stable
• Predictable release cadence
• Long supported versions
• Backport defect fixes
Integrations and API Support
• Docker native toolset
• Access to the broadest ecosystem
Validated Configurations
• Validated operating systems, configurations and interoperability
Direct Product Roadmap Ownership
• Directly responsible for proprietary and open source product roadmap
![Page 32: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/32.jpg)
Secure the Enterprise Software Lifecycle with Docker
Diogo Monica, Security Lead
![Page 33: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/33.jpg)
Software supply chain
source/dependencies
build systems/engineers
network
application
repository
deployed systems
![Page 34: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/34.jpg)
Identity
![Page 35: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/35.jpg)
IMAGE
name: alpine:3.4
sha256: ea08...950
ID: f70c828098f5
expires: 2019-06-20
USER
name: user
org: organization
DOCKER HOST
name: node-1
ID: 9j1kxp7cd1z...22c
*manager
expires: 2016-06-21
ID: 58slx2ra5qiee92n4uf56ocvf
![Page 36: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/36.jpg)
source/dependencies
build systems/engineers
Consistent builds
![Page 37: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/37.jpg)
Consistent Builds: Good input = good output
![Page 38: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/38.jpg)
network
Application signing
![Page 39: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/39.jpg)
Docker Content Trust
![Page 40: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/40.jpg)
Security: Trusted image chaining
Add image layer, sign, then push image to private registry. Continue until complete for a trusted chain of image layers.
debian:jessie → pypy:3 → user/pypybase:latest → user/myapp:latest
Layers added along the chain: pypy3, Additional Libraries, Django app
![Page 41: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/41.jpg)
application
repository
Security Scanning and Gating
![Page 42: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/42.jpg)
Docker Security Scanning Architecture
![Page 43: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/43.jpg)
![Page 44: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/44.jpg)
Trusted image chaining with signing
Add image layer, sign, security scan, then push image to private registry. Continue until complete for a trusted chain of image layers. Now a security BOM exists for each image tag.
debian:jessie → pypy:3 → user/pypybase:latest → user/myapp:latest
Layers added along the chain: pypy3, Additional Libraries, Django app
![Page 45: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/45.jpg)
Threshold signing and gating
Stages: CI → Security Scanning → Staging → Production
UCP Manager; UCP Worker, UCP Worker, UCP Worker
Sign image to “approve” passing of each stage. Policy to check for signatures before deployment.
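The stage-by-stage approval on these slides (each stage signs the image to approve it, and a policy checks for the required signatures before deployment) can be made concrete in a short program. The Go code below is an added example, not code from Docker, Notary or this presentation: Ed25519 keys stand in for the Content Trust signing keys, each stage signs the binding of the tag user/myapp:latest to a manifest digest, and a deployment gate refuses any tag that lacks a valid signature from every required stage. The stage names, the all-stages-required policy, the manifest bytes and the flat approval record are constructed assumptions of this example; real Docker Content Trust stores its signatures as TUF metadata on a Notary server rather than in a list like this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StageSigner holds the key of one pipeline stage (CI, Security Scanning,
// Staging). Each stage signs the same tag-to-digest binding to "approve" it.
type StageSigner struct {
	Stage string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
}

// NewStageSigner generates a fresh Ed25519 key pair for a stage.
func NewStageSigner(stage string) (*StageSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &StageSigner{Stage: stage, Pub: pub, priv: priv}, nil
}

// Approval is one stage's signature over "<tag>@<digest>".
type Approval struct {
	Stage  string
	Tag    string
	Digest string
	Sig    []byte
}

// signedMessage is the exact byte string each stage signs. Binding a mutable
// tag to an immutable manifest digest is what the signature is for: a later
// push to the same tag produces a different digest and inherits no approval.
func signedMessage(tag, digest string) []byte {
	return []byte(tag + "@" + digest)
}

// Approve signs the tag/digest binding with the stage's private key.
func (s *StageSigner) Approve(tag, digest string) Approval {
	return Approval{Stage: s.Stage, Tag: tag, Digest: digest,
		Sig: ed25519.Sign(s.priv, signedMessage(tag, digest))}
}

// DeployPolicy lists the stages whose signatures must all be present before
// a tag may be deployed (an all-of-N threshold; assumption of this example).
type DeployPolicy struct {
	RequiredStages []string
}

// Gate verifies the approvals against the trusted stage public keys and the
// policy. It returns whether the image is deployable and which required
// stages lack a valid signature over exactly this tag and digest.
func Gate(p DeployPolicy, trusted map[string]ed25519.PublicKey, tag, digest string, approvals []Approval) (bool, []string) {
	valid := map[string]bool{}
	for _, a := range approvals {
		pub, known := trusted[a.Stage]
		if !known || a.Tag != tag || a.Digest != digest {
			continue // unknown signer, or a signature over some other image: ignored
		}
		if ed25519.Verify(pub, signedMessage(a.Tag, a.Digest), a.Sig) {
			valid[a.Stage] = true
		}
	}
	var missing []string
	for _, stage := range p.RequiredStages {
		if !valid[stage] {
			missing = append(missing, stage)
		}
	}
	return len(missing) == 0, missing
}

// ManifestDigest stands in for the registry's content digest: a sha256 over
// a manifest body supplied by the caller (constructed for this example).
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

func main() {
	ci, _ := NewStageSigner("CI")
	scan, _ := NewStageSigner("Security Scanning")
	staging, _ := NewStageSigner("Staging")
	trusted := map[string]ed25519.PublicKey{ci.Stage: ci.Pub, scan.Stage: scan.Pub, staging.Stage: staging.Pub}
	policy := DeployPolicy{RequiredStages: []string{"CI", "Security Scanning", "Staging"}}

	tag := "user/myapp:latest"
	digest := ManifestDigest([]byte("constructed manifest body for user/myapp"))
	// Staging has not signed yet, so the production gate must refuse.
	ok, missing := Gate(policy, trusted, tag, digest, []Approval{ci.Approve(tag, digest), scan.Approve(tag, digest)})
	fmt.Println("deployable:", ok, "missing:", missing)
}
```

Two details carry the security value: an approval over a different digest is not counted even though the tag matches, and a signature presented under a stage name but made with another stage's key fails verification, so no single compromised stage key can satisfy the whole policy.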
![Page 46: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/46.jpg)
deployed systems
Orchestration
![Page 47: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/47.jpg)
$ docker run -it --net host --pid host --cap-add audit_control ... docker/docker-bench-security
[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[PASS] 1.5 - Keep Docker up to date
[INFO] * Using 1.12.04 which is current as of 2016-08-16
[INFO] * Check with your operating system vendor for support and security maintenance for docker
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO] * docker:x:999:docker
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO] * File not found
[INFO] 1.11 - Audit Docker files and directories - docker.socket
[INFO] * File not found
...
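The benchmark output above is only useful if something acts on it, and a CI job that runs it has to decide what counts as a failure. The Go program below is an added example, not part of docker-bench-security or this presentation: it parses lines in the tool's "[LEVEL] id - text" form, using a sample constructed from the checks shown on the slide, and keeps genuine WARN findings apart from WARNs that only mean the tool could not run its check (the auditctl lines). The ShouldFail gate and its strict flag are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BenchReport summarises one docker-bench-security run by check ID.
type BenchReport struct {
	Pass            []string // checks the host satisfies
	Warn            []string // genuine findings to fix on the host
	InspectFailures []string // WARNs where the tool itself could not inspect (e.g. auditctl missing)
	Info            []string // informational checks
}

// checkLine matches "[LEVEL] n.m - text". Section headers such as
// "[INFO] 1 - Host Configuration" have no dotted ID and "* detail" lines have
// no ID at all, so both fall through and are skipped.
var checkLine = regexp.MustCompile(`^\[(PASS|WARN|INFO|NOTE)\]\s+(\d+\.\d+)\s+-\s+(.*)$`)

// ParseBench classifies every check line in the tool's output.
func ParseBench(output string) BenchReport {
	var r BenchReport
	for _, line := range strings.Split(output, "\n") {
		m := checkLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		level, id, text := m[1], m[2], m[3]
		switch level {
		case "PASS":
			r.Pass = append(r.Pass, id)
		case "WARN":
			// A WARN that only says the tool could not run its check is a gap
			// in coverage, not evidence of a misconfiguration. Keep it separate
			// so it is neither silently treated as a pass nor as a finding.
			if strings.HasPrefix(text, "Failed to inspect") {
				r.InspectFailures = append(r.InspectFailures, id)
			} else {
				r.Warn = append(r.Warn, id)
			}
		default:
			r.Info = append(r.Info, id)
		}
	}
	return r
}

// ShouldFail is the CI gate: real findings always fail the job; inspection
// failures fail it only in strict mode, where full coverage is demanded.
func (r BenchReport) ShouldFail(strict bool) bool {
	return len(r.Warn) > 0 || (strict && len(r.InspectFailures) > 0)
}

// SampleOutput is constructed from the check lines shown on the slide.
const SampleOutput = `[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[PASS] 1.5 - Keep Docker up to date
[INFO] * Using 1.12.04 which is current as of 2016-08-16
[INFO] * Check with your operating system vendor for support and security maintenance for docker
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO] * docker:x:999:docker
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO] * File not found
[INFO] 1.11 - Audit Docker files and directories - docker.socket
[INFO] * File not found`

func main() {
	r := ParseBench(SampleOutput)
	fmt.Printf("pass=%v warn=%v inspect-failures=%v info=%v\n", r.Pass, r.Warn, r.InspectFailures, r.Info)
	fmt.Println("fail build:", r.ShouldFail(false))
}
```

On the slide's own output the only genuine finding is 1.1 (no separate partition for containers); 1.7 to 1.9 are unanswered because auditctl is not installed in the benchmark container, which is the kind of gap that should be visible in the report rather than lost among the warnings.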
![Page 48: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/48.jpg)
Secure Cluster Management
• Docker 1.12 with built in orchestration (clustering and scheduling)
• Strong default cluster security
![Page 49: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/49.jpg)
Mutual TLS by default
• Leader acts as CA.
• Any Manager can be promoted to leader.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.
![Page 50: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/50.jpg)
Support for External CAs and Automatic Rotation
• Managers support BYO CA.
• Forwards CSRs to external CA.
• Customizable certificate rotation periods.
• Occurs automatically.
• Ensures potentially compromised or leaked certificates are rotated out of use.
• Whitelist of currently valid certificates.
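The points on these two slides (leader acts as CA, nodes identified by their certificate, mutual TLS, automatic rotation, whitelist of currently valid certificates) can be demonstrated with the Go standard library's x509 package. The program below is an added example, not SwarmKit's or Docker's implementation: a ClusterCA issues short-lived node certificates with the node ID in the CN and the role in the OU, a manager verifies a peer's certificate against the CA, its validity window and a whitelist of current serials, and NeedsRotation signals when a certificate is close enough to expiry to be reissued. Node names, roles, lifetimes and the date 2016-06-21 are constructed values; the exact certificate fields SwarmKit uses and its rotation schedule are not shown on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ClusterCA models the swarm leader acting as certificate authority: it issues
// node certificates and keeps a whitelist of the serials that are currently
// valid, so a leaked certificate can be retired before it expires.
type ClusterCA struct {
	Cert        *x509.Certificate
	key         *ecdsa.PrivateKey
	pool        *x509.CertPool
	validSerial map[string]bool
}

// NewClusterCA creates a self-signed CA (constructed ten-year lifetime).
func NewClusterCA(now time.Time) (*ClusterCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "swarm-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ClusterCA{Cert: cert, key: key, pool: pool, validSerial: map[string]bool{}}, nil
}

// IssueNodeCert signs a certificate for one node: node ID in the CN, role
// (manager or worker) in the OU, so a verifier reads identity and role straight
// from the certificate. The new serial joins the whitelist.
func (ca *ClusterCA) IssueNodeCert(nodeID, role string, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: nodeID, OrganizationalUnit: []string{role}},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// Mutual TLS: every node both presents and checks certificates.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.validSerial[serial.String()] = true
	return cert, nil
}

// Retire removes a certificate from the whitelist: the old one after a
// rotation, or a leaked one immediately.
func (ca *ClusterCA) Retire(cert *x509.Certificate) {
	delete(ca.validSerial, cert.SerialNumber.String())
}

// VerifyNode is the check a manager performs on a peer's certificate: it must
// chain to the cluster CA, be within its validity window at `now`, and still
// be whitelisted. It returns the node ID and role carried by the certificate.
func (ca *ClusterCA) VerifyNode(cert *x509.Certificate, now time.Time) (nodeID, role string, err error) {
	opts := x509.VerifyOptions{
		Roots:       ca.pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", "", err
	}
	if !ca.validSerial[cert.SerialNumber.String()] {
		return "", "", errors.New("certificate has been rotated out of use")
	}
	if len(cert.Subject.OrganizationalUnit) == 0 {
		return "", "", errors.New("certificate carries no role")
	}
	return cert.Subject.CommonName, cert.Subject.OrganizationalUnit[0], nil
}

// NeedsRotation reports whether a certificate expires within `window`, the
// trigger an automatic rotation loop would act on.
func NeedsRotation(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(cert.NotAfter)
}

func main() {
	now := time.Date(2016, time.June, 21, 0, 0, 0, 0, time.UTC) // constructed date
	ca, err := NewClusterCA(now)
	if err != nil {
		panic(err)
	}
	mgr, err := ca.IssueNodeCert("node-1", "manager", now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	id, role, err := ca.VerifyNode(mgr, now)
	fmt.Println("peer:", id, role, err)
	fmt.Println("rotate within 7 days of expiry:", NeedsRotation(mgr, now.Add(85*24*time.Hour), 7*24*time.Hour))
	ca.Retire(mgr) // simulate the old certificate being rotated out
	_, _, err = ca.VerifyNode(mgr, now)
	fmt.Println("retired certificate:", err)
}
```

The whitelist is what makes rotation effective against a leaked certificate: expiry alone leaves a stolen certificate usable until its NotAfter, whereas retiring the serial rejects it at the next handshake even though the certificate is still time-valid and correctly signed.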
![Page 51: Docker Roadshow 2016](https://reader036.vdocuments.mx/reader036/viewer/2022062905/586e8c091a28aba0038b82c7/html5/thumbnails/51.jpg)