Upload: layne-peng

Post on 12-Aug-2015

EMC CONFIDENTIAL—INTERNAL USE ONLY

Docker Introduction

Layne


$ uname -a

> No ops introduction
> No codes
> No Docker network (next time?)
> No Docker storage (Dockerone, Vivian)
> One target: what is Docker?

> StarII program. Thanks for being here.


$ ls -al ./

> $ man Docker
> $ man cgroup
> $ man namespaces
> User namespaces?
> Secure your Docker
> $ man UnionFS
> $ man docker-layer


$ cat Docker

OS Virtualization


• Virtual machine emulates everything, including hardware
• Container isolates processes, users and filesystem.


$ cat Docker

LXC + Union FS


cgroup + namespaces + Union FS


$ which Isolation

What is Isolation?


$ pstree -p


$ man cgroup

• Limit, account, and isolate resource usage (CPU, memory, disk I/O, and more) of process groups:
  – Resource limiting: groups can be set to not exceed a set memory limit;
  – Prioritization: some groups may get a larger share of CPU or disk I/O throughput;
  – Accounting: to measure how much resource certain systems use;
  – Control: freezing groups or checkpoint and restart


$ man cgroup

Monitor resources inside a container?

Or: vmstat, iostat…


Or: docker stats c7e8b77f5d84


$ man namespaces

• UTS: isolate node-name and domain-name (returned by the uname() system call)
• Network: provide isolation of the system resources associated with networking, including own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, and so on.
• PID: isolate the process ID number space.
• Mount: isolate the set of filesystem mount points seen by a group of processes. Thus, processes in different mount namespaces can have different views of the filesystem hierarchy.
• IPC: isolate certain inter-process communication (IPC) resources, namely System V IPC objects and POSIX message queues.
• User: isolate the user and group ID number spaces. In other words, a process's user and group IDs can be different inside and outside a user namespace.


$ pstree -p


$ man namespaces

docker run -it -m 256m --net=container:09f40c99ea5c ubuntu:14.04 /bin/bash



Network namespaces


Wait, why same host name?


Why say no User namespaces (yet)?


/proc/<pid>/uid_map columns: ID-inside-ns  ID-outside-ns  length
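An added example (not from the slides) that applies the uid_map format above: it resolves a container-side UID to the host-side UID, which is the point of the "no user namespaces (yet)" question. The two map strings are constructed samples; 100000 is an arbitrary remapped base.

```python
# Added example, not from the slides: resolve a container UID to the host UID
# using the /proc/<pid>/uid_map line format  "ID-inside-ns ID-outside-ns length".
# Both sample maps below are constructed for illustration.

def parse_id_map(text):
    """Parse uid_map / gid_map text into (inside, outside, length) triples."""
    entries = []
    for line in text.strip().splitlines():
        inside, outside, length = (int(field) for field in line.split())
        entries.append((inside, outside, length))
    return entries

def to_host_id(inside_id, id_map):
    """Map an ID seen inside the namespace to the host-side ID.
    Returns None when the ID has no mapping: the kernel then presents it as
    the overflow ID (65534, 'nobody') and it owns nothing on the host."""
    for inside, outside, length in id_map:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None

# Without user namespaces (Docker's default at the time of the talk) the map
# is the identity, so uid 0 in the container is uid 0 on the host.
IDENTITY_MAP = "0 0 4294967295\n"

# With a remapped user namespace, container root becomes an unprivileged
# host UID; 100000 is a constructed example base value.
REMAPPED_MAP = "0 100000 65536\n"

def container_root_on_host(map_text):
    """Host-side UID that container root (uid 0) corresponds to."""
    return to_host_id(0, parse_id_map(map_text))

if __name__ == "__main__":
    print("identity map :", container_root_on_host(IDENTITY_MAP))              # 0
    print("remapped map :", container_root_on_host(REMAPPED_MAP))              # 100000
    print("uid 70000    :", to_host_id(70000, parse_id_map(REMAPPED_MAP)))     # None
```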


Secure your Docker

• No "--privileged=true"
• GID_Mapping/UID_Mapping with LXC driver;
• SELinux or AppArmor
• Libseccomp
• Capabilities
• ...

See: https://github.com/GDSSecurity/Docker-Secure-Deployment-Guidelines
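An added example (not from the slides or the linked guidelines) that turns the list above into a check over `docker inspect` output: it reads the HostConfig section and reports privileged mode, added capabilities, missing `--cap-drop=ALL`, and the absence of an explicit AppArmor/SELinux/seccomp option. The JSON is a constructed sample, not output from a real container.

```python
import json

# Added example, not from the slides: review the HostConfig section of
# `docker inspect <container>` output against the hardening items above.
# SAMPLE_INSPECT is constructed; the ids reuse the ones shown in the slides.

SAMPLE_INSPECT = json.dumps([
    {"Id": "c7e8b77f5d84", "HostConfig": {
        "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
        "SecurityOpt": None}},
    {"Id": "09f40c99ea5c", "HostConfig": {
        "Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
        "SecurityOpt": ["apparmor=docker-default"]}},
])

LSM_PREFIXES = ("apparmor", "label", "seccomp")   # SecurityOpt key prefixes

def review_host_config(inspect_json):
    """Return {short-id: [finding codes]} for every container in the output."""
    report = {}
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig") or {}
        codes = []
        if hc.get("Privileged"):
            # --privileged=true: all capabilities, host devices, no LSM confinement
            codes.append("privileged")
        for cap in hc.get("CapAdd") or []:
            # every added capability widens what container root can do; review each
            codes.append("cap-add:" + cap)
        if "ALL" not in (hc.get("CapDrop") or []):
            # default capability set kept; prefer --cap-drop=ALL plus what is needed
            codes.append("no-cap-drop-all")
        opts = hc.get("SecurityOpt") or []
        if not any(opt.startswith(LSM_PREFIXES) for opt in opts):
            # nothing explicit: only whatever the daemon applies by default
            codes.append("no-explicit-security-opt")
        report[container["Id"][:12]] = codes
    return report

if __name__ == "__main__":
    for cid, codes in review_host_config(SAMPLE_INSPECT).items():
        print(cid, codes or ["ok"])
```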


Conclusion of Isolation

– What is Isolation?
– Why do we feel Docker is excellent?


$ man UnionFS

It allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system. Contents of directories which have the same path within the merged branches will be seen together in a single merged directory, within the new, virtual filesystem.

When mounting branches, the priority of one branch over the other is specified. So when both branches contain a file with the same name, one gets priority over the other.

The different branches may be both read-only and read-write file systems, so that writes to the virtual, merged copy are directed to a specific real file system. This allows a file system to appear as writable, but without actually allowing writes to change the file system, also known as copy-on-write.


$ man docker-layer

• Each layer of the FS is mounted on top of prior layers
• The first layer is the base image
• Current base images include debian, ubuntu, busybox, fedora, centos, etc.
• Each read-only layer is called an image (a layer is just a collection of files and folders!)
• The top layer is the only modifiable layer - it's termed the container
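An added example (not from the slides) that models both the UnionFS text and the docker-layer bullets: read-only image layers stacked under one writable container layer, lookups resolved by branch priority from the top down, writes redirected to the container layer (copy-on-write), and deletions recorded as whiteout markers. The layer contents are constructed sample data; the class is a teaching model, not Docker's storage driver.

```python
# Added example, not from the slides: a small model of a union mount with
# Docker-style layers. Lower layers are read-only images; the top layer is
# the writable container layer. Sample layer contents are constructed.

WHITEOUT = object()   # marker meaning "this path is hidden in this layer"

class UnionFS:
    def __init__(self, image_layers):
        # image_layers: list of {path: content} dicts, base image first
        self.layers = [dict(layer) for layer in image_layers]
        self.container = {}            # the only modifiable layer

    def _stack(self):
        # highest priority first: container layer, then images top-down
        return [self.container] + self.layers[::-1]

    def read(self, path):
        for layer in self._stack():
            if path in layer:
                value = layer[path]
                return None if value is WHITEOUT else value
        return None                    # not present in any branch

    def write(self, path, data):
        # copy-on-write: image layers are never touched
        self.container[path] = data

    def delete(self, path):
        # a whiteout in the top layer hides the lower-layer copy
        self.container[path] = WHITEOUT

    def listdir(self):
        merged = {}
        for layer in reversed(self._stack()):   # low -> high, so high wins
            for path, value in layer.items():
                if value is WHITEOUT:
                    merged.pop(path, None)
                else:
                    merged[path] = value
        return sorted(merged)

BASE = {"/etc/os-release": "ubuntu 14.04", "/bin/sh": "<dash>"}
APP = {"/app/server": "<binary v1>", "/etc/motd": "hello"}

def demo():
    fs = UnionFS([BASE, APP])
    fs.write("/app/server", "<binary v2>")   # shadows the image copy
    fs.delete("/etc/motd")                   # whiteout hides the lower file
    return fs
```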


$ (reverse-i-search)`cat': cat Docker

cgroup + namespaces + Union FS


$ ls -AF |grep '^\.'

curl http://10.32.105.223/add_certs | sudo sh

(Only worked in Ubuntu currently)