Four phases of successful Docker adoption.
CASE STUDY
Société Générale
One of the biggest banks in Europe, Societe Generale leverages digital
solutions to modernize and reinvent all aspects of its business. By
taking advantage of new technologies like Docker containers, Societe
Generale is able to quickly develop value-added services to stay in
step with new client behaviors. The firm’s journey to a modern, cloud
architecture didn’t happen overnight. A phased approach helped
Societe Generale incrementally adapt to a new infrastructure while
maintaining their primary goals of security and reliability.
Adapted from Societe Generale's DockerCon 2017 presentation.
CASE STUDY. Societe Generale. Page
CASE STUDY | Sunrun |
About Societe Generale.
Societe Generale is France's third largest bank by total assets and the sixth largest in Europe. Headquartered in Paris, the multinational financial services firm has divisions supporting global transaction banking, international retail banking, corporate and investment banking, private banking, asset management and securities services.
Societe Generale uses digital strategies to transform banking relationships with its customers, whether they be individuals, institutions, large companies or private banking clients. To keep up with changing digital usage by consumers, Societe Generale is increasing its innovation in web and mobile services to ensure its customers enjoy greater autonomy, simplicity and security.
“Everyone wants to do Docker,” declares Thomas Boussardon, Middleware Specialist at Societe Generale, as he speaks to the audience at DockerCon 2017. To get there, Boussardon and his team, which includes DevOps architect Stéphan Dechoux, laid out a plan for container adoption and delivery of containers-as-a-service (CaaS) and platform-as-a-service (PaaS) at the financial services firm. In the two years since the start of the project, they have successfully built the platform onto which they have onboarded 20 applications, with more than 50 applications in the pipeline for containerization.
“You have to understand that we have a lot of applications,” states Boussardon. This includes legacy applications, service-oriented architecture (SOA), REST APIs, monolithic applications, and distributed applications. “In the investment bank it’s nearly 1500 applications – and we want people to run exactly in the same infrastructure.” The Societe Generale container project seeks to both transform and unify the company’s infrastructure, with the goal of reaching a new level of agility, scalability, and automation for application rollouts while ensuring security, stability, and performance. “We want to improve the user experience, to easily deploy apps, to upgrade easily, and decrease time to market,” describes Boussardon. “The use cases in banking are changing. We want now to be able to expose APIs on the internet. We must be able to expose everything in a DMZ to be ready to do Open Banking and in a few months be able to do blockchain – and for this we are building this platform.” The team knew that Docker adoption would not happen overnight. To ensure success, they mapped a four-phase plan to guide their efforts.
The phases of Docker adoption at Societe Generale.
LEVEL 0 – WHAT CAN WE REUSE WITH DOCKER?
The first phase for the bank was simply to assess what they already had in place. Ideally, the software and hardware investments already made by the firm could be integrated and used in the new platform. Illustrating the scale of Societe Generale’s IT equipment as it exists today, Dechoux posed this question to the session audience: “If we stack all of our datacenter equipment, what will be the height of this tower?” The answer? More than 8x the height of the Eiffel Tower! “We can store more than 200 years of HD video, our global fiber network can cover the Tour de France race, and our grid computing can forecast weather faster than Meteo France (the French national meteorological service).”
“We didn’t want to rebuild and recreate everything. We have applications and systems and have people who can run them. What we want to do is build a platform that can host our applications but also use what we already have,” explains Boussardon. Existing services that Societe Generale wanted to carry over to the new container environment included Jenkins for CI/CD, GitHub for source control, Nexus for their artifact repository, NetApp for persistent storage, Hortonworks for their data lake, HashiCorp Vault for secrets management, and Consul for their service registry. As much as possible they also wanted to keep the tools used in their development stack. For Java apps this includes Netflix Open Source Software (OSS), Spring Cloud, RabbitMQ and Zipkin; for .NET apps it consists of .NET Core, ASP.NET, and Open Web Interface for .NET (OWIN).
LEVEL 1 – INTRODUCING DOCKER ENTERPRISE EDITION.
The next phase for Societe Generale was to introduce Docker Enterprise Edition (EE), featuring Docker Engine to run containers, Docker Universal Control Plane (UCP) with Docker Swarm for orchestration, and Docker Trusted Registry (DTR) to store images. The team also evolved their continuous integration and continuous delivery (CI/CD) pipeline practice to support Docker and the container lifecycle from test and dev to production. The work completed in this step took place within the first 6 months of the project.
Prior to Docker, the company used virtual machines (VMs) and bare metal servers to host applications. With the shift to containers, the team was tasked with defining how the build and deploy process would work in the new platform. As much as possible, Societe Generale wanted their new workflow to use existing technology to reduce disruption to developers. For their build process, they began to run their Jenkins master and Jenkins slaves in Docker containers.
[Figure: build and deploy pipeline – Jenkins master and Jenkins slaves, GitHub source control, Docker images, Docker UCP, Docker HRM and Docker workers; deploy orders are scheduled, triggered or manual.]
Now, when the company creates an application, they pull from GitHub and Nexus to build Docker images. Once the application is tested, they push the images to their Docker Trusted Registry (DTR), which makes the application readily available to everyone who has a right to use it. Societe Generale’s deploy process follows a similar workflow and provides the flexibility to schedule a deployment, to trigger a deployment after a change is done or a new image is available, or to manually deploy should the team decide to re-deploy an application. For production rollouts, Societe Generale uses Docker UCP to send orders to Docker workers to deploy containers.
LEVEL 2 – STATEFUL CONTAINERS AND DOCKER MONITORING.
For the next phase, 10 months into the project, Societe Generale began onboarding applications into production. During this period they defined what was required to mature the capabilities of the platform to ensure successful operation in production and to enable a wider range of applications to be supported. Three critical enhancements were identified by the team for this phase. First, they needed to support stateful containers to ensure retention of critical data created by applications. Second, they defined a requirement for a monitoring solution specifically designed to provide visibility into containerized infrastructure and applications. Third, they upgraded how they performed logging for the environment in conjunction with the monitoring solution.
Satisfying their goal of reusing existing infrastructure in the container environment, Societe Generale adapted Docker to take advantage of their NetApp storage to support stateful applications that generate data the company wants to keep safe. Two Docker volume plugins are used within the environment, one for NFS from NetApp and one for CIFS from Netshare. With this functionality in place, the bank can now run stateful applications. Examples of these stateful services include their Jenkins master, the company’s ELK stack with Elasticsearch, and data generated by batch jobs. “We need to be able to restart without losing information,” highlights Boussardon. With this rollout, Societe Generale is able to onboard stateful applications and ensure that they don’t lose information even if the container crashes.
[Figure: Level 2 platform – Docker EE (UCP, Engine, DTR) with Jenkins for continuous delivery/integration, NetApp persistent storage, GitHub source control, Hortonworks data lake and Nexus artifact repository.]
Choosing Sysdig for Container Monitoring.
“Monitoring containers is not the same as monitoring old applications where you know the server, you know the IP, and you know the port. In containers it’s not like this,” explains Boussardon. “With containers, everything changes every time. Your application never runs on the same node, never runs with the same IP, and never runs with the same port. We had to find a solution to monitor this. That’s why we decided to use Sysdig. It gives us a way to introspect what is happening in our containers. It provides us dashboards and also sends metrics and all our logs to our data lake.” Sysdig Monitor enables the team to see what is occurring not only within the physical environment but also inside their containers. The development and operations teams are now able to monitor, alert, and troubleshoot resource usage across all layers of their containerized infrastructure. With this insight, Societe Generale can identify and address issues.
Sysdig Monitor featuring ContainerVision enables Societe Generale to:
• Analyze process execution, file system activity, and
network activity inside containers in a single view.
• Visualize the dependencies in containerized
environments to quickly isolate the root cause of
performance issues.
• Inspect application activity inside containers like HTTP
error codes, URL response times, and database queries.
For its initial rollout, the company deployed the Sysdig
Monitor solution on-premises to enable the collection of
metrics on internal infrastructure within its PaaS. This
deployment model lets Societe Generale leverage their
existing capital investments and ensures they meet their defined security and compliance requirements.
LEVEL 3 – MICROSERVICES AND SECURITY.
As Societe Generale entered the next phase of their project, the platform was actively supporting a number of applications – both modern apps and traditional legacy apps. At this stage, 15 months into the project, the company began to onboard applications as microservices. Their approach was to enable a parallel run of applications, continuing to support apps on non-container infrastructure while concurrently running the same apps in production on containers. As Dechoux describes it, “We already have microservices in the bank running on VMs or bare metal, and we want to be able to migrate to Docker. We want to have a parallel run with the same services running in containers in a canary or blue-green scenario.”
With apps running in this cross-platform services configuration, Societe Generale chose to maintain some services outside of containers. This approach lets the team preserve the immutability of their container images – a core principle of containers – while injecting at runtime the configuration the application needs, its secrets (e.g. API key, password), and its certificates. “We want to build the image one time in development and the same image will follow all the next environments – UIT integration, pre-prod, and production, etc.,” explains Dechoux.
During this phase Societe Generale
also introduced Fabio, a
containerized dynamic L7 load
balancer that delivers “L7-as-a-
Service” to route traffic with
microservices deployments
managed by Consul. Fabio checks
with the Consul service registry and
adapts its configuration based on
state changes it discovers. Societe
Generale runs a dedicated Fabio
container for each containerized
application.
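The registry-driven routing described above, as an added example that is not Fabio's or Societe Generale's code: a simplified Python model of a Fabio-style router that reads Consul service registrations, builds a route table from healthy instances only, and drops an instance as soon as its health check fails. It assumes Fabio's `urlprefix-/path` tag convention and works on a constructed catalog; the `ServiceInstance` class, the `build_routes` and `select_upstream` functions and the addresses are all assumptions made for illustration.

```python
"""Simplified model of how a Fabio-style dynamic L7 router derives its
routing table from a Consul service registry.

Added example for this case study; it is not Fabio's or Societe
Generale's code. Assumptions: services are registered in Consul with
tags of the form "urlprefix-/path" (the convention Fabio documents), and
SAMPLE_CATALOG below is a constructed, reduced form of what Consul's
health endpoint would return.
"""
from dataclasses import dataclass, field

URLPREFIX_TAG = "urlprefix-"


@dataclass
class ServiceInstance:
    service: str
    address: str
    port: int
    tags: list = field(default_factory=list)
    check_status: str = "passing"  # aggregate Consul health check status


def build_routes(instances):
    """Return {url_prefix: [upstream, ...]} built from healthy instances only.

    An instance that fails its health check, or is deregistered, simply
    drops out of the table on the next rebuild; nobody edits a config file.
    Instances without a urlprefix tag are never exposed through the router.
    """
    routes = {}
    for inst in instances:
        if inst.check_status != "passing":
            continue
        for tag in inst.tags:
            if tag.startswith(URLPREFIX_TAG):
                prefix = tag[len(URLPREFIX_TAG):]
                routes.setdefault(prefix, []).append(f"{inst.address}:{inst.port}")
    return {prefix: sorted(ups) for prefix, ups in routes.items()}


def select_upstream(routes, path, counter=0):
    """Longest-prefix match on the request path, round-robin over upstreams.

    Returns None when no route matches, which a real router turns into a
    404 rather than forwarding to an arbitrary backend.
    """
    candidates = [p for p in routes if path.startswith(p)]
    if not candidates:
        return None
    upstreams = routes[max(candidates, key=len)]
    return upstreams[counter % len(upstreams)]


# Constructed sample registry state (not real services or addresses).
SAMPLE_CATALOG = [
    ServiceInstance("payments-api", "10.0.1.11", 8080, ["urlprefix-/payments"]),
    ServiceInstance("payments-api", "10.0.1.12", 8080, ["urlprefix-/payments"]),
    ServiceInstance("accounts-api", "10.0.1.20", 9000, ["urlprefix-/accounts"]),
    ServiceInstance("accounts-admin", "10.0.1.21", 9001, ["urlprefix-/accounts/admin"]),
    ServiceInstance("legacy-batch", "10.0.1.30", 7000, []),  # internal only, no route
]


def simulate_state_change(catalog):
    """Fail one payments instance, rebuild the table, then restore it.

    Returns (routes_before, routes_after) to show the registry-driven
    reconfiguration the text describes.
    """
    before = build_routes(catalog)
    catalog[0].check_status = "critical"
    after = build_routes(catalog)
    catalog[0].check_status = "passing"
    return before, after


if __name__ == "__main__":
    before, after = simulate_state_change(SAMPLE_CATALOG)
    for n, req in enumerate(["/payments/transfer", "/accounts/admin/users", "/nope"]):
        print(req, "->", select_upstream(before, req, n))
    print("after failure, /payments ->", after["/payments"])
```

Running the module prints the table before and after a simulated failure. The `legacy-batch` entry never receives a route because it carries no `urlprefix-` tag: the router only exposes what the registry explicitly publishes, which is the property to check for when such a component fronts services in a DMZ.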
[Figure: Level 3 platform – Docker EE (UCP, Engine, DTR) with Vault for secrets management, Sysdig for monitoring and alerting, Consul for service registry and KV store, NetApp persistent storage, Fabio dynamic L7 load balancer, Hortonworks data lake, Jenkins continuous delivery/integration, GitHub source control and Nexus artifact repository.]
The final focus of this phase of Societe Generale’s container project was to improve security. “It must be robust and rock solid,” explains Dechoux. A key part of this process was to use Docker Security Scanning (DSS), an embedded feature of Docker EE that scans images for vulnerabilities. The team also scans Dockerfiles and Compose files using an in-house linter tool developed to check that everything respects best practices.
LEVEL 4 – HYBRID CLOUD AND SOFTWARE-DEFINED EVERYTHING.
As they look to the future, Societe Generale has set clear goals as to what they want to achieve by the end of the next year. This includes incorporating public cloud, deploying more cross-platform applications, and continuing to improve performance and security.
“The dream is to have some kind of cross-cluster between Amazure – Amazon and Azure – and our own site. To have something like a big giant cluster,” says Dechoux. Boussardon adds, “We’ve got our own cloud, our private cloud, but for overflow across data centers, we want to be able to go to public cloud like Amazon or Azure – and so we want to deploy our applications using immutability in other data centers and other environments.”
To help achieve this goal, the company has outlined a vision for “software-defined everything.” This includes moving toward software-defined networking to standardize the network between everything – VMs, bare metal servers, and containers. The bank also sees software-defined storage as a technology that can improve the way they are delivering storage, offering their customers different classes of service, such as gold, silver, and bronze, to provide a choice of capabilities around performance and persistence to satisfy diverse application requirements.
Because of the nature of their business, at each phase Societe Generale also diligently works to enhance security. For level 4, the team intends to focus on security policy enforcement. “We are a bank, so security is everywhere,” says Dechoux. “We want to be able to create some rules, like you cannot run something as root, you cannot mount a host volume in your container, you cannot run this kind of command, and you cannot modify a bin directory. We want to have some set of policies that can be applied dynamically and for all containers to ensure security. Especially if we want to expose it in a DMZ.”
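The policy rules quoted above, together with the build-once/immutable-image principle and the Dockerfile and Compose linting from Level 3, as an added example that is not Societe Generale's in-house linter (the page names the tool but not its rules): a small Python linter that flags running as root, host volume mounts, privileged containers, secrets baked into images or inlined in environment variables, and images not pinned by digest. The sample Dockerfiles, the Compose data (given as the dict a YAML loader would return, so the example has no third-party dependency), the `dtr.example.internal` registry name and the all-zero digest are constructed placeholders; the check for an unpinned base image goes one step beyond the quoted rules.

```python
"""Policy linter for Dockerfiles and Compose service definitions.

Added example; it is not Societe Generale's in-house linter. It encodes
the policies quoted in the case study: no running as root, no host volume
mounts, no privileged containers, secrets injected at runtime rather than
baked into the definition, and images pinned by digest so one built image
follows every environment unchanged. All sample data below is constructed.
"""
import re

SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|API_KEY|TOKEN", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_dockerfile(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations,
    skips blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instr, _, arg = (buf + line).partition(" ")
        buf = ""
        yield instr.upper(), arg.strip()


def env_keys(arg):
    """Keys from 'ENV K=V K2=V2' or the legacy 'ENV KEY value' form."""
    tokens = arg.split()
    if tokens and "=" not in tokens[0]:
        return [tokens[0]]
    return [t.split("=", 1)[0] for t in tokens if "=" in t]


def lint_dockerfile(text):
    """Return a list of policy findings (empty list means compliant)."""
    findings, user = [], None
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            ref = arg.split()[0]  # ignore a trailing 'AS stage'
            if not DIGEST_RE.search(ref):
                findings.append(f"base image not pinned by digest: {ref}")
        elif instr in ("ENV", "ARG"):
            for key in env_keys(arg):
                if SECRET_KEY_RE.search(key):
                    findings.append(f"secret baked into image via {instr} {key}")
        elif instr == "USER":
            user = arg.split(":")[0]
    if user in (None, "root", "0"):  # the last USER wins
        findings.append("no non-root USER: container processes run as root")
    return findings


def lint_compose(compose):
    """Return [(service, finding), ...] for a loaded Compose file."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        image = svc.get("image", "")
        if not DIGEST_RE.search(image):
            findings.append((name, f"image not pinned by digest: {image}"))
        if svc.get("privileged"):
            findings.append((name, "privileged container"))
        if str(svc.get("user", "")).split(":")[0] in ("root", "0"):
            findings.append((name, "explicitly runs as root"))
        for vol in svc.get("volumes", []):
            if isinstance(vol, dict):
                src, is_bind = vol.get("source", ""), vol.get("type") == "bind"
            else:  # short "src:dst" syntax: a path source is a host mount
                src, is_bind = vol.split(":")[0], False
            if is_bind or src.startswith(("/", ".", "~")):
                findings.append((name, f"host volume mount: {src}"))
        env = svc.get("environment", {})
        pairs = env.items() if isinstance(env, dict) else (e.split("=", 1) for e in env)
        for pair in pairs:  # a key with no value is passed through at runtime: fine
            key, value = pair[0], (pair[1] if len(pair) > 1 else None)
            if SECRET_KEY_RE.search(key) and value not in (None, ""):
                findings.append((name, f"secret value inlined in environment: {key}"))
    return findings


PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # constructed, not a real image digest
BAD_DOCKERFILE = """\
FROM openjdk:8-jre
ENV API_KEY=replace-me \\
    APP_HOME=/opt/app
COPY target/app.jar /opt/app/app.jar
CMD ["java", "-jar", "/opt/app/app.jar"]
"""
GOOD_DOCKERFILE = f"""\
FROM openjdk@{PLACEHOLDER_DIGEST}
RUN groupadd -r app && useradd -r -g app app
COPY --chown=app:app target/app.jar /opt/app/app.jar
USER app
CMD ["java", "-jar", "/opt/app/app.jar"]
"""
SAMPLE_COMPOSE = {  # constructed; as returned by a YAML loader
    "version": "3.3",
    "services": {
        "payments-api": {
            "image": f"dtr.example.internal/payments/api@{PLACEHOLDER_DIGEST}",
            "user": "app",
            "environment": {"APP_ENV": "preprod", "VAULT_ADDR": "https://vault.example.internal"},
            "secrets": ["payments_db_password"],
            "volumes": [{"type": "volume", "source": "payments-data", "target": "/data"}],
        },
        "legacy-batch": {
            "image": "dtr.example.internal/legacy/batch:latest",
            "privileged": True,
            "environment": ["DB_PASSWORD=hunter2", "JOB_NAME=eod"],
            "volumes": ["/srv/batch:/in", "batch-out:/out"],
        },
    },
}

if __name__ == "__main__":
    print(lint_dockerfile(BAD_DOCKERFILE), lint_dockerfile(GOOD_DOCKERFILE))
    print(lint_compose(SAMPLE_COMPOSE))
```

A pipeline that runs `lint_dockerfile` and `lint_compose` before an image is pushed to the registry turns the quoted rules into a gate: a non-empty result fails the build. The root check reads the final `USER` instruction of the Dockerfile, so a Compose service without an explicit `user` inherits whatever the image set, and an environment key with no value is left alone because that is exactly the runtime-injection pattern the text describes.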
Next level?
Not resting on its laurels, Societe Generale continues to imagine what else it might do to enhance its platform and deliver value-added services to its customers. One possibility is the use of Kubernetes for container orchestration. “It will be a discussion. Does the developer want to have some kube file to deploy or do they prefer the Docker tools? We will test it,” says Dechoux.
In the final moments of the DockerCon presentation, Dechoux also described four technology areas that are of interest to the bank. These include:
• Serverless: Dynamically allocate machine resources to allow focus on applications, not servers.
• Machine Learning: Predictive monitoring, to proactively predict and detect failure.
• Big Data: Hortonworks on containers with YARN – a large-scale, distributed operating system for big data applications – to support more varied processing approaches and a broader array of applications.
• GPU: Deploy tasks with Docker and use GPUs to accelerate calculations.
FOR SOCIETE GENERALE, THE MOVE TO CONTAINERS HAS CREATED NEW ENTHUSIASM.
What previously took one year can now be accomplished in three months. The bank now has more than 400 developers working every hour on the platform with a follow-the-sun model. “Everyone wants to onboard to the new platform. Everyone wants to help the platform to run. The UNIX team, the storage team, and the dev team want to help you. Everyone wants to work with Docker. It’s a change of mindset in the company. Everyone runs ONE project,” highlights Boussardon.
Societe Generale Recommendations for a Successful Container Project.
Clearly define priorities before each step. You cannot do everything at the same time.
Select your candidates with care. You cannot onboard people who cannot work on the platform – it will only create frustration. Why onboard someone who wants to do stateful if you cannot do it? Do some assessment and choose some candidates. You will have a big list. Sometimes you will see a feature is used by 80% of the candidates. Start here.
Never forget to discuss with all teams: the process and the responsibility of some teams will change. Everyone talks about DevOps, but in fact it’s not really like this. With Dev everything is possible, everything is easy. With Ops everything is no – no, we won’t do it. You have to cross the two worlds to find a good way to work and have a core team on the infrastructure.