6. Docker 101
• Virtualization platform
• Virtualizes at the process level
• Runs in Linux
• Uses Linux kernel isolation primitives
7. Ok, But Why?
• Consider traditional application of virtualization
• Significant overhead (single virtual host -> single virtual application)
• Why virtualize at the OS level?
10. …Still Not Convinced?
• When virtualization occurs at the process level, new possibilities emerge
• Docker is not the first attempt, but has gotten a lot right with their attempt
12. Docker Engine
• Daemon that listens on TCP 2376 (3376 for swarm)
• Functionality invoked through API
• Command line interface provided by Docker
• Takes in images and settings, spins up "containers" (processes)
15. Docker Build Example
Build an image through "docker build"
List all images available to the Docker daemon through "docker images"
16. Docker Engine Steps
1. Create image
2. Ensure target docker daemon has access to image
3. Tell the daemon to run the image, and pass
arguments as necessary
4. ???
5. Profit
17. Docker Engine Perks
• Hierarchical organization of Docker images works well with standard DevOps practices
• If an image runs in one location through a Docker daemon, it is guaranteed to work on all other same-version Docker daemons
• Rid yourself of dealing with dependency headaches
18. Docker Registry
• Where Git has GitHub, Docker has Docker Registry
• Version control-esque endpoint for storing Docker images
• Docker officially offers Docker Hub
• Can (and should) create and run your own Docker registry
20. Docker Registry Perks
• Single, authoritative location to store your Docker images
• Follows the central repository model of Git, SVN, other version control systems
• …my least favorite part of Docker
21. Docker Machine
• Create new Docker daemons on local or remote hosts
• Remote hosts supported across all major hosting and cloud providers
• Commands to create machines mostly the same – only changes reflect API differences between providers
• Spins up host, installs docker, installs cryptographic artifacts for secure communication
25. Docker Machine Perks
• Provider agnostic, and very easy to switch between hosting providers (change a few command line arguments)
• Go from no infrastructure to full infrastructure in <5 minutes
• Go from full infrastructure to no infrastructure in <30 seconds
26. Docker Compose
• The "orchestration" tool of the Docker ecosystem
• Enables spinning up N-tier applications in one fell swoop
• Can spin up N-tier applications locally
• Only requires a docker-compose.yml file to spin up complicated N-tier applications
27. Docker Compose File Example
Defines the various applications contained within the N-tier application
Configuration passed to applications through environment variables
Defines relationships between applications and host OS
28. Docker Compose Example
Call docker-compose in a directory containing docker-compose.yml file
File is read, images are retrieved, containers are created
N-tier application goes from non-existent to up and running in <30 seconds
29. Docker Compose Cont'd
• Reduces configuration management complexity to a single config file
• Spin up overlay networks across disparate hosting providers on the fly
• View logs across N-tier application in real time
30. Docker Compose Perks
• Can configure entire environment with one configuration file
• Reduces the complexity of N-tier application deployment and debugging
• Go from 0->60 and 60->0 faster than all traditional approaches
31. Docker Swarm
• Turn multiple separate physical hosts into a single logical host
• Out of the box management of which containers are deployed where without headache of configuration
• Fully configurable to any depth
34. Docker Swarm Perks
• Difference between deploying to a single host and deploying to 100 hosts is minimal – code does not change between the two
• Transparently increase / decrease the power of your distributed applications on the fly
• Single logical host across disparate hosts – even if those hosts are in completely different physical locations
35. Docker Ecosystem Review
• Docker Engine
  – The core "runtime" of the Docker ecosystem – takes in Docker images and spins up isolated "containers."
• Docker Registry
  – Enables the storage of Docker images in centralized fashion
• Docker Machine
  – Create and/or destroy Docker daemons on local or remote computing resources, automatically configure access to these daemons
• Docker Compose
  – Spin up/down N-tier applications in rapid fashion, drill down into N-tier deployment options as necessary
• Docker Swarm
  – Turn multiple physical or virtual hosts into a single logical host as far as Docker daemon is concerned
37. Putting it All Together
• Docker is a core component of Web Sight.IO
• One of the main reasons I've been able to stay a one-man shop
• Reduced my need for DevOps assistance to nearly nothing
39. Nothing is Perfect
• Various Docker offerings written in different languages
• Terminology has not been consolidated across offerings
• Still very much in development – breaking bugs introduced in even minor version updates
• Docker networking not particularly robust (userland UDP proxy?)
• Documentation could use work
• Standard ways of working with virtualization platforms don't necessarily translate to working with Docker (learning curve)
• Not sure what the business plan is for Docker enterprise
• Isolation is not as strong as traditional VM isolation
41. The Good
• Docker's security team is top-notch
• Traditional security flaws in Docker have been rapidly addressed, and their respective fixes have been either industry-leading or industry-standard
• Enterprise business depends heavily on building secure software, so large incentives to continue improving
• Logical abstraction of N-tier application -> single application reduces complexity
• New defenses possible when set up and tear down of environments takes seconds
42. The Bad
• Docker containers designed to run as root out-of-the-box, require additional configuration and headaches to change
• Intra-container communication may be restricted, but otherwise Docker containers have same network access as host machine
• Lots of code written by lots of people in different languages doing complex things at all levels of the OS – plenty of places for things to go wrong
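The root-by-default and network-access points above can be checked on a running host. As an added example (not code from the talk), this script audits `docker inspect` output for containers that run as root, share the host network namespace, run privileged, or have the daemon socket mounted inside them; the inspect records are constructed samples, and the field names (`Config.User`, `HostConfig.Privileged`, `HostConfig.NetworkMode`, `Mounts`) are the ones `docker inspect` actually emits.

```python
import json

# Constructed sample: a trimmed `docker inspect` document for two containers.
# Real output carries many more fields; only those checked below are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"User": "", "Image": "web:1.0"},
        "HostConfig": {"Privileged": False, "NetworkMode": "host"},
        "Mounts": [{"Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Name": "/db",
        "Config": {"User": "postgres", "Image": "postgres:9.5"},
        "HostConfig": {"Privileged": False, "NetworkMode": "app_net"},
        "Mounts": [{"Source": "dbdata",
                    "Destination": "/var/lib/postgresql/data"}],
    },
])

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(record):
    """Return the findings for one inspect record (empty list if clean)."""
    findings = []
    user = record.get("Config", {}).get("User", "") or ""
    # An empty Config.User means the image set no USER, so the process is uid 0.
    if user == "" or user.split(":")[0] in ("0", "root"):
        findings.append("runs as root (Config.User is %r)" % user)
    host_cfg = record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append("privileged: full capabilities and host device access")
    if host_cfg.get("NetworkMode") == "host":
        findings.append("shares the host network namespace (NetworkMode=host)")
    for mount in record.get("Mounts", []):
        # A mounted daemon socket gives the container full control of the daemon.
        if mount.get("Source") == DOCKER_SOCKET:
            findings.append("Docker socket mounted at " + mount.get("Destination", "?"))
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for a whole `docker inspect` document."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(text)}


if __name__ == "__main__":
    # For real data: docker inspect $(docker ps -q) > inspect.json, then load that file.
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no findings"])
```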
43. The Ugly
• Biggest dangers of using Docker are architectural
• If you thought losing your source code was bad, what happens when you lose all of your images?
• Documentation for setting up your own Registry is very poor
• Docker Registry has two levels of authentication – auth'ed and not auth'ed
• Docker daemons, if compromised, would allow malicious third-parties to spin up arbitrary software without dealing with dependencies behind your firewall
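The compromised-daemon point above, together with the TCP 2376 listener from the Docker Engine slide, comes down to whether the daemon's network listener requires client certificates. As an added example, not from the talk, this check reads daemon.json-style configuration and flags any tcp:// listener that is configured without tlsverify; both configs are constructed samples, the option names are real dockerd options, and the certificate paths are placeholders.

```python
import json

# Constructed daemon.json samples. The keys (hosts, tls, tlsverify, tlscacert,
# tlscert, tlskey) are real dockerd options; the file paths are placeholders.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,                       # encrypts the channel, authenticates nobody
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                 # clients must present a cert signed by the CA
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def tcp_listeners(cfg):
    """Listeners reachable over the network (unix:// and fd:// are local only)."""
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def check_daemon_config(text):
    """Return findings for a daemon.json document; an empty list means every
    network listener requires a verified client certificate."""
    cfg = json.loads(text)
    findings = []
    for listener in tcp_listeners(cfg):
        if cfg.get("tlsverify"):
            continue
        # "tls" alone only encrypts; without tlsverify any client that can reach
        # the port can pull images and start containers as the daemon.
        mode = "TLS without client verification" if cfg.get("tls") else "plain HTTP"
        findings.append("%s: %s; any client reaching the port can drive the daemon"
                        % (listener, mode))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", check_daemon_config(text) or ["no findings"])
```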
45. On Docker Ecosystem
• Throw out what you think you know about virtualization when first wrapping your head around the Docker ecosystem
• Docker's individual offerings are impressive, but their utility pales in comparison to what all of their offerings taken as a complete whole can accomplish
46. On Docker Security
• For the most part, Docker security is good
• Traditional security flaws will still be present within Docker and the applications built upon it, and the speed of operations with Docker gives Docker the leg up when compared to traditional approaches
• The biggest security concern organizations should have when deploying with Docker should revolve around architectural implications of their Docker deployment and considerations around the possibility of compromised Docker assets