Docker Learnings

Transcript

1. 1 Docker Learnings TEC Lunch & Learn, 2016-01-06 Danilo Bargen

2. 2 Agenda 1. What is Docker? 2. Why the hype?

   3. Docker Security 4. Conclusions 5. Questions

3. 3 1. What is Docker?

4. 4 «Docker containers wrap up a piece of software in

   a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.» www.docker.com

5. 5 Layer Filesystem - Uses union file system - Multiple

   layers are unified into a single file system - Only the top layer is writeable

6. 6 Lightweight - Shared kernel - Instant start (in the

   range of milliseconds) - Layers make disk usage and image downloads more efficient

7. 7 Kind-of-secure - Containers provide isolation - Not battle-tested yet

   though - More about this later

8. 8 Containers vs VMs - VMs contain the guest OS,

   containers don’t - VMs try to emulate hardware, containers don’t - Makes them faster, smaller, more portable

9. 9 Terminology - An image is a stack of filesystem

   layers that can be used to launch a container. This is like a class in OOP. - A container is an image instance. This is like an instance in OOP. A container can be started or stopped. - Both images and containers can be tagged. - A docker server runs the containers. - A docker client talks to the server to control containers. - A docker registry can be used to upload and download images. Publically available registries include the DockerHub and Quay. io.

10. 10 Technologies - Linux namespaces for isolation - Linux cgroups

    for resource management - Union file systems: AUFS, btrfs, vfs, DeviceMapper - Container format: LXC, libcontainer

11. 11 Possible Uses - Isolate multiple services on the same

    server from each other - Keep code and configuration together - Accelerate developer onboarding - Eliminate environment inconsistencies

12. 12 2. Why the hype?

13. 13 Containers aren’t anything new - FreeBSD Jails - Google

    containers - OpenVZ - LXC

14. 14 Then why the hype? - Easy to get started

    - Nice docs - Great name & cute logo - Rise of cloud computing - Developed by a startup, not by a big enterprise company - Dockerhub - Great adoption, so a lot of hosting options

15. 15 3. Docker Security

16. 16 Things To Note - Members of the docker group

    == root users - Don’t run your containers as root users! - Docker is safe in theory, but still young technology and not battle tested - Isolation through cgroups and namespaces. Shared kernel means that kernel exploits lead to bad consequences. - You should make yourself familiar with how namespaces and cgroups work.

17. 17 Watch this https://youtu.be/_lExqHukqOw

18. 18 4. Conclusion

19. 19 Learnings I - Code and Dockerfile belong together -

    Good for immutable applications - Good for simple deployments - Might be good for testing & integration - Might be good for development

20. 20 Learnings II - Right now configuration/secrets can be done

    through env variables. In the future through something like Vault. - Jenkins can build images after every successful test. - Jenkins can regularly rebuild images to include security updates in base layers. - We should regularly run the deployment script on moby to pull new images. - Read the docker book!

21. 21 Resources - “Getting Started” in Docker docs https://docs.docker.com/ -

    “The Docker Book” http://books.linuxfocus. net/books/view/652 - “Docker: Up & Running” by O’Reilly http://shop.oreilly.com/product/0636920036142.do

22. 22 5. Questions?