Red Hat is helping organizations like Duke University become more efficient by delivering environmental parity for container-based applications across physical, virtual, private cloud, and public cloud environments. Red Hat delivers a comprehensive, integrated, and modular platform for containerized application delivery across the open hybrid cloud - from the OS platform, to software-defined storage, to development and deployment, and management. Through its work with Certified Cloud Service Providers like AWS, Red Hat ensures that application containers built for Red Hat Enterprise Linux can seamlessly move across public clouds. In this session, you will learn how Duke University used containers on Red Hat Enterprise Linux and AWS to combat a denial-of-service attack; how companies are using containers to increase the quality and speed of software delivery; key considerations for implementing container-based applications that can be moved across public clouds; and challenges organizations experience when using containers and how to address them. This session is sponsored by Red Hat.
2. What to Expect from the Session
In this session, you will learn:
•Where containers provide real value
•How Duke University uses containers
  ◦Combatting a Denial of Service (DoS) attack
  ◦Identity management
  ◦Research computing
•How to address common container adoption challenges
•Key recommendations for working with containers
4. Containers Deliver Many Benefits
Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA
Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015
6. Adoption Patterns
PACKAGE AND SHIP MONOLITHIC APPS
MIGRATE DIFFERENTIATING APPS TO CLOUD
PACKAGE AND SHIP CLOUD-READY APPS
7. Real-world Example #1: Combatting a Denial of Service Attack
PROBLEM
●DDoS attack targeting Duke.edu
●Flooding load balancers
●All load-balanced services impacted
●Duke.edu down
SOLUTION
●Duke.edu container image
●AWS Docker hosts
●External DNS for duke.edu pointed to AWS
●Internal traffic kept inside Duke
THE RESULT
●Duke.edu unaffected for internal customers
●Duke.edu traffic handled by AWS for external customers/DDoS
●30-minute migration!
●Attack removed from load balancers
●Other load-balanced services back to normal
8. Real-world Example #2: Internet Download Manager (IDM) in a Container
PROBLEM
●Legacy IDM apps
●Unpredictable behavior after patching
●Result: Infrequent patching
●Inability to easily upgrade
●Result: Ancient hardware
SOLUTION
●Build IDM apps in containers
●Jenkins builds every 4 hours with latest patches
●Automated testing notifies of failures
●Last “known good” image kept
THE RESULT
●“Known good” image always available; uptime assured
●Breaking patches can be investigated while “known good” images are kept in use
●Extremely portable
●Hardware independent
●Other environment can be set up, tested, torn down in minutes
9. Real-world Example #3: Research Computing
Serving Up Multiple Stacks
PROBLEM
●Researchers want custom tool chains
●IT wants researchers on shared infrastructure
●Researchers need to be able to reproduce/share environment
SOLUTION
●Run every job in a custom Docker-formatted container
●Keep archive of old container images with log of which version was used for which job run
THE RESULT
●Self service: Researchers at Duke are starting to build their own Docker-formatted container images to run their analysis
10. THE REALITY OF ADOPTING CONTAINERS: WHAT ARE THE TOP CHALLENGES?
11. Top Challenges by Container Users
Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA
Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015
15. Security Inside the Container
●High vulnerabilities: ShellShock (bash), Heartbleed (OpenSSL), etc.
●Medium vulnerabilities: Poodle (OpenSSL), etc.
●Low vulnerabilities: gcc: array memory allocations could cause integer overflow
36% of official images available for download contain high-priority security vulnerabilities
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015
(http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
17. Container Host & Container Image
UNTRUSTED
●Will what’s inside the containers compromise your infrastructure?
●How and when will apps and libraries be updated?
●Will it work from host to host?
RED HAT CERTIFIED
●Trusted source for the host and the containers
●Trusted content inside the container with security fixes available as part of an enterprise lifecycle
●Portability across hosts
●Container Development Kit
●Certification as a service
●Certification catalog
●Red Hat Container Registry
[Diagram labels: HOST OS, CONTAINER, OS, RUNTIME, APP]
20. Start Small, but Think Big: Advanced Tools & Planning
●Portability across environments: physical, virtual, private cloud, public cloud
●Portability across platforms
21. A Word of Advice
●Adoption Patterns
  ○Start small for quick wins
  ○Top-down approach for confidence
  ○Advanced management tools
  ○Single vs. multiple containers
  ○Portability
●Trust
  ○Supply chain, build methodology, temporal
  ○Training and education
●Tenancy
  ○Resources, security, and configuration
22. Learn more
•Talk with Red Hat container experts at booth #409
•Follow our blogs:
  ◦http://rhelblog.redhat.com/tag/containers/
  ◦https://blog.openshift.com/
•Connect with us:
  ◦Red Hat Atomic: @RedHatAtomic
  ◦Scott McCarty: @fatherlinux
  ◦Sean Dilda
  ◦Chris Collins: @ChrisInDurham