What is this "docker"

1
WHAT IS THIS "DOCKER" ?
Jean-Marc Meessen

2
3
My own copy of the database
… that I can break at will
My own iso-prod test environment
… that I can break at will
Easily share my con guration with colleagues.
DEVOPS !

5
6
HELLO !
Jean-Marc MEESSEN
Brussels, Belgium
"Brol Engineer" @ Worldline
Senior ESB Java Developer
Development Infrastructure Expert
Mentor
Starting in January at Cloudbees

8
AND YOU ?
Developers ?
Ops ?
Security ?
Managers ?

9
YOU AND DOCKER ?
Never heard about it ?
Some "Proof of Concept" ?
Use it every day ?
In Production ?

1011
TODAY’S TALK
What are "containers" ?
How to start ?
Docker for the Java Dev

1516
DOCKER CONTAINERS
is not a virtualization technique,
rather an isolation technology.

DOCKER CONTAINERS ARE :
cgroups (control groups)
limits CPU, memory, IOs, etc
NameSpaces
isolates and virtualizes system resources
(process, mounts, networking)

18
APPLICATIONS PACKAGED WITH SYSTEM
DEPENDENCIES
new packaging paradigm
one application works on Ubuntu with Python 2
second application works on Centos 7.2 with Python 3

19
WHAT DOCKER SOLVES
Escape the dependencies hell
Fast iterative Infrastructure improvement
Container "loader" & Container "shipper"
(no more "it worked in Dev, now it’s OPS problem")
easy onboarding of Devs.
"Own test environment"

21
22
NEED A CONTAINER ENABLED "KERNEL"

AND FOR WINDOWS OR MAC OS X ?
Install a virtual machine (ex VirtualBox)
Ready made bundles:
Docker Toolbox
New, better integrated, clients
Using (corporate) proxies: advanced topic

HOW DO YOU GET IMAGES ?
Note: an image is immutable
you get them from
DockerHub
Corporate Registry
Or build it yourself

2627
BUILDING A DOCKER IMAGE
Described in a Docker le

FROM ubuntu
MAINTAINER Kimbro Staken
RUN apt-get install -y software-properties-common python
RUN add-apt-repository ppa:chris-lea/node.js
RUN echo "deb http://us.archive.ubuntu.com/ubuntu/ precise universe" >> /etc/apt/
RUN apt-get update
RUN apt-get install -y nodejs
#RUN apt-get install -y nodejs=0.6.12~dfsg1-1ubuntu1
RUN mkdir /var/www
ADD app.js /var/www/app.js
CMD ["/usr/bin/node", "/var/www/app.js"]

DESCRIBE A COMPLETE INFRASTRUCTURE
Complex systems
Fuse ESB server
MQ series servers
Oracle database
Use "docker-compose"

28
29
DOCKER-COMPOSE
one place to de ne
your components
how to (docker) build them
what container should start rst
networks (who can talk to whom)
(data) volumes
Security restrictions
Etc.

31
HOW TO LEARN ?
Many tutorials available on-line
Developer
Beginner Linux Containers
Beginner Windows Containers
Intermediate (both Linux and Windows)
Operations
Beginner
Intermediate
https://training.docker.com/category/self-paced-online

3233
HOW TO LEARN ?
Docker playground
http://play-with-docker.com/

34
DOCKER INC.
Docker has been surprised by this techno " are"
Very, very lively Open Source community
"Batteries included"
Standardization (RunC, etc.)

35
WELL GROUNDED APPROACH
Coming from the web hosting world

3637
STATUS
Was good for development and integration
Start to be usable for Real Life Run
Since December 2015

STATUS
Start to offer enterprise level solutions
"Docker Datacenter"
Trusted Registry (Image scanning, sig/auth)
Docker Universal Control Plane
Docker Cloud

4142
MAVEN INTEGRATION
using fabric8io/docker-maven-plugin

MAVEN SEQUENCE
pre-integration-test
execute Docker "build" and "start" goals
execute FlyWay migration
integration-test
execute Failsafe "verify" goal
integration test make extensive use of DBunit
post-integration-test
execute Docker "stop" goal

43
MAVEN INTEGRATION
additional options
(networking, volumes, docker-compose)
ts nicely in Jenkins
especially V2 and pipeline
(but this is an other story)

44
BASE IMAGES
several base images are available, choose what is best
suited
openjdk (jdk and jre)
openjdk:alpine
maven
Oracle JDK/JRE is not available from the shelf anymore.
Need to build it yourself

4546
DEPLOYMENT MODEL
app-server
embedded (self contained JAR)

47
INSTALLATION MODES/TEST MODES
add the JAR in the right directory
execute the app installation script at image build time
execute the app installation script at container run

SINGLE PURPOSE JVM
thinks it is alone in the world
JVM defaults based on the machine characteristics
watch out
several JVMs (in Docker) are running on the same
machine

48
JVM CONFIGURATION
as on a physical host you need to speci y/limit the
memory/cpu requirement of your JVM
Docker offer the same tools. use them
orchestrator like mesos or kubernetes can help you for
this
beware of Docker exec in Production

49
DOCKER IN PRODUCTION
my point of view of Docker in Production
you need to have a very good understanding of what you
do
still in the early phase
Docker works very well for state less application
State full (with databases, etc) still in infancy. Recent
announcement very promising

50
Is Docker secure in
Production ?

This is, in general, the reaction…

55
WHAT IS HE LOOKING FOR?
(user) Data
Access other systems
Privilege elevation

56
WHAT ARE THE DANGERS WITH DOCKER?
Kernel exploits
Denial of service attack
Container breakout
Poisoned images
Compromising Secrets

57
IS DOCKER "SECURE" ?
A lot of expectations, of illusions
"Silver bullet"
Competition positioning (VM, Con guration Mgt)
Enviousness

5859
"CONTAINER DO NOT CONTAIN !"
Wrong perception by the "public"
Tremendous progress in 3 years
but usable…

60
EQUIPPED WITH SECURITY TOOLS

61
IN PARTICULAR
Cap drop
User namespace
selinux / apparmor

CAPABILITY DROP
options to the "Docker run"
goes beyond the root/non-root dichotomy
example: container with NTP
docker run --cap-drop ALL --cap-add SYS_TIME ntpd

6263
SELINUX / APPARMOR
pro les are called at each "Docker run"
Allow to go much further in the granularity
this program (ex ping) has no access to the network

#include <tunables/global>
profile docker-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network,
capability,
file,
umount,
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
deny @{PROC}/sysrq-trigger rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,

64
66
Malicious contents
Contains vulnerabilities or bugged applications

67
TRUSTED REGISTRY
Systematic use of TLS
Re-enforcement of the layers integrity
Upgraded with version 1.10

NOTARY
System of image signature and its validation
Validation of the author and content non alteration
Protection Against Image Forgery
Protection Against Replay Attacks
Protection Against Key Compromise
Clever usage of physical key storage

68
NAUTILUS
(now called "Docker Security Scanning")
Docker image scanner
vulnerabilities (CVE check)
Licence validation
Image Optimisation
Simpli ed functional tests

70
RECOMMENDATIONS
Keep your host/images up-to-date
"Bulkheading"
Seperate disk partition for Docker
Don’t run other (non-Docker) applications on the same
host
Container in a VM ?
Limit inter-container communications
log/audit trails
Access control

71
RECOMMENDATIONS
Do not use "priviliged" if it is not necessary
Applicative users in the containers
Where are my images coming from ? are they up-to-date ?
Access rights on the les

7273
CONCLUSIONS
"Is Docker 'secure' ?"
No more or less then the door of an apartment
Security is everyone’s business : DevOps + SecOps

CONTACT INFO
Twitter: @jm_meessen
jean-marc@meessen-web.org

What is this "docker"

More Related Content

What's hot (20)

Viewers also liked (16)

Similar to What is this "docker" (20)

Recently uploaded (20)

What is this "docker"