6. MICROSERVICES
"Many development teams have found the microservices
architectural style to be a superior approach to a
monolithic architecture. But other teams have found them
to be a productivity-sapping burden. Like any architectural
style, microservices bring costs and benefits. To make a
sensible choice you have to understand these and apply
them to your specific context."
Martin Fowler (http://martinfowler.com/articles/microservice-trade-offs.html)
16. WHAT IS DOCKER?
DOCKER, THE PLATFORM
Docker is a container-based platform used to package
and run applications in a variety of systems
DOCKER, THE COMPANY
Docker Inc. (https://www.docker.com/company)
20. WHY DOCKER?
Linux containers
Around for a long time (OpenVZ, LXC, etc.)
Not very "friendly"
Docker streamlines the process and makes it very easy
to create and use containers
Speed (Development/Scalability)
Portability
Driver to DevOps and Microservices
26. FIRST THINGS FIRST...
Containers vs. VMs?
Containers not as isolated as VMs.
but much more isolated than processes...
cgroups & namespaces
Containers are OS-dependent.
Containers for multi-tenancy? Not so fast...
Containers & VMs :-)
30. CLAIR BY COREOS
Security scanning of images - https://coreos.com/blog/vulnerability-analysis-for-containers/
Available on Quay: Security Scanning Beta - https://blog.quay.io/security-scanning-beta/
31. OTHER CONSIDERATIONS
Containers are stateless
Can mount additional volumes
How to do Secrets Management?
ENV variables - not recommended
Key/Value Pair solutions (Vault & Keywhiz)
Embedded in orchestration (Kubernetes)
Custom solutions
33. NAMESPACES & CGROUPS
PID – process isolation
Network – NICs, IPs, routing tables et al.
UTS – hostnames
Mount – filesystem layouts/properties
IPC – interprocess communication
User – users ("root" != root)
Control groups: resource utilization (RAM, swap, CPU, IO controls)
34. ADDITIONAL FEATURES
capabilities - add or drop capabilities
seccomp - filtering of system calls
network isolation via iptables
limit inter-container communication
36. LEVERAGING DOCKER FOR SECURITY
microservice -> reduced attack surface
enforce content trust to protect production
r/o FileSystems
drop capabilities when possible
seccomp - filtering system calls
journaled changes
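As an added example that is not part of the deck: the read-only filesystem, capability-drop and seccomp items above expressed as a `docker run` flag set, next to a small shell audit that flags the "free-for-all" (unrestricted container) anti-pattern from the wrap-up slide. The seccomp profile path and the sample command lines are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): audit a 'docker run' command line for the
# "free-for-all" anti-pattern and print the flag set that applies the slides'
# recommendations. All command lines below are constructed samples.

# Flags that apply the recommendations: read-only root filesystem, dropped
# capabilities, seccomp filtering and no privilege escalation. $1 is the path
# of a seccomp profile on the host (assumed; Docker also ships a default one).
hardened_run_flags() {
  printf '%s' "--read-only --tmpfs /tmp --cap-drop=ALL --security-opt=no-new-privileges --security-opt=seccomp=$1 --pids-limit=100"
}

# Print one finding per line for a 'docker run' command line. Always returns 0
# so it is safe under 'set -e'; use docker_run_is_hardened for a verdict.
audit_docker_run() {
  cmd=" $1 "   # pad so every flag is matched as a whole word
  case "$cmd" in *" --privileged "*) echo "--privileged: all capabilities and host devices";; esac
  case "$cmd" in *" --net=host "*|*" --network=host "*|*" --net host "*|*" --network host "*)
    echo "host network: no network namespace";; esac
  case "$cmd" in */var/run/docker.sock:*) echo "docker.sock mounted: container controls the daemon";; esac
  case "$cmd" in *" --read-only "*) ;; *) echo "missing --read-only: writable root filesystem";; esac
  case "$cmd" in *" --cap-drop="*|*" --cap-drop "*) ;; *) echo "missing --cap-drop: full default capability set";; esac
  case "$cmd" in *no-new-privileges*) ;; *) echo "missing no-new-privileges: setuid binaries can gain privileges";; esac
  return 0
}

# Number of findings for a command line (0 means it passes the audit).
docker_run_findings() { audit_docker_run "$1" | wc -l | tr -d ' '; }

# Exit status 0 when the command line has no findings.
docker_run_is_hardened() { [ "$(docker_run_findings "$1")" -eq 0 ]; }

# Constructed samples: an unrestricted container next to a hardened one.
LOOSE='docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock nginx'
TIGHT="docker run -d $(hardened_run_flags /etc/docker/seccomp/web.json) nginx"

for c in "$LOOSE" "$TIGHT"; do
  echo "== $c"
  audit_docker_run "$c"
  echo "findings: $(docker_run_findings "$c")"
done
```

The audit is string matching only; it does not replace a full checklist such as DockerBench, but it is enough to reject the obvious unrestricted invocations in a CI step.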
44. MONITORING
CHALLENGES
Scalability (100s of containers in a single host)
Host Monitoring vs. Container Monitoring
Container instrumentation (1 process/container philosophy)
API instability
48. LOOKING AT THE FUTURE
Containers exist in a continuum of options.
Unikernels
one degree further
compile kernel for application
Undebuggable?
Serverless Architecture?
AWS Lambda
Azure Service Fabric
potentially bad idea?
50. WRAPPING UP
Docker Security "Anti-Patterns"
free-for-all (unrestricted containers in Prod)
treating containers as servers
Recommendations for Security
Don't try to stop it!!!
recognize massive potential for disruption
no agents on containers
watch for outbound traffic
keep up to date (news!)
rethink approach ("cattle, not pets")
51. DOCKER ALL OVER
Last few weeks of news:
Docker buys Unikernel
Arista announces Container support in EOS
Citrix supports NetScaler as Container
Amazon announces Docker 1.9 support
52. RESOURCES!
Twitterfolk:
@mattnowina - AWS architect, tons of Docker links
@diogomonica - Docker Security
@frazelledazzell - Tons of Container work
@nigelpoulton - Pluralsight course
@mierdin - KeepingItClassless, TechFieldDay
@Sirupsen - WebScale @ Shopify
@blinken_lichten - DevOps
@jaybeale - Shmoocon 2016 preso
@docker and @dockercon - Company & Conference
@kubeconio - Kubernetes confab
Websites:
DockerBench - Checklist
TheNewStack - portal of all things "modern" stacks
Packet Pushers - Network-focused approach
RunC - Open Container Initiative