Containers in the Enterprise

Transform the way you deploy applications
Ken Thompson
Senior Cloud Solution Architect
Technical Event Series August 2015
Containers in the Enterprise
Australia & New Zealand

Containers in the Enterprise - Technical Event Series - August 2015
2
AGENDA
● What are Linux Containers?
● Enterprise Challenges for Container Adoption and
How Red Hat Solves These
● Kubernetes Architecture
● Real World Container Adoption
● Red Hat's Container Roadmap

Containers in the Enterprise - Technical
Event Series - August 2015
3
What are Linux Containers?

4
WHAT ARE LINUX CONTAINERS?
Software packaging concept that typically includes an application and all of
its runtime dependencies
● Easy to deploy and portable
across host systems
● Isolates applications on a
host operating system
● In RHEL, this is done through:
● Control Groups (cgroups)
● Kernel namespaces
● SELinux, sVirt, iptables
● Docker
HOST OS
SERVER
CONTAINER
LIBS
APP

5
TRADITIONAL OS VS. CONTAINERS
Traditional OS Containers
HARDWARE
HOST OS
HARDWARE
HOST OS
CONTAINER
LIBS
APP A
LIBS A LIBS B LIBS LIBS
APP A APP B
CONTAINER
LIBS
APP B
Packaged dependencies = faster boot times + greater portability

6
CONTAINERS DELIVER MANY
BENEFITS
Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA
Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015
Faster provisioning
Greater deployment flexibility
Ability to deliver/deploy applications faster
Greater application mobility/portability
69%
70%
72%
73%
How important are the following benefits of containers to your organization?
Critically or Very Important
73%
72%
70%
69%

Why are Containers “new”
and cool...again?

8
public class HelloWorld {
public static void
main(String[] args) {
System.out.println
("Hello, World");
}
}
#include<stdio.h>
main()
{
printf("Hello World");
}
var http = require('http');
var server = http.createServer(
function (request, response) {
response.writeHead(200,
{"Content-Type": "text/plain"});
response.end("Hello Worldn");
});
server.listen(8000);
$_ = "hello world";
$_ =~ s/^(bw)(Bw+)s(D)(D+)$/
U$1E$2 U$3E$4!n/;
print $_;
PHYSICAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD
<?php Print "Hello, World!"; ?>
CONSISTENT PACKAGING FORMAT
Docker provides a language agnostic packaging format and runtime API

9
public static void
System.out.println
("Hello, World");
}
}
#include<stdio.h>
main()
{
}
});
$_ = "hello world";
$_ =~ s/^(bw)(Bw+)s(D)(D+)$/
U$1E$2 U$3E$4!n/;
print $_;
bash glibc
...
bash glibc
jre
libssl libv8
...
bash glibc
nodejs perl php
...
bash glibc
PACKAGED DEPENDENCIES
Package dependencies ensure consistency and portability*
*The one thing not packaged
is the Linux Kernel! Therefore
host systems need to be the
same distribution and version to
guarantee portability.

10
STEP 1- LAPTOP
> docker run dockerfile/nodejs

11
SUCCESS!

12
STEP 2 - PRODUCTION
> containerise the datacenter

13
...STEP 1.1?

14
Organisations need a secure and reliable foundation on which they can run and
orchestrate multi-container based applications at scale
CONTAINER ADOPTION
CHALLENGES
Containerising the datacenter requires planning...

15
CONCERNS ABOUT ENTERPRISE
READINESS OF CONTAINERS
The world of containers
doesn't end with Docker
“The open-source app
containerization startup has built
up quite a bit of momentum, but
it's still not entirely ready for
enterprise.”
Matt Weinberger
Computerworld | Feb 9, 2015
Combined with hardened OS technologies & Orchestration, they are

16
TOP CURRENT CONTAINER
CHALLENGES
Training and Education (lack of skills)
Consistency (lack of standards)
Scalability
Lack of certification or digital structure
Management
Integration with existing development tools and processes
Variable performance
Security
29%
31%
32%
35%
35%
41%
44%
53%
What are the top three challenges your organization
has experienced so far in its use of containers?

17
TOP ADOPTION CONCERNS
While container adoption will surge in the next few years, concerns around
security, certification, and more remain.
#1.
SECURITY
#2.
PERFORMANCE
#3.
INTEGRATION
#5.
CERTIFICATION
#4.
MANAGEMENT
Red Hat already has solutions for these...

Enterprise Challenge #1:
Security

19
public static void
System.out.println
("Hello, World");
}
}
#include<stdio.h>
main()
{
}
});
$_ = "hello world";
$_ =~ s/^(bw)(Bw+)s(D)(D+)$/
U$1E$2 U$3E$4!n/;
print $_;
bash glibc
...
bash glibc
jre
libssl libv8
...
bash glibc
nodejs perl php
...
bash glibc
4
?
66
4 6
5
5
6
4
29
29
4 6
# of critical,
important and
moderate
vulnerabilities
identified and fixed
by Red Hat in RHEL
7 since GA
SECURITY IMPLICATIONS
What's inside the container and where it comes from matters
6

20
WHAT'S INSIDE THE CONTAINER
MATTERS
● High vulnerabilities: ShellShock
(bash), Heartbleed (OpenSSL), etc.
● Medium vulnerabilities: Poodle
(OpenSSL), etc.
● Low vulnerabilities: gcc: array
memory allocations could cause
integer overflow
All Images (n=962)
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
36%
28%
Medium priority
High priority
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan,
and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
36% of official images in Docker Hub contain high priority
security vulnerabilities

21
Once upon a time there were Three Little Pigs, who had different types of homes to
choose from...
CONTAINER SECURITY
As explained by The Three Little Pigs (Credit: Dan Walsh & Máirín Duffy)

22
If one house is broken into, the rest remain secure...a lot more maintenance though!
STANDALONE HOMES
Separate Physical Machines

23
Hypervisor, sVirt and the host kernel provide separating..but still cost of
maintaining separate OSes
DUPLEX HOME
Virtual Machines

24
APARTMENT BUILDING
Containers
Excellent sharing of services, lower cost of maintenance and decent separation

25
Limited isolation between services, better if you have SELinux
HOSTEL
Services on the same machine

26
Don't let this be you...
PARK
# setenforce 0

27
Best combination of resource sharing, ease of maintenance & security.
PIGS IN APARTMENT BUILDINGS
The best combination

28
What platform should host your containers?
CHAPTER 2
What kind of apartment building?

29
Running containers on a do it yourself platform.
STRAW?
No Huff & Puff Tolerance

30
Running containers on community platform.
STICKS?
Low Huff & Puff Tolerance

31
Running containers on RHEL.
BRICK?
Highest Huff & Puff Tolerance

32
How do you ensure container separation? - SELinux, Cgroups, Kernel Namespaces
& certified images
CHAPTER 3 – SECURING BRICK HOUSES
How do I separate/secure Pig apartments?

33
Red Hat Security response team.
RHEL MAINTENANCE
How will you respond to CVEs?

34
SECURITY BEST PRACTICES
● Drop privileges as quickly as possible
● Run your services as non Root wherever possible
● Treat root within a container the same as root outside of
the container
● Only run containers from trusted parties!
– “Docker is about running random crap from the internet as
root on your host”
Treat container services just like regular services

Performance

36
PERFORMANCE-IMPACTING FEAT.
What can we tune for container performance?
● Volumes
– Bind mount storage from data container (or host)
● Device Mapper
– Production mature, well documented storage driver
● --net=host
– Expose host network to container; performs better at a cost
● C Groups
– CPU Shares, CPUSets, Memory Limits, nsinit
● Sysctls
– Used to modify kernel parameters at runtime
Can't I just push a button and make it go fast!?!?...

37
Source: http://redhat.slides.com/jeremyeder/performance-analysis-of-docker#/
CUSTOM TUNED PROFILES
Create Custom Tuning Profiles

38
TUNED PROFILES
Available Throughout Red Hat's Product Line

39
Within 1.5-3% of Bare Metal performance
MARIA DB BENCHMARK
SysBench Results

40
Small (~2ms) Bridge overhead
NETWORK LATENCY
Sysbench Results

41
Almost no loss of throughput
NETWORK THROUGHPUT
Sysbench Results

Integration

43
OPENSHIFT
Enabling Dev & Ops

44
DOCKER BUILDS
Integrated container image builds
Bring existing Docker applications and leverage the orchestration of OpenShift
DEVELOPER DOCKERFILE BUILD IMAGE DEPLOY

45
Developer provides Git repo
DEVOPS EXPERIENCE
Source-to-Image (S2I) - Step 1

46
Developer chooses build image from registry
DEVOPS EXPERIENCE

47
Application layer is applied to image
DEVOPS EXPERIENCE

48
Layer is added back to registry
DEVOPS EXPERIENCE

49
Image is scheduled and deployed
DEVOPS EXPERIENCE

50
Developer can declare webhooks
DEVOPS EXPERIENCE

51
Updated image is added back to the registry
DEVOPS EXPERIENCE

52
New image is deployed as rolling update
DEVOPS EXPERIENCE
Step 8

53
Are your developers going to patch their applications for every CVE? Do they want to?
Image Streams provide a mechanism to automatically update apps when base images
change
IMAGE-STREAMS
Trigger build & deployment actions upon changes to base images
4

Management & Orchestration

55
CONTAINER ORCHESTRATION
Kubernetes
Docker is an engine, container and image
format with limited orchestration &
networking between hosts
Kubernetes is a way to
● Describe and launch containers
● Monitor and maintain state
● Do container oriented networking
Kubernetes builds on Docker to make
management of many containers like
managing containers on a single system
More technical detail later...

56
OPEN HYBRID CLOUD
Red Hat's Vision for Consistent Container Management

Certification & Standards

58
RED HAT CONTAINER CERTIFICATION
UNTRUSTED
● Will what’s inside the containers
compromise your infrastructure?
● How and when will apps and libraries be
updated?
● Will it work from host to host?
RED HAT CERTIFIED
● Trusted source for the host and the
containers
● Trusted content inside the container with
security fixes available as part of an
enterprise lifecycle
● Portability across hosts

59
ESTABLISHING CONTAINER STANDARDS
Red Hat works with the community to drive standards for containerisation
ISOLATION WITH
LINUX CONTAINERS
● Isolating
applications on host
operating system
● Security
● Portability across
host systems
CONTAINER FORMAT
WITH DOCKER
● Interface for
communications,
configuration, data
persistence,
provisioning
● Content agnostic
● Infrastructure
agnostic
ORCHESTRATION
WITH KUBERNETES
● Orchestrate
containers at scale
● Define application
topologies
● Handle container
networking
● Manage container
state
● Schedule across
hosts
REGISTRY
CONTAINER
DISCOVERY
● Trusted container
images
● Federate
consumption
libraries
● Promote
consistency and
reuse

60
Kubernetes Architecture

61
Nodes are instances of RHEL where apps run
KUBERNETES ARCHITECTURE
Nodes

62
App services run in docker containers on each node
Pods

63
Pods run one or more docker containers as a unit
Pods

64
Registries are where application images are stored
Container Registries

65
Masters leverage kubernetes to orchestrate nodes / apps
Masters

66
Master provides authenticated API for users & clients
Masters

67
Master uses etcd key-value store for persistence
Masters

68
Master provides scheduler for pod placement on nodes
Masters

69
Pod placement is determined based on defined policy
Masters

70
Management / Replication controller manages the pod lifecycle
Masters

71
What if a pod goes down?
Management/Replication

72
Replication controller automatically recovers and deploys a new pod
Management/Replication

73
Pods can attach to shared storage for stateful services
Storage Volumes

74
Routing layer routes external app requests to pods
External Routing

75
Developers can access OpenShift via Web, CLI or IDE
OPENSHIFT 3
Turn-key solution for Developer Productivity + Container Orchestration

76
Docker Kubernetes
● Docker Files
● Basic Docker Commands
● Example YAML config file
● Dynamically scaling applications
DOCKER & KUBERNETES DEMO
From the lens of OpenShift 3

77
CONTAINER-BASED APPLICATION
DELIVERY SOLUTIONS
CERTIFIED HARDWARE ECOSYSTEM
MIDDLEWARE AND MOBILITY SERVICES
CERTIFIED
APPLICATIONS
VIA
ISV
ECOSYSTEM
RED HAT ENTERPRISE LINUX, INCLUDING ATOMIC HOST
✔ Application lifecycle management
✔ Continuous integration
✔ Developer experience
✔ Source-to-image
✔ Unified management from bare metal to containers
✔ Scalable infrastructure
✔ Hybrid deployment management
✔ Managed cluster of container-optimized hosts
✔ Orchestration and service aggregation
Seamlessly manage from infrastructure to applications
Build scalable infrastructure based on OpenStack
Develop, build, and manage container-based
applications
Run and orchestrate multi-container based applications
at scale
Develop, build, and manage container-based
applications
at scale
at scale

78
Real World Container Adoption

79
GOOGLE & OPENSHIFT ONLINE
Some of the most advanced infrastructures run on containers
“Everything at Google, from Search to
Gmail, is packaged and run in a Linux
container.”1
- Eric Brewer, VP of Infrastructure,
Google
1
Source: http://googlecloudplatform.blogspot.com/2014/06/an-update-on-container-support-on-google-cloud-platform.html

80
Deploying their new hybrid-cloud on OpenShift
● 1.6+ billion data requests
processed per day
● 525+ million travel agency bookings
processed in 2014
● 95% of the worlds scheduled
network airline seats
● December 2014
– At peak: ~210,000 queries per
second
– Average: ~145,000 queries per
second
● 100+ TB of compressed data
logged every day!

81
LINUX CONTAINERS AREN'T NEW
Neither are the technologies that Red Hat is using to secure, isolate and manage containers
● The technologies Red Hat is
using for container security,
● In RHEL, this is done through:
● SELinux, sVirt – RHEL 4
● Control Groups (cgroups) –
RHEL 6
● Kernel namespaces – RHEL 6
(include. network)
● Docker – RHEL 7, Ok… so this
one is new!
HOST OS
SERVER
CONTAINER
LIBS
APP

83
SCAN ALL CONTAINERS FOR
KNOWN VULNERABILITIES
MEASURE CONTAINER IMAGE
SECURITY POSTURE TO POLICY
FUTURE CONSIDERATIONS
# docker-oscap cve --all --download
--arf report-arf.xml
Fetching OVAL definitions for
RHSA ........ ok
Inflating ....... ok
Scanning rhel7-elasticsearch ...... ok
(compliant, no CVE identified)
Scanning rhel7-mongodb ......... fail
(2 CVE found)
Scanning ubuntu-httpd .........
notchecked (no CVE definitions)
Exporting Asset Report ......... ok
CVE Scan finished in 1m35s
# docker pull fedora
# docker-oscap image fedora xccdf eval
--profile
xccdf_org.ssgproject.content_profile_com
mon
/usr/share/xml/scap/ssg/fedora/ssg-
fedora-ds.xml
OpenSCAP for Container Compliance
https://github.com/OpenSCAP/container-compliance

84
OPENSTACK & CLOUDFORMS
Expanded Integration
● Automating deployment of
OpenShift clusters, add &
remove Kubernetes Nodes
● Networking provider
integration with Neutron
● Storage integration with
OpenStack Cinder (Block) and
Manila (File)
● Manage OpenStack and
OpenShift with CloudForms

85
CLOUDFORMS
Administration & Container Management

86
RED HAT ATOMIC
ENTERPRISE PLATFORM
Run and orchestrate multi-container based applications at scale
An integrated infrastructure platform
powered by Red Hat Enterprise Linux
that is designed to run, orchestrate, and
scale container-based applications and
services
● Easily manage and scale
applications and infrastructure
through a managed cluster of
container hosts
● Gain application resiliency and
elasticity via orchestration and
service aggregation

87
xPaaS SERVICES
Additional Jboss & Middleware Services

88
SATELLITE
Red Hat Satellite & Containers Vision

89
OPENSHIFT ONLINE
OpenShift Online & OpenShift Dedicated Services
OpenShift 3 Public Cloud services
managed by Red Hat
● OpenShift Dedicated - dedicated
clusters (Nodes & Masters) for
each customer
– Deploy and run your
applications on your own
dedicated infrastructure
– Integrate with on-premise
services
– Available now in Tech Preview
● OpenShift Online will also be
migrating to v3

90
OPENSHIFT ENTERPRISE
3.x Roadmap Enhancements
● Metric-driven autoscaling
● External service bridge/registry
● Pod/container idling
● SCL 2 image runtime version
updates
● Enhanced GIT/SCM & CI
integration
● User interface enhancements
● Logging & metrics / ELK
integration
● Additional storage plugins
● Networking enhancements

91
TRUSTED PORTABLE INTEGRATED
Red Hat transforms application delivery with the first credible
hybrid cloud platform for container-based applications and services.
CONTAINERS IN THE ENTERPRISE
They're ready today with Red Hat

92
Get Started with Docker Formatted
Container Images on Red Hat Systems
http://red.ht/1vcxBVv
Container Discovery Workshops
Consulting services to help your business realise the
value of container technologies
Managing Containers with Red Hat
Enterprise Linux Atomic Host (RH270)
http://red.ht/1MNkAN5
WHERE TO GET STARTED
Next steps

93
THANK YOU. QUESTIONS?
ken@redhat.com / @mekenthompson
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews

94
Appendix – Additional Links
● Kubernetes Book – Promotion on OpenShift site:
https://www.openshift.com/promotions/kubernetes
● Docker Image examples from Project Atomic:
https://github.com/projectatomic/docker-image-examples
● OpenShift GitHub including sub-projects like Source-2-Image (STI) and
Image-Streams: https://github.com/openshift/

Containers in the Enterprise

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to Containers in the Enterprise

Similar to Containers in the Enterprise (20)

Recently uploaded

Recently uploaded (20)

Containers in the Enterprise