UsetheSourceorjointheDarkSide

ThedifferencesbetweenDockerCommunityEdition

andDockerEnterpriseEdition

Outline

• Introductions• Highleveldifferences• Build,ship,andrun• Securitymodel• Trafficrouting• Gettingstarted

WhoamI?

• JérômePetazzoni(@jpetazzo)• JoineddotCloudin2010(tobuildandscaleacontainerplatform)• In2013,dotCloudlaunchesDocker(andchangesitsname)• Thesameyear,Isubmitmyfirstcontainertalk(attheSCALE11xconferenceinLosAngeles)• SincethenI’vebeenlivinginconferencehotelsandairports😰

⚠Thisisavendortalk

• IworkforDockerInc.• IwilltalkaboutDockerInc.commercialproducts• ButIdon’tlikeadvertising• I’llexplain:• whatyougetforfree(DockerCE,CommunityEdition)• whatyougetfor€€€(DockerEE,EnterpriseEdition)

• Targetaudience:engineers(andtech-savvydecisionmakers)

Whythistalk?

• Dispellingafewmyths• MYTH#1:“DockerInc.doesn’thaveabusinessmodel!”• DockerInc.sellscommercialproducts,support,SAASofferings• DockerInc.generatessignificantrevenue&hascustomerslikeVisa,PayPal…• Thishasbeengoingonforafewyearsnow

• MYTH#2:“Dockerisonlyfordevelopment,notproduction!”• PeoplehavebeenusingDockerinproductionsince2013• Usinganykindofsoftware inproductionischallenging• Tohelp,DockerInc.hascommercialproducts,support,...yougettheidea

• HelpingyoutodecideifDockerisgoodforyourapp

Therewillbedemos(It’sanoldDockertradition!)

Ourdemoapplication

• Wewillshowanappbuiltaroundamicro-servicesarchitecture• DockerCoins• usedinmyorchestrationworkshop:https://github.com/jpetazzo/orchestration-workshop

• Youcanrunthisdemoonany Dockermachine• …anditshouldtakeapproximately1minutetobuildandrunit!

DemoRunDockerCoins inaplay-with-docker sandbox

High leveldifferencesbetweenDockerCEandDockerEEDockerCE• fordevelopersandsmallorganizations• free• stableversion(every3months)• edgeversion(everymonth),withcuttingedgefeatures

DockerEE• forbusinesscriticalproductionapps• subscriptionmodel• stableversion(every3months)• eachversionmaintainedatleastforoneyear• additionalenterprisefeatures(management,security…)

Releaseschedule

Supportedplatforms

Deployingourdemoapponacluster

• TheDockermottois“build,ship,andrunanyapp,anywhere”• Thismeans:• build containerimagesforourapp• ship theseimagestoaregistry• runtheapponaSwarmcluster

• DockerComposeisagreattoolfordevstacks…• …andcanbeusedtodeploythemonclustersaswell!

DemoUseComposeand“docker stackdeploy”tobuild,ship,andrunDockerCoins

Inspectingourapplication

• Wewantto:• listdeployedservicesandtheirstatus• viewcontainerlogs• getashellinacontainer

• DockerCE:wewilluseDocker’sCLIandAPI• DockerEE:wewilluseUCP(UniversalControlPlane)

Therearealso3rd-partyinterfaceslikePortainer,usingtheDockerAPI:https://github.com/portainer/portainer

Demodocker ps,docker logs,docker servicels,docker serviceps,docker exec

DemoShowthesameinformationwithUCP

Operatingourapplication

• Wewantto:• viewtheportallocatedtoDockerCoins’webUI• displaythewebUI• scaleupanddownthe“worker”service• viewmetrics

• DockerCE:wewillusetheDockerAPI• DockerEE:wewilluseUCP

Demodocker inspect,loadpageinbrowser,docker serviceupdate

Demometrics?Thatoneistrickier!Wecouldusethisthingnamed“Prometheus”...

DemoDothesameoperationsinUCP,showmetrics

Security(CE&EE)

• Dockernativeclustering(“SwarmMode”)usestheSwarmKit library• SwarmKit hasverystrongsecurityfoundations:• automaticTLSkeyingandsigning• fullencryptionofthecontrolplane• automaticcertandkeyrotation• optionalencryptionofthedataplane(leveraginghardwarecryptowhereavailable)• leastprivilegearchitecture(single-nodecompromise≠clustercompromise)• on-diskencryptionwithoptionalpassphrase

Secrets(CE&EE)

• Secretsarearbitraryblobsofdata(passphrases,privatekeys,oreventextpads…)• First-classcitizenwiththeDockerAPI• Neverstoredinclearondisk(persistedinencryptedformbymanagernodes)• Exposedtoservices(presentedasafileonanin-memoryfilesystem)

Demodocker secretcreate;addthesecrettoaservice;seethesecretintheservice

Privilegeseparation

• Bydefault,ifIhaveAPIaccess,Icandoanything• Includingcreatingamaliciousservicetoleaksecrets!⚠• Howdowefixthis?🤔

Authenticationandauthorization

• DockerEEhasthenotionofusers,groups,andpermissions• Permissionsareimplementedwithpermissionslabels:“IfanobjecthasthepermissionslabelX,youruserneedstohavepermissionX tobeabletoseeorinteractwiththatobject.”• Normallabel(com.docker.ucp.access.label)• Everyobjectcanhaveone(service,container,volume,secret…)• VisiblewiththeCLI,API,etc.• ProtectedandenforcedbyUCP

DemoCreateaUCPuser“jerome”withbasicprivilegeLoginwith“jerome”Deploya“jeromecoins”stack;Seeitrunninginthe“admin”console

Underthehood

• Docker(CEandEE)hasauthorizationplugins• AllAPIrequestsareexaminedbyallenabledplugins• Eachpluginhastheopportunitytoacceptordenytherequest• UCPisanauthorizationplugin• Youcanwriteyourownplugins• Multiplepluginscanco-exist• UCPletsyouexportakey/certbundle forauser(tousetheCLIwhilerespectingthepermissionssystem)

HTTProutingmesh

• Docker(CEandEE)hasaTCProutingmesh• providesload-balancingforinternalandinboundtraffic• leveragesIPVS,ahigh-performancein-kernelloadbalancer)

But:onlyoneappatatimecan“sit”onport80onyourcluster

• Docker(EE)hasaHTTProutingmesh• providesHTTPHostheaderparsingandvirtualhostrouting• optionalTLStermination• implementedusinglabels

DemoShowlabelsinthedeployedappDorequeststothedifferentvirtualhosts

Hostingcontainerimages

• DockerCE:wecanusetheopensourceregistry• assimpleas“docker runregistry:2”• thisistheregistrythatweusedforallthesedemos

• DockerEE:wecanuseDockerTrustedRegistry(DTR)• hasuserandgroups,integratingwiththeonesinUCP• also:webhooks andworkflowsimplementingCI/CD

• Alsomanythirdpartyoptions:ECR,quay…

Bigscarysecurityquestion

IsitsafetorunthisprogramthatIjustdownloadedfromtheInternet?

• Makesurethatitisfromatrusted,reputablesource• Checkthatitwasn’tcompromisedintransit• Runitthroughanantivirusscanner

Nextbigscarysecurityquestion

IsitsafetorunthiscontainerimagethatIjustdownloaded?

• Makesurethatitisfromatrusted,reputablesource• Checkthatitwasn’tcompromisedintransit• Runitthroughasecurityscanner

Dockersecurityfeatures

• Trusted,reputablesources• DockerStore• officialimages• DockerContentTrust

• Integritychecking• content-addressedlayers• manifestsignatures• cryptographichashes

• Arbitraryimagescanning• DockerSecurityScanning(onlyinEE)• other3rd partyscannersareavailable

GettingstartedwithDockerCE,usingplay-with-dockerLet’sdeployDockerCoins:• onaSwarmcluster• withoutinstallinganythingonourlocalmachine• inlessthan5minutes• andscaleit!

DemoCreateaSwarmclusterinPWDSetupaself-hostedregistryBuild,ship,runDockerCoinsScaleit!

Thereismore…

• RunDockeranywhere• onvirtualorphysicalmachines• onembeddedorenergy-efficientplatformslikeARM

• RunWindowsapplications• DockercanrunLinuxandWindowscontainers• Swarmcanmanagemixedclusters

• Runmonolithic/legacyapplications• image2dockerhelpsto“dockerize”existingapps(similartoP2Vprograms)• lookforDocker’s“MTA”(modernizetraditionalapps)program!

Conclusions

• WithDocker,youcanbuild,ship,andrunanyapp,anywhere• DockerCommunityEditionisgreatfordevelopersandsmallteams• DockerEnterpriseEditionisoptimizedforbusinesscriticalapps• longtermsoftwaremaintenance• dependablesupportteam• fine-grainedaccesscontrol• containerimagelifecyclemanagement• additionalsecurityfeatures

• Alltheseextrafeaturesareprovidedthroughopenintegrationpoints(no“magicbackdoor”orvendorlock-in)

Thankyou!Questions?

@jpetazzo@docker