Dockercon EU 2015 Recap
http://calcotestudios.com/dockercon-recap
Lee Calcote
clouds, containers, networks and their management
linkedin.com/in/leecalcote
@lcalcote
blog.gingergeek.com
Conference Themes
Usable Security, Quality, Production Ready
Security
1. Industry’s First Hardware Signing of Container Images
2. User Namespaces Provides Enhanced Access Control
3. Built-in container security analysis in Docker Hub
Security - Docker Content Trust (launched at Dockercon SF)
TUF and Notary enable:
Survivable key compromise
Proof of origin
Protection against untrusted transports
Docker Content Trust integrates the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.
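To make those three guarantees concrete, here is an added example (written for this recap; it is not code from Docker, Notary or the TUF project) of the checks a content-trust client performs before it will run an image. It assumes a simplified targets role (a single Ed25519 targets key, a tag-to-digest table and an expiry) rather than Notary's real metadata layout and role hierarchy: the signature over the exact metadata bytes is the proof of origin, the digest-and-length comparison is what defends against an untrusted transport, and the expiry is the freshness check that stops validly signed but stale metadata from being replayed. Survivable key compromise in full TUF also relies on the root, snapshot and timestamp roles and key thresholds, which this example leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Target records, for one tag, the digest and size of the manifest the signer
// vouches for. The field layout is an assumption for this example, not
// Notary's on-disk format.
type Target struct {
	SHA256 string `json:"sha256"`
	Length int    `json:"length"`
}

// TargetsSigned is the payload that actually gets signed. The expiry is what
// stops an attacker from replaying old-but-validly-signed metadata forever.
type TargetsSigned struct {
	Type    string            `json:"_type"`
	Version int               `json:"version"`
	Expires time.Time         `json:"expires"`
	Targets map[string]Target `json:"targets"`
}

// TargetsMeta is the signed payload plus a signature over its exact bytes.
type TargetsMeta struct {
	Signed    json.RawMessage `json:"signed"`
	Signature []byte          `json:"sig"`
}

// GenerateTargetsKey makes a fresh Ed25519 key pair for the targets role.
func GenerateTargetsKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest returns the hex SHA-256 of a manifest, as used in "sha256:..." references.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return hex.EncodeToString(sum[:])
}

// NewTargets builds a targets payload that binds one tag to one manifest.
func NewTargets(tag string, manifest []byte, expires time.Time) TargetsSigned {
	return TargetsSigned{
		Type:    "targets",
		Version: 1,
		Expires: expires,
		Targets: map[string]Target{tag: {SHA256: Digest(manifest), Length: len(manifest)}},
	}
}

// Sign serializes the payload and signs those exact bytes with the targets key.
func Sign(priv ed25519.PrivateKey, signed TargetsSigned) (TargetsMeta, error) {
	raw, err := json.Marshal(signed)
	if err != nil {
		return TargetsMeta{}, err
	}
	return TargetsMeta{Signed: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// ResolveTag is the client-side check. It returns the content-addressed digest
// a tag resolves to only if (1) the metadata verifies under the already-trusted
// targets key, (2) it has not expired, (3) the tag is present, and (4) the
// manifest bytes fetched over the untrusted transport match the signed digest
// and length. Any failure means "do not run this image".
func ResolveTag(pub ed25519.PublicKey, meta TargetsMeta, tag string, manifest []byte, now time.Time) (string, error) {
	if !ed25519.Verify(pub, meta.Signed, meta.Signature) {
		return "", errors.New("targets metadata: signature does not verify with trusted key")
	}
	var signed TargetsSigned
	if err := json.Unmarshal(meta.Signed, &signed); err != nil {
		return "", fmt.Errorf("targets metadata: %w", err)
	}
	if signed.Type != "targets" {
		return "", fmt.Errorf("targets metadata: unexpected role %q", signed.Type)
	}
	if !now.Before(signed.Expires) {
		return "", fmt.Errorf("targets metadata expired at %s", signed.Expires.UTC().Format(time.RFC3339))
	}
	want, ok := signed.Targets[tag]
	if !ok {
		return "", fmt.Errorf("tag %q is not signed", tag)
	}
	if len(manifest) != want.Length {
		return "", fmt.Errorf("manifest length %d, signed length %d", len(manifest), want.Length)
	}
	if got := Digest(manifest); got != want.SHA256 {
		return "", fmt.Errorf("manifest digest %s does not match signed digest %s", got, want.SHA256)
	}
	return "sha256:" + want.SHA256, nil
}

func main() {
	pub, priv, err := GenerateTargetsKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an image manifest; a real one is the registry's JSON.
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:0000"]}`)
	now := time.Date(2015, 11, 20, 0, 0, 0, 0, time.UTC)
	meta, err := Sign(priv, NewTargets("latest", manifest, now.Add(7*24*time.Hour)))
	if err != nil {
		panic(err)
	}
	fmt.Println(ResolveTag(pub, meta, "latest", manifest, now))
	// A manifest swapped in transit fails even though the metadata is genuine.
	tampered := append([]byte{}, manifest...)
	tampered[len(tampered)-3] = '1'
	fmt.Println(ResolveTag(pub, meta, "latest", tampered, now))
}
```

The order of the checks matters: the signature is verified before the payload is parsed, so nothing inside untrusted metadata influences the client until its origin is established.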
Hardware signing of container images reinforces Docker Content Trust
Hardware Signing of Container Images
Yubico released Yubikey 4 at DockerCon with the goal of increasing the security of Docker images.
“A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.”
http://blog.docker.com/2015/11/docker-content-trust-yubikey/
Docker Experimental only:
notary key generate
notary key list
notary key backup
export DOCKER_CONTENT_TRUST=1
docker push
Security - Project Nautilus
Built-in container security analysis in Docker Hub
Project Goals
1. Scale up the security posture assessment
2. Notify users of new vulnerabilities in existing code proactively
3. Provide visibility to end-users on the security posture of images
Security - Project Nautilus
An image-scanning service that makes it easier to build and consume high-integrity content
Steps through a sequence of tests, including:
Image security
Component inventory/license management
Image optimization
Basic functional testing
Functions as a source of truth for certification metadata
Has an extensible backend; may support 3rd-party plugins
Security - User Namespaces
With user namespaces (experimental in Engine 1.9), containers themselves don't have root on the host; only the Docker daemon does. The container's root (uid 0) is mapped to an unprivileged uid range on the host, so a process that breaks out of the container does not land as host root.
User namespaces give IT operations the ability to separate container and Docker daemon-level privileges, and to assign privileges for each container by user group.
IT operations can then lock down hosts to a restricted group of sysadmins, per security best practices.
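The mechanism behind this is the kernel's uid_map (and gid_map): each line maps a range of ids inside the container to a range on the host. The following is an added example, not from the slides or from Docker, that parses that file's format and translates ids in both directions over two constructed maps: the identity map a container has without user namespaces, and a typical remapping of the kind a daemon started with --userns-remap produces. The `0 100000 65536` range and the 65534 overflow id are assumptions taken from common defaults, not values from the page. The practical check inside a running container is `cat /proc/self/uid_map`: a first line of `0 0 4294967295` means container root is host root.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// OverflowUID is the kernel's default /proc/sys/kernel/overflowuid: the id a
// process inside a user namespace sees for host ids that are not mapped in.
const OverflowUID uint32 = 65534

// IDRange is one line of /proc/<pid>/uid_map (or gid_map):
// "<first id inside the namespace> <first id on the host> <count>".
type IDRange struct {
	Inside, Outside, Count uint32
}

// ParseIDMap parses uid_map/gid_map text. Blank lines are ignored; anything
// else that is not three unsigned 32-bit integers is an error.
func ParseIDMap(text string) ([]IDRange, error) {
	var ranges []IDRange
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("uid_map: expected 3 fields, got %q", line)
		}
		var vals [3]uint32
		for i, f := range fields {
			v, err := strconv.ParseUint(f, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("uid_map: bad number %q: %w", f, err)
			}
			vals[i] = uint32(v)
		}
		if vals[2] == 0 {
			return nil, fmt.Errorf("uid_map: zero-length range %q", line)
		}
		ranges = append(ranges, IDRange{Inside: vals[0], Outside: vals[1], Count: vals[2]})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return ranges, nil
}

// ToHost translates an id used inside the container to the id the host kernel
// enforces. ok is false when the id is not mapped at all: no process in the
// namespace can ever hold it.
func ToHost(m []IDRange, inside uint32) (host uint32, ok bool) {
	for _, r := range m {
		if uint64(inside) >= uint64(r.Inside) && uint64(inside) < uint64(r.Inside)+uint64(r.Count) {
			return r.Outside + (inside - r.Inside), true
		}
	}
	return 0, false
}

// FromHost translates a host id (say, the owner of a bind-mounted file) to what
// the container sees. Unmapped host ids collapse to OverflowUID ("nobody"), which
// is why files owned by real host root look unowned inside a remapped container.
func FromHost(m []IDRange, host uint32) (inside uint32, ok bool) {
	for _, r := range m {
		if uint64(host) >= uint64(r.Outside) && uint64(host) < uint64(r.Outside)+uint64(r.Count) {
			return r.Inside + (host - r.Outside), true
		}
	}
	return OverflowUID, false
}

func main() {
	// Constructed samples. The first is the identity map every process has when
	// user namespaces are off; the second is what a container started under a
	// remapping daemon typically shows in /proc/self/uid_map.
	noUserns, _ := ParseIDMap("0 0 4294967295\n")
	remapped, _ := ParseIDMap("0 100000 65536\n")
	for _, m := range [][]IDRange{noUserns, remapped} {
		host, ok := ToHost(m, 0)
		fmt.Printf("container root -> host uid %d (mapped=%v)\n", host, ok)
	}
	inside, ok := FromHost(remapped, 0)
	fmt.Printf("host root seen from container: uid %d (mapped=%v)\n", inside, ok)
}
```

The FromHost direction is the one that bites in practice: volumes and bind mounts owned by host uids outside the mapped range show up as nobody inside the container and are not writable, so the remap range has to be chosen together with the ownership of any data the container needs.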
Docker Universal Control Plane
“an on-premises solution for deploying and managing Dockerized distributed applications in production on any infrastructure.”
Gives IT ops a single Docker-native management interface for all containers, on premises or in the cloud.
Currently in beta.
UCP is to containers as vCenter is to VMs
User Management
• LDAP/AD integration with Trusted Registry
• Role based access control (RBAC) to cluster, apps, containers, images
Resource Management
• Visibility into cluster, apps, containers, images, events with intuitive dashboards
• Manage clusters, images, network and volumes
• Manage apps and containers
• Monitoring and logging
Security & Compliance
• On-premise deployment
• Out of the box TLS
• LDAP/AD authentication
• User audit logs
• Out of the box HA
Containers as a Service
Production-Ready: Swarm 1.0 Clustering
Scaling Swarm to 1,000 AWS nodes and 50,000 containers!
Multi-host networking
• Docker Engine 1.9 features a new networking system, and Swarm integrates fully with this. Any networks you create in Swarm will seamlessly work across multiple hosts.
Persistent storage
• Engine 1.9 has a new volume management system. If you use a volume driver that works across multiple hosts (such as Flocker or Ceph) you'll be able to store persistent data on your Swarm regardless of where containers get scheduled on your cluster.
• Volume management works from the command line interface with plug-ins. There are drivers available for Blockbridge, Ceph, ClusterHQ, EMC, and Portworx.
Production-Ready: Docker Hub Autobuilds
Dynamic Matching: the Docker Hub build system can now be configured to dynamically trigger builds as your team creates new git branches and tags.
Parallel Builds: the Automated Build system will execute as many builds in parallel as you have private repositories.
Networking
Multi-host networking no longer experimental
Out of the box overlay networking in 1.9
New 'docker network' command provides management of networks as a top-level object
Extensibility through network plugins
Already 6 implementations done or under development
Support for DNS to come later
An IP per container, contrasted with an IP per pod in Kubernetes
Surgically Segmented Networks
Network driver plugins available are from Cisco, Microsoft, Midokura, Nuage, Project Calico, VMware, and Weave. Default IP addressing remains the same, but IPAM is pluggable.
Resources
Video
• Day 1 General Session
• Day 2 General Session
• Day 2 Closing General Session - Moby's Cool Hacks
• Wild Card Day 1 Videos/Slides
• Wild Card Day 2 Videos/Slides
Slides
• General and separate tracks
Upcoming Online Events
• Dec 10th: Introduction to Docker Security
• Dec 11th: Building, running & deploying Docker containers
• Dec 17th: Intro to Docker - Demo and FAQ
• Jan 12th: The Value of Docker Subscription and Support
• Feb 11th: Introduction to the Docker Platform