Apcera Webinar Series

 

Docker In Production:

Securing Containers After Dev

January 22, 2015

Today's Webinar Topics

  • Brief intro on why developers are using Docker.
  • How to meet production security requirements with Docker after development.
  • An overview and demo of Docker support in Continuum, a PaaS for the modern enterprise.

Webinar Speaker

Josh Ellithorpe, Senior Software Engineer, Apcera

A Chicago native, Josh began his career in the late nineties working in all aspects of the tech stack. As an open-source advocate, he released his first open-source project, throttled, in 2001. Specializing in Ruby development, Josh decided to acquaint himself with San Francisco’s tech scene, and made the city his home. After relocating, Josh worked on some of the biggest emerging social applications for companies like Facebook and Involver. He joined the Apcera team in 2013 to revisit his networking roots and revolutionize the cloud.


Email - josh@apcera.com

Github - https://github.com/zquestz

Why Devs Choose Docker

  • Docker Repository makes finding and deploying services easy (Postgres/MySQL/Redis/Mongo/etc.).
  • Easy to build Docker images that can run almost anywhere.
  • Very low overhead compared to virtualization.
  • Growing ecosystem of developers and tools.

Concerns About Using Docker In Production

  • Version changes on the Docker Registry.
  • Integration with production logging services.
  • Health monitoring.
  • Networking workloads across different hosts.
  • Protecting service credentials.
  • Resource controls (disk, network, memory and cpu).
  • Access and permissions on services.
  • Switching from development services to production.
  • ...

Continuum - A Quick Breakdown

  • A modern hybrid cloud platform leveraging Linux containers, cgroups, and user namespaces.
  • "Just a Job" - The job primitive.
  • Runs Docker workloads as a first-class citizen.
  • Designed from scratch to support high-end enterprise organizations.
  • Built-in policy grammar to provide extremely granular access controls on all parts of the system.
  • Workload agnostic: it can run anything that runs on a modern Linux kernel.

Continuum Makes Docker Fit for Production

  • Policy controls to restrict Docker packages loaded in the system.
    on job::/sandbox/dev { { docker.lockPublicImages "mysql" } }
  • Full caching of all Docker layers for near-instant launch times on subsequent runs.
  • Logging is fully integrated and can be viewed through apc (our command line client), the web console, or sent to another service like Splunk via syslog integration.
  • Health monitoring is done out of the box. If your app isn't responding to known ports, it will automatically be restarted.

Production Fit (Continued)

  • Container networking is provided by default in Continuum. All applications are completely sandboxed via an application firewall.
  • Full resource controls are enforced on all jobs in the system. This includes disk, memory, cpu, and network.
  • Policy is not limited to resources; you can also control routes, packages, service access, etc.
  • No application changes are required to move your job between environments.
  • Semantic pipelines allow for granular control over MySQL/Postgres/Redis and HTTP connections. This includes the ability to log or filter insert/drop/delete requests from your db.
  • Ephemeral credentials.

Live Demo

  • Deploying Docker services in Continuum.
  • Health monitoring and logging.
  • Networking applications and services.
  • Hybrid cloud deployments with Docker.

To Learn More About Continuum

To get started with Continuum:

  - Schedule a demo by emailing info@apcera.com

  - Try Continuum yourself at apcera.com/getstarted

 

Stay Tuned for Upcoming Apcera Webinars:

  - The Modern PaaS - Hybrid Cloud

  - Solving the Authentication Problem
