
State of Union - Containerz

A take on Containers and the ecosystem

Published in: Internet


  1. State of Union - Containerz
     Shiva (narshiva@)
     [cowsay cow ASCII art]
  2. TO BEGIN AT THE BEGINNING… Let's start, shall we?
  3. Containerized Microservices
     [diagram: a Dom 0 hosting several Instances, each with its own OS and Container Runtime running Apps and Services]
  4. Container Orchestration
     [diagram: the same stack with a Container Orchestration layer spanning the instances]
  5. Container Orchestration: Service Management
     [diagram: the orchestration layer split into Service Management, Scheduling and Resource Management]
     § Labels
     § Groups/Namespaces
     § Dependencies
     § Load Balancing
     § Health Check
     § Service Discovery
  6. Container Orchestration: Scheduling
     § Placement
     § Replication/Scaling
     § Resurrection
     § Rescheduling
     § Rolling deploys
     § Upgrades
     § Downgrades
     § Colocation
  7. Container Orchestration: Resource Management
     § Memory
     § CPU
     § GPU
     § Volumes
     § Ports
     § IPs
  8. Non Functional Capabilities
     Scalability: Performance, Responsiveness, Efficiency
     Availability: Fault Tolerance, Reliability, DR
     Flexibility: Extensibility, Portability, Interoperability
     Usability: Familiarity, Debuggability, Maintainability
     Portability: Container Runtime, Host OS, Cloud Provider, On-prem
     Security: Isolation, Encryption, Secrets Management, Auditability
  9. Container Operations
     Development Lifecycle: Source repo, CI-CD, Artefact repo
     Container Orchestration: Scheduling, Resource Management, Service Management
     BAU Operations: Monitoring and Metrics, Maintenance, Debugging
     Did you hear that?
  10. In no particular order…
     [ ] Schedulers and Orchestration [ ] Networking [ ] Security [ ] Operating Systems [ ] PaaS [ ] Storage [ ] Monitoring [ ] Container Integration and Container Deployment [ ] Miscellaneous
  11. In no particular order…
     [ ] Schedulers and Orchestration: [ ] General Blurb [ ] ECS [ ] Kubernetes [ ] Mesos [ ] Docker Swarm [ ] Orchestration Wars
  12. Schedulers: General Blurb
     [diagram: Cluster Machines, Cluster State Information and Scheduling Logic arranged for three architectures]
     Monolithic: no concurrency
     Two-Level: pessimistic concurrency (offers)
     Shared State: optimistic concurrency (transactions)
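The three scheduler architectures on the slide differ in how they cope with concurrent access to cluster state. A monolithic scheduler is the degenerate case (one scheduler, nothing to coordinate). The following added example, which is not part of the deck, simulates the other two: a shared-state scheduler that plans against a snapshot and commits as a transaction that fails if the state version moved (optimistic concurrency), next to a two-level offer-based scheduler in which each framework only sees the disjoint offer it was handed, so commits never conflict but placement is confined to the offer (pessimistic concurrency). Machine names, CPU counts, the best-fit policy and the task names are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple


class CellState:
    """Cluster ("cell") state shared by all schedulers: free CPU per machine plus a
    version number that lets a commit detect that someone else changed the state."""

    def __init__(self, free_cpu: Dict[str, int]) -> None:
        self.free_cpu = dict(free_cpu)
        self.version = 0
        self.conflicts = 0  # how many optimistic commits lost the race

    def snapshot(self) -> Tuple[int, Dict[str, int]]:
        """Read-only copy of the state plus the version it was taken at."""
        return self.version, dict(self.free_cpu)

    def commit(self, base_version: int, machine: str, cpu: int) -> bool:
        """Optimistic transaction (shared-state model): apply the placement only if
        the cell has not changed since the planning snapshot; else report a conflict."""
        if base_version != self.version:
            self.conflicts += 1
            return False
        if self.free_cpu[machine] < cpu:
            return False
        self.free_cpu[machine] -= cpu
        self.version += 1
        return True


def best_fit(free_cpu: Dict[str, int], cpu: int) -> Optional[str]:
    """Constructed placement policy: the machine that fits the task most tightly."""
    fits = [m for m, free in free_cpu.items() if free >= cpu]
    return min(fits, key=lambda m: free_cpu[m]) if fits else None


def race_two_schedulers(cell: CellState) -> Dict[str, str]:
    """Two shared-state schedulers plan 2-CPU tasks 'a' and 'b' against the same
    snapshot. 'b' commits first; 'a' fails the version check and must re-plan."""
    version_a, view_a = cell.snapshot()
    version_b, view_b = cell.snapshot()
    placements: Dict[str, str] = {}

    machine_b = best_fit(view_b, 2)
    if machine_b is not None and cell.commit(version_b, machine_b, 2):
        placements["b"] = machine_b

    machine_a = best_fit(view_a, 2)  # planned on a now-stale view
    if machine_a is None or not cell.commit(version_a, machine_a, 2):
        # Conflict: re-plan on fresh state instead of overcommitting the machine.
        version_a, view_a = cell.snapshot()
        machine_a = best_fit(view_a, 2)
        if machine_a is not None and cell.commit(version_a, machine_a, 2):
            placements["a"] = machine_a
    else:
        placements["a"] = machine_a
    return placements


def two_level_schedule(cell: CellState, offers: Dict[str, List[str]],
                       tasks: Dict[str, Tuple[str, int]]) -> Dict[str, str]:
    """Two-level model (offer based): the master hands each framework a disjoint set
    of machines; the framework only sees and places within its offer, so commits
    never conflict, but a task can be rejected although a machine outside the
    offer would have fit it."""
    placements: Dict[str, str] = {}
    for framework, (name, cpu) in tasks.items():
        view = {m: cell.free_cpu[m] for m in offers[framework]}
        machine = best_fit(view, cpu)
        if machine is not None and cell.commit(cell.version, machine, cpu):
            placements[name] = machine
    return placements


if __name__ == "__main__":
    shared = CellState({"m1": 4, "m2": 2})
    print("shared-state:", race_two_schedulers(shared), "conflicts:", shared.conflicts)
    offered = CellState({"m1": 4, "m2": 2})
    print("two-level:", two_level_schedule(
        offered, {"f1": ["m2"], "f2": ["m1"]}, {"f1": ("x", 3), "f2": ("y", 1)}))
```

In the shared-state run both schedulers pick the same tight-fitting machine, the second commit is rejected by the version check and succeeds on retry against fresh state. In the two-level run framework f1 cannot place its 3-CPU task because its offer only contains m2, even though m1 has 4 CPUs free; that is the trade-off between the two models the slide is pointing at.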
  13. Amazon ECS
     [diagram: a User/Scheduler calls the ECS API; the Cluster Management Engine, backed by a Key/Value Store, talks through the Agent Communication Service to the ECS Agent on each Container Instance, where Docker runs the Task Containers; instances are spread across AZ 1 and AZ 2 behind an internet-facing ELB]
  14. Mesos + Marathon
     [diagram: Mesos Master with Marathon for Long Running Tasks and Jobs; ZooKeeper for Coordination & Configuration; Mesos Slaves run the tasks]
  15. Kubernetes
     [diagram: Kubernetes Master with API Server, Replication Controller and etcd; each node in the Kubernetes Cluster runs Kubelet, KubeProxy and Docker, hosting Pods of Containers]
  16. Docker Swarm
  17. I hope we win
  18. In no particular order…
     [X] Schedulers and Orchestration [ ] Networking [ ] Security [ ] Operating Systems [ ] PaaS [ ] Storage [ ] Monitoring [ ] Container Integration and Container Deployment [ ] Miscellaneous
  19. Container Networking
     [diagram: Dom 0 hosting Instances, each with its own OS and Container Runtime running several Containers]
  20. Overlay all of the thingz
     • Flannel
     • Calico
     • WeaveNet
     • Swarm Mode
  21. WeaveNet
  22. Swarm Mode
     [diagram: Swarm Mode Manager and Swarm Mode Node built on the Docker Engine (Libnetwork, Volumes, Plugins) over the Container Runtime; the manager provides the TLS CA, Load Balancing, Service Discovery and a Distributed Store]
  23. In no particular order…
     [X] Schedulers and Orchestration [X] Networking [ ] Security [ ] Operating Systems [ ] PaaS [ ] Storage [ ] Monitoring [ ] Container Integration and Container Deployment [ ] Miscellaneous
  24. Sekkirity is everybody's biznezz
  25. Host Security
     • Lock it down!
     • Namespaces and cgroups are your friends
     • Only a select few users belong to the docker UNIX group (membership is root-equivalent)
     • SELinux is also your friend
     • The Docker daemon runs as root!
  26. Whale-say: "Only trusted users should be allowed to control your Docker daemon"
  27. Docker daemon security
     • Do not run containers in privileged mode (--privileged)
     • Lock down inter-container communication: --icc=false
     • Secure the remote API with TLS certificates (--tlsverify)
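The host and daemon slides boil down to three checks a CIS-style audit would run. The following Python, added here and not part of the deck, performs them on constructed inputs: who is in the docker group (from an /etc/group excerpt), whether the daemon's remote API is reachable over TCP without tlsverify and whether inter-container communication is still enabled (from daemon.json), and whether any running container has Privileged set (from docker inspect output). The sample daemon.json files, the /etc/group excerpt and the inspect JSON are constructed; on a real host you would feed the functions /etc/docker/daemon.json, /etc/group and the output of `docker inspect $(docker ps -q)`.

```python
"""Audit the Docker host and daemon settings called out on the slides.

Added example with constructed inputs; the daemon.json keys (hosts, tlsverify,
icc) and the HostConfig.Privileged field are the real Docker names.
"""
import json
from typing import List

# Constructed: weak daemon.json, plaintext remote API and inter-container traffic allowed.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "icc": True,
})

# Constructed: hardened equivalent, TLS-verified remote API and icc disabled.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "icc": False,
})

# Constructed /etc/group excerpt: everyone in 'docker' can control the root daemon.
SAMPLE_GROUP_FILE = "root:x:0:\ndocker:x:999:alice,bob,ci-runner\nwheel:x:10:alice\n"

# Constructed `docker inspect` output: one ordinary container, one --privileged.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False}},
    {"Name": "/debug-shell", "HostConfig": {"Privileged": True}},
])


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return findings for a daemon.json: TCP API without tlsverify, icc left on."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("remote API exposed on %s without tlsverify" % ", ".join(tcp_hosts))
    # icc defaults to true when the key is absent, so absence is a finding too.
    if cfg.get("icc", True):
        findings.append('inter-container communication enabled (set "icc": false)')
    return findings


def docker_group_members(group_file: str) -> List[str]:
    """Members of the docker UNIX group; each of them is effectively root."""
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def privileged_containers(inspect_json: str) -> List[str]:
    """Names of containers started with --privileged, from docker inspect output."""
    return [c["Name"].lstrip("/") for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("Privileged")]


if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_DAEMON_JSON):
        print("daemon.json:", finding)
    print("docker group:", docker_group_members(SAMPLE_GROUP_FILE))
    print("privileged containers:", privileged_containers(SAMPLE_INSPECT))
    print("hardened daemon.json findings:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

The hardened config moves the API to 2376 with tlsverify and client certificates, which is the pattern the "Secure APIs with TLS certificates" bullet refers to; the docker group check is the operational side of "only trusted users should control the daemon", since anyone in that group can mount the host filesystem into a container.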
  28. Whale-say: "If you run Docker on a server, it is recommended to run exclusively Docker in the server, and move all other services within containers controlled by Docker"
  29. Container Image Security
     • Use a small selection of trusted images
     • Scan your images
       – CoreOS's Clair scans Quay.io
       – Docker Security Scanning works with Docker Trusted Registry
       – Red Hat has built a new scanner in Project Atomic for its Atomic Registry
       – Other scanners, such as Aqua Peekr, Anchore and Twistlock Trust, work independently of specific registries
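"Use a small selection of trusted images" is enforceable in CI before any scanner runs: reject Dockerfiles whose base images do not come from your curated registry or are not pinned to a digest (a mutable tag such as :latest can be re-pushed with different content). The following check is an added example, not from the deck or any of the scanners it lists; the trusted registry prefix, the sample Dockerfile and its digest are constructed. It resolves simple ARG substitutions in FROM lines and skips `FROM scratch` and references to earlier build stages, which a naive grep for FROM would wrongly flag.

```python
"""Policy check for Dockerfile base images (added example, constructed inputs)."""
import re
from typing import List, Tuple

# Assumption: images under this prefix come from the organisation's curated registry.
TRUSTED_PREFIXES = ("registry.example.internal/",)

DIGEST = "ab" * 32  # constructed 64-hex sha256 digest for the sample

# Constructed sample: two public, unpinned bases, one trusted pinned base via ARG,
# and a FROM that reuses an earlier stage.
SAMPLE_DOCKERFILE = f"""\
ARG BASE=registry.example.internal/base/python:3.9@sha256:{DIGEST}
FROM ubuntu
FROM node:14 AS build
FROM ${{BASE}}
FROM build
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)=(\S+)", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def check_base_images(dockerfile: str,
                      trusted_prefixes: Tuple[str, ...] = TRUSTED_PREFIXES
                      ) -> List[Tuple[int, str, str]]:
    """Return (line number, resolved image, reason) for every FROM that violates policy."""
    args = {}
    stages = set()
    findings = []
    for lineno, raw in enumerate(dockerfile.splitlines(), 1):
        arg = ARG_RE.match(raw)
        if arg:
            args[arg.group(1)] = arg.group(2)
            continue
        frm = FROM_RE.match(raw)
        if not frm:
            continue
        image, alias = frm.group(1), frm.group(2)
        # Resolve ${VAR} / $VAR from ARGs declared above this FROM.
        image = VAR_RE.sub(lambda v: args.get(v.group(1), v.group(0)), image)
        if image != "scratch" and image.lower() not in stages:
            if not image.startswith(trusted_prefixes):
                findings.append((lineno, image, "base image not from a trusted registry"))
            if not DIGEST_RE.search(image):
                findings.append((lineno, image, "base image not pinned by digest"))
        if alias:
            stages.add(alias.lower())
    return findings


if __name__ == "__main__":
    for lineno, image, reason in check_base_images(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{lineno}: {image}: {reason}")
```

Run it as a pre-build step and fail the pipeline on any finding; digest pinning also makes a later scan result attributable to exactly the bytes that were built, which a floating tag cannot guarantee.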
  30. Lot more prescriptive advice here… https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
  31. In no particular order…
     [X] Schedulers and Orchestration [X] Networking [X] Security [ ] Operating Systems [ ] PaaS [ ] Storage [ ] Monitoring [ ] Container Integration and Container Deployment [ ] Miscellaneous
  32. Micro OS
     • CoreOS
     • RancherOS
     • Ubuntu Snappy
     • Red Hat Atomic
     • VMware Photon
     • ECS Optimized Amazon Linux
     [chart comparing image sizes of ECS Optimized Amazon Linux, Red Hat Atomic, VMware Photon, Ubuntu Snappy, CoreOS and RancherOS; bar labels read 395 MB, 317 MB, 215 MB, 20 MB, 150 MB]
  33. In no particular order…
     [X] Schedulers and Orchestration [X] Networking [X] Security [X] Operating Systems [ ] PaaS [ ] Storage [ ] Monitoring [ ] Container Integration and Container Deployment [ ] Miscellaneous
  34. PaaS: Empire (from Remind), Twelve-Factor
  35. Convox
     $ convox apps create go-app
     $ convox deploy
     $ convox apps info go-app
     $ convox build --app go-app -d "Hello Build"
     $ convox releases promote RLYSUALSGCT
     $ convox ps
     $ convox scale main --count=2
  36. Docker Data Center
     [stack diagram, top to bottom: Universal Control Plane (UCP); Security: Content Trust, Docker Trusted Registry; Orchestration: Swarm; Container Runtime: Engine; Operating System]
  37. Others
  38. In no particular order…
     [X] Schedulers and Orchestration [X] Networking [X] Security [X] Operating Systems [X] PaaS [ ] Storage [ ] Monitoring [ ] Container Integration and Container Deployment [ ] Miscellaneous
  39. Are we there yet?
  40. In no particular order…
     [X] Schedulers and Orchestration [X] Networking [X] Security [X] Operating Systems [X] PaaS [-] Storage [-] Monitoring [-] Container Integration and Container Deployment [-] Miscellaneous
  41. Demoz
     • Marathon scheduler on ECS (credit: Ryosuke-san)
     • Convox
     • Docker Swarm
     • Weave Net and Weave Scope
     • ECS (ALB, Task AutoScaling, Task IAM Role)
  42. T H A N K Y O U
     [cowsay cow ASCII art]
