Docker Roadshow 2016

Docker and the Modern Application Platform. Marc Verstaen, EVP Product Development

Upload: docker-inc

Post on 16-Apr-2017


Page 1: Docker Roadshow 2016

Docker and the Modern Application Platform. Marc Verstaen, EVP Product Development

Page 2: Docker Roadshow 2016

The application landscape is changing

~2000: Monolithic; Big Servers; Slow changing
Today: Loosely Coupled Services; Many Small Servers or devices; Rapidly updated

Page 3: Docker Roadshow 2016

Containers are the catalyst

Environments: Development VM, QA Server, Public Cloud, Disaster Recovery, Contributor’s Laptop, Production Servers, Production Cluster, Data Center

Application components: Static Website, Web Front End, Background Workers, User DB, Analytics DB, Queue, API Endpoint

Page 4: Docker Roadshow 2016

Docker driving the containerization movement

60% of Docker users already running in production (Docker Survey: State of Applications, Q1 2016)

Companies running container technology in production (500+ employees) (Cluster HQ: State of Container Usage, June 2016)

Page 5: Docker Roadshow 2016

At the center of enterprise IT transformation

80%: Docker is central to cloud strategy (Docker Survey: State of App Development, Q1 2016)

3 out of 4 top initiatives revolve around applications: App Modernization, DevOps, Cloud

44%: Looking to adopt DevOps (State of App Development Survey: Q1 2016)

Page 6: Docker Roadshow 2016

Docker delivers innovation, speed and savings

Agility + Portability + Control

13X more software releases
62% report reduction in MTTR
10X cost reduction in maintaining existing applications
Eliminate “works on my machine” issues
41% move workloads across private/public clouds
65% reduction in developer onboarding time

Sources: State of App Development Survey: Q1 2016, Cornell University case study

Page 7: Docker Roadshow 2016

Docker Containers as a Service

Page 8: Docker Roadshow 2016

The enterprise software supply chain is global

Cloud Zone 1, Cloud Zone 2, Data Center, Development Center, Headquarters

Docker aims to build a programmable layer for the internet to connect your global supply chain: build, ship and run any application anywhere

Page 9: Docker Roadshow 2016

Enterprise IT is hybrid apps and infrastructure

• 80% looking to Docker to enable hybrid cloud initiatives.
• Public Cloud adoption expected to increase to 30% by 2017.
• 46% plan to build new microservices.

Sources: x86 server operating systems worldwide; Docker State of App Development Survey: Q1 2016; Morgan Stanley CIO Survey: June 30, 2016; study of Gartner reports re: x86 shipments

Page 10: Docker Roadshow 2016

Docker enables a new workflow with Containers as a Service

DEVELOPERS | IT OPERATIONS
BUILD: Development Environments
SHIP: Secure Content & Collaboration
RUN: Deploy, Manage, Scale

Page 11: Docker Roadshow 2016

Docker CaaS platform is flexible, pluggable and portable

Docker Datacenter:
• Docker Universal Control Plane
• Docker Trusted Registry
• Docker Engine: container runtime, orchestration, networking, volumes, plugins
• Integrated Security

Pluggable integrations: Operating Systems, Config Mgt, Monitoring, Logging, CI/CD, ...more...; Images, Networking, Volumes

Infrastructure: Virtualization, Public Cloud, Physical

Page 12: Docker Roadshow 2016

One platform and one journey for all applications

1. Containerize Legacy Applications: lift and shift for portability and efficiency
2. Transform Legacy to Microservices: look for shared services to transform
3. Accelerate New Applications: greenfield innovation

Page 13: Docker Roadshow 2016
Page 14: Docker Roadshow 2016

Servers ship with Docker Commercial Engine/Support

Docker Datacenter available through all HPE channels

Integrated Solution with Hardware, Software, Support, and Services

Page 15: Docker Roadshow 2016

Docker Datacenter

Steven Thwaites, Solutions Engineer

Page 16: Docker Roadshow 2016

Docker Datacenter workflow

DEVELOPERS | IT OPERATIONS
BUILD: Development Environments (Docker for Mac, Docker for Windows)
SHIP: Secure Content & Collaboration (Docker Trusted Registry, Docker Content Trust)
RUN: Deploy, Manage, Scale (Universal Control Plane)

Page 17: Docker Roadshow 2016

Docker Datacenter core values

Agility + Portability + Control

Extends the Docker developer experience to production

Easy to setup and use

Native Docker solution

Ease of management at scale

Integrated security and policy for content and access (RBAC)

Integrates with existing systems

Full support of Docker API

Seamless dev to prod workflow

Infrastructure, network and storage portability

Page 18: Docker Roadshow 2016

Key use cases for Docker Datacenter

Cloud: Cloud Migration, Hybrid Cloud, Multi-Cloud
Microservices: Containerization, Microservices, App Modernization
DevOps: DevOps, CI/CD, Self Service

Page 19: Docker Roadshow 2016

Portability: Frictionless across environments

Dev → Test / QA → Staging → Production

Same code in dev runs unchanged in every environment: container, network, storage portability (Services, Networks, Volumes)

Page 20: Docker Roadshow 2016

Control: Orchestration and integrations at scale

Universal Control Plane: High Availability, Access Control, 3rd Party Plugins, Swarm Managed, GUI Management, Docker Native Integration, Monitoring

Page 21: Docker Roadshow 2016

Control: Ease of use and management

• Quick and easy to deploy
• Easy GUI based configurations
• Simple and non-disruptive upgrades
• Intuitive GUI and dashboards
• Point and click, search and browse
• Support for Docker CLI and Toolbox

Page 22: Docker Roadshow 2016

Control : Easy to deploy and use


Page 23: Docker Roadshow 2016

Control: Granular control of applications

Manage Compose apps
• Start, stop or delete Compose apps
• Click to inspect individual containers

Manage Containers
• Start, stop, destroy or rename
• Scale number of containers
• View details, stats, logs
• Use console to log into containers

Page 24: Docker Roadshow 2016

Control: Secure Runtime Access

Set up options
• LDAP/AD support
• Built-in

Granular RBAC
• Users and Teams
• Roles
• Permission labels

User Experience
• Single sign on

Page 25: Docker Roadshow 2016

Control: Unified Authentication Service

Components: UCP, DTR, eNZi (the shared authentication service), LDAP/AD, External CA

• Provides shared authentication for entire DDC stack
• Install/configure with UCP (including HA replication)
• Users created in UCP show up in DTR and vice-versa
• Streamlined UCP and DTR setup for SSO

Page 26: Docker Roadshow 2016

Control: Secure Image Collaboration

Trusted Registry components: Web UI, CLI, Admin Server, Authorization Server (backed by LDAP/AD), Registry Service, Content Trust (Notary Server), Log Aggregator (Logs), Storage (Image Repos)

Page 27: Docker Roadshow 2016

Control: Integrated Content Trust

DEVELOPERS | IT OPERATIONS
BUILD: Development Environments
SHIP: Secure Content & Collaboration
RUN: Deploy, Manage, Scale

Library of signed and trusted images
Enforce use of only trusted images

Page 28: Docker Roadshow 2016

Control: Granular Image Management

• Search and browse repos
• RBAC by repo
  – Users, Teams, Orgs
  – Read, Read-Write, Admin
• Garbage collection
• Integrated Content Trust

Page 29: Docker Roadshow 2016

Docker Datacenter Subscription

Business Day Support: Docker Universal Control Plane, Docker Trusted Registry, Docker Engine. $1,500 /node/year

Business Critical Support: Docker Universal Control Plane, Docker Trusted Registry, Docker Engine. $3,000 /node/year

Page 30: Docker Roadshow 2016

Value of a Docker Subscription

Validated Configurations
Enterprise Class Support with SLAs and hotfixes
Docker Universal Control Plane
Docker Trusted Registry (Integrated Docker Content Trust)
Commercially Supported Docker Engine
Integrations and API Support

Page 31: Docker Roadshow 2016

Value of Docker Subscription

Official Technical Support
• Dedicated support engineers and SLAs
• Only available from Docker and IBM

Secure
• Address vulnerabilities
• Hotfixes

Stable
• Predictable release cadence
• Long supported versions
• Backport defect fixes

Integrations and API Support
• Docker native toolset
• Access to the broadest ecosystem

Validated Configurations
• Validated operating systems, configurations and interoperability

Direct Product Roadmap Ownership
• Directly responsible for proprietary and open source product roadmap

Page 32: Docker Roadshow 2016

Secure the Enterprise Software Lifecycle with Docker. Diogo Monica, Security Lead

Page 33: Docker Roadshow 2016

Software supply chain

source/dependencies → build systems/engineers → network → application repository → deployed systems

Page 34: Docker Roadshow 2016

Identity

Page 35: Docker Roadshow 2016

IMAGE
  name: alpine:3.4
  sha256: ea08...950
  ID: f70c828098f5
  expires: 2019-06-20

USER
  name: user
  org: organization

DOCKER HOST
  name: node-1
  ID: 9j1kxp7cd1z...22c *manager
  expires: 2016-06-21

ID: 58slx2ra5qiee92n4uf56ocvf

Page 36: Docker Roadshow 2016

source/dependencies

build systems/engineers

Consistent builds

Page 37: Docker Roadshow 2016

Consistent Builds: Good input = good output

Page 38: Docker Roadshow 2016

network

Application signing

Page 39: Docker Roadshow 2016

Docker Content Trust

Page 40: Docker Roadshow 2016

Security: Trusted image chaining

Add image layer, sign, then push image to private registry. Continue until complete for a trusted chain of image layers.

debian:jessie → pypy:3 → user/pypybase:latest (additional libraries) → user/myapp:latest (pypy3 Django app)

Page 41: Docker Roadshow 2016

application

repository

Security Scanning and Gating

Page 42: Docker Roadshow 2016

Docker Security Scanning Architecture

Page 43: Docker Roadshow 2016
Page 44: Docker Roadshow 2016

Trusted image chaining with signing

Add image layer, sign, security scan, then push image to private registry. Continue until complete for a trusted chain of image layers. Now a security BOM exists for each image tag.

debian:jessie → pypy:3 → user/pypybase:latest (additional libraries) → user/myapp:latest (pypy3 Django app)

Page 45: Docker Roadshow 2016

Threshold signing and gating

CI → Security Scanning → Staging → Production (UCP Manager scheduling onto UCP Workers)

Sign image to “approve” passing of each stage. Policy to check for signatures before deployment.
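The gate behind the last two slides (the signed chain of layers on pages 40 and 44, and the per-stage approval signatures on page 45), as an added example in Python. This is not Docker, Notary or Docker Datacenter code. It models the flow the slides describe: CI, security scanning and staging each sign the image digest they tested, and production refuses a deployment unless every required stage signed the exact digest about to run and every base image in the chain is itself signed. One assumption is made so it runs with the standard library alone: signatures are HMAC-SHA256 with a per-role secret, standing in for the asymmetric delegation keys Docker Content Trust and Notary use; the gate logic would not change, only verification would. The registry contents, digests and role keys are constructed.

```python
"""Signature gate for promoting a container image through CI, security
scanning and staging before production deployment (added example).

Assumption: HMAC-SHA256 per-role signatures stand in for Notary's
asymmetric delegation keys so the example is self-contained.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed per-stage keys (hypothetical; in Notary these are delegation keys).
ROLE_KEYS = {
    "ci": b"ci-delegation-key",
    "scan": b"security-scan-delegation-key",
    "staging": b"staging-delegation-key",
}
REQUIRED_FOR_PROD = frozenset(ROLE_KEYS)   # threshold: every stage must sign


@dataclass
class TrustedTag:
    name: str                      # e.g. "user/myapp:latest"
    digest: str                    # "sha256:<hex>" of the manifest the tag points at
    parent: Optional[str]          # tag the image was built FROM; None for a root image
    signatures: Dict[str, str] = field(default_factory=dict)  # role -> hex signature


def image_digest(content: str) -> str:
    """Constructed stand-in for a registry manifest digest."""
    return "sha256:" + hashlib.sha256(content.encode()).hexdigest()


def sign(role: str, digest: str) -> str:
    return hmac.new(ROLE_KEYS[role], digest.encode(), hashlib.sha256).hexdigest()


def approve(tag: TrustedTag, role: str) -> None:
    """A stage signs the digest it tested, never the mutable tag name."""
    tag.signatures[role] = sign(role, tag.digest)


def verified_roles(tag: TrustedTag) -> Set[str]:
    """Roles whose signature is valid for the digest the tag currently names."""
    return {
        role for role, sig in tag.signatures.items()
        if role in ROLE_KEYS and hmac.compare_digest(sign(role, tag.digest), sig)
    }


def chain_trusted(name: str, registry: Dict[str, TrustedTag]) -> bool:
    """Every image the tag was built on must carry a valid CI signature."""
    seen: Set[str] = set()
    cur: Optional[str] = name
    while cur is not None:
        if cur in seen:                       # malformed trust data: FROM cycle
            return False
        seen.add(cur)
        tag = registry.get(cur)
        if tag is None or "ci" not in verified_roles(tag):
            return False
        cur = tag.parent
    return True


def deploy_allowed(name: str, deploy_digest: str, registry: Dict[str, TrustedTag],
                   required: frozenset = REQUIRED_FOR_PROD) -> Tuple[bool, str]:
    """Production gate: the digest about to run must be the one the trust data
    names, every required stage must have signed it, and the base-image chain
    must be trusted."""
    tag = registry.get(name)
    if tag is None:
        return False, "no trust data for tag"
    if tag.digest != deploy_digest:
        return False, "digest mismatch: tag was re-pointed since approval"
    missing = required - verified_roles(tag)
    if missing:
        return False, "missing signatures: " + ", ".join(sorted(missing))
    if not chain_trusted(name, registry):
        return False, "untrusted base image in chain"
    return True, "ok"


def example_registry() -> Dict[str, TrustedTag]:
    """Constructed trust data for the chain shown on the slide."""
    chain = [
        ("debian:jessie", "debian-jessie-rootfs", None),
        ("pypy:3", "pypy3-on-jessie", "debian:jessie"),
        ("user/pypybase:latest", "pypy3+additional-libraries", "pypy:3"),
        ("user/myapp:latest", "pypy3-django-app-v1", "user/pypybase:latest"),
    ]
    registry = {n: TrustedTag(n, image_digest(c), p) for n, c, p in chain}
    for tag in registry.values():
        approve(tag, "ci")                    # every layer in the chain is CI-signed
    return registry


if __name__ == "__main__":
    reg = example_registry()
    app = reg["user/myapp:latest"]
    print(deploy_allowed(app.name, app.digest, reg))   # blocked: scan, staging missing
    approve(app, "scan")
    approve(app, "staging")
    print(deploy_allowed(app.name, app.digest, reg))   # (True, 'ok')
```

The two checks worth noting are the ones the slides imply but do not spell out: stages sign a digest rather than a tag, so re-pointing `user/myapp:latest` at a rebuilt image silently invalidates every earlier approval, and the chain walk means a fully approved application image is still refused if a base image beneath it was never signed.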

Page 46: Docker Roadshow 2016

deployed systems

Orchestration

Page 47: Docker Roadshow 2016

$ docker run -it --net host --pid host --cap-add audit_control ... docker/docker-bench-security

[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[PASS] 1.5 - Keep Docker up to date
[INFO]      * Using 1.12.04 which is current as of 2016-08-16
[INFO]      * Check with your operating system vendor for support and security maintenance for docker
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO]      * docker:x:999:docker
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO]      * File not found
[INFO] 1.11 - Audit Docker files and directories - docker.socket
[INFO]      * File not found
...
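The bench output above is only useful as a gate if something reads it. The following is an added Python example, not part of docker-bench-security: it parses the check lines in the format shown on the slide, attaches the indented "*" detail lines to the check they belong to, and fails the build when a WARN is not on an explicit, reviewed exception list. It also reports checks the tool could not inspect at all (here 1.7 to 1.9, because auditctl is missing on the host) as unverified rather than letting them disappear into the WARN count: a control that was never checked is not a pass. The sample input is the slide's output, reproduced here as constructed test data; the exception justifications are hypothetical.

```python
"""Parse docker-bench-security text output and gate a CI job on it (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the check lines from the slide, in the tool's text format.
SAMPLE_OUTPUT = """\
[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.4 - Remove all non-essential services from the host - Network
[PASS] 1.5 - Keep Docker up to date
[INFO]      * Using 1.12.04 which is current as of 2016-08-16
[INFO]      * Check with your operating system vendor for support and security maintenance for docker
[INFO] 1.6 - Only allow trusted users to control Docker daemon
[INFO]      * docker:x:999:docker
[WARN] 1.7 - Failed to inspect: auditctl command not found.
[WARN] 1.8 - Failed to inspect: auditctl command not found.
[WARN] 1.9 - Failed to inspect: auditctl command not found.
[INFO] 1.10 - Audit Docker files and directories - docker.service
[INFO]      * File not found
[INFO] 1.11 - Audit Docker files and directories - docker.socket
[INFO]      * File not found
"""

# "[WARN] 1.7 - title": a check id always has at least one dot, so section
# headers such as "[INFO] 1 - Host Configuration" are deliberately not matched.
CHECK_RE = re.compile(r"^\[(INFO|PASS|WARN|NOTE)\]\s+(\d+(?:\.\d+)+)\s+-\s+(.*)$")
# "[INFO]      * detail": belongs to the most recent check.
DETAIL_RE = re.compile(r"^\[\w+\]\s+\*\s+(.*)$")


def parse_bench(output: str) -> Dict[str, dict]:
    """Map check id (e.g. "1.7") -> {"level", "title", "details"}."""
    checks: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if m:
            level, cid, title = m.groups()
            checks[cid] = {"level": level, "title": title, "details": []}
            current = cid
            continue
        d = DETAIL_RE.match(line)
        if d and current is not None:
            checks[current]["details"].append(d.group(1))
    return checks


def gate(checks: Dict[str, dict], accepted: Dict[str, str]) -> Tuple[bool, List[str], List[str]]:
    """Return (passed, blocking_warns, unverified).

    accepted maps a check id to the written justification for tolerating its
    WARN; anything else at WARN level fails the gate. Checks the tool could not
    inspect are listed separately so the reviewer sees missing tooling, not a
    finding that was examined and accepted.
    """
    blocking: List[str] = []
    unverified: List[str] = []
    for cid, check in sorted(checks.items(), key=lambda kv: [int(x) for x in kv[0].split(".")]):
        if check["level"] != "WARN":
            continue
        if check["title"].startswith("Failed to inspect"):
            unverified.append(f"{cid}: {check['title']}")
        if cid not in accepted:
            blocking.append(f"{cid}: {check['title']}")
    return not blocking, blocking, unverified


if __name__ == "__main__":
    parsed = parse_bench(SAMPLE_OUTPUT)
    # Hypothetical exception list a team might keep next to its CI config.
    exceptions = {"1.1": "container storage is a dedicated volume mounted at the docker root"}
    passed, blocking, unverified = gate(parsed, exceptions)
    print("passed:", passed)
    for item in blocking:
        print("BLOCKING", item)
    for item in unverified:
        print("UNVERIFIED", item)
```

Run on the slide's output with only 1.1 excepted, the gate fails on 1.7 to 1.9: the right fix is installing auditd on the host and re-running the bench, not adding those three to the exception list.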

Page 48: Docker Roadshow 2016

Secure Cluster Management

• Docker 1.12 with built in orchestration (clustering and scheduling)
• Strong default cluster security

Page 49: Docker Roadshow 2016

Mutual TLS by default

• Leader acts as CA.
• Any Manager can be promoted to leader.
• Workers and managers identified by their certificate.
• Communications secured with Mutual TLS.

Page 50: Docker Roadshow 2016

Support for External CAs and Automatic Rotation

• Managers support BYO CA.
• Forwards CSRs to external CA.
• Customizable certificate rotation periods.
• Occurs automatically.
• Ensures potentially compromised or leaked certificates are rotated out of use.
• Whitelist of currently valid certificates.

Page 51: Docker Roadshow 2016