
Docker for the enterprise


Page 1: Docker for the enterprise

Docker for the Enterprise

@bertpoller

ekito

Page 2: Docker for the enterprise

Your Enterprise

Page 3: Docker for the enterprise

Today’s strategic challenges

Business Agility, Increased pace of delivery, Customer satisfaction

• Low MTBIAMSH (Mean Time Between Idea and making Stuff happen)

Page 4: Docker for the enterprise

Today’s strategic challenges

Multiplication of smaller bespoke applications

• WOA, SOA, Micro Services
• Multiplication of front ends
• Products are SaaS newly instantiated for each new customer

Page 5: Docker for the enterprise

Today’s strategic challenges

Ever increasing volumes of data and processing

• Limited data center capacity
• Ops efforts scale at best linearly with increased volume
• Push for cloud deployments: private + public

Page 6: Docker for the enterprise

Obstacles to overcome

WaterScrumFall

• Dev teams adopt iterative methodologies
• The organization as a whole cannot keep up with Dev Team pace
• Symptoms
  • Delivery to production still takes weeks
  • Upfront IT resource provisioning at the beginning of a project
  • Ticket based IT services deemed too slow for Dev teams
  • Difficulties in maintaining IT services catalogues with ever changing demands

http://bit.ly/waterscrumfall

Page 7: Docker for the enterprise

Obstacles to overcome

Unaligned objectives and incentives between Devs and Ops

• Devs seek to implement new features and hence introduce change
• Ops seek stability, robustness, availability of systems they manage

Page 8: Docker for the enterprise

Obstacles to overcome

Hybrid clouds are complex

• Different operating models between public cloud providers and private clouds
• No real private cloud infrastructure
• A Virtualized server infrastructure is not a private cloud

Page 9: Docker for the enterprise

Keys to solve these challenges

Break up organizational silos

• Think in terms of products not projects
• Construct multidisciplinary teams around products
• Make Devs and Ops cooperate in these teams
• But also other business stakeholders

Page 10: Docker for the enterprise

Keys to solve these challenges

Align Dev and Ops objectives; increase customer satisfaction

• Error Budget = 100% Availability – Service Level Objective
• Use budget for
  • Feature changes and functional regressions (Dev)
  • Service Reliability Engineering (Ops)
• When the error budget is consumed
  • New features must wait until the budget is recharged
  • Only bug fixes go into production

Page 11: Docker for the enterprise

Keys to solve these challenges

Construct an agile self-service infrastructure platform

Page 12: Docker for the enterprise

Docker to the rescue

Page 13: Docker for the enterprise

The challenge

Source : https://github.com/mfilotto/docker-presentation/

Page 14: Docker for the enterprise

Containers…

Source : https://github.com/mfilotto/docker-presentation/

Page 15: Docker for the enterprise

A Container System for Code

Source : https://github.com/mfilotto/docker-presentation/

Page 16: Docker for the enterprise

But we’ve got virtualization already like in… VMware

Page 17: Docker for the enterprise

Virtualization vs. Containers

[Figure: side-by-side comparison of Virtualization and Containers]

Containers are isolated but share OS and bins/libraries, where appropriate

Page 18: Docker for the enterprise

Isolation using Linux Features

namespaces
• pid
• mnt
• net
• uts
• ipc
• user

cgroups
• memory
• cpu
• blkio
• devices
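As an added example (not part of the original slides), the sketch below compares the namespace identifiers Linux exposes under /proc/<pid>/ns for a host process and a container process, and reports which of the six namespaces listed above the container still shares with the host. The /proc tree, PIDs and inode numbers are constructed sample data, and `read_namespaces` / `shared_namespaces` are hypothetical helper names.

```python
import os
import tempfile

# The six namespace kinds named on the slide.
NAMESPACES = ("pid", "mnt", "net", "uts", "ipc", "user")


def read_namespaces(pid, proc_root="/proc"):
    """Return {kind: link target} from /proc/<pid>/ns, e.g. 'net:[4026531992]'."""
    found = {}
    for kind in NAMESPACES:
        link = os.path.join(proc_root, str(pid), "ns", kind)
        try:
            found[kind] = os.readlink(link)
        except OSError:
            found[kind] = None  # unreadable, or kernel lacks this kind
    return found


def shared_namespaces(host, container):
    """List the kinds where the container is not isolated from the host."""
    # Equal link targets mean the two processes are in the same namespace.
    return [k for k in NAMESPACES
            if host.get(k) is not None and host.get(k) == container.get(k)]


def build_constructed_proc(root):
    """Constructed sample: PID 1 is the host init, PID 4242 a container
    started with host networking and without user-namespace remapping."""
    host = {k: 4026531830 + i for i, k in enumerate(NAMESPACES)}
    ctr = {k: 4026532500 + i for i, k in enumerate(NAMESPACES)}
    ctr["net"] = host["net"]    # as with `docker run --net=host`
    ctr["user"] = host["user"]  # user namespaces not enabled
    for pid, table in ((1, host), (4242, ctr)):
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for kind, inode in table.items():
            os.symlink(f"{kind}:[{inode}]", os.path.join(ns_dir, kind))


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_proc(root)
        return shared_namespaces(read_namespaces(1, root),
                                 read_namespaces(4242, root))


if __name__ == "__main__":
    print("shared with host:", demo())
```

On a real Docker host, call `read_namespaces` with the default `proc_root` and the container's init PID as seen from the host.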

Page 19: Docker for the enterprise

Docker appeals for its…

• Deployment Speed / Agility – minimal requirements for running the application, enabling quick and lightweight deployment
• Portability – Independent self-sufficient application bundles. Run across machines without compatibility issues
• Reuse – Versioning, archiving, sharing, roll backs to previous versions of an application. Platform configurations as code
• Efficiency – compared to classical virtualization, workloads can be run at higher densities thanks to avoided OS overhead

Source: https://www.upguard.com/articles/docker-vs.-vmware-how-do-they-stack-up

Page 20: Docker for the enterprise

Trade off … Speed vs. Isolation

• Shared kernel between containers
• OS-based isolation vs. hardware-based isolation in classical virtualization
• Detractors often use this as an argument for saying: “Docker is not safe”

Page 21: Docker for the enterprise

Docker is not safe - well, Really ?

Are all your VMs 100% up to date? Really?

• VMs present a larger attack surface than Linux containers
• Contaminated containers can be quickly destroyed and restarted
• Docker tools allow for end to end security policy enforcement – for all containers (layered build approach, build automation, security scanning, trusted registries, container scheduling)

Page 22: Docker for the enterprise

Trade off… Ephemeral vs. Stateful workloads

• Docker works best with stateless applications
• Every application must eventually persist its state (Databases)
• Additional effort and planning are required when setting up a multi-node production level Docker cluster

Page 23: Docker for the enterprise

Isn’t this a bit like Java EE or OSGI ?

Page 24: Docker for the enterprise

Isn’t this a bit like Java EE or OSGI ?

EARs, WARs, JARs package applications in deployment artifacts

• Middleware centric – you need an application server
• Limited to Java ecosystem
• Programming language lock-in
• Programming model lock-in (Java EE / OSGI)

• Also applies to more recent packaging formats, such as WebPacks

Page 25: Docker for the enterprise

Ok but I’m already using Heroku…

• PaaS
  • Build packs : Java, Node, Ruby,…
  • Intuitive UI / UX … nice !
  • Source code is held in the repository - no built artifact
• Docker
  • Is a shipping format
  • Can be used with Docker tool chain to build a more generic PaaS / CaaS

Page 26: Docker for the enterprise

XaaS – Pyramid

[Figure: pyramid with the layers Software as a Service, Platform as a Service, Infrastructure as a Service and Container as a Service; annotations “Too high”, “Too low”, “Product Teams”, “IT Ops Team”]

Page 27: Docker for the enterprise

Docker Mission

Page 28: Docker for the enterprise

Image Layers

Page 29: Docker for the enterprise

Service Composition

Page 30: Docker for the enterprise

Docker Mission

Page 31: Docker for the enterprise

Docker Trusted Registry

Page 32: Docker for the enterprise

Example CI / CD pipeline

Page 33: Docker for the enterprise

Circle CI

Page 34: Docker for the enterprise

Security Governance

It's like a virus scanner for built containers

• Can be integrated in your CI/CD pipeline
• Scans for threats in defined policy files and CVE databases

• Docker Security Scanning
• CoreOS Clair
• OpenSCAP container compliance
• Red Hat Atomic Scan
• …

Page 35: Docker for the enterprise

Docker Mission

Page 36: Docker for the enterprise

Running a CaaS infrastructure

Page 37: Docker for the enterprise

Linux Container Ecosystem

Page 38: Docker for the enterprise

Docker Cluster Orchestration

Page 39: Docker for the enterprise

Services, Routing and Load Balancing

[Diagram: The scalable service pattern. Labels: Service, App, Scale, S_1, S_2, LB, Overlay network, three Docker Hosts]

Page 40: Docker for the enterprise

Services, Routing and Load Balancing

The scalable service pattern

• Services scale instances of a container across the cluster
• Comprises a load balancer and an overlay network to connect containers
• Allows things like rolling updates and rollbacks
• Exists in many schedulers: Kubernetes, Mesos…
• Was introduced in Docker V1.12 Swarm mode

• Not compatible with Docker Compose
• Requires new Distributed Application Bundle – still experimental

Page 41: Docker for the enterprise

Services, Routing and Load Balancing

• Workaround prior to Docker 1.12 compatible with Compose V2

Page 42: Docker for the enterprise

Services, Routing and Load Balancing

Domain based routing

Page 43: Docker for the enterprise

Persistent workloads

[Diagram: App and DB containers on three Docker Hosts, connected by a Frontend Network and a Backend Network; each Docker Host has local storage]

Page 44: Docker for the enterprise

Persistent workloads

[Diagram: same layout with a second DB container marked “???”; labels: App, DB, DB, Frontend Network, Backend Network, three Docker Hosts, Local storage (local, local)]

Page 45: Docker for the enterprise

Persistent workloads

[Diagram: same layout with Data Sync between the two DB containers and a Volume plugin on each of the three Docker Hosts; labels: App, DB, DB, Frontend Network, Backend Network]

Volume plugin, distributed or externalized storage

Page 46: Docker for the enterprise

Persistent workloads

• Usage of volume plugins is encouraged
• Decouples Product Teams from underlying storage solution

• Connect to external block storage (SAN, NAS, Cloud Provider Block Storage)
• Network based file systems between Docker Hosts
• GlusterFS, Flocker, Infinit.sh, PortWorx, CEPH

Page 47: Docker for the enterprise

PaaS style self service access

• For Product Teams
• Intuitive UI / UX experience
• Role based access (RBAC) integration with Enterprise IAM
• Groups, virtual environments
• Integrates with private repositories, CI/CD

• OpenShift, Rancher, Docker Datacenter…

Page 48: Docker for the enterprise

Conclusion

Page 49: Docker for the enterprise

Conclusion

• Docker = Linux Containers + a Complete toolset
• Large ecosystem (Kubernetes, Mesosphere, CoreOS, Rancher…)
• Orchestration engine choice depends on your use cases
• Limited risk on vendor lock-in: Docker Containers are de facto standard
• Instead of growing your own cluster, see what the ecosystem can provide
• Start small, grow steadily

Page 50: Docker for the enterprise
Page 51: Docker for the enterprise

They trust us