Learn from the development team as we dive into some of the latest and upcoming features in Docker EE, our enterprise container management solution. We will focus on the architecture and configuration of the features and how they can be used with both modern apps and containerized legacy apps. Stay for some tips on monitoring and troubleshooting to help you prevent your production environment from going sideways.
Docker Enterprise Edition: Building a Secure Supply Chain for the Enterprise - Vivek Saraswat and Patrick Devine, Docker
1. Docker EE - Building a Secure Software Supply Chain
Patrick Devine, Product Manager, Docker (@pdev110)
Vivek Saraswat, Product Manager, Docker (@theVSaraswat)
2. Agenda
1. What is Docker EE?
2. Architectural Overview
3. Keynote Features Deep Dive
a. Image Management Demo
b. App Deployment Demo
3. Docker Enterprise Edition (EE)
CaaS enabled platform for the modern software supply chain
• Integrated orchestration, security and management
• Predictable quarterly releases with 1 year of support and maintenance
• Security patches and hotfixes backported to all supported versions
• Enterprise class support (9am-6pm or 24x7x365)
• Certified Infrastructure, Containers and Plugins
4. Enterprise & Community Editions
Enterprise Edition (EE) - recommended for production use
• Paid Docker subscription
• Includes support from Docker
• Predictable quarterly release
• Certified partner ecosystem
• Enterprise-grade features (security, management, automation)
Community Edition (CE)
• Free for “do it yourself” dev & ops
• Does not include support
• Quarterly Stable release for ops
• Monthly Edge release for developers
9. Docker EE Available in Three Versions (Docker 2017 - Confidential)

Feature                                                          | EE Basic (CS Engine) | EE Standard (Docker Datacenter) | EE Advanced
CaaS enabled platform                                            | x                    | x                               | x
Container engine and built in orchestration, networking, security | x                   | x                               | x
Docker Certified Infra, Plugins and ISV Containers               | x                    | x                               | x
Image management, with private registry, caching                 |                      | x                               | x
Integrated container app management                              |                      | x                               | x
Multi-tenancy with RBAC, LDAP/AD                                 |                      | x                               | x
Integrated secrets mgmt, image signing, policy                   |                      | x                               | x
Image security scanning and continuous vulnerability monitoring  |                      |                                 | x
Business Day Support or Business Critical Support                | X                    | X                               | X
10. Image Management: Let’s dive into the keynote demo features!
● Image Promotions (coming soon)
● Image Scanning (Available today!)
11. Image Promotion (coming soon)
● Promotes “blessed” images from one repository to a different one in the same DTR
● Repositories each have their own access control
● Images can be re-tagged automatically to a new tag
● Can be done “manually” or by a “policy”
13. Promotion Policy Criteria
● Tagged with a certain tag
● Doesn’t contain any vulnerabilities above a threshold (critical, major, minor)
● Package exists or is greater or less than a certain version
● Is greater than (or less than) a certain size
● Doesn’t contain a certain type of license (e.g. GPLv3)
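To show how these criteria combine into a single promote/block decision, here is an added Python example that evaluates constructed scan metadata for two candidate images against a constructed release policy. It is not DTR's promotion engine: the ImageInfo and PromotionPolicy structures, their field names, the severity ordering and the sample images are all assumptions made for this demo.

```python
"""Illustrative promotion-policy evaluator for the criteria listed on the slide.

Added example, not DTR's own promotion engine: the ImageInfo and
PromotionPolicy structures, the field names and the sample scan metadata are
all constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Severity ordering used for the "vulnerabilities above a threshold" rule.
SEVERITY_RANK = {"minor": 1, "major": 2, "critical": 3}


@dataclass
class ImageInfo:
    tag: str
    size_bytes: int
    vulnerabilities: list        # severities found by the scanner, e.g. ["major", "minor"]
    packages: dict               # package name -> version string
    licenses: set                # licence identifiers found in the image


@dataclass
class PromotionPolicy:
    tag_pattern: str = None          # regex the source tag must match
    block_at_or_above: str = None    # lowest severity that blocks promotion
    package_name: str = None         # package that must exist ...
    package_min_version: str = None  # ... at or above this version (inclusive)
    package_max_version: str = None  # ... and below this version (exclusive)
    max_size_bytes: int = None       # image must be smaller than this
    banned_licenses: set = field(default_factory=set)


def parse_version(text):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically; letter suffixes such as 1.0.2k are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def evaluate(image, policy):
    """Return the list of reasons the image fails the policy; an empty list means promote."""
    failures = []

    if policy.tag_pattern and not re.search(policy.tag_pattern, image.tag):
        failures.append(f"tag {image.tag!r} does not match {policy.tag_pattern!r}")

    if policy.block_at_or_above:
        limit = SEVERITY_RANK[policy.block_at_or_above]
        blocking = [s for s in image.vulnerabilities if SEVERITY_RANK[s] >= limit]
        if blocking:
            failures.append(f"{len(blocking)} vulnerabilities at or above {policy.block_at_or_above}")

    if policy.package_name:
        version = image.packages.get(policy.package_name)
        if version is None:
            failures.append(f"package {policy.package_name} is not installed")
        else:
            v = parse_version(version)
            if policy.package_min_version and v < parse_version(policy.package_min_version):
                failures.append(f"{policy.package_name} {version} is older than {policy.package_min_version}")
            if policy.package_max_version and v >= parse_version(policy.package_max_version):
                failures.append(f"{policy.package_name} {version} is not below {policy.package_max_version}")

    if policy.max_size_bytes is not None and image.size_bytes >= policy.max_size_bytes:
        failures.append(f"image is {image.size_bytes} bytes, limit is {policy.max_size_bytes}")

    banned = image.licenses & policy.banned_licenses
    if banned:
        failures.append("banned licences present: " + ", ".join(sorted(banned)))

    return failures


# Constructed sample policy: promote release-tagged images that carry nothing
# worse than minor findings, ship a patched openssl, stay under 200 MB and
# avoid GPLv3 code.
RELEASE_POLICY = PromotionPolicy(
    tag_pattern=r"^release-",
    block_at_or_above="major",
    package_name="openssl",
    package_min_version="1.0.2k",
    max_size_bytes=200 * 1024 * 1024,
    banned_licenses={"GPL-3.0"},
)

# Constructed scan results for two candidate images.
GOOD_IMAGE = ImageInfo(tag="release-1.4", size_bytes=85_000_000,
                       vulnerabilities=["minor"],
                       packages={"openssl": "1.0.2k", "pcre": "8.40"},
                       licenses={"MIT", "Apache-2.0"})
BAD_IMAGE = ImageInfo(tag="dev-1.5", size_bytes=310_000_000,
                      vulnerabilities=["critical", "minor"],
                      packages={"openssl": "1.0.1e"},
                      licenses={"GPL-3.0"})

if __name__ == "__main__":
    for img in (GOOD_IMAGE, RELEASE_POLICY and BAD_IMAGE):
        reasons = evaluate(img, RELEASE_POLICY)
        print(img.tag, "-> promote" if not reasons else "-> blocked: " + "; ".join(reasons))
```

Every failing criterion is reported rather than stopping at the first one, which is what an operator wants when deciding whether a blocked image needs a rebuild or just a re-tag.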
16. Image Scanning (available now)
• Scans at a binary level
○ Not just looking at package versions
• Works both online and offline
○ New vulnerability database released daily
○ Great for air gapped scenarios (sneaker net!)
• Scans both Linux and Windows
19. $ docker history pdevine/partyparrot:1.0
IMAGE               CREATED             CREATED BY
4e21821ad0d9        5 minutes ago       /bin/sh -c #(nop) ENTRYPOINT ["/parrot"]
880254b79668        5 minutes ago       /bin/sh -c #(nop) ADD file:6e64234...
6aa638b57d74        5 minutes ago       /bin/sh -c apk update && apk add pcre
4a415e366388        6 weeks ago         /bin/sh -c #(nop) ADD file:730030a...
25. App & Cluster Management: Let’s dive into the keynote demo features!
● Apps with Hybrid Linux/Windows (Coming soon)
● Apps with Secrets Management (Available today!)
26. Mixed Windows/Linux Cluster (coming soon)
● Linux Managers
○ UCP Controllers
○ DTR Replicas
○ Authentication, Image Scanning, Signing and other shared Services
● Mixed Workers
○ Windows native containers on Windows nodes
○ Linux containers on Linux nodes
[Diagram: manager nodes running Docker Universal Control Plane and Trusted Registry, with a mixed set of Linux and Windows worker nodes]
27. Hybrid Linux/Windows App Deploy
● Can deploy with Compose
● Use labels and constraints for intelligent scheduling
● Overlay networks connect the containers
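The "labels and constraints" bullet is the part that bites in a mixed cluster: a Windows image scheduled onto a Linux node simply fails to start. The added Python below is not Docker's scheduler; it models a compose v3 style stack as a dict (so it runs without extra packages), parses the `key == value` / `key != value` placement constraints swarm uses, and works out which constructed nodes each service may land on. The image names, the node inventory and the `tier` label are assumptions made for the demo.

```python
"""Placement-constraint matcher for a hybrid Linux/Windows stack.

Added example, not Docker's scheduler: the constraint grammar follows the
"key == value" / "key != value" form used by swarm placement constraints,
but the stack definition, the image names and the node inventory below are
constructed for this demo.
"""
import re

CONSTRAINT_RE = re.compile(r"^\s*(\S+)\s*(==|!=)\s*(\S+)\s*$")


def parse_constraint(text):
    """Split 'node.platform.os == windows' into ('node.platform.os', '==', 'windows')."""
    match = CONSTRAINT_RE.match(text)
    if not match:
        raise ValueError(f"unsupported constraint: {text!r}")
    return match.groups()


def constraints_of(service):
    return [parse_constraint(c) for c in
            service.get("deploy", {}).get("placement", {}).get("constraints", [])]


def node_satisfies(node, constraint):
    key, op, value = constraint
    actual = node.get(key)
    return actual == value if op == "==" else actual != value


def eligible_nodes(service, nodes):
    """Names of nodes on which every placement constraint of the service holds."""
    wanted = constraints_of(service)
    return sorted(name for name, attrs in nodes.items()
                  if all(node_satisfies(attrs, c) for c in wanted))


def services_without_os_constraint(stack):
    """Services that never pin node.platform.os: in a mixed cluster they can land on the wrong OS."""
    return sorted(name for name, svc in stack["services"].items()
                  if not any(key == "node.platform.os" for key, _, _ in constraints_of(svc)))


# Constructed compose v3 style stack (a dict rather than YAML so it runs without extra packages).
STACK = {
    "version": "3.1",
    "services": {
        "web": {
            "image": "example/win-web:1.0",            # placeholder Windows image
            "deploy": {"placement": {"constraints": [
                "node.platform.os == windows",
                "node.labels.tier == frontend",
            ]}},
            "networks": ["app-net"],
        },
        "db": {
            "image": "example/linux-db:1.0",           # placeholder Linux image
            "deploy": {"placement": {"constraints": [
                "node.platform.os == linux",
                "node.role == worker",
            ]}},
            "networks": ["app-net"],
        },
        "cache": {                                      # no constraints: the mistake to catch
            "image": "example/linux-cache:1.0",
            "networks": ["app-net"],
        },
    },
    "networks": {"app-net": {"driver": "overlay"}},     # overlay network spanning both OS types
}

# Constructed node inventory, keyed by the attribute names constraints use.
NODES = {
    "lin-m1": {"node.platform.os": "linux", "node.role": "manager"},
    "lin-w1": {"node.platform.os": "linux", "node.role": "worker"},
    "win-w1": {"node.platform.os": "windows", "node.role": "worker",
               "node.labels.tier": "frontend"},
}

if __name__ == "__main__":
    for name, svc in STACK["services"].items():
        print(f"{name}: {eligible_nodes(svc, NODES)}")
    print("missing OS constraint:", services_without_os_constraint(STACK))
```

Running it shows `cache` is eligible for every node, including the Windows worker, which is exactly the case `services_without_os_constraint` flags before the stack is deployed.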
31. Simple Workflow for Devs
● Add secrets to cluster
○ `docker secret create` - Add secret to swarm RAFT store
● Inject a secret into a service
○ `docker service create --secret="foo"`
● Define services, secrets, networks, volumes in a compose file (yml v3.1+)
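The slide covers the cluster side of the workflow; the other half is how the service consumes the secret. Swarm mounts each secret given with `--secret` as a file under `/run/secrets/<name>` inside the container (a tmpfs on Linux), so the application reads it from there rather than from an environment variable or the image. The Python below is an added example, not Docker's code: the secret name `foo`, the demo value and the temporary directory standing in for `/run/secrets` are constructed for the demo.

```python
"""How a service reads a swarm-injected secret at runtime.

Added example, not Docker's code. Workflow these functions assume, as on the slide:
    docker secret create foo ./foo.txt
    docker service create --name app --secret foo example/app:1.0
The secret name "foo", the demo value and the temporary directory that stands
in for /run/secrets are constructed for this example.
"""
import os
import tempfile
from pathlib import Path

DEFAULT_SECRETS_DIR = Path("/run/secrets")


class SecretNotMounted(RuntimeError):
    pass


def read_secret(name, secrets_dir=DEFAULT_SECRETS_DIR):
    """Return the secret's contents as text, without the trailing newline editors add."""
    # Secret names are single path components; reject anything that could escape the directory.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError(f"invalid secret name: {name!r}")
    path = Path(secrets_dir) / name
    try:
        data = path.read_bytes()
    except FileNotFoundError:
        raise SecretNotMounted(
            f"secret {name!r} is not mounted at {path}; was the service created with --secret={name}?"
        ) from None
    return data.decode("utf-8").rstrip("\r\n")


def secret_is_mounted(name, secrets_dir=DEFAULT_SECRETS_DIR):
    """Start-up check so a misconfigured service fails fast instead of at first use."""
    try:
        read_secret(name, secrets_dir)
    except SecretNotMounted:
        return False
    return True


def load_config(secrets_dir=DEFAULT_SECRETS_DIR):
    """Assemble runtime config from mounted secrets; nothing is copied into os.environ."""
    return {"db_password": read_secret("foo", secrets_dir)}


def make_demo_secrets_dir():
    """Build a temporary directory shaped like /run/secrets with one constructed secret."""
    tmp = Path(tempfile.mkdtemp(prefix="run-secrets-"))
    (tmp / "foo").write_text("s3cret-value\n")
    # Mirror the default read-only file mode (0444) swarm gives secret files.
    os.chmod(tmp / "foo", 0o444)
    return tmp


if __name__ == "__main__":
    demo = make_demo_secrets_dir()
    print(load_config(demo))
    print("missing secret mounted?", secret_is_mounted("missing", demo))
```

Keeping the value out of `os.environ` matters because environment variables leak into `docker inspect` output and child processes, whereas the tmpfs file is visible only inside the container.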
32. Control for Ops
● Management: Admins can add/remove/list/update secrets in the cluster
● Rotation: Use GUI to update a secret to all containers in a service
● Authorization: Admins can authorize secrets access to users/teams via RBAC
● Auditing: Each user request for secret access logged in cluster
33. Lock Down Your Cluster - Access Control
User Authentication
• Built-in
• LDAP/AD support
Granular RBAC
• Teams/Orgs
• Permission Roles
Permission roles, from least to most privileged (each role adds to the one before it):
No Access
View Only
• Inspect
• View
Restricted Control
• Create
• Run
• Restart
• Stop
• Delete
Full Control
• Exec
• Namespaces
• Kernel access
• Host-mounted volumes
Admin
• Manage users
• Assign permissions
• Change UCP settings
35. In Summary...
● Docker EE: Container management platform with support and
integrated orchestration, security, and automation
● We talked about these Docker EE features:
○ Image Scanning (Available today)
○ Secrets Management (Available today)
○ Image Promotions (Coming soon)
○ Linux/Windows Cluster (Coming soon)
● Try out Docker EE for yourself!
○ www.docker.com/trial
○ Come to the Docker booth for a demo