A few thoughts on using Docker

15/06/2017 by Brendon Higgins
 
What is Docker
“It’s a jail for applications” that enables Rapid Application Development
 
A container is the end product.  It is not the same as a VM
 
Docker Components
An image is the most important component and is used to create the container.  Think of an image as a ‘snapshot’ of the application and its dependencies.
 
Docker works on Layers
EVERYTHING in Docker is a layer, either a thin read/write layer or a thick read-only layer.
 
Docker Images
Images are designed to be hardware independent.  Use a CentOS image on ANY Linux distro.  Not able to ‘currently’ swap between Windows & Linux…
 
The Dockerfile
*** Learn this 1st ***
Allowed to have as many labels as you want.  Place things like email of owner in labels to enable anyone to see the information.
 
Interaction is not possible while the Dockerfile is processed.  Think of it as a ‘compiler process.’
 
There is no PID zero in containers.  Use “Foreground” or something else to allow interaction with container.
 
1st build is very slow as everything needs to be pulled down.  2nd & Nth build will then use the local cache data and will run fast.
 
Speaker creates a ‘base’ image with EVERYTHING he needs and uploads it to AWS.  Then any other containers that go on top can be VERY small with simple Dockerfiles.
 
Docker Registry/Repository
Free version is PUBLIC.  Speaker said his ‘Broken, Do not use’ container was downloaded multiple times!
 
Recommend using an AWS repository on an S3 bucket.  Works very well and costs pennies.
 
 
Docker container networking
Linux firewall on host MUST be on for networking to work as it depends on the firewall’s NAT.
 
Containers are stateless
When they restart, all data and changes are lost!
 
See slides
Options
Pull the config from Gitlab…
 
Drawbacks
Containers are read only, you just can’t edit a file and restart a service
If there is an issue, it can be hard to troubleshoot the problem
 
Q&A
How does security know what is happening if containers are just popping up everywhere?
  • Have a source control system for the config files
  • Deploy a release pipeline
  • Create a test harness to test security requirements
  • Create a process to discover issues in the environment.  Companies have discovered past mistakes and ensure they don’t happen again.  Over time this process will become very powerful
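As an added illustration of both the Dockerfile notes above (labels for the owner, a foreground main process, cache-friendly layer order, a small image on top of a pinned base) and the Q&A answer (a test harness that checks security requirements before a release pipeline ships an image), here is a POSIX shell script. It is not code from the talk or the speaker: the two Dockerfiles it writes are constructed samples, the `/app/server` binary, the `web-team@example.com` address and the `gitlab.example.com` URL are placeholders, and the checks only read the Dockerfile text, so no Docker daemon is needed to run it.

```shell
#!/bin/sh
# Added example, not from the talk: a constructed "good" Dockerfile that follows
# the notes above, a constructed "bad" one, and a tiny security test harness
# that a release pipeline could run on every Dockerfile it sees.

# Constructed sample that follows the notes: pinned base, owner label,
# dependency layer before the app layer (cache hits on rebuilds), non-root
# user, and a foreground main process.  /app/server is a hypothetical binary.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
FROM alpine:3.19
LABEL maintainer="web-team@example.com" \
      org.example.source="https://gitlab.example.com/web/site"
RUN apk add --no-cache ca-certificates
RUN adduser -D -u 10001 app
COPY app/ /app/
USER app
CMD ["/app/server"]
EOF
}

# Constructed sample of the kind the harness should reject: floating tag,
# no owner label, runs as root.
write_bad_dockerfile() {
  cat > "$1" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get install -y nginx
CMD ["nginx", "-g", "daemon off;"]
EOF
}

# Check one Dockerfile against the security requirements; print each failure
# and return non-zero if any check failed.
check_dockerfile() {
  f="$1"
  failures=0

  # 1. Base image pinned to a tag or digest, and not the floating "latest".
  if ! grep -Eq '^FROM[[:space:]]+[^[:space:]]+[:@][^[:space:]]+' "$f" \
     || grep -Eq '^FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$f"; then
    echo "FAIL: $f: base image is not pinned to a fixed tag or digest"
    failures=$((failures + 1))
  fi

  # 2. Ownership recorded in a label so anyone can find who owns the image.
  if ! grep -Eq '^LABEL[[:space:]]+.*maintainer=' "$f"; then
    echo "FAIL: $f: no maintainer label"
    failures=$((failures + 1))
  fi

  # 3. The service must not run as root inside the container.
  if ! grep -Eq '^USER[[:space:]]+' "$f" \
     || grep -Eq '^USER[[:space:]]+(root|0)([[:space:]:]|$)' "$f"; then
    echo "FAIL: $f: no non-root USER instruction"
    failures=$((failures + 1))
  fi

  # 4. A foreground main process must be declared.
  if ! grep -Eq '^(CMD|ENTRYPOINT)[[:space:]]+' "$f"; then
    echo "FAIL: $f: no CMD or ENTRYPOINT"
    failures=$((failures + 1))
  fi

  [ "$failures" -eq 0 ]
}

# Stand-alone demonstration on both constructed samples.
tmp=$(mktemp -d)
write_sample_dockerfile "$tmp/Dockerfile"
write_bad_dockerfile "$tmp/Dockerfile.bad"
check_dockerfile "$tmp/Dockerfile" && echo "PASS: $tmp/Dockerfile"
check_dockerfile "$tmp/Dockerfile.bad" || echo "rejected: $tmp/Dockerfile.bad"
rm -rf "$tmp"
```

In a pipeline, `check_dockerfile` would run against the Dockerfiles checked into source control, and a non-zero exit stops the build before the image reaches the registry; the checks are deliberately plain `grep` rules so that a new rule (a mistake the company has already made once) is a few lines to add.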
 