Docker for Ops - Scott Coulton, Puppet

In this talk, Scott Coulton will take you through Docker's cluster solution Swarm mode with his operations hat on. We will start from the beginning by describing what swarm mode is, what it does, and how it works behind the scenes. From there, we will look at very basic configurations of Swarm mode from the point of view of the operations team as well as a production-ready workflow including deployments of the cluster, logging and CD best practices. Attendees will be able to apply their learnings to their use cases.


  1. Docker For Ops
     Scott Coulton, Senior Software Engineer, Puppet
  2. John Zaccone ("Dev"), Cloud Engineer, IBM
     Scott Coulton ("Ops"), Senior Software Engineer, Puppet
  3. Agenda: Docker for ops
     1. What we are going to cover
     2. Build for failure
     3. Make sure it's secure
     4. Can we log that?
     5. Deploy, Deploy, Deploy!!!
  4. About me: Docker Captain; Snr Software Engineer @ [logo]
  5. What we are going to cover
     As you saw in Docker for Dev, we have an awesome application that is going to make us some money, taking it from the evil corp Initech. To host the app we will use the following:
     • Both Docker UCP and Docker Swarm mode, making sure the infrastructure is highly available
     • We will host our images in a Docker Trusted Registry
     • We have to make sure the app is logging, the image is signed and there are no vulnerabilities in our images
  6. Build for failure
  7. We don't want our application to go down
     In this day and age an outage is going to cost your business money. Docker has two solutions to help you:
     • The open source offering is Swarm mode
     • The enterprise offering is Universal Control Plane
  8. Swarm mode
     Swarm mode is the native clustering solution included in the Docker engine from v1.12 onwards. Enabling swarm mode on your engine gives you the following:
     • Scheduling of containers across compute nodes
     • Overlay networking for container communication
     • Service discovery via DNS
     • Load balancing
     • Secure by default: all comms between nodes for cluster operations are configured to use SSL
  9. Swarm mode reference architecture
  10. Universal control plane
      Universal Control Plane is built on top of Docker swarm mode. In addition to the features you get with swarm mode you also get:
      • A graphical interface for management
      • TLS authentication to protect your Docker API
      • Real-time metrics on the cluster via dashboards
      • LDAP and RBAC
  11. UCP reference architecture (diagram): a Docker swarm of three manager nodes, each running CS Docker Engine, UCP agent and UCP manager, and two worker nodes, each running CS Docker Engine, UCP agent and UCP worker.
  12. UCP LB architecture
  13. UCP service discovery architecture
  14. How we are building our infrastructure
  15. Make sure it's secure!!!
  16. Let's make it secure
      As we already have a base image created by our developers, we should first make sure that the image does not have any vulnerable packages in it. Then we want to make sure our image is trusted and has not been tampered with. To do this we will use:
      • Docker Trusted Registry security scanning
      • Docker Notary
      • AppArmor to protect our container
  17. Security scanning
      Security scanning in DTR allows the following to happen at rest:
      • Images are scanned for vulnerabilities
      • Scanning is automated on a Docker push
      • Prebuilt dashboards display the scan results
  18. Security scanning dashboard
  19. Image signing with Notary
      Image signing with Notary:
      • Makes sure our images are signed
      • Sets up a trust model between the registry and the engine
  20. Notary architecture
  21. Notary signer interaction (sequence diagram; participants: client, auth, TUF server with server DB, signer with signer DB). Steps 1-7 as recoverable from the slide: the client uploads new metadata and gets "401 - please auth"; the client presents credentials to auth and receives a bearer token; the client re-sends token + upload new metadata; the server runs verify(metadata), gets the existing metadata from the server DB and runs generate(timestamp, snapshot); the signer runs sign(timestamp, snapshot) with private keys from the signer DB and returns the timestamp/snapshot signatures; the server stores the metadata and replies 200 OK; the client sends token + get new metadata and receives 200 OK + latest metadata.
  22. Protect our container's processes
      Applying AppArmor allows us to run only the processes we want to run in our containers:
      • Won't allow unwanted processes to spawn
      • Locks down the file system against unwanted reads or writes
  23. How do we apply a policy
      docker run --rm -it --security-opt apparmor=docker-default hello-world
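The run command above only requests the profile; an operator also wants to confirm that the profile is loaded in the kernel and that a running container actually ended up confined. The following is an added example, not from the talk or its demo repo: it reads the kernel's AppArmor profile list and the AppArmorProfile field of docker inspect, with constructed inspect fragments embedded so it runs without a Docker host.

```shell
#!/bin/sh
# Added example: check AppArmor confinement of Docker containers.
# Not from the talk; the inspect fragments below are constructed sample data.

# Is the named AppArmor profile loaded in the kernel?
# $1 = profile name, $2 = profile list (defaults to the real securityfs path).
# Each line of that list reads "<profile> (<mode>)", e.g. "docker-default (enforce)".
profile_loaded() {
  grep -q "^$1 (" "${2:-/sys/kernel/security/apparmor/profiles}"
}

# Extract the AppArmorProfile value from `docker inspect` JSON passed as $1.
apparmor_profile_of() {
  printf '%s' "$1" | sed -n 's/.*"AppArmorProfile": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only if the container is confined by a real profile
# (an empty value or "unconfined" means no policy is applied).
check_confined() {
  case "$(apparmor_profile_of "$1")" in
    ""|unconfined) return 1 ;;
    *)             return 0 ;;
  esac
}

# Start a container with the docker-default profile, refusing up front when
# the profile is not loaded so the failure is explicit and easy to diagnose.
run_confined() {
  profile_loaded docker-default || { echo "docker-default profile not loaded" >&2; return 1; }
  docker run --rm -it --security-opt apparmor=docker-default "$@"
}

# Constructed fragments of `docker inspect <container>` output.
SAMPLE_CONFINED='[{"Id":"0123","AppArmorProfile":"docker-default","HostConfig":{"SecurityOpt":["apparmor=docker-default"]}}]'
SAMPLE_UNCONFINED='[{"Id":"4567","AppArmorProfile":"","HostConfig":{"SecurityOpt":["apparmor=unconfined"]}}]'

# Live usage on a Docker host (audit every running container):
#   for c in $(docker ps -q); do
#     check_confined "$(docker inspect "$c")" || echo "unconfined: $c"
#   done
```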
  24. Can we log that?
  25. Can we log that?
      Applying logging to your container ecosystem is easy using a project called logspout (https://github.com/gliderlabs/logspout):
      • Allows you to capture logs from all your containers
      • Works with most existing logging infrastructure
      • Allows you to easily encrypt logs in transit
  26. Can we log that?
  27. Deploy, Deploy, Deploy
  28. Deploy, Deploy, Deploy
      Now that we have everything set up, from our security stack through to our logging, we can deploy:
      • How images get into our Docker Trusted Registry
      • The flow of requests if the clusters need an image
  29. Images to our DTR
  30. The flow of requests if the clusters need an image
  31. Demo time: https://github.com/scotty-c/dockercon-17
  32. Thank you! Go containerise your life! @scottcoulton #dockercon
