© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DVO311
Learn How to Use Containers, Red Hat, and AWS to Achieve Extreme IT Agility and Combat Network Exploits

Sean Dilda, Senior Automation Engineer, Duke University
Chris Collins, Senior Linux System Administrator, Duke University
Scott McCarty, Container Technical Evangelist, Red Hat
What to Expect from the Session
In this session, you will learn:
•Where containers provide real value
•How Duke University uses containers:
 Combatting a Denial of Service (DoS) attack
 Identity management
 Research computing
•How to address common container adoption challenges
•Key recommendations for working with containers
REAL VALUE OF CONTAINERS
Containers Deliver Many Benefits
Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA
Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015
CONTAINERS IN USE
Adoption Patterns
PACKAGE AND SHIP
MONOLITHIC APPS
MIGRATE DIFFERENTIATING
APPS TO CLOUD
PACKAGE AND SHIP
CLOUD-READY APPS
Real-world Example #1:
Combatting a Denial of Service Attack
PROBLEM
●DDoS attack targeting Duke.edu
●Flooding load balancers
●All load-balanced services impacted
●Duke.edu down
SOLUTION
●Duke.edu container image
●AWS Docker hosts
●External DNS for duke.edu pointed to AWS
●Internal traffic kept inside Duke
THE RESULT
●Duke.edu unaffected for internal customers
●Duke.edu traffic handled by AWS for external customers/DDoS
●30-minute migration!
●Attack removed from load balancers
●Other load-balanced services back to normal
Real-world Example #2:
Identity Management (IDM) in a Container
PROBLEM
●Legacy IDM apps
●Unpredictable behavior after patching
●Result: Infrequent patching
●Inability to easily upgrade
●Result: Ancient hardware
SOLUTION
●Build IDM apps in containers
●Jenkins builds every 4 hours with the latest patches
●Automated testing notifies of failures
●Last “known good” image kept
THE RESULT
●“Known good” image always available; uptime assured
●Breaking patches can be investigated while “known good” images are kept in use
●Extremely portable
●Hardware independent
●Other environment can be set up, tested, torn down in minutes
Real-world Example #3: Research Computing
Serving Up Multiple Stacks
PROBLEM
●Researchers want custom tool chains
●IT wants researchers on shared infrastructure
●Researchers need to be able to reproduce/share environment
SOLUTION
●Run every job in a custom Docker-formatted container
●Keep archive of old container images with log of which version was used for which job run
THE RESULT
●Self service: Researchers at Duke are starting to build their own Docker-formatted container images to run their analysis
THE REALITY OF ADOPTING CONTAINERS: WHAT ARE THE TOP CHALLENGES?
Top Challenges by Container Users
Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA
Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015
TECHNOLOGY
Challenges Duke Is Seeing
PROCESS/STRATEGIC
CONTAINING THE MOST
INTERESTING APPLICATION
IN THE WORLD
The Reality: Security Implications
Security Inside the Container
●High vulnerabilities: ShellShock (bash), Heartbleed (OpenSSL), etc.
●Medium vulnerabilities: Poodle (OpenSSL), etc.
●Low vulnerabilities: gcc: array memory allocations could cause integer overflow
36% of official images available for download contain high-priority security vulnerabilities
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015
(http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
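An added example, not code from the session or from Duke's or Red Hat's tooling, of the gate that Example #2 (rebuild with the latest patches, keep the last "known good" image) and the vulnerability figures above imply: a fresh build is promoted to the "known good" tag only when its automated tests pass and the scan reports nothing at or above the blocking severity, otherwise the previous known-good image stays in service. The registry, findings and test verdict are constructed in-memory stand-ins, and the names Registry, Finding and promote_if_good are assumptions of this example.

```python
"""Gate for promoting a freshly built container image to the 'known good' tag.
Registry, findings and test verdict are constructed stand-ins for this example;
wire real image build, test and scanner output in their place."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    package: str   # e.g. "bash", "openssl", "gcc"
    name: str      # e.g. "ShellShock", "Heartbleed", "Poodle"
    severity: str  # "low" | "medium" | "high"


@dataclass
class Registry:
    tags: dict = field(default_factory=dict)      # tag -> image id
    history: list = field(default_factory=list)   # every image ever promoted, never deleted


def worst_severity(findings):
    """Highest severity rank among the scan findings (0 when the scan is clean)."""
    return max((SEVERITY_RANK[f.severity] for f in findings), default=0)


def promote_if_good(registry, image_id, tests_passed, findings, block_at="high"):
    """Promote image_id to 'known-good' only if tests passed and no finding is at
    or above block_at. Returns (promoted, reason). On any failure the previous
    known-good image is left untouched, so a breaking patch never reaches users."""
    previous = registry.tags.get("known-good")
    if not tests_passed:
        return False, f"tests failed for {image_id}; keeping known-good={previous}"
    threshold = SEVERITY_RANK[block_at]
    blocking = [f"{f.name} in {f.package}" for f in findings
                if SEVERITY_RANK[f.severity] >= threshold]
    if blocking:
        return False, f"blocked by {', '.join(blocking)}; keeping known-good={previous}"
    if previous is not None:
        registry.tags["known-good-previous"] = previous  # archived for investigation
    registry.tags["known-good"] = image_id
    registry.history.append(image_id)
    return True, f"promoted {image_id} to known-good (worst severity rank {worst_severity(findings)})"
```

The blocking threshold is a parameter so the same gate can be tightened to medium for images that face the internet, as the Duke.edu image in Example #1 does.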
And That's Why the Ops Guy Is Freaking Out
Container Host & Container Image
UNTRUSTED
●Will what’s inside the containers compromise your infrastructure?
●How and when will apps and libraries be updated?
●Will it work from host to host?
RED HAT CERTIFIED
●Trusted source for the host and the containers
●Trusted content inside the container with security fixes available as part of an enterprise lifecycle
●Portability across hosts
●Container Development Kit
●Certification as a service
●Certification catalog
●Red Hat Container Registry
[Diagram: host OS, container OS, runtime, and app layers, shown once for the untrusted stack and once for the Red Hat certified stack]
RECOMMENDATIONS
AND A WORD OF ADVICE
Red Hat’s Container Strategy: trust, portability, comprehensive
Start Small, but Think Big: advanced tools and planning
[Diagram: portability across environments (physical, virtual, private cloud, public cloud) and portability across platforms]
A Word of Advice
●Adoption Patterns
 Start small for quick wins
 Top-down approach for confidence
 Advanced management tools
 Single vs. multiple containers
 Portability
●Trust
 Supply chain, build methodology, temporal
 Training and education
●Tenancy
 Resources, security, and configuration
•Talk with Red Hat container experts at booth #409
•Follow our blogs: http://rhelblog.redhat.com/tag/containers/ and https://blog.openshift.com/
•Connect with us:
Learn more
Red Hat Atomic
@RedHatAtomic
Scott McCarty
@fatherlinux
Sean Dilda Chris Collins
@ChrisInDurham
Remember to complete your evaluations!
Thank you!