DOCKER[con2018]

TOPICS

  • Docker Overview
    • What is it?
    • Why is it dope?
  • DockerCon 2018
    • Path to Containerization
    • Security 
    • Fun new tools

Docker Overview

What is Docker?

  • https://www.docker.com/
  • The company driving the container movement
  • Provides a global repository for images
  • Provides a platform and orchestration for managing containers

What is a Container?

  • Lightweight, standalone, executable package
  • Includes everything needed to run the app
    • Code
    • Runtime
    • System Tools
    • System Libraries
    • Settings

Why?

  • It works on my machine
  • Why not use a VM?
  • I am an army of one

Container vs. VM

What could go wrong?

Top Container Challenges

  • Controlling the complexity of extremely dense, fast changing environments
  • Taking maximum advantage of a highly volatile technology ecosystem
  • Ensuring developers have the freedom to innovate
  • Deploying containers across disparate, distributed infrastructure
  • Enforcing organizational policy and controls

Is it really a big deal?

DockerCon 2018

Containerizing Applications

1. App

  •   Get first app production ready (security, data persistence, configuration)

2. Pipeline

  •   Don’t centralize CI/CD
  •   Centralizing it leads to plugin “hell”, complication and interference between teams

3. Platform

  •   Centralized Registry and Orchestration
  •   Centralized Monitoring/Logs
  •   Clusters as a Service

4. Governance

  •   Operation Model
  •   SLAs
  •   Support
  •   Knowledge Base

5. App + Pipeline >> Platform + Governance as a Service for the next applications

Path to Containerization

- Control Plane

  •     mutual TLS on connections from all nodes; the most important component to secure

- Identity

  •    kube auth/spiffe/spinica
  •    Never trust any connection; always use mutual TLS everywhere

- Runtime

  •    BPF/Cilium: verifies no external memory storage, probes kernel functions, searches for bad commands; osquery; Envoy

- Secrets

  •    A decryption server accepts an identity (SPIFFE) plus the secret and returns a packaged decrypted secret (the decrypted secret is never visible in transit); the server uses its key to access the secret within the package

- Provenance

  •    Get image, sign (Notary), add metadata, scan -> store output in Notary
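The provenance pipeline above, as an added example that is not from the talk or from Notary itself: digest the image, attach metadata and scanner output, sign the record, and refuse to deploy when the signature, the digest or the scan result is off. The image bytes, scan counts and signing key are constructed for the example, and HMAC-SHA256 stands in for Notary's real TUF signature so the script needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the image content; a real pipeline would use the
# registry's sha256 manifest digest rather than hashing local bytes.
IMAGE = b"FROM alpine:3.7\nRUN apk add --no-cache curl\n"

# Stand-in for the signing key Notary holds. HMAC-SHA256 replaces the real
# TUF/ECDSA signature so the example runs on the standard library alone.
SIGNING_KEY = b"example-key-not-for-production"

# Constructed scanner output: finding counts per severity.
SCAN_RESULT = {"critical": 0, "high": 1, "medium": 3, "low": 12}


def image_digest(image: bytes) -> str:
    return "sha256:" + hashlib.sha256(image).hexdigest()


def build_record(image: bytes, metadata: dict, scan: dict) -> dict:
    """Digest the image and attach the metadata and the scan output."""
    return {"digest": image_digest(image), "metadata": metadata, "scan": scan}


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = SIGNING_KEY) -> dict:
    """What would be stored in Notary: the record plus its signature."""
    sig = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "sig": sig}


def admit(signed: dict, image: bytes, key: bytes = SIGNING_KEY) -> tuple:
    """Deploy-time check: signature, digest and scan result must all pass."""
    expected = hmac.new(key, canonical(signed["record"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return False, "bad signature"
    if signed["record"]["digest"] != image_digest(image):
        return False, "digest mismatch"
    scan = signed["record"]["scan"]
    for severity in ("critical", "high"):
        if scan.get(severity, 0) > 0:
            return False, f"scan: {scan[severity]} {severity}"
    return True, "ok"


if __name__ == "__main__":
    record = build_record(IMAGE, {"builder": "ci", "commit": "abc123"}, SCAN_RESULT)
    signed = sign_record(record)
    print(admit(signed, IMAGE))  # (False, 'scan: 1 high')
    # Someone edits the stored scan result to sneak the image through:
    forged = {"record": dict(record, scan={"critical": 0, "high": 0}), "sig": signed["sig"]}
    print(admit(forged, IMAGE))  # (False, 'bad signature')
```

Because the scan output is inside the signed record, editing it after the fact invalidates the signature; the admission check therefore trusts the scanner's verdict only as far as it trusts the signing key.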

- Dependency Management

  •    A definitive, centralized software list; a recursive indexer collects package names/versions/dependencies, related info and location (check the list before updates)
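A small recursive indexer for the dependency-management idea above, as an added example rather than anything shown at the talk: it walks a package catalog transitively, builds the centralized software list with the deployed roots that use each package, and consults that list before an update to answer "is this version approved, and what will it touch". The catalog and the approved-version list are constructed for the example.

```python
# Constructed catalog in the shape a recursive indexer might collect from lock
# files and image layers: package -> version, declared dependencies, location.
CATALOG = {
    "webapp":   {"version": "1.4.0",  "deps": ["requests", "pyyaml"], "location": "registry/webapp:1.4.0"},
    "agent":    {"version": "2.1",    "deps": ["requests"],           "location": "registry/agent:2.1"},
    "requests": {"version": "2.18.4", "deps": ["urllib3", "chardet"], "location": "pypi"},
    "urllib3":  {"version": "1.22",   "deps": [],                     "location": "pypi"},
    "chardet":  {"version": "3.0.4",  "deps": [],                     "location": "pypi"},
    "pyyaml":   {"version": "3.12",   "deps": [],                     "location": "pypi"},
}


def index(catalog: dict, root: str, seen: set = None) -> set:
    """Recursively collect root and everything it pulls in (cycle-safe)."""
    seen = set() if seen is None else seen
    if root in seen or root not in catalog:
        return seen
    seen.add(root)
    for dep in catalog[root]["deps"]:
        index(catalog, dep, seen)
    return seen


def build_software_list(catalog: dict, roots: list) -> dict:
    """The definitive, centralized list: every package with version, location
    and the deployed roots (apps/images) that transitively use it."""
    software = {}
    for root in roots:
        for name in index(catalog, root):
            entry = software.setdefault(name, {
                "version": catalog[name]["version"],
                "location": catalog[name]["location"],
                "used_by": set(),
            })
            entry["used_by"].add(root)
    return software


def check_update(software: dict, package: str, new_version: str, approved: dict) -> tuple:
    """Consult the list before updating. `approved` (an assumed allowlist of
    package -> versions) gates the change; the third element lists the
    deployed roots the update will touch."""
    if package not in software:
        return False, f"{package} not in inventory", []
    affected = sorted(software[package]["used_by"])
    if new_version not in approved.get(package, ()):
        return False, f"{package} {new_version} not approved", affected
    return True, f"{package} {software[package]['version']} -> {new_version}", affected


if __name__ == "__main__":
    inventory = build_software_list(CATALOG, ["webapp", "agent"])
    for name, entry in sorted(inventory.items()):
        print(f"{name:9} {entry['version']:7} {entry['location']:24} used by {sorted(entry['used_by'])}")
    print(check_update(inventory, "urllib3", "1.23", {"urllib3": ["1.23"]}))
```

The reverse mapping (package -> roots) is what makes the list useful in an incident: when a library turns out to be bad, the question "which running images carry it" is one lookup rather than a rescan.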

Security!

osquery.io

“osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive.

 

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.”

Open source on-prem osquery for Docker: Kolide Fleet quickstart

Vendor: Uptycs
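To make the osquery description concrete, here is an added example (not from the talk, Kolide or Uptycs) of the kind of check a container host would run: one SQL query against osquery's docker_containers table, and a few lines of Python that turn the query's JSON rows into policy findings. The column names come from that table's schema; the JSON rows below are constructed to match the shape `osqueryi --json` emits and were not captured from a real host.

```python
import json

# Query against osquery's docker_containers table. Run it with, for example:
#   osqueryi --json "SELECT id, name, image, privileged, security_options FROM docker_containers WHERE state = 'running';"
# and feed the output to find_risky_containers().
RISKY_CONTAINER_QUERY = (
    "SELECT id, name, image, privileged, security_options "
    "FROM docker_containers WHERE state = 'running';"
)

# Constructed sample of what `osqueryi --json` returns: a JSON list of rows,
# every value a string. Not captured from a real host.
SAMPLE_OSQUERY_JSON = json.dumps([
    {"id": "a1b2c3", "name": "web", "image": "nginx:1.15.0",
     "privileged": "0", "security_options": ""},
    {"id": "d4e5f6", "name": "debug", "image": "busybox:latest",
     "privileged": "1", "security_options": ""},
    {"id": "0f9e8d", "name": "agent", "image": "acme/agent:2.1",
     "privileged": "0", "security_options": "apparmor=unconfined"},
])


def find_risky_containers(osquery_json: str) -> list:
    """Return (name, image, [reasons]) for each container that breaks the
    policy: no privileged containers, no unconfined LSM profiles, and no
    mutable :latest tags on running workloads."""
    findings = []
    for row in json.loads(osquery_json):
        reasons = []
        if row.get("privileged") == "1":
            reasons.append("privileged")
        if "unconfined" in row.get("security_options", ""):
            reasons.append("unconfined security option")
        if row.get("image", "").endswith(":latest"):
            reasons.append("mutable :latest tag")
        if reasons:
            findings.append((row["name"], row["image"], reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in find_risky_containers(SAMPLE_OSQUERY_JSON):
        print(f"{name} ({image}): {', '.join(reasons)}")
```

Scheduled through Fleet, the same query runs on every host and the findings become a feed rather than a one-off audit; the policy function is deliberately separate from the query so the SQL stays simple and the judgement lives in code that is easy to test.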

“Istio addresses many of the challenges faced by developers and operators as monolithic applications transition towards a distributed microservice architecture. The term service mesh is often used to describe the network of microservices that make up such applications and the interactions between them. As a service mesh grows in size and complexity, it can become harder to understand and manage. Its requirements can include discovery, load balancing, failure recovery, metrics, and monitoring, and often more complex operational requirements such as A/B testing, canary releases, rate limiting, access control, and end-to-end authentication.” 

“Cilium brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.”

Cilium cilium.io

ISTIO istio.io

“ StorageOS nodes aggregate available server storage into a distributed pool and presents virtual block devices to clients on any node. It is backed by an external key/value store which is used for service discovery, configuration and health checking. Data is replicated synchronously to as many nodes required for durability, and if a node fails, one of the replicas is promoted to master.”

“What is Gloo?

Gloo is a high-performance, plugin-extendable, platform-agnostic API Gateway built on top of Envoy. Gloo is designed for microservice, monolithic, and serverless applications. By employing function-level routing, Gloo can completely decouple client APIs from upstream APIs at the routing level. Gloo serves as an abstraction layer between clients and upstream services, allowing front-end teams to work independently of teams developing the microservices their apps connect to.”

Tutorial!

EXCITING!

DockerCon

By glenna