Top 5 benefits of docker

1. Top 5 Benefits of Docker 1 December 2nd, 2016

2. Ippon Technologies © 2016 Ippon Technologies Founded in 2002 by Stephane Nomis, former professional French judoka ● Consulting in Agile Development, Big Data and DevOps / Cloud ● Expertise in project delivery with short time-to-market and high quality ● Located in France, USA, Australia, Morocco ● 250 engineers ● 80% enterprise customers ● $32 million revenue and 20% annual growth rate We support innovative open-source projects such as the popular application generator JHipster We released a fully managed data platform based on Docker a full point scored in judo - a win 2

3. Ippon Technologies © 2016 Ippon Technologies USA Founded in March 2014 40 employees ● Richmond, VA (HQ) ● Washington DC 10+ Customers ● Top 10 US Bank ● Insurance & Health ○ Allianz ○ Genworth ○ CMS ○ Envera Specialties ● Big Data ● Agile Dev./ Digital ● Devops / Cloud 3

5. Ippon Technologies © 2016 What is Docker? ● Your application… PLUS stuff your application needs to run ➔Libraries, file system, webserver, etc. ● Docker images == Shippable Artifact ● Docker containers/images are lightweight ➔Fast spin-up ➔Small footprint ➔Fast shipping between hosts ● Built on top of Linux kernel features: namespaces and cgroups ➔Features that have been part of the linux kernel for a few years 5

7. Top 5 Benefits of Docker 7

8. Benefit #1 Solve “Works on my machine” Syndrome 8

9. Ippon Technologies © 2016 Problem: Environmental Drift ● Overtime, changes to servers cause environments to diverge ➔Example: security patches in production environment ● Bugs in production cannot be reproduced ➔Hours wasted debugging 9

10. Ippon Technologies © 2016 Solution: Immutable Infrastructure ● Docker images are immutable ● Don’t change servers directly! ● Need to update? ➔Implement change in Dockerfile, then deploy immutable image to all environments ➔Remove old containers with new containers from new Image ➔Changes are traceable, versioned and reproducible ● Bugs in production? ➔Pull image locally, and debug! 10

11. Benefit #2 - Security 11

12. Ippon Technologies © 2016 Security “Containers offer many overall advantages. From a security perspective, they create a method to reduce attack surfaces and isolate applications to only the required components, interfaces, libraries and network connections.” “In this modern age, I believe that there is little excuse for not running a Linux application in some form of a Linux container, MAC or lightweight sandbox.” – Aaron Grattafiori, Formerly Principal Consultant at NCC Group “Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS” because even if a container is cracked “they greatly limit the damage of a successful compromise because applications and users are isolated on a per-container basis so that they cannot compromise other containers or the host OS”. – Joerg Fritsch , Gartner 12

13. Ippon Technologies © 2016 Security with Isolation and Granular Controls ● Isolated containers provide better defense in depth ➔Network, PID, and other namespace isolation ● Only have libraries installed needed for your applications ➔Smaller attack surfaces ➔Don’t give hackers tools they can utilize (linux tools) ● Granular access for mandatory access controls (MAC) ➔Selinux, AppArmor ➔Whitelisting is best practice ➔Each container has exactly the permission required to run the application 13

14. Ippon Technologies © 2016 Security Scan Service ● Available with Docker Cloud and Docker Hub ● Scans against a database of known vulnerabilities ● Scans new layers as they are pushed through the pipeline ● New vulnerability? Scan all images again and notify developers 14

15. Ippon Technologies © 2016 Want to learn more about security? ● Aaron Grattafiori, Security lead of NCC Group wrote a good whitepaper on container security (very technical) https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux-containers/ 15

16. Benefit #3 - Faster Time to Market with Microservices 16

18. Ippon Technologies © 2016 Microservices! Oh Wait... ● Service orchestration / discovery ● Centralized monitoring and logging ● Resiliency / self-healing ● Need lots of environments ➔Dev, QA, Prod, Build environments, Test environments All these problems are harder when you have different types of applications 18

20. Ippon Technologies © 2016 Docker Helps with Microservices ● Standard container interface ➔Operations problems become more generic ➔Ecosystem tools exist ● Spin up new environments quickly ➔ For all of your Dev, QA, Prod, needs ● Containers are isolated ➔Deploy multiple apps with conflicting dependencies on the same VM ➔Fully utilize your allocated infrastructure. Save $$$! ● Use containers for build and test environments ➔ Riot Games does it right: https://engineering.riotgames.com/ 20

24. Benefit #4 - Unlock the Ecosystem 24

25. Ippon Technologies © 2016 Ecosystem Tools 25 Clustering and Container Manager Docker Swarm Mesos Kubernetes Marathon (Mesos) Hosting (and PaaS) Docker Cloud (PaaS with plugin hosting) Amazon ECS Google Container Engine (Kubernetes) Digital Ocean OpenShift (Redhat Paas) Service Discovery Consul Etcd zookeeper Monitoring / Logging Datadog cAdvisor Sysdig Splunk FluentD ELK (or EFK) https://github.com/veggiemonk/awesome-docker

26. Benefit #5 - “Developed in the Open” 26

27. Ippon Technologies © 2016 Community Relationship ● Docker is open-source with >1000 contributors ● Docker extracts internals and publishes as separate OS projects ➔ libnetwork , swarmkit, infrakit, etc. ➔Non are Docker dependent ● Experimental releases to collect feedback ● Programs such as the Docker Captains group and community slack channels ➔Join the community! https://community.docker.com/registrations/groups/4316o 27

28. Ippon Technologies © 2016 Docker is Built on Open Standards ● Open Container Initiative (OCI) define open Industry standards for container format and runtime ● Backed by big companies (Google, Docker, Redhat) ● Docker donated reference implementation runc: https://runc.io/ ● Starting with Docker 1.11 runs OCI compliant images using OCI- compliant OS projects: runc and containerd. 28

31. Thank You 31

32. Ippon Technologies © 2016 John Zaccone Software Engineer, RVA jzaccone@ipponusa.com @JohnZaccone Romain Lhéritier Managing Director, USA romain@ipponusa.com (804) 482-1515 www.ippon.tech Olivia Deputy Business Dev. Assoc., RVA odeputy@ipponusa.com (540) 421-3861 Addresses: Ippon @PowerPlant 2700 East Cary Street Richmond, VA 23223 Ippon @WeWork 718 7th St NW Washington, DC 20001 Contact Us 32