DevOps & Automation Tech/Team Leader at Cisco DRM Engineering
Roman Dembitsky – romande@gmail.com
Released: November 16, 2015
Docker Overview
DockerCon EU 2015
Agenda
• What is Docker?
• Docker Solutions
• Docker Security
What is Docker?
Docker allows you to package an application with all of its dependencies into a standardized unit for software development.
Docker
Docker Engine
How is this different from virtual machines?
• Docker Machine – Machine provisioning
• Docker Engine – Creates and runs Docker containers
• Docker Registry – Docker image distribution repository
• Docker Kitematic – Desktop GUI for Docker
• Docker Compose – Define multi-container applications
• Docker Swarm – Host clustering and container scheduling
• Docker Universal Control Plane - Management Platform
Docker Solutions
Docker Stack
Docker Engine
Docker Container
Docker Compose
Docker Swarm
Docker Orca (UCP)
Platform Layer
Application
Multi-container
applications
Distributed Cluster
Management
Platform
Management
Docker Machine
• Create hosts anywhere
• Docker Machine can create hosts on most major virtualization hypervisors and in cloud service providers. Docker Machine has driver support for:
• AWS, Digital Ocean, Google Cloud Platform, IBM Softlayer, Microsoft Azure and Hyper-V, OpenStack, Rackspace, VirtualBox, VMware Fusion®, vCloud® Air™ and vSphere®
Docker Machine
• Install Docker Engine
• Configure Docker Registry
• Join nodes to Swarm
Docker Kitematic
• Kitematic – nice GUI for container management
• Video
Kitematic
Docker Registry
Docker Registry is an open source application dedicated to the storage and distribution of your Docker images. Its seamless architecture allows both for fine-grained integration with other systems and for high-level scalability. Aggressively developed, its vibrant community includes industry leaders and users who run it at the core of their image distribution solutions.
Docker Registry
Docker Stages
Dockerfile - Sample
Source
To run:
docker run -d -p 27017:27017 -p 28017:28017 --name mongo -e AUTH=no tutum/mongodb
Docker Compose
Docker Compose - Example
• Compose facilitates the orchestration of linked containers
• Compose allows a single script to serve all environments
• Developers can start/stop/rebuild containers without any deep knowledge of Docker
Docker Compose
Docker Swarm
• Swarm – container distribution manager, clustering and scheduling
• Swarm 1.0 – ready for production
Docker Swarm
• Built-in multi-host networking
• Built-in persistent storage
• Attach any volume to any container dynamically
Docker Swarm
• Scalable
• Libkv (abstraction layer on top of the etcd, ZooKeeper and Consul KV stores)
Docker Swarm
Docker Swarm - Demo
Docker Security
Hardware key for signing images
• Docker image signing and verification
• Key compromise protection
• Content trust allows operations with a remote Docker registry to enforce client-side signing and verification of image tags. Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.
• https://blog.docker.com/2015/08/content-trust-docker-1-8/
Docker Content Trust
• Hardware crypto + Docker Content Trust
• Hardware root key (USB security device) used to start the key ladder
• Allows keys to be changed/updated quickly, so that pushing images with the old (compromised) keys is no longer possible
Docker Security
• Sign Docker images before pushing them to repositories
• Uses the root key inside the YubiKey to create new signing keys that sign the images
• To see existing keys: notary key list
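As an added illustration (not from the slides and not Notary's own code), a Go model of the key ladder described above: a root key, which in the slides' setup stays on the hardware token, certifies a versioned targets key, and the targets key signs tag-to-digest entries. Rotating the targets key under the root makes signatures by the retired key fail, and a version floor on the client stops a stale delegation from being replayed. Message layouts, key generation and the tag name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Simplified key ladder (a model, not Notary's TUF metadata): an offline root key
// certifies a versioned targets key, and the targets key signs tag -> digest entries.
type Delegation struct {
	Targets ed25519.PublicKey // currently authorised targets key
	Version uint32            // bumped on every rotation
	RootSig []byte            // root signature over (Targets, Version)
}
type SignedTag struct {
	Tag string; Digest [32]byte; Sig []byte // tag -> manifest digest, signed by the targets key
}
func delegationMsg(pub ed25519.PublicKey, ver uint32) []byte {
	return append(append([]byte("targets:"), pub...), byte(ver>>24), byte(ver>>16), byte(ver>>8), byte(ver))
}
func tagMsg(tag string, digest [32]byte) []byte { return append([]byte("tag:"+tag+":"), digest[:]...) }

// Delegate is the root-key operation: certify a (new) targets key under version ver.
func Delegate(rootPriv ed25519.PrivateKey, targets ed25519.PublicKey, ver uint32) Delegation {
	return Delegation{Targets: targets, Version: ver, RootSig: ed25519.Sign(rootPriv, delegationMsg(targets, ver))}
}

// Verify is the client-side check: root signature on the delegation, no rollback below
// the newest version the client has already seen, then the tag signature itself.
func Verify(rootPub ed25519.PublicKey, d Delegation, minVersion uint32, st SignedTag) bool {
	if d.Version < minVersion || !ed25519.Verify(rootPub, delegationMsg(d.Targets, d.Version), d.RootSig) {
		return false
	}
	return ed25519.Verify(d.Targets, tagMsg(st.Tag, st.Digest), st.Sig)
}

// Demo signs a tag with targets key v1, rotates to a fresh v2 key (as after a compromise),
// and reports whether the v1-signed tag verifies before and after the rotation.
func Demo() (before, after bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	d1 := Delegate(rootPriv, tPub, 1)
	digest := sha256.Sum256([]byte("constructed image manifest"))
	st := SignedTag{Tag: "mongo:3.0", Digest: digest, Sig: ed25519.Sign(tPriv, tagMsg("mongo:3.0", digest))}
	before = Verify(rootPub, d1, 1, st)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	d2 := Delegate(rootPriv, newPub, 2)
	// The new key does not match the old signature, and replaying the stale v1 delegation is a rollback.
	after = Verify(rootPub, d2, 2, st) || Verify(rootPub, d1, 2, st)
	return before, after
}
```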
Docker Security
• Project Nautilus
• Built-in container security analysis
• Soon to be available as a self-service
• Deep content analysis
• Checks against its own vulnerability DB
Docker Security Analysis
Docker Networking
• New Docker Networking APIs
• Multi-host networking
• Networks are scoped: Local / Global
• A container can participate in multiple networks
Docker Networking
• VXLAN: Layer 2 over Layer 4
• VXLAN is a network virtualization technology that attempts to ameliorate the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate MAC-based OSI layer 2 Ethernet frames within layer 4 UDP packets, using 4789 as the default IANA-assigned destination UDP port number.[1]
Docker Networking uses VXLAN
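As an added example (not part of the slides or of Docker's code), a small Go decoder for the encapsulation just described: it takes a datagram starting at the UDP header, checks the VXLAN destination port 4789 and the I flag, extracts the 24-bit VNI and returns the inner Ethernet frame. The sample datagram is constructed for the example, not captured from a Docker overlay.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// VXLANPort is the IANA-assigned UDP destination port that Docker overlay networks use.
const VXLANPort = 4789

// VXLANFrame holds the decoded VNI and the inner (container-side) Ethernet frame.
type VXLANFrame struct {
	VNI                uint32
	InnerDst, InnerSrc []byte // 6-byte MAC addresses
	EtherType          uint16
	Payload            []byte
}

// ParseUDPPayload decodes a datagram starting at its UDP header: 8-byte UDP header,
// 8-byte VXLAN header (flags, 24-bit VNI, reserved bytes), then the inner Ethernet frame.
func ParseUDPPayload(udp []byte) (*VXLANFrame, error) {
	if len(udp) < 8+8+14 {
		return nil, errors.New("too short for UDP + VXLAN headers and an inner Ethernet frame")
	}
	if binary.BigEndian.Uint16(udp[2:4]) != VXLANPort {
		return nil, errors.New("UDP destination port is not VXLAN (4789)")
	}
	vx := udp[8:]
	if vx[0]&0x08 == 0 { // the I flag says the VNI field is valid
		return nil, errors.New("VXLAN I flag not set")
	}
	inner := vx[8:]
	return &VXLANFrame{
		VNI:       uint32(vx[4])<<16 | uint32(vx[5])<<8 | uint32(vx[6]),
		InnerDst:  inner[0:6],
		InnerSrc:  inner[6:12],
		EtherType: binary.BigEndian.Uint16(inner[12:14]),
		Payload:   inner[14:],
	}, nil
}

// Sample is a constructed datagram (not a real capture): UDP 51234 -> 4789, VNI 256,
// inner frame from 02:42:ac:12:00:02 to 02:42:ac:12:00:03, EtherType IPv4, 4 payload bytes.
func Sample() []byte {
	return []byte{
		0xc8, 0x22, 0x12, 0xb5, 0x00, 0x22, 0x00, 0x00, // UDP: src 51234, dst 4789, len 34
		0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, // VXLAN: flags=I, VNI=0x000100
		0x02, 0x42, 0xac, 0x12, 0x00, 0x03, 0x02, 0x42, 0xac, 0x12, 0x00, 0x02, 0x08, 0x00,
		0xde, 0xad, 0xbe, 0xef, // inner payload (arbitrary)
	}
}
```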
Docker Universal Control Plane
Containers as a service
• Management platform – deploy and manage dockerized apps in production
• Run containers on any infrastructure
• Infrastructure agnostic (on premises, cloud)
• Language agnostic
Universal Control Plane
• Provisioning of compute, network, and storage on any infrastructure, with integration of enterprise security and monitoring
• Support for any:
• application: stateful and stateless, legacy and next-generation, for any programming language
• bare-metal server, VM or cloud instance
• Linux distribution, Windows Server and Solaris
• stage of the application lifecycle, from dev to test to QA to staging to production
Docker Universal Control Plane
• Enterprise ready (LDAP/AD authN), on-premises deployment integrated with Trusted Registry
• Security – TLS
• Resource management (visibility and monitoring)
• HA
Docker Universal Control Plane
Linux Kernel IP Virtual Server
• Layer 4 (OSI) forwarder
• IPVS is incorporated into the Linux Virtual Server (LVS), where it runs on a host and acts as a load balancer in front of a cluster of real servers. IPVS can direct requests for TCP- and UDP-based services to the real servers, and make services of the real servers appear as virtual services on a single IP address. IPVS is built on top of Netfilter.[1]
IP Virtual Server (IPVS)
• IPIP mode: returns packets directly to the client (rather than via the LB)
• DNAT
• DSR
IP Virtual Server - Modes
• http://github.com/kobolog/gorb
• BGP – load-balance the LBs themselves
• Better than an LB box
GORB – REST interface to IPVS
Jenkins CI with Docker and Compose at Oxford Press
• Commit to GitHub ->
• Jenkins build with unit tests ->
• Build Docker image ->
• After all the desired components are stably built, run docker-compose
Jenkins Flow
• Push images to the Docker registry
• Bind the Docker socket – share the Docker daemon
• /var/run/docker.sock
DockerCon EU 2015
https://blog.docker.com/tag/dockercon/
http://www.vmtocloud.com/how-to-run-a-docker-swarm-cluster-on-vsphere-with-photon/
http://docker.com
http://www.tomsitpro.com/articles/docker-enterprise-hub-orchestration,1-2375.html
http://blog.octo.com/en/docker-registry-first-steps/
http://blog.arungupta.me/docker-compose-orchestrate-containers-techtip77/
http://learning-continuous-deployment.github.io/dockercompose/multi-app/2015/05/30/docker-compose/
References

DockerCon EU 2015 Barcelona