DevOps & Automation Tech/Team Leader at Cisco DRM EngineeringRoman Dembitsky – romande@gmail.com

Released: November 16, 2015

Docker OverviewDockerCon EU 2015

Agenda• What is Docker?• Docker Solutions• Docker Security

What is Docker?

Docker allows you to package an application with all of its dependencies into a standardized unit for software development.

Docker

Docker Engine

How is this different from virtual machines?

• Docker Machine – Machine provisioning• Docker Engine – Creates and runs Docker containers• Docker Registry – Docker image distribution repository• Docker Kitematic – Desktop GUI for Docker• Docker Compose – Define multi-container applications• Docker Swarm – Host clustering and container scheduling• Docker Universal Control Plane - Management Platform

Docker Solutions

Docker Stack

Docker Engine

Docker Container

Docker Compose

Docker Swarm

Docker Orca (UCP)

Platform Layer

Application

Multi-container applications

Distributed Cluster Management

Platform Management

18© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Machine

• Create Hosts Anywhere• Docker Machine can create hosts on most major

virtualization hypervisors and in cloud service providers. Docker Machine has driver support for

• AWS, Digital Ocean, Google Cloud Platform, IBM Softlayer, Microsoft Azure and Hyper-V, OpenStack, Rackspace, VirtualBox, VMware Fusion®, vCloud® Air™ and vSphere®

Docker Machine

• Install Docker Engine• Configure Docker

Registry• Join nodes to Swarm

21© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Kitematic

•Kitematic – nice GUI for containers management

•Video

Kitematic

Kitematic

24© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Registry

Docker Registry

Docker Registry is an open source application dedicated to the storage and distribution of your Docker images. Its seamless architecture allows both for fine grain integration with other systems and high-level scalability. Aggressively developed, its vibrant community includes industry leaders and users using it at the core of their images distribution solutions.

Docker Registry

27© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Stages

Docker Stages

Docker File - SampleSource

To Run:

docker run -d -p 27017:27017 -p 28017:28017 --name mongo -e AUTH=no tutum/mongodb

30© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Compose

Docker Compose - Example

• Compose facilitates the orchestration of linked containers

• Compose allows to have a single script for all the environments

• Developers can start/stop/rebuild containers without any deep knowledge of Docker

Docker Compose

35© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Swarm

Docker Swarm

• Swarm – container distribution manager, clustering and scheduling

• Swarm 1.0 – ready for production

Docker Swarm

•Built-in multi-host networking•Built-in persistent storage• Attach any volume to any container dynamically

Docker Swarm

• Scalable• Libkv (abstraction layer on top of etcd, zookeeper, consul kv stores)

Docker Swarm

Docker Swarm - Demo

41© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Security

Hardware Key for signing images

• Docker Images signing and verifying• Key compromise protection• Content trust allows operations with a remote Docker registry to enforce

client-side signing and verification of image tags. Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags.

• https://blog.docker.com/2015/08/content-trust-docker-1-8/

Docker Content Trust

• Hardware crypto + docker content trust• Hardware root key (usb security device) used for

starting key ladder• Allows quickly changing/updating keys so it won’t be

possible pushing images with the old keys (that were compromised)

Docker Security

• Sign docker images before pushing images to repos

• Uses root key inside the yubikey for creating new singing keys to sign the images

• To see existing keys: notary key list

Docker Security

• Project Nautilus• Built-in container security analysis• Soon will be as a self service• Deep content analysis• Checks against its own vulnerability db

Docker Security Analysis

47© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Networking

• New Docker Networking APIs• Multi-Host networking• Networks are scoped: Local / Global• Container can participate in multiple

networks

Docker Networking

• VXLAN Layer 2 over Layer 4• VXLAN is a network virtualization technology that attempts to

ameliorate the scalability problems associated with large cloud computing deployments. It uses a VLAN-like encapsulation technique to encapsulate MAC-based OSI layer 2 Ethernet frames within layer 4 UDP packets, using 4789 as the default IANA-assigned destination UDP port number.[1]

Docker Networking uses VXLAN

53© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Docker Universal Control PlaneContainers as a service

• Management Platform – deploy and manage dockerized apps in production

• running containers on any infrastructure• Infrastructure agnostic (on premises, cloud)• Language agnostic

Universal Control Plane

• Provisioning of compute, network, and storage on any infrastructure, with integration of enterprise security and monitoring

• Support for any:• application: stateful and stateless, legacy and next-generation, for any

programming language• bare-metal server, VM or cloud instance• Linux distribution and Windows Server and Solaris• stage of the application lifecycle, from dev to test to QA to staging to

production

Docker Universal Control Plane

• Enterprise ready (LDAP/AD authN) on premise deployment integrated with Trusted Registry

• Security – TLS• Resource Management (visibility and

monitoring)• HA

Docker Universal Control Plane

60© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Linux Kernel IP Virtual Server

• Forwarder Layer 4 OSI• IPVS is incorporated into the Linux Virtual Server (LVS), where it

runs on a host and acts as a load balancer in front of a cluster of real servers. IPVS can direct requests for TCP- and UDP-based services to the real servers, and make services of the real servers appear as virtual services on a single IP address. IPVS is built on top of the Netfilter.[1]

IP Virtual Server (IPVS)

• IPIP mode: Returns packets directly to client (rather that via LB)

• DNAT• DSR

IP Virtual Server - Modes

• http://github.com/kobolog/gorb• BGP – load balance lbs• Better that lb box

GORB – REST Iinterface of IPVS

66© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Jenkins CI with Docker and Compose at Oxford Press

• Commit to Github -> • Jenkins Build with unit tests ->• Build docker image ->• After all the desired components are

stablely built run docker compose

Jenkins Flow

• Push images to docker registry• Bind docker socket – share dockers• /var/run/docker.sock

Docker Con EU 2015

https://blog.docker.com/tag/dockercon/

http://www.vmtocloud.com/how-to-run-a-docker-swarm-cluster-on-vsphere-with-photon/

http://docker.com

http://www.tomsitpro.com/articles/docker-enterprise-hub-orchestration,1-2375.html

http://blog.octo.com/en/docker-registry-first-steps/

http://blog.arungupta.me/docker-compose-orchestrate-containers-techtip77/

http://learning-continuous-deployment.github.io/dockercompose/multi-app/2015/05/30/docker-compose/

References