In this deck from the Docker Workshop at ISC 2015, Andreas Schmidt from Cassini Consulting describes Docker in a Nutshell
"As the newest flavor of Linux Containers, Docker gained a lot of momentum in the last 12 months. With a very convenient and open API-driven architecture Docker is able to help decrease the complexity of operations and increase the productivity of computation. During the last two years Andreas, Christian, and Wolfgang gained a lot of experience with Docker and were thrilled by its possible impact early on. Andreas started working with Docker in mid-2013 and is interested in developing tools for solving Enterprise IT requirements on networking and security. In 2014 he held talks and workshops about these topics. Christian started using Docker in 2013 to virtualize a complete HPC cluster stack and since then held multiple talks about how Docker might impact HPC. Wolfgang and his partner Burak Yenier introduced Docker as a corner-stone of the UberCloud Marketplace to drastically improve and simplify access to HPC cloud resources. UberCloud just announced their new containers for computational fluid dynamics software like Fluent, STAR-CCM+ and OpenFOAM."
Watch the video presentation: http://wp.me/p3RLHQ-enP
20. Docker Engine technology foundation
Isolation through Kernel Namespaces
Linux Capabilities
Resource limitation through Linux control groups
Filesystem isolation, Copy-On-Write & Union FS
20 16.07.15 Cassini Consulting
24. From Development to Production: Challenges ahead!
25. What Docker gives to developers
Easy sandbox approach
Easy way to deliver software
Dev / Prod parity
26. Easy Sandbox approach
§ Create build and test environments
§ Choose Libraries and Framework Dependencies, per application
§ Deal with incompatible version mismatches (Ruby 1.9 vs. Ruby 2.1, including libs, bundler, version switchers, ...)
§ Lightweight alternative to using virtual machines
27. Easy Sandbox approach
A Docker Image contains its own userland libraries and binaries
§ separated from other images
§ take exactly the versions of libraries you need
§ leave out things you do not need
§ reproducible, lightweight, easily testable
§ look at it as a unit of delivery
28. Easy way to deliver software
Code deliverables (e.g. RPM packages) are not runnable on their own.
An installed instance (e.g. in a VM) is hard to transport.
30. Easy way to deliver software
Dockerfile as a Contract between Development and Operations
§ what to base from (FROM)
§ set environment params (ENV)
§ prepare the image, i.e. install something, configure it (RUN, COPY/ADD)
§ describe the interface (EXPOSE, VOLUME)
§ what to run (CMD / ENTRYPOINT)
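As an added example (not the Dockerfile shown in the deck), here is a minimal Dockerfile that fills in each of the contract items above, annotated with the security reason behind each choice. The base image tag, the application file, the port and the user name are assumptions:

```dockerfile
# what to base from: pin the base image to a tag (better still, to a digest,
# FROM debian@sha256:<digest>) so the build is reproducible and cannot be
# silently retargeted by a moving "latest" tag
FROM debian:jessie

# set environment params: configuration that operations may override at run
# time with "docker run -e ..." without rebuilding the image
ENV APP_PORT=8080 \
    APP_LOG_LEVEL=info

# prepare the image: install exactly what the application needs and nothing
# more, then remove the package lists so they do not bloat the layer
RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 \
 && rm -rf /var/lib/apt/lists/*

# create an unprivileged user; running the application as root inside the
# container is the most common way of "not using it properly"
RUN useradd --system --no-create-home --shell /usr/sbin/nologin app

# the application itself (assumed to exist next to the Dockerfile)
WORKDIR /srv/app
COPY app.py /srv/app/app.py

# describe the interface: the port the service listens on and the path where
# it keeps state, so operations can wire up networking and storage without
# reading the code
EXPOSE 8080
VOLUME ["/srv/app/data"]

# what to run: drop privileges and start the single application process as
# PID 1, with no init system and no management daemons beside it
USER app
CMD ["python3", "/srv/app/app.py"]
```

The operations side of the contract is then `docker build -t example/app .` followed by something like `docker run --rm -p 8080:8080 -v /data/app:/srv/app/data example/app` (image name and host path assumed); everything the container needs from the outside is visible in the Dockerfile's ENV, EXPOSE and VOLUME lines.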
31. Easy way to deliver software
Dockerfile as the blueprint for reusable building blocks
what to base from: Redis is an official repository at Docker Hub
33. Pave the way for Dev/Prod parity
§ From Applications to Systems
§ Describe not only compute, but also storage and networking.
§ Example: docker-compose
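An added example to illustrate the point, not a file from the deck: a docker-compose.yml that describes a web service, its Redis dependency (the official repository mentioned above), the volume Redis persists to, and the networks that separate the client-facing service from the data tier. Service names, image tags and ports are assumptions, and the file uses the version 2 Compose file format, which postdates this 2015 deck (version 1 had no top-level networks or volumes sections):

```yaml
version: "2"

services:
  web:
    build: .                  # compute: built from the application's Dockerfile
    ports:
      - "8080:8080"           # the only port published on the host
    environment:
      REDIS_URL: redis://redis:6379/0   # service name resolves on the backend network
    depends_on:
      - redis
    cap_drop:
      - ALL                   # compute: no kernel capabilities the app does not need
    networks:
      - frontend
      - backend

  redis:
    image: redis:3.0          # pinned official image, not "latest"
    command: ["redis-server", "--appendonly", "yes"]
    volumes:
      - redis-data:/data      # storage: a named volume survives container recreation
    networks:
      - backend               # networking: reachable from web, not published on the host

volumes:
  redis-data:

networks:
  frontend:
  backend:
    internal: true            # no route from the data tier to the outside
```

`docker-compose up -d` creates the two networks, the volume and both containers; the system description (not just the two applications) now lives in version control alongside the Dockerfile, which is the Dev/Prod parity the slide is after.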
36. Let's ask this question more specifically:
Is the docker daemon secure?
Are images transported securely?
Are images built in a secure fashion?
Are containers as secure as virtual machines?
Are application processes more or less secure when containerized?
37. Are containers as secure as virtual machines?
Application Containers:
Control group-separated, chroot-like, namespaced resources, running on a shared kernel.

Virtual Machines:
Virtualized pieces of hardware, each running its own kernel, with process/user/network spaces separated at the hypervisor level.
38. Are application processes more or less secure when containerized?
Definitely more secure than the same process run directly on the host, if "used properly(*)":
Docker container ~ application process,
ideally a single process, without management daemons (sshd, cron, syslog, ...)
Smaller attack surface
Namespaced process IDs, network, filesystem mounts, ...:
~ the application cannot see "the outside OS world" (the host's processes, interfaces and mounts)
Reduced Linux capabilities: a fixed default set, which can be fine-tuned with --cap-add / --cap-drop
Additional isolation mechanisms at hand:
SELinux type enforcement, AppArmor profiles, seccomp system call filtering (libseccomp)
(*) http://container-solutions.com/is-docker-safe-for-production
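To make the "reduced Linux capabilities" point above concrete (it also serves the Linux Capabilities item of the Docker Engine foundation slide), here is an added shell example that is not part of the deck: it decodes the CapEff bitmask the kernel reports in /proc/<pid>/status into capability names, so a review can check what a container process was actually left with instead of trusting the run command. The status lines are constructed samples; 00000000a80425fb is the mask a plain `docker run` produced with the Docker releases of that time (14 capabilities), 0000003fffffffff is unconfined root with every capability up to audit_read (bit 37), and the name table follows the kernel's bit numbering.

```shell
#!/bin/sh
# Added example: decode CapEff masks from /proc/<pid>/status into names.
# Capability names in kernel bit order: bit 0 = chown ... bit 37 = audit_read.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read"

# decode_caps HEXMASK -> space-separated names of the bits set in the mask
decode_caps() {
  mask=$((0x$1))
  i=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
      out="$out $name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# count_caps HEXMASK -> number of capabilities in the mask
count_caps() {
  decode_caps "$1" | wc -w | tr -d ' '
}

# has_cap HEXMASK NAME -> exit status 0 if NAME is in the mask, 1 otherwise
has_cap() {
  case " $(decode_caps "$1") " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# capeff_from_status -> read /proc-style status text on stdin, print the CapEff value
capeff_from_status() {
  sed -n 's/^CapEff:[[:space:]]*//p'
}

# Constructed sample: "grep Cap /proc/self/status" inside a container started
# with plain "docker run" (Docker's default capability set of that time).
DEFAULT_CONTAINER_STATUS="CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb"

# Constructed sample: an unconfined root process on the host.
HOST_ROOT_STATUS="CapEff: 0000003fffffffff"

demo() {
  cmask=$(printf '%s\n' "$DEFAULT_CONTAINER_STATUS" | capeff_from_status)
  hmask=$(printf '%s\n' "$HOST_ROOT_STATUS" | capeff_from_status)
  printf 'container CapEff %s: %s caps: %s\n' "$cmask" "$(count_caps "$cmask")" "$(decode_caps "$cmask")"
  printf 'host root CapEff %s: %s caps\n' "$hmask" "$(count_caps "$hmask")"
  # The question a hardening review actually asks: is the one capability that
  # is effectively root (mount, module loading, ...) still present?
  if has_cap "$hmask" sys_admin; then
    echo "host root: sys_admin present"
  fi
  if ! has_cap "$cmask" sys_admin; then
    echo "container: sys_admin dropped by default"
  fi
}
demo

# On a real host, feed a live process instead of the samples, e.g.
#   docker run --rm --cap-drop ALL --cap-add NET_BIND_SERVICE alpine \
#       grep CapEff /proc/self/status | capeff_from_status
# which should decode to exactly one capability.
```

The default set is deliberately small, but it still includes net_raw (raw sockets, so ARP spoofing on the bridge), mknod and setfcap; an application that needs none of them should start from `--cap-drop ALL` and add back only what it uses, and the decoder above is the way to confirm that the result matches the intent.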
39. Docker Hardening – Docker Security Benchmark
§ Extensive guide on hardening Docker hosts, images and containers, including checks
§ Automated tools are in development
§ benchmarks.cisecurity.org
41. Tooling around Docker
Where to run: specialised operating systems
Where to pull images from: registries (private, on premise, ...)
How to operate it: orchestration, scheduling, management, monitoring
From infrastructure to applications: Platform-as-a-Service
How to build containers: config management, developer tools
Technical topics: networking, security, storage