From 30a6f2bef796c7ab244dc8f75919369099403696 Mon Sep 17 00:00:00 2001 From: Thomas Schuering Date: Tue, 8 Dec 2015 13:32:17 +0100 Subject: [PATCH 1/3] Create 2015-12-08-DockerCon-EU-2015.md --- _posts/2015-12-08-DockerCon-EU-2015.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 _posts/2015-12-08-DockerCon-EU-2015.md diff --git a/_posts/2015-12-08-DockerCon-EU-2015.md b/_posts/2015-12-08-DockerCon-EU-2015.md new file mode 100644 index 0000000..7a71b56 --- /dev/null +++ b/_posts/2015-12-08-DockerCon-EU-2015.md @@ -0,0 +1 @@ +# Insights, Outlooks and Inbetweens From 04cc85018442b929463a96555514fd167e029ed0 Mon Sep 17 00:00:00 2001 From: Thomas Schuering Date: Tue, 8 Dec 2015 15:07:31 +0100 Subject: [PATCH 2/3] update --- _posts/2015-12-08-DockerCon-EU-2015.md | 48 ++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/_posts/2015-12-08-DockerCon-EU-2015.md b/_posts/2015-12-08-DockerCon-EU-2015.md index 7a71b56..d3cc4eb 100644 --- a/_posts/2015-12-08-DockerCon-EU-2015.md +++ b/_posts/2015-12-08-DockerCon-EU-2015.md @@ -1 +1,49 @@ +--- +layout: post +title: DockerCon EU 2015 +subtite: Insights, Outlooks and Inbetweens +description: Notes from DevOpsCon 2015 +category: general +author: ThomasSc +author_email: thomas.schuering@haufe-lexware.com +--- # Insights, Outlooks and Inbetweens + +Once upon a time in a ~~galaxy~~ container far, far away ... + +We, a bunch or ~~rebels~~ Haufe-employees, entered the halls of container - wisdom: DockerCon EU 2015 in Barcelona, Spain. Hailing from different departments and locations (Freiburg AND Timisoira, CTO's, ICT, DevOps, ...), the common goal was to learn about the current state of Docker, the technology behind it and its evolving eco-system. + +The unexpected high level catering (at least on the first day and the DockerCon Party in the Marine Museum) was asking for more activity than moving from one session to the next, but we had to bear that burden (poor us!). + +We met with a couple of companies (Rancher Labs, SysDig, Zanlado and some more) to get a feeling what is already available on the market and how mature do the solutions feel? + +A rough overview what we've seen and heared: + +# Day one + +... started with a bunch of exciting news (if you're fascinated by Docker as me ;- +)) in the general session. Have a look at the video of [Day 1 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-1-general-session/) + +Here's what what stuck in my mind (no specific order and might be intermixed with later presentations ;-)): + +- Security + - Docker Content Trust + - Hardware signing for Docker images + - Security scans for Images: Project Nautilus + - No more exception from isolation: Namespacing User(Id) + - Security made easy + +- Does it (Docker) scale? + - Scale testing with Docker swarm on AWS + +- Managing containers + - Docker UCP (Universal Control Plane) + +# Day two +... continued not as highbeat as day one, but still was going strong. + +Here's the recording to [Day 2 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-2-general-session/) + +# Things "inbetween" +... were quite interesting, too. We met with some guys from Zalando (yes, the guys who're screeming a lot in their adverts), who were explaining how they are using some home-brewn (git-available) facade (or tool if you like) to ease the pain with running a custom PaaS on AWS. The project [STUPS](https://stups.io/) uses a plethora of Docker-containers and is to be found on its own web-page and [github](https://github.com/zalando-stups) . + From ec9275bf283738f4d29b59a0cf12a4772465a9da Mon Sep 17 00:00:00 2001 From: thomassc Date: Mon, 14 Dec 2015 17:16:49 +0100 Subject: [PATCH 3/3] update --- _posts/2015-12-08-DockerCon-EU-2015.md | 43 ++++++++++++++++---------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/_posts/2015-12-08-DockerCon-EU-2015.md b/_posts/2015-12-08-DockerCon-EU-2015.md index d3cc4eb..5e27728 100644 --- a/_posts/2015-12-08-DockerCon-EU-2015.md +++ b/_posts/2015-12-08-DockerCon-EU-2015.md @@ -17,33 +17,44 @@ The unexpected high level catering (at least on the first day and the DockerCon We met with a couple of companies (Rancher Labs, SysDig, Zanlado and some more) to get a feeling what is already available on the market and how mature do the solutions feel? -A rough overview what we've seen and heared: +The recordings of the [Day 1 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-1-general-session/) and [Day 2 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-2-general-session/) contain the major news and most important things. -# Day one -... started with a bunch of exciting news (if you're fascinated by Docker as me ;- -)) in the general session. Have a look at the video of [Day 1 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-1-general-session/) +Here's what I found most important (no specific order and might be intermixed with other sessions or presentations, but you know that I'm deeply interested in security and stuff ;-)): -Here's what what stuck in my mind (no specific order and might be intermixed with later presentations ;-)): +- Docker delivers "Enterprise" Features and is getting more mature: + - Security + - Docker Content Trust is getting stronger by hardware signing + Since Docker 1.8, strong cryptographic guarantess over the content of an Docker image can be established by using signing procedures. From their [Blog](https://blog.docker.com/2015/08/content-trust-docker-1-8/) here an excerpt: + [...] Docker Engine uses the publisher’s public key to verify that the image you are about to run is exactly what the publisher created, has not been tampered with and is up to date. [...]. + At DockerConEU 2015, the support of Hardware Signing via Yubi Key was announced that strengthens the signing process even more. There's an elaborate [article](https://blog.docker.com/2015/11/docker-content-trust-yubikey/) available. + - Security scans for Images: Project Nautilus + Trusting an image is good and well, but what if the binaries (or packages) used image are vulnarable? Usually, distribution-maintainers provide information and updates for packages. But what about a Dockerfile that installs its artifacts without using a package-manager? Project Nautilus takes care about this situation but not only checking "all" of the vulnerability databases, but by scanning the files of an image. There's not much public information (link :-)) available yet, but it's a promising approach. + - No more exception from isolation: User namespaces (available in Docker 1.10 "dev") + Almost everything in Docker is isolated / abstracted from the Host-OS. One crucial exception was still present: Userids were used "as is". For example, this would allow the root user of a container to modify a readonly mounted file (by "volume" command) that is owned by the root user of the host. In future, this will not be possible anymore, because the userids will be "mapped" and the rootid "0" inside the container will be effectively treated as "xxxx + 0" outside the container. + + - SecComp + Seccomp is a filter technology to restrict the set of systemcalls available for processes. You could imagine a container being corrupted and the docker-engine would simply not allow a process inside a container to execute "unwanted" systemcalls. Setting the system (host) time? Modifying swap params? Such calls (and more) can be "eliminated". -- Security - - Docker Content Trust - - Hardware signing for Docker images - - Security scans for Images: Project Nautilus - - No more exception from isolation: Namespacing User(Id) - - Security made easy + - Security made easy + This is mentioned in the recording of [Day 1 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-1-general-session/). Basically it says: If security is hard to do, nobody will do it ... + Docker tries to ease the "security pain" and I ask you to look/search for that small mentioning in the session. Maybe you agree to the points mentioned there :-) - Does it (Docker) scale? - - Scale testing with Docker swarm on AWS + - Live [scale testing](https://blog.docker.com/2015/11/scale-testing-docker-swarm-30000-containers/) wasn't something I was really looking forward to see, but it was impressive anyway. - Managing containers - - Docker UCP (Universal Control Plane) + - I DO like Rancher, I'd love to have something even more powerfull ... and there comes "Docker UCP (Universal Control Plane) Beta". The UCP and the Docker trusted registry are two of the "commercial" products I've seen from Docker. Hopefully, the basic tools are staying on the "Forces light side" of free opensource - at least for developers and private users. -# Day two -... continued not as highbeat as day one, but still was going strong. +- Using Docker in production + - At Haufe, sometimes we seem to be lagging behind new technologies. Some of the presentations at Dockercon put a pretty strong emphasis on being carefull and preserve successfull processes (esp. dev, ops and security). A quick compilation of presentation links and topics will follow. -Here's the recording to [Day 2 General Session](http://blog.docker.com/2015/11/dockercon-eu-2015-day-2-general-session/) +In the meantime have a look at the [great overview](https://github.com/docker-saigon/dockercon-eu-2015) what happened during both days with links to all/most of the presentations, slides or videos to be found a . # Things "inbetween" ... were quite interesting, too. We met with some guys from Zalando (yes, the guys who're screeming a lot in their adverts), who were explaining how they are using some home-brewn (git-available) facade (or tool if you like) to ease the pain with running a custom PaaS on AWS. The project [STUPS](https://stups.io/) uses a plethora of Docker-containers and is to be found on its own web-page and [github](https://github.com/zalando-stups) . +(To be extended :-)) + +# +There's more to come (from other colleagues, too :-)