26. A commercial product, built on a development platform, built on infrastructure, built on standards.
Docker is building a stack to program the Internet
27. Isolation using Linux kernel features
namespaces: pid, mnt, net, uts, ipc, user
cgroups: memory, cpu, blkio, devices
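The slide names the kernel features but not how to see them. The following shell snippet is an added example, not part of the deck: it reads the namespace and cgroup membership of a process from /proc (assumes a Linux host with /proc mounted) and shows how each docker run flag maps onto one of the listed features. The function names are mine; the docker flags are the real CLI flags (--cpus needs docker 1.13 or later), and run_hardened is only defined here, not executed.

```shell
#!/bin/sh
# Added example, not from the deck. Assumes a Linux host with /proc mounted;
# run_hardened additionally assumes docker >= 1.13 and is only defined here.

# ns_inode PID TYPE -> "TYPE:[inode]". Two processes are isolated for that
# namespace type exactly when the inodes differ.
ns_inode() { readlink "/proc/$1/ns/$2"; }

# same_ns PID_A PID_B TYPE -> yes | no
same_ns() {
  if [ "$(ns_inode "$1" "$3")" = "$(ns_inode "$2" "$3")" ]; then
    echo yes
  else
    echo no
  fi
}

# cgroup_paths PID -> the cgroup path(s) the process is charged to
# (cgroup v1: one line per controller; cgroup v2: a single "0::/..." entry).
cgroup_paths() { cut -d: -f3 "/proc/$1/cgroup" | sort -u; }

# ns_report PID -> one line per namespace type from the slide, compared to PID 1.
# Run on a container process from the host: pid/mnt/net/uts/ipc print "no",
# user prints "yes" unless the daemon runs with --userns-remap (by default the
# host user namespace is shared, so root in the container is root on the host).
ns_report() {
  for t in pid mnt net uts ipc user; do
    printf '%-4s shared with pid 1: %s\n' "$t" "$(same_ns 1 "$1" "$t")"
  done
}

# run_hardened NAME -> the deck's demo image with each kernel feature pinned:
#   --pids-limit            pids cgroup (fork-bomb ceiling)
#   --memory / --cpus       memory and cpu cgroups
#   --blkio-weight          blkio cgroup
#   --cap-drop / --cap-add  capability bounding set inside the namespaces
#   --read-only / --tmpfs   mnt namespace with an immutable root filesystem
#   no-new-privileges       blocks setuid escalation inside the container
run_hardened() {
  docker run -d --name "$1" \
    --pids-limit 200 \
    --memory 512m --cpus 1.5 \
    --blkio-weight 500 \
    --cap-drop ALL --cap-add NET_BIND_SERVICE \
    --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    -p 8090:8080 chanezon/spring-doge
}
```

From the host, `ns_report "$(docker inspect -f '{{.State.Pid}}' doge)"` shows which of the slide's namespaces a container actually got, and `cgroup_paths` on the same PID shows the cgroup under which the limits from run_hardened are enforced.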
33. Run a container
docker run --env MONGODB_URI=mongodb://mongo:27017/test -p 8090:8080 chanezon/spring-doge
34. docker-compose: running multiple containers
Run your stack with one command: docker-compose up
Describe your stack with one file: docker-compose.yml

version: '2'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8080:8080"
    links: ["mongo"]
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
  mongo:
    image: mongo
35. docker stack deploy
Deploy your stack with one command: docker stack deploy
Describe your stack with one file: docker-compose.yml

version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    depends_on:
      - mongo
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
37. Spring Boot App using MongoDB
• Spring Boot, Spring Data
• AngularJS front-end
• docker 1.12
• compose 1.8.1
https://github.com/joshlong/spring-doge
https://github.com/chanezon/docker-tips/
https://github.com/chanezon/spring-doge
48. Deep integration with native load-balancers, templates,
SSH keys, ACLs, scaling groups, firewall rules…
50. Docker & Microsoft
• Build
  • Docker Toolbox & Kitematic for Windows
  • Docker for Windows beta
  • Docker engine on Windows Server 2016 TP4
  • yo-docker to dockerize existing projects
  • Visual Studio Docker Tools
• Ship
  • VSTS extension for Docker beta
• Run
  • Azure Docker agent
  • ACS
  • Docker datacenter on Azure ARM template
52. What's New in Docker 1.13
• Compose file support for Swarm mode service deployment
  • docker stack deploy --compose-file=docker-compose.yml my_stack
• System commands
  • docker system df
  • docker system prune
• Monitoring
  • docker service logs
  • Prometheus experimental metrics endpoint
• Build
  • docker build --squash
• CPU management: --cpus 2.5
• Docker for AWS & Azure GA
58. Goldilocks and the 3 XaaS
Platform As A Service: too high
Infrastructure As A Service: too low
Software As A Service
Container As A Service: just right
59. Example
“- When do you guys support FORT
- Sorry it’s not supported by Cloud F
63. The Key Components of Container Security
Usable Security: secure defaults with tooling that is native to both dev and ops
Trusted Delivery: everything needed for a fully functioning app is delivered safely and guaranteed not to be tampered with
Infrastructure Independent: all of these things in your system are in the app platform and can move across infrastructure without disrupting the app
Usable Security + Trusted Delivery + Infrastructure Independent = Safer Apps
68. What's New in Docker Datacenter on Docker 1.13
Application Services
• Secrets Management
• HTTP Routing Mesh (GA)
• Docker Compose for Services
• Access control for Secrets and Volumes
Content Trust and Distribution
• Image Content Cache
• On premises image security scanning and vulnerability monitoring
• Registry Webhooks
• DTR install command from UI
Platform Enhancements
• UI Enhancements
• Additional LDAP configs
• Templates for AWS, Azure
69. Integrated Secrets Management
[Diagram: three managers sharing an internal distributed store (Raft consensus group), worker nodes, an external app and the Web UI]
• Management
  – Admins can add/remove/list/update secrets in the cluster
  – Exposed to a container via a tmpfs mount at /run/secrets/<secret_name> (in memory only, never written to the worker's disk)
• Authorization
  – Tag secrets to a specific service
  – Admins can authorize secrets access to users/teams via RBAC
• Rotation
  – Use GUI to update a secret to all containers in a service
• Auditing
  – Each user request for secret access logged in cluster for auditing
74. Compose for Services
• Deploy stacks (services, volumes, networks, secrets) using new
Compose file v3.1 format
• Manage and monitor stacks directly from UCP UI
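The stack files on slides 34 and 35 pass MONGODB_URI through environment:, so any credential placed in that URI ends up in the stack file, in docker inspect output and in the process environment of every task. The following shell snippet is an added example, not part of the deck or of the spring-doge project: it rewrites the slide-35 stack in the Compose v3.1 format from this slide so that the password is a Docker secret (slide 69) mounted at /run/secrets, and shows the entrypoint logic that turns the secret file into a connection URI. Assumptions: Docker 1.13 or later in swarm mode; a wrapper entrypoint around the web image that calls mongo_uri_from_secret (hypothetical, the real image reads MONGODB_URI from the environment); a mongo image tag that honours MONGO_INITDB_ROOT_PASSWORD_FILE; the function names and the user name doge are mine.

```shell
#!/bin/sh
# Added example, not from the deck. Assumes Docker >= 1.13 in swarm mode, a
# wrapper entrypoint for the web image that calls mongo_uri_from_secret
# (hypothetical), and a mongo image tag honouring MONGO_INITDB_ROOT_PASSWORD_FILE.

# write_stack_file PATH -> v3.1 stack file that mounts the secret instead of
# putting the password in the environment (where docker inspect would show it).
write_stack_file() {
  cat >"$1" <<'EOF'
version: '3.1'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_USER=doge
      - MONGODB_PASSWORD_FILE=/run/secrets/mongo_password
    secrets:
      - mongo_password
    depends_on:
      - mongo
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
    environment:
      - MONGO_INITDB_ROOT_USERNAME=doge
      - MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
    secrets:
      - mongo_password
secrets:
  mongo_password:
    external: true
EOF
}

# mongo_uri_from_secret USER FILE [HOST] [DB] -> connection URI built from the
# secret file. Fails (non-zero) rather than emitting a credential-less URI when
# the secret was not mounted, which is what happens if the service was deployed
# without the secrets: entry.
mongo_uri_from_secret() {
  user=$1; file=$2; host=${3:-mongo:27017}; db=${4:-test}
  if [ ! -s "$file" ]; then
    echo "secret file $file is missing or empty" >&2
    return 1
  fi
  # Percent-encode the characters that would break the userinfo part of the
  # URI; '%' first so the encodings themselves are not re-encoded.
  pw=$(sed -e 's/%/%25/g' -e 's/@/%40/g' -e 's/:/%3A/g' -e 's#/#%2F#g' "$file")
  printf 'mongodb://%s:%s@%s/%s\n' "$user" "$pw" "$host" "$db"
}

# deploy_stack STACK -> create the secret from a fresh random value and deploy
# (docker required; not run by the checks). tr strips the newline so it does not
# become part of the password.
deploy_stack() {
  write_stack_file docker-compose.yml
  openssl rand -base64 24 | tr -d '\n' | docker secret create mongo_password -
  docker stack deploy --compose-file=docker-compose.yml "$1"
}
```

In the wrapper entrypoint, `export MONGODB_URI=$(mongo_uri_from_secret "$MONGODB_USER" "$MONGODB_PASSWORD_FILE")` followed by exec of the application keeps the password out of the stack file and out of docker inspect; it is still present in that one process's environment, so the /run/secrets file is the better thing to read directly when the application supports it.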
75. Built in HTTP Routing Mesh (Now GA!)
• Extend TCP routing mesh to HTTP hostname routing for services
• HTTPS support via SNI protocol
• Support for multiple HRM networks for enhanced app isolation
• External LB routes hostnames to nodes
• Can add hostname routing via UI
• Non-service containers continue to use Interlock ref arch
[Diagram: an external load balancer receives traffic via DNS for Foo.com, Bar.com and Qux.com (HTTP to port 80 or other) and spreads it across worker nodes running the routing mesh]
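The slide and its speaker notes describe hostname routing by service label but do not show a label. The following shell snippet is an added example, not part of the deck: it builds the label values, shows the docker service create call that attaches a service to the mesh, and models the Host-header lookup the mesh performs ("foo.com" → "S1" in the notes) over constructed service/label lines. Assumptions: the UCP 2.1 label syntax com.docker.ucp.mesh.http.<port>=external_route=<url>,internal_port=<port> with sticky_sessions=<cookie> and sni:// routes, the default HRM network name ucp-hrm, and the service names and hostnames, which are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the deck. Assumes the UCP 2.1 HRM label syntax
# (com.docker.ucp.mesh.http.<port>=external_route=<url>,internal_port=<port>)
# and the default HRM network ucp-hrm; services S1/S2 and hostnames are constructed.

# hrm_label PORT HOST [COOKIE] -> label value for HTTP hostname routing;
# a cookie name turns on sticky sessions for that route.
hrm_label() {
  v="external_route=http://$2,internal_port=$1"
  [ -n "${3:-}" ] && v="$v,sticky_sessions=$3"
  printf '%s\n' "$v"
}

# hrm_sni_label PORT HOST -> HTTPS pass-through: the mesh routes on the TLS SNI
# name only and never holds the key, so the service itself must terminate TLS.
hrm_sni_label() { printf 'external_route=sni://%s,internal_port=%s\n' "$2" "$1"; }

# create_routed_service NAME IMAGE HOST -> attach the service to the HRM network
# and publish it under HOST (docker required; not run by the checks).
create_routed_service() {
  docker service create --name "$1" --network ucp-hrm \
    --label "com.docker.ucp.mesh.http.8080=$(hrm_label 8080 "$3")" "$2"
}

# route_for_host HOST < "service<TAB>label-value" lines -> the service the mesh
# would pick for the Host header. Prints nothing when no route matches, so a
# typo in a label surfaces as a 404 rather than as traffic landing on another
# tenant's service.
route_for_host() {
  awk -v host="$1" -F'\t' '
    {
      n = split($2, kv, ",")
      for (i = 1; i <= n; i++) {
        if (kv[i] ~ /^external_route=/) {
          url = substr(kv[i], 16)
          sub(/^[a-z]+:\/\//, "", url)   # drop http:// or sni://
          sub(/[:\/].*$/, "", url)       # drop port or path
          if (url == host) { print $1; exit }
        }
      }
    }'
}
```

A listing of `docker service ls -q | xargs docker service inspect -f '{{.Spec.Name}} {{.Spec.Labels}}'` gives the real input for route_for_host once the tab separator is applied; the point of the lookup is that the hostname, not the published port, decides which service answers.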
77. Docker in Production
60% of Docker users are already running in production (Docker Survey: State of Applications, Q1 2016)
Companies with 500+ employees running container technology in production (Cluster HQ: State of Container Usage, June 2016)
79. Docker Enabling Critical Transformations
80%: Docker is central to cloud strategy (Cloud)
3 out of 4: top initiatives revolve around applications (App Modernization)
44%: looking to adopt DevOps (DevOps)
Docker Survey: State of App development, Q1 2016
80. The Data Shows Hybrid Infrastructure and Applications
2016 Docker Use Cases / Docker Workloads
Docker Survey: State of App development, Q1 2016
81. Java Examples
• Spring Boot, MongoDB, compose, swarm, networking
  • https://github.com/joshlong/spring-doge
  • https://github.com/chanezon/docker-tips/orchestration-networking
• Java EE 7 / Angular App with Docker Swarm by @mgreau: Compose for build and deploy, Wildfly, Apache, Angular, Mysql, Redis, batch and API apps
  • https://github.com/mgreau/docker4dev-tennistour-app
• Java EE Docker & Kubernetes by @arun-gupta
  • https://github.com/javaee-samples/docker-java
Local development environments
Self service app images
Build, Test, Deploy applications
Define app behavior and infra needs
Registry services for image storage, management and distribution
IT Ops maintains library of secure base content
Manage role based access to repos/images
Management consoles
Provision, manage infrastructure resources
Monitor, manage, scale infrastructure and applications
When approaching app containers and the security surrounding them, Docker believes there are three key components or characteristics that are critical.
Usable security - It has to be usable by the people at both ends of the app pipeline: secure by default, with tooling that makes sense for developers and operators and workflows that work for them.
Trusted Delivery - Apps move around, so you need to ensure that an app gets safely from point A to point B with proof that it hasn't been tampered with: signed and encrypted delivery, the security that is required for shipping an app.
Infrastructure independent - Totally portable to whatever infrastructure you deliver it on. The security configuration is defined at the app and can then move from a developer's workstation to a test in the cloud to a production datacenter without losing any of its security or requiring the app to be re-coded to make it work.
Build each point so the final slide has all 3 points.
Safer apps mean that when you build and deploy your app in Docker, it is intrinsically more secure.
Trusted Delivery means everything needed for the full functioning of your app is delivered in a secure and trusted manner.
All of these things in your system are in the app platform itself and move across infrastructure with it.
Secrets enable: secure API handshakes, encrypted communication, what else?
Assign secrets to services when they are ready to run and need to connect to other services (both internal and external).
Usable means people do not have to lean in to security; the defaults do the work.
Docker delivers secrets management architected for containerized applications
Usable Security: Integrated and designed with dev and ops workflows in mind
Trusted Delivery: Encrypted storage and secure transit with TLS
Infrastructure Independent: A portable security model across any infrastructure across the lifecycle
All apps are safer - Only the assigned app can access the secret, even with multiple apps on the same cluster
Docker Datacenter provides integrated secrets and container management with granular access controls for a secure software supply chain.
The HTTP routing mesh service uses these labels to route hostname requests to the correct service (e.g. "foo.com" → "S1")
Customers can set up an external LB of their choice (e.g. F5, ELB) to route hostnames to nodes via DNS
Services only; the Interlock reference architecture for UCP 1.1.x continues to function for non-service containers
Each app service can have a label corresponding to a host address
External LB routes hostnames to nodes
Non-service containers continue to use the RA with Interlock
Now Generally Available
Support for routing multiple hostnames to the same docker service
HTTPS pass-through via SNI
Sticky sessions (use named cookie to always route to same task)
Support for multiple HRM networks for increased app isolation
Increased stability during config loading and app routing failures
Improved UI
Configure hostname routing directly from service deploy/inspect pages
View app routing configs status