1. State of Union - Containerz
Shiva (narshiva@)
2. TO BEGIN AT THE BEGINNING…
Let’s start, shall we?
3. Containerized Microservices
[Diagram: Dom 0 hosting three Instances; each Instance runs an OS and a Container Runtime, with App and Service containers on top]
4. Container Orchestration
[Diagram: the same stack (Dom 0, Instances, OS, Container Runtime, App and Service containers) with a Container Orchestration layer spanning all three Instances]
5. Container Orchestration
[Diagram: Dom 0 hosting three Instance/OS nodes running App and Service containers; the Orchestration layer consists of Service Management, Scheduling and Resource Management]
Service Management
§Labels
§Groups/Namespaces
§Dependencies
§Load Balancing
§Health Check
§Service Discovery
6. Container Orchestration
[Diagram: as before; Scheduling is the highlighted part of the Orchestration layer]
Scheduling
§Placement
§Replication/Scaling
§Resurrection
§Rescheduling
§Rolling deploys
§Upgrades
§Downgrades
§Colocation
7. Container Orchestration
[Diagram: as before; Resource Management is the highlighted part of the Orchestration layer]
Resource Management
§Memory
§CPU
§GPU
§Volumes
§Ports
§IPs
9. Container Operations
Development Lifecycle: Source repo, CI-CD, Artefact repo
Container Orchestration: Scheduling, Resource Management, Service Management
BAU Operations: Monitoring and Metrics, Maintenance, Debugging
Did you hear that?
10. In no particular order…
[ ] Schedulers and Orchestration
[ ] Networking
[ ] Security
[ ] Operating Systems
[ ] PaaS
[ ] Storage
[ ] Monitoring
[ ] Container Integration and Container Deployment
[ ] Miscellaneous
11. In no particular order…
[ ] Schedulers and Orchestration
[ ] General Blurb
[ ] ECS
[ ] Kubernetes
[ ] Mesos
[ ] Docker Swarm
[ ] Orchestration Wars
12. Schedulers – General Blurb
[Diagram: three scheduler architectures compared by how the Cluster's Machines, Cluster State Information and Scheduling Logic are shared]
Monolithic: No Concurrency
Two-Level: Pessimistic Concurrency (offers)
Shared State: Optimistic Concurrency (transactions)
25. Host Security
• Lock it down!
• Namespaces and cgroups are your friends
• Select few belong to docker UNIX group
• SELinux is also your friend
• Docker daemon runs as root!
27. Docker daemon security
• Do not run in privileged mode
• Lock down inter-container comms: --icc=false
• Secure the API with TLS certificates
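An added offline check for the settings on this slide (example code, not from the deck): it parses a constructed daemon.json and a constructed excerpt of `docker inspect` output and reports which of the recommendations above are not met. The file contents and container names are hypothetical.

```python
"""Audit a Docker daemon configuration against the checks on this slide.
Constructed stand-ins replace /etc/docker/daemon.json and `docker inspect`
output; each function returns a list of findings rather than printing."""
import json

# Constructed daemon.json carrying the weak settings (hypothetical, not from the deck)
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "icc": true
}"""

# The same file with the slide's recommendations applied
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "icc": false,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed subset of `docker inspect` output for two running containers
INSPECT_JSON = """[
  {"Name": "/web", "HostConfig": {"Privileged": false}},
  {"Name": "/debug", "HostConfig": {"Privileged": true}}
]"""


def audit_daemon(daemon_json):
    """Findings for inter-container communication and API TLS settings."""
    cfg = json.loads(daemon_json)
    findings = []
    # icc defaults to true when the key is absent, so a missing key is a finding too
    if cfg.get("icc", True):
        findings.append('icc enabled: set "icc": false (--icc=false)')
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # --tlsverify implies --tls and makes the daemon demand a client certificate
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("API on %s without tlsverify: require client TLS certs"
                        % ", ".join(tcp_hosts))
    return findings


def audit_containers(inspect_json):
    """Names of containers running with --privileged."""
    return [c["Name"] for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("Privileged")]
```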
28. Whale-say
“If you run Docker on a server, it is recommended to run exclusively Docker in the server, and move all other services within containers controlled by Docker”
29. Container Image Security
• Use a small selection of trusted images
• Scan your images
  • CoreOS’s Clair scans Quay.io
  • Docker Security Scanning works with Docker Trusted Registry
  • Red Hat has built a new scanner in Project Atomic for its Atomic Registry
  • Other scanners, such as Aqua Peekr, Anchore and Twistlock Trust, work independently of specific registries
30. Lot more prescriptive advice here…
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
31. In no particular order…
[X] Schedulers and Orchestration
[X] Networking
[X] Security
[ ] Operating Systems
[ ] PaaS
[ ] Storage
[ ] Monitoring
[ ] Container Integration and Container Deployment
[ ] Miscellaneous