@ndeloof
Who are you?
✓ Dev
✓ Integration/Test
✓ Acceptance / Qualif
✓ Sysadmin / Ops
level 0

DEV
✓ Exact reproduction for target environment

Not on Linux?

DEV
✓ Quickly get third party tools up-and-running
level 1
Test 
✓ Define build / test infra in your SCM
QA 
✓ Quickly get low-cost iso-production environment
level 2
Dev/Ops
A WAR archive is NOT what a sysadmin expects as delivery

best DevOps tool so far (imho)

Separation of concerns
Inside container: /var/log/myapp
VOLUME
On host: /mnt/backup/myapp/log

Ops
✓ Manage hardware / infrastructure
✓ Monitoring / backups
- Not apps « implementation details »

Dev
✓ Develop simplest possible solution
✓ Configuration is a runtime constraint
- Not extra-extra-flexible application
new WebServer().start(8080);
level 3
Continuous Delivery
• 100% Reproducible environments
« docker build . » to replace « mvn install »

Continuous Delivery
Dockerfile: build WAR from sources
Dockerfile: run acceptance test suite
Dockerfile: build deployable container
Diagram labels: docker run, COPY

What for?
✓ Cloud
✓ devices
more to come soon …
✓ on-premises

docker @ Cloud
• « build and deploy » PaaS
• binaries-based PaaS
Google and Containers
“Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Each week we launch more than 2 billion container instances across our global data centers, and the power of containers has enabled both more reliable services and higher, more-efficient scalability.”
http://googlecloudplatform.blogspot.fr/2014/06/an-update-on-container-support-on-google-cloud-platform.html

Google Managed VM
Diagram labels: your VM, your docker image, Managed VM, Compute Engine, your app, AppEngine runtime; axis: flexibility, management

Bonus Code: gde-in
level 4
New architectures
Divide and conquer
Stop the monoliths!

Divide and conquer
embrace Micro-services
‣ « the unix way »
‣ domain focussed
‣ quick release cycles
‣ segregate resources
http://yobriefca.se/blog/2013/04/29/micro-service-architecture/

Micro-service with Docker
LINK

sample: syslog
Diagram labels: host, rsyslog, /dev/log, /tmp/syslogdev, logger "hello", /dev/log
http://jpetazzo.github.io/2014/08/24/syslog-docker/

Lifetime
A server or a VM: months, or even longer
One (or more) container(s): sometimes just a few minutes
Immutable infrastructures

Upgrades
Application upgrade = build of a new image

What about CM?

pimp my Dockerfile
Dockerfile: BUILD chef-solo
Dockerfile: COPY /cookbooks

Orchestrate Docker
Diagram labels: load balancer, webapp, webapp, cache, monitoring, database replica
    - hosts: web
      sudo: yes
      tasks:
        - name: run tomcat servers
          docker: image=webapp ports=8080
level 5
In PROD: yes, really

Ops is cool now!
#o

#Sexists you said?

CoreOS
Minimalist host system (160Mb RAM)
cluster-ready
service discovery etcd
cgroup + systemd
boot in ~ seconds

Apache Mesos

Kubernetes
schedule state
N replicas for a service
pod = containers tied together
service discovery & routing

and (lots) more « orchestration »
Kubelet
maestro-ng
Shipper
Fleet
Helios
Centurion
    images:
    - name: jenkins_master
      source: ryfow/jenkins:0.2
      type: Default
      ports:
      - host_port: '9080'
        container_port: '8080'
        proto: TCP
      volumes:
      - host_path: "/var/jenkins"
        container_path: "/var/jenkins_home"
    - name: jenkins_slave_1
      source: ryfow/docker-jenkins-slave:0.2
      type: Default
      links:
      - service: jenkins_master
        alias: jenkins
      environment:
      - variable: SLAVE_NAME
        value: slave1

    {
      "containers":[
        {
          "name":"rockmongo",
          "count":1,
          "image":"openshift/centos-rockmongo",
          "publicports":[{"internal":80,"external":6060}],
          "links":[{"to":"mongodb"}]
        },
        {
          "name":"mongodb",
          "count":1,
          "image":"openshift/centos-mongodb",
          "publicports":[{"internal":27017}]
        }
      ]
    }

    name: demo
    registries:
      my-private-registry:
        registry: https://my-private-registry/v1/
    ships:
      vm1.ore1: {ip: c414.ore1.domain.com}
      vm2.ore2: {ip: c415.ore2.domain.com, docker_port: 4243}
    services:
      zookeeper:
        image: zookeeper:3.4.5
        instances:
          zk-1:
            ship: vm1.ore1
            ports: {client: 2181, peer: 2888, leader_election: 3888}
            volumes:
              /var/lib/zookeeper: /data/zookeeper
            limits:
              memory: 1g
              cpu: 2
Distribute Docker images
• DockerHub private registry
• Run your own internal registry (docker image)
• Docker load/save with CM
• Dogestry / s3

Monitoring
• collect cgroup metrics
• cAdvisor
• dedicated docker plugin
LogScape

What about Data?
flocker

Container live migration
level 5
security
container security
Containers are NOT secured
http://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/

do you care?
Treat containers like regular services
✓ drop privileges as soon as possible
✓ run as non-root as much as possible
✓ treat root within container as root on host
✓ don’t run untrusted containers

drop capabilities
capabilities - overview of Linux capabilities

Description

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

CAP_NET_ADMIN, CAP_SYS_ADMIN, …
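
The checklist and the capabilities excerpt above, turned into a check (an added example, not part of the original slides): it decodes the CapEff and CapBnd masks from the text of /proc/<pid>/status and flags effective UID 0 and high-risk capabilities. The HIGH_RISK policy set and the sample status texts are assumptions constructed for illustration.

```python
"""Audit a process's privileges from the text of /proc/<pid>/status."""
import re

# Capability numbers 0..40 as defined in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Policy choice for this example (an assumption; tune it for your workloads).
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_MODULE",
             "CAP_SYS_PTRACE", "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH"}

# Constructed samples. The first mask is a reduced set of 14 capabilities of
# the kind a container runtime grants by default; the second is every bit set.
SAMPLE_REDUCED_ROOT = (
    "Name:\tjava\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
SAMPLE_FULL_ROOT = (
    "Name:\tjava\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
)
SAMPLE_NONROOT = (
    "Name:\tjava\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t00000000a80425fb\n"
)


def decode_caps(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = []
    bit = 0
    while mask:
        if mask & 1:
            # Bits newer than this table are reported by number, not dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        mask >>= 1
        bit += 1
    return names


def audit_status(status_text):
    """Return effective UID, decoded capabilities and a list of findings."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.MULTILINE))
    if "Uid" not in fields or "CapEff" not in fields:
        raise ValueError("not a /proc/<pid>/status text: Uid or CapEff missing")
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    effective = decode_caps(int(fields["CapEff"], 16))
    bounding = decode_caps(int(fields.get("CapBnd", "0"), 16))

    findings = []
    if euid == 0:
        findings.append("runs as root (effective UID 0)")
    for cap in effective:
        if cap in HIGH_RISK:
            findings.append(f"holds {cap}")
    # Not effective now, but still in the bounding set: executing a
    # setuid-root binary or one with file capabilities can bring it back.
    for cap in sorted(HIGH_RISK & (set(bounding) - set(effective))):
        findings.append(f"{cap} still in bounding set")
    return {"euid": euid, "effective": effective, "findings": findings}


if __name__ == "__main__":
    for label, text in [("reduced root", SAMPLE_REDUCED_ROOT),
                        ("full root", SAMPLE_FULL_ROOT),
                        ("non-root", SAMPLE_NONROOT)]:
        report = audit_status(text)
        print(label, "->", report["findings"] or "no findings")
```

On a live host, pass the contents of /proc/<pid>/status for the container's main process to audit_status().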
User Name Space
Map non root user to root within container

AppArmor / SELinux
http://stopdisablingselinux.com/

Multi Category Security (MCS)
Protect containers from each other
level 42 
DHocJkeerro
what’s next
disclaimer
de facto Standard
Adoption both for Cloud and on-premises

Extensibility
Alt. backends (AUFS is not an approved linux patch)
‣ devicemapper
‣ BTRFS
‣ ZFS
‣ …

Alt. implementations
‣ Solaris Zones
‣ BSD Jails
Tooling
Orchestration
security
signature & authorization

Config Management
Chef/Puppet/Salt/Ansible vs Docker
Q?

Standard vs Custom Battery Packs - Decoding the Power Play
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 

Dockers zero to hero

  • 4. Who are you? ✓ Dev ✓ Integration/Test ✓ Acceptance / Qualif ✓ Sysadmin / Ops
  • 6. DEV ✓ Exact reproduction for target environment
  • 8. DEV ✓ Quickly get third party tools up-and-running
  • 10. Test ✓ Define build / test infra in your SCM
  • 11. QA ✓ Quickly get low-cost iso-production environment
  • 13. Dev/Ops: a WAR archive is NOT what a sysadmin expects as delivery
  • 14. best DevOps tool so far (imho)
  • 15. Separation of concerns. Inside container: /var/log/myapp. On host: /mnt/backup/myapp/log
  • 16. Separation of concerns. Inside container: /var/log/myapp (VOLUME). On host: /mnt/backup/myapp/log
  • 17. Ops ✓ Manage hardware / infrastructure ✓ Monitoring / backups - Not apps « implementation details »
  • 18. Dev ✓ Develop simplest possible solution ✓ Configuration is a runtime constraint - Not extra-extra-flexible application. new WebServer().start(8080);
  • 20. Continuous Delivery • 100% reproducible environments: « docker build . » to replace « mvn install » • Dockerfile: build WAR from sources • Dockerfile: run acceptance test suite • Dockerfile: build deployable container • docker run, COPY
  • 22. What for? ✓ Cloud ✓ devices more to come soon … ✓ on-premises
  • 23. docker @ Cloud • « build and deploy » PaaS • binaries-based PaaS
  • 24. Google and Containers: “Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Each week we launch more than 2 billion container instances across our global data centers, and the power of containers has enabled both more reliable services and higher, more-efficient scalability.” http://googlecloudplatform.blogspot.fr/2014/06/an-update-on-container-support-on-google-cloud-platform.html
  • 25. your VM your docker image Managed VM Compute Engine your app AppEngine runtime Google Managed VM flexibility management
  • 29. Divide and conquer: stop the monoliths!
  • 30. Divide and conquer: embrace micro-services ‣ « the unix way » ‣ domain focussed ‣ quick release cycles ‣ segregate resources http://yobriefca.se/blog/2013/04/29/micro-service-architecture/
  • 32. sample : syslog host rsyslog /dev/log /tmp/syslogdev logger "hello" /dev/log http://jpetazzo.github.io/2014/08/24/syslog-docker/
  • 33. Lifetime. A server or a VM: months, or even longer. One (or several) container(s): sometimes just a few minutes.
  • 35. Upgrades: application upgrade = build of a new image
  • 37. pimp my Dockerfile Dockerfile BUILD chef-solo Dockerfile COPY /cookbooks
  • 38. Orchestrate Docker (diagram: load balancer, webapp, webapp, cache, monitoring, database, replica)

      - hosts: web
        sudo: yes
        tasks:
        - name: run tomcat servers
          docker: image=webapp ports=8080
  • 41. Ops is cool now ! #o
  • 43. CoreOS: minimalist host system (160Mb RAM); cluster-ready; service discovery etcd; cgroup + systemd; boot in ~ seconds
  • 45. Kubernetes: schedule state N replicas for a service; pod = containers tied together; service discovery & routing
  • 47. and (lots) more « orchestration »: Kubelet, maestro-ng, Shipper, Fleet, Helios, Centurion
  • 48.

      images:
      - name: jenkins_master
        source: ryfow/jenkins:0.2
        type: Default
        ports:
        - host_port: '9080'
          container_port: '8080'
          proto: TCP
        volumes:
        - host_path: "/var/jenkins"
          container_path: "/var/jenkins_home"
      - name: jenkins_slave_1
        source: ryfow/docker-jenkins-slave:0.2
        type: Default
        links:
        - service: jenkins_master
          alias: jenkins
        environment:
        - variable: SLAVE_NAME
          value: slave1

      {
        "containers":[
          {
            "name":"rockmongo",
            "count":1,
            "image":"openshift/centos-rockmongo",
            "publicports":[{"internal":80,"external":6060}],
            "links":[{"to":"mongodb"}]
          },
          {
            "name":"mongodb",
            "count":1,
            "image":"openshift/centos-mongodb",
            "publicports":[{"internal":27017}]
          }
        ]
      }

      name: demo
      registries:
        my-private-registry:
          registry: https://my-private-registry/v1/
      ships:
        vm1.ore1: {ip: c414.ore1.domain.com}
        vm2.ore2: {ip: c415.ore2.domain.com, docker_port: 4243}
      services:
        zookeeper:
          image: zookeeper:3.4.5
          instances:
            zk-1:
              ship: vm1.ore1
              ports: {client: 2181, peer: 2888, leader_election: 3888}
              volumes:
                /var/lib/zookeeper: /data/zookeeper
              limits:
                memory: 1g
                cpu: 2
  • 49. Distribute Docker images •DockerHub private registry •Run your own internal registry (docker image) •Docker load/save with CM •Dogistry / s3
  • 50. Monitoring •collect cgroup metrics •cAdvisor •dedicated docker plugin LogScape
  • 56. container security: Containers are NOT secured! http://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/
  • 57. do you care? Treat containers like regular services ✓ drop privileges as soon as possible ✓ run as non-root as much as possible ✓ treat root within container as root on host ✓ don’t run untrusted container
  • 58. drop capabilities. capabilities - overview of Linux capabilities. Description: For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list). Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. CAP_NET_ADMIN, CAP_SYS_ADMIN, …
  • 59. User namespace: map non-root user to root within container
  • 60. AppArmor / SELinux http://stopdisablingselinux.com/
  • 61. Multi Category Security (MCS) Protect containers from each other
  • 65. de facto Standard: adoption both for Cloud and on-premises
  • 66. Extensibility. Alt. backends (AUFS is not an approved Linux patch) ‣ devicemapper ‣ BTRFS ‣ ZFS ‣ … Alt. implementations ‣ Solaris Zones ‣ BSD Jails
  • 69. security signature & authorization
  • 73. Q?
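
Slides 57 and 58 ask for non-root processes and dropped capabilities; the following added example (not part of the original deck) audits the text of a process's /proc/<pid>/status for both by decoding the CapEff bitmask. The HIGH_RISK set and the three sample inputs are assumptions constructed for illustration.

```python
import re

# Capability names by bit number, from <linux/capability.h> (CAP_ prefix omitted).
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Assumption: the set this example treats as high risk; tune it to your own policy.
HIGH_RISK = {"SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
             "DAC_READ_SEARCH"}

def decode_caps(mask):
    """Return the capability names whose bit is set in an integer mask."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"UNKNOWN_{bit}")
        bit += 1
    return names

def audit_status(status_text):
    """Check effective UID and effective capabilities in /proc/<pid>/status text."""
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.M)  # 2nd field = effective
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", status_text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks a Uid or CapEff line")
    caps = decode_caps(int(cap.group(1), 16))
    findings = []
    if int(uid.group(1)) == 0:
        findings.append("effective UID is 0 (root)")
    risky = sorted(HIGH_RISK.intersection(caps))
    if risky:
        findings.append("high-risk capabilities: " + ", ".join("CAP_" + c for c in risky))
    return {"euid": int(uid.group(1)), "caps": caps, "findings": findings}

# Constructed samples in /proc/<pid>/status format (not captured from a real host).
SAMPLE_REDUCED_ROOT = "Name:\tjava\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
SAMPLE_FULL_ROOT = "Name:\tjava\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
SAMPLE_HARDENED = "Name:\tjava\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for text in (SAMPLE_REDUCED_ROOT, SAMPLE_FULL_ROOT, SAMPLE_HARDENED):
        print(audit_status(text)["findings"] or "no findings")
```

To audit a live process, pass it the contents of /proc/<pid>/status read on the host.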