Slide 1: Docker Learnings
TEC Lunch & Learn, 2016-01-06, Danilo Bargen

Slide 2: Agenda
1. What is Docker?
2. Why the hype?
3. Docker Security
4. Conclusions
5. Questions

Slide 3: 1. What is Docker?

Slide 4
«Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.»
Source: www.docker.com

Slide 5: Layer Filesystem
- Uses a union file system
- Multiple layers are unified into a single file system
- Only the top layer is writeable

Slide 6: Lightweight
- Shared kernel
- Instant start (in the range of milliseconds)
- Layers make disk usage and image downloads more efficient

Slide 7: Kind-of-secure
- Containers provide isolation
- Not battle-tested yet, though
- More about this later

Slide 8: Containers vs VMs
- VMs contain the guest OS, containers don’t
- VMs try to emulate hardware, containers don’t
- This makes containers faster, smaller and more portable

Slide 9: Terminology
- An image is a stack of filesystem layers that can be used to launch a container. This is like a class in OOP.
- A container is an image instance. This is like an instance in OOP. A container can be started or stopped.
- Both images and containers can be tagged.
- A docker server runs the containers.
- A docker client talks to the server to control containers.
- A docker registry can be used to upload and download images. Publicly available registries include the DockerHub and Quay.io.

Slide 10: Technologies
- Linux namespaces for isolation
- Linux cgroups for resource management
- Union file systems: AUFS, btrfs, vfs, DeviceMapper
- Container format: LXC, libcontainer

Slide 11: Possible Uses
- Isolate multiple services on the same server from each other
- Keep code and configuration together
- Accelerate developer onboarding
- Eliminate environment inconsistencies

Slide 12: 2. Why the hype?

Slide 13: Containers aren’t anything new
- FreeBSD Jails
- Google containers
- OpenVZ
- LXC

Slide 14: Then why the hype?
- Easy to get started
- Nice docs
- Great name & cute logo
- Rise of cloud computing
- Developed by a startup, not by a big enterprise company
- DockerHub
- Great adoption, so a lot of hosting options

Slide 15: 3. Docker Security

Slide 16: Things To Note
- Members of the docker group == root users
- Don’t run your containers as root users!
- Docker is safe in theory, but it is still a young technology and not battle-tested
- Isolation is provided through cgroups and namespaces. Because the kernel is shared, a kernel exploit has bad consequences.
- You should make yourself familiar with how namespaces and cgroups work.
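As an added example (not from the talk), a small POSIX shell audit for the "don't run your containers as root" rule: it reads a Dockerfile, tracks the USER instruction per build stage (so it also covers multi-stage builds, a later Docker feature), and reports the user the final image would run as. The sample Dockerfiles and the image names in them are constructed for the example.

```shell
#!/bin/sh
# Added example: static check for the "don't run containers as root" rule.
# effective_user FILE prints the user the final image stage runs as.
# Each FROM starts a new stage as root; the last USER in the final stage wins.
effective_user() {
  awk '
    toupper($1) == "FROM" { user = "" }   # a new build stage resets to root
    toupper($1) == "USER" { user = $2 }   # "USER name[:group]" or "USER uid[:gid]"
    END {
      sub(/:.*/, "", user)                 # drop the optional group part
      if (user == "" || user == "root" || user == "0") print "root"
      else print user
    }
  ' "$1"
}

# check_dockerfile FILE: return 0 when the image drops root, 1 otherwise.
check_dockerfile() {
  u=$(effective_user "$1")
  if [ "$u" = root ]; then
    echo "$1: final stage runs as root" >&2
    return 1
  fi
  echo "$1: final stage runs as $u"
}

# docker_group_members: who can talk to the daemon, i.e. who is effectively root on the host.
docker_group_members() {
  getent group docker | cut -d: -f4
}

# Constructed sample Dockerfiles (assumptions, not from the talk).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# No USER at all: the container runs as root.
printf 'FROM debian:8\nRUN apt-get update\nCMD ["sh"]\n' > "$tmpdir/Dockerfile.root"

# Drops privileges to an unprivileged user before the entrypoint.
printf 'FROM debian:8\nRUN useradd -r app\nUSER app\nCMD ["sh"]\n' > "$tmpdir/Dockerfile.app"

# Multi-stage build: the builder stage's USER does not carry over into the final stage.
printf 'FROM golang:1.5 AS builder\nUSER builder\nRUN go build -o /out/app ./...\nFROM debian:8\nCOPY --from=builder /out/app /app\nCMD ["/app"]\n' > "$tmpdir/Dockerfile.multi"

for f in "$tmpdir"/Dockerfile.*; do
  check_dockerfile "$f" || :
done
```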

Slide 17: Watch this
https://youtu.be/_lExqHukqOw

Slide 18: 4. Conclusion

Slide 19: Learnings I
- Code and Dockerfile belong together
- Good for immutable applications
- Good for simple deployments
- Might be good for testing & integration
- Might be good for development

Slide 20: Learnings II
- Right now, configuration and secrets can be passed through environment variables. In the future, through something like Vault.
- Jenkins can build images after every successful test.
- Jenkins can regularly rebuild images to include security updates in the base layers.
- We should regularly run the deployment script on moby to pull new images.
- Read the Docker book!

Slide 21: Resources
- “Getting Started” in the Docker docs: https://docs.docker.com/
- “The Docker Book”: http://books.linuxfocus.net/books/view/652
- “Docker: Up & Running” by O’Reilly: http://shop.oreilly.com/product/0636920036142.do

Slide 22: 5. Questions?