Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Butler)

Copyright©2015, Oracleand/oritsaffiliates.Allrightsreserved.|

MakingDevOps SecurewithDocker[CON8724]BringingNativeDocker toOracleSolaris

Jérôme Petazzoni – Docker,IncJesseButler– OracleSolarisOctober28,2015

Presentedwith

Copyright©2015, Oracleand/oritsaffiliates.Allrightsreserved.

SafeHarborStatementThefollowingisintendedtooutlineourgeneralproductdirection.Itisintendedforinformationpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfunctionality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andtimingofanyfeaturesorfunctionalitydescribedforOracle’sproductsremainsatthesolediscretionofOracle.


WhoamI?● Jérôme Petazzoni (@jpetazzo)● Before2010:50%developer,50%sysadmin● After2010:100%DevOps atdotCloud

– polyglotPAAS– microservices– provisioning,metrics,scaling...– massivedeploymentofLXCandØMQ

● 2013:dotCloud becomesDocker


WhyDocker?


WhyDocker?● Fasterapplicationdevelopmentcycle● Multiplicationofenvironments● Scalingrequirements


Yesterday:slowcycles(months/years)● Specification● Implementation● Validation● Release● Maintenance


Today:fastcycles(weeks/days)● MinimumViableProduct● Shortiterations(sprints)● ContinuousDeployment● Aprojectisnever"done"or"over"● Agilemethods


Yesterday:singleenvironment● Onelanguage● Oneframework● Onedatabase● Oneserver● (+sometimesadevenvironment)


Today:manyenvironments● Manylanguages● Polyglotplatforms● SimultaneoususeofSQL,NoSQL ...● Therighttoolfortherightjob● Manyservers(everybodyhastheirlocaldev envtherearemanyenvs fortesting,CI,QA,etc.)


Yesterday:slow,verticaldeployment● Newversionsonceinawhile● Installedtofewservers(sometimesjustone)

● Scaling=scalingup(buybiggerservers)

● Scalingmustbeplannedfarahead


Today:rapid,horizontaldeployment● Newversionsallthetime● (everyweek/day/hour)● Installedtomanyservers● Scaling=scalingout(addmoreservers)

● Needtobeabletoscalequickly


WhatisDocker?


WhatisDocker?● Containerexecutionengine● Containerbuildsystem● Containerimagedistribution● Hugeecosystem


Containerexecutionengine● ~Hypervisorforcontainers● Container=~lightweightvirtualmachine

Whatisacontainer???


DEMO


Container● ItlooksandfeelslikeaVM● StandardUNIXprocesses,isolatedbykernelmechanisms:

– namespaces– cgroups (controlgroups)– copy-on-write

● Insanelyfastboottimes● Insanelylowresourceusage


Buildsystem● Dockerfile =recipedescribingthebuildprocess● Easytolearn(similartoshellscripting)● Fast(cachingsystem)● Reliable,reproducible● Bestofbothworlds:

– Shellscripts(easytowrite,easytounderstand)– Config management(reliability,repeatability)


DEMO


Imageformat● Problem:VMimagesarebig● Solution1:containerimagesaresmaller

– doesn'tneedhardwaresupport,kernel,drivers...– separatehandlingoflogs,metrics,backups...

● Solution2:imagesbrokendownintolayers– 1layer=1buildstep– example:basesystem,packages,code,config– onlytransferupdatedlayers


Distributionprotocol● Downloadcontainersimageseasily:“docker pullmaven”

● BuildontopofthoseimageswithDockerfiles:“docker build-tjpetazzo/springapp .”

● Makethatbuildavailabletoothers:“docker pushjpetazzo/springapp”

● UsethatbuildonanyDocker host:“docker pulljpetazzo/springapp”


Docker Registry● ServicetohostDocker images● Multipleoptionsavailable:

– Docker Hub(SAASmodel,freeforpublicimages)

– Docker TrustedRegistry(on-premoron-cloud)

– Self-hostedopensourceedition


Ecosystem:images● ~100officialimages

– Linuxdistros– (Debian,Ubuntu,CentOS,Fedora,...)

– components

– (MySQL,Redis,PostgreSQL,MongoDB,NGINX...)– languages

– (Python,Ruby,Java,Go,Node...)– applications

– (Wordpress...)

● ~150,000contributedimages


Ecosystem:code● ~100,000GitHub repositorieshaveaDockerfile● ~1000contributorstoDocker code● ThousandsofprojectsintegratingwithDocker● Someofficialtools:

– Machine(deployDocker hosts)– Compose(managemulti-containerapplications)– Swarm(clustermultipleDocker hoststogether)


Moreresources


Ifyoulikereading● docs.docker.com● Startwith"getstarted"(duh!)● Writteningoodold"howto"style● Referencedocumentations


Ifyoulikelookingat/listeningto● training.docker.com● Free,officialtrainingvideos

– IntrotoDocker(generalconcepts)

– Docker Fundamentals(firststepswithDocker)

– Docker Operations(usingMachine,Swarm,Compose)


Ifyou'reinahurry● OSX,Windows:Docker Toolbox+boot2docker

– tinyVMimage(lessthan30MB)– workson(most)physicalandvirtualmachines

● Linux:get.docker.com– officialpackagesformostdistros– get.docker.com(CloudInit-ready)

● Solaris:– boot2dockerVMinOracleVirtualBox– soon:Docker EnginenativeonSolaris


Linux?OSX?Windows?Solaris?● Docker onLinuxrunsLinuximages● Docker onWindowswillrunWindowsimages● Docker onSolariswillrunSolarisimages● Docker onOSXisreallyDocker onLinux,withinaboot2dockerVMinVirtualBox

● Docker onWindwos is(fornow)thesame


OneAPItorulethemall● AllportsofDocker exposethesameAPI● Docker client isavailableonallplatforms● Docker client cantalktoanyotherplatform● Docker allowstocontrolallworkloads:

– Linux– Solaris(soon)– Windows(soon)

● …usinguniformAPIs,dashboards,tools.


NativeDocker onOracleSolarisProvidingadev/opstoolkitintheOS


ABriefHistory

• OracleSolarisZonesfirstdeliveredin2005withOracleSolaris10– LightweightOSvirtualization,combinedwithresourcemanagement–Originallyintendedtobeapplication-specificsingle-purposeinstances– Sparserootdeploymentoptionwasidealforapplicationdeployment,butmostuserswererunninggeneralcomputeenvironments

• OracleSolaris11streamlinedfortheOScontainer–Majorityofuserfeedbacksteeredustowardadefault‘solaris’non-globalzonebrandwhichprovidesageneralcomputeenvironment– Fullpackageimage,fullhostofservicesbootedfrominit andmanagedbySMF

OracleSolarisZones


OracleSolarisZonesToday

• OracleSolaris11FCSNativeZones– ‘solaris’brand:non-globalzoneOScontainers– FullyintegratedwithIPSpackagingsystem,makingatomicupdateandrollbackwiththehostautomatic

• OracleSolaris11.2KernelZones– ‘solaris-kz’brand:VMglobalzones,eachwithindependentkernelandimage– Sametoolingasnativezones,applicationsrunseamlesslybetweentwobrands

NativeZones&KernelZones


NativeZonesWishlist

• Fasterdeploymentandboot• Improvedlifecyclemanagement• Application-specificzoneinstances• Streamlinedrepetitiveconfigurationtasks• Applicationcontainers

UserFeedbackContinuestoGuideFeatureEnhancements


Docker onOracleSolaris

• AnativeDocker onOracleSolaris,withsimilarruntimecharacteristicsasexperiencedonLinux,wouldcheckalloftheboxes• PlanningforworktoimproveintheseareascoincidedwithournoticingaconsiderableuptickinDocker adoption• AswithOpenStack,participateratherthanreinvent• IntegrationwithothercontainertechnologiesalreadyagoalfortheDocker project

Goodtimingandwell-aligned


OracleSolarisOSFeatures:WhatWeAlreadyHave

Observability &Reporting ConfigurationManagement&Auditing

FaultManagement ServiceMonitoring&PredictiveSelfHealing


OracleSolarisOSFeatures:BuiltforContainers

ContainerSecurity NetworkVirtualization

StorageVirtualization RobustandProvenContainerTechnology


Docker andOracleSolarisZones

• Docker deploysideallyminimalcontainers,inbothsizeandintent– Smallerimagesmeanslesssurfaceforadministration,maintenanceandattack– Themoreexpresstheintentofaninstance,thelesscomplextheconfiguration

• OracleSolarisNativeZonesarerocksolidOScontainers–OScontainersrunageneralcomputeenvironment,notidealforDocker– Fullpackageimagedeployment,evencloningtakeslongerthanidealforDocker–OracleSolarisNativeZonesdoexactlywhattheyaredesignedtodo,verywell

What’smissing?Mostly,it’sbydesign.


Docker andSolarisZones

• ImageContent– Evenwhencloningtherootfs,westillneedsmallerbaseimages– IdeallyaDocker containerrunsasaservice,notanotherinstancetoadmin

• InstanceBootConfiguration– Ideally,werunasingleintent:oneapplication,maybeonlyoneprocess– IntegrationwithSMFandothercoretechnologiesisrequired

Twomainrequirementscopes


IntegratingDocker andSolarisZones

• Docker instancesonOracleSolarisarenativenon-globalzones– ApplicationswhichruninSolarisZonescanruninDocker onOracleSolaris

• Docker leveragesrobust,matureSolarisZonestechnology– Resourcemanagement,scheduling,networking,storageandsecurity

• Docker instancesarenotcreatednormanagedviazonestoolchain– Instancesarecreatedviadocker(1),notzonecfg(1) /zoneadm(1)

• Docker instancescanbemonitoredviazones-relatedutilities– zonestat,ps –z,prstat –Z,etc

OracleSolarisZonesandResourceManagement



• Asmallerbaseimage,constructedfromIPS,usedforallDockerinstancesonOracleSolaris• AworkingIPSimageintheinstanceallowsformodificationviapkg(1)• ‘pkg verify’lendsaddedconfidenceintheassembledDocker image• TransformationtoandfromUnifiedArchivestoallowformigrationbetweenDocker instancesandotherOracleSolarisplatforms

ImageManagementandDeployment



• SMFconfigurationisquicklyinjectedduringinstancedeployment• Weboottoaverysparseenvironment,withasmallhandfulofprocessesprovidingabasicruntimeandSMFsupport• Havinganinit isn’tsobad,afterall

Bootandruntimeconfiguration



• Networking– Crossbow:World-classvirtualnetworkingstackintheOS– EachinstancehasanexclusiveIPstackandiswell-integrated

• Storage– AswithallZones,rootfs isbaseduponZFS,rapidlydeployedviaZFScloning– Allthebenefitsofthenativezonesstoragesupport• delegateddatasets,volumes,mounts,etc

Networkingandstorage


OracleSolarisandtheOpenContainersInitiative

• Earlierthisyear,Docker,Inc.announcedthedonationofacorepieceoftheirsoftwaretoseedanewOpenContainerInitiative• Manysystemvendorsandserviceprovidersjoinedearly,includingOracle• Aswe’vebeenworkingaspartofOCI,wehaveadoptedthenewcontainerformatforDocker onOracleSolaris• Docker integrateswithOracleSolarisZonesthroughourinternalimplementationoftheOCIspecification

Collaboratingonanopencontainerandruntimespecification


Docker &Zones

Security

ZFS

BEs

IPS

RAD

SMF

Dtrace

Audit

TheDocker EcosystemonOracleSolaris• OracleSolarisZonesinDocker• Securevirtualstorage&network• AtomicupdateandseamlessrollbackviaIPS&BootEnvironments• Secureremoteadministration&Role-basedaccesscontrol• Observability,configurationmanagement&audit


InitialBestPractices

• Docker asatoolkit– Typicallypositionedasanapplicationpackaginganddeploymentautomationframeworkthatmapsverywelltocoredev/opsprincipals– IntegratesverywellwithCI/CDworkflows

• WhentoconsiderDocker onOracleSolaris–WorkloadsrunninginsingleintentinstancesorthatcanbedecomposedintosingleintentinstancesaregoodcandidatesformigrationtoDocker onOracleSolaris– NewprojectswhichcanbearchitectedascooperativedistributedservicesaregoodcandidatesfornewdevelopmentinDocker onOracleSolaris

Docker isadev/opsjumpstart


InitialBestPractices

• Docker hostselection:metalorVM– Ifperformanceandscaleout isthemainconcerndeployonmetal– Ifmigrationandflexibilityisthemainconcern,orpotentiallyafutureconcern,deployinakernelzone

• Don’tover-rotateondecomposition– IfapplicationcomponentsanddependenciescanbemappedtoindividualDocker imagesandinstances,pursuethatcourse– Iftheycannot,useanOracleSolarisZoneorKernelZone,dependinguponplatformrequirements

Docker isadev/opsjumpstart


Q&A


Don’tMissTheseSessionsWhat When Topic LocationCON8468 Wed,12:15p.m. DevOps DoneRight:SecureVirtualizationwithOracleSolaris Intercon B

CON8605 Wed,1:45p.m DevelopingthePlatformoftheFuture:OracleSolaris Engineering Intercon B

CON8604 Wed,3:00p.m. CustomerPanel:CustomerInsightsintoDeployingOracleSolaris Intercon B

CON8337 Thu,9:30a.m. DeveloperCloudMadeSimple:HowtoBuildanOpenStack DeveloperCloud Intercon B

CON8726 Thu,10:45a.m. KeepingyourCompliance/SecurityAuditorHappy Intercon B

CON9757 Thu,12:00p.m. OracleSolaris:BuildingaSecurePlatform-as-a-ServiceHybridCloud Intercon B

CON8354 Thu,1:15p.m. TheDBaaS You’veBeenWaitingfor—OracleDatabase,OracleSolaris,SPARC,andOpenStack

Intercon B

4848


SafeHarborStatementTheprecedingisintendedtooutlineourgeneralproductdirection.Itisintendedforinformationpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfunctionality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andtimingofanyfeaturesorfunctionalitydescribedforOracle’sproductsremainsatthesolediscretionofOracle.