Posted on 20-May-2020
Matt Bentley, Director, Solutions Engineering, Docker, Inc.
Introduction to Docker Enterprise
Agenda
● Introduction to Docker Enterprise
● Docker Enterprise Platform Architecture
● What’s New in Docker Enterprise 3.0
Containers are the New Standard for Apps
But how do you roll out a successful container strategy in your business?
● Will this work with my existing storage and networking solutions?
● How do you control access to the workloads?
● How do you ensure the system is secure?
● What kind of governance model is in place?
● Where will my content/IP live?
● What types of apps will I containerize?
● Who on my staff will maintain, patch and operate this?
● Do my developers know how to use Docker?
The Docker Enterprise Platform: any application, end-to-end, anywhere (hybrid cloud, VM, bare metal, edge). Three stages: Build, Share, Run.
Docker Enterprise 3.0: Securely build, share and run any application, anywhere
● Build - Developer Productivity: Docker Desktop Enterprise
● Share - Secure Registry and Collaboration: Docker Trusted Registry, Docker Hub
● Run - Application Runtime and Orchestration: Docker Engine Enterprise, Docker Universal Control Plane, Kubernetes and Swarm
BUILD: Desktop Enterprise
● One-click to install certified Kubernetes
● Application Designer and Application Templates - faster “time-to-Docker”
● Version Packs to align to production environments
● Distributed as PKG or MSI with standard endpoint management tools
SHARE: Docker Hub & Trusted Registry
Docker Hub: 100B+ container downloads
Docker Trusted Registry:
● Run in your own servers or VPC
● Role-based access controls
● Immutable repositories
● Image promotion policies
● Image vulnerability scanning
● Image caching & mirroring
● Policy-based tag pruning
● Webhook integration for CI automation
RUN: Docker Kubernetes Service with Universal Control Plane
● Integrated Kubernetes 1.14
○ Includes out-of-the-box Calico CNI plugin
○ Option to run Swarm interchangeably, using the same Compose files
○ Advanced role-based access controls with integration to LDAP/AD, SAML 2.0
● Management dashboard with healthchecks, 24-hour data retention and easy drilldown of nodes, containers, networks, volumes
Built on Foundation of Docker Engine
● Docker Engine - Enterprise adds: certified plugins and ISVs, signature verification, FIPS 140-2, support SLA
● Docker Engine - Community: dockerd, Docker CLI/API, Docker Compose, storage mgmt, libnetwork, BuildKit, SwarmKit, Docker Content Trust, image mgmt, logs mgmt
● Runtime layers: containerd, runc
● Plugins: storage, networking
● Based on leading containerd runtime
● Includes BuildKit and Docker CLI
● Enterprise Engine includes:
○ Enhanced security features like FIPS 140-2 validated encryption
○ Certified plugins for networking, storage, logging
Docker Enterprise Architecture
Cluster Architecture: Docker Enterprise Cluster
● Management plane: three manager nodes
● Worker nodes
● DTR worker nodes (three nodes each running DTR)
Kubernetes in Docker Enterprise
● UCP Manager/Linux runs: calico cni pods, kubedns, kube-proxy, kubelet, kube-controller-manager, kube-manager, kube-scheduler
● UCP Linux worker runs: calico cni pods, kube-proxy, kubelet
What’s New in Docker Enterprise 3.0
Automated lifecycle management on your choice of infrastructure
● Day 1 and Day 2 ops
● Easy install, scheduled and online backups, blue/green upgrades
Enhanced Kubernetes Support
● Enterprise Storage CSI, iSCSI
● Built-in Ingress - Tech Preview
Faster time-to-market for new applications
● Enterprise-ready desktop development environment
● Application templates
● Multi-service compose-based applications (Docker App)
Enhanced security and continuous compliance
● Group managed service accounts (gMSA) for Swarm
● PKI Certificate-based authentication
● Open Security Controls Assessment Language (OSCAL) - Tech Preview
Themes: Expanding Choice, Enhanced Security, High Velocity Innovation
Desktop Administrator settings
Benefits
● Give end users as much or as little control as needed
● Safeguard against performance and security issues
Key Features
● Enables admins to pre-configure Docker Desktop with company-specific defaults
● Choose which settings the user can change
Docker Desktop Community vs. Desktop Enterprise
Feature | Desktop Community | Desktop Enterprise
Latest Docker Engine based on containerd | ✅ | ✅
Certified Kubernetes | ✅ | ✅
Available for Windows 10 and macOS | ✅ | ✅
Same interface and commands shared by developers and production | ✅ | ✅
Production-Ready App Development
Develop in any language or framework, even multiple versions simultaneously | ✅ | ✅
Application Designer interface to simplify creating & developing Docker applications | | ✅
Synchronize Docker Engine and Kubernetes versions to match Docker Enterprise | | ✅
IT Manageability
Maintain and distribute across teams with standard MSI/PKG packages | | ✅
Selectable configuration restrictions | | ✅
Customizable application templates | | ✅
Technical Support SLA | | ✅
Docker Applications
Build, share and run multi-service apps in a single package deployable to any infrastructure
Docker App package (my-app.yml): app description (name, version, maintainer), app components, and environment variables (default-settings.yml)
● “Container of containers” defines an application that can be comprised of multiple services
● Supports Docker Compose, Kubernetes YAML, Helm Charts and more
● Implements the new open standard, CNAB, announced by Docker and Microsoft
● Parameterized fields allow for flexible deployment across different environments, delivering on “code once, deploy anywhere”
End-to-End Docker Application Workflow: Consistency from Dev to Ops
BUILD:
● Define and package multiple images and their interdependencies
● Compatible with Docker Compose, Helm charts and Kubernetes YAML
SHARE:
● Collaborate and distribute via Docker Hub and Docker Trusted Registry
● Shareable applications with clear interfaces for operators
RUN:
● Run multiple versions of the same application and manage per-environment settings
● Works with Swarm and Kubernetes
The workflow spans Docker Hub, Docker Trusted Registry, Docker Desktop Enterprise, and Docker Engine + Docker Kubernetes Service.
Docker Certified Infrastructure Components
FEATURES
• Automation tooling built into Docker Engine via the ‘docker cluster’ command, without the need to install additional software
• Reference architectures for AWS, Azure and vSphere
• Ecosystem integrations with cluster add-ons
BENEFITS
• Eliminates the need to modify Terraform and Ansible modules directly
• Out-of-the-box provisioning and management via CLI for multiple infrastructures on all supported releases
Docker Certified Infrastructure Architecture
● The operator runs ‘docker cluster create -f cluster.yml’, which uses the docker/cluster:latest image
● Terraform provisions the resources at the infrastructure provider (VMs and load balancers)
● Ansible applies the Reference Architecture to those VMs: Docker Enterprise Engine (EE) nodes behind load balancers, UCP, DTR, Swarm/K8s, monitoring and logging, with accompanying solution briefs
UCP Backup Enhancements (Lifecycle)
FEATURES
• Backs up the configuration of UCP without affecting your manager nodes
• Backup via the Web UI and view history
• Backend API to create and retrieve backups
BENEFITS
• De-risks upgrades to provide a more stable platform for lifecycle operations
• Allows you to schedule backups at any given time without issues
Backup flow: etcd, rethinkdb and the UCP volumes are captured into a tar file, which is retrieved via HTTP GET
Container Storage Interface (CSI) for K8s (Storage)
Stack: Kubernetes -> Container Storage Interface -> Storage Plugin
Standardized Storage Interface
• CSI is a community-driven standardized interface for storage drivers across container orchestrators
• Docker Enterprise supports CSI through certified CSI drivers
Volume Lifecycle Management
• Dynamic provisioning/deprovisioning
• Attachment/detachment
• Mounting/unmounting
• Supports block and file storage types
• Snapshotting
• Provisioning volumes from snapshot
iSCSI Support for K8s (Storage)
Flow: Kubernetes and an external provisioner create the volume; the kubelet on the host (the iSCSI initiator) attaches it from the iSCSI target and mounts it into the pod
• Provision block, centralized, on-premise storage for high performance workloads
• Enables plugins for hardware-based storage that uses iSCSI for network storage
Kubernetes Cluster Ingress (Experimental) (Networking)
● Layer 7 ingress services such as:
○ L7 routing
○ Load balancing
○ TLS termination
○ API metrics
○ Application deployment strategies
● Shipping as experimental in Docker Enterprise 3.0. Will be GA in a subsequent release.
● Istio-based ingress controller offering the ingress capabilities of the Envoy proxy.
Diagram: application traffic from the client enters Kubernetes through the ingress proxy and reaches the pods; the ingress controller sends control plane traffic to the proxy.
Standalone Engine GPU Support (GPU)
$ docker run -it --rm --gpus all ubuntu nvidia-smi
Thu Apr 4 21:47:41 2019
+-----------------------------------------------------------------------------+
| NVIDIA-SMI 384.130                Driver Version: 384.130                   |
|-------------------------------+----------------------+----------------------+
| GPU  Name        Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf  Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|===============================+======================+======================|
|   0  GRID K520           Off  | 00000000:00:03.0 Off |                  N/A |
| N/A   36C    P0    39W / 125W |      0MiB /  4036MiB |      0%      Default |
+-------------------------------+----------------------+----------------------+

+-----------------------------------------------------------------------------+
| Processes:                                                       GPU Memory |
|  GPU       PID   Type   Process name                             Usage      |
|=============================================================================|
|  No running processes found                                                 |
+-----------------------------------------------------------------------------+
● Support for using Nvidia GPUs inside containers, provided the correct Nvidia drivers are installed.
Manage multiple clusters using Docker Context (CLI)
• Seamlessly work with multiple Docker and Kubernetes clusters, without manual configuration
• Easily export and import contexts when moving between machines
• Supported in all Docker CLI commands
1. Create a context to store cluster credentials (including from UCP bundles):
$ docker context create current --description "An automatic example" --docker from-current=true --kubernetes from-current=true
2. List and manage your contexts:
$ docker context list
NAME      DESCRIPTION            DOCKER ENDPOINT               KUBERNETES ENDPOINT                   ORCHESTRATOR
local *   An example context     unix:///var/run/docker.sock   https://192.168.65.3:6443 (default)   kubernetes
remote    A remote context       tcp://myserver:2376                                                 swarm
current   An automatic context   tcp://myserver:2376                                                 swarm
3. Set the context using the CLI or environment:
$ docker context use remote
PS> $Env:DOCKER_CONTEXT="remote"
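Because a context silently decides which cluster every subsequent docker command talks to, a common operational mistake is deploying to production while a "remote" or "current" context is still selected. The script below is an added example (written for this page, not part of the slides or of Docker's own tooling): it resolves the active context with the precedence the CLI uses (the DOCKER_CONTEXT variable first, then the currentContext key that "docker context use" writes to config.json under DOCKER_CONFIG or ~/.docker, else "default") and refuses to run a deployment unless the intended context is active. The DOCKER_HOST override is deliberately not modelled, and the stack name and compose file in deploy_to_remote are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight guard for Docker contexts (not from the slides).
# Assumed precedence: $DOCKER_CONTEXT, then "currentContext" in
# ${DOCKER_CONFIG:-~/.docker}/config.json, else "default".
# DOCKER_HOST is not modelled here.

# Print the name of the context the next docker command would use.
resolve_context() {
    cfg="${DOCKER_CONFIG:-$HOME/.docker}/config.json"
    if [ -n "${DOCKER_CONTEXT:-}" ]; then
        printf '%s\n' "$DOCKER_CONTEXT"
    elif [ -r "$cfg" ] && grep -q '"currentContext"' "$cfg"; then
        # Single-key extraction with sed so the script does not depend on jq.
        sed -n 's/.*"currentContext"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1
    else
        printf 'default\n'
    fi
}

# Return 1 unless the active context is the one the operator intended.
require_context() {
    want="$1"
    have="$(resolve_context)"
    if [ "$have" != "$want" ]; then
        printf 'active Docker context is "%s", expected "%s"; refusing to continue\n' "$have" "$want" >&2
        return 1
    fi
    printf 'using Docker context "%s"\n' "$have"
}

# Guarded deployment: only proceeds when the "remote" context is active.
# Invokes docker only if it is installed, so the guard can be exercised anywhere.
deploy_to_remote() {
    require_context remote || return 1
    if command -v docker >/dev/null 2>&1; then
        docker stack deploy -c docker-compose.yml my-app   # hypothetical stack name and file
    else
        echo "docker not installed; guard passed, skipping the actual deploy"
    fi
}
```

Run it as "DOCKER_CONTEXT=remote sh guard.sh" or source it and call deploy_to_remote; with any other context selected the function prints the mismatch to stderr and returns 1, which stops a calling script that runs under set -e.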
Open Security Controls Assessment Language (OSCAL) - Experimental (Security)
Flow: Docker Enterprise takes catalogs and profiles in OSCAL format as input, performs automated assessment and automated reporting, and emits standardized reporting in OSCAL format.
● “Tech preview” integration of NIST’s new OSCAL standard (https://github.com/usnistgov/OSCAL)
● Compliance automation and built-in security control auditing
● Standardized reporting against multiple security control catalogs
○ NIST 800-53 only for alpha-1
○ CIS Docker and Kube Benchmarks coming in a future dev release
● Available via new UCP API endpoints (refer to live API docs)
○ OSCAL formatted JSON output
● New open source OSCAL SDK (https://github.com/docker/oscalkit)
In Summary
• Docker Enterprise is the industry-leading enterprise container platform
• The only container platform that extends from developers’ desktops to the cloud
• Enabling applications of all kinds
Check out these sessions:
• How to build your containerization strategy (3:00-5:00pm, Continental Ballroom)
• Developing New Applications with Docker App Package (1:00-1:45pm, International Ballroom A)