This slide deck deals with the new features delivered with Docker Engine 1.12, in the larger context of application architecture and security. It was presented at Voxxed Days Luxembourg 2016.
2. voxxeddays.com/luxembourg/ #voxxeddaysLU
Back on Docker paradigms
"A universal, self-sufficient and standard artifact embedding an app module and its subsequent infrastructure configuration"
It is mainly focused on enclosing the computing aspects of the app: what about persistence? Communication? Topologies?
Immutable
Portable
Lightweight
Incremental
Versioned
Disposable
1 - Starters: application architecture shifts
2 - Main course: Docker networking, service & volume features discovered
3 - Dessert: taste-an-app
Security paradigm shifts
Your IT opens up
• Externalization (housing, hosting)
• Cloud (IaaS/PaaS/SaaS)
Open up your IS
• B2B, exposing services
• Multi-tenancy
More and more breaches appear in your Great Wall of China!
Security paradigm shifts
The necessary porosity of your IS requires sticking security closer to each application: sandbox your apps and expose protected interfaces (encrypted, authenticated, authorized)!
• Network is now part of the application topology
• Security is an app topic, not just an infrastructure concern
• Onboard security in feature teams: SecDevOps
Resilience & scalability: now an application problem!
Vertical > horizontal
• Apps designed for failure & scalability
• Data to be externalized
  Structured: MongoDB, Hadoop, Cassandra, Elasticsearch...
  Binaries: object storage with Ceph, OpenStack Swift...
• Dumber infrastructure
Helpful patterns: stateless, multi-versioning, loose coupling...
Infrastructure rationalization: low-cost, poor-SLA commodity
Organization
« Organizations which design systems... are constrained to produce designs which are copies of the communication structures of these organizations » - M. Conway, 1968
Consider shifting your organization if you wish to shift your architecture!
• Forget the myth of central architects organizing and integrating everything
• Promote feature teams
Docker networking
The Container Network Model (CNM)
(Diagram: three Docker containers, each with its own network sandbox holding one or more endpoints; one container has two endpoints, one on the front network and one on the back network)
Docker service, tasks, stack
Docker Engine 1.12 introduces a completely new swarm orchestration framework
• Built into the engine
• Decentralized
• More secure
• More resilient
$ docker node ls
ID NAME MEMBERSHIP STATUS AVAILABILITY MANAGER STATUS
0cdxzmgi1a[...] m1 Accepted Ready Active Leader
4wz1zlur5c[...] * m3 Accepted Ready Active Reachable
a4v6da1yre[...] m2 Accepted Ready Active Reachable
Docker service
Depicts the desired runtime behavior of a given image: networking, resiliency, quotas... a shift to state-machine paradigms
$ docker service create --name front --network app --replicas 3 -p 80:80/tcp nginx:latest
• --network: attach the containers to a given network
• --replicas: define the desired number of instances for this service (named « tasks »)
• -p: attach each instance to a transversal L4 load balancer, reachable on each node of the cluster
$ docker service ls
ID NAME REPLICAS IMAGE COMMAND
9gxxdqpauq08 front 3/3 nginx:latest
$ docker service scale front=10
Front scaled to 10
Docker tasks
The Swarm cluster schedules creation/deletion of tasks (i.e. containers) to meet the desired state described in the service
$ docker service tasks front
ID NAME SERVICE IMAGE LAST STATE DESIRED NODE
7yu4rgc23[...] front.1 front nginx:latest Running 8 hours Running m3
dj4trimu4[...] front.2 front nginx:latest Running 8 hours Running m2
7rdiv2r2e[...] front.3 front nginx:latest Running 7 hours Running m1
Should a task or a cluster node fail, swarm will fire new tasks to meet the desired state
Docker stack
docker-compose enables triggering a complete containerized app topology and its network configuration, piloted from the client side
docker-compose bundle enables creating an artifact depicting this topology, which can be consumed server-side
docker stack deploy enables popping up the desired topology at runtime. The state-machine behavior of swarm then ensures this topology is maintained
Docker volumes
"Former data management locked in a host"
• No persistent data inside app containers
• Object storage: OpenStack Swift, Ceph, Amazon S3…
• Consider using Docker volumes if you need to manage binaries on the app container filesystem
• Handle configuration at run time
Application design in nov' 15
(Diagram: app consumers reach the NGINX reverse proxy, which finds backend instances in Consul)
• The NGINX reverse proxy forwards application requests to one of the Python instances registered in Consul
• Registrator agents make Consul aware of newly started containers
3 command lines to heaven
docker network create --driver overlay wordpressnet
docker service create --env MYSQL_ROOT_PASSWORD=plop --env MYSQL_DATABASE=wordpress --network wordpressnet --replicas 1 --name wordpressdb mysql:latest
docker service create --env WORDPRESS_DB_HOST=wordpressdb --env WORDPRESS_DB_PASSWORD=plop --network wordpressnet --replicas 4 --name wordpressapp --publish 80:80/tcp wordpress:latest
... or, even better: use docker-compose bundle and deploy through CI
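As an added example (not code from the deck), a Python pre-deployment audit of the bundle artifact that the "Docker stack" slide describes and that the three commands above would produce: it assumes the experimental DAB JSON layout of the Docker 1.12 era (Version, Services with Image, Env, Ports, Networks) and embeds a constructed bundle mirroring the WordPress stack, then flags images not pinned by digest, plaintext credentials such as the `plop` passwords carried in Env, and ports the swarm routing mesh publishes on every node.

```python
import json
import re

# Constructed bundle mirroring the three `docker service create` commands
# on the slide (not the deck's own file). The wordpressapp digest is a
# placeholder, not a real image digest.
WORDPRESS_BUNDLE = json.dumps({
    "Version": "0.1",
    "Services": {
        "wordpressdb": {
            "Image": "mysql:latest",
            "Env": ["MYSQL_ROOT_PASSWORD=plop", "MYSQL_DATABASE=wordpress"],
            "Networks": ["wordpressnet"],
        },
        "wordpressapp": {
            "Image": "wordpress@sha256:" + "0" * 64,  # placeholder digest
            "Env": ["WORDPRESS_DB_HOST=wordpressdb", "WORDPRESS_DB_PASSWORD=plop"],
            "Networks": ["wordpressnet"],
            "Ports": [{"Protocol": "tcp", "Port": 80}],
        },
    },
})

# An image reference is considered pinned only when it ends in a sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Env keys that usually carry credentials and should not travel in the bundle.
SECRET_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)", re.IGNORECASE)


def audit_bundle(bundle_json):
    """Return a sorted list of (service, finding) tuples for a DAB document."""
    bundle = json.loads(bundle_json)
    findings = []
    if bundle.get("Version") != "0.1":
        findings.append(("<bundle>", "unexpected Version %r" % bundle.get("Version")))
    for name, svc in sorted(bundle.get("Services", {}).items()):
        image = svc.get("Image", "")
        if not DIGEST_RE.search(image):
            findings.append((name, "image not pinned by digest: %s" % image))
        for entry in svc.get("Env", []):
            key, _, value = entry.partition("=")
            if SECRET_RE.search(key) and value:
                findings.append((name, "plaintext secret in Env: %s" % key))
        for port in svc.get("Ports", []):
            # A published port is exposed by the routing mesh on every node.
            findings.append((name, "publishes %s/%s on every swarm node"
                             % (port["Port"], port["Protocol"])))
    return findings
```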
Zoom on various service discovery usages
Between apps, consumers may ask a service discovery where a desired micro-service is located
Docker now exposes multi-instantiated services, leveraging IPVS load balancing and internal service discovery
The application may internally use its own service discovery to get finer control (Java example: Spring Cloud stack with Zuul/Eureka)
At infrastructure level, an internal service discovery is used by swarm
Noticed the different usages of a service discovery & name resolution mechanism?
Conclusion
• Software is eating the world: application architecture is the key, infrastructure is commodity
• Security is an app concern
• Docker shifted from universal containers to object-oriented application architecture