Docker for Developers
ANDRZEJ SYDOR
Docker
- Docker is the leading software container platform
- Founded in 2013 as a Linux developer tool
- Fundamentally solves the "works on my machine" problem
- Container industry inventor, leader and innovator
- Transforms app and infrastructure security, portability, agility and efficiency
One Application on One Physical Server
- Limitations
  - Slow development times
  - Huge costs
  - Wasted resources
  - Difficult to scale
  - Difficult to migrate
  - Vendor lock-in
Hypervisor-Based Virtualization
- Benefits:
  - Better resource pooling
  - One physical machine divided into multiple virtual machines
  - Easier to scale
  - VMs in the cloud
  - Rapid elasticity
  - Pay-as-you-go model
- Limitations:
  - Each VM still requires:
    - CPU
    - Storage
    - RAM
    - An entire guest operating system
  - A full guest OS means wasted resources
  - Application portability not guaranteed
Docker
- Standardized packaging for software and dependencies
- Isolates apps from each other
- Shares the same OS kernel
- Works with all major Linux distributions and Windows Server
Docker for developers
Key Benefits of Docker Containers
- Speed
  - No OS to boot – applications online in seconds
- Portability
  - Fewer dependencies between process layers = ability to move between infrastructures
- Efficiency
  - Less OS overhead
  - Improved resource efficiency
WORA / PODA
- WORA = Write Once Run Anywhere ({J,W,E}AR)
- PODA = Package Once Deploy Anywhere
Docker
- Image
  - The basis of a Docker container
- Registry
  - Stores, distributes and manages Docker images
- Container
  - The image when it is 'running'
- Swarm Cluster
  - Cluster of Docker hosts
- Control Plane
  - Management plane for container and cluster orchestration
Docker
- Docker Compose
  - Define and share multi-container definitions
- Docker Machine
  - A tool to launch Docker hosts on multiple platforms
- Docker Hub
  - Repository for Docker images
- Docker Store
  - A storefront for official Docker images and plugins as well as licensed products
- Docker Swarm
  - A multi-host-aware orchestration tool
- Docker Cloud
  - Docker's Container as a Service (CaaS)
Docker Image Layers
- Layers are read-only
- An image is a collection of files and some metadata
- Images are comprised of multiple layers
- A layer also contains the software you want to run
- Every image contains a base layer
- Docker uses a copy-on-write system
Docker Sharing Layers
- Images can share layers in order to speed up transfer times and optimize disk and memory usage
- Parent images that already exist on the host do not have to be downloaded
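Layer sharing hinges on how Docker identifies a layer on disk. Added example (not from the deck): a small Python script applying the chain-ID rule from the Docker image spec to constructed layer digests and sizes, showing that an identical layer is only shared when its whole parent chain matches, and how little a pull must download when the parent image is already on the host.

```python
"""Docker image layer sharing, worked through with the chain-ID rule from the
Docker image spec. All diff IDs and sizes below are constructed for the demo."""
import hashlib


def digest(data: str) -> str:
    """Docker-style digest ("sha256:<hex>") of a UTF-8 string."""
    return "sha256:" + hashlib.sha256(data.encode("utf-8")).hexdigest()


def chain_ids(diff_ids):
    """Chain ID of every layer, bottom layer first.
    Image spec rule: ChainID(L0) = DiffID(L0);
    ChainID(Ln) = sha256(ChainID(Ln-1) + " " + DiffID(Ln)).
    A layer therefore only matches one already on the host when its whole
    ancestry matches: the same content on a different parent is stored twice."""
    chain = []
    for diff_id in diff_ids:
        chain.append(diff_id if not chain else digest(chain[-1] + " " + diff_id))
    return chain


def shared_layers(image_a, image_b):
    """Number of layers (by chain ID) two images can share on disk."""
    return len(set(chain_ids(image_a)) & set(chain_ids(image_b)))


def layers_to_pull(image, host_chain_ids, sizes):
    """Layers a pull of `image` must download given the chain IDs already on the
    host, and how many bytes that is. Returns (missing_chain_ids, total_bytes)."""
    missing, total = [], 0
    for diff_id, chain_id in zip(image, chain_ids(image)):
        if chain_id not in host_chain_ids:
            missing.append(chain_id)
            total += sizes[diff_id]
    return missing, total


# Constructed layers: diff IDs derived from labels so they look like real digests.
BASE = digest("constructed: alpine base rootfs")
OTHER_BASE = digest("constructed: debian base rootfs")
LIBS = digest("constructed: RUN apk add openssl")  # same content on any parent
APP_A = digest("constructed: COPY build/app-a.jar /etc/app.jar")
APP_B = digest("constructed: COPY build/app-b.jar /etc/app.jar")
SIZES = {BASE: 5_000_000, OTHER_BASE: 50_000_000, LIBS: 2_000_000,
         APP_A: 30_000_000, APP_B: 31_000_000}

IMAGE_A = [BASE, LIBS, APP_A]        # FROM alpine ... COPY app-a
IMAGE_B = [BASE, LIBS, APP_B]        # same parent chain, different app layer
IMAGE_C = [OTHER_BASE, LIBS, APP_A]  # LIBS diff ID reused on a different parent


def demo():
    """Pull IMAGE_A onto an empty host, then cost out IMAGE_B and IMAGE_C.
    Returns {name: (layers_downloaded, bytes_downloaded)}."""
    host = set()
    pulled_a, bytes_a = layers_to_pull(IMAGE_A, host, SIZES)
    host.update(pulled_a)
    pulled_b, bytes_b = layers_to_pull(IMAGE_B, host, SIZES)
    pulled_c, bytes_c = layers_to_pull(IMAGE_C, host, SIZES)
    return {"A": (len(pulled_a), bytes_a), "B": (len(pulled_b), bytes_b),
            "C": (len(pulled_c), bytes_c)}


if __name__ == "__main__":
    for name, (n, size) in demo().items():
        print(f"image {name}: {n} layer(s) to download, {size:,} bytes")
```

IMAGE_B reuses the two layers already pulled for IMAGE_A, while IMAGE_C shares nothing even though its LIBS layer has the same diff ID, because its parent differs.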
Portainer
- Docker UI
- "The easiest way to manage docker"
- https://www.portainer.io/
Portainer
docker volume create portainer_data
docker run --name=portainer \
  -d -p 9000:9000 --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /opt/portainer:/data portainer/portainer
Portainer
- https://portainer.io/overview.html
- Detailed overview
  - Containers (List, Details, Stats, Logs, Console, Creation)
  - Images (List, Details)
  - Network (List)
  - Volumes (List)
  - Container Templates
  - Cluster overview
  - Services Management
  - Endpoint Management
  - User Management and User Access Control
Kitematic
- Visual Docker container management on Mac & Windows
- Run containers through a simple, yet powerful graphical user interface.
- https://kitematic.com/
- Legacy desktop solution bundled with Docker Toolbox.
Kitematic
- Fast and easy setup
- Docker Hub integration
- Seamless experience between CLI and GUI
- Advanced features
  - Automatically map ports
  - Configure volumes
  - Change environment variables
  - Streamline logs
  - CLI access to containers
Kitematic
Docker Desktop for Windows
- Docker Desktop for Windows is the best way to get started with Docker on Windows
  - https://docs.docker.com/docker-for-windows/
  - Native application with a UI
  - Auto-update capability
  - No additional software required, e.g. VirtualBox
  - Windows: Hyper-V VM
  - Better networking and filesystem mounting/notification
  - Requires Windows 10 64-bit (Yosemite 10.10+)
Rancher OS
- A simplified Linux distribution built from containers, for containers.
- https://rancher.com/rancher-os/
- https://github.com/rancher/os
Build Container Images
- Dockerfile
  - FROM – Docker base image
    - FROM alpine:latest
  - LABEL – extra information
    - LABEL maintainer="Andrzej Sydor"
  - RUN – commands to install software and run scripts
    - RUN mkdir -p /tmp/myapp/
  - COPY/ADD
    - COPY build/app.jar /etc/app.jar
    - ADD http://resource/files/html.tar.gz /usr/share/nginx/
  - EXPOSE – the port and the protocol exposed at runtime
    - EXPOSE 80/tcp
  - ENTRYPOINT/CMD
  - USER / WORKDIR / ONBUILD / ENV
Docker Build
- docker image build --file <Dockerfile> --tag <REPO>:<TAG>
  - <REPO> – typically your username on Docker Hub
  - <TAG> – a unique tag identifying this image
- docker image build --tag local:dockerfile-example .
  - . (dot) – current folder (the build context)
Storing images
- Docker Registry
- Docker Hub
- Docker Store
Docker Registry
- Service that stores your Docker images
- Open source – Apache license
- Tightly control where your images are being stored
- Fully own your image distribution pipeline
- Integrate image storage and distribution tightly into your in-house development
- Filesystem storage: /var/lib/registry
Storing images
- Docker Hub
  - Free for public images
  - Organizations
  - Repositories
  - Automated builds (GitHub, BitBucket)
Storing images
- Docker Store
  - Docker images and plugins
  - Docker Certified
Third-party registries
- Red Hat Container Catalog
- OpenShift
- JFrog
- Quay.io
- Amazon EC2 Container Registry
- Others: MicroBadger (e.g. to inspect an image)
Networking & Volumes
- IPAM (IP address management)
  - Planning, tracking and managing IP addresses within the network
  - IPAM has DNS and DHCP services
Docker – CPU/Memory
- By default, a container can consume all available resources on the host machine if it requires them
- Limit CPU usage
  - -c / --cpu-shares=1024
  - --cpu-period=25000 (microseconds)
  - --cpu-quota=25000 (microseconds)
- Limit memory usage
  - --memory 1024M
  - --memory-swap 1024M
    - By default, when you set --memory, Docker sets the --memory-swap size to twice that value
  - --kernel-swap 1024M
Docker Security Scanning
- Security Scanning feature (non-free):
  - Docker Hub
  - Docker Cloud
Docker Security non-events
- https://docs.docker.com/engine/security/non-events/
- CVE-2013-1956, 1957, 1958, 1959, 1979, CVE-2014-4014, 5206, 5207, 7970, 7975, CVE-2015-2925, 8543, CVE-2016-3134, 3135
  - CVE-2014-0181, CVE-2015-3339
  - CVE-2014-4699
  - CVE-2014-9529
  - CVE-2015-3214, 4036
  - CVE-2016-0728
  - CVE-2016-2383
  - CVE-2016-3134, 4997, 4998
Docker Security Scanning
- https://docs.docker.com/docker-cloud/builds/image-scan/
  - Free for Docker Cloud users
- Clair
  - free
- Peekr
- Atomic Scan
- docker diff
- docker run --read-only …
- docker run -v directory:/directory:ro ..
Docker Bench Security - examples
- Host configuration
  - [WARN] 1.1 – Create a separate partition for containers
  - [WARN] 1.5 – Audit Docker daemon - /usr/bin/docker
  - [WARN] 1.6 – Audit Docker files and directories - /var/lib/docker
  - [WARN] 1.7 – Audit Docker files and directories - /etc/docker
  - [WARN] 1.8 – Audit Docker files and directories - /etc/default/docker
Docker Bench Security - examples
- Docker daemon configuration
  - [WARN] 2.1 – Restrict network traffic between containers
  - [WARN] 2.8 – Enable user namespace support
  - [WARN] 2.11 – Use Authorization plugin
  - [WARN] 2.12 – Configure centralized and remote logging
  - [WARN] 2.13 – Disable operations on legacy registry (v1)
  - [WARN] 2.14 – Enable live restore
  - [WARN] 2.18 – Disable Userland Proxy
Docker Bench Security - examples
- Docker daemon configuration files
- Container images and build files
  - [WARN] 4.1 – Create a user and build files
  - [WARN] 4.5 – Enable Content trust for Docker
  - [WARN] 4.6 – Add HEALTHCHECK instruction to the container image
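Added example serving both the Dockerfile slide (FROM, LABEL, RUN, COPY/ADD, EXPOSE, USER) and the Bench 4.x findings above: a Python checker (not docker-bench-security itself) that parses a Dockerfile and flags an unpinned base image, ADD from a URL, a missing non-root USER (4.1) and a missing HEALTHCHECK (4.6). Both Dockerfiles are constructed: the first repeats the deck's instructions, the second is a hardened version of the same build.

```python
"""Static checks on a Dockerfile for the build-time items in this deck: a pinned
base image, ADD from a URL, a non-root USER (Docker Bench 4.1) and a HEALTHCHECK
(Docker Bench 4.6). Added example; not part of docker-bench-security."""
import re
from collections import namedtuple

Instruction = namedtuple("Instruction", "keyword args line")


def parse_dockerfile(text):
    """Minimal Dockerfile parser: drops comments and blank lines, joins backslash
    continuations and returns (KEYWORD, args, first_line_no) tuples."""
    instructions, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        keyword, _, args = " ".join(buf).partition(" ")
        buf = []
        instructions.append(Instruction(keyword.upper(), args.strip(), start))
    return instructions


def check_dockerfile(text):
    """Return Docker Bench-style findings for a Dockerfile; [] means clean."""
    ins = parse_dockerfile(text)
    findings = []
    for x in ins:
        if x.keyword == "FROM":
            image = x.args.split()[0]            # drop "AS <stage>"
            name = image.rsplit("/", 1)[-1]      # strip registry/namespace
            if image != "scratch" and "@" not in image and (
                    ":" not in name or name.endswith(":latest")):
                findings.append(f"[WARN] line {x.line}: base image '{image}' is not "
                                "pinned (use a version tag or @sha256 digest)")
        elif x.keyword == "ADD" and re.match(r"https?://", x.args):
            findings.append(f"[WARN] line {x.line}: ADD fetches a remote URL with no "
                            "integrity check; COPY a vetted file instead")
    # Only the final stage ends up in the image, so USER and HEALTHCHECK are
    # judged after the last FROM (multi-stage builds).
    last_from = max((i for i, x in enumerate(ins) if x.keyword == "FROM"), default=-1)
    final = ins[last_from + 1:]
    users = [x.args for x in final if x.keyword == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("[WARN] 4.1 – Create a user for the container (no non-root USER)")
    if not any(x.keyword == "HEALTHCHECK" for x in final):
        findings.append("[WARN] 4.6 – Add HEALTHCHECK instruction to the container image")
    return findings


# Constructed input 1: the instructions from the deck's Dockerfile slide, plus a CMD.
SLIDE_DOCKERFILE = """\
FROM alpine:latest
LABEL maintainer="Andrzej Sydor"
RUN mkdir -p /tmp/myapp/
COPY build/app.jar /etc/app.jar
ADD http://resource/files/html.tar.gz /usr/share/nginx/
EXPOSE 80/tcp
CMD ["java", "-jar", "/etc/app.jar"]
"""

# Constructed input 2: the same build, hardened so every check passes.
HARDENED_DOCKERFILE = """\
FROM alpine:3.19
LABEL maintainer="Andrzej Sydor"
RUN addgroup -S app && adduser -S -G app app \\
    && mkdir -p /tmp/myapp/
COPY build/app.jar /etc/app.jar
COPY html/ /usr/share/nginx/
EXPOSE 80/tcp
HEALTHCHECK --interval=30s CMD wget -qO- http://localhost/ || exit 1
USER app
CMD ["java", "-jar", "/etc/app.jar"]
"""

if __name__ == "__main__":
    for label, text in (("slide", SLIDE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{label}: {check_dockerfile(text) or ['clean']}")
```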
Docker Bench Security - examples
- Container runtime
  - [WARN] 5.2 – Verify SELinux security options, if applicable
  - [PASS] 5.1 – Do not disable AppArmor Profile
  - [WARN] 5.4 – Do not use privileged containers
  - [WARN] 5.6 – Do not run ssh within containers
  - [WARN] 5.10 – Limit memory usage for container
  - [WARN] 5.11 – Set container CPU priority appropriately
  - [WARN] 5.12 – Mount container's root filesystem as read only
  - [WARN] 5.13 – Bind incoming container traffic to a specific host interface
  - [WARN] 5.14 – Set the 'on-failure' container restart policy to 5
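Added example covering the runtime checks above, the CPU/memory flags, the --read-only and :ro options from the scanning slide, and the docker.sock mount in the Portainer command: a Python audit of `docker inspect` JSON (constructed here, not a real dump; not docker-bench-security itself) that emits Bench-style findings and reports the limits actually in force.

```python
"""Audit a container's runtime settings from `docker inspect` output against the
runtime checks in this deck (Docker Bench 5.4, 5.10-5.14), the CPU/memory flags
and the Docker socket mount from the Portainer command. Added example, not
docker-bench-security itself; the JSON below is constructed, not a real dump."""
import json


def port_bound_to_all_interfaces(port_bindings):
    """True if a published port listens on every host interface (Bench 5.13)."""
    for bindings in (port_bindings or {}).values():
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                return True
    return False


def effective_limits(hc):
    """Limits the kernel will actually enforce, from HostConfig.
    --cpu-quota / --cpu-period is the CPU fraction (25000/25000 = one CPU).
    With --memory but no --memory-swap, Docker allows swap equal to the memory
    limit, i.e. twice --memory in total; MemorySwap == Memory disables swap."""
    quota, period = hc.get("CpuQuota", 0), hc.get("CpuPeriod", 0) or 100_000
    mem, memswap = hc.get("Memory", 0), hc.get("MemorySwap", 0)
    return {
        "cpus": quota / period if quota > 0 else None,  # None = unlimited
        "memory_bytes": mem or None,
        "memory_plus_swap_bytes": memswap if memswap > 0 else (2 * mem or None),
    }


def audit_container(entry):
    """Docker Bench-style findings for one `docker inspect` entry; [] is clean."""
    hc = entry["HostConfig"]
    f = []
    if hc.get("Privileged"):
        f.append("[WARN] 5.4 – Do not use privileged containers")
    if not hc.get("Memory"):
        f.append("[WARN] 5.10 – Limit memory usage for container")
    if hc.get("CpuShares", 0) in (0, 1024):  # 0/1024 = default priority
        f.append("[WARN] 5.11 – Set container CPU priority appropriately")
    if not hc.get("ReadonlyRootfs"):  # docker run --read-only
        f.append("[WARN] 5.12 – Mount container's root filesystem as read only")
    if port_bound_to_all_interfaces(hc.get("PortBindings")):
        f.append("[WARN] 5.13 – Bind incoming container traffic to a specific host interface")
    rp = hc.get("RestartPolicy") or {}
    if rp.get("Name") != "on-failure" or rp.get("MaximumRetryCount") != 5:
        f.append("[WARN] 5.14 – Set the 'on-failure' container restart policy to 5")
    for bind in hc.get("Binds") or []:  # "-v src:dst[:ro]"
        src, _, rest = bind.partition(":")
        if src == "/var/run/docker.sock":
            f.append("[WARN] Docker socket mounted: the container can control the host daemon")
        elif not rest.endswith(":ro"):
            f.append(f"[INFO] bind mount {src} is writable; use :ro where possible")
    return f


# Constructed inspect output: the Portainer container as run on the Portainer
# slide, and a second container started with the deck's CPU/memory flags,
# --read-only, a loopback port binding and --restart on-failure:5.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/portainer", "HostConfig": {
   "Privileged": false, "ReadonlyRootfs": false,
   "Memory": 0, "MemorySwap": 0, "CpuShares": 0, "CpuPeriod": 0, "CpuQuota": 0,
   "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
   "PortBindings": {"9000/tcp": [{"HostIp": "", "HostPort": "9000"}]},
   "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/opt/portainer:/data"]}},
 {"Name": "/myapp", "HostConfig": {
   "Privileged": false, "ReadonlyRootfs": true,
   "Memory": 1073741824, "MemorySwap": 1073741824, "CpuShares": 512,
   "CpuPeriod": 25000, "CpuQuota": 25000,
   "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
   "PortBindings": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
   "Binds": ["/srv/www:/usr/share/nginx:ro"]}}
]""")

if __name__ == "__main__":
    for entry in SAMPLE_INSPECT:
        print(entry["Name"], effective_limits(entry["HostConfig"]))
        for finding in audit_container(entry) or ["[PASS] all runtime checks"]:
            print("  ", finding)
```

Run it against real output with `docker inspect <container>` piped into `json.loads` in place of SAMPLE_INSPECT.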
Docker Bench Security - examples
- Docker security operations
  - [INFO] 6.1 – Perform regular security audits of your host system and containers
  - [INFO] 6.2 – Monitor Docker container usage, performance and metering
  - [INFO] 6.3 – Backup container data
  - [INFO] 6.4 – Avoid image sprawl
  - [INFO] 6.5 – Avoid container sprawl
Third Party Security services
- Quay
  - https://quay.io/
- Clair
  - https://github.com/coreos/clair/
Docker Swarm
- Docker Clusters
  - Distribute containers across multiple hosts
  - Scale containers
- Docker Swarm standalone ended support with version 1.11 in the first quarter of 2017
  - Docker 1.12 introduced Docker Swarm mode
  - All functions included
Docker Swarm Roles
- Swarm Manager
  - Central management point of all Swarm hosts
  - Commands to control nodes: switch between nodes, join nodes, remove nodes, manipulate hosts
- Each cluster can run several Swarm managers
  - Recommended: run a minimum of five Swarm managers (tolerates two node failures before any errors occur)
- Swarm Worker
  - Runs Docker containers
Docker - best practices
- One application per container
- Only install what you need
- Review who has access to your Docker hosts
- Use the latest version
- Use the resources
Docker Bench Security
- https://github.com/docker/docker-bench-security
- Docker Bench Security is a script that checks for dozens of common best practices around deploying Docker containers in production
- The tool inspects:
  - The host configuration
  - The Docker daemon configuration
  - The Docker daemon configuration files
  - Container images and build files
  - Container runtime
  - The Docker security operations
Tools
- cAdvisor https://github.com/google/cadvisor/
  - Analyzes resource usage and performance characteristics of running containers
- Node-exporter https://github.com/prometheus/node_exporter/
  - Exporter for machine metrics http://prometheus.io/
- Prometheus https://prometheus.io/
  - Power your metrics and alerting with a leading open-source monitoring solution
- Grafana https://grafana.com/
  - The open platform for beautiful analytics and monitoring
Links
- https://labs.play-with-docker.com/
- https://training.play-with-docker.com
- https://cloud.docker.com
- https://docs.docker.com/develop/develop-images/dockerfile_best-practices
- https://circleci.com/pricing/
- https://app.codeship.com/
