Top 5 benefits of docker

Top 5 Benefits of Docker

1

December 2nd, 2016

Ippon Technologies © 2016

Ippon Technologies Founded in 2002 by Stephane Nomis, former professional French judoka

● Consulting in Agile Development, Big Data and DevOps / Cloud● Expertise in project delivery with short time-to-market and high quality● Located in France, USA, Australia, Morocco ● 250 engineers● 80% enterprise customers● $32 million revenue and 20% annual growth rate

We support innovative open-source projects such as the popular application generator JHipster

We released a fully managed data platform based on Docker

a full point scored in judo - a win

2


Ippon Technologies USAFounded in March 2014

40 employees● Richmond, VA (HQ)● Washington DC

10+ Customers● Top 10 US Bank● Insurance & Health

○ Allianz ○ Genworth○ CMS○ Envera

Specialties● Big Data● Agile Dev./ Digital● Devops / Cloud 3


About John

4


What is Docker?

●Your application… PLUS stuff your application needs to run

➔ Libraries, file system, webserver, etc.

●Docker images == Shippable Artifact●Docker containers/images are lightweight

➔ Fast spin-up➔ Small footprint➔ Fast shipping between hosts

●Built on top of Linux kernel features: namespaces and cgroups

➔ Features that have been part of the linux kernel for a few years

5


VM uses a hypervisor to create hard resource boundaries between running instances.

Docker Engine shares resources, allow containers to be much more lightweight

Top 5 Benefits of Docker

7

Benefit #1 Solve “Works on my machine” Syndrome

8


Problem: Environmental Drift

● Overtime, changes to servers cause environments to diverge

➔ Example: security patches in production environment

●Bugs in production cannot be reproduced➔ Hours wasted debugging

9


Solution: Immutable Infrastructure

● Docker images are immutable

●Don’t change servers directly!

● Need to update?➔ Implement change in Dockerfile, then deploy immutable image to all

environments➔ Remove old containers with new containers from new Image➔ Changes are traceable, versioned and reproducible

●Bugs in production?➔ Pull image locally, and debug! 10

Benefit #2 - Security

11


Security

“Containers offer many overall advantages. From a security perspective, they create a method to reduce attack surfaces and isolate applications to only the required components, interfaces, libraries and network connections.”

“In this modern age, I believe that there is little excuse for not running a Linux application in some form of a Linux container, MAC or lightweight sandbox.”

– Aaron Grattafiori, Formerly Principal Consultant at NCC Group

“Gartner asserts that applications deployed in containers are more secure than applications deployed on the bare OS” because

even if a container is cracked “they greatly limit the damage of a successful compromise because applications and users are

isolated on a per-container basis so that they cannot compromise other containers or the host OS”.– Joerg Fritsch , Gartner

12


Security with Isolation and Granular Controls

●Isolated containers provide better defense in depth➔ Network, PID, and other namespace isolation

●Only have libraries installed needed for your applications

➔ Smaller attack surfaces➔ Don’t give hackers tools they can utilize (linux tools)

●Granular access for mandatory access controls (MAC)➔ Selinux, AppArmor➔ Whitelisting is best practice➔ Each container has exactly the permission required to run the application13


Security Scan Service

●Available with Docker Cloud and Docker Hub●Scans against a database of known vulnerabilities●Scans new layers as they are pushed through the

pipeline●New vulnerability? Scan all images again and notify

developers

14


Want to learn more about security?

●Aaron Grattafiori, Security lead of NCC Group wrote a good whitepaper on container security (very technical)

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux-containers/

15

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux-containers/

Benefit #3 - Faster Time to Market with Microservices

16


Yay! Microservices!

●Faster time to market●Highly Scalable●Loosely coupled●Agile teams are cross functional and product aligned●Technology Agnostic

17


Microservices! Oh Wait...

●Service orchestration / discovery●Centralized monitoring and logging●Resiliency / self-healing●Need lots of environments

➔ Dev, QA, Prod, Build environments, Test environments

All these problems are harder when you have different types of applications

18


Introducing.. The Container

19


Docker Helps with Microservices

●Standard container interface➔ Operations problems become more generic➔ Ecosystem tools exist

● Spin up new environments quickly➔ For all of your Dev, QA, Prod, needs

●Containers are isolated➔ Deploy multiple apps with conflicting dependencies on the same VM➔ Fully utilize your allocated infrastructure. Save $$$!

●Use containers for build and test environments➔ Riot Games does it right: https://engineering.riotgames.com/ 20




Benefit #4 - Unlock the Ecosystem

24


Ecosystem Tools

25

Clustering and Container Manager

Docker SwarmMesosKubernetesMarathon (Mesos)

Hosting (and PaaS)Docker Cloud (PaaS with plugin hosting)Amazon ECSGoogle Container Engine (Kubernetes)Digital OceanOpenShift (Redhat Paas)

Service DiscoveryConsulEtcdzookeeper

Monitoring / LoggingDatadogcAdvisorSysdigSplunkFluentDELK (or EFK)

https://github.com/veggiemonk/awesome-docker

Benefit #5 - “Developed in the Open”

26


Community Relationship

● Docker is open-source with >1000 contributors

● Docker extracts internals and publishes as separate OS projects➔ libnetwork , swarmkit, infrakit, etc. ➔ Non are Docker dependent

●Experimental releases to collect feedback

●Programs such as the Docker Captains group and community slack channels

➔ Join the community! https://community.docker.com/registrations/groups/4316o

27


Docker is Built on Open Standards

● Open Container Initiative (OCI) define open Industry standards for container format and runtime

● Backed by big companies (Google, Docker, Redhat)

●Docker donated reference implementation runc: https://runc.io/

●Starting with Docker 1.11 runs OCI compliant images using OCI-compliant OS projects: runc and containerd.

28

https://runc.io/



Back by Big Players

30

Thank You

31


John ZacconeSoftware Engineer, [email protected]@JohnZaccone

Romain LhéritierManaging Director, [email protected](804) 482-1515

www.ippon.tech

Olivia DeputyBusiness Dev. Assoc., [email protected](540) 421-3861

Addresses: Ippon @PowerPlant2700 East Cary StreetRichmond, VA 23223

Ippon @WeWork718 7th St NWWashington, DC 20001

Contact Us

32

mailto:[email protected]





Engineering

Top 5 benefits of docker