SOLVING REAL WORLD PRODUCTION
PROBLEMS WITH DOCKER
OCTOBER 11TH, 2016
DOCKER MEETUP, LOS ANGELES
MARC CAMPBELL
@mccode
GOALS
• Review Docker features that enable a more reliable, secure
production environment
• Present a secure build-deliver-execute process that includes
Docker in production
• Provide solutions you can start using today
“The only difference between a process in a container
and a process not in a container is a few labels on top
of a process that say ‘this is in container X’”
Jérôme Petazzoni, Docker
July 06, 2015
SECURE DELIVERY PIPELINE
BUILD DELIVER EXECUTE
BUILD
Choosing and creating container images that
will run in your production environment.
THREE DIFFERENT ROLES, EQUALLY IMPORTANT
Operations, Development, Security
Does it work? Is it Elasticsearch? I don’t want “elasticsearch-like”, I want Elasticsearch and I want version 2.4.1.
Can it be supported? Will it send alerts when it breaks? Does it support zero-downtime upgrades?
Can it be safely run? There are 2,532 Elasticsearch containers in DockerHub. Why this one?
• Development images do not have to be the same as production images
• Prefer library (official) images when possible
• Always look at the Dockerfile, regardless of pull count
• Be cautious when bind mounting the docker.sock file
Best practices
- whitelist (or choose) base images
- don’t trust “pull count” from DockerHub, find and read the Dockerfile
- use the most specific tag possible

redis@sha256:abc > redis:3.2.4 > redis:3.2 > redis:3 > redis:latest
- adopt a tagging pattern for your own images
- use security scanning (CoreOS Clair or DockerHub)
- use Docker Content Trust
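Added example, not from the talk: a small POSIX shell script that scores an image reference by how specifically it is pinned, using the ordering given above (digest, then full version, then major.minor, then major, then latest), and scans the FROM lines of a Dockerfile for references that float. The Dockerfile contents, the registry name registry.example.com and the score thresholds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the talk: score how specifically an image
# reference is pinned, following the ordering the talk gives
#   name@sha256:<digest> > name:3.2.4 > name:3.2 > name:3 > name:latest
# and flag FROM lines in a Dockerfile whose reference floats.

# Print a specificity score for one reference:
#   5 = digest, 4 = full version, 3 = major.minor, 2 = major only,
#   1 = latest, untagged, or a non-numeric tag such as "alpine".
image_specificity() {
    ref=$1
    case "$ref" in
        *@sha256:*) echo 5; return ;;
    esac
    # Strip a registry host (first path component containing '.' or ':',
    # or "localhost") so the port in registry.example.com:5000/redis is
    # not mistaken for a tag.
    name_and_tag=$ref
    case "$ref" in
        */*) first=${ref%%/*}; rest=${ref#*/}
             case "$first" in *.*|*:*|localhost) name_and_tag=$rest ;; esac ;;
    esac
    case "$name_and_tag" in
        *:*) tag=${name_and_tag##*:} ;;
        *)   tag=latest ;;
    esac
    case "$tag" in
        latest)               echo 1 ;;
        [0-9]*.[0-9]*.[0-9]*) echo 4 ;;
        [0-9]*.[0-9]*)        echo 3 ;;
        [0-9]*)               echo 2 ;;
        *)                    echo 1 ;;
    esac
}

# Report every FROM line in a Dockerfile whose reference scores below
# the required minimum (default 4). Returns 1 if any reference floats.
check_dockerfile() {
    file=$1; min=${2:-4}; rc=0; aliases=""
    while IFS= read -r line; do
        case "$line" in
            [Ff][Rr][Oo][Mm]\ *) ;;
            *) continue ;;
        esac
        set -- $line; ref=$2
        # "FROM --platform=... image" puts the reference in the next word.
        case "$ref" in --*) ref=$3 ;; esac
        # "FROM <alias>" refers to an earlier build stage, not a registry.
        case " $aliases " in *" $ref "*) continue ;; esac
        case "$line" in *\ [Aa][Ss]\ *) aliases="$aliases ${line##* }" ;; esac
        score=$(image_specificity "$ref")
        if [ "$score" -lt "$min" ]; then
            echo "FLOATING  $ref (score $score)"; rc=1
        else
            echo "PINNED    $ref (score $score)"
        fi
    done < "$file"
    return $rc
}

# Demo on a constructed Dockerfile (not from the talk).
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM golang:1.17.5 AS builder
FROM builder
FROM redis:latest
FROM registry.example.com:5000/redis:3.2
EOF
if check_dockerfile "$sample" 4; then
    echo "all base images are pinned"
else
    echo "floating base image references found"
fi
rm -f "$sample"
```

Run it in CI against every Dockerfile in the repository with the minimum set to 5 if you want digests only; a score of 4 accepts a full version tag, which is the weakest pin that still tells you which build you got.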
Monitor images with DockerHub Security Scanning or CoreOS Clair
The current nginx container on DockerHub has:
13 Critical CVEs
23 Major CVEs
Including 1 CRITICAL OpenSSL CVE
DELIVER
Ensure the images you want to run are the
images you are running
I typed `docker run redis` so now I’m running redis…right?…right???
What happens when you type `docker run redis`:
1. `docker run redis` is resolved to `redis:latest`.
2. Does the image exist locally?
   NO: pull `redis:latest`, then create the redis container.
   YES: create the redis container.
3. Start the redis container.
The same `docker run redis` seen across the three actors (Docker CLI, Docker Engine, Docker Hub), with a trust boundary between each pair:
CLI -> Engine: CREATE
Engine: NO IMAGE locally, so PULL
Engine -> Hub: GET /V2
Engine: PARSE HEADER; Hub answers 401 AUTH REQUIRED
Engine -> Hub: POST /LOGIN
Engine -> Hub: GET /V2/…/MANIFEST
Engine -> Hub: GET /V2/…/LAYER
Engine: IMAGE COMPLETE, then CREATE and START the container
To securely download data from the Internet you must (the problems), and what Docker uses for each (the solutions):
A. Connect to a trusted host: HTTPS
B. Deliver the content over a secure channel: TLS
C. Send the content you requested: Content Addressable IDs
D. Verify the author of the content: Signed Images
Downloading and executing software from the Internet is dangerous
1. Don’t download from untrusted hosts.
   e.g.: `docker pull [--insecure-registry] 52.207.178.113/redis:latest`
2. Don’t download on insecure channels.
   e.g.: `docker pull [--insecure-registry] registry.mycompany.com/redis:latest`
3. Don’t trust the remote server to look up the content.
   e.g.: `docker pull redis:latest`
4. Don’t trust content that isn’t signed by the publisher.
   e.g.: `docker pull --disable-content-trust redis:latest`
Docker Content Trust
“Content trust gives you the ability to verify both
the integrity and the publisher of all the data
received from a registry over any channel”
WITHOUT TRUST: PULL BY TAG
$ docker pull redis
Using default tag: latest
latest: Pulling from library/redis
6a5a5368e0c2: Pull complete
<...>
2bcdfa1b63bf: Pull complete
Digest: sha256:38e873a...912
Status: Downloaded newer image for redis:latest
WITH TRUST: PULL BY SHA
$ export DOCKER_CONTENT_TRUST=1
$ docker pull redis
Using default tag: latest
Pull (1 of 1): redis:latest@sha256:c4365e...680
sha256:c4365ec...680: Pulling from library/redis
6a5a5368e0c2: Pull complete
<...>
58e3d55f4ce5: Pull complete
Digest: sha256:c4365e...680
Status: Downloaded newer image for redis@sha256:c4365e...680
Tagging redis@sha256:c4365e...680 as redis:latest
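Added example, not from the talk: with content trust on, the Digest line above is the digest that signed metadata resolved the tag to, and that is the value worth recording. This POSIX shell script parses the digest out of `docker pull` output, turns a tag reference into a name@sha256:... reference for the deployment manifest, and refuses a deploy whose resolved digest differs from the recorded one. The pull output is constructed to look like the slide's, and the digest in it is a placeholder, not a real redis image digest.

```shell
#!/bin/sh
# Added example, not from the talk: take the digest that a pull with
# DOCKER_CONTENT_TRUST=1 resolved (the "Digest:" line), record it as a
# name@sha256:... reference, and refuse a later deploy whose resolved
# digest no longer matches the recorded one.

# Print the "Digest: sha256:..." value found in `docker pull` output read
# from stdin; print nothing and return 1 when there is no such line.
digest_from_pull_output() {
    d=$(sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p' | head -n 1)
    [ -n "$d" ] || return 1
    echo "$d"
}

# Build name@sha256:... from a tag reference and a digest. Only the last
# path component may carry a tag, so a registry port is left alone.
pin_reference() {
    ref=$1; digest=$2
    name=${ref%%@*}
    case "$name" in
        */*) prefix=${name%/*}/; last=${name##*/} ;;
        *)   prefix=; last=$name ;;
    esac
    echo "${prefix}${last%%:*}@${digest}"
}

# Return 0 when the digest in the pull output on stdin equals the
# recorded digest, 1 otherwise (including when no digest was printed).
verify_pinned() {
    expected=$1
    actual=$(digest_from_pull_output) || return 1
    [ "$actual" = "$expected" ]
}

# Demo on constructed pull output; the digest is a placeholder, not a
# real redis image digest.
FAKE_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
PULL_OUTPUT="Using default tag: latest
Pull (1 of 1): redis:latest@$FAKE_DIGEST
$FAKE_DIGEST: Pulling from library/redis
6a5a5368e0c2: Pull complete
Digest: $FAKE_DIGEST
Status: Downloaded newer image for redis@$FAKE_DIGEST
Tagging redis@$FAKE_DIGEST as redis:latest"

resolved=$(printf '%s\n' "$PULL_OUTPUT" | digest_from_pull_output)
echo "record in the deployment manifest: $(pin_reference redis:latest "$resolved")"
if printf '%s\n' "$PULL_OUTPUT" | verify_pinned "$FAKE_DIGEST"; then
    echo "resolved digest matches the recorded one"
else
    echo "resolved digest differs from the recorded one; do not deploy"
fi
```

In a pipeline the pull output would come from `DOCKER_CONTENT_TRUST=1 docker pull "$ref" | tee pull.log`, and the pinned reference is what goes into the compose file or unit file, so later hosts pull exactly the bytes that were verified rather than whatever the tag points at that day.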
DEMO
• Create a signed image
• Run a signed image
• Update the image from an untrusted source
• Pull and run the new image
EXECUTE
Provide a consistent, secure environment
with continuous auditing
Center For Internet Security
• Use AppArmor / SELinux
• Enable Kernel Auditing
• User namespaces
• /var/lib/docker volume
• Enable an authorization plugin
• Use a centralized log driver
• Prevent registry v1 access
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
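Added example, not from the talk: several of the CIS items above are daemon-level settings, and the quickest check before running a full benchmark is to look at /etc/docker/daemon.json. This POSIX shell script checks a daemon.json document for the keys behind those items (the Docker 1.12-era keys icc, userns-remap, log-driver, authorization-plugins, disable-legacy-registry and insecure-registries) and shows a weak configuration beside a hardened one. Both JSON documents are constructed for the demo, and "authz-broker" is a placeholder plugin name.

```shell
#!/bin/sh
# Added example, not from the talk: check a daemon.json document for the
# settings behind the CIS items listed above. Both documents below are
# constructed for the demo; "authz-broker" is a placeholder plugin name.

WEAK_JSON='{ "insecure-registries": ["registry.mycompany.com"] }'

HARDENED_JSON='{
  "icc": false,
  "userns-remap": "default",
  "log-driver": "syslog",
  "authorization-plugins": ["authz-broker"],
  "disable-legacy-registry": true
}'

# Return 0 if the JSON on stdin sets key $1 to a value matching ERE $2.
# A regex instead of a JSON parser keeps this dependency-free; it assumes
# each key appears once, as daemon.json normally does.
json_key_matches() {
    grep -Eq "\"$1\"[[:space:]]*:[[:space:]]*$2"
}

# setting <json> <key> <ere> <label>: PASS when the key matches.
setting() {
    if printf '%s\n' "$1" | json_key_matches "$2" "$3"; then
        echo "PASS  $4"
    else
        echo "WARN  $4 (\"$2\" is not set to $3)"
    fi
}

# absent <json> <key> <label>: PASS when the key is missing or an empty list.
absent() {
    if printf '%s\n' "$1" | json_key_matches "$2" '\[[^]]'; then
        echo "WARN  $3 (\"$2\" is configured)"
    else
        echo "PASS  $3"
    fi
}

# Print one line per finding and return the number of WARN findings.
audit_daemon_json() {
    report=$(
        setting "$1" icc false "2.1 inter-container traffic restricted"
        setting "$1" userns-remap '"[^"]+"' "2.8 user namespace remapping enabled"
        setting "$1" authorization-plugins '\[' "2.11 authorization plugin configured"
        setting "$1" log-driver '"(syslog|journald|gelf|fluentd|awslogs|splunk)"' "2.12 centralized log driver"
        setting "$1" disable-legacy-registry true "2.13 legacy (v1) registry disabled"
        absent  "$1" insecure-registries "2.4 no insecure registries"
    )
    printf '%s\n' "$report"
    warns=$(printf '%s\n' "$report" | grep -c '^WARN') || true
    return "$warns"
}

echo "== weak daemon.json =="
audit_daemon_json "$WEAK_JSON" || echo "$? setting(s) need attention"
echo "== hardened daemon.json =="
audit_daemon_json "$HARDENED_JSON" && echo "all settings present"
```

To run it against a real host, replace the constructed documents with `$(cat /etc/docker/daemon.json)`; settings passed on the dockerd command line instead of in daemon.json will not be seen, which is what the full benchmark below is for.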
Docker Bench for Security
https://dockerbench.com/
docker run -it --net host --pid host --cap-add audit_control \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security
[WARN] 2.1 - Restrict network traffic between containers
[PASS] 2.2 - Set the logging level
[PASS] 2.3 - Allow Docker to make changes to iptables
[PASS] 2.4 - Do not use insecure registries
[WARN] 2.5 - Do not use the aufs storage driver
[INFO] 2.6 - Configure TLS authentication for Docker daemon
[INFO]     * Docker daemon not listening on TCP
[INFO] 2.7 - Set default ulimit as appropriate
[INFO]     * Default ulimit doesn't appear to be set
[WARN] 2.8 - Enable user namespace support
[PASS] 2.9 - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
[WARN] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
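Added example, not part of the talk or of docker-bench-security: the report above is only useful in production if something acts on it. This POSIX shell script summarises a docker-bench-security report and blocks a pipeline when any check the team has declared mandatory is reported as WARN or is missing from the report. The report lines are constructed to match the results on the slide, and the mandatory set is chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the talk or of docker-bench-security:
# summarise a docker-bench-security report and fail a pipeline when any
# check declared mandatory is reported as WARN (or is missing).
# The report lines are constructed to match the results on the slide.

BENCH_LOG=$(cat <<'EOF'
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[PASS] 2.3  - Allow Docker to make changes to iptables
[PASS] 2.4  - Do not use insecure registries
[WARN] 2.5  - Do not use the aufs storage driver
[INFO] 2.6  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
[WARN] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
EOF
)

# Count numbered checks on stdin carrying the given status, e.g. WARN.
# Sub-item lines ("*") are not counted.
count_status() {
    grep -c "^\[$1\] [0-9]" || true
}

# Print the status recorded for one check id (2.1, 2.10, ...) on stdin;
# prints nothing if the id does not appear.
check_status() {
    sed -n "s/^\[\([A-Z]*\)\] $1  *- .*/\1/p" | head -n 1
}

# gate "<report>" id...: PASS and INFO are accepted, WARN or an absent
# check blocks the pipeline. Returns 1 if anything blocks.
gate() {
    log=$1; shift; rc=0
    for id in "$@"; do
        status=$(printf '%s\n' "$log" | check_status "$id")
        case "$status" in
            PASS|INFO) echo "ok     $id ($status)" ;;
            *)         echo "BLOCK  $id (${status:-not found})"; rc=1 ;;
        esac
    done
    return $rc
}

printf 'WARN=%s PASS=%s INFO=%s\n' \
    "$(printf '%s\n' "$BENCH_LOG" | count_status WARN)" \
    "$(printf '%s\n' "$BENCH_LOG" | count_status PASS)" \
    "$(printf '%s\n' "$BENCH_LOG" | count_status INFO)"
# Mandatory set chosen for the demo: the CIS items the talk highlights.
if gate "$BENCH_LOG" 2.4 2.8 2.11 2.12 2.13; then
    echo "bench gate passed"
else
    echo "bench gate blocked the deploy"
fi
```

Feed it the real report with `docker run ... docker/docker-bench-security | tee bench.log` and call `gate "$(cat bench.log)"` with the ids your policy requires; INFO is accepted here because the benchmark uses it for checks that do not apply to the host.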
Review
☑ Choose images carefully
☑ Scan your Dockerfiles
☑ Enable Docker Content Trust
☑ Run Docker Benchmark for Security

More Related Content

What's hot

Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XJérôme Petazzoni
 
Docker 101 @KACST Saudi HPC 2016
Docker 101  @KACST Saudi HPC 2016Docker 101  @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016Walid Shaari
 
Architecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsArchitecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsBen Hall
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerJérôme Petazzoni
 
How to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker ComposeHow to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker ComposeEvoke Technologies
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 Docker, Inc.
 
Docker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker EcosystemDocker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker EcosystemVan Phuc
 
Docker - The Linux Container
Docker - The Linux ContainerDocker - The Linux Container
Docker - The Linux ContainerBalaji Rajan
 
Hide your development environment and application in a container
Hide your development environment and application in a containerHide your development environment and application in a container
Hide your development environment and application in a containerJohan Janssen
 
Docker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupDocker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupdotCloud
 
Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)bridgetkromhout
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Jérôme Petazzoni
 
Docker, the Future of DevOps
Docker, the Future of DevOpsDocker, the Future of DevOps
Docker, the Future of DevOpsandersjanmyr
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochranedotCloud
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Arun prasath
 
Dockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at TwilioDockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at TwiliodotCloud
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Jérôme Petazzoni
 
Docker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupJérôme Petazzoni
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureJérôme Petazzoni
 

What's hot (20)

Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12X
 
Docker 101 @KACST Saudi HPC 2016
Docker 101  @KACST Saudi HPC 2016Docker 101  @KACST Saudi HPC 2016
Docker 101 @KACST Saudi HPC 2016
 
Architecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based DeploymentsArchitecting .NET Applications for Docker and Container Based Deployments
Architecting .NET Applications for Docker and Container Based Deployments
 
Introduction To Docker
Introduction To DockerIntroduction To Docker
Introduction To Docker
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with Docker
 
How to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker ComposeHow to Dockerize Web Application using Docker Compose
How to Dockerize Web Application using Docker Compose
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
 
Docker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker EcosystemDocker-Hanoi @DKT , Presentation about Docker Ecosystem
Docker-Hanoi @DKT , Presentation about Docker Ecosystem
 
Docker - The Linux Container
Docker - The Linux ContainerDocker - The Linux Container
Docker - The Linux Container
 
Hide your development environment and application in a container
Hide your development environment and application in a containerHide your development environment and application in a container
Hide your development environment and application in a container
 
Docker presentation | Paris Docker Meetup
Docker presentation | Paris Docker MeetupDocker presentation | Paris Docker Meetup
Docker presentation | Paris Docker Meetup
 
Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)Docker in production: reality, not hype (OSCON 2015)
Docker in production: reality, not hype (OSCON 2015)
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
 
Docker, the Future of DevOps
Docker, the Future of DevOpsDocker, the Future of DevOps
Docker, the Future of DevOps
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
 
Dockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at TwilioDockerizing stashboard - Docker meetup at Twilio
Dockerizing stashboard - Docker meetup at Twilio
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
 
Docker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing Meetup
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and Azure
 

Similar to Solving Real World Production Problems with Docker

Up and running with docker
Up and running with dockerUp and running with docker
Up and running with dockerMichelle Liu
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline  DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline Docker, Inc.
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker, Inc.
 
Package your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and KubernetesPackage your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and KubernetesArun Gupta
 
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...Puppet
 
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...Docker, Inc.
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDocker, Inc.
 
[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101Naukri.com
 
Docker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualizationDocker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualizationSuresh Balla
 
Running the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerRunning the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerGuido Schmutz
 
Oracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with DockerOracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with DockerGuatemala User Group
 
Cohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel PalstraCohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel PalstraDaniel Palstra
 
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...Ambassador Labs
 

Similar to Solving Real World Production Problems with Docker (20)

Up and running with docker
Up and running with dockerUp and running with docker
Up and running with docker
 
Let's dockerize
Let's dockerizeLet's dockerize
Let's dockerize
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline  DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
 
Docker
DockerDocker
Docker
 
Docker 101 - Nov 2016
Docker 101 - Nov 2016Docker 101 - Nov 2016
Docker 101 - Nov 2016
 
Package your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and KubernetesPackage your Java EE Application using Docker and Kubernetes
Package your Java EE Application using Docker and Kubernetes
 
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
PuppetConf 2017: What’s in the Box?!- Leveraging Puppet Enterprise & Docker- ...
 
Docker
DockerDocker
Docker
 
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
Build, Publish, Deploy and Test Docker images and containers with Jenkins Wor...
 
Docker, LinuX Container
Docker, LinuX ContainerDocker, LinuX Container
Docker, LinuX Container
 
DCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development PipelineDCEU 18: Building Your Development Pipeline
DCEU 18: Building Your Development Pipeline
 
[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101[@NaukriEngineering] Docker 101
[@NaukriEngineering] Docker 101
 
Docker lxc win
Docker lxc winDocker lxc win
Docker lxc win
 
Docker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualizationDocker, a new LINUX container technology based light weight virtualization
Docker, a new LINUX container technology based light weight virtualization
 
Running the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker ContainerRunning the Oracle SOA Suite Environment in a Docker Container
Running the Oracle SOA Suite Environment in a Docker Container
 
Oracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with DockerOracle WebLogic Server 12c with Docker
Oracle WebLogic Server 12c with Docker
 
Docker intro
Docker introDocker intro
Docker intro
 
Cohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel PalstraCohesion Techsessie Docker - Daniel Palstra
Cohesion Techsessie Docker - Daniel Palstra
 
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
O'Reilly Software Architecture Conference London 2017: Building Resilient Mic...
 
The Docker Ecosystem
The Docker EcosystemThe Docker Ecosystem
The Docker Ecosystem
 

Recently uploaded

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Solving Real World Production Problems with Docker

  • 1. SOLVING REAL WORLD PRODUCTION PROBLEMS WITH DOCKER OCTOBER 11TH, 2016 DOCKER MEETUP, LOS ANGELES
  • 3. GOALS • Review Docker features that enable a more reliable, secure production environment • Present a secure build-deliver-execute process that includes Docker in production • Provide solutions you can start using today
  • 4. “The only difference between a process in a container and a process not in a container is a few labels on top of a process that say ‘this is in container X’” Jérôme Petazzoni, Docker July 06, 2015
  • 7. BUILD DELIVER EXECUTE BUILD Choosing and creating container images that will run in your production environment.
  • 8. THREE DIFFERENT ROLES, EQUALLY IMPORTANT Operations Development Security Does it work? Can it be supported? Can it be safely run? Is it Elasticsearch? I don’t want “elasticsearch-like”, I want Elasticsearch and I want version 2.4.1. Will it send alerts when it breaks? Does it support zero-downtime upgrades? There are 2,532 Elasticsearch containers in DockerHub. Why this one? BUILD DELIVER EXECUTE
  • 9. • Development images do not have to be the same as production images • Prefer library (official) images when possible BUILD DELIVER EXECUTE • Always look at the Dockerfile, regardless of pull count • Be cautious when bind mounting the docker.sock file
  • 11. Best practices - whitelist (or choose) base images - don’t trust “pull count” from DockerHub, find and read the dockerfile - use the most specific tag possible
 redis:sha256@abc > redis:3.2.4 > redis:3.2 > redis:3 > redis:latest - adopt a tagging pattern for your own images - use security scanning (coreos clair or dockerhub) - use docker content trust BUILD DELIVER EXECUTE
  • 12. Monitor images with DockerHub Security Scanning or CoreOS Clair The current nginx container on DockerHub has: 13 Critical CVEs 23 Major CVEs Including 1 CRITICAL OpenSSL CVE BUILD DELIVER EXECUTE
  • 14. DELIVER: Ensure the images you want to run are the images you are running.
  • 15. I typed `docker run redis` so now I’m running redis…right?…right???
  • 16. What happens when you type `docker run redis`:
      docker run redis → does the redis:latest image exist locally?
        no  → pull redis:latest → create redis container → start redis container
        yes → create redis container → start redis container
  • 17. Trust boundaries in `docker run redis`. Three parties are involved (Docker CLI, Docker Engine, Docker Hub), with a trust boundary between each pair:
      Docker CLI → Docker Engine: create
      Docker Engine: no image, pull
      Docker Engine → Docker Hub: GET /v2 (engine parses the response header)
      Docker Hub → Docker Engine: 401 auth required
      Docker Engine → Docker Hub: POST /login
      Docker Engine → Docker Hub: GET /v2/…/manifest
      Docker Engine → Docker Hub: GET /v2/…/layer
      Docker Engine: image complete, create
      Docker CLI → Docker Engine: start
  • 18. To securely download data from the Internet, four problems and their solutions:
      A. Connect to a trusted host → HTTPS
      B. Deliver the content over a secure channel → TLS
      C. Send the content you requested → content-addressable IDs
      D. Verify the author of the content → signed images
  • 19. Downloading and executing software from the Internet is dangerous.
      1. Don’t download from untrusted hosts, e.g. `docker pull [--insecure-registry] 52.207.178.113/redis:latest`
      2. Don’t download on insecure channels, e.g. `docker pull [--insecure-registry] registry.mycompany.com/redis:latest`
      3. Don’t trust the remote server to look up the content, e.g. `docker pull redis:latest`
      4. Don’t trust content that isn’t signed by the publisher, e.g. `docker pull --disable-content-trust redis:latest`
  • 20. Docker Content Trust: “Content trust gives you the ability to verify both the integrity and the publisher of all the data received from a registry over any channel”
  • 21. WITHOUT TRUST: PULL BY TAG
      $ docker pull redis
      Using default tag: latest
      latest: Pulling from library/redis
      6a5a5368e0c2: Pull complete
      <...>
      2bcdfa1b63bf: Pull complete
      Digest: sha256:38e873a...912
      Status: Downloaded newer image for redis:latest
  • 22. WITH TRUST: PULL BY SHA
      $ export DOCKER_CONTENT_TRUST=1
      $ docker pull redis
      Using default tag: latest
      Pull (1 of 1): redis:latest@sha256:c4365e...680
      sha256:c4365ec...680: Pulling from library/redis
      6a5a5368e0c2: Pull complete
      <...>
      58e3d55f4ce5: Pull complete
      Digest: sha256:c4365e...680
      Status: Downloaded newer image for redis@sha256:c4365e...680
      Tagging redis@sha256:c4365e...680 as redis:latest
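The difference between slides 21 and 22 is visible in the pull transcript: with content trust the tag is resolved to a digest before any layer is fetched (the `Pull (1 of 1): ...@sha256:...` line), without it the registry decides what `latest` means and the digest is only reported afterwards. The following POSIX shell script is an added example, not code from the talk: it checks a pull transcript for that resolution step, turns the result into a digest-pinned reference for deployment, and classifies image references by how much they pin. The two transcripts are constructed in the format the slides show and the digest value is made up; `DOCKER_CONTENT_TRUST=1 docker pull` is the only real command it assumes.

```shell
# Added example, not from the slides: verify that a `docker pull` transcript
# went through content trust, and pin the result by digest.

# Constructed digest (not a real image digest).
CT_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Constructed transcript of a pull with DOCKER_CONTENT_TRUST=1: the tag is
# resolved to a digest *before* any layer is downloaded.
TRUSTED_PULL_LOG="Using default tag: latest
Pull (1 of 1): redis:latest@$CT_DIGEST
$CT_DIGEST: Pulling from library/redis
6a5a5368e0c2: Pull complete
Digest: $CT_DIGEST
Status: Downloaded newer image for redis@$CT_DIGEST
Tagging redis@$CT_DIGEST as redis:latest"

# Constructed transcript of a pull without trust: no resolution step, the
# digest is only reported after the registry chose the content.
UNTRUSTED_PULL_LOG="Using default tag: latest
latest: Pulling from library/redis
6a5a5368e0c2: Pull complete
Digest: $CT_DIGEST
Status: Downloaded newer image for redis:latest"

# is_sha256 DIGEST -> true for "sha256:" followed by exactly 64 lowercase hex chars
is_sha256() {
  case "$1" in
    sha256:*) h=${1#sha256:} ;;
    *) return 1 ;;
  esac
  [ "${#h}" -eq 64 ] && printf '%s' "$h" | grep -Eq '^[0-9a-f]+$'
}

# resolved_digest LOG -> digest from the content-trust "Pull (n of m):" line,
# empty when the pull was not trust-resolved
resolved_digest() {
  printf '%s\n' "$1" |
    sed -n 's/^Pull ([0-9][0-9]* of [0-9][0-9]*): .*@\(sha256:[0-9a-f]*\)$/\1/p' | head -n 1
}

# reported_digest LOG -> digest from the "Digest:" line (printed with or without trust)
reported_digest() {
  printf '%s\n' "$1" | sed -n 's/^Digest: \(sha256:[0-9a-f]*\)$/\1/p' | head -n 1
}

# verify_trusted_pull LOG -> succeeds and prints the digest only if trust resolved
# the tag and the bytes that arrived match that resolution
verify_trusted_pull() {
  r=$(resolved_digest "$1")
  d=$(reported_digest "$1")
  [ -n "$r" ] && is_sha256 "$r" && [ "$r" = "$d" ] && printf '%s\n' "$r"
}

# pin_reference NAME DIGEST -> NAME@DIGEST, the form to put in a unit file or
# compose file so that later deploys cannot drift to a different "latest"
pin_reference() {
  is_sha256 "$2" || return 1
  printf '%s@%s\n' "$1" "$2"
}

# ref_policy REF -> pinned | tagged | floating | invalid
ref_policy() {
  ref=$1
  case "$ref" in
    *@*)
      if is_sha256 "${ref##*@}"; then echo pinned; else echo invalid; fi
      return 0 ;;
  esac
  name=${ref##*/}   # drop registry host and namespace so "host:5000/redis" is not read as a tag
  case "$name" in
    *:latest) echo floating ;;
    *:*)      echo tagged ;;
    *)        echo floating ;;   # no tag at all means :latest
  esac
}

# Usage in a deploy script: verify_trusted_pull "$(DOCKER_CONTENT_TRUST=1 docker pull redis 2>&1)"
if d=$(verify_trusted_pull "$TRUSTED_PULL_LOG"); then
  echo "trusted pull OK, deploy as: $(pin_reference redis "$d")"
fi
verify_trusted_pull "$UNTRUSTED_PULL_LOG" >/dev/null || echo "untrusted pull: no content-trust resolution in transcript"
```

The `pin_reference` output drops the tag on purpose: Docker accepts `name:tag@digest`, but only the digest is checked, so keeping the tag just invites a reader to believe it means something.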
  • 23. DEMO
      • Create a signed image
      • Run a signed image
      • Update the image from an untrusted source
      • Pull and run the new image
  • 25. EXECUTE: Provide a consistent, secure environment with continuous auditing.
  • 26. Center for Internet Security Docker benchmark, https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
      • Use AppArmor / SELinux
      • Enable kernel auditing
      • User namespaces
      • /var/lib/docker volume
      • Enable an authorization plugin
      • Use a centralized log driver
      • Prevent registry v1 access
  • 27. Docker Bench for Security, https://dockerbench.com/
      docker run -it --net host --pid host --cap-add audit_control \
        -v /var/lib:/var/lib \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /usr/lib/systemd:/usr/lib/systemd \
        -v /etc:/etc \
        --label docker_bench_security docker/docker-bench-security
  • 28. Sample Docker Bench output, section 2:
      [WARN] 2.1  - Restrict network traffic between containers
      [PASS] 2.2  - Set the logging level
      [PASS] 2.3  - Allow Docker to make changes to iptables
      [PASS] 2.4  - Do not use insecure registries
      [WARN] 2.5  - Do not use the aufs storage driver
      [INFO] 2.6  - Configure TLS authentication for Docker daemon
      [INFO]      * Docker daemon not listening on TCP
      [INFO] 2.7  - Set default ulimit as appropriate
      [INFO]      * Default ulimit doesn't appear to be set
      [WARN] 2.8  - Enable user namespace support
      [PASS] 2.9  - Confirm default cgroup usage
      [PASS] 2.10 - Do not change base device size until needed
      [WARN] 2.11 - Use authorization plugin
      [WARN] 2.12 - Configure centralized and remote logging
      [WARN] 2.13 - Disable operations on legacy registry (v1)
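Slide 26 lists the CIS daemon settings and slide 28 shows what a bench run reports; the missing piece for "continuous auditing" is turning that report into something a pipeline can act on. The POSIX shell script below is an added example and is not part of Docker Bench for Security or of the talk. It parses bench output (a constructed sample in docker-bench's line format, carrying the section 2 results shown on the slide), counts results by status, fails when any check is WARN, and emits the `daemon.json` fragment that addresses each WARN. The key names are the Docker 1.11/1.12-era daemon options; `<plugin-name>` is a placeholder and the `overlay2` and `syslog` choices are assumptions to be replaced with what the environment actually uses.

```shell
# Added example, not part of docker-bench-security: gate a deploy on a bench run
# and map each section-2 WARN to the daemon.json key that addresses it.

# Constructed sample in docker-bench-security's output format, with the
# section 2 results shown on slide 28.
BENCH_OUTPUT=$(cat <<'EOF'
[WARN] 2.1  - Restrict network traffic between containers
[PASS] 2.2  - Set the logging level
[PASS] 2.3  - Allow Docker to make changes to iptables
[PASS] 2.4  - Do not use insecure registries
[WARN] 2.5  - Do not use the aufs storage driver
[INFO] 2.6  - Configure TLS authentication for Docker daemon
[INFO]      * Docker daemon not listening on TCP
[INFO] 2.7  - Set default ulimit as appropriate
[INFO]      * Default ulimit doesn't appear to be set
[WARN] 2.8  - Enable user namespace support
[PASS] 2.9  - Confirm default cgroup usage
[PASS] 2.10 - Do not change base device size until needed
[WARN] 2.11 - Use authorization plugin
[WARN] 2.12 - Configure centralized and remote logging
[WARN] 2.13 - Disable operations on legacy registry (v1)
EOF
)

# count_status STATUS LOG -> number of result lines with that status (0 when none)
count_status() {
  printf '%s\n' "$2" | grep -c "^\[$1\]" || :
}

# warn_ids LOG -> check ids (e.g. 2.1) that came back WARN, one per line;
# the indented "*" detail lines carry no id and are skipped
warn_ids() {
  printf '%s\n' "$1" | awk '$1 == "[WARN]" && $2 ~ /^[0-9]+\.[0-9]+$/ { print $2 }'
}

# remediation ID -> daemon.json entry for a section-2 finding
# (values marked as assumptions are placeholders for the local choice)
remediation() {
  case "$1" in
    2.1)  echo '"icc": false' ;;
    2.2)  echo '"log-level": "info"' ;;
    2.3)  echo '"iptables": true' ;;
    2.4)  echo '"insecure-registries": []' ;;
    2.5)  echo '"storage-driver": "overlay2"' ;;        # assumption: any non-aufs driver
    2.6)  echo '"tlsverify": true' ;;
    2.7)  echo '"default-ulimits": {"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}}' ;;
    2.8)  echo '"userns-remap": "default"' ;;
    2.11) echo '"authorization-plugins": ["<plugin-name>"]' ;;   # placeholder
    2.12) echo '"log-driver": "syslog"' ;;                       # assumption: any remote driver
    2.13) echo '"disable-legacy-registry": true' ;;
    *)    echo '(no daemon.json key)' ;;
  esac
}

# bench_gate LOG -> returns 0 when there is no WARN; otherwise lists each
# finding with its fix and returns 1 (use its status in CI)
bench_gate() {
  n=0
  for id in $(warn_ids "$1"); do
    n=$((n + 1))
    printf 'WARN %s -> daemon.json: %s\n' "$id" "$(remediation "$id")"
  done
  [ "$n" -eq 0 ]
}

# hardened_daemon_json LOG -> a daemon.json containing one entry per WARN finding
hardened_daemon_json() {
  entries=$(
    for id in $(warn_ids "$1"); do
      r=$(remediation "$id")
      case "$r" in '('*) ;; *) printf '  %s\n' "$r" ;; esac
    done
  )
  # sed adds the separating comma to every line except the last
  printf '{\n%s\n}\n' "$(printf '%s\n' "$entries" | sed '$!s/$/,/')"
}

# Usage with a real run: bench_gate "$(docker run ... docker/docker-bench-security 2>&1)"
if bench_gate "$BENCH_OUTPUT"; then
  echo "bench: clean"
else
  echo "bench: $(count_status WARN "$BENCH_OUTPUT") warning(s); suggested daemon.json:"
  hardened_daemon_json "$BENCH_OUTPUT"
fi
```

The generated fragment is a starting point, not a drop-in: `userns-remap` changes file ownership under `/var/lib/docker` and `icc: false` breaks any container-to-container traffic that is not explicitly linked or on a user-defined network, so both need a staged rollout rather than a blind apply.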
  • 29. Review
      ☑ Choose images carefully
      ☑ Scan your Dockerfiles
      ☑ Enable Docker Content Trust
      ☑ Run Docker Bench for Security