Presentation of how Docker is used, from level 0 ("I play with it on my machine") to Docker Hero ("I run it in production").
This talk follows @dgageot's intro and therefore does not include the "what is Docker?" introduction.
18. ✓ Develop the simplest possible solution
✓ Configuration is a runtime constraint
- Not an extra-extra-flexible application
new WebServer().start(8080);
Dev
20. Continuous Delivery
• 100% reproducible environments
« docker build . » to replace « mvn install »
Dockerfile: build WAR from sources
Dockerfile: run acceptance test suite
Dockerfile: build deployable container
(stages chained with docker run and COPY)
24. Google and Containers
“Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Each week we launch more than 2 billion container instances across our global data centers, and the power of containers has enabled both more reliable services and higher, more-efficient scalability.”
http://googlecloudplatform.blogspot.fr/2014/06/an-update-on-container-support-on-google-cloud-platform.html
25. Google Managed VM
(diagram, flexibility vs. management: your app on the AppEngine runtime; your Docker image on a Managed VM; your VM on Compute Engine)
56. container security
Containers are NOT secure
http://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/
57. do you care?
Treat containers like regular services
✓ drop privileges as soon as possible
✓ run as non-root as much as possible
✓ treat root within a container as root on the host
✓ don't run untrusted containers
58. drop capabilities
capabilities - overview of Linux capabilities
Description
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
CAP_NET_ADMIN, CAP_SYS_ADMIN, …
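The two previous slides (treat root in a container as root on the host; drop capabilities) are easier to act on when you can see which capabilities a containerised process actually holds. The script below is an added example, not code from the talk: it decodes the hex CapEff/CapBnd mask that the kernel prints in /proc/<pid>/status into CAP_* names, following the bit numbering of <linux/capability.h>, and lets you assert that a dangerous capability such as CAP_SYS_ADMIN is absent. The mask 00000000a80425fb is a sample value embedded here; it is what a root process inside a container started with a plain docker run shows on a default Docker install. The docker run flags in the comments (--cap-drop, --cap-add, --user) are real Docker options, but the command lines are illustrative, not the speaker's.

```shell
#!/bin/sh
# Added example (not from the talk): decode a Linux capability mask, as printed in
# the CapEff/CapBnd lines of /proc/<pid>/status, into capability names, and check
# a container's effective set against what you intended to grant.
# Bit numbering follows <linux/capability.h>: bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.

CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE"

# decode_caps HEXMASK -> space-separated CAP_* names whose bit is set in the mask.
decode_caps() {
  mask=$(( 0x$1 ))
  bit=0
  out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      out="${out:+$out }CAP_$name"
    fi
    bit=$(( bit + 1 ))
  done
  printf '%s\n' "$out"
}

# has_cap HEXMASK NAME -> exit 0 if NAME (with or without the CAP_ prefix) is set,
# 1 if it is not, 2 if NAME is not a known capability.
has_cap() {
  mask=$(( 0x$1 ))
  want=${2#CAP_}
  bit=0
  for name in $CAP_NAMES; do
    if [ "$name" = "$want" ]; then
      if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then return 0; else return 1; fi
    fi
    bit=$(( bit + 1 ))
  done
  echo "has_cap: unknown capability $2" >&2
  return 2
}

# Inside a container: read the effective set of the current process (Linux only).
current_caps() {
  [ -r /proc/self/status ] || return 1
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Sample value (constructed for this example): the CapEff a root process shows in a
# container started with a plain "docker run", i.e. Docker's default capability set.
DOCKER_DEFAULT_CAPS=00000000a80425fb

# Illustrative hardening (hypothetical command lines, the flags themselves are real):
#   docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE IMAGE
#     -> a root process in it decodes to just CAP_NET_BIND_SERVICE (mask 0000000000000400)
#   docker run --cap-drop=ALL --user 1000:1000 IMAGE
#     -> a non-root process holds no effective capabilities at all (CapEff 0000000000000000)
echo "default docker caps: $(decode_caps "$DOCKER_DEFAULT_CAPS")"
```

Run it as-is to see the default set decoded; inside a container, `decode_caps "$(current_caps)"` shows what the process really holds, and `has_cap "$(current_caps)" SYS_ADMIN && echo "still has CAP_SYS_ADMIN"` makes a useful one-line smoke test in an acceptance suite. Note that the default set still includes CAP_NET_RAW and CAP_MKNOD, which most web applications never need; `capsh --decode=<mask>` from libcap prints the same information if it is installed.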
66. Extensibility
Alt. backends (AUFS is not an approved Linux patch)
‣ devicemapper
‣ BTRFS
‣ ZFS
‣ …
Alt. implementations
‣ Solaris Zones
‣ BSD Jails