Extending Docker: Image Whitelist Plugin
mohammad fairus khalid
fairus.khalid@gmail.com
fairus.khalid@mimos.my
Agenda (2 hours, quite long for a talk)
• Background (3 min)
• Motivation (2 min)
• Docker (25 min)
• Image whitelist concept (5 min)
• Setup (15 min)
• Demo (15 min)
• Going through the code (15 min)
• Troubleshoot (10 min)
• Build & Package (10 min)
• Improvement (5 min)
• Q & A (15 min)
Background
[Figure: edge computing tiers on an axis from DC (data centre) to Thing. Owned by the telco: base stations. Owned by other entities: malls, schools, clinics. Voluntary computing: laptops, desktops, smartphones. Arrows labelled Control and QoS. Reference: ETSI, the European Telecommunications Standards Institute.]
Motivation
• Put control into an uncontrolled environment
• Only allow images/workloads that are sanctioned to run on the remote resources
Docker
• Docker Architecture
• Docker Plugin
• Plugin examples
Docker’s architecture
https://docs.docker.com/engine/understanding-docker/
Docker Plugin
• Docker plugins are out-of-process extensions
which add capabilities to the Docker Engine.
• They come in specific types. For example, a volume
plugin might enable Docker volumes to persist across
multiple Docker hosts and a network plugin might
provide network plumbing.
• A plugin is a process running on the same or a different
host as the docker daemon, which registers itself by
placing a file on the same docker host in one of the
plugin directories described in Plugin discovery.
https://docs.docker.com/engine/extend/plugins/
Plugin Discovery
• Docker discovers plugins by looking for them in the plugin
directory whenever a user or container tries to use one by
name.
• There are three types of files which can be put in the plugin
directory.
– .sock files are UNIX domain sockets.
– .spec files are text files containing a URL, such
as unix:///other.sock or tcp://localhost:8080.
– .json files are text files containing a full json specification for the
plugin.
• Plugins with UNIX domain socket files must run on the
same docker host, whereas plugins with spec or json files
can run on a different host if a remote URL is specified.
https://docs.docker.com/engine/extend/plugin_api/
Plugin API design
• The Plugin API is RPC-style JSON over HTTP, much like
webhooks.
• Requests flow from the Docker daemon to the plugin. So
the plugin needs to implement an HTTP server and bind
this to the UNIX socket mentioned in the “plugin discovery”
section.
• All requests are HTTP POST requests.
• The API is versioned via an Accept header, which currently
is always set to application/vnd.docker.plugins.v1+json.
2 ways of Plugin Deployment
[Figure: two deployments]
1. Plugin on the same host as dockerd (Host 1), reached over a UNIX socket.
2. Plugin on a different host (Host 2), reached over a TCP socket. A plain tcp:// spec sends every API request and every verdict unprotected across the network; for a remote authorization plugin use a .json spec with a TLSConfig so the daemon authenticates the plugin.
Plugin Type
Plugin Type   | Description                        | Documentation
Authorization | Extend API authorization mechanism | https://docs.docker.com/engine/extend/authorization/
Network       | Extend network management          | https://docs.docker.com/engine/extend/plugins_network/
Volume        | Extend persistent storage          | https://docs.docker.com/engine/extend/plugins_volume/
IPAM          | Extend IP address management       | https://github.com/docker/libnetwork/blob/master/docs/ipam.md
Volume Plugin
• Docker Engine volume plugins enable Engine
deployments to be integrated with external storage
systems, such as Amazon EBS, and enable data
volumes to persist beyond the lifetime of a single
Engine host.
• A volume plugin makes use of the -v and --volume-driver flags on the docker run command. The -v flag accepts a volume name and the --volume-driver flag a driver type, for example:
– $ docker run -ti -v volumename:/data --volume-driver=flocker busybox sh
https://docs.docker.com/engine/extend/plugins_volume/
Example Plugin Volume: Flocker
https://clusterhq.com/flocker/introduction/
Network Plugin
• Docker Engine network plugins enable Engine
deployments to be extended to support a
wide range of networking technologies, such
as VXLAN, IPVLAN, MACVLAN or something
completely different.
Docker Bridge Network
https://docs.docker.com/engine/userguide/networking/dockernetworks/
A bridge network is useful in cases where you want to run a relatively
small network on a single host. You can, however, create significantly
larger networks by creating an overlay network
Example Network plugin: Weave Net
https://www.weave.works/products/weave-net/
Weave Net creates a virtual network that connects Docker containers deployed
across multiple hosts. To application containers, the network established by
Weave resembles a giant Ethernet switch, where all containers are connected
and can easily access services from one another.
Weave Net Demo
• Install weave on 2 hosts
– sudo curl -L git.io/weave -o /usr/local/bin/weave
– sudo chmod a+x /usr/local/bin/weave
• Launch weave on both hosts
– weave launch <peer host IP>
fairus@ubuntu:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
21e88b0b71e7 weaveworks/plugin:1.5.0 "/home/weave/plugin" 21 minutes ago Up 21 minutes weaveplugin
4ff36b0361b0 weaveworks/weaveexec:1.5.0 "/home/weave/weavepro" 21 minutes ago Up 21 minutes weaveproxy
b9944c11dadf weaveworks/weave:1.5.0 "/home/weave/weaver -" 21 minutes ago Up 21 minutes weave
– Check the connection status
fairus@ubuntu:~$ weave status connections
-> 192.168.56.101:6783 established fastdp 56:d7:c9:8e:d3:c3(ubuntu)
– If it fails, reset and launch again
• weave reset; weave launch <peer host IP>
Weave Net Demo
• Test the weave network
– List weave network
fairus@ubuntu:~$ docker network ls
NETWORK ID NAME DRIVER
88033f39d3bf bridge bridge
02ae59ef8859 docker_gwbridge bridge
f610c728464c host host
41b5fa0b4ff7 none null
ff85a0ceb3cd weave weavemesh
– Run a container on both hosts
• docker run --net weave -it alpine sh
– Ping each other using the IP address
– Run a container with a hostname on both machines
• docker run --net weave -h c1.weave.local $(weave dns-args) -it alpine sh
• docker run --net weave -h c2.weave.local $(weave dns-args) -it alpine sh
– From the containers, ping each other using the hostname (i.e. c1 and c2)
– From host check the dns entry
fairus@ubuntu:~$ weave status dns
c1 10.32.0.1 47097e28f5ee 56:d7:c9:8e:d3:c3
c2 10.40.0.1 acd772f5b19e 3e:40:22:84:b7:e7
Authorization Plugin
• An authorization plugin approves or denies
requests to the Docker daemon based on both the
current authentication context and the
command context.
• The authentication context contains all user details and the
authentication method.
• The command context contains all the relevant request
data.
Authorization Scenarios
https://docs.docker.com/engine/extend/plugins_authorization/
Hands on
What is Image Whitelist
• https://github.com/fairuskhalid/whitelist
• The Image Whitelist Docker plugin is built on the Docker authorization plugin model. Before an image can be run, the plugin looks it up in the whitelist and allows only listed images. With this, the owner or administrator of the host machine controls what can be run on the machine.
• The list holds image IDs (the sha256 digest shown by docker inspect), not names or tags, so a different image pushed under the same name:tag does not match.
Image Whitelist
[Figure: Docker client, Docker daemon, whitelist plugin and whitelist server]
1. getlist: the plugin fetches the updated list from the whitelist server every specified interval; the admin updates whitelist.dat on the server.
2. run: the client tries to run a container.
3. start: the daemon asks the plugin whether the container may start; the plugin checks whether the image is in the whitelist and allows it if so, otherwise disallows it.
4. allow/disallow: the verdict goes back to the daemon.
5. The command succeeds or fails at the client.
Setup
• To use image whitelist plugin
– Install docker
– Pull image whitelist plugin from docker hub
– Try out the image whitelist
• To update and build the code
– Install go
– Setup environment
– Install make
– Build
Install docker
• https://docs.docker.com/engine/installation/
• Make sure it works:
– sudo docker run hello-world
• Allow a non-root user to run docker (membership of the docker group gives control of the daemon, which is root-equivalent on the host, so grant it only to the administrator)
– sudo groupadd docker
– sudo usermod -aG docker username
– Log out and log in again
Try out image whitelist
• Pull the images from Docker Hub
– docker pull fairus/wlserver:v1
– docker pull fairus/wlplugin:v1
• Run the containers
– docker run -d --restart=always -p 8080:8080 fairus/wlserver:v1
– docker run -d --restart=always -v /var/run:/var/run -v /run/docker/plugins/:/run/docker/plugins -v /etc/group:/etc/group fairus/wlplugin:v1 /wlplugin -wlhost http://localhost:8080/getlist
• The -wlhost URL is fetched from inside the plugin container, so it must be an address the container can reach (localhost there is the container's own loopback unless it runs with --net=host). Mounting /var/run hands the plugin container the Docker socket, i.e. full control of the daemon, so the plugin image must be trusted as much as the daemon itself.
Try out image whitelist
# pull image from docker hub
fairus@ubuntu:~$ docker pull fairus/wlserver:v1
fairus@ubuntu:~$ docker pull fairus/wlplugin:v1
# run the plugin and server
fairus@ubuntu:~$ docker run -d --restart=always -p 8080:8080 fairus/wlserver:v1
fairus@ubuntu:~$ docker run -d --restart=always -v /var/run:/var/run -v /run/docker/plugins/:/run/docker/plugins -v /etc/group:/etc/group fairus/wlplugin:v1 /wlplugin -wlhost http://192.168.56.101/getlist
# update docker service in systemd
root@ubuntu:/run/docker/plugins# systemctl edit --full docker.service
.. .
ExecStart=/usr/bin/docker daemon -H fd:// --authorization-plugin=whitelist-plugin
.. .
# restart docker service
root@ubuntu:/run/docker/plugins# service docker restart
# try run alpine container
fairus@ubuntu:~$ docker run -it alpine sh
docker: Error response from daemon: authorization denied by plugin whitelist-plugin: Unauthorized Image.
Try out image whitelist
# check alpine image id
fairus@ubuntu:~$ docker inspect alpine | grep Id
"Id": "sha256:d7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac",
# copy whitelist.dat from wlserver container to the host
fairus@ubuntu:~$ docker ps | grep wlserver
5c561b1cd9b2 fairus/wlserver:v1 "/wlserver" 24 minutes ago
Up 21 minutes 0.0.0.0:8080->8080/tcp prickly_jang
fairus@ubuntu:~$ docker cp 5c561b1cd9b2:whitelist.dat whitelist.dat
fairus@ubuntu:~$ ls
goenv.sh src whitelist.dat work
# update whitelist.dat with the alpine image ID and copy it back into the wlserver container
fairus@ubuntu:~$ echo sha256:d7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac > whitelist.dat
fairus@ubuntu:~$ docker cp whitelist.dat 5c561b1cd9b2:whitelist.dat
# wait a couple of minutes (the plugin only fetches the list at its refresh interval) before running the alpine container again
fairus@ubuntu:~$ docker run -it alpine sh
/ #
Setup Build Environment
• Install go
– follow guide in: https://golang.org/doc/install
– wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz
– sudo tar -C /usr/local -xzf go1.6.2.linux-amd64.tar.gz
– export PATH=$PATH:/usr/local/go/bin
• Test go
– go version
• Create and export working dir (e.g. work)
– mkdir work
– export GOPATH=$HOME/work
• Install godep
– go get github.com/tools/godep
• Install make
– sudo apt-get install make
Going Through The Code
• Go helpers package:
– https://github.com/docker/go-plugins-helpers
– https://godoc.org/github.com/docker/go-plugins-helpers/authorization
Bare Minimum
[Code slide, annotated: include package; plugin socket you bind to; plugin class; plugin instantiation; interface implementation]
build and run plugin
# build the code
fairus@ubuntu:wshop$ go build -o wplugin main.go
fairus@ubuntu:wshop$ ls -l
total 8200
-rw-rw-r-- 1 fairus fairus 624 May 10 08:15 main.go
-rwxrwxr-x 1 fairus fairus 8382368 May 10 08:46 wplugin
# run the plugin
fairus@ubuntu:wshop$ sudo ./wplugin
# check the plugin is running
root@ubuntu:/run/docker/plugins# ls -l
total 0
srw-rw---- 1 root root 0 May 10 08:47 plugin.sock
srwxr-xr-x 1 root root 0 May 9 15:39 weavemesh.sock
srwxr-xr-x 1 root root 0 May 9 15:39 weave.sock
setup dockerd & run test
# update docker service in systemd
root@ubuntu:/run/docker/plugins# systemctl edit --full docker.service
.. .
ExecStart=/usr/bin/docker daemon -H fd:// --authorization-plugin=plugin
.. .
# restart docker service
root@ubuntu:/run/docker/plugins# service docker restart
# try it out
root@ubuntu:/run/docker/plugins# docker ps
# kill the plugin
fairus@ubuntu:wshop$ sudo ./wplugin
^C
# try it out again
root@ubuntu:/run/docker/plugins# docker ps
Error response from daemon: plugin plugin failed with error: Post http://%2Frun%2Fdocker%2Fplugins%2Fplugin.sock/AuthZPlugin.AuthZReq: dial unix /run/docker/plugins/plugin.sock: connect: connection refused
Looking at the message
https://github.com/docker/docker/blob/master/pkg/authorization/api.go
build and run again
This is what the message looks like. Now we can add our logic.
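The bare-minimum plugin of the earlier slide and the message format above, carried through to a working whitelist check. This is an added example, not the whitelist project's own code: it implements the AuthZ plugin protocol (Plugin.Activate, AuthZPlugin.AuthZReq, AuthZPlugin.AuthZRes) with the standard library instead of go-plugins-helpers, and the ImageID and ContainerImage hooks, the sample image IDs other than alpine's, and the container names are constructed stand-ins for the engine API lookups a real plugin makes.

```go
// Added example, not the whitelist project's code: a minimal Docker authorization
// plugin (AuthZ plugin protocol, net/http only) gating container create/start on an
// image whitelist. ImageID/ContainerImage are hypothetical engine API stand-ins.
package main

import (
	"encoding/json"
	"net"
	"net/http"
	"os"
	"regexp"
)
// Request: the fields of pkg/authorization/api.go this check reads (RequestBody is base64 on the wire).
type Request struct {
	RequestMethod string `json:"RequestMethod,omitempty"`
	RequestURI    string `json:"RequestUri,omitempty"`
	RequestBody   []byte `json:"RequestBody,omitempty"`
}

type Response struct {
	Allow bool   `json:"Allow"`         // the verdict
	Msg   string `json:"Msg,omitempty"` // shown to the user after "authorization denied by plugin"
}
var (
	createRe = regexp.MustCompile(`^(?:/v[0-9.]+)?/containers/create(?:\?.*)?$`)
	startRe  = regexp.MustCompile(`^(?:/v[0-9.]+)?/containers/([^/?]+)/start(?:\?.*)?$`)
)

type Plugin struct {
	Allowed        map[string]bool                  // image IDs from whitelist.dat, "sha256:..." form
	ImageID        func(ref string) (string, error) // engine API lookup: "alpine" -> image ID
	ContainerImage func(id string) (string, error)  // engine API lookup: container -> image ID
}

// Decide gates create and start (a container created before the list changed could
// otherwise be started later). err starts non-nil, so anything not resolved is denied.
func (p *Plugin) Decide(req Request) Response {
	imageID, err := "", os.ErrInvalid
	switch {
	case req.RequestMethod == "POST" && createRe.MatchString(req.RequestURI):
		var body struct{ Image string }
		if json.Unmarshal(req.RequestBody, &body) == nil && body.Image != "" {
			imageID, err = p.ImageID(body.Image)
		}
	case req.RequestMethod == "POST" && startRe.MatchString(req.RequestURI):
		imageID, err = p.ContainerImage(startRe.FindStringSubmatch(req.RequestURI)[1])
	default:
		return Response{Allow: true} // everything else is outside this plugin's scope
	}
	if err != nil || !p.Allowed[imageID] {
		return Response{Allow: false, Msg: "Unauthorized Image."}
	}
	return Response{Allow: true}
}

// Handler wires the three endpoints dockerd calls on an authz plugin.
func (p *Plugin) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string][]string{"Implements": {"authz"}})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req Request
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			json.NewEncoder(w).Encode(Response{Allow: false, Msg: "bad authz request: " + err.Error()})
			return
		}
		json.NewEncoder(w).Encode(p.Decide(req))
	})
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(Response{Allow: true}) // responses pass through unfiltered
	})
	return mux
}

// demoPlugin wires constructed sample data: the alpine image ID from the demo is
// whitelisted, "busybox" (made-up ID) is not, and one container exists for each.
func demoPlugin() *Plugin {
	const alpine = "sha256:d7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac"
	ids := map[string]string{"alpine": alpine, "busybox": "sha256:notwhitelisted",
		"c-ok": alpine, "c-bad": "sha256:notwhitelisted"}
	lookup := func(k string) (string, error) { // stands in for both engine API calls
		if v, ok := ids[k]; ok {
			return v, nil
		}
		return "", os.ErrNotExist
	}
	return &Plugin{Allowed: map[string]bool{alpine: true}, ImageID: lookup, ContainerImage: lookup}
}

func main() {
	sock := "/run/docker/plugins/plugin.sock" // dockerd: --authorization-plugin=plugin
	os.Remove(sock)
	l, err := net.Listen("unix", sock)
	if err != nil {
		panic(err)
	}
	os.Chmod(sock, 0600) // only root (the daemon) needs to reach the plugin
	panic(http.Serve(l, demoPlugin().Handler()))
}
```

The socket name is the plugin name: plugin.sock in /run/docker/plugins is what --authorization-plugin=plugin in the systemd unit refers to, and the deny text is what docker run prints after "authorization denied by plugin plugin:". Two design points carry the security value: create and start are both gated, because docker run is a create followed by a start and a container created under an older list would otherwise start later; and every path that cannot read or resolve the image ends in a deny, so a malformed body, an unknown image or a failed engine API call never turns into an allow.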
Image whitelist implementation
• Package engineapi provides libraries to implement client and server components compatible with the Docker engine. The client package in github.com/docker/engine-api/client implements all the requests needed by the official Docker engine CLI. A create request names the image while the whitelist holds image IDs, so a plugin needs the engine API to resolve one to the other.
– Create a new client, then use it to send and receive messages to the Docker engine API:
defaultHeaders := map[string]string{"User-Agent": "engine-api-cli-1.0"}
cli, err := client.NewClient("unix:///var/run/docker.sock", "v1.22", nil, defaultHeaders)
– https://godoc.org/github.com/docker/engine-api
• This library implements a cron spec parser and runner (used to fetch the whitelist at the specified interval).
– https://godoc.org/github.com/robfig/cron
• Package logrus is a structured logger for Go, completely API compatible with the standard library logger.
– https://godoc.org/github.com/Sirupsen/logrus
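The getlist side of the flow diagram (the plugin pulling whitelist.dat from the server every interval), as an added example that is not the project's code. It shows the property a practitioner wants from that refresh loop: a failed or corrupt fetch must never shrink the policy. The one-ID-per-line format comes from the demo's echo into whitelist.dat; comment lines, bare digests without the sha256: prefix, the 1 MiB cap and the plain ticker (in place of the cron library) are this example's own assumptions.

```go
// Added example, not the project's code: the plugin side of "getlist", loading
// whitelist.dat and keeping it fresh without weakening the policy. The one-ID-per-line
// format comes from the demo; comment lines and bare digests are this example's assumptions.
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net/http"
	"regexp"
	"strings"
	"sync"
	"time"
)

var digestRe = regexp.MustCompile(`^[0-9a-f]{64}$`)

// ParseWhitelist reads one image ID per line. Blank lines and '#' comments are
// skipped; anything that is not a sha256 digest (for example a mutable name:tag)
// is an error, so a corrupt list is rejected whole instead of silently shrinking.
func ParseWhitelist(r io.Reader) (map[string]bool, error) {
	allowed := map[string]bool{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.ToLower(strings.TrimSpace(sc.Text()))
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		digest := strings.TrimPrefix(line, "sha256:")
		if !digestRe.MatchString(digest) {
			return nil, fmt.Errorf("whitelist line %d: not an image ID: %q", n, line)
		}
		allowed["sha256:"+digest] = true
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return allowed, nil
}

// Whitelist is the in-memory copy the authz handler consults on every request.
type Whitelist struct {
	mu      sync.RWMutex
	allowed map[string]bool
}

// Allowed reports whether an image ID may run. Before the first successful load
// the map is nil, so everything is denied until a list has arrived.
func (w *Whitelist) Allowed(imageID string) bool {
	w.mu.RLock()
	defer w.mu.RUnlock()
	return w.allowed[imageID]
}

// Refresh fetches the list (the demo's -wlhost .../getlist URL) and swaps it in
// atomically; on any failure the previous list stays in force (fail closed, not open).
func (w *Whitelist) Refresh(client *http.Client, url string) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("getlist: HTTP %d", resp.StatusCode)
	}
	allowed, err := ParseWhitelist(io.LimitReader(resp.Body, 1<<20)) // cap at 1 MiB
	if err != nil {
		return err
	}
	w.mu.Lock()
	w.allowed = allowed
	w.mu.Unlock()
	return nil
}

// Poll refreshes at once and then every interval until stop is closed; a plain
// ticker stands in for the cron library the project lists.
func (w *Whitelist) Poll(client *http.Client, url string, every time.Duration, stop <-chan struct{}) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		if err := w.Refresh(client, url); err != nil {
			log.Println("whitelist refresh failed, keeping previous list:", err)
		}
		select {
		case <-t.C:
		case <-stop:
			return
		}
	}
}

func main() {
	var wl Whitelist // constructed wiring: the demo server's address, two minute interval
	go wl.Poll(&http.Client{Timeout: 10 * time.Second}, "http://192.168.56.101:8080/getlist", 2*time.Minute, nil)
	select {}
}
```

Two caveats this loop does not remove. The list is fetched over plain http://, so anyone who can answer for the server's address can replace it with a well-formed list of their own; the parser only rejects errors and garbage, not a hostile but valid list, so in a real deployment the server should sit behind TLS with a pinned certificate or the list should carry a signature the plugin verifies. And the deny-until-loaded start means a host whose plugin cannot reach the server runs nothing, which is the safe failure for the motivation on the earlier slides but needs to be planned for.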
Build and Package
• Get the code from github using go
– go get github.com/fairuskhalid/whitelist
• Restore the dependencies (this will take a while)
– cd $HOME/work/src/github.com/fairuskhalid/whitelist
– godep restore
• Build
– make
• Create a docker image
– Copy the wlplugin executable and Dockerfile.plugin into an empty dir
– Rename Dockerfile.plugin to Dockerfile
– docker build -t plugin .
Troubleshoot
[Figure: Docker client -> Docker daemon (/var/run/docker.sock) -> fake socket /run/docker/plugins/fake.sock, relayed by socat -> whitelist plugin at /run/docker/plugins/whitelist-plugin.sock]
1. Install socat
• sudo apt-get install socat
2. Run the plugin
3. Run socat as a logging relay between a fake plugin socket and the real plugin socket
• sudo socat -v UNIX-LISTEN:/run/docker/plugins/fake.sock UNIX-CONNECT:/run/docker/plugins/whitelist-plugin.sock
• Without ,fork on UNIX-LISTEN socat exits after the first connection, so add it if the daemon opens more than one
4. Run the docker daemon with the plugin option pointing at the fake socket
• --authorization-plugin=fake
5. Run a docker command and view the request and response JSON in the socat terminal
Improvement
• Any suggestion?
Q & A
Thank you

DockerDocker
Docker
 
Getting Started with Docker
Getting Started with DockerGetting Started with Docker
Getting Started with Docker
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
 
Docker
DockerDocker
Docker
 
Docker fundamentals
Docker fundamentalsDocker fundamentals
Docker fundamentals
 
ExpoQA 2017 Using docker to build and test in your laptop and Jenkins
ExpoQA 2017 Using docker to build and test in your laptop and JenkinsExpoQA 2017 Using docker to build and test in your laptop and Jenkins
ExpoQA 2017 Using docker to build and test in your laptop and Jenkins
 
[Codelab 2017] Docker 기초 및 활용 방안
[Codelab 2017] Docker 기초 및 활용 방안[Codelab 2017] Docker 기초 및 활용 방안
[Codelab 2017] Docker 기초 및 활용 방안
 
Introction to docker swarm
Introction to docker swarmIntroction to docker swarm
Introction to docker swarm
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
 

Recently uploaded

EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 

Recently uploaded (20)

EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 

moscmy2016: Extending Docker

• 1. Extending Docker: Image Whitelist Plugin
  mohammad fairus khalid
  fairus.khalid@gmail.com
  fairus.khalid@mimos.my
• 2. 2 hours quite long to talk
  • Background (3 min)
  • Motivation (2 min)
  • Docker (25 min)
  • Image whitelist concept (5 min)
  • Setup (15 min)
  • Demo (15 min)
  • Going through the code (15 min)
  • Troubleshoot (10 min)
  • Build & Package (10 min)
  • Improvement (5 min)
  • Q & A (15 min)
• 4. Edge Computing (diagram)
  DC / Thing
  Base station: owned by Telco
  Malls, schools, clinics: owned by entities
  Voluntary computing: laptops, desktops, smartphones
  ETSI – European Telecommunications Standards Institute
  Control, QoS
• 5. Motivation
  • Put control in an uncontrolled environment
  • Only allow images/workloads that are sanctioned to run on the remote resources
• 6. Docker
  • Docker Architecture
  • Docker Plugin
  • Plugin examples
• 8. Docker Plugin
  • Docker plugins are out-of-process extensions which add capabilities to the Docker Engine.
  • They come in specific types. For example, a volume plugin might enable Docker volumes to persist across multiple Docker hosts and a network plugin might provide network plumbing.
  • A plugin is a process running on the same or a different host as the docker daemon, which registers itself by placing a file on the same docker host in one of the plugin directories described in Plugin discovery.
  https://docs.docker.com/engine/extend/plugins/
• 9. Plugin Discovery
  • Docker discovers plugins by looking for them in the plugin directory whenever a user or container tries to use one by name.
  • There are three types of files which can be put in the plugin directory.
    – .sock files are UNIX domain sockets.
    – .spec files are text files containing a URL, such as unix:///other.sock or tcp://localhost:8080.
    – .json files are text files containing a full json specification for the plugin.
  • Plugins with UNIX domain socket files must run on the same docker host, whereas plugins with spec or json files can run on a different host if a remote URL is specified.
  https://docs.docker.com/engine/extend/plugin_api/
• 10. Plugin API design
  • The Plugin API is RPC-style JSON over HTTP, much like webhooks.
  • Requests flow from the Docker daemon to the plugin. So the plugin needs to implement an HTTP server and bind this to the UNIX socket mentioned in the “plugin discovery” section.
  • All requests are HTTP POST requests.
  • The API is versioned via an Accept header, which currently is always set to application/vnd.docker.plugins.v1+json.
• 11. 2 ways of Plugin Deployment (diagram)
  1. dockerd and the plugin both on Host 1, connected over a unix socket
  2. dockerd on Host 1 and the plugin on Host 2, connected over a tcp socket
• 12. Plugin Type
  Plugin Type   | Description                        | Documentation
  Authorization | Extend API authorization mechanism | https://docs.docker.com/engine/extend/authorization/
  Network       | Extend network management          | https://docs.docker.com/engine/extend/plugins_network/
  Volume        | Extend persistent storage          | https://docs.docker.com/engine/extend/plugins_volume/
  IPAM          | Extend IP address management       | https://github.com/docker/libnetwork/blob/master/docs/ipam.md
• 13. Volume Plugin
  • Docker Engine volume plugins enable Engine deployments to be integrated with external storage systems, such as Amazon EBS, and enable data volumes to persist beyond the lifetime of a single Engine host.
  • A volume plugin makes use of the -v and --volume-driver flags on the docker run command. The -v flag accepts a volume name and the --volume-driver flag a driver type, for example:
    – $ docker run -ti -v volumename:/data --volume-driver=flocker busybox sh
  https://docs.docker.com/engine/extend/plugins_volume/
• 14. Example Plugin Volume: Flocker
  https://clusterhq.com/flocker/introduction/
• 15. Network Plugin
  • Docker Engine network plugins enable Engine deployments to be extended to support a wide range of networking technologies, such as VXLAN, IPVLAN, MACVLAN or something completely different.
• 16. Docker Bridge Network
  https://docs.docker.com/engine/userguide/networking/dockernetworks/
  A bridge network is useful in cases where you want to run a relatively small network on a single host. You can, however, create significantly larger networks by creating an overlay network.
• 17. Example Network plugin: Weave Net
  https://www.weave.works/products/weave-net/
  Weave Net creates a virtual network that connects Docker containers deployed across multiple hosts. To application containers, the network established by Weave resembles a giant Ethernet switch, where all containers are connected and can easily access services from one another.
• 18. Weave Net Demo
  • Install weave on 2 hosts
    – sudo curl -L git.io/weave -o /usr/local/bin/weave
    – sudo chmod a+x /usr/local/bin/weave
  • Launch weave on both hosts
    – weave launch <ip peer host>

      fairus@ubuntu:~$ docker ps
      CONTAINER ID   IMAGE                        COMMAND                  CREATED          STATUS          PORTS   NAMES
      21e88b0b71e7   weaveworks/plugin:1.5.0      "/home/weave/plugin"     21 minutes ago   Up 21 minutes           weaveplugin
      4ff36b0361b0   weaveworks/weaveexec:1.5.0   "/home/weave/weavepro"   21 minutes ago   Up 21 minutes           weaveproxy
      b9944c11dadf   weaveworks/weave:1.5.0       "/home/weave/weaver -"   21 minutes ago   Up 21 minutes           weave

    – Check the connection status
      fairus@ubuntu:~$ weave status connections
      -> 192.168.56.101:6783 established fastdp 56:d7:c9:8e:d3:c3(ubuntu)
    – If it fails, reset and launch again
      • weave reset; weave launch <ip peer host>
• 19. Weave Net Demo
  • Test the weave network
    – List the weave networks
      fairus@ubuntu:~$ docker network ls
      NETWORK ID          NAME                DRIVER
      88033f39d3bf        bridge              bridge
      02ae59ef8859        docker_gwbridge     bridge
      f610c728464c        host                host
      41b5fa0b4ff7        none                null
      ff85a0ceb3cd        weave               weavemesh
    – Run a container on both hosts
      • docker run --net weave -it alpine sh
    – Ping each other using the IP address
    – Run a container with a hostname on both machines
      • docker run --net weave -h c1.weave.local $(weave dns-args) -it alpine sh
      • docker run --net weave -h c2.weave.local $(weave dns-args) -it alpine sh
    – From the container, ping each other using the hostname (i.e. c1 & c2)
    – From the host, check the dns entries
      fairus@ubuntu:~$ weave status dns
      c1           10.32.0.1       47097e28f5ee 56:d7:c9:8e:d3:c3
      c2           10.40.0.1       acd772f5b19e 3e:40:22:84:b7:e7
• 20. Authorization Plugin
  • An authorization plugin approves or denies requests to the Docker daemon based on both the current authentication context and the command context.
  • The authentication context contains all user details and the authentication method.
  • The command context contains all the relevant request data.
• 23. What is Image Whitelist
  • https://github.com/fairuskhalid/whitelist
  • The Image Whitelist Docker plugin implementation is based on the Docker Authorization plugin model. The plugin looks up the allowed images in the whitelist before an image can be run. With this, the owner or administrator of the host machine can control what can be run on the machine.
• 24. Image Whitelist (flow diagram)
  Participants: Docker client, Docker daemon, whitelist plugin, whitelist server.
  • run: try to run a container; start: try to start a container
  • The plugin checks whether the image is in the whitelist or not. If yes, allow; otherwise disallow.
  • allow/disallow → the command succeeds or fails
  • getlist: get the updated list every specified interval
  • The admin updates whitelist.dat
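The decision logic of the flow above, written in Go for this page as an added example (it is not the fairuskhalid/whitelist code): it parses the whitelist.dat layout the slides use, matches the two daemon API calls that a docker run produces (container create and container start), and fails closed. The AuthZRequest/AuthZResponse fields follow docker's pkg/authorization/api.go; the Lookups callbacks (ImageID, ContainerImage) are this example's stand-ins for the engine-api inspect calls the real plugin makes, and the '#' comment handling in ParseWhitelist is also an addition.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
	"sync"
)

// Wire types, mirroring docker's pkg/authorization/api.go (only the fields the
// decision reads). RequestBody is base64 on the wire; encoding/json decodes it.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod,omitempty"`
	RequestURI    string `json:"RequestUri,omitempty"`
	RequestBody   []byte `json:"RequestBody,omitempty"`
}

type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Whitelist is the set of allowed image IDs. Replace swaps the whole map so an
// in-flight check never sees a half-updated list.
type Whitelist struct {
	mu  sync.RWMutex
	ids map[string]bool
}

// ParseWhitelist reads the whitelist.dat layout from the slides: one
// "sha256:<hex>" image ID per line. Blank and '#' lines are skipped (comment
// support is this example's addition).
func ParseWhitelist(data string) map[string]bool {
	ids := make(map[string]bool)
	for _, line := range strings.Split(data, "\n") {
		if line = strings.TrimSpace(line); line != "" && !strings.HasPrefix(line, "#") {
			ids[line] = true
		}
	}
	return ids
}

func (w *Whitelist) Replace(ids map[string]bool) { w.mu.Lock(); w.ids = ids; w.mu.Unlock() }

func (w *Whitelist) Contains(id string) bool { w.mu.RLock(); defer w.mu.RUnlock(); return w.ids[id] }

// Lookups are the engine queries the decision needs. The real plugin answers
// them through engine-api (ImageInspect, ContainerInspect); they are injected
// here (an assumption of this example) so the policy runs without a daemon.
type Lookups struct {
	ImageID        func(ref string) (string, error) // "alpine" -> "sha256:..."
	ContainerImage func(id string) (string, error)  // container ID -> "sha256:..."
}

// Paths are matched with or without the API version prefix (/v1.24/...).
var (
	createRe = regexp.MustCompile(`^(?:/v[0-9.]+)?/containers/create$`)
	startRe  = regexp.MustCompile(`^(?:/v[0-9.]+)?/containers/([^/]+)/start$`)
)

// Decide is the AuthZReq policy. "docker run" reaches the daemon as a create
// (image named in the JSON body) followed by a start (image reachable through
// the container), so those two POSTs are checked and every other call passes.
// Anything that does not resolve to a whitelisted ID is denied (fail closed).
func Decide(w *Whitelist, lk Lookups, req AuthZRequest) AuthZResponse {
	path := req.RequestURI
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // drop query parameters such as ?name=...
	}
	var id string
	var err error
	if req.RequestMethod != http.MethodPost {
		return AuthZResponse{Allow: true}
	} else if createRe.MatchString(path) {
		var body struct{ Image string }
		if err = json.Unmarshal(req.RequestBody, &body); err == nil {
			id, err = lk.ImageID(body.Image)
		}
	} else if m := startRe.FindStringSubmatch(path); m != nil {
		id, err = lk.ContainerImage(m[1])
	} else {
		return AuthZResponse{Allow: true}
	}
	if err != nil || !w.Contains(id) {
		return AuthZResponse{Allow: false, Msg: "Unauthorized Image."}
	}
	return AuthZResponse{Allow: true}
}

func main() {
	// Stand-alone smoke run with a constructed ID; the policy is exercised
	// properly by the plugin's AuthZReq handler.
	wl := &Whitelist{ids: ParseWhitelist("sha256:constructed-example-id\n")}
	fmt.Printf("%+v\n", Decide(wl, Lookups{}, AuthZRequest{RequestMethod: "GET", RequestURI: "/_ping"}))
}
```

The periodic getlist step of the diagram maps onto Replace: fetch the list from the whitelist server on a timer and swap it in. If a fetch fails, keep the previous list rather than installing an empty one, since an empty list denies every run while a skipped check would allow every run; both are worse than stale data.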
• 25. Setup
  • To use the image whitelist plugin
    – Install docker
    – Pull the image whitelist plugin from docker hub
    – Try out the image whitelist
  • To update and build the code
    – Install go
    – Setup environment
    – Install make
    – Build
• 26. Install docker
  • https://docs.docker.com/engine/installation/
  • Make sure it works:
    – sudo docker run hello-world
  • Allow the user to run docker
    – sudo groupadd docker
    – sudo usermod -aG docker username
    – Logout and login again
• 27. Try out image whitelist
  • Pull the images from docker hub
    – docker pull fairus/wlserver:v1
    – docker pull fairus/wlplugin:v1
  • Run the containers
    – docker run -d --restart=always -p 8080:8080 fairus/wlserver:v1
    – docker run -d --restart=always -v /var/run:/var/run -v /run/docker/plugins/:/run/docker/plugins -v /etc/group:/etc/group fairus/wlplugin:v1 /wlplugin -wlhost http://localhost:8080/getlist
• 28. Try out image whitelist
  Terminal 1:
  # pull image from docker hub
  fairus@ubuntu:~$ docker pull fairus/wlserver:v1
  fairus@ubuntu:~$ docker pull fairus/wlplugin:v1
  # run the plugin and server
  fairus@ubuntu:~$ docker run -d --restart=always -p 8080:8080 fairus/wlserver:v1
  fairus@ubuntu:~$ docker run -d --restart=always -v /var/run:/var/run -v /run/docker/plugins/:/run/docker/plugins -v /etc/group:/etc/group fairus/wlplugin:v1 /wlplugin -wlhost http://192.168.56.101/getlist

  Terminal 2 (root user):
  # update docker service in systemd
  root@ubuntu:/run/docker/plugins# systemctl edit --full docker.service
  ...
  ExecStart=/usr/bin/docker daemon -H fd:// --authorization-plugin=whitelist-plugin
  ...
  # restart docker service
  root@ubuntu:/run/docker/plugins# service docker restart

  Terminal 1:
  # try run alpine container
  fairus@ubuntu:~$ docker run -it alpine sh
  docker: Error response from daemon: authorization denied by plugin whitelist-plugin: Unauthorized Image.
• 29. Try out image whitelist
  Terminal 1:
  # check alpine image id
  fairus@ubuntu:~$ docker inspect alpine | grep Id
  "Id": "sha256:d7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac",
  # copy whitelist.dat from wlserver container to the host
  fairus@ubuntu:~$ docker ps | grep wlserver
  5c561b1cd9b2   fairus/wlserver:v1   "/wlserver"   24 minutes ago   Up 21 minutes   0.0.0.0:8080->8080/tcp   prickly_jang
  fairus@ubuntu:~$ docker cp 5c561b1cd9b2:whitelist.dat whitelist.dat
  fairus@ubuntu:~$ ls
  goenv.sh  src  whitelist.dat  work
  # update whitelist.dat with alpine image id and copy back into wlserver container
  fairus@ubuntu:~$ docker inspect alpine | grep Id
  "Id": "sha256:d7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac",
  fairus@ubuntu:~$ echo sha256:d7a513a663c1a6dcdba9ed832ca53c02ac2af0c333322cd6ca92936d1d9917ac > whitelist.dat
  fairus@ubuntu:~$ docker cp whitelist.dat 5c561b1cd9b2:whitelist.dat
  # wait for couple of minutes before run the alpine container again
  fairus@ubuntu:~$ docker cp whitelist.dat 5c561b1cd9b2:whitelist.dat
  fairus@ubuntu:~$ docker run -it alpine sh
  / #
• 30. Setup Build Environment
  • Install go
    – follow the guide in: https://golang.org/doc/install
    – wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz
    – sudo tar -C /usr/local -xzf go1.6.2.linux-amd64.tar.gz
    – export PATH=$PATH:/usr/local/go/bin
  • Test go
    – go version
  • Create and export the working dir (e.g. work)
    – mkdir work
    – export GOPATH=$HOME/work
  • Install godep
    – go get github.com/tools/godep
  • Install make
    – sudo apt-get install make
• 31. Going Through The Code
  • Go helpers package:
    – https://github.com/docker/go-plugins-helpers
    – https://godoc.org/github.com/docker/go-plugins-helpers/authorization
• 32. Bare Minimum (annotated code screenshot)
  Labels on the code: Include Package; Plugin socket you bind to; Plugin class; Plugin instantiation; Interface Implementation
• 33. build and run plugin
  Terminal 1:
  # build the code
  fairus@ubuntu:wshop$ go build -o wplugin main.go
  fairus@ubuntu:wshop$ ls -l
  total 8200
  -rw-rw-r-- 1 fairus fairus     624 May 10 08:15 main.go
  -rwxrwxr-x 1 fairus fairus 8382368 May 10 08:46 wplugin
  # run the plugin
  fairus@ubuntu:wshop$ sudo ./wplugin

  Terminal 2 (root user):
  # check the plugin is running
  root@ubuntu:/run/docker/plugins# ls -l
  total 0
  srw-rw---- 1 root root 0 May 10 08:47 plugin.sock
  srwxr-xr-x 1 root root 0 May  9 15:39 weavemesh.sock
  srwxr-xr-x 1 root root 0 May  9 15:39 weave.sock
• 34. setup dockerd & run test
  Terminal 2 (root user):
  # update docker service in systemd
  root@ubuntu:/run/docker/plugins# systemctl edit --full docker.service
  ...
  ExecStart=/usr/bin/docker daemon -H fd:// --authorization-plugin=plugin
  ...
  # restart docker service
  root@ubuntu:/run/docker/plugins# service docker restart
  # try it out
  root@ubuntu:/run/docker/plugins# docker ps

  Terminal 1:
  # kill the plugin
  fairus@ubuntu:wshop$ sudo ./wplugin
  ^C

  Terminal 2 (root user):
  # try it out again
  root@ubuntu:/run/docker/plugins# docker ps
  Error response from daemon: plugin plugin failed with error: Post http://%2Frun%2Fdocker%2Fplugins%2Fplugin.sock/AuthZPlugin.AuthZReq: dial unix /run/docker/plugins/plugin.sock: connect: connection refused
• 35. Looking at the message
  https://github.com/docker/docker/blob/master/pkg/authorization/api.go
• 36. build and run again
  This is how the message looks. Now we can add in our logic.
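Slides 32 to 36 show the bare-minimum plugin only as a screenshot. The following is an added example written for this page (not the workshop's main.go and not the go-plugins-helpers library) that builds the same skeleton from the standard library alone: the Plugin.Activate handshake of slide 10's RPC-over-HTTP API, the AuthZReq handler that decodes and logs the message of slide 35 before applying a policy, the AuthZRes hook, and the socket bound under /run/docker/plugins so that the daemon started with --authorization-plugin=plugin from slide 34 finds it. AllowAll is the placeholder policy to be swapped for the whitelist check; the 0600 socket mode is this example's choice.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"os"
	"path/filepath"
)

// AuthZRequest is the JSON the daemon POSTs to /AuthZPlugin.AuthZReq (field
// names from docker's pkg/authorization/api.go). RequestBody arrives
// base64-encoded; encoding/json decodes it into the byte slice.
type AuthZRequest struct {
	User            string            `json:"User,omitempty"`
	UserAuthNMethod string            `json:"UserAuthNMethod,omitempty"`
	RequestMethod   string            `json:"RequestMethod,omitempty"`
	RequestURI      string            `json:"RequestUri,omitempty"`
	RequestBody     []byte            `json:"RequestBody,omitempty"`
	RequestHeaders  map[string]string `json:"RequestHeaders,omitempty"`
}

// AuthZResponse: Allow=false makes the daemon answer the client with
// "authorization denied by plugin <name>: <Msg>", as seen on slide 28.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

const pluginsDir = "/run/docker/plugins" // plugin discovery directory (slide 9)

// NewHandler wires the three RPC endpoints. Every call is a POST carrying
// JSON, versioned by the Accept header application/vnd.docker.plugins.v1+json.
func NewHandler(decide func(AuthZRequest) AuthZResponse) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		// Handshake: tell the daemon which plugin types this process implements.
		writeJSON(w, map[string][]string{"Implements": {"authz"}})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, r *http.Request) {
		var req AuthZRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			// A message we cannot parse is denied, not waved through.
			writeJSON(w, AuthZResponse{Allow: false, Msg: "bad authorization request", Err: err.Error()})
			return
		}
		// This is "the message" of slides 35-36: log it, then apply the policy.
		log.Printf("AuthZReq user=%q authn=%q %s %s body=%s",
			req.User, req.UserAuthNMethod, req.RequestMethod, req.RequestURI, req.RequestBody)
		writeJSON(w, decide(req))
	})
	mux.HandleFunc("/AuthZPlugin.AuthZRes", func(w http.ResponseWriter, r *http.Request) {
		// Response-phase hook: the whitelist decides on the request, so allow here.
		writeJSON(w, AuthZResponse{Allow: true})
	})
	return mux
}

func writeJSON(w http.ResponseWriter, v interface{}) {
	w.Header().Set("Content-Type", "application/vnd.docker.plugins.v1+json")
	json.NewEncoder(w).Encode(v)
}

// AllowAll is the bare-minimum policy of slide 32: log and approve everything.
func AllowAll(AuthZRequest) AuthZResponse { return AuthZResponse{Allow: true} }

// Serve binds the plugin to <pluginsDir>/<name>.sock so a daemon started with
// --authorization-plugin=<name> finds it. A stale socket from a previous run
// is removed first, and the mode is tightened to 0600 so only root (the
// daemon) can connect to it.
func Serve(name string, h http.Handler) error {
	sock := filepath.Join(pluginsDir, name+".sock")
	os.Remove(sock)
	l, err := net.Listen("unix", sock)
	if err != nil {
		return err
	}
	if err := os.Chmod(sock, 0600); err != nil {
		return err
	}
	return http.Serve(l, h)
}

func main() {
	log.Fatal(Serve("plugin", NewHandler(AllowAll)))
}
```

Run it as root exactly like the wplugin binary on slide 33 (sudo ./wplugin), and plugin.sock appears in /run/docker/plugins; the log line printed for each docker command is the same information the socat relay on slide 39 exposes, without a second socket.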
• 37. Image whitelist implementation
  • Package engineapi provides libraries to implement client and server components compatible with the Docker engine. The client package in github.com/docker/engine-api/client implements all necessary requests to implement the official Docker engine cli.
    – Create a new client, then use it to send and receive messages to the Docker engine API:
      defaultHeaders := map[string]string{"User-Agent": "engine-api-cli-1.0"}
      cli, err := client.NewClient("unix:///var/run/docker.sock", "v1.22", nil, defaultHeaders)
    – https://godoc.org/github.com/docker/engine-api
  • This library implements a cron spec parser and runner.
    – https://godoc.org/github.com/robfig/cron
  • Package logrus is a structured logger for Go, completely API compatible with the standard library logger.
    – https://godoc.org/github.com/Sirupsen/logrus
• 38. Build and Package
  • Get the code from github using go
    – go get github.com/fairuskhalid/whitelist
  • Restore the dependencies (this will take a while)
    – cd $HOME/work/src/github.com/fairuskhalid/whitelist
    – godep restore
  • Build
    – make
  • Create a docker image
    – cp the wlplugin executable and Dockerfile.plugin into an empty dir
    – Rename Dockerfile.plugin to Dockerfile
    – docker build -t plugin .
• 39. Troubleshoot (diagram: Docker client → /var/run/docker.sock → Docker daemon → fake socket /run/docker/plugins/fake.sock → socat → /run/docker/plugins/whitelist-plugin.sock → whitelist plugin)
  1. Install socat
     • sudo apt-get install socat
  2. Run the plugin
  3. Run socat
     • sudo socat -v UNIX-LISTEN:/run/docker/plugins/fake.sock UNIX-CONNECT:/run/docker/plugins/whitelist-plugin.sock
  4. Run the docker daemon with the plugin option pointing to the fake socket
     • --authorization-plugin=fake
  5. Run a docker command and view the message output in the socat terminal
  • 41. Q & A