Blue Whale in an Enterprise Pond
– Docker experiences from the real world (in Finland)
Tero Niemistö
Who am I?
• Tero Niemistö
• Group Manager @Digia
• 18 years in the industry, past 6 years in Digia
• Cloud/Devops/Docker enthusiast
• Father of 3 (1 hairy, 2 hairless)
https://www.linkedin.com/in/teroniemisto
https://twitter.com/tero_niemisto
Your Typical Docker Architecture [diagram, centred on Docker Hub]
…with Finnish ICT Requirements…
…results in this!
Obstacles in building a Docker solution
VAHTI (Treasury)
• Authoritative requirements for all ICT competitive biddings in the Finnish public sector
KATAKRI (Ministry of Foreign Affairs)
• Auditing tool for VAHTI
• Often a mandatory requirement
Order 54 (Finnish Communications Regulatory Authority)
• The order gives a set of requirements aimed at securing the Finnish communications network
Reform of EU data protection rules (European Union)
• Privacy by design
• Privacy by default
(Just) Some issues for consideration
• How do we solve server (or even Docker) compliance with CIS Benchmarks?
• Solutions often have SLA demands (i.e. 99.9%). How can this be guaranteed?
• Servers need to reside in 2 different data centers (or in the same data center but in 2 rooms with different fire compartments)
• Servers often need to reside in KATAKRI-audited data centers
• People who operate servers need to have been cleared by SUPO
• Data needs to reside in the EU, or in some cases only in Finland
• Open source licenses: do we have any GPL components? Are we using any blacklisted open source components?
• Cyber security responsibility: in the end, the supplier is responsible for all issues related to cyber security
Checklist with Docker in an Enterprise Pond
1. Build our own secure containers
2. Maintain our own environment for the CI pipeline
3. Double-check security of the CI pipeline
4. Automate Docker server compliance
5. Duplicate the entire system into 2 different server rooms
6. Automate container vulnerability scans on every level of the CI pipeline
Simple Container Creation Process
Actors: Developer, Dockerfile, Git, Jenkins, Sonatype Nexus (creating containers)
1. Define the container contents with the Dockerfile config
2. Commit the Dockerfile to the Git repository
3. Jenkins detects changes from Git
4. The application container is built according to the Dockerfile
5. The container file is uploaded to Sonatype Nexus
6. The container is stored in and served from a private Docker registry
7. The application container is inspected by the Blackduck plugin
Slightly More Advanced Creation Process
Actors: Developer, Docker Compose, Git, Jenkins, Sonatype Nexus (creating containers)
1. Define the service connections of the containers
2. Commit the Docker Compose file to the Git repository
3. Jenkins detects changes from Git
4. Dependencies are retrieved from the private registry
5. The application container is built according to the Docker Compose file
6. The container file is uploaded to Sonatype Nexus
7. The container is stored in and served from a private Docker registry
8. The application container is inspected by the Blackduck plugin
Application Build Process
Actors: Developer, YAML, Git, Jenkins, Sonatype Nexus (creating application containers)
1. Create the application yaml-file with its dependencies
2. Commit the yaml-file and application code to the Git repository
3. Jenkins detects changes from Git
4. Inspect code quality with SonarQube + Blackduck
5. Dependencies are retrieved from the private registry
6. The application container is built according to the yaml configuration file
7. The container file is uploaded to Sonatype Nexus
8. The container is stored in and served from a private Docker registry
9. The application container is inspected by the Blackduck plugin
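An added example (not from the slides or from Digia's pipeline) of the build step the three process slides above share: the script Jenkins would run once it detects the commit. It builds from the committed Dockerfile, tags the image immutably with the git commit, pushes it to the private registry and records the pushed digest, so that the deployment step can pin exactly the image that was scanned instead of a mutable tag; that digest pinning goes a step beyond what the slides show. The registry host and image name are placeholders, and the Black Duck scan from the slides is left to whatever plugin the pipeline already runs.

```shell
#!/bin/sh
# ci-build-image.sh: added example, not from the slides.
# Build the image from the committed Dockerfile, tag it with the git commit,
# push it to the private registry (Sonatype Nexus on the slides), and write
# the pushed digest to a file for the deploy stage.
# Assumptions: REGISTRY and IMAGE below are placeholders; the vulnerability
# scan is whatever the pipeline already runs and is not invoked here.
set -eu

REGISTRY=${REGISTRY:-nexus.example.test:5000}   # placeholder private registry
IMAGE=${IMAGE:-app1}                             # placeholder image name

# Compose the immutable reference registry/name:<12-char commit>.
# A mutable tag such as "latest" can silently change between scan and deploy.
image_ref() {
  registry=$1; name=$2; commit=$3
  printf '%s/%s:%s\n' "$registry" "$name" "$(printf '%s' "$commit" | cut -c1-12)"
}

# Reduce a `docker inspect` RepoDigests entry such as
# "nexus.example.test:5000/app1@sha256:<64 hex>" to just "sha256:<64 hex>".
# Prints nothing for input that carries no digest.
digest_from_repo_digest() {
  printf '%s\n' "$1" | sed -n 's/^.*@\(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# Build, push, and save the content-addressed reference for deployment.
build_and_push() {
  commit=$(git rev-parse HEAD)
  ref=$(image_ref "$REGISTRY" "$IMAGE" "$commit")
  # --pull refreshes the base image so a patched base is picked up;
  # --no-cache avoids reusing layers built from an older base.
  docker build --pull --no-cache -t "$ref" .
  docker push "$ref"
  repodigest=$(docker inspect --format '{{index .RepoDigests 0}}' "$ref")
  digest=$(digest_from_repo_digest "$repodigest")
  [ -n "$digest" ] || { echo "could not determine pushed digest" >&2; return 1; }
  printf '%s/%s@%s\n' "$REGISTRY" "$IMAGE" "$digest" > image-digest.txt
  echo "pushed $ref as $(cat image-digest.txt)"
}
```

The deploy stage then reads `image-digest.txt` and deploys `registry/name@sha256:…`, so what the orchestrator pulls is byte-for-byte what the scanner inspected.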
Docker containers [diagram; all layers served from the private repository]
• Base level containers: Alpine Linux, Ubuntu
• Infra level containers (middleware): Java 8, Ruby, Python, Tomcat, JBoss, MySQL, RabbitMQ, Jenkins
• Application level containers: Application 1, Application 2, Application 3
Deployment Process
Actors: Operations, Jenkins, Kontena, Sonatype Nexus, Docker Server (deploying application containers)
1. Operations starts the deployment process with Jenkins
2. Jenkins connects to the Kontena Master
3. The Kontena Master starts the deployment process
4. Kontena retrieves containers from the private registry
5. Kontena deploys the container to the target runtime environment
6. The container is deployed according to strategy and the load balancers are updated
Continuous Compliance to CIS Benchmarks
Our Typical Docker Architecture
Real Life Issues: Docker Push through proxy
• The problem is that docker sends the PATCH request over HTTP, not HTTPS, while pushing an image.
• If nginx (or any other proxy) is tuned to redirect all HTTP requests to HTTPS, docker receives a “Method Not Allowed” response and the push fails.
• Hint: Configure your proxy to add the request header X-Forwarded-Proto
[diagram: docker push (HTTP) → HTTPS → “Method Not Allowed”]
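An added example (not from the slides or from Digia) for the push-through-proxy problem above: a small POSIX shell checker that starts a blob upload the way `docker push` does and reports whether the registry knows it sits behind HTTPS. The registry URL, repository name and credentials are placeholders. My reading of the symptom, assumed here rather than stated on the slide, is that the registry builds the upload Location URL from the scheme it sees; without X-Forwarded-Proto it hands the client a plain-http URL, the PATCH to that URL meets the proxy's redirect, and the request that finally reaches the upload endpoint is not a method it accepts.

```shell
#!/bin/sh
# registry-proxy-check.sh: added example, not from the slides.
# Ask the registry for a blob-upload Location (what `docker push` PATCHes)
# and report whether that URL is HTTPS. Registry URL, repo and credentials
# in the usage line are placeholders.

# Classify a Location header value returned by POST /v2/<repo>/blobs/uploads/.
# Return codes: 0 ok, 1 proxy misconfigured, 2 nothing useful to judge.
check_upload_location() {
  location=$1
  case "$location" in
    "")
      echo "no Location header (upload not started; authentication required? pass -u user:pass)"
      return 2 ;;
    https://*)
      echo "ok: upload URL is served over HTTPS"
      return 0 ;;
    http://*)
      echo "misconfigured: registry handed out a plain-HTTP upload URL;" \
           "add 'proxy_set_header X-Forwarded-Proto \$scheme;' to the proxy"
      return 1 ;;
    /*)
      # A relative Location inherits the scheme the client used, so it is safe.
      echo "ok: relative upload URL"
      return 0 ;;
    *)
      echo "unexpected Location value: $location"
      return 2 ;;
  esac
}

# Extract the Location header value from raw response headers on stdin
# (header names are case-insensitive; CR is stripped first).
location_from_headers() {
  tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}'
}

# Live probe: start (and then abandon) a blob upload through the proxy.
# Usage: probe_registry https://registry.example.test app [-u user:pass]
probe_registry() {
  registry=$1; repo=$2; shift 2
  headers=$(curl -sS -D - -o /dev/null -X POST "$@" "$registry/v2/$repo/blobs/uploads/")
  loc=$(printf '%s\n' "$headers" | location_from_headers)
  check_upload_location "$loc"
}
```

Run `probe_registry https://registry.example.test app -u user:pass` from a host that reaches the proxy. On nginx the fix the slide hints at is `proxy_set_header X-Forwarded-Proto $scheme;` (together with `proxy_set_header Host $http_host;`) inside the location block that proxies `/v2/` to the registry, so the registry generates https:// upload URLs and the PATCH never touches the redirect.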
Real Life Issues: No access to frontend proxy
• Often access to the customer's HTTP internet proxy is very limited, or it takes 3 days to change it.
• Hint: Even if your system has load balancing by the service provider, use your own. It makes everything so much easier and you can actually have a blue-green setup.
[diagram: provider proxy “takes 3 days…” vs. own HAProxy “takes 3 seconds…”]
Real Life Issues: Attacking with SSH container
• We lost access to the Docker server due to raising the file handle limit too high, which crashed the ssh process, and we couldn't ssh in anymore
• We hijacked the server by deploying an SSH container with a mount into the server's filesystem.
• We then used sed to fix the issue
• Hint: Your CI server or local docker orchestration client becomes a new attack vector. Secure it!
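An added example (not from the slides or from Digia) serving both the "Continuous Compliance to CIS Benchmarks" slide and the hint above: a POSIX shell audit that flags the conditions under which anyone who can talk to the Docker daemon (a CI server, an orchestration client, or an ad-hoc SSH container like the one in the story) effectively owns the host: privileged containers, bind mounts of sensitive host paths, and a world-writable daemon socket. These are the themes the CIS Docker Benchmark covers for daemon and container configuration; the path list and thresholds are my choices, not the benchmark's text. The classification functions are pure; only the `audit_*` functions need the docker CLI.

```shell
#!/bin/sh
# docker-host-audit.sh: added example, not from the slides.
# Detect host-takeover conditions on a Docker host: --privileged containers,
# bind mounts of sensitive host paths, and a world-writable daemon socket.
# The path list below is this example's own choice (assumption).

# Return 0 if a bind-mount source gives the container write access to the
# host itself: the root filesystem, the daemon socket, host config or the
# daemon's own storage. Everything else returns 1.
is_sensitive_host_path() {
  case "$1" in
    /|/etc|/etc/*|/root|/root/*|/boot|/boot/*|/proc|/sys|/dev|\
    /var/run/docker.sock|/run/docker.sock|/var/lib/docker|/var/lib/docker/*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# classify_container <name> <privileged:true|false> [bind-source ...]
# Prints one finding per line; returns 0 if anything was found, 1 if clean.
classify_container() {
  name=$1; privileged=$2; shift 2
  rc=1
  if [ "$privileged" = "true" ]; then
    echo "$name: runs --privileged (all host devices and capabilities)"
    rc=0
  fi
  for src in "$@"; do
    if is_sensitive_host_path "$src"; then
      echo "$name: bind-mounts sensitive host path $src"
      rc=0
    fi
  done
  return $rc
}

# Live audit over every running container (requires the docker CLI).
# Returns 0 only when no container produced a finding.
audit_running_containers() {
  findings=0
  for id in $(docker ps -q); do
    name=$(docker inspect --format '{{.Name}}' "$id")
    priv=$(docker inspect --format '{{.HostConfig.Privileged}}' "$id")
    # Host source paths of bind-type mounts only, space separated
    # (paths containing spaces are not handled by this simple split).
    binds=$(docker inspect --format '{{range .Mounts}}{{if eq .Type "bind"}}{{.Source}} {{end}}{{end}}' "$id")
    # shellcheck disable=SC2086
    classify_container "${name#/}" "$priv" $binds && findings=$((findings + 1))
  done
  [ "$findings" -eq 0 ]
}

# The daemon socket is root-equivalent: refuse a world-writable mode and
# show who is in its group so the membership can be reviewed.
audit_socket() {
  sock=${1:-/var/run/docker.sock}
  [ -S "$sock" ] || { echo "no socket at $sock"; return 0; }
  perms=$(stat -c '%a' "$sock" 2>/dev/null || stat -f '%Lp' "$sock")
  case "$perms" in
    *[2367]) echo "$sock is world-writable (mode $perms)"; return 1 ;;
  esac
  echo "$sock mode $perms; docker group members: $(getent group docker 2>/dev/null | cut -d: -f4)"
}
```

Run `audit_running_containers; audit_socket` from cron or from the compliance job and treat a non-zero exit as a finding. The SSH container from the story would show up as two lines, `--privileged` and a bind mount of `/`, which is exactly the shape a CI or orchestration credential lets an attacker create, so the same check belongs in the pipeline that deploys containers, not only on the host.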
DevOps & CyberSecurity Meetup 14.9. @Digia
+ We are hiring!
Thank you!
#digiarki
www.digia.com
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

Blue Whale in an Enterprise Pond

  • 1. Blue Whale in an Enterprise Pond – Docker experiences from the real world (in Finland). Tero Niemistö
  • 2. Who am I? • Tero Niemistö • Group Manager @Digia • 18 years in the industry, past 6 years in Digia • Cloud/DevOps/Docker enthusiast • Father of 3 (1 hairy, 2 hairless) • https://www.linkedin.com/in/teroniemisto • https://twitter.com/tero_niemisto
  • 3. Your Typical Docker Architecture (diagram: DOCKER HUB)
  • 4. …with Finnish ICT Requirements… (diagram: DOCKER HUB)
  • 7. Obstacles in building a Docker solution • VAHTI (Treasury): authoritative requirements for all ICT competitive biddings in the Finnish public sector • KATAKRI (Ministry of Foreign Affairs): auditing tool for Vahti; often a mandatory requirement • Order 54 (Finnish Communications Regulatory Authority): the order gives a set of requirements aimed at securing the Finnish communications network • Reform of EU data protection rules (European Union): privacy by design; privacy by default
  • 8. (Just) Some issues for consideration • How do we solve server (or even Docker) compliance to CIS Benchmarks? • Solutions often have SLA demands (e.g. 99.9%). How can this be guaranteed? • Servers need to reside in 2 different data centers (or in the same data center but in 2 rooms with different fire compartments) • Servers often need to reside in Katakri-audited data centers • People who operate servers need to have been cleared by SUPO • Data needs to reside in the EU or, in some cases, only in Finland • Open source licenses: do we have any GPL components? Are we using any blacklisted open source components? • Cyber security responsibility: in the end, the supplier is responsible for all issues related to cyber security
  • 9. Checklist with Docker in an Enterprise Pond • 1. Build our own secure containers • 2. Maintain own environment for CI pipeline • 3. Double-check security of that CI pipeline • 4. Automate Docker server compliance • 5. Duplicate entire system into 2 different server rooms • 6. Automate container vulnerability scan on every level of the CI pipeline
  • 10. Simple Container Creation Process (Developer, Dockerfile, Git, Jenkins, Sonatype Nexus) – Creating containers: • Define container contents with Dockerfile config • Commit Dockerfile to Git repository • Jenkins detects changes from Git • Application container is built according to Dockerfile • Container file is uploaded to Sonatype Nexus • Container stored and served from a private Docker Registry • Application container is inspected by Black Duck plugin
  • 11. Slightly More Advanced Creation Process (Developer, Docker Compose, Git, Jenkins, Sonatype Nexus) – Creating containers: • Define service connections of the containers • Commit Docker Compose file to Git repository • Jenkins detects changes from Git • Dependencies are retrieved from private registry • Application container is built according to Docker Compose file • Container file is uploaded to Sonatype Nexus • Container stored and served from a private Docker Registry • Application container is inspected by Black Duck plugin
  • 12. Application Build Process (Developer, YAML, Git, Jenkins, Sonatype Nexus) – Creating application containers: • Create application YAML file with dependencies • Commit YAML file and application code to Git repository • Jenkins detects changes from Git • Inspect code quality with SonarQube + Black Duck • Dependencies are retrieved from private registry • Application container is built according to YAML configuration file • Container file is uploaded to Sonatype Nexus • Container stored and served from a private Docker Registry • Application container is inspected by Black Duck plugin
  • 13. Docker containers • Base level containers: Alpine Linux, Ubuntu • Infra level containers (middleware): Java 8, Ruby, Python, Tomcat, JBoss, MySQL, RabbitMQ, Jenkins • Application level containers: Application 1, Application 2, Application 3 • Served from private repository
  • 14. Deployment Process (Operations, Jenkins, Kontena, Sonatype Nexus, Docker Server) – Deploying application containers: • Operations starts deployment process with Jenkins • Jenkins connects to Kontena Master • Kontena Master starts deployment process • Kontena retrieves containers from private registry • Kontena deploys container to target runtime environment • Container is deployed according to strategy and load balancers are updated • Continuous compliance to CIS Benchmarks
  • 15. Our Typical Docker Architecture
  • 16. Our Typical Docker Architecture
  • 17. Real Life Issues: Docker Push through proxy • The problem is that Docker sends the PATCH request over HTTP, not HTTPS, while pushing an image. • If nginx (or any other) proxy is tuned to redirect all HTTP requests to HTTPS, Docker receives a "Method Not Allowed" response and the push fails. • Hint: Configure your proxy to add the request header X-Forwarded-Proto. (Diagram: DOCKER PUSH (HTTP) → HTTPS → "METHOD NOT ALLOWED")
  • 18. Real Life Issues: No access to frontend proxy • Often access to the customer's HTTP internet proxy is very limited, or it takes 3 days to change it. • Hint: Even if your system has load balancing by the service provider, use your own. It makes everything so much easier and you can actually have a blue-green setup. (Diagram: "TAKES 3 DAYS…" vs. HAProxy "TAKES 3 SECONDS…")
  • 19. Real Life Issues: Attacking with SSH container • We lost access to the Docker server after raising file handles too high, which crashed the ssh process so we couldn't ssh in anymore. • We hijacked the server by deploying an SSH container with a mount into the server's filesystem. • We then used sed to fix the issue :) • Hint: Your CI server or local Docker orchestration client becomes a new attack vector. Secure it!
  • 20. DevOps & CyberSecurity Meetup 14.9. @Digia + We are hiring!
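For checklist item 4 on slide 9 ("Automate Docker server compliance") and the "Continuous compliance to CIS Benchmarks" step on slide 14, here is an added shell audit that is not from the talk: it checks a daemon.json against a handful of daemon-configuration controls from the CIS Docker Benchmark. Both daemon.json files are constructed for the demo, the grep-based matching is an assumption for a host without jq, and the fuller tool for this job is docker-bench-security.

```shell
# Added example, not from the slides: a small daemon.json audit in the spirit
# of "Continuous compliance to CIS Benchmarks". Both files are constructed.
TMP_CIS=$(mktemp -d)
WEAK_DAEMON="$TMP_CIS/daemon-weak.json"       # typical defaults, nothing hardened
cat > "$WEAK_DAEMON" <<'EOF'
{
  "log-level": "debug",
  "live-restore": false
}
EOF
HARD_DAEMON="$TMP_CIS/daemon-hardened.json"   # settings the benchmark asks for
cat > "$HARD_DAEMON" <<'EOF'
{
  "icc": false,
  "log-level": "info",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "userns-remap": "default"
}
EOF
# True when KEY has VALUE in the file; grep on purpose so it runs without jq
# (a real JSON parser is the better choice in production).
has_setting() {
    grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*$3" "$1"
}
# Print one PASS/FAIL line per control and return the number of failures,
# so a CI job can fail the build when a server drifts from the baseline.
audit_daemon_json() {
    f="$1"; fails=0
    for check in \
        'icc|false|restrict inter-container traffic on the default bridge' \
        'log-level|"info"|keep daemon log level at info' \
        'live-restore|true|containers survive a daemon restart' \
        'userland-proxy|false|use iptables instead of docker-proxy' \
        'no-new-privileges|true|block privilege gain via setuid binaries in containers' \
        'userns-remap|"default"|map container root to an unprivileged host uid'
    do
        key=${check%%|*}; rest=${check#*|}; val=${rest%%|*}; why=${rest#*|}
        if has_setting "$f" "$key" "$val"; then
            echo "PASS $key=$val"
        else
            echo "FAIL $key should be $val ($why)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}
audit_daemon_json "$WEAK_DAEMON" || echo "weak: $? control(s) failing"
audit_daemon_json "$HARD_DAEMON" && echo "hardened: all controls pass"
```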

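The slide-17 push failure as an added check, not from the talk: two constructed nginx configs for a registry proxy (the weak one redirects HTTP to HTTPS without forwarding X-Forwarded-Proto, the fixed one sets it) and a shell function that flags the weak combination. Host names, the registry port and the file paths are assumptions.

```shell
# Added example, not from the slides: audit an nginx config in front of a
# private Docker registry for the push failure on slide 17. Host names,
# paths and both sample configs are constructed for this demo.
TMP_EX=$(mktemp -d)
# Weak config: HTTP is redirected to HTTPS, but /v2/ never forwards the
# scheme, so the registry hands out an http:// upload Location and the
# client's PATCH to it runs into the redirect instead of the registry.
WEAK_CONF="$TMP_EX/registry-weak.conf"
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    location /v2/ {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $http_host;
    }
}
EOF
# Fixed config: same redirect, but X-Forwarded-Proto tells the registry the
# client spoke HTTPS, so every follow-up URL it returns is https://.
FIXED_CONF="$TMP_EX/registry-fixed.conf"
cat > "$FIXED_CONF" <<'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    location /v2/ {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;   # the fix from slide 17
    }
}
EOF
# Return 0 when safe; return 1 when HTTP is redirected to HTTPS but
# X-Forwarded-Proto is never set (the combination that breaks docker push).
check_registry_proxy_conf() {
    if grep -Eq 'return[[:space:]]+30[1278][[:space:]]+https://' "$1" &&
       ! grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-Proto' "$1"; then
        echo "$1: redirects HTTP to HTTPS without X-Forwarded-Proto; PATCH on push will fail" >&2
        return 1
    fi
}
check_registry_proxy_conf "$WEAK_CONF" || true
check_registry_proxy_conf "$FIXED_CONF" && echo "$FIXED_CONF: ok"
```
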
Editor's Notes

  1. Our customers' changing digital everyday life
  2. Our customers told us that a good ICT partner understands much more than just software and hardware: practical life. Our software and services are a significant part of society. They are built so that people can reach further in their everyday lives and get the most out of every day. Our software and services help our customers understand their own customers, develop products and services for them, steer their operations, make effective use of the data that is generated, and tie all of these together in close interaction.