CASE STUDY: Société Générale

Four phases of successful Docker adoption.

One of the biggest banks in Europe, Societe Generale leverages digital solutions to modernize and reinvent all aspects of its business. By taking advantage of new technologies like Docker containers, Societe Generale is able to quickly develop value-added services to stay in step with new client behaviors. The firm’s journey to a modern, cloud architecture didn’t happen overnight. A phased approach helped Societe Generale incrementally adapt to a new infrastructure while maintaining their primary goals of security and reliability.

Adapted from Societe Generale DockerCon 2017 presentation.

Upload: phamdung

Post on 10-May-2018


About Societe Generale.

Societe Generale is France's third largest bank by total assets and the sixth largest in Europe. Headquartered in Paris, the multinational financial services firm has divisions supporting global transaction banking, international retail banking, corporate and investment banking, private banking, asset management and securities services.

Societe Generale uses digital strategies to transform banking relationships with its customers, whether they be individuals, institutions, large companies or private banking clients. To keep up with changing digital usage by consumers, Societe Generale is increasing its innovation in web and mobile services to ensure its customers enjoy greater autonomy, simplicity and security.

“Everyone wants to do Docker.”

“Everyone wants to do Docker,” declares Thomas Boussardon, Middleware Specialist at Societe Generale, as he speaks to the audience at DockerCon 2017. To get there, Boussardon and his team, which includes DevOps architect Stéphan Dechoux, laid out a plan for container adoption and delivery of containers-as-a-service (CaaS) and platform-as-a-service (PaaS) at the financial services firm. In the two years since the start of the project, they have successfully built the platform, onto which they have onboarded 20 applications, with more than 50 applications in the pipeline for containerization.

“You have to understand that we have a lot of applications,” states Boussardon. This includes legacy applications, service-oriented architecture (SOA), REST APIs, monolithic applications, and distributed applications. “In the investment bank it’s nearly 1500 applications – and we want people to run exactly in the same infrastructure.” The Societe Generale container project seeks to both transform and unify the company’s infrastructure with the goal of reaching a new level of agility, scalability, and automation for application rollouts while ensuring security, stability, and performance.

“We want to improve the user experience, to easily deploy apps, to upgrade easily, and decrease time to market,” describes Boussardon. “The use cases in banking are changing. We want now to be able to expose APIs on internet. We must be able to expose everything in a DMZ to be ready to do Open Banking and in a few months be able to do blockchain – and for this we are building this platform.”

The team knew that Docker adoption would not happen overnight. To ensure success, they mapped a four-phase plan to guide their efforts.

The phases of Docker adoption at Societe Generale.

LEVEL 0 – WHAT CAN WE REUSE WITH DOCKER?

The first phase for the bank was simply to assess what they already have in place. Ideally, the software and hardware solution investments already made by the firm could be integrated and used in the new platform. Illustrating the scale of Societe Generale’s IT equipment as it exists today, Dechoux posed this question to the session audience, “If we stack all of our datacenter equipment, what will be the height of this tower?” The answer? More than 8x the height of the Eiffel Tower! “We can store more than 200 years of HD video, our global fiber network can cover the Tour de France race, and our grid computing can forecast weather faster than Meteo France (the French national meteorological service).”

“We didn’t want to rebuild and recreate everything. We have applications and systems and have people who can run them. What we want to do is build a platform that can host our applications but also use what we already have,” explains Boussardon. Existing services that Societe Generale wanted to carry over to the new container environment included Jenkins for CI/CD, GitHub for source control, Nexus for their artifact repository, NetApp for persistent storage, Hortonworks for their data lake, HashiCorp Vault for secrets management, and Consul for their service registry. As much as possible they also wanted to maintain the tools used for their development stack. For Java apps this includes Netflix Open Source Software (OSS), Spring Cloud, RabbitMQ and Zipkin, and for .NET apps it consists of .NET Core, ASP.NET, and Open Web Interface for .NET (OWIN).

LEVEL 1 – INTRODUCING DOCKER ENTERPRISE EDITION.

The next phase for Societe Generale was to introduce Docker Enterprise Edition (EE) featuring Docker Engine to run containers, Docker Universal Control Plane (UCP) with Docker Swarm for orchestration, and Docker Trusted Registry (DTR) to store images. The team also evolved their continuous integration and continuous delivery (CI/CD) pipeline practice to support Docker and the container lifecycle from test and dev to production. The work completed in this step took place within the first 6 months of the project.

Prior to Docker, the company utilized virtual machines (VMs) and bare metal servers to host applications. With the shift to containers, the team was tasked to define how the build and deploy process would work in the new platform. As much as possible, Societe Generale wanted their new workflow to utilize existing technology to reduce disruption to developers. For their build process, they began to run their Jenkins master and Jenkins slaves in Docker containers.

[Figure: build and deploy workflow. Labels: Jenkins master, Jenkins slave, GitHub source control, Docker images, Docker UCP, Docker HRM, Docker workers; deploy order: scheduled, triggered, manual.]

Now, when the company creates an application, they pull from GitHub and Nexus to build Docker images. Once the application is tested, they push the images to their Docker Trusted Registry (DTR), which makes the application readily available to everyone who has a right to use it. Societe Generale’s deploy process follows a similar workflow and provides the flexibility to schedule a deployment, to trigger a deployment after a change is done or a new image is available, or to manually deploy should the team decide to re-deploy an application. For production rollouts, Societe Generale leverages the Docker UCP to send orders to Docker workers to deploy containers.

LEVEL 2 – STATEFUL CONTAINERS AND DOCKER MONITORING.

For the next phase, 10 months into the project, Societe Generale began onboarding applications into production. During this period they defined what was required to mature the capabilities of the platform to ensure successful operation in production and to enable a wider range of applications to be supported. Three critical enhancements were identified by the team for this phase. First, they needed to support stateful containers to ensure retention of critical data created by applications. Second, they also defined a requirement for a monitoring solution specifically designed to provide visibility into containerized infrastructure and applications. Third, they upgraded how they performed logging for the environment in conjunction with the monitoring solution.

Satisfying their goal of reusing existing infrastructure in the container environment, Societe Generale adapted Docker to take advantage of their NetApp storage to support stateful applications that generate data the company wants to keep safe. Two Docker Volume plugins are utilized within the environment, one for NFS from NetApp, and one for CIFS from Netshare. With this functionality in place, the bank can now run stateful applications. Examples of these stateful services include their Jenkins Master, the company’s ELK stack with ElasticSearch, and data generated by batch jobs. “We need to be able to restart without losing information,” highlights Boussardon. With this rollout, Societe Generale is able to onboard stateful applications and ensure that they don’t lose information even if the container crashes.

[Figure: platform components. Docker (UCP, Engine, DTR); continuous delivery / integration: Jenkins; persistent storage: NetApp; source control: GitHub; data lake: Hortonworks; artifact repository: Nexus.]

Choosing Sysdig for Container Monitoring.

“Monitoring containers is not the same as monitoring old applications where you know the server, you know the IP, and you know the port. In containers it’s not like this,” explained Boussardon. “With containers, everything changes every time. Your application never runs on the same node, never runs with the same IP, and never runs with the same port. We had to find a solution to monitor this. That’s why we decided to use Sysdig. It gives us a way to introspect what is happening in our containers. It provides us dashboards and also sends metrics and all our logs to our data lake.” Sysdig Monitor enables the team to see what is occurring not only within the physical environment but also inside their containers. The development and operations teams are now able to monitor, alert, and troubleshoot resource usage across all layers of their containerized infrastructure. With this insight, Societe Generale can identify and address issues

Sysdig Monitor featuring ContainerVision enables Societe Generale to:

• Analyze process execution, file system activity, and network activity inside containers in a single view.

• Visualize the dependencies in containerized environments to quickly isolate the root cause of performance issues.

• Inspect application activity inside containers like HTTP error codes, URL response times, and database queries.

For its initial rollout, the company deployed the Sysdig Monitor solution on-premises to enable the collection of metrics on internal infrastructure within its PaaS. This deployment model lets Societe Generale leverage their existing capital investments and ensures they meet their defined security and compliance requirements.

LEVEL 3 – MICROSERVICES AND SECURITY.

As Societe Generale entered the next phase of their project, the platform was actively supporting a number of applications – both modern apps and traditional legacy apps. At this stage, 15 months into the project, the company began to onboard applications as microservices. Their approach was to enable a parallel run of applications, continuing to support apps on non-container infrastructure while concurrently running the same apps in production on containers. As Dechoux describes it, “We already have microservices in the bank running on VMs or bare metal, and we want to be able to migrate to Docker. We want to have a parallel run with the same services running in containers in a canary or blue-green scenario.”

With apps running in this cross-platform services configuration, Societe Generale chose to maintain some services outside of containers. By taking this approach, the team maintains the immutability of their container images – a main principle of containers – while injecting at runtime the configuration the application needs, its secret (e.g. API key, password), and its certificate. “We want to build the image one time in development and the same image will follow all the next environments – UIT integration, pre-prod, and production, etc.,” explains Dechoux.

During this phase Societe Generale also introduced Fabio, a containerized dynamic L7 load balancer that delivers “L7-as-a-Service” to route traffic with microservices deployments managed by Consul. Fabio checks with the Consul service registry and adapts its configuration based on state changes it discovers. Societe Generale runs a dedicated Fabio container for each containerized application.

[Figure: platform components. Docker (UCP, Engine, DTR); secrets management: Vault; monitoring + alerting: Sysdig; service registry / KV store: Consul; persistent storage: NetApp; dynamic L7 load balancer: Fabio; data lake: Hortonworks; continuous delivery / integration: Jenkins; source control: GitHub; artifact repository: Nexus.]

The final focus of this phase of Societe Generale’s container project was to improve security. “It must be robust and rock solid,” explains Dechoux. A key part of this process was to utilize Docker Security Scanning (DSS), an embedded feature of Docker EE that scans images for vulnerabilities. The team also scans Dockerfiles and compose files using an in-house linter tool developed to check that everything respects best practices.
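As an added illustration (not Societe Generale's in-house linter, whose rules the case study does not describe), the example below checks a Dockerfile and an already-parsed compose mapping against two of the rules Dechoux lists for policy enforcement: no running as root and no host volume mounts. The function names, the sample inputs and the assumption that a base image without a USER instruction runs as root are this example's own.

```python
import re

# Constructed sample inputs (not taken from the case study).
SAMPLE_DOCKERFILE = """\
FROM maven:3 AS build
USER builder
FROM openjdk:8-jre
COPY --from=build /app/target/app.jar /app.jar
"""
SAMPLE_COMPOSE = {"services": {
    "api": {"user": "1000:1000", "volumes": ["appdata:/var/lib/app"]},
    "batch": {"user": "0", "volumes": [
        "/var/log:/logs:ro",
        {"type": "bind", "source": "/etc", "target": "/host-etc"},
        "/scratch",  # anonymous volume: a container path, not a host mount
    ]},
}}

def is_root(user):
    """True if a USER / `user:` value (name or uid, optional :group) is root."""
    return str(user).split(":", 1)[0].strip() in {"root", "0"}

def lint_dockerfile(text):
    """Check the user the final build stage of a Dockerfile runs as."""
    user = None  # assumption: a base image that sets no USER runs as root
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instruction = parts[0].upper()
        if instruction == "FROM":
            user = None  # a USER set in an earlier stage does not carry over
        elif instruction == "USER" and len(parts) > 1:
            user = parts[1].strip()
    if user is None:
        return ["dockerfile: no USER in final stage, runs as root"]
    return [f"dockerfile: final USER is {user!r} (root)"] if is_root(user) else []

def host_source(volume):
    """Return the host path of a bind mount, or None for other volumes."""
    if isinstance(volume, dict):  # compose long syntax
        return volume.get("source") if volume.get("type") == "bind" else None
    source, sep, _ = str(volume).partition(":")  # short syntax SRC:DST[:MODE]
    if sep and re.match(r"(/|\.{1,2}/|~)", source):
        return source
    return None  # named volume (e.g. one served by a volume plugin)

def lint_compose(compose):
    """Return findings for an already-parsed compose mapping."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        if "user" in svc and is_root(svc["user"]):
            findings.append(f"{name}: user is root")
        for volume in svc.get("volumes", []):
            source = host_source(volume)
            if source is not None:
                findings.append(f"{name}: host path {source} mounted")
    return findings

if __name__ == "__main__":
    for finding in lint_dockerfile(SAMPLE_DOCKERFILE) + lint_compose(SAMPLE_COMPOSE):
        print(finding)
```

A compose service that sets no `user` inherits the image's user, so the two checks are meant to run together in the build pipeline.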

LEVEL 4 – HYBRID CLOUD AND SOFTWARE-DEFINED EVERYTHING.

As they look to the future, Societe Generale has set clear goals as to what they want to achieve by the end of the next year. This includes incorporating public cloud, deploying more cross-platform applications, and continuing to improve performance and security.

“The dream is to have some kind of cross-cluster between Amazure – Amazon and Azure – and our own site. To have something like a big giant cluster,” says Dechoux. Boussardon adds, “We’ve got our own cloud, our private cloud, but for overflow across data centers, we want to be able to go to public cloud like Amazon or Azure – and so we want to deploy our applications using immutability in other data centers and other environments.”

To help achieve this goal, the company has outlined a vision for “software-defined everything.” This includes moving toward software-defined networking to standardize the network between everything – VMs, bare metal servers, and containers. The bank also sees software-defined storage as a technology that can improve the way they are delivering storage, offering their customers different classes of service, such as gold, silver, and bronze, to provide a choice of capabilities around performance and persistence to satisfy diverse application requirements.

Because of the nature of their business, at each phase, Societe Generale also diligently works to enhance security. For level 4, the team intends to focus on security policy enforcement. “We are a bank, so security is everywhere,” says Dechoux. “We want to be able to create some rules, like you cannot run something as root, you cannot mount a host volume in your container, you cannot run this kind of command, and you cannot modify a bin directory. We want to have some set of policies that can be applied dynamically and for all containers to ensure security. Especially if we want to expose it in a DMZ.”

Next level?

Not resting on its laurels, Societe Generale continues to imagine what else it might do to enhance its platform and deliver value added services to its customers. One possibility is the use of Kubernetes for container orchestration. “It will be a discussion. Does the developer want to have some kube file to deploy or do they prefer the Docker tools? We will test it,” says Dechoux.

In the final moments of the DockerCon presentation, Dechoux also described four technology areas that are of interest to the bank. This includes:

• Serverless: Dynamically allocate machine resources to allow focus on applications, not servers.

• Machine Learning: Predictive monitoring, proactively predict and detect failure.

• Big Data: Hortonworks on containers to Yarn stuff – a large-scale, distributed operating system for big data applications to support more varied processing approaches and a broader array of applications.

• GPU: Deploy tasks with Docker and use GPU to accelerate calculations.

FOR SOCIETE GENERALE, THE MOVE TO CONTAINERS HAS CREATED NEW ENTHUSIASM.

What previously took one year now is able to be accomplished in three months. The bank now has more than 400 developers working every hour on the platform with a follow-the-sun model. “Everyone wants to onboard to the new platform. Everyone wants to help the platform to run. The UNIX team, the storage team, and the dev team want to help you. Everyone wants to work with Docker. It’s a change of mindset in the company. Everyone runs ONE project,” highlights Boussardon.

Societe Generale Recommendations for a Successful Container Project.

Clearly define priorities before each step. You cannot do everything at the same time.

Select with care your candidates. You cannot onboard people who cannot work on the platform - it will only create frustration. Why onboard someone who wants to do stateful if you cannot do it? Do some assessment - choose some candidates. You will have a big list. Sometimes you will see a feature is used by 80% of the candidates. Start here.

Never forget to discuss with all teams: The process and the responsibility of some teams will change. Everyone talks about DevOps, but in fact it’s not really like this. With Dev everything is possible, everything is easy. With Ops everything is no – no we won’t do it. You have to cross the two worlds to find a good way to work and have a core team on the infrastructure.