Containers are a developer's new best friend. For all the non-developers, what does this mean? This session will demystify this abstraction called containers, and dive deep on how it changes the way we provision, deliver, deploy and manage applications.
Speaker: Shiva Narayanaswamy, Solutions Architect, Amazon Web Services
2. Containerised Microservices
(Diagram: Dom 0 hosting three instances, each with its own OS and container runtime, running App and Service containers side by side)
3. Container Orchestration
(Diagram: the same three instances, each with OS and container runtime running App and Service containers, with a Container Orchestration layer spanning all of them)
4. Container Orchestration
(Diagram: Dom 0 with three Instance/OS nodes running App and Service containers; the Orchestration layer is broken down into Service Management, Scheduling and Resource Management)
Service Management
§ Labels
§ Groups/Namespaces
§ Dependencies
§ Load Balancing
§ Health Check
§ Service Discovery
5. Container Orchestration
(Diagram: Dom 0 with three Instance/OS nodes running App and Service containers; the Orchestration layer is broken down into Service Management, Scheduling and Resource Management)
Scheduling
§ Placement
§ Replication/Scaling
§ Resurrection
§ Rescheduling
§ Rolling deploys
§ Upgrades
§ Downgrades
§ Colocation
6. Container Orchestration
(Diagram: Dom 0 with three Instance/OS nodes running App and Service containers; the Orchestration layer is broken down into Service Management, Scheduling and Resource Management)
Resource Management
§ Memory
§ CPU
§ GPU
§ Volumes
§ Ports
§ IPs
10. Schedulers – General Blurb
(Diagram: the scheduling logic sits between the cluster machines and the cluster state information; three scheduler architectures are compared)
§ Monolithic: no concurrency
§ Two-Level: pessimistic concurrency (offers)
§ Shared State: optimistic concurrency (transactions)
17. Security Pro-Tips
§ Host Security
  § Lock it down
  § Namespaces and cgroups are your friends
  § Select few belong to the docker UNIX group
  § SELinux is also your friend
  § Docker daemon runs as root!
§ Docker Daemon Security
  § Do not run in privileged mode
  § Lock down inter-container comms: --icc=false
  § Secure APIs with TLS certificates
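A small audit of the three daemon settings above, added here as an example and not part of the talk: it parses a daemon.json document and `docker inspect` output (both constructed samples) and reports icc left on, a TCP API endpoint without tlsverify, and any privileged containers.

```python
"""Audit helper for the daemon items on the Security Pro-Tips slide.
Added example, not from the talk: it checks a daemon.json document and
`docker inspect` output for icc=false, a TLS-verified API, and the absence
of privileged containers. All sample inputs below are constructed.
"""
import json

# Constructed daemon.json in the weak state: icc left at its default and a
# TCP API socket exposed without TLS.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "icc": True,
})

# Constructed daemon.json in the corrected state.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "icc": False,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed subset of `docker inspect` output for two containers.
INSPECT_JSON = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False}},
    {"Name": "/agent", "HostConfig": {"Privileged": True}},
])


def audit_daemon_config(daemon_json: str) -> list:
    """Return findings for a daemon.json text; an empty list means it passes."""
    cfg = json.loads(daemon_json)
    findings = []
    # Docker's default is icc=true; the slide asks for --icc=false.
    if cfg.get("icc", True):
        findings.append("icc enabled: containers can reach each other freely")
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # A TCP API endpoint without tlsverify hands out root-equivalent control.
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append("API on " + ", ".join(tcp_hosts) + " without tlsverify")
    return findings


def privileged_containers(inspect_json: str) -> list:
    """Return names of containers running with HostConfig.Privileged set."""
    return [c["Name"].lstrip("/") for c in json.loads(inspect_json)
            if c.get("HostConfig", {}).get("Privileged")]
```

On a real host, feed it the contents of /etc/docker/daemon.json and the output of `docker inspect $(docker ps -q)`.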
18. Whale-Say
"Only trusted users should be allowed to control your Docker daemon"
"If you run Docker on a server, it is recommended to run exclusively Docker in the server, and move all other services within containers controlled by Docker"
19. Image Registry
(Diagram: developer workflow. The Developer commits code to the Source Code Repo, which triggers a build in the CI/CD system; Security Scanning and Continuous Assurance gate the pipeline; CI/CD pushes a signed image to the Image Registry; the Deployment System pulls the latest stable signed image)
20. More Prescriptive Advice Here…
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf
24. Persistent Storage
§ POSIX is a legacy filesystem. So don't!
§ Named volumes
§ Data only container
§ Flocker
§ Shared file system (EFS, GlusterFS etc.)
26. Monitoring and Operating
Monitoring systems need to be more available and scalable than the systems (and services) being monitored
~ Adrian Cockcroft