use the source or join the dark side: differences between docker community and enterprise editions...
TRANSCRIPT
Use the Source or join the Dark Side
The differences between Docker Community Edition and Docker Enterprise Edition

Outline
• Introductions
• High level differences
• Build, ship, and run
• Security model
• Traffic routing
• Getting started

Who am I?
• Jérôme Petazzoni (@jpetazzo)
• Joined dotCloud in 2010 (to build and scale a container platform)
• In 2013, dotCloud launches Docker (and changes its name)
• The same year, I submit my first container talk (at the SCALE 11x conference in Los Angeles)
• Since then I’ve been living in conference hotels and airports 😰

⚠ This is a vendor talk
• I work for Docker Inc.
• I will talk about Docker Inc. commercial products
• But I don’t like advertising
• I’ll explain:
  • what you get for free (Docker CE, Community Edition)
  • what you get for €€€ (Docker EE, Enterprise Edition)
• Target audience: engineers (and tech-savvy decision makers)

Why this talk?
• Dispelling a few myths
• MYTH #1: “Docker Inc. doesn’t have a business model!”
  • Docker Inc. sells commercial products, support, SAAS offerings
  • Docker Inc. generates significant revenue & has customers like Visa, PayPal…
  • This has been going on for a few years now
• MYTH #2: “Docker is only for development, not production!”
  • People have been using Docker in production since 2013
  • Using any kind of software in production is challenging
  • To help, Docker Inc. has commercial products, support, ... you get the idea
• Helping you to decide if Docker is good for your app

There will be demos (It’s an old Docker tradition!)

Our demo application
• We will show an app built around a micro-services architecture
  • DockerCoins
  • used in my orchestration workshop: https://github.com/jpetazzo/orchestration-workshop
• You can run this demo on any Docker machine
  • …and it should take approximately 1 minute to build and run it!

Demo: Run DockerCoins in a play-with-docker sandbox

High level differences between Docker CE and Docker EE
Docker CE
• for developers and small organizations
• free
• stable version (every 3 months)
• edge version (every month), with cutting edge features
Docker EE
• for business critical production apps
• subscription model
• stable version (every 3 months)
• each version maintained at least for one year
• additional enterprise features (management, security…)

Release schedule

Supported platforms

Deploying our demo app on a cluster
• The Docker motto is “build, ship, and run any app, anywhere”
• This means:
  • build container images for our app
  • ship these images to a registry
  • run the app on a Swarm cluster
• Docker Compose is a great tool for dev stacks…
• …and can be used to deploy them on clusters as well!

Demo: Use Compose and “docker stack deploy” to build, ship, and run DockerCoins

Inspecting our application
• We want to:
  • list deployed services and their status
  • view container logs
  • get a shell in a container
• Docker CE: we will use Docker’s CLI and API
• Docker EE: we will use UCP (Universal Control Plane)
There are also 3rd-party interfaces like Portainer, using the Docker API: https://github.com/portainer/portainer

Demo: docker ps, docker logs, docker service ls, docker service ps, docker exec
Demo: Show the same information with UCP

Operating our application
• We want to:
  • view the port allocated to DockerCoins’ web UI
  • display the web UI
  • scale up and down the “worker” service
  • view metrics
• Docker CE: we will use the Docker API
• Docker EE: we will use UCP

Demo: docker inspect, load page in browser, docker service update
Demo: Metrics? That one is trickier! We could use this thing named “Prometheus”...
Demo: Do the same operations in UCP, show metrics

Security (CE & EE)
• Docker native clustering (“Swarm Mode”) uses the SwarmKit library
• SwarmKit has very strong security foundations:
  • automatic TLS keying and signing
  • full encryption of the control plane
  • automatic cert and key rotation
  • optional encryption of the data plane (leveraging hardware crypto where available)
  • least privilege architecture (single-node compromise ≠ cluster compromise)
  • on-disk encryption with optional passphrase

Secrets (CE & EE)
• Secrets are arbitrary blobs of data (passphrases, private keys, or even text pads…)
• First-class citizen with the Docker API
• Never stored in clear on disk (persisted in encrypted form by manager nodes)
• Exposed to services (presented as a file on an in-memory filesystem)

Demo: docker secret create; add the secret to a service; see the secret in the service

Privilege separation
• By default, if I have API access, I can do anything
• Including creating a malicious service to leak secrets! ⚠
• How do we fix this? 🤔

Authentication and authorization
• Docker EE has the notion of users, groups, and permissions
• Permissions are implemented with permissions labels: “If an object has the permissions label X, your user needs to have permission X to be able to see or interact with that object.”
  • Normal label (com.docker.ucp.access.label)
  • Every object can have one (service, container, volume, secret…)
  • Visible with the CLI, API, etc.
  • Protected and enforced by UCP

Demo: Create a UCP user “jerome” with basic privilege; Login with “jerome”; Deploy a “jeromecoins” stack; See it running in the “admin” console

Under the hood
• Docker (CE and EE) has authorization plugins
  • All API requests are examined by all enabled plugins
  • Each plugin has the opportunity to accept or deny the request
• UCP is an authorization plugin
• You can write your own plugins
• Multiple plugins can co-exist
• UCP lets you export a key/cert bundle for a user (to use the CLI while respecting the permissions system)
HTTP routing mesh
• Docker (CE and EE) has a TCP routing mesh
  • provides load-balancing for internal and inbound traffic
  • leverages IPVS, a high-performance in-kernel load balancer
But: only one app at a time can “sit” on port 80 on your cluster
• Docker (EE) has an HTTP routing mesh
  • provides HTTP Host header parsing and virtual host routing
  • optional TLS termination
  • implemented using labels

Demo: Show labels in the deployed app; Do requests to the different virtual hosts

Hosting container images
• Docker CE: we can use the open source registry
  • as simple as “docker run registry:2”
  • this is the registry that we used for all these demos
• Docker EE: we can use Docker Trusted Registry (DTR)
  • has users and groups, integrating with the ones in UCP
  • also: webhooks and workflows implementing CI/CD
• Also many third party options: ECR, quay…

Big scary security question
Is it safe to run this program that I just downloaded from the Internet?
• Make sure that it is from a trusted, reputable source
• Check that it wasn’t compromised in transit
• Run it through an antivirus scanner

Next big scary security question
Is it safe to run this container image that I just downloaded?
• Make sure that it is from a trusted, reputable source
• Check that it wasn’t compromised in transit
• Run it through a security scanner

Docker security features
• Trusted, reputable sources
  • Docker Store
  • official images
  • Docker Content Trust
• Integrity checking
  • content-addressed layers
  • manifest signatures
  • cryptographic hashes
• Arbitrary image scanning
  • Docker Security Scanning (only in EE)
  • other 3rd party scanners are available
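The “integrity checking” bullet above is what lets a client notice an image that was compromised in transit. As an added example (not Docker’s pull code), this shows the mechanism: a manifest is pinned by its own digest (the value in image@sha256:... and the value Docker Content Trust signs), and the manifest in turn pins its config and every layer by size and SHA-256 digest, so any altered blob fails to match its content address. The sample config and layers are constructed stand-ins for real JSON and gzipped tar blobs; the descriptor layout follows the schema 2 manifest format.

```python
import hashlib
import json

def digest(blob: bytes) -> str:
    """Content address in the registry's form: 'sha256:' + hex of the blob's SHA-256."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def verify_manifest(manifest_bytes: bytes, expected: str, blobs: dict) -> list:
    """Check a pulled manifest and its blobs; returns the list of problems found (empty = OK).
    `blobs` maps each digest we requested to the bytes the registry actually returned."""
    problems = []
    if digest(manifest_bytes) != expected:
        problems.append(f"manifest does not match {expected}")
        return problems  # a tampered manifest cannot vouch for anything it references
    manifest = json.loads(manifest_bytes)
    for ref in [manifest["config"]] + manifest["layers"]:
        data = blobs.get(ref["digest"])
        if data is None:
            problems.append(f"missing blob {ref['digest']}")
        elif len(data) != ref["size"] or digest(data) != ref["digest"]:
            problems.append(f"blob {ref['digest']} does not match its content address")
    return problems

# Constructed sample image: stand-ins for the config JSON and two (gzipped tar) layers.
CONFIG = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
LAYERS = [b"layer 1: base filesystem (constructed)", b"layer 2: app files (constructed)"]

def describe(blob: bytes, media_type: str) -> dict:
    """A manifest descriptor: media type, byte size, and content address."""
    return {"mediaType": media_type, "size": len(blob), "digest": digest(blob)}

MANIFEST_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": describe(CONFIG, "application/vnd.docker.container.image.v1+json"),
    "layers": [describe(layer, "application/vnd.docker.image.rootfs.diff.tar.gzip") for layer in LAYERS],
}).encode()
MANIFEST_DIGEST = digest(MANIFEST_BYTES)  # what "image@sha256:..." pins (and what DCT signs)
BLOBS = {digest(b): b for b in [CONFIG] + LAYERS}

if __name__ == "__main__":
    print("clean pull:", verify_manifest(MANIFEST_BYTES, MANIFEST_DIGEST, BLOBS))
    # Simulate a registry or mirror that served a modified first layer.
    tampered = dict(BLOBS, **{digest(LAYERS[0]): LAYERS[0] + b" with an extra file"})
    print("tampered pull:", verify_manifest(MANIFEST_BYTES, MANIFEST_DIGEST, tampered))
```

The hashes only prove the content matches what the manifest names; trusting that the manifest itself is the one the publisher meant is the job of the manifest signature (Docker Content Trust), which this example takes as given.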
Getting started with Docker CE, using play-with-docker
Let’s deploy DockerCoins:
• on a Swarm cluster
• without installing anything on our local machine
• in less than 5 minutes
• and scale it!

Demo: Create a Swarm cluster in PWD; Set up a self-hosted registry; Build, ship, run DockerCoins; Scale it!

There is more…
• Run Docker anywhere
  • on virtual or physical machines
  • on embedded or energy-efficient platforms like ARM
• Run Windows applications
  • Docker can run Linux and Windows containers
  • Swarm can manage mixed clusters
• Run monolithic/legacy applications
  • image2docker helps to “dockerize” existing apps (similar to P2V programs)
  • look for Docker’s “MTA” (modernize traditional apps) program!

Conclusions
• With Docker, you can build, ship, and run any app, anywhere
• Docker Community Edition is great for developers and small teams
• Docker Enterprise Edition is optimized for business critical apps
  • long term software maintenance
  • dependable support team
  • fine-grained access control
  • container image lifecycle management
  • additional security features
• All these extra features are provided through open integration points (no “magic back door” or vendor lock-in)

Thank you! Questions?
@jpetazzo @docker