Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on Azure with Docker
Patrick Chanezon, Docker Inc., @chanezon
Developing and deploying Java & Linux on Azure with Docker
March 2017
About the speaker: French, polyglot, platforms, software plumber, San Francisco, developer relations, @chanezon
Linux Container Ecosystem (diagram): public, hybrid and private infrastructure; ops, devops and developers; layers from Cloud and OS through Plugins and Orchestration up to Docker; plugin ecosystem examples shown: glusterfs, weave, calico, midokura, cisco, nuage.
The world needs tools of mass innovation
A programmable Internet would be the ultimate tool of mass innovation
A commercial product,
built on a development platform,
built on infrastructure,
built on standards.
Docker is building a stack to program the Internet
Docker Platform
Docker Platform constituencies: many purposes, users and infrastructure (today)
• Developer Community: need to experiment and innovate with leading edge tech
• Ops Community: need a predictable system to deploy and run apps
• Enterprise: run business critical apps at scale, anywhere
• Partner Ecosystem: extend and add value to a platform, with a shared path to monetization
The Docker Platform: Developers, Ops, Enterprise, Ecosystem
ONE PLATFORM: for Developers and IT; for Linux and Windows; on premises and in the cloud; traditional homegrown, commercial ISV and microservices applications
Docker Community Edition (CE) Docker Enterprise Edition (EE)
Docker Certified Docker Store
Docker Enterprise Edition (EE) and Community Edition (CE)
Community Edition (CE)
• Free Docker platform for “do it yourself” dev and ops
• Monthly Edge release with latest features for developers
• Quarterly release with maintenance for ops
Enterprise Edition (EE)
• CaaS enabled platform subscription (integrated container orchestration, management and security)
• Enterprise class support
• Quarterly releases, supported for one year each with backported patches and hotfixes
• Certified Infrastructure, Plugins, Containers
What is a Docker Edition
Making things simple for a great user experience (diagram of Azure building blocks: Virtual Network, VMSS, Blob Storage, Azure LB, ARM, AAD)
Enterprises need support and assurances
NEW Certification program for Infrastructure, Plugins and Containers
Infrastructure
Platform: Community Edition, Enterprise Edition
Docker Certified Launch Partners
Docker Store
• A commercial marketplace for partners and customers
• Publishers gain instant access to Docker users with product delivery in containers
• Customers gain ability to search, browse, purchase and manage from a single UX
Docker EE Subscription Tiers

Feature | EE Basic | EE Standard (Docker Datacenter) | EE Advanced
CaaS enabled platform | x | x | x
Container engine and built-in orchestration, networking, security | x | x | x
Docker Certified Infra, Plugins and ISV Containers | x | x | x
Image management with private registry, caching | | x | x
Integrated container app management | | x | x
Multi-tenancy with RBAC, LDAP/AD | | x | x
Integrated secrets mgmt, image signing, policy | | x | x
Image security scanning and continuous vulnerability monitoring | | | x
CaaS is the modern software supply chain framework
Isolation using Linux kernel features: namespaces (pid, mnt, net, uts, ipc, user) and cgroups (memory, cpu, blkio, devices)
Union File Systems & Image Layers
Swarm mode
Service API
Cryptographic node identity
Built-in routing mesh
Docker built-in orchestration
What’s New in Docker 17.03
• Docker EE and CE
• Compose file support for Swarm mode service deployment: docker stack deploy --compose-file=docker-compose.yml my_stack
• Secrets Management
• System commands: docker system df, docker system prune
• Monitoring: docker service logs; experimental Prometheus metrics endpoint
• Build: docker build --squash
• CPU management: --cpus 2.5
• Docker for AWS & Azure GA
Docker & Microsoft: a great Open Source collaboration
Docker & Microsoft: collaboration on all fronts
• Build: Docker for Windows; Docker EE for Windows Server; Visual Studio Tools for Docker; Visual Studio Code Docker extension
• Ship: Visual Studio Team Services Docker integration; Azure Container Registry
• Run: Azure Docker agent; Azure Container Service Swarm and Swarm Mode; Docker EE in Azure Marketplace
Docker for Developers
Docker for Mac Docker for Windows
spring-doge.jar
Example: Spring Boot App using MongoDB
https://github.com/chanezon/docker-tips/
spring-doge
spring-doge-web
spring-doge-photo
API: Spring Boot, Spring Data
UI: AngularJS
Business Logic: java.awt
java -Dserver.port=8080 \
  -Dspring.data.mongodb.uri=mongodb://mongo:27017/test \
  -jar spring-doge.jar
Dockerfile
FROM java:8
MAINTAINER Patrick Chanezon <[email protected]>
EXPOSE 8080
COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
WORKDIR /usr/src/spring-doge
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
HEALTHCHECK --interval=5m --timeout=3s --retries=3 \
  CMD curl -f http://localhost:8080/ || exit 1
Using Docker to compile your jar/war
https://registry.hub.docker.com/_/maven/
docker run -it --rm \
  -v $PWD:/usr/src/spring-doge \
  -v maven:/root/.m2 \
  -w /usr/src/spring-doge \
  maven:3.3-jdk-8 \
  mvn package
Build an image (from the Dockerfile above)
docker build -t chanezon/spring-doge .
Run a container
docker run \
  --env MONGODB_URI=mongodb://mongo:27017/test \
  -p 8090:8080 \
  chanezon/spring-doge
docker-compose: running multiple containers
Run your stack with one command: docker-compose up
Describe your stack with one file: docker-compose.yml
version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8080:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
  mongo:
    image: mongo
Demo
Docker Java Labs
https://github.com/docker/labs/tree/master/developer-tools/
• Wildfly and Couchbase J2EE App
• Debugging a Java app in Docker using Eclipse
Docker for Ops
Docker for Azure
Azure Container Service
SLA-backed Azure service: az acs create…
ACS Engine
• Open-source project that enables power users to customize the cluster configuration
• Where Docker can work directly with Microsoft on newer versions of both Docker & ACS
https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md
Azure Container Service Swarm Mode
https://github.com/Azure/acs-engine/blob/master/docs/swarmmode.md
acs-engine ARM template generator
acs-engine swarmmode.json
cd _output/SwarmMode...
az group create --name "pat_az_5" --location "westus"
az group deployment create -g pat_az_5 -n pat_acs_5 \
  --template-file=azuredeploy.json \
  [email protected]
docker stack deploy
Deploy your stack with one command: docker stack deploy
Describe your stack with one file: docker-compose.yml
version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
Demo
Docker for Enterprise
Goals: Agility + Portability + Control
Docker Datacenter / Docker EE Platform (diagram): Docker Universal Control Plane with Integrated Security and Docker Trusted Registry, on top of Docker Engine (container runtime, orchestration, networking, volumes, plugins); surrounded by operating systems, config management, monitoring, logging, CI/CD, images, networking and volumes; running on virtualization, public cloud or physical infrastructure.
Usable Security
Secure defaults with tooling that is native to both dev and ops
The Key Components of Container Security: Infrastructure Independent + Trusted Delivery + Safer Apps = Usable Security
• Trusted Delivery: everything needed for a fully functioning app is delivered safely and guaranteed not to be tampered with
• Infrastructure Independent: all of these things in your system are in the app platform and can move across infrastructure without disrupting the app
Integrated Security with Docker EE: Infrastructure Independent + Trusted Delivery + Safer Apps
• Image Scanning
• TLS Encryption, Encryption at Rest
• App Secrets
• Image Signing & Verification
• Users & RBAC
• Dev/Ops Workflow
• Secure by default runtime
• Infrastructure: Public Cloud, Virtualization, Physical
Docker Universal Control Plane
UCP Permission Model
What’s New in Docker Datacenter
What’s New in Docker EE 17.03
Categories: Application Services; Content Trust and Distribution; Platform Enhancements
• Secrets Management
• HTTP Routing Mesh (GA)
• Docker Compose for Services
• Access control for Secrets and Volumes
• Image Content Cache
• On premises image security scanning and vulnerability monitoring
• Registry Webhooks
• DTR install command from UI
• UI Enhancements
• Additional LDAP configs
• Templates for AWS, Azure
Integrated Secrets Management
(Diagram: managers form a Raft consensus group backed by an internal distributed store; workers run the services that receive secrets; external apps and the Web UI talk to the managers.)
• Management: admins can add/remove/list/update secrets in the cluster; exposed to a container via a ”/secrets” tmpfs volume
• Authorization: tag secrets to a specific service; admins can authorize secrets access to users/teams via RBAC
• Rotation: use GUI to update a secret to all containers in a service
• Auditing: each user request for secret access is logged in the cluster for auditing
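As an added example (not a file from the deck or from the spring-doge repository), here is the docker stack deploy file from the earlier slide rewritten to use the Compose v3.1 secrets support that 17.03 introduced, so the MongoDB URI is delivered by the cluster's secrets store instead of a plaintext environment variable. The secret name mongodb_uri is my choice; Swarm mounts secrets read-only under /run/secrets inside the container.

```yaml
# Added example: spring-doge stack with the MongoDB URI supplied as a Docker secret.
# Assumes the secret was created out of band on a manager, for instance:
#   printf 'mongodb://mongo:27017/test' | docker secret create mongodb_uri -
# Deploy with: docker stack deploy --compose-file=docker-compose.yml spring_doge
version: '3.1'                 # 3.1 is the first Compose format with a secrets section
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    secrets:
      - mongodb_uri            # appears as /run/secrets/mongodb_uri (tmpfs, read-only)
    # Override the image CMD so the URI is read from the secret file rather than
    # from $MONGODB_URI. "$$" stops Compose interpolating the "$(...)" at deploy time.
    command: >
      sh -c 'java -Dserver.port=8080
      -Dspring.data.mongodb.uri="$$(cat /run/secrets/mongodb_uri)"
      -jar spring-doge.jar'
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
secrets:
  mongodb_uri:
    external: true             # created separately; the value never lives in this file
```

The secret value is no longer visible in docker service inspect output or in the container's environment, and rotating it follows the GUI/CLI update flow described above rather than a redeploy of the stack file.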
Security Scanning: Get a full BOM for a Docker Image
Security Scanning: Vulnerabilities and Licensing for Each Component
Security Scanning: Set Automated Policy for Scanning
Security Scanning: Online and Offline Updates
Compose for Services
• Deploy stacks (services, volumes, networks, secrets) using new Compose file v3.1 format
• Manage and monitor stacks directly from UCP UI
Built in HTTP Routing Mesh (Now GA!)
• Extend TCP routing mesh to HTTP hostname routing for services
• HTTPS support via SNI protocol
• Support for multiple HRM networks for enhanced app isolation
• External LB routes hostnames to nodes
• Can add hostname routing via UI
• Non-service containers continue to use Interlock ref arch
(Diagram: an external load balancer receives traffic for Foo.com, Bar.com and Qux.com via DNS on port 80 or another port and forwards it to the worker nodes, where the routing mesh delivers each hostname to its service.)
Docker EE on Azure
Free 30-day Test Drive from Docker Store
Demo
Resources
• Software: https://www.docker.com/get-docker
• Slides: https://www.slideshare.net/chanezon
• Samples: https://github.com/chanezon/docker-tips and https://github.com/docker/labs
THANK YOU