Docker & Apcera Better Together
•Download as PPTX, PDF•
5 likes•2,279 views
This document discusses how Docker containers and Apcera's Hybrid Cloud Operating System (HCOS) can work together. Some key points: - Apcera HCOS provides an enterprise-grade platform that allows running Docker containers across multiple hosts and clouds with integrated security, networking, load balancing and other capabilities. - Containers offer advantages over VMs like higher density, portability and agility but need enterprise features for production that Apcera provides. - Apcera integrates policy controls, image scanning, staging pipelines and other features to help securely run Docker containers in production environments at scale. - It addresses barriers to Docker adoption in enterprises like security, multi-cloud mobility, integration
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (9)
Similar to Docker & Apcera Better Together
Similar to Docker & Apcera Better Together (20)
More from Simone Morellato
More from Simone Morellato (9)
Recently uploaded
Recently uploaded (20)
Docker & Apcera Better Together
- 1. Simone Morellato Jul 7th 2015 & Docker better together Apcera
- 2. Apcera Hybrid Cloud Operating System Single Policy Multiple Workloads Multiple Clouds Enterprise-Grade Cloud Platform Policy is built in at the core for providing pervasive security and control. Run PaaS binaries, containers, and full OS (capsule) on same infrastructure today. Additional workloads in future. Workloads mobility. Private-to-private, public-to- public, and private-to-public. vSphere, OpenStack, AWS, GCE, IBM Softlayer, Mirantis Express. Unified Orchestration & Governance Unified Infrastructure
- 3. Why containers? ● > 10X as many containers can run on the same hardware ● Run anywhere - from your laptop to the cloud ● Faster boot enables on-demand application deployment ● Increased performance - no more hardware emulation ● Increased agility and mobility - No more full OS to move around ● Smaller attack surface ● Repository makes finding and deploying services easy. (Postgres/MySQL/Redis/Mongo/etc) ● Growing ecosystem of developers and tools. Server Hardware Hypervisor OS OS OS Libraries Libraries Libraries App App App VM Any Hardware Container OS App Container App Libraries Libraries Any Cloud 1 x 30 MB n x 700 MB App Libraries App Libraries App Libraries WastedSpace
- 4. Where is Docker today? ● Containers bring speed and agility to developers ● Containers are great for web and greenfield apps ● Development and runtime are siloed either in the private or in the public cloud Private Cloud Public CloudOR
- 5. What is industry trying to figure out? ● Containers moving into the enterprise ● Enterprise-grade security and reliability ● Multi cloud mobility ● Integration with existing enterprise apps and services ● Multi workload capabilities Hybrid Cloud Private Cloud Public Cloud ● Container-optimized small- footprint OS
- 6. Docker in poduction, barriers to adoption This report is based on the current and planned container usage patterns of 285respondents. The survey was conducted over the latter half of May 2015. https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2015.pdf
- 7. Why Apcera HCOS? Complete enterprise-grade platform Multi-host, multi-cloud secure networking Integrated load balancing and routing Containers isolation and container- level firewall Images visibility, control and malware inspection Consistent policy across multi-cloud environments Authentication and authorization layer Integration with production logging services Health monitoring Container Engine Networking Container Scheduling Container Orchestration Web Console, CLI, API Storage Policy&Governance Internal Services Integration Multi-vendor IaaS and hybrid cloud support (OpenStack, VMware, Amazon AWS, Google Cloud, Bare-metal) Cluster Installation and Management Advanced features Containers linking, semantic pipelines, scaling, load balancing, images malware inspection Multi-Workloads: Containers, OSes, Apps External Services Integration
- 8. A couple of more reasons… Pull images directly from Docker registries Docker CLI options support Policy controls to restrict packages in the system. Layers caching for near instant launch times Dynamic binding for container to container communication Active connections management Service credentials protection with ephemeral credentials
- 9. Apcera vs. DIY + + + Integration effort and competence Integration with external systems and services Feature gaps/overlap between the components Maintenance and lifecycle management UI and usability Security (including policy and governance) State of the art in industry (many components still in alpha or beta) No multi-tenancy No multi-workload Apcera One System vs. Components DIY
- 10. Apcera Policy for Docker Workload Placement Service Access Resource Quota Network Ingress/Egress Runtime Requirement A Docker workload is just like any other HCOS job Policy is not limited just to resources, you can also control routes, packages, service access, etc. Semantics pipelines
- 11. What’s in your container? You don’t know. And that’s a problem! Image source: BanyanOps Blog, June 2015 General Images with VulnerabilitiesOfficial Images with Vulnerabilities
- 12. Security for images Downlaod Inport Dependencies Virus Scan Approval Notification Package Repo Running Instance Docker Image Apcera Staging Pipeline Staging Pipeline open source API allows partners (eg. FlawCheck) and users to write custom stagers eg. Docker images security checks to detect security flaws.
- 13. Apcera provides the infrastructure that Docker needs
- 14. For more info and a FREE trial please visit http://docs.apcera.com/setup/setup-overview/ Apcera
Editor's Notes
- No more heavy hardware emulation because containers rest on top of a single Linux instance Leave behind the useless 99.9% VM junk, leaving you with a small, neat capsule containing your application Twice as many containers can run on the same hardware Run virtually anywhere - from your laptop to the cloud 1. containers are much lighter-weight vs virtual machines - Each VM on a server contains an entire operating system. That OS will contain all sorts of drivers, utilities, libraries, maybe some runtimes, etc (in addition to the kernel). This translates to lots of large images and as such they consume more disk space, RAM and CPU. With containers, all the containers on a server use the same (very much slimmed down) kernel. Essentially you go from lots of independent, fat operating systems running on a machine, to one very slim kernel that is shared and provides basic services to all containers. This leaves a lot more of a server’s disk, RAM and CPU for running applications - which means many more applications per server using containers vs using VMs. Whereas you may have 10s of VMs on a server you can have 100s of containers. dramatic increase in server utilization. 2. because containers are so light weight they boot much faster than VMs. Apps can be spun up in fractions of a second vs seconds. 3. containers by definition contain the app and all its dependencies (required libraries, runtimes, etc.). This means that (other than the very basic operations that the shared kernel provides) the container contains the app and everything it needs to run. This is very useful as it solves a common problem in the development world. Often when apps move from dev to test (for example) they won’t run properly in the new (test) environment. often after much unfruitful troubleshooting of the app the problem is reported to the developer and he checks the app only to find it’s running perfectly in his development environment. So the problem is the difference between the dev and test environments. A lot of time is wasted trying to (a) keep environments in sync with various patches, updates, libraries, etc. and (b) troubleshooting problems when the environments invariably get out of sync. Big win for containers wrt reducing wasted time and frustration. 4. because an app running in a container has only what it needs to run, its attack surface is much much smaller. In other words all that extra OS code that gets carried around in VMs not only eats CPU, disk and RAM, but it also increases the the possibility of an exploit. the more code you have the greater the possibility that some of it can be exploited. Not only does this increase risk, but also maintenance since someone has to patch all those pieces of code where exploits are found. Bottom line, containers provide many significant benefits vs VMs. This is why Google has been using them for a decade.
- High level overview today and the future
- Today, when a new application is placed in production, a networking team needs to select the appropriate VLAN, open ports, configure load balancing, set up port security through access control lists (ACLs) Containers on routers, switches, load labancers, embedded systems, etc. Free movement of containers and CI/CD into different clouds, but with enterprise-class controls. Companies requiring enterprise-grade reliability and security for all the technologies inside a container as well as the container host environment. Small-footprint operating system Containers as new software delivery model for enterprise applications and hardware Need for a specification for containers Multiple containers topology
- Apcera covers the full solution as a policy governed enterprise offering feature ranging from PaaS, integration with services and hybrid cloud capabilities. 1. Cluster management 2. Container scheduling 3. Container orchestration 4. Policy definition and enforcement 5. Multicloud runtimes - ability to span multiple clouds - with consistent policy across all clouds 6. Workload diversity - ability to run containers, non-containerized workloads and VMs together on same infra. We provide all of the above. The first 3 are provided by lots of others, Mesos, Kubernetes, etc. However, we have unique differentiation with respect to the last 3. Nobody has as complete a policy story as we do, nor can they claim consistent policy across multicloud environments - and I’m not aware of anyone that can run all the workloads we can. Apcera is dedicated to contribute to the Open Source community which innovates in container technologies and sometimes competes Kurma/KurmaOS Orchestration Higher level of abstraction, enables micro-services architecture, repeatable and automatable deployments and software management related to updates/upgrades Usually involves standards (manifests) for describing the application (multiple jobs) Scheduling Features as resource management, cluster management, health monitoring and scaling of workloads (containers) Container engine Container engine allows you to run your containers in isolated context (allocated CPU, RAM, disk, networking) Typically libraries and tooling around Linux kernel features cgroups and namespaces Storage and networking as well as multi-tenancy and isolation capabilities of the engine Operating system is usually integral part of the engine
- Our Docker policy is based upon image tags, which are not strong assertions about an image's contents. By partnering with FlawCheck we can show Continuum using Staging Pipelines to inspect Docker containers for malware and vulnerabilities that could put an organization at risk.