Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Docker for developers

A
andrzejsydor

This document provides an overview of Docker for developers. It discusses Docker's capabilities for solving portability issues, its advantages over traditional virtualization through operating system-level virtualization using containers that share the same kernel, and how it addresses challenges like slow development times and inefficient resource usage. It also covers Docker concepts like images, containers, registries, networking, security best practices using tools like Docker Bench Security, and cluster management using Docker Swarm.

1 of 44
Docker for Developers ANDRZEJ SYDOR
Docker  Docker is the leading software container platform  Founded in 2013 as Linux developer tool  Fundamentally solves the „works on my machine” problem  Container industry inventor, leader and innovative  Transform app and infrastructure security, portability, agility and efficiency
One Application on One Physical Server  Limitations  Slow development times  Huge costs  Wasted resources  Difficult to scale  Difficult to migrate  Vendor lock in
Hypervisior – Based Virtualization  Benefit:  Better resource pooling  One physical machine divided into multiple virtual machines  Easier to scale  VMs in the cloud  Rapid elasticity  Pay as you go model  Limitations:  Each VM stills requires:  CPU limitations  Storage  RAM  An entire guest operating system  Full guest OS means wasted resources  Application portability not guaranteed
Docker  Standarized packaging for software and dependencies  Isolate apps from each other  Share the same OS kernel  Works with all major Linux and Windows Server
Docker for developers
Key Benefits of Docker Containers  Speed  No OS to boot – applications online in seconds  Portability  Less dependencies between proces layers = ability to move between infrastructure  Efficiency  Less OS overhead  Improved resource efficiency
WORA / PODA  WORA = Write Once Run Anywhere {J,W,E}AR  PODA = Package Once Deploy Anywhere
Docker  Image  The basis of a Docker container  Registry  Stores, distributes and manages Docker images  Container  The image when it is ‚running’  Swarm Cluster  Cluster of Docker hosts  Control Pane  Management plane for container and cluster orchestration
Docker  Docker Compose  Define and share multi-container definitions  Docker Machine  A tool to launch Docker hosts on multiple platforms  Docker Hub  Repository for Docker Images  Docker Store  A storefront for official Docker images and plugins as well as licensed products  Docker Swarm  A multi-host-aware orchestration tool  Docker Cloud  Docker’s Container as a Service (CaaS)
Docker Images Layers  Layers are read only  An image is a collection of files and some meta data  Images are comprised of multiple layers  A layer is also contains software you want to run  Each image contains a base layer  Every image contains a base layer  Docker uses a copy on write systems
Docker Sharing Layers  Images can share layers in order to speed up transfer times and optimize disk and memory usage  Parent images that already exists on the host do not have to be downloaded
Portainer  Docker UI  „The easiest way to manage docker”  https://www.portainer.io/
Portainer docker volume create portainer_data docker run –name=portainer -d -p 9000:9000 --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer
Portainer  https://portainer.io/overview.html  Detailed overview  Containers (List, Details, Stats, Logs, Console, Creation)  Images (List, Details)  Network (List)  Volumes (List)  Container Templates  Cluster overview  Services Management  Endpoint Management  User Management and User Access Control
Kitematic  Visual Docker Container Management on Mac & Windows  Run containers through a simple, yet powerful graphical user interface.  https://kitematic.com/  Legacy desktop solution boundled with Docker Toolbox.
Kitematic  Fast and Easy Setup  Docker Hub Integration  Seamless Experience Between CLI and GUI  Advantaged Features  Automatically map ports  Configuring volumes  Change environment variables  Streamline logs  CLI access to containers
Kitematic
Docker Desktop for Windows  Docker Desktop for Windows is the best way to get started with Docker on Windows  https://docs.docker.com/docker-for-windows/  Native application on UI  Auto update capability  No additional software required, e.g. Virtualbox  Windows: Hyper-V VM  Better networking and filesystem mounting/notification  Requires Windows 10 64-bit (Yosemite 10.10+)
Rancher OS  A simplified Linux distribution build from containers, for containers.  https://rancher.com/rancher-os/  https://github.com/rancher/os
Build Container Images  Dockerfile  FROM – Docker base  FROM alpine:latest  LABEL – extra information  LABEL maintainer = ‘”Andrzej Sydor”  RUN – commands to install software and run scripts  RUN mkdir –p /tmp/myapp/  COPY/ADD  COPY build/app.jar /etc/app.jar  ADD http://resource/files/html.tar.gz /usr/share/nginx/  EXPOSE – the port and the protocol exposed in runtime  EXPOSE 80/tcp  ENTRYPOINT/CMD  USER / WORKDIR / ONBUILD / ENV
Docker Build  docker image build –file <Dockerfile> --tag <REPO>:<TAG>  <REPO> - typically username on Docker Hub  <TAG> - unique container value  docker image build --tag local:dockerfile-example .  .(dot) – current folder
Storing images  Docker Registry Docker Hub Docker Store
Docker Registry  Service that storing your Docker images  Open source – Apache license  Tightly control where your images are being stored  Fully own your images distribution pipeline  Integrate image storage and distribution tightly into your in-house development Filesystem /var/lib/registry
Storing images  Docker Hub  Free for public images  Organizations  Repository  Automated build (GitHub, BitBucket)
Storing images  Docker Store  Docker images and plugins  Docker Certified
Third-party registries  Red Hat Container Catalog  OpenShift  Jfrog  Quay.io  Amazon EC2 Container Registry  Others: Microbadger e.g. inspect image
Networking & Volumes  IPAM (IP address management)  Planning, tracking and managing IP addressess within the network  IPAM has DNS and DHCP services
Docker – CPU/Memory  By default, a container can consume all available resources on the host machine if it requires it  Limit CPU usage  -c / --cpu-shares=1024  --cpu-period=25000 (microseconds)  --cpu-quota=25000 (microseconds)  Limit memory usage  --memory 1024M  --memory-swap 1024M  By default, when you set --memory, docker will set the --memory-swap size twice  --kernel-swap 1024M
Docker Security Scanning  Security Scanning feature (Non Free):  Docker Hub  Docker Cloud
Docker Security non-events  https://docs.docker.com/engine/security/non-events/  CVE-2013-1956, 1957, 1958, 1959, 1979, CVE-2014- 4014, 5206, 5207, 7970, 7975,CVE-2015-2925, 8543, CVE-2016-3134, 3135,  CVE-2014-0181, CVE-2015-3339  CVE-2014-4699  CVE-2014-9529  CVE-2015-3214, 4036  CVE-2016-0728  CVE-2016-2383  CVE-2016-3134, 4997, 4998
Docker Security Scanning  https://docs.docker.com/docker-cloud/builds/image-scan/  Free for Docker Cloud users  Clair  free  Peekr  Atomic Scan  docker diff  docker run --read-only …  docker run -v directory:/directory:ro ..
Docker Bench Security - examples  Host configuration  [WARN] 1.1 – Create a separate partition for containers  [WARN] 1.5 – Audit Docker daemon - /usr/bin/docker  [WARN] 1.6 – Audit Docker files and directories - /var/lib/docker  [WARN] 1.7 – Audit Docker files and directories - /etc/docker  [WARN] 1.8 – Audit Docker files and directories - /etc/default/docker
Docker Bench Security - examples  Docker daemon configuration  [WARN] 2.1 – Restrict network traffic between containers  [WARN] 2.8 – Enable user namespace support  [WARN] 2.11 – Use Authorization plugin  [WARN] 2.12 – Configure centralized and remote logging  [WARN] 2.13 – Disable operations on legacy registry (v1)  [WARN] 2.14 – Enable live restore  [WARN] 2.18 – Disable Userland Proxy
Docker Bench Security - examples  Docker daemon configuration files  Container images and build files  [WARN] 4.1 – Create a user and build files  [WARN] 4.5 – Enable Content trust for Docker  [WARN] 4.6 – Add HEALTHCHECK instruction to the container image
Docker Bench Security - examples  Container runtime  [WARN] 5.2 – Verify SELinux security options, if applicable  [PASS] – 5.1 – Do not disable AppArmor Profile  [WARN] 5.4 – Do not use privileged containers  [WARN] 5.6 – Do not run ssh within containers  [WARN] 5.10 – Limit memory usage for container  [WARN] 5.11 – Set container CPU priority appriopriately  [WARN] 5.12 – Mount container’s root files as read only  [WARN] 5.13 – Bind incoming container traffic to a specific host interface  [WARN] 5.14 – Set the ‘on-failure’ container restart policy to 5
Docker Bench Security - examples  Docker security operations  [INFO] 6.1 – Perform regular security audits of your host system and containers  [INFO] 6.2 – Monitor Docker container usage, performance and metering  [INFO] 6.3 – Backup container data  [INFO] 6.4 – Avoid image sprawl  [INFO] 6.5 – Avoid container sprawl
Third Party Security services  Quay  https://quay.io/  Clair  https://github.com/coreos/clair/
Docker Swarm  Docker Clusters  Distribute containers across multiple hosts  Scale Containers  Docker Swarm standalone ended suport for version 1.11 in the first quarter in 2017  Docker 1.12 introduced Docker Swarm mode  All function introduced
Docker Swarm Roles  Swarm Manager  Central management point of all Swarm hosts  Commands to control nodes: switch between nodes, join nodes, remove nodes, manipulate hosts  Each cluster can run several Swarm managers  Recomended run a minimum of five Swarm managers (two noes failure before start have any errors)  Swarm Worker  Run docker containers
Docker - best practices  One application per container  Only install what you need  Review who has access to your Docker hosts  Use the latest version  Use the resources
Docker Bench Security  https://github.com/docker/docker-bench-security  The Docker Bench Security is a script that checks for dozens of common best-practices around deploying Docker containers in production  The tool will inspect:  The host configuration  The docker daemon configuration  The docker daemon configuration files  Container images and build files  Container runtime  The docker security operations
Tools  cAdvisor https://github.com/google/cadvisor/  Analyzes resource usage and performance characteristics of running containers  Node-exporter https://github.com/prometheus/node_exporter/  Exporter for machine metrics http://prometheus.io/  Prometheus https://prometheus.io/  Power your metrics and alerting with a leading open-source monitoring solution  Grafana https://grafana.com/  The open platform for beautiful analytics and monitoring
Links  https://labs.play-with-docker.com/  https://training.play-with-docker.com  https://cloud.docker.com  https://docs.docker.com/develop/develop-images/dockerfile_best- practices  https://circleci.com/pricing/  https://app.codeship.com/

More Related Content

Docker for developers

  • 2. Docker  Docker is the leading software container platform  Founded in 2013 as Linux developer tool  Fundamentally solves the „works on my machine” problem  Container industry inventor, leader and innovative  Transform app and infrastructure security, portability, agility and efficiency
  • 3. One Application on One Physical Server  Limitations  Slow development times  Huge costs  Wasted resources  Difficult to scale  Difficult to migrate  Vendor lock in
  • 4. Hypervisior – Based Virtualization  Benefit:  Better resource pooling  One physical machine divided into multiple virtual machines  Easier to scale  VMs in the cloud  Rapid elasticity  Pay as you go model  Limitations:  Each VM stills requires:  CPU limitations  Storage  RAM  An entire guest operating system  Full guest OS means wasted resources  Application portability not guaranteed
  • 5. Docker  Standarized packaging for software and dependencies  Isolate apps from each other  Share the same OS kernel  Works with all major Linux and Windows Server
  • 7. Key Benefits of Docker Containers  Speed  No OS to boot – applications online in seconds  Portability  Less dependencies between proces layers = ability to move between infrastructure  Efficiency  Less OS overhead  Improved resource efficiency
  • 8. WORA / PODA  WORA = Write Once Run Anywhere {J,W,E}AR  PODA = Package Once Deploy Anywhere
  • 9. Docker  Image  The basis of a Docker container  Registry  Stores, distributes and manages Docker images  Container  The image when it is ‚running’  Swarm Cluster  Cluster of Docker hosts  Control Pane  Management plane for container and cluster orchestration
  • 10. Docker  Docker Compose  Define and share multi-container definitions  Docker Machine  A tool to launch Docker hosts on multiple platforms  Docker Hub  Repository for Docker Images  Docker Store  A storefront for official Docker images and plugins as well as licensed products  Docker Swarm  A multi-host-aware orchestration tool  Docker Cloud  Docker’s Container as a Service (CaaS)
  • 11. Docker Images Layers  Layers are read only  An image is a collection of files and some meta data  Images are comprised of multiple layers  A layer is also contains software you want to run  Each image contains a base layer  Every image contains a base layer  Docker uses a copy on write systems
  • 12. Docker Sharing Layers  Images can share layers in order to speed up transfer times and optimize disk and memory usage  Parent images that already exists on the host do not have to be downloaded
  • 13. Portainer  Docker UI  „The easiest way to manage docker”  https://www.portainer.io/
  • 14. Portainer docker volume create portainer_data docker run –name=portainer -d -p 9000:9000 --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer
  • 15. Portainer  https://portainer.io/overview.html  Detailed overview  Containers (List, Details, Stats, Logs, Console, Creation)  Images (List, Details)  Network (List)  Volumes (List)  Container Templates  Cluster overview  Services Management  Endpoint Management  User Management and User Access Control
  • 16. Kitematic  Visual Docker Container Management on Mac & Windows  Run containers through a simple, yet powerful graphical user interface.  https://kitematic.com/  Legacy desktop solution boundled with Docker Toolbox.
  • 17. Kitematic  Fast and Easy Setup  Docker Hub Integration  Seamless Experience Between CLI and GUI  Advantaged Features  Automatically map ports  Configuring volumes  Change environment variables  Streamline logs  CLI access to containers
  • 19. Docker Desktop for Windows  Docker Desktop for Windows is the best way to get started with Docker on Windows  https://docs.docker.com/docker-for-windows/  Native application on UI  Auto update capability  No additional software required, e.g. Virtualbox  Windows: Hyper-V VM  Better networking and filesystem mounting/notification  Requires Windows 10 64-bit (Yosemite 10.10+)
  • 20. Rancher OS  A simplified Linux distribution build from containers, for containers.  https://rancher.com/rancher-os/  https://github.com/rancher/os
  • 21. Build Container Images  Dockerfile  FROM – Docker base  FROM alpine:latest  LABEL – extra information  LABEL maintainer = ‘”Andrzej Sydor”  RUN – commands to install software and run scripts  RUN mkdir –p /tmp/myapp/  COPY/ADD  COPY build/app.jar /etc/app.jar  ADD http://resource/files/html.tar.gz /usr/share/nginx/  EXPOSE – the port and the protocol exposed in runtime  EXPOSE 80/tcp  ENTRYPOINT/CMD  USER / WORKDIR / ONBUILD / ENV
  • 22. Docker Build  docker image build –file <Dockerfile> --tag <REPO>:<TAG>  <REPO> - typically username on Docker Hub  <TAG> - unique container value  docker image build --tag local:dockerfile-example .  .(dot) – current folder
  • 23. Storing images  Docker Registry Docker Hub Docker Store
  • 24. Docker Registry  Service that storing your Docker images  Open source – Apache license  Tightly control where your images are being stored  Fully own your images distribution pipeline  Integrate image storage and distribution tightly into your in-house development Filesystem /var/lib/registry
  • 25. Storing images  Docker Hub  Free for public images  Organizations  Repository  Automated build (GitHub, BitBucket)
  • 26. Storing images  Docker Store  Docker images and plugins  Docker Certified
  • 27. Third-party registries  Red Hat Container Catalog  OpenShift  Jfrog  Quay.io  Amazon EC2 Container Registry  Others: Microbadger e.g. inspect image
  • 28. Networking & Volumes  IPAM (IP address management)  Planning, tracking and managing IP addressess within the network  IPAM has DNS and DHCP services
  • 29. Docker – CPU/Memory  By default, a container can consume all available resources on the host machine if it requires it  Limit CPU usage  -c / --cpu-shares=1024  --cpu-period=25000 (microseconds)  --cpu-quota=25000 (microseconds)  Limit memory usage  --memory 1024M  --memory-swap 1024M  By default, when you set --memory, docker will set the --memory-swap size twice  --kernel-swap 1024M
  • 30. Docker Security Scanning  Security Scanning feature (Non Free):  Docker Hub  Docker Cloud
  • 31. Docker Security non-events  https://docs.docker.com/engine/security/non-events/  CVE-2013-1956, 1957, 1958, 1959, 1979, CVE-2014- 4014, 5206, 5207, 7970, 7975,CVE-2015-2925, 8543, CVE-2016-3134, 3135,  CVE-2014-0181, CVE-2015-3339  CVE-2014-4699  CVE-2014-9529  CVE-2015-3214, 4036  CVE-2016-0728  CVE-2016-2383  CVE-2016-3134, 4997, 4998
  • 32. Docker Security Scanning  https://docs.docker.com/docker-cloud/builds/image-scan/  Free for Docker Cloud users  Clair  free  Peekr  Atomic Scan  docker diff  docker run --read-only …  docker run -v directory:/directory:ro ..
  • 33. Docker Bench Security - examples  Host configuration  [WARN] 1.1 – Create a separate partition for containers  [WARN] 1.5 – Audit Docker daemon - /usr/bin/docker  [WARN] 1.6 – Audit Docker files and directories - /var/lib/docker  [WARN] 1.7 – Audit Docker files and directories - /etc/docker  [WARN] 1.8 – Audit Docker files and directories - /etc/default/docker
  • 34. Docker Bench Security - examples  Docker daemon configuration  [WARN] 2.1 – Restrict network traffic between containers  [WARN] 2.8 – Enable user namespace support  [WARN] 2.11 – Use Authorization plugin  [WARN] 2.12 – Configure centralized and remote logging  [WARN] 2.13 – Disable operations on legacy registry (v1)  [WARN] 2.14 – Enable live restore  [WARN] 2.18 – Disable Userland Proxy
  • 35. Docker Bench Security - examples  Docker daemon configuration files  Container images and build files  [WARN] 4.1 – Create a user and build files  [WARN] 4.5 – Enable Content trust for Docker  [WARN] 4.6 – Add HEALTHCHECK instruction to the container image
  • 36. Docker Bench Security - examples  Container runtime  [WARN] 5.2 – Verify SELinux security options, if applicable  [PASS] – 5.1 – Do not disable AppArmor Profile  [WARN] 5.4 – Do not use privileged containers  [WARN] 5.6 – Do not run ssh within containers  [WARN] 5.10 – Limit memory usage for container  [WARN] 5.11 – Set container CPU priority appriopriately  [WARN] 5.12 – Mount container’s root files as read only  [WARN] 5.13 – Bind incoming container traffic to a specific host interface  [WARN] 5.14 – Set the ‘on-failure’ container restart policy to 5
  • 37. Docker Bench Security - examples  Docker security operations  [INFO] 6.1 – Perform regular security audits of your host system and containers  [INFO] 6.2 – Monitor Docker container usage, performance and metering  [INFO] 6.3 – Backup container data  [INFO] 6.4 – Avoid image sprawl  [INFO] 6.5 – Avoid container sprawl
  • 38. Third Party Security services  Quay  https://quay.io/  Clair  https://github.com/coreos/clair/
  • 39. Docker Swarm  Docker Clusters  Distribute containers across multiple hosts  Scale Containers  Docker Swarm standalone ended suport for version 1.11 in the first quarter in 2017  Docker 1.12 introduced Docker Swarm mode  All function introduced
  • 40. Docker Swarm Roles  Swarm Manager  Central management point of all Swarm hosts  Commands to control nodes: switch between nodes, join nodes, remove nodes, manipulate hosts  Each cluster can run several Swarm managers  Recomended run a minimum of five Swarm managers (two noes failure before start have any errors)  Swarm Worker  Run docker containers
  • 41. Docker - best practices  One application per container  Only install what you need  Review who has access to your Docker hosts  Use the latest version  Use the resources
  • 42. Docker Bench Security  https://github.com/docker/docker-bench-security  The Docker Bench Security is a script that checks for dozens of common best-practices around deploying Docker containers in production  The tool will inspect:  The host configuration  The docker daemon configuration  The docker daemon configuration files  Container images and build files  Container runtime  The docker security operations
  • 43. Tools  cAdvisor https://github.com/google/cadvisor/  Analyzes resource usage and performance characteristics of running containers  Node-exporter https://github.com/prometheus/node_exporter/  Exporter for machine metrics http://prometheus.io/  Prometheus https://prometheus.io/  Power your metrics and alerting with a leading open-source monitoring solution  Grafana https://grafana.com/  The open platform for beautiful analytics and monitoring
  • 44. Links  https://labs.play-with-docker.com/  https://training.play-with-docker.com  https://cloud.docker.com  https://docs.docker.com/develop/develop-images/dockerfile_best- practices  https://circleci.com/pricing/  https://app.codeship.com/