
Docker EE Deep Dive

Docker Enterprise Edition (EE) is a secure, scalable, and supported container platform for building and orchestrating applications across multi-tenant Linux and Windows environments. Join Docker product managers as they dive into how Docker EE addresses challenges faced by enterprise customers, as well as the technical architecture of the solution. They will also walk through demos for the latest and upcoming features around application runtime and image management.

  1. Product Deep Dive: Docker Enterprise Edition. Patrick Devine, Product Manager, Docker (@pdev110)
  2. A little about me...
  3. Enterprise & Community Editions
     Enterprise Edition (EE):
     • Paid Docker subscription
     • Includes support from Docker
     • Predictable biannual releases
     • Certified partner ecosystem
     • Enterprise-grade features (security, management, automation)
     • Recommended for production use
     Community Edition (CE):
     • Free for "do it yourself" dev & ops
     • Does not include support
     • Quarterly Stable release for ops
     • Monthly Edge release for developers
  4. Docker Enterprise Edition (EE): a CaaS-enabled platform for the modern software supply chain
     • Integrated orchestration, security and management
     • Stable releases with 1 year of support and maintenance
     • Security patches and hotfixes backported to all supported versions
     • Enterprise-class support (9am-6pm or 24x7x365)
     • Certified Infrastructure, Containers and Plugins
  5. Docker EE Components (figure): the platform stacks Docker Trusted Registry (image management) and Docker Universal Control Plane (app & cluster management) on top of Docker Engine (container runtime, orchestration, networking, volumes, plugins), with advanced integrated security across all three. It runs on public cloud, virtual or physical infrastructure, and the certified ecosystem covers CI/CD, images, operating systems, volumes, monitoring, logging and more.
  6. Docker EE Architecture (figure, part 1): three UCP manager nodes form a Raft consensus group backed by an internal distributed store.
  7. Docker EE Architecture (figure, part 2): UCP worker nodes join the managers; admins and users deploy and manage applications through the UCP managers.
  8. Docker EE Architecture (figure, part 3): DTR replica nodes (image registry, image storage) sit behind a bring-your-own TCP load balancer that serves pulls and pushes; add-ons include logging, monitoring, and an external CA and LDAP/AD.
  9. Image Security: Image Scanning and Image Signing. Let's dive into the features!
  10. Image Scanning (available now)
     • Scans at a binary level
       ○ Not just looking at package versions
     • Works both online and offline
       ○ New vulnerability database released daily
       ○ Great for air-gapped scenarios (sneaker net!)
     • Scans both Linux (x86_64) and Windows
     • Coming soon for IBM z Series
  11. Image layers as seen by `docker history`:

```text
$ docker history pdevine/partyparrot:1.0
IMAGE          CREATED        CREATED BY
4e21821ad0d9   5 minutes ago  /bin/sh -c #(nop) ENTRYPOINT ["/parrot"]
880254b79668   5 minutes ago  /bin/sh -c #(nop) ADD file:6e64234...
6aa638b57d74   5 minutes ago  /bin/sh -c apk update && apk add pcre
4a415e366388   6 weeks ago    /bin/sh -c #(nop) ADD file:730030a...
```

  12. Scan output: a per-layer inventory of components

```json
{
  ...
  "layer_details": [
    {
      "components": [
        { "component": "coreutils", "version": "8.22", ... },
        ...
      ]
    },
    ...
  ]
}
```

  13. Scan output: each component carries the vulnerabilities found for it

```json
{
  ...
  "layer_details": [
    {
      "components": [
        {
          "component": "coreutils",
          "version": "8.22",
          "vulns": [
            { "vuln": { "cve": "CVE-2014-3639", "cvss": 2.1, ... } },
            ...
          ]
        },
        ...
      ]
    },
    ...
  ]
}
```
  14. Image Signing (coming soon)
     • Docker Content Trust built in to DTR
     • Enforcement can be done in UCP
       ○ Only valid signers can deploy containers
     • docker trust makes things easier than ever
     • More to come at Ashwini and Andy's talk at 13h30
  15. Image Distribution (coming soon): Image Caching, Image Promotion, Image Mirroring. Let's dive into the features!
  16. Image Caching, Promotion, & Mirroring (figure): Phase 1 is the image content cache (a slow pull from the origin DTR versus a fast pull from the cache), Phase 2 is image promotion between repositories (dev / qa / staging / prod) within one DTR, and Phase 3 is image mirroring between DTRs (a repo on the dev DTR mirrored to the stage DTR).
  17. Image Caching (available now)
     • Caches image layers closer to where they are being consumed, for faster pulls (a CDN for Docker images)
     • Works globally for all repositories in DTR
     • Preserves the access permissions of each individual repository in the DTR
  18. Use Case: Without Content Cache (figure): a build in Copenhagen, Denmark pulls layer A and layer B of dev/hello-world:latest directly from the DTR in San Francisco, USA. Slow.
  19. Use Case: With Content Cache (figure): the build in Copenhagen pulls layer A and layer B from a local content cache, which fetches them once from the DTR in San Francisco and serves them locally on later pulls. Fast.
  20. Image Promotion (available now)
     • Promotes "blessed" images from one repository to a different repository in the same DTR (dev / qa / staging / prod)
     • Repositories each have their own access control
     • Images can be re-tagged automatically to a new tag
     • Can be done "manually" or automatically by a "policy"
  21. Use Case: Promotion Flow
  22. Promotion Policy Criteria
     • Tagged with a certain tag
     • Doesn't contain any vulnerabilities above a threshold (critical, major, minor)
     • Package exists, or is greater or less than a certain version
     • Is greater than (or less than) a certain size
     • Doesn't contain a certain type of license (e.g. GPLv3)
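As an added example (not DTR's code and not from the slides), here is the kind of check a promotion policy performs, written against the scan structure on slides 12 and 13: it walks `layer_details` → `components` → `vulns` and applies the tag, vulnerability-threshold, package-version and size criteria from slide 22. The policy keys, the `TIER_FLOOR` CVSS mapping, the constructed sample scan and the image-size argument are assumptions; the license criterion is omitted because the slides show no license field in the scan output.

```python
"""Evaluate a promotion policy against a DTR-style image scan result (added example)."""

# Constructed sample scan result, shaped like the scan JSON on slides 12-13.
SCAN: dict = {
    "layer_details": [
        {"components": [
            {"component": "coreutils", "version": "8.22",
             "vulns": [{"vuln": {"cve": "CVE-2014-3639", "cvss": 2.1}}]},
            {"component": "pcre", "version": "8.41", "vulns": []},
        ]},
    ],
}
# Assumed CVSS floor for each severity tier named on slide 22.
TIER_FLOOR = {"minor": 0.1, "major": 4.0, "critical": 7.0}


def version_key(v: str) -> tuple:
    """Compare dotted versions numerically, so '8.9' < '8.22'."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def components(scan: dict) -> list:
    """Flatten the per-layer inventory into one list of components."""
    return [c for layer in scan["layer_details"] for c in layer["components"]]


def worst_cvss(scan: dict) -> float:
    """Highest CVSS score across every component's vulns (0.0 if none)."""
    scores = [v["vuln"]["cvss"] for c in components(scan) for v in c.get("vulns", [])]
    return max(scores, default=0.0)


def should_promote(tag: str, size_mb: float, scan: dict, policy: dict) -> tuple:
    """Return (promote?, reasons) for a policy built from the slide 22 criteria."""
    reasons = []
    if "tag" in policy and tag != policy["tag"]:
        reasons.append(f"tag {tag!r} is not {policy['tag']!r}")
    # Any vulnerability at or above the named tier blocks promotion.
    if "block_severity" in policy and worst_cvss(scan) >= TIER_FLOOR[policy["block_severity"]]:
        reasons.append(f"worst CVSS {worst_cvss(scan)} reaches {policy['block_severity']}")
    if "package" in policy:
        p = policy["package"]
        found = [c for c in components(scan) if c["component"] == p["name"]]
        if not found:
            reasons.append(f"package {p['name']} missing")
        elif "min_version" in p and version_key(found[0]["version"]) < version_key(p["min_version"]):
            reasons.append(f"{p['name']} {found[0]['version']} < {p['min_version']}")
    if "max_size_mb" in policy and size_mb > policy["max_size_mb"]:
        reasons.append(f"size {size_mb} MB exceeds {policy['max_size_mb']} MB")
    return (not reasons, reasons)
```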
  23. Advanced Use Case: Promotion Chaining
  24. Advanced Use Case: Promotion Branching
  25. Image Mirroring (coming soon)
     • Promotes "blessed" images from one repository to a different one in a different DTR (e.g. a repo on the dev DTR to the stage DTR)
     • Registries each have their own access control
     • Mirroring is bi-directional: can be done via "push" or "pull"
     • Policies can be used to automatically push to remote DTRs
  26. Image Mirroring (push based)
     • Image is pushed to DTR 1
     • If the policy is met (e.g. no vulnerabilities), the image is pushed to DTR 2
     • AuthN and AuthZ managed by each individual DTR
     • Signing / scan data not (yet) preserved
  27. Image Mirroring (pull based)
     • Image is pushed to DTR 1
     • DTR 2 polls DTR 1 at specified intervals to check for updates
     • If new images are found, the image is pulled to DTR 2
  28. Image Mirroring (pull based w/ webhook)
     • Image is pushed to DTR 1
     • DTR 1 notifies DTR 2 that a new image exists
     • DTR 2 contacts DTR 1 and pulls the image
  29. Image Management Demo!
  30. Demo step 1 (figure): a build in San Francisco, USA pushes dev/hello-world to the us-west DTR.
  31. Demo step 2 (figure): after a clean scan, the image is promoted from dev/hello-world to qa/hello-world on the us-west DTR.
  32. Demo step 3 (figure): a content cache in Copenhagen, Denmark caches the image for local pulls.
  33. Demo step 4 (figure): the image is mirrored from the us-west DTR to stage/hello-world on the us-east DTR in New York, USA.
  34. Demo step 5 (figure): on the us-east DTR the image is promoted from stage/hello-world to prod/hello-world.
  35. Docker EE Hosted Demo
     • Free 4 Hour Demo
     • No Servers Required
     • Full Docker EE Cluster Access
     docker.com/trial
  36. Thank You! @pdev110 @docker #dockercon
