Docker Best Practices in development and Production

You should come if you know or have tried Docker but are thinking about how to get more serious about containers.

What are the best practices with Docker in development, staging and production with regard to security?

Key takeaways:

Security is not an afterthought with containers.

Know some of the newer features Docker supports, e.g. multi-stage builds, secrets, docker-compose, local Kubernetes.

Best practices in development and production.

Published in: Technology


  1. Docker Best Practices: Development and Production
  2. Why should you be serious about using it
  3. development:
  4. docker-compose
  5. version: "3"
     services:
       app:
         build: ./app
  6. bring up in 1 command
  7. run as another user
  8. image size
  9. multi-stage builds
  10. # build stage: toolchain, git token and devDependencies stay here
      FROM gcr.io/connectedcars-staging/connectedcars-node:9.3 as builder
      ARG GITHUB_AT
      WORKDIR /app
      RUN apt-get update && apt-get install -y mysql-client
      ADD . /app
      RUN yarn global add node-gyp
      RUN yarn
      ENV NODE_ENV production
      RUN npm run compile
      # reinstall with NODE_ENV=production so devDependencies are left out
      RUN rm -rf node_modules && yarn

      # runtime stage: only the compiled app and its production dependencies are copied in
      FROM gcr.io/connectedcars-staging/connectedcars-node-production:9.3
      ENV NODE_ENV production
      WORKDIR /app
      EXPOSE 9000
      COPY --from=builder /app .
      CMD npm run production
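As an added example (not from the slides or from the Connected Cars images), here is the same build/runtime split as slide 10 with the runtime stage switched to an unprivileged user, which is what slide 7 ("run as another user") asks for. The public node:9.3 base images, the user name app, the /app layout, the npm scripts and the use of COPY --chown (Docker 17.09 or newer) are assumptions; substitute your own base images:

```dockerfile
# Added example, not the deck's Dockerfile. Assumptions: public node:9.3
# images, an "app" user, a "compile" and a "production" npm script.

# --- build stage: compilers, lockfile-driven install, devDependencies -----
FROM node:9.3 AS builder
WORKDIR /app
# install dependencies before copying the source so this layer is cached
# until package.json or yarn.lock change
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
RUN npm run compile
# leave only production dependencies for the runtime image
RUN rm -rf node_modules && yarn install --frozen-lockfile --production

# --- runtime stage: no toolchain, no devDependencies, no root -------------
FROM node:9.3-slim
ENV NODE_ENV=production
WORKDIR /app
# an unprivileged system user with no login shell owns the runtime files
RUN groupadd --system app \
 && useradd --system --gid app --home /app --shell /usr/sbin/nologin app
# --chown (Docker 17.09+) makes the copied tree readable by that user
COPY --from=builder --chown=app:app /app /app
# everything after this line, including CMD, runs as app rather than root
USER app
EXPOSE 9000
CMD ["npm", "run", "production"]
```

The official node images already ship an unprivileged `node` user, so `USER node` is enough if you do not want to create one. The point is that the process listening on 9000 is not uid 0: a code-execution bug in the app then does not hand an attacker root inside the container, which without user namespaces is the same uid 0 the host kernel sees.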
  11. use official images
  12. create your own base images
  13. don't use latest, use git sha: image tags are mutable. A tag such as latest can be repointed at a different image at any time, so a deploy made from it is not reproducible; tag every build with the git commit sha it was built from (or pin the image digest).
  14. Continuous Integration
  15. Google Cloud Builder
  16. Google Container Registry
  17. overlay network, multiple networks
  18. version: "3"
      services:
        proxy:
          build: ./proxy
          networks:
            - frontend
        app:
          build: ./app
          networks:
            - frontend
            - backend
        db:
          image: postgres
          networks:
            - backend   # only app is on backend, so proxy can never reach db directly
      networks:
        frontend:
        backend:
  19. docker volumes
  20. version: "3"
      services:
        db:
          image: db
          volumes:
            - data-volume:/var/lib/db
        backup:
          image: backup-service
          volumes:
            - data-volume:/var/lib/backup/data
      volumes:
        data-volume:
  21. service discovery
  22. version: "3"
      services:
        app:
          build: ./app   # reaches the database as host "db": compose gives every service a DNS name
        db:
          image: db
  23. limits?
  24. version: '3'
      services:
        redis:
          image: myapp
          deploy:   # honored by docker stack deploy (swarm); plain docker-compose up ignores it unless run with --compatibility
            resources:
              limits:
                cpus: '0.50'
                memory: 500M
              reservations:
                cpus: '0.25'
                memory: 200M
  25. Kubernetes for development?
  26. # deployment.yaml
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: kevin-myapp
      spec:
        selector:
          matchLabels:
            app: kevin-myapp
        replicas: 2 # tells deployment to run 2 pods matching the template
        template: # create pods using pod definition in this template
          metadata:
            labels:
              app: kevin-myapp
          spec:
            containers:
            - name: kevin-myapp
              image: gcr.io/dd-decaf-cfbf6/kevin-myapp:latest # fine for local dev; per slide 13, pin a git sha for anything deployed
              ports:
              - containerPort: 8000
  27. production:
  28. secrets should be files, not environment variables: the environment is inherited by every child process and shows up in docker inspect, logs and crash dumps, while a file mounted into the container is read only by the code that opens it.
  29. docker run -v $(pwd)/secrets/db.json:/secrets/db.json myapp
  30. run as read-only: the root filesystem becomes immutable, so a compromised process cannot drop a binary or edit a config; give it explicit writable paths with --tmpfs or volumes.
  31. docker run -d -p 80:80 --read-only nginx
      (the official nginx image still needs writable /var/cache/nginx and /var/run, so in practice add --tmpfs for those)
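Added example (not from the slides): the same two controls as slides 29 and 31 written as a compose file, using the file-backed secrets that compose file version 3.1 added, which compose mounts under /run/secrets rather than injecting into the environment. The app service, the secret name db, the ./secrets/db.json path and the writable paths are assumptions for a hypothetical app:

```yaml
# Added example, not the deck's compose file. Assumptions: a service built
# from ./app that only needs /tmp writable and reads its DB credentials
# from a file.
version: "3.1"
services:
  app:
    build: ./app
    read_only: true              # same as docker run --read-only
    tmpfs:
      - /tmp                     # the one place the process may write
    secrets:
      - db                       # appears as /run/secrets/db inside the container
    cap_drop:
      - ALL                      # port 9000 needs no capability; drop the default set
    security_opt:
      - no-new-privileges:true   # setuid binaries cannot regain what was dropped
secrets:
  db:
    file: ./secrets/db.json      # file on the host, never an environment variable
```

The runtime user itself is set in the image (slide 7), not here; with `read_only` the named volumes from slide 20 stay writable, which is what you want for the database's data directory and nothing else.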
  32. seccomp / AppArmor: seccomp filters which syscalls the container may make; Docker applies a default profile that blocks around 44 of the 300+ syscalls unless you run with --privileged or --security-opt seccomp=unconfined. On hosts with AppArmor, Docker also loads its docker-default profile.
  34. gVisor: Google Container Runtime Sandbox
  38. Jessie Frazelle, https://blog.jessfraz.com/post/containers-security-and-echo-chambers/
  39. $ docker run --rm -it --security-opt seccomp=/path/to/seccomp/profile.json hello-world
  40. demo seccomp
      https://docs.docker.com/engine/security/seccomp/#significant-syscalls-blocked-by-the-default-profile
      https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json
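To make the demo concrete without a Docker daemon, here is an added example (not from the slides, Docker or moby) that evaluates a profile in the default.json format: a syscall gets the action of the first rule that names it, whose includes/excludes match the container's capabilities and whose argument filters match, otherwise defaultAction. Treating rule order as first-match-wins is a simplifying assumption of this model. It goes beyond the slide's hello-world run in one way: it shows that the allowed set depends on the container's capabilities, so --cap-add SYS_ADMIN silently unlocks mount, setns, unshare and namespace-creating clone under the very same profile. The profile embedded below is constructed for the example, follows the schema of default.json and is far too small to run real containers with:

```python
"""Evaluate a Docker seccomp profile offline.

Added example, not code from the slides or from Docker/moby. SAMPLE_PROFILE is
constructed for this example (assumption: same JSON schema as moby's
profiles/seccomp/default.json); do not use it as a real profile.
"""
import json

CLONE_NEWUSER = 0x10000000   # one of the namespace flags the mask below catches
SIGCHLD = 17                 # the flags word of an ordinary fork-style clone()

# Three patterns copied from the default profile's structure: a plain
# allowlist, an argument filter (clone may not create namespaces) that only
# applies without CAP_SYS_ADMIN, and a capability-gated group (mount & co.
# only with CAP_SYS_ADMIN). 2114060288 == 0x7E020000 == all CLONE_NEW* flags.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["read", "write", "openat", "mmap", "futex", "exit_group"],
     "action": "SCMP_ACT_ALLOW", "args": []},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
               "op": "SCMP_CMP_MASKED_EQ"}],
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["bpf", "clone", "mount", "setns", "umount2", "unshare"],
     "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "args": [],
     "includes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}
""")

# libseccomp comparison operators; for MASKED_EQ moby stores the mask in
# "value" and the expected masked result in "valueTwo": (arg & mask) == datum
_OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}


def _caps_match(rule, caps):
    """includes.caps needs at least one granted cap; excludes.caps needs none."""
    inc = rule.get("includes", {}).get("caps") or []
    exc = rule.get("excludes", {}).get("caps") or []
    if inc and not any(c in caps for c in inc):
        return False
    return not any(c in caps for c in exc)


def _args_match(rule, args):
    """Every argument comparison must hold; an argument we were not given cannot match."""
    for cmp_ in rule.get("args") or []:
        idx = cmp_["index"]
        if idx >= len(args):
            return False
        if not _OPS[cmp_["op"]](args[idx], cmp_["value"], cmp_.get("valueTwo", 0)):
            return False
    return True


def seccomp_action(profile, syscall, caps=frozenset(), args=()):
    """Return the SCMP_ACT_* a container holding `caps` gets for syscall(*args).

    Model assumption: the first matching rule wins, then defaultAction.
    """
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and _caps_match(rule, caps) and _args_match(rule, args):
            return rule["action"]
    return profile["defaultAction"]


def allowed_unconditionally(profile, caps, watchlist):
    """Syscalls from `watchlist` that some rule without argument filters allows.

    Run it for the default caps and again with CAP_SYS_ADMIN to see what
    --cap-add unlocks under an unchanged profile.
    """
    return sorted(s for s in watchlist
                  if seccomp_action(profile, s, caps) == "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    watch = ["bpf", "clone", "mount", "ptrace", "setns", "unshare", "init_module"]
    for caps in (frozenset(), frozenset({"CAP_SYS_ADMIN"})):
        print(sorted(caps) or "default caps", allowed_unconditionally(SAMPLE_PROFILE, caps, watch))
    print("clone(SIGCHLD):", seccomp_action(SAMPLE_PROFILE, "clone", args=(SIGCHLD,)))
    print("clone(CLONE_NEWUSER|SIGCHLD):",
          seccomp_action(SAMPLE_PROFILE, "clone", args=(CLONE_NEWUSER | SIGCHLD,)))
```

Point the same functions at the real default.json (json.load on the downloaded file) to check what a given --cap-add buys an attacker before you approve it; init_module stays blocked in the sample because no rule names it, which is the whole value of a default-deny defaultAction.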
  41. Connected Cars
  42. Startup, Serverless...
  43. Summary
      - bring up in 1 command
      - read-only
      - secrets as files
      - seccomp is powerful
  44. kevin.simper@gmail.com @kevinsimper
