dockerizing the enterprise – fast & secure
TRANSCRIPT
the journey of ABN-AMRO towards the usage of Docker containers
EMEA PUG Challenge - 2018
Wiebe de Roos
Flusso: who we are & what we do
• Software development company in NL
• One of the biggest Progress partners
• Focus on OpenEdge & Progress technologies
• Open Source (Java, ServiceMix, etc),
• Web Apps (Mobile, Angular2, React)
• CI/CD Consultancy
who am I?
• Wiebe de Roos
• At Flusso since 2007
• Started as Java developer
• Present: CI/CD Consultant / Engineer
• Hired by ABN-AMRO in NL
table of contents
1. Business & IT goals
2. Context of CI/CD pipelines
3. The new & improved CI platform
4. Docker containers on an enterprise scale
5. CI/CD pipelines for all
6. Docker security aspects
7. What’s next?
8. Questions and answers / discussion
business & IT goals
1. Respond to (external) change
2. From waterfall to Dev(Sec)Ops
3. Faster delivery
4. Optimize CI/CD processes
5. Facilitate team autonomy
6. Boost innovation
7. Improve security at all stages
CI/CD pipeline orchestration
ABN AMRO has introduced a set of quality gates and build breakers in the Jenkins pipelines. The software build breaks when the required quality or security level is not met, and the developer must fix the defect before the pipeline continues.
CI pipeline & build breakers
existing CI platform
• Statistics:
  a. +/- 1500 users
  b. 350+ projects
  c. 10000+ Jenkins jobs
• 1 Jenkins Operation Centre
• 10 Jenkins Masters
  i. 40+ Linux build slaves
  ii. 30+ Windows build slaves
  iii. 4 OSX build slaves
  iv. 25+ HP Fortify (secure coding) slaves
• 100+ (!!!) VMs in the on-prem data center… and GROWING…
challenges and limitations
1. Ever growing demand of DEV teams
2. Number of static VMs growing every day
3. Maintenance hell
4. No Docker container support
5. No true team autonomy
6. Innovation is slowed down
7. Tech talent will leave ABN-AMRO
5 major improvements
1. Empower the CI/CD teams
2. Flexible tech stacks + configuration
3. Move to AWS public Cloud & Increase security
4. Infrastructure as Code & Configuration as Code.
5. Cloudbees Jenkins Enterprise is critical to the CI/CD program
main Docker use cases
1. Earlier feedback in software development cycle (shift left)
2. Package applications into containers (e.g. java, front-end, OpenEdge)
a. Application code
b. Configuration
c. Deployment scripts
3. Standard building blocks (Docker images) for DEV teams
4. Test/Demo different versions of your application at the same time
5. Replace Jenkins VMs with Docker Containers
Embrace the whale
the new and improved CI platform
Jenkins Enterprise - architecture
a short history of pipelines
• 2017: Birth of the standard pipelines (STPLs)
• 2018: Birth of the new (Dockerized) pipelines:
• A pipeline for Docker images (e.g. Java, Front-End, OpenEdge)
• Easy to use, easy to implement & extend
• Security is built in
• A reference for other technologies
Docker image pipeline – main building blocks
example: CI/CD pipeline for Java apps
1. A pipeline which uses Docker images as building blocks
2. Create Java application (inside a Docker image)
3. All security stages in place
4. Deploy application in AWS public Cloud
5. Everything is based on source code (no manual steps)
the full CI/CD pipeline
context of containers in the enterprise
(diagram: container layers, from specific to generic)
Docker Security topics on all levels
Why all this?
To avoid compromised containers wherever they are used.
Secure business continuity - don’t end up in the news ;-)
security (1): syntax check Docker image
Status: Downloaded newer image for hadolint/hadolint:v1.6.2-6-gcfb547a
/dev/stdin:3 DL3005 Do not use apt-get upgrade or dist-upgrade
/dev/stdin:3 DL3009 Delete the apt-get lists after installing something
/dev/stdin:4 DL3008 Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
/dev/stdin:4 DL3015 Avoid additional packages by specifying `--no-install-recommends`
security (2): anchore dependency check
security (3): Docker benchmark (OSS)
security (4): block anything unwanted
Continuously monitor your running containers and block anything unwanted
security (5): monitor docker hosts
security (6): best practices
1. Use official and approved (base) images - use image signing
2. Protect your Docker-enabled hosts (logging, auditing, hardening)
3. Use non-privileged users for containers
4. Reduce attack surface (keep Docker images clean & small)
5. Do not store secrets inside Docker images
6. Use secure networks (also between containers)
7. Establish standards & guidelines for the enterprise
8. Make everyone security minded
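As an added example (not code from the presentation or from ABN AMRO), the Dockerfile below first shows, as comments, a reconstructed input that produces the four hadolint findings listed under security (1), then a hardened version that follows the best-practice list above. The base image tag, package version, user name and file paths are assumptions.

```dockerfile
# Added example, not taken from the presentation. Package name/version, base
# image tag, user name and paths are assumptions chosen for illustration.

# ---- Before (kept as comments): an input that yields the slide's findings ----
# FROM ubuntu:18.04
# WORKDIR /app
# RUN apt-get update && apt-get upgrade -y        # line 3: DL3005, DL3009
# RUN apt-get install -y curl                     # line 4: DL3008, DL3015
# COPY app.jar config-with-db-password.properties /app/   # secret baked in
# CMD ["java", "-jar", "/app/app.jar"]            # runs as root

# ---- After: clean under hadolint and aligned with the best-practice list ----
# (1) Official base image, pinned to an explicit tag. Image signing is enforced
#     on the client side (DOCKER_CONTENT_TRUST=1 when pulling/pushing), not here.
FROM openjdk:8-jre-slim

# DL3005: no apt-get upgrade; rebuild from a newer base image instead.
# DL3008/DL3015: pin the version (assumed value) and skip recommended packages.
# DL3009: delete the apt lists in the same layer so they never reach the image.
# (4) Fewer packages and layers keep the attack surface and image size small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      curl=7.64.0-4+deb10u2 \
 && rm -rf /var/lib/apt/lists/*

# (3) Dedicated, non-privileged user; the process never runs as root.
RUN groupadd --system app \
 && useradd --system --gid app --home-dir /app --shell /usr/sbin/nologin app
WORKDIR /app

# Only the build artifact is copied, owned by the application user.
COPY --chown=app:app target/app.jar /app/app.jar

# (5) No secrets in the image: the configuration is mounted at run time
#     (Docker/Swarm secret, Kubernetes secret or an injected environment file).
ENV APP_CONFIG=/run/secrets/app.properties

USER app
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

Running `hadolint Dockerfile` in the pipeline as a build breaker (non-zero exit on findings) turns each of the numbered rules into an automated quality gate rather than a guideline.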
what’s next - roadmap
context within Progress software
1. OpenEdge 11.7.4 - first supported Docker container (progress/pasoe)
• standard disclaimers apply :-)
• PAS only (to run application on appserver)
• No OpenEdge DB support (yet)
2. OpenEdge 12 - Server side query resolution
• make up for loss of shared memory connections
3. Running OpenEdge apps inside a Tomcat container
4. Create your own OpenEdge Docker images for CI/CD and testing