Dockercon EU 2015 Recap http://calcotestudios.com/dockercon-recap

Upload: lee-calcote

Posted on 07-Apr-2017

Category: Software

TRANSCRIPT

Page 1: Dockercon EU 2015 Recap

Dockercon EU 2015 Recap
http://calcotestudios.com/dockercon-recap

Page 2: Dockercon EU 2015 Recap

Lee Calcote: clouds, containers, networks and their management

linkedin.com/in/leecalcote

@lcalcote

blog.gingergeek.com

[email protected]

Page 3: Dockercon EU 2015 Recap

Conference Themes

Usable Security, Quality, Production Ready

Page 4: Dockercon EU 2015 Recap

Security

 

1. Industry's first hardware signing of container images

2. User namespaces provide enhanced access control

3. Built-in container security analysis in Docker Hub

Page 5: Dockercon EU 2015 Recap

Security - Docker Content Trust (launched at Dockercon SF)

Docker Content Trust integrates the guarantees from The Update Framework (TUF) into Docker using Notary, an open source tool that provides trust over any content.

TUF and Notary enable:

Survivable key compromise

Proof of origin

Protection against untrusted transports

Hardware signing of container images reinforces Docker Content Trust
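As an added example (not code from the talk, from Docker or from the Notary project), the following Go program models the three guarantees above with a cut-down TUF-style "targets" role: a signing threshold across several keys (so one stolen key is survivable), signatures that prove origin, and expiry plus digest pinning that defeat a tampering or replaying transport. The key material is generated at run time and the manifest digest is constructed; the names `Role`, `Metadata`, `ResolveTag` and `RunChecks` are this example's own, not Notary's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Signed is the payload that gets signed: a cut-down TUF "targets" role mapping image tag -> sha256 (hex) of its manifest.
type Signed struct {
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"`
}
// Metadata is what crosses the untrusted transport: the signed part plus signatures keyed by key ID.
type Metadata struct {
	Signed     Signed            `json:"signed"`
	Signatures map[string][]byte `json:"signatures"`
}
// Role is trust pinned out of band (TUF's root role does this): which keys may sign targets and how many must agree.
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// KeyID is a short key identifier (sha256 prefix, as TUF does).
func KeyID(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:8]) }
// canonical yields deterministic bytes to sign: encoding/json sorts map keys, and these fixed types cannot fail to marshal.
func canonical(s Signed) []byte { b, _ := json.Marshal(s); return b }
// Sign adds priv's signature over md.Signed.
func Sign(md *Metadata, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	md.Signatures[KeyID(pub)] = ed25519.Sign(priv, canonical(md.Signed))
}

// Verify enforces expiry and the role's threshold; signatures by keys the role does not list are ignored, never trusted.
func Verify(md Metadata, role Role, now time.Time) error {
	if !now.Before(md.Signed.Expires) {
		return fmt.Errorf("metadata expired at %s (stale or replayed snapshot)", md.Signed.Expires)
	}
	msg, valid := canonical(md.Signed), 0
	for id, sig := range md.Signatures {
		if pub, known := role.Keys[id]; known && ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	if valid < role.Threshold {
		return fmt.Errorf("%d valid signature(s), threshold is %d", valid, role.Threshold)
	}
	return nil
}

// ResolveTag is the client side of a trusted pull: a tag becomes a digest only if the metadata naming it verifies.
func ResolveTag(md Metadata, role Role, tag string, now time.Time) (string, error) {
	if err := Verify(md, role, now); err != nil {
		return "", err
	}
	if d, ok := md.Signed.Targets[tag]; ok {
		return d, nil
	}
	return "", fmt.Errorf("tag %q is not in the signed targets", tag)
}

// RunChecks builds a two-key role (threshold 2), signs a constructed digest for tag "1.9" and exercises TUF's failure modes.
func RunChecks() (map[string]error, error) {
	now := time.Date(2015, 11, 20, 0, 0, 0, 0, time.UTC)
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: 2}
	var privs []ed25519.PrivateKey
	for i := 0; i < 2; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		role.Keys[KeyID(pub)] = pub
		privs = append(privs, priv)
	}
	sum := sha256.Sum256([]byte("constructed manifest bytes, not a real image"))
	good := Metadata{Signed: Signed{Expires: now.Add(24 * time.Hour), Targets: map[string]string{"1.9": hex.EncodeToString(sum[:])}},
		Signatures: map[string][]byte{}}
	for _, p := range privs {
		Sign(&good, p)
	}
	results := map[string]error{}
	_, results["valid"] = ResolveTag(good, role, "1.9", now)
	// Untrusted transport: a registry or MITM swaps the digest, so the signatures no longer match.
	tampered := good
	tampered.Signed.Targets = map[string]string{"1.9": "deadbeef"}
	_, results["tampered-digest"] = ResolveTag(tampered, role, "1.9", now)
	// Survivable key compromise: one stolen key cannot reach the threshold alone.
	oneKey := Metadata{Signed: good.Signed, Signatures: map[string][]byte{}}
	Sign(&oneKey, privs[0])
	_, results["single-compromised-key"] = ResolveTag(oneKey, role, "1.9", now)
	// Freshness: validly signed but expired metadata is rejected (freeze/replay attack).
	_, results["expired"] = ResolveTag(good, role, "1.9", now.Add(48*time.Hour))
	return results, nil
}

func main() { fmt.Println(RunChecks()) }
```

Only the "valid" scenario yields a digest; the other three fail closed. Real TUF adds snapshot and timestamp roles and key rotation on top of this, but the verification shape (pinned root trust, threshold, expiry, digest lookup) is the same one a `DOCKER_CONTENT_TRUST=1` pull performs.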

Page 6: Dockercon EU 2015 Recap

Hardware Signing of Container Images

Yubico released Yubikey 4 at DockerCon with the goal of increasing the security of Docker images.

 

"A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button."

http://blog.docker.com/2015/11/docker-content-trust-yubikey/

Docker Experimental only

notary key generate
notary key list
notary key backup
export DOCKER_CONTENT_TRUST=1
docker push

Page 7: Dockercon EU 2015 Recap


Security - Project Nautilus: Built-in container security analysis in Docker Hub

 

Project Goals

1. Scale up the security posture assessment
2. Notify users of new vulnerabilities in existing code proactively
3. Provide visibility to end-users on the security posture of images

Page 8: Dockercon EU 2015 Recap

Security - Project Nautilus

Page 9: Dockercon EU 2015 Recap

Security - Project Nautilus: An image-scanning service that makes it easier to build and consume high-integrity content

Steps through a sequence of tests, including:

Image security

Component inventory/license management

Image optimization

Basic functional testing 

Functions as a source of truth for certification metadata. Has an extensible backend; may support 3rd-party plugins.

Page 10: Dockercon EU 2015 Recap

Security - User Namespaces

With user namespaces enabled, root inside a container is not root on the host; only the Docker daemon itself runs with host root privileges.

User namespaces give IT operations the ability to separate container-level and Docker daemon-level privileges, and to assign privileges for each container by user group.

IT operations will lock down hosts to a restricted group of sysadmins, per security best practices.
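The remapping behind this is visible in each process's /proc/<pid>/uid_map (and gid_map). As an added example (not from the talk and not Docker's own code), this Go program parses that file's format and translates container-side IDs to host IDs, including the unmapped case; the two sample maps are constructed, and the `--userns-remap` daemon flag and `dockremap` user named in the comments are what Docker shipped in 1.10, after this talk.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// IDMapEntry is one line of /proc/<pid>/uid_map or gid_map: "<inside> <outside> <count>".
// IDs inside..inside+count-1 in the namespace appear as outside..outside+count-1 on the host.
type IDMapEntry struct{ Inside, Outside, Count uint32 }

// OverflowID is what the kernel substitutes for an ID with no mapping (overflowuid, the "nobody" ID).
const OverflowID uint32 = 65534

// ParseIDMap parses the text of a uid_map/gid_map file.
func ParseIDMap(text string) ([]IDMapEntry, error) {
	var entries []IDMapEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e IDMapEntry
		if _, err := fmt.Sscanf(line, "%d %d %d", &e.Inside, &e.Outside, &e.Count); err != nil {
			return nil, fmt.Errorf("bad map line %q: %w", line, err)
		}
		if e.Count == 0 {
			return nil, fmt.Errorf("bad map line %q: zero-length range", line)
		}
		entries = append(entries, e)
	}
	return entries, sc.Err()
}

// ToHost translates an ID as seen inside the namespace to the host ID the kernel uses
// for permission checks; IDs outside every range collapse to OverflowID.
func ToHost(m []IDMapEntry, inside uint32) uint32 {
	for _, e := range m {
		if inside >= e.Inside && inside-e.Inside < e.Count {
			return e.Outside + (inside - e.Inside)
		}
	}
	return OverflowID
}

// RunsAsHostRoot answers the question that matters for a bind-mounted host path:
// does "root" inside this container write files as host UID 0?
func RunsAsHostRoot(m []IDMapEntry) bool { return ToHost(m, 0) == 0 }

// Constructed sample maps (not captured from a real host):
const (
	// dockerd --userns-remap=default (Docker 1.10+): container UIDs 0-65535 map onto the
	// dockremap user's subordinate range starting at 100000.
	RemappedMap = "         0     100000      65536\n"
	// No user namespace: the identity map every process has under the default daemon configuration.
	IdentityMap = "         0          0 4294967295\n"
)

func main() {
	for name, text := range map[string]string{"remapped": RemappedMap, "identity": IdentityMap} {
		m, err := ParseIDMap(text)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s container uid 0 -> host uid %d; uid 70000 -> host uid %d; host root: %v\n",
			name, ToHost(m, 0), ToHost(m, 70000), RunsAsHostRoot(m))
	}
}
```

Under the remapped map, container root becomes host UID 100000 and a UID beyond the 65536-entry range (70000) has no host identity at all, which is why files it creates show up owned by nobody; under the identity map container root is host root, the situation the slide describes as the pre-user-namespace default.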

Page 11: Dockercon EU 2015 Recap


Docker Universal Control Plane

"An on-premises solution for deploying and managing Dockerized distributed applications in production on any infrastructure."

Gives IT ops a single Docker-native management interface for all containers, on-premise or in the cloud.

Currently in beta. Sign-up here.

UCP is to containers as vCenter is to VMs

Page 12: Dockercon EU 2015 Recap

User Management

• LDAP/AD integration with Trusted Registry

• Role based access control (RBAC) to cluster, apps, containers, images

Resource Management

• Visibility into cluster, apps, containers, images, events with intuitive dashboards

• Manage clusters, images, network and volumes

• Manage apps and containers

• Monitoring and logging

Security & Compliance

• On-premise deployment

• Out of the box TLS

• LDAP/AD authentication

• User audit logs

• Out of the box HA

Containers as a Service

Page 13: Dockercon EU 2015 Recap

Production-Ready: Swarm 1.0 Clustering

Page 14: Dockercon EU 2015 Recap

Scaling Swarm to 1,000 AWS nodes and 50,000 containers!

Page 15: Dockercon EU 2015 Recap

Multi-host networking

Docker Engine 1.9 features a new networking system, and Swarm integrates fully with this. Any networks you create in Swarm will seamlessly work across multiple hosts.

Persistent storage

Engine 1.9 has a new volume management system. If you use a volume driver that works across multiple hosts (such as Flocker or Ceph) you'll be able to store persistent data on your Swarm regardless of where containers get scheduled on your cluster. Volume management works from the command line interface with plug-ins. There are drivers available for Blockbridge, Ceph, ClusterHQ, EMC and Portworx.

Page 16: Dockercon EU 2015 Recap

Production-Ready: Docker Hub Autobuilds

Docker Hub's build system can now be configured to dynamically trigger builds as your team creates new git branches and tags.

Dynamic Matching

Parallel Builds: the Automated Build system will execute as many builds in parallel as you have private repositories.

Page 17: Dockercon EU 2015 Recap

Networking

Multi-host networking no longer experimental

Out of the box overlay networking in 1.9

New 'docker network' command provides management of networks as a top-level object

Extensibility through network plugins

Already 6 implementations done or under development

Page 18: Dockercon EU 2015 Recap

Support for DNS to come later

An IP per container, contrasted with an IP per pod in Kubernetes

Page 19: Dockercon EU 2015 Recap

Surgically Segmented Networks

Page 20: Dockercon EU 2015 Recap

Network driver plugins available are from Cisco, Microsoft, Midokura, Nuage, Project Calico, VMware, and Weave. Default IP addressing remains the same, but IPAM is pluggable.

Page 21: Dockercon EU 2015 Recap

VXLAN as the overlay

Serf for cluster membership

Page 22: Dockercon EU 2015 Recap

Resources

Page 23: Dockercon EU 2015 Recap

Video

Day 1 General Session

Day 2 General Session

Day 2 Closing General Session - Moby's Cool Hacks

Wild Card Day 1 Videos/Slides

Wild Card Day 2 Videos/Slides

Slides

General and separate tracks

Upcoming Online Events

Dec 10th: Introduction to Docker Security

Dec 11th: Building, running & deploying Docker containers

Dec 17th: Intro to Docker - Demo and FAQ

Jan 12th: The Value of Docker Subscription and Support

Feb 11th: Introduction to the Docker Platform