Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on Azure with Docker

Published on 11-Apr-2017

Transcript

Developing and deploying Java & Linux on Azure with Docker
Patrick Chanezon, Docker Inc. (@chanezon)

March 2017

About the speaker: French, Polyglot, Platforms, Software Plumber, San Francisco, Developer Relations, @chanezon


Public / Hybrid / Private

Ops / Devops / Developers

Linux Container Ecosystem (diagram): Cloud, OS, Plugins and Orchestration layers, with plugin vendors such as glusterfs, weave, calico, midokura, cisco and nuage

Docker

The world needs tools of mass innovation

A programmable Internet would be the ultimate tool of mass innovation.

A commercial product,
built on a development platform,
built on infrastructure,
built on standards.

Docker is building a stack to program the Internet

Docker Platform

Docker Platform constituencies: Many purposes, users and infrastructure (Today)

Developer Community: Need to experiment and innovate with leading edge tech

Ops Community: Need a predictable system to deploy and run apps
Enterprise: Run business critical apps at scale anywhere
Partner Ecosystem: Extend and add value to a platform with a shared path to monetization

The Docker Platform

Developers / Ops / Enterprise / Ecosystem

ONE PLATFORM
For Developers and IT
For Linux and Windows
On Premises and in the Cloud
Traditional Homegrown, Commercial ISV, Microservices

Docker Community Edition (CE)

Docker Enterprise Edition (EE), Docker Certified, Docker Store

Docker Enterprise Edition (EE) and Community Edition (CE)

Community Edition (CE)
Free Docker platform for do it yourself dev and ops
Monthly Edge release with latest features for developers
Quarterly release with maintenance for ops

Enterprise Edition (EE)
CaaS enabled platform subscription (integrated container orchestration, management and security)
Enterprise class support
Quarterly releases, supported for one year each with backported patches and hotfixes
Certified Infrastructure, Plugins, Containers

What is a Docker Edition: Making things simple for a great user experience

Azure building blocks (diagram): Virtual Network, VMSS, Blob Storage, Azure LB, ARM, AAD

Enterprises need support and assurances: NEW certification program for Infrastructure, Plugins and Containers (Infrastructure, Platform)

Community Edition

Enterprise Edition

Docker Certified Launch Partners

Docker Store: A commercial marketplace for partners and customers

Publishers gain instant access to Docker users with product delivery in containers
Customers gain ability to search, browse, purchase and manage from a single UX

Docker EE Subscription Tiers

Feature                                                        | EE Basic | EE Standard (Docker Datacenter) | EE Advanced
CaaS enabled platform                                          |    x     |                x                |      x
Container engine and built in orchestration, networking, security |    x     |                x                |      x
Docker Certified Infra, Plugins and ISV Containers             |    x     |                x                |      x
Image management with private registry, caching                |          |                x                |      x
Integrated container app management                            |          |                x                |      x
Multi-tenancy with RBAC, LDAP/AD                               |          |                x                |      x
Integrated secrets mgmt, image signing, policy                 |          |                x                |      x
Image security scanning and continuous vulnerability monitoring |          |                                 |      x

Docker Datacenter

CaaS is the modern software supply chain framework

Isolation using Linux kernel features: namespaces (pid, mnt, net, uts, ipc, user) and cgroups (memory, cpu, blkio, devices)

Union File Systems & Image Layers

Swarm mode: Service API, Cryptographic node identity, Built-in routing mesh

Docker built-in orchestration

What's New in Docker 17.03 (Docker EE and CE)
- Compose file support for Swarm mode service deployment: docker stack deploy --compose-file=docker-compose.yml my_stack
- Secrets Management
- System commands: docker system df, docker system prune
- Monitoring: docker service logs, Prometheus experimental endpoint
- Build: docker build --squash
- CPU management: --cpus 2.5
- Docker for AWS & Azure GA

Docker & Microsoft: a great Open Source collaboration

Docker & Microsoft: collaboration on all fronts
- Build: Docker for Windows, Docker EE for Windows Servers, Visual Studio Tools for Docker, Visual Studio Code Docker extension
- Ship: Visual Studio Team Services Docker Integration, Azure Container Registry
- Run: Azure Docker agent, Azure Container Service (Swarm and Swarm Mode), Docker EE in Azure MarketPlace

Docker for Developers

Docker for Mac / Docker for Windows

Example: Spring Boot App using MongoDB (spring-doge.jar)
https://github.com/chanezon/docker-tips/spring-doge
Modules: spring-doge-web, spring-doge-photo
API: Spring Boot, Spring Data
UI: AngularJS
Business Logic: java.awt

java -Dserver.port=8080 \
  -Dspring.data.mongodb.uri=mongodb://mongo:27017/test \
  -jar spring-doge.jar

Dockerfile

FROM java:8
MAINTAINER Patrick Chanezon
EXPOSE 8080
# Copy the jar built by Maven into the image
COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
WORKDIR /usr/src/spring-doge
# The MongoDB connection string is injected at run time via MONGODB_URI
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
HEALTHCHECK --interval=5m --timeout=3s --retries=3 \
  CMD curl -f http://localhost:8080/ || exit 1

Using Docker to compile your jar/war
https://registry.hub.docker.com/_/maven/

docker run -it --rm \
  -v $PWD:/usr/src/spring-doge \
  -v maven:/root/.m2 \
  -w /usr/src/spring-doge \
  maven:3.3-jdk-8 \
  mvn package

Build an image

docker build -t chanezon/spring-doge .

(using the Dockerfile shown above: FROM java:8, EXPOSE 8080, COPY the jar, WORKDIR, CMD and HEALTHCHECK)

Run a container

docker run \
  --env MONGODB_URI=mongodb://mongo:27017/test \
  -p 8090:8080 \
  chanezon/spring-doge

docker-compose: running multiple containers
Describe your stack with one file: docker-compose.yml
Run your stack with one command: docker-compose up

version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8080:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
  mongo:
    image: mongo

Demo

Docker Java Labs
https://github.com/docker/labs/tree/master/developer-tools/
- Wildfly and Couchbase J2EE App
- Debugging a Java app in Docker using Eclipse

Docker for Ops

Docker for Azure

Deep integration with native load-balancers, templates, SSH keys, ACLs, scaling groups, firewall rules

Azure Container Service

SLA-backed Azure service: az acs create

ACS Engine: open-source project that enables power users to customize the cluster configuration

Where Docker can work directly with Microsoft on newer versions of both Docker & ACS

https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md

Azure Container Service Swarm Mode
https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md
acs-engine: ARM template generator

acs-engine swarmmode.json
cd _output/SwarmMode...
az group create --name "pat_az_5" --location "westus"
az group deployment create -g pat_az_5 -n pat_acs_5 \
  --template-file=azuredeploy.json \
  --parameters=@azuredeploy.parameters.json

docker stack deploy
Describe your stack with one file: docker-compose.yml
Deploy your stack with one command: docker stack deploy

version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo

Demo

Docker for Enterprise

Goals

Agility + Portability + Control


Docker Datacenter

Docker Universal Control Plane (Integrated Security)
Docker Engine: Container runtime, orchestration, networking, volumes, plugins
Docker Trusted Registry

Ecosystem around the Docker EE platform (diagram): Operating Systems, Config Mgt, Monitoring, Logging, CI/CD, ..more..; Images, Networking, Volumes; Virtualization, Public Cloud, Physical

Docker Datacenter: Docker EE Platform

The Key Components of Container Security

Usable Security + Trusted Delivery + Infrastructure Independent = Safer Apps

Usable Security: Secure defaults with tooling that is native to both dev and ops
Trusted Delivery: Everything needed for a full functioning app is delivered safely and guaranteed to not be tampered with
Infrastructure Independent: All of these things in your system are in the app platform and can move across infrastructure without disrupting the app

When approaching app containers and the security surrounding them, Docker believes there are three key components or characteristics that are critical.

Usable security - This means that it has to be usable by the people at both ends of the app pipeline: secure by default, with usable tooling that makes sense for developers and operators, and workflows that work for them.

Trusted Delivery - Apps move around, so you need to ensure that an app safely gets from point A to point B, with proof that it hasn't been tampered with. It is securely delivered, signed and encrypted: the security that is required for delivering an app.

Infrastructure independent - Totally portable to whatever infrastructure you deliver it on. The security configurations are defined at the app and can then move from a developer's workstation to a test in the cloud to a production datacenter without losing any of its security or requiring re-coding of the app to make it work.

Safer apps means that when you build and deploy your app in Docker, it is intrinsically more secure. Trusted Delivery means that everything needed for the full functioning of your app is delivered in a secure and trusted manner. All of these things in your system are in the app platform itself and move across infrastructure with it.

Secrets enable secure API handshakes and encrypted communication. Assign secrets to services when they are ready to run and need to connect to other services (both internal and external).

Integrated Security with Docker EE

Usable Security + Trusted Delivery + Infrastructure Independent = Safer Apps

Components (diagram): Image Scanning, TLS Encryption, Encryption at Rest, App Secrets, Image Signing & Verification, Users & RBAC, Dev/Ops Workflow, Secure by default runtime; running on Public Cloud, Virtualization or Physical infrastructure


Docker Universal Control Plane

UCP Permission Model

Whats New in Docker Datacenter

Whats New in Docker EE 17.03

Application Services

Content Trust and Distribution

Platform Enhancements
- Secrets Management
- HTTP Routing Mesh (GA)
- Docker Compose for Services
- Access control for Secrets and Volumes
- Image Content Cache
- On premises image security scanning and vulnerability monitoring
- Registry Webhooks
- DTR install command from UI
- UI Enhancements
- Additional LDAP configs
- Templates for AWS, Azure

Integrated Secrets Management

Architecture (diagram): three Manager nodes sharing an internal distributed store (Raft consensus group), Worker nodes receiving secrets from the managers, and an External App and the Web UI talking to the managers

Management: Admins can add/remove/list/update secrets in the cluster; a secret is exposed to a container via a /secrets tmpfs volume
Authorization: Tag secrets to a specific service; admins can authorize secrets access to users/teams via RBAC
Rotation: Use the GUI to update a secret in all containers in a service
Auditing: Each user request for secret access is logged in the cluster for auditing

Docker delivers secrets management architected for containerized applications
Usable Security: Integrated and designed with dev and ops workflows in mind
Trusted Delivery: Encrypted storage and secure transit with TLS
Infrastructure Independent: A portable security model across any infrastructure across the lifecycle
All apps are safer: Only the assigned app can access the secret, even with multiple apps on the same cluster

Docker Datacenter provides integrated secrets and container management with granular access controls for a secure software supply chain.

Security Scanning: Get a full BOM for a Docker Image

Security Scanning: Vulnerabilities and Licensing for Each Component

Security Scanning: Set Automated Policy for Scanning

Security Scanning: Online and Offline Updates

Compose for Services
Deploy stacks (services, volumes, networks, secrets) using the new Compose file v3.1 format
Manage and monitor stacks directly from the UCP UI
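As an added example (not a file from the deck or from the spring-doge project), the docker stack deploy file shown earlier rewritten in the Compose v3.1 format so that the MongoDB connection string, which in real deployments usually carries credentials, is delivered as a Swarm secret instead of an environment variable that docker inspect would reveal. It assumes the chanezon/spring-doge image built from the Dockerfile above (WORKDIR /usr/src/spring-doge, jar named spring-doge.jar) and a local file mongodb_uri.txt, constructed for this example, holding the URI.

```yaml
version: '3.1'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    # The image's CMD reads $MONGODB_URI from the environment. Override it so the
    # URI is read at start from the tmpfs file Swarm mounts under /run/secrets;
    # the value never appears in the service spec or the container environment.
    command:
      - sh
      - -c
      - "java -Dserver.port=8080 -Dspring.data.mongodb.uri=`cat /run/secrets/mongodb_uri` -jar spring-doge.jar"
    secrets:
      - mongodb_uri          # only this service is granted the secret
    deploy:
      replicas: 2
      update_config:
        parallelism: 1       # roll one replica at a time
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
secrets:
  mongodb_uri:
    # Constructed for this example: a local file containing
    # mongodb://mongo:27017/test (assumption, not from the deck).
    # docker stack deploy stores it encrypted in the managers' Raft store.
    file: ./mongodb_uri.txt
```

Deploy with docker stack deploy --compose-file=docker-compose.yml spring-doge; rotating the value later means creating a new secret and updating the service, since an existing secret cannot be edited in place.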

Developers: Local development environments; self service app images; build, test, deploy applications; define app behavior and infra needs

Registry: Registry services for image storage, management and distribution; IT Ops maintains a library of secure base content; manage role based access to repos/images

Management consoles: Provision and manage infrastructure resources; monitor, manage and scale infrastructure and applications

Built in HTTP Routing Mesh (Now GA!)
- Extend TCP routing mesh to HTTP hostname routing for services
- HTTPS support via SNI protocol
- Support for multiple HRM networks for enhanced app isolation
- External LB routes hostnames to nodes
- Can add hostname routing via UI
- Non-service containers continue to use the Interlock reference architecture

Routing diagram: an External Load Balancer receives traffic via DNS (http to port 80 or other) for Foo.com, Bar.com and Qux.com and forwards it to the Worker nodes, where a routing task (R) on each node dispatches to the right service

The http routing mesh service uses these labels to route hostname requests to the correct service (e.g. foo.com to S1)
Customer can set up an external LB of choice (e.g. F5, ELB) to route hostnames to nodes via DNS
Services only; the Interlock reference architecture for UCP 1.1.x should continue to function for non-service containers

Each app service can have a label corresponding to a host address
External LB routes hostnames to nodes
Non-service containers continue to use the reference architecture with Interlock

Now Generally Available
- Support for routing multiple hostnames to the same docker service
- HTTPS pass-through via SNI
- Sticky sessions (use named cookie to always route to same task)
- Support for multiple HRM networks for increased app isolation
- Increased stability during config loading and app routing failures
- Improved UI: configure hostname routing directly from service deploy/inspect pages; view app routing config status

Docker EE on Azure


Free 30 Days Test Drive from Docker Store
