Case study: Société Générale - Sysdig · 2019-11-06

Four phases of successful Docker adoption.

CASE STUDY

Société Générale

One of the biggest banks in Europe, Societe Generale leverages digital solutions to modernize and reinvent all aspects of its business. By taking advantage of technologies like Docker containers with orchestration, platform-as-a-service (PaaS) and public cloud solutions like AWS, Societe Generale is able to quickly develop value-added services to stay in step with new client behaviors. The firm’s journey to a modern cloud and a new architecture didn’t happen overnight. A phased approach - including a strategic focus on visibility and security - has helped Societe Generale successfully adapt to containers and microservices while maintaining a laser focus on their primary goals of reducing risk and delivering high reliability.

Adapted from Societe Generale DockerCon presentation.

About Societe Generale.

Societe Generale is France's third largest bank by total assets and the sixth largest in Europe. Headquartered in Paris, the multinational financial services firm has divisions supporting global transaction banking, international retail banking, corporate and investment banking, private banking, asset management and securities services.

Societe Generale uses digital strategies to transform banking relationships with its customers, whether they be individuals, institutions, large companies or private banking clients. To keep up with changing digital usage by consumers, Societe Generale is increasing its innovation in web and mobile services to ensure its customers enjoy greater autonomy, simplicity and security.

“Everyone wants to do Docker,” declares Thomas Boussardon, Middleware Specialist at Societe Generale, as he speaks to the audience at DockerCon 2017. To get there, Boussardon and his team, which includes DevOps architect Stéphan Dechoux, laid out a plan for container adoption and delivery of containers-as-a-service (CaaS) and platform-as-a-service (PaaS) at the financial services firm. In the two years since the start of the project, they have successfully built the platform onto which they have onboarded 20 applications, with more than 50 applications in the pipeline for containerization.

“You have to understand that we have a lot of applications,” states Boussardon. This includes legacy applications, service oriented architecture (SOA), REST APIs, monolithic applications, and distributed applications. “In the investment bank we have over 1500 applications – we want people to run exactly in the same infrastructure.”

The Societe Generale container project seeks to transform and unify the company’s infrastructure with the goal of reaching a new level of agility, scalability, and automation for application rollouts while ensuring security, stability, and performance.

“We want to improve the user experience, to easily deploy apps, to upgrade easily, and decrease time to market,” describes Boussardon. “The use cases in banking are changing. We want now to be able to expose APIs on the internet. We must be able to expose everything in a DMZ to be ready to do Open Banking and to be able to do blockchain – and for this we are building this platform.”

The team knew that Docker adoption would not happen overnight. To ensure success, they mapped a four-phase plan to guide their efforts.

“Everyone wants to do Docker.”

The phases of Docker adoption at Societe Generale.

LEVEL 0 – WHAT CAN WE REUSE IN A DOCKER CONTAINER ENVIRONMENT?

The first phase for the bank was simply to assess what they already have in place. Ideally, the software and hardware solution investments already made by the firm could be integrated and used in the new platform.

Illustrating the scale of Societe Generale’s IT equipment as it exists today, Dechoux posed this question to the session audience, “If we stack all of our datacenter equipment, what will be the height of this tower?” The answer? More than 8x the height of the Eiffel Tower! “We can store more than 200 years of HD video, our global fiber network can cover the Tour de France race, and our grid computing can forecast weather faster than Meteo France (the French national meteorological service).”

“We didn’t want to rebuild and recreate everything. We have applications and systems and have people who can run them. What we want to do is build a platform that can host our applications but also use what we already have,” explains Boussardon. Existing services that Societe Generale wanted to carry over to the new container environment included Jenkins for CI/CD, GitHub for source control, Nexus for their artifact repository, NetApp for persistent storage, Hortonworks for their data lake, Hashicorp Vault for secrets management, and Consul for their service registry. As much as possible they also wanted to maintain the tools used for their development stack. For Java apps this includes Netflix Open Source Software (OSS), Spring Cloud, RabbitMQ and Zipkin, and for .NET apps it consists of .NET Core, ASP.NET, and Open Web Interface for .NET (OWIN).

LEVEL 1 – INTRODUCING DOCKER ENTERPRISE EDITION.

The next phase for Societe Generale was to introduce Docker Enterprise Edition (EE), featuring Docker Engine to run containers, Docker Universal Control Plane (UCP) with Docker Swarm for orchestration, and Docker Trusted Registry (DTR) to store images. The team also evolved their continuous integration and continuous delivery (CI/CD) pipeline practice to support Docker and the container lifecycle from test and dev to production. The work completed in this step took place within the first 6 months of the project.

Prior to Docker, the company utilized virtual machines (VMs) and bare metal servers to host applications. With the shift to containers, the team was tasked to define how the build and deploy process would work in the new platform. As much as possible, Societe Generale wanted their new workflow to utilize existing technology to reduce disruption to developers. For their build process, they began to run their Jenkins master and Jenkins slaves in Docker containers.

[Diagram: build and deploy workflow – Jenkins master and Jenkins slaves, GitHub source control, Docker images, Docker UCP and Docker HRM, Docker workers; deploy orders are scheduled, triggered or manual; apps description.]

Now, when the company creates an application, they pull from GitHub and Nexus to build Docker images. Once the application is tested, they push the images to their Docker Trusted Registry (DTR), which makes the application readily available to everyone who has a right to use it. Societe Generale’s deploy process follows a similar workflow and provides the flexibility to schedule a deployment, to trigger a deployment after a change is done or a new image is available, or to manually deploy should the team decide to re-deploy an application. For production rollouts, Societe Generale leverages the Docker UCP to send orders to Docker workers to deploy containers.

LEVEL 2 – STATEFUL CONTAINERS AND DOCKER MONITORING.

For the next phase, 10 months into the project, Societe Generale began onboarding applications into production. During this period they defined what was required to mature the capabilities of the platform to ensure successful operation in production and to enable a wider range of applications to be supported. Three critical enhancements were identified by the team for this phase. First, they needed to support stateful containers to ensure retention of critical data created by applications. Second, they also defined a requirement for a monitoring solution specifically designed to provide visibility into containerized infrastructure and applications. Third, they upgraded how they performed logging for the environment in conjunction with the monitoring solution.

Satisfying their goal of reusing existing infrastructure in the container environment, Societe Generale adapted Docker to take advantage of their NetApp storage to support stateful applications that generate data the company wants to keep safe. Two Docker Volume plugins are utilized within the environment, one for NFS from NetApp, and one for CIFS from Netshare. With this functionality in place, the bank can now run stateful applications. Examples of these stateful services include their Jenkins Master, the company’s ELK stack with ElasticSearch, and data generated by batch jobs. “We need to be able to restart without losing information,” highlights Boussardon. With this rollout, Societe Generale is able to onboard stateful applications and ensure that they don’t lose information even if the container crashes.

[Diagram: Docker UCP / Engine / DTR at the center, surrounded by continuous delivery / integration (Jenkins), persistent storage (NetApp), source control (GitHub), data lake (Hortonworks), and artifact repository (Nexus).]

LEVEL 2 – STATEFUL CONTAINERS AND DOCKER MONITORING.

Choosing Sysdig for Container Monitoring.

“Monitoring containers is not the same as monitoring old applications where you know the server, you know the IP, and you know the port. In containers it’s not like this,” explained Boussardon. “With containers, everything changes every time. Your application never runs on the same node, never runs with the same IP, and never runs with the same port. We had to find a solution to monitor this. That’s why we decided to use Sysdig. It gives us a way to introspect what is happening in our containers. It provides us dashboards and also sends metrics and all our logs to our data lake.” Sysdig Monitor enables the team to see what is occurring not only within the physical environment but also inside their containers and across a hybrid cloud estate that includes private data centers and public clouds including AWS. Societe Generale's development and operations teams are now able to monitor, alert, and troubleshoot resource usage across all layers of their containerized infrastructure.

“With containers, everything changes every time. Your application never runs on the same node, never runs with the same IP, and never runs with the same port. We had to find a solution to monitor this. That’s why we decided to use Sysdig.”

LEVEL 2 – STATEFUL CONTAINERS AND DOCKER MONITORING.

Sysdig Monitor featuring ContainerVision & ServiceVision enables Societe Generale to:

• Analyze process execution, file system activity, and network activity inside containers in a single view.

• Visualize the dependencies in containerized environments to quickly isolate the root cause of performance issues.

• Inspect application activity inside containers like HTTP error codes, URL response times, and database queries.

With this insight, Societe Generale can quickly identify and address any issues that occur.

For its initial rollout, the company deployed the Sysdig Monitor solution on-premises to enable the collection of metrics on internal infrastructure within its PaaS. This deployment model lets Societe Generale leverage their existing capital investments and ensures they meet their defined security and compliance requirements.

LEVEL 3 – MICROSERVICES AND SECURITY.

As Societe Generale entered the next phase of their project, the platform was actively supporting a number of applications – both modern apps and traditional legacy apps. At this stage, 15 months into the project, the company began to onboard applications as microservices. Their approach was to enable a parallel run of applications, continuing to support apps on non-container infrastructure while concurrently running the same apps in production on containers. As Dechoux describes it, “We already have microservices in the bank running on VMs or bare metal, and we want to be able to migrate to Docker. We want to have a parallel run with the same services running in containers in a canary or blue-green scenario.”

With apps running in this cross-platform services configuration, Societe Generale chose to maintain some services outside of containers. By taking this approach, the team maintains the immutability of their container images – a main principle of containers – and injects at runtime the configuration the application needs, its secrets (e.g. API key, password), and its certificates. “We want to build the image one time in development and the same image will follow all the next environments – UIT integration, pre-prod, and production, etc.,” explains Dechoux.

During this phase Societe Generale also introduced Fabio, a containerized dynamic L7 load balancer that delivers “L7-as-a-Service” to route traffic for microservices deployments managed by Consul. Fabio checks with the Consul service registry and adapts its configuration based on state changes it discovers. Societe Generale runs a dedicated Fabio container for each containerized application.
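The Consul/Fabio routing described above, as an added example that is not Societe Generale's, Consul's or Fabio's own code: a service instance registers itself with Consul carrying a `urlprefix-` tag (the tag convention Fabio reads) plus a health check, and Fabio derives its route table from the registry, sending traffic only to instances whose check is passing. The service names, IPs, ports and the `ServiceInstance` shape are constructed for illustration; the registration payload uses Consul's agent service-definition field names.

```python
"""Added example (not Societe Generale's, Consul's or Fabio's own code): registering a
containerized service in Consul with a Fabio 'urlprefix-' tag, and deriving the route
table Fabio would build from the registry state. Names, IPs and ports are constructed."""
from dataclasses import dataclass


def consul_registration(name, address, port, url_prefix, health_path="/health"):
    """Build a Consul agent service definition (the JSON body for
    PUT /v1/agent/service/register). Fabio routes only to services that carry a
    'urlprefix-' tag and whose health check is passing, so the check is mandatory."""
    return {
        "ID": f"{name}-{address}-{port}",  # unique per instance; node/IP/port change every run
        "Name": name,
        "Address": address,
        "Port": port,
        "Tags": [f"urlprefix-{url_prefix}"],
        "Check": {"HTTP": f"http://{address}:{port}{health_path}", "Interval": "10s"},
    }


@dataclass
class ServiceInstance:
    """One registered instance as seen in the Consul catalog (constructed shape)."""
    name: str
    address: str
    port: int
    tags: list
    status: str  # Consul health state: "passing", "warning" or "critical"


# Constructed registry state: two accounts-api containers (one crashed and failing
# its check), one payments-api, and a batch job that carries no routing tag.
SAMPLE_INSTANCES = [
    ServiceInstance("accounts-api", "10.0.1.12", 32771, ["urlprefix-/accounts"], "passing"),
    ServiceInstance("accounts-api", "10.0.2.7", 30455, ["urlprefix-/accounts"], "critical"),
    ServiceInstance("payments-api", "10.0.1.12", 32780, ["urlprefix-/payments"], "passing"),
    ServiceInstance("legacy-batch", "10.0.3.3", 8080, [], "passing"),
]


def routing_table(instances):
    """Map each URL prefix to the upstreams that currently pass their health check.
    An instance with no 'urlprefix-' tag is registered but never exposed, and a
    container that crashed or moved drops out on the next registry change."""
    table = {}
    for inst in instances:
        if inst.status != "passing":
            continue
        for tag in inst.tags:
            if tag.startswith("urlprefix-"):
                prefix = tag[len("urlprefix-"):]
                table.setdefault(prefix, []).append(f"http://{inst.address}:{inst.port}")
    return table


def route_for(table, path):
    """Longest-prefix match of a request path against the route table; None when
    no route exists, so unregistered paths are never forwarded anywhere."""
    best = None
    for prefix in table:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return table[best] if best is not None else None


if __name__ == "__main__":
    table = routing_table(SAMPLE_INSTANCES)
    print(table)
    print(route_for(table, "/accounts/123"))
```

The point of tying the route table to Consul health rather than to a static node/IP/port list is exactly the one Boussardon makes about monitoring: the instance identity changes on every run, so the registry state, not the address, is the source of truth.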

LEVEL 3 – MICROSERVICES AND SECURITY.

[Diagram: Docker UCP / Engine / DTR at the center, surrounded by secrets management (Vault), monitoring + alerting (Sysdig), service registry / KV store (Consul), persistent storage (NetApp), dynamic L7 load balancer (Fabio), data lake (Hortonworks), continuous delivery / integration (Jenkins), source control (GitHub), and artifact repository (Nexus).]

The final focus of this phase of Societe Generale’s container project was to improve security. “It must be robust and rock solid,” explains Dechoux. A key part of this process was to utilize Docker Security Scanning (DSS), an embedded feature of Docker EE that scans images for vulnerabilities. The team also scans Dockerfiles and compose files using an in-house linter tool developed to check that everything respects best practices.
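An added example of the kind of Dockerfile linter the paragraph above describes; this is not Societe Generale's in-house tool, whose rules the page does not list, but a small Python checker with rule codes (`SG001` to `SG006`) and two sample Dockerfiles that I constructed for illustration. It joins backslash continuations, skips comments, and flags the build-time habits that image scanning alone does not catch: an unpinned base image, a secret baked in via `ENV`/`ARG`, `ADD` from a URL, a download piped into a shell, and a final stage that runs as root.

```python
"""Added example (not Societe Generale's in-house linter): a minimal Dockerfile
best-practice checker. Rule codes SG001-SG006 and both sample Dockerfiles are
constructed for illustration."""
import re

SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def parse_dockerfile(text):
    """Return (line_number, INSTRUCTION, arguments) tuples after joining backslash
    continuations and dropping comments and blank lines."""
    instructions, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf, start = "", None
    return instructions


def lint_dockerfile(text):
    """Return a list of (line_number, code, message); line 0 means 'whole file'."""
    findings = []
    last_user = None
    for lineno, instr, args in parse_dockerfile(text):
        if instr == "FROM":
            image = args.split()[0]
            # 'scratch' and digest-pinned images need no tag; registry:port/name does not count as a tag.
            if image != "scratch" and "@sha256:" not in image:
                tag = image.rsplit(":", 1)[1] if ":" in image.split("/")[-1] else None
                if tag is None or tag == "latest":
                    findings.append((lineno, "SG001", f"base image '{image}' is not pinned to a version tag or digest"))
            last_user = None  # every stage starts as root again
        elif instr == "USER":
            last_user = args.strip()
            if last_user in ("root", "0"):
                findings.append((lineno, "SG002", "stage explicitly switches to root"))
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append((lineno, "SG003", "ADD from a URL; COPY a vetted artifact from the repository instead"))
        elif instr in ("ENV", "ARG"):
            key = re.split(r"[=\s]", args, maxsplit=1)[0]
            if SECRET_KEY_RE.search(key):
                findings.append((lineno, "SG004", f"{instr} {key} looks like a secret baked into the image; inject it at runtime"))
        elif instr == "RUN" and re.search(r"(curl|wget)[^|]*\|\s*(ba)?sh\b", args):
            findings.append((lineno, "SG005", "RUN pipes a download straight into a shell"))
    if last_user is None or last_user in ("root", "0"):
        findings.append((0, "SG006", "final stage sets no non-root USER; the container will run as root"))
    return findings


# Constructed 'before' Dockerfile that breaks every rule once.
SAMPLE_DOCKERFILE = """\
FROM openjdk:latest
ARG DB_PASSWORD=changeme
ENV APP_HOME=/opt/app
ADD https://example.invalid/app.jar /opt/app/app.jar
RUN curl -sSL https://example.invalid/install.sh | sh \\
    && chmod +x /opt/app/app.jar
USER root
CMD ["java", "-jar", "/opt/app/app.jar"]
"""

# Constructed hardened form: pinned base, artifact copied from the build context
# (fetched from the artifact repository by the pipeline), secrets left to runtime, non-root user.
HARDENED_DOCKERFILE = """\
FROM openjdk:8-jre-alpine
ENV APP_HOME=/opt/app
RUN addgroup -S app && adduser -S app -G app
COPY --chown=app:app app.jar /opt/app/app.jar
USER app
CMD ["java", "-jar", "/opt/app/app.jar"]
"""

if __name__ == "__main__":
    for lineno, code, msg in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {code} {msg}")
    print("hardened:", lint_dockerfile(HARDENED_DOCKERFILE))
```

Run in the CI stage before `docker build`, a non-empty finding list fails the job, which is the natural place to enforce the "build once, inject config and secrets at runtime" rule from Level 3.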

LEVEL 4 – HYBRID CLOUD AND SOFTWARE-DEFINED EVERYTHING.

Societe Generale has set clear goals to incorporate public cloud, deploy cross-platform applications, and continue to improve performance and security along the way to protect their customer data and deliver a great experience with its applications.

“The dream is to have some kind of cross-cluster between Amazure – Amazon Web Services and Azure – and our own site. To have something like a big giant cluster,” says Dechoux. Boussardon adds, “We’ve got our own cloud, our private cloud, but we are incorporating public clouds like Amazon or Azure. We want to deploy our applications using immutability in other data centers and other environments.”

To help achieve this goal, the company has outlined a vision for “software-defined everything.” This includes moving toward software-defined networking to standardize the network between everything – VMs, bare-metal servers, and containers. The bank also sees software-defined storage as a technology that can improve the way they deliver storage, offering their customers different classes of service, such as gold, silver, and bronze, to provide a choice of capabilities for performance and persistence to satisfy diverse application requirements.

Because of the nature of their business, at each phase of their evolution, Societe Generale diligently works to enhance security. For level 4, the team intends to focus on security policy enforcement. “We are a bank, so security is everywhere,” says Dechoux. “We want to be able to create some rules, like you cannot run something as root, you cannot mount a host volume in your container, you cannot run this kind of command, and you cannot modify a bin directory. We want to have some set of policies that can be applied dynamically and for all containers to ensure security. Especially if we want to expose it in a DMZ.”
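The policy rules Dechoux lists above, as an added example that is not Societe Generale's, Docker's or Sysdig's own code: a small Python policy engine that evaluates every container against a rule set, reading configuration in the shape `docker inspect` returns (`Config.User`, `HostConfig.Binds`, `HostConfig.Privileged`, `HostConfig.ReadonlyRootfs`, `Mounts`). The rule codes and the two sample containers are constructed; the "cannot modify a bin directory" rule is approximated here by requiring a read-only root filesystem, which is an assumption about how one would enforce it.

```python
"""Added example (not Societe Generale's, Docker's or Sysdig's own code): a policy
engine over docker-inspect-style container records. Rule codes and the sample
containers are constructed; 'no modifying /bin' is approximated as ReadonlyRootfs."""


def running_as_root(c):
    """Config.User empty (image default, i.e. root), 'root', or uid 0."""
    user = (c.get("Config", {}).get("User") or "").split(":")[0]
    return user in ("", "root", "0")


def host_paths_mounted(c):
    """Host directories reachable from the container: HostConfig.Binds entries whose
    source is an absolute host path (named volumes have no leading '/') plus
    Mounts of type 'bind'."""
    paths = []
    for bind in c.get("HostConfig", {}).get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.startswith("/"):
            paths.append(src)
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source") not in paths:
            paths.append(m["Source"])
    return paths


# Policy = (code, description, predicate that returns True when the rule is violated).
POLICIES = [
    ("POL-ROOT", "container must not run as root", running_as_root),
    ("POL-HOSTMOUNT", "container must not mount a host volume",
     lambda c: bool(host_paths_mounted(c))),
    ("POL-PRIV", "container must not be privileged",
     lambda c: bool(c.get("HostConfig", {}).get("Privileged"))),
    ("POL-RWROOT", "root filesystem must be read-only so /bin cannot be modified",
     lambda c: not c.get("HostConfig", {}).get("ReadonlyRootfs")),
]


def evaluate_policies(containers, policies=POLICIES):
    """Apply every policy to every container; returns {name: [violated codes]}."""
    report = {}
    for c in containers:
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        report[name] = [code for code, _desc, violated in policies if violated(c)]
    return report


def admissible(container, policies=POLICIES):
    """True when the container breaks no policy: the yes/no an admission hook or a
    runtime enforcer would act on before letting it run (or face the DMZ)."""
    return not any(violated(container) for _code, _desc, violated in policies)


# Constructed docker-inspect-style records: a compliant API container and a legacy
# batch job that breaks every rule.
SAMPLE_CONTAINERS = [
    {
        "Id": "c1", "Name": "/accounts-api",
        "Config": {"User": "1000:1000", "Image": "dtr.example.invalid/accounts-api:1.4.2"},
        "HostConfig": {"Binds": ["accounts-data:/var/lib/app"], "Privileged": False,
                       "ReadonlyRootfs": True},
        "Mounts": [{"Type": "volume", "Name": "accounts-data", "Destination": "/var/lib/app"}],
    },
    {
        "Id": "c2", "Name": "/legacy-batch",
        "Config": {"User": "", "Image": "dtr.example.invalid/legacy-batch:latest"},
        "HostConfig": {"Binds": ["/data:/data"], "Privileged": True, "ReadonlyRootfs": False},
        "Mounts": [{"Type": "bind", "Source": "/data", "Destination": "/data"}],
    },
]

if __name__ == "__main__":
    for name, codes in evaluate_policies(SAMPLE_CONTAINERS).items():
        print(name, "OK" if not codes else "VIOLATES " + ", ".join(codes))
```

Because the rules are data, they can be extended or tightened without touching the evaluator, which is what "applied dynamically and for all containers" asks for; feeding the same predicates the event stream from a runtime monitor turns the static check into continuous detection.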

Next level?

Societe Generale continues to imagine what else it might do to enhance its platform and deliver value-added services to its customers. One possibility is adopting Kubernetes for container orchestration. “It will be a discussion. Does the developer want to have some kube file to deploy or do they prefer the Docker tools?” says Dechoux.

In the final moments of the Societe Generale presentation, Dechoux describes four technology areas that are of interest to the bank:

• Serverless: Dynamic allocation of machine resources to shift focus to applications, not servers.

• Machine Learning: Predictive monitoring to pro-actively predict and detect failures.

• Big Data: A large-scale, distributed operating system for big data applications to support varied processing approaches and a broad array of applications.

• GPU: Deploy tasks with containers and use GPUs to accelerate calculations.

THE MOVE TO CLOUD AND CONTAINERS CREATES NEW ENTHUSIASM.

What previously took one year can now be accomplished in three months. The bank now has more than 400 developers working every hour on the platform with a follow-the-sun model. Boussardon summarizes the excitement of their teams about the new approach, “Everyone wants to onboard to the new platform. Everyone wants to help the platform to run. The UNIX team, the storage team, and the dev team all want to help. Everyone wants to work with Docker. It’s a change of mindset in the company. Everyone runs ONE project.”

Societe Generale recommendations for a successful container project.

Clearly define priorities before each step. You cannot do everything at the same time.

Select your candidates with care. You cannot onboard people who cannot work on the platform - it will only create frustration. Why onboard someone who wants to do stateful if you cannot do it? Do some assessment - choose some candidates. You will have a big list. Sometimes you will see a feature is used by 80% of the candidates. Start here.

Never forget to discuss with all teams: The process and the responsibility of some teams will change. Everyone talks about DevOps, but in fact it’s not really like this. With Dev everything is possible, everything is easy. With Ops everything is no – no we won’t do it. You have to cross the two worlds to find a good way to work and have a core team on the infrastructure.