Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ChaDev: From Cargo Ships to Shipping Docker Containers

Rob Scott
February 22, 2018
260

ChaDev: From Cargo Ships to Shipping Docker Containers

The 1950s saw standardized containers revolutionize the shipping industry. In this talk Rob will discuss how Docker, a leading container technology, is enabling a similar kind of transformation in cloud infrastructure.

Docker provides an incredibly powerful way to package and deploy your applications. We’ll start with a brief background on what Docker is, how it works, and why you’d want to use it. From there we’ll go over some common mistakes people make when building Docker images, and learn how they can be avoided. Once we have a great image, we’ll cover how we can run it in a secure way. Even if you haven’t used Docker before, you should leave this talk with a good understanding of how to build great images and run them securely.

Further Resources:

Jake Wright: Learn Docker in 12 Minutes: https://www.youtube.com/watch?v=YFl2mCHdv24

Docker Getting Started Guide: https://docs.docker.com/get-started/

Docker Curriculum: https://docker-curriculum.com/

Jess Frazelle: Containers aka crazy user space fun: https://www.youtube.com/watch?v=7mzbIOtcIaQ

Red Hat Container Security Guide: https://docs.docker.com/get-started/

Rob Scott

February 22, 2018
Tweet

Transcript

  1. From Cargo Ships to Shipping Docker Containers crea%ve commons licensed

    (BY-SA) flickr photo by chumlee10: hAps:/ /www.flickr.com/photos/chumlee/25379306163 Rob Sco' | @robertjsco'
 ChaDev, February 22, 2018
  2. 1. Stackability Shipping containers can be stacked on top of

    each other for greater capacity. Docker containers can run on shared resources, effec9vely stacking containers.
  3. 2. Portability Shipping containers can be immediately loaded onto trucks

    or trains and con9nue their journey. Docker containers provide a consistent interface that can easily run across many environments.
  4. 3. Simplicity Ships only need to be able to transport

    standardized containers, no need for specialized storage areas. Servers only need to be able to run Docker containers, no need to specialize each server for a different task.
  5. 4. Security Shipping containers can protect their contents from external

    dangers. Docker containers can help secure their applica9ons from external dangers.
  6. 5. Isola9on Shipping containers can prevent malicious contents from escaping

    and infec9ng other containers. Docker containers can prevent malicious applica9ons from escaping and infec9ng other containers.
  7. What is Docker? • Not the first Linux container technology.

    • Makes it easier to create, deploy, and run applica%ons with containers. • Combines Linux namespaces, control groups, and union file systems. • Core idea is to package your applica%on with its dependencies in a single immutable container.
  8. What about VMs? App A App B Bins/Libs Bins/Libs Guest

    OS Guest OS Hypervisor Host OS Server App A App B Bins/Libs Bins/Libs Docker Engine Host OS Server
  9. Why Would You Use It? • Achieve consistent deployments across

    environments • Improve resource u%liza%on • Simplify applica%on isola%on • Package all applica%ons in iden%cal containers • U%lize a strong library of supported base images
  10. What is Moby? • Announced by Docker in April 2017

    as a beAer way to differen%ate their products • Moby represents the base, open source, development • Docker CE is a free product based on Moby • Docker EE is a commercial product based on Docker CE
  11. What is Kubernetes? • A container orchestra%on tool ini%ally inspired

    by Google’s Borg project • Commonly used to orchestrate Docker containers • Can provide: • Networking • Service discovery • Resource alloca%on • Replica%on • Rolling updates
  12. const express = require('express'); const app = express(); const port

    = parseInt(process.env.PORT, 10); app.get('/', (req, res) => { res.send('Hello World!') }); app.listen(port, () => { console.log(`app listening on port ${port}!`); }); app.js
  13. { "name": "node-docker-example", "version": "0.1.0", "description": "Node.js Docker Example", "repository":

    "https://github.com/robscott/node-docker-example", "main": "index.js", "dependencies": { "express": "^4.16.2" }, "devDependencies": {}, "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "Rob Scott", "license": "MIT" } package.json
  14. FROM node:8 WORKDIR /app COPY . /app RUN npm install

    ENV PORT 80 CMD node index.js Dockerfile.original
  15. FROM node:8.9.4 WORKDIR /app COPY . /app RUN npm install

    ENV PORT 80 CMD node index.js 1. Use a Specific Image Version
  16. FROM node:8.9.4-alpine WORKDIR /app COPY . /app RUN npm install

    ENV PORT 80 CMD node index.js 2. Use a Minimal Base OS
  17. FROM node:8.9.4-alpine RUN apk update && apk upgrade WORKDIR /app

    COPY . /app RUN npm install ENV PORT 80 CMD node index.js 3. Update Dependencies
  18. FROM node:8.9.4-alpine RUN apk update && apk upgrade WORKDIR /app

    COPY . /app RUN npm install ENV PORT 8001 CMD node index.js 4. Run on a Non Privileged Port
  19. FROM node:8.9.4-alpine RUN apk update && apk upgrade WORKDIR /app

    COPY . /app RUN npm install ENV PORT 8001 RUN addgroup -S app \ && adduser -S -g app app \ && chown -R app /app \ && chmod -R 500 /app USER app CMD node index.js 5. Run as a Minimally Privileged User
  20. Things to Remember • Docker Containers should be a thin

    wrapper around a single process • Remove any unnecessary dependencies • Run containers with a minimally privileged user • Ensure your dependencies are up to date • Use some kind of vulnerability scanner
  21. docker run \ -p 80:8001 \ --read-only \ --cap-drop ALL

    \ quay.io/robertjscott/node-docker-example:improved 2. Drop Kernel Capabili9es
  22. •CHOWN •DAC_OVERRIDE •FSETID •FOWNER •MKNOD •NET_RAW •SETGID Default Kernel Capabili9es

    •SETUID •SETFCAP •SETPCAP •NET_BIND_SERVICE •SYS_CHROOT •KILL •AUDIT_WRITE
  23. docker run \ --read-only \ --cap-drop ALL \ --cap-add SETUID

    \ quay.io/robertjscott/node-docker-example:improved Adding Kernel Capabili9es
  24. docker run \ -p 80:8001 \ --read-only \ --cap-drop ALL

    \ --cpus 1 \ --memory 100m \ quay.io/robertjscott/node-docker-example:improved 3. Limit Resources
  25. Docker containers are transforming applica9on deployment in the same way

    that standardized shipping containers transformed the logis9cs industry. 1.
  26. A few simple changes to your Dockerfile can drama9cally improve

    the portability and security of your containers. 3.
  27. Docker provides powerful ways to secure your containers as they’re

    running, but many of them aren’t enabled by default. 4.
  28. Further Resources • Jake Wright: Learn Docker in 12 Minutes

    • Docker Gehng Started Guide • Docker Curriculum • Jess Frazelle: Containers aka crazy user space fun • Red Hat Container Security Guide
  29. From Cargo Ships to Shipping Docker Containers Rob Sco' |

    @robertjsco'
 ChaDev, February 22, 2018 crea%ve commons licensed (BY-SA) flickr photo by Maersk Line: hAps:/ /www.flickr.com/photos/maerskline/6953654422 Ques9ons?