Tag Archives: Containers & Kubernetes

Docker Security – part 3(Engine access)

This is the third part of my Docker security series. In this blog, we will cover ways to securely access Docker engine. Following are the other parts (1, 2, 4)

Docker engine access:

Docker engine runs as a daemon and by default listens on the Unix socket, “unix:///var/
run/docker.sock”. In Ubuntu distributions, Docker start options are specified in “/etc/default/docker”. To allow Docker API and client to access Docker engine remotely, we need to expose Docker daemon using http socket. This can be done by:

DOCKER_OPTS="-D -H unix:///var/run/docker.sock -H
tcp://192.168.56.101:2376" -> add this to /etc/default/docker
Sudo service docker restart -> Restart Docker daemon

Exposing Docker daemon using http is not a good practice and it is needed to secure the connection using https. Similar to the way web browsers trust the web server using https and TLS, Docker client can establish a secure connection to Docker engine that provides confidentiality, authentication as well as integrity. There are two options: first option is for client to verify server identity and in second option both client and server verify each other’s identity. Certificates establish the identity of a server. For commercial purposes, Certificates can be purchased from third-party sources like Verisign. For testing purposes, we can generate certificates using Openssl as described below. The procedure below is based on the steps detailed here.

Server side authentication:

Continue reading Docker Security – part 3(Engine access)

Docker Security – part 2(Docker Engine)

This is the second part of my Docker security series. In this blog, we will cover security features around Docker engine. Following are the other parts(1, 3, 4)

Namespaces:

Docker makes use of the following Linux kernel Namespaces to achieve Container isolation:

  • pid namespace
  • mount namespace
  • network namespace
  • ipc namespace
  • UTS namespace

To illustrate the five namespaces mentioned above, let’s create two Ubuntu containers:

docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash
docker run -ti --name ubuntu2 -v /usr:/ubuntu2 ubuntu bash

PID namespace:

Continue reading Docker Security – part 2(Docker Engine)

Docker Security – part 1(Overview)

There is a general perception that Containers, especially Docker Containers, are insecure. It is true that Containers are not as secure as VM since all Containers in a single machine share the same kernel and compromising one Container can cause host level compromise or compromise with other Containers. There are many ways to harden Containers and the Docker team has put in a lot of effort to make Docker Containers secure. Docker release 1.10 introduces new security features like seccomp profiles, user namespace, authorization plugin that further enhances Docker security.

In this four part blog series on Docker security, I will cover the following:

  • The first part will cover overview of Docker Security and its different components.
  • The second part will focus on Docker engine security and associated Linux kernel capabilities.
  • The third part will focus on secure access to Docker engine.
  • The fourth part will focus on Container image security.

To better understand Docker security, I have classified Docker security into the following categories as shown in the picture below:

Continue reading Docker Security – part 1(Overview)

“Mastering CoreOS” book got published!

My book “Mastering CoreOS” finally got published on February 27, 2016. Big thanks to everyone who supported me in this effort. Motivation for writing this book as well as relevant links to purchase and get more details can be found here.

I will keep my fingers crossed on the feedback… I am hoping that the book helps folks to understand more about CoreOS, Containers and Docker and trigger their interests to learn more about these technologies.

Docker on Raspberry Pi

I recently purchased Raspberry Pi 2 modelB and I wanted to use it to try out some home IoT projects. I wanted to combine Docker with Raspberry Pi so that I can develop IoT application using Containers. There is already lot of work ongoing to get Docker working on Raspberry Pi and I learnt that it is pretty easy to use it currently. In this blog, I will cover how I setup my Raspberry Pi in headless mode and how I got Docker working in Raspberry Pi. I collected the steps from different websites and I have tried to put them together in this blog.

Model used:

We can buy Raspberry Pi base board alone or a starter kit which contains basic accessories along with the board. I bought this model from amazon which included powersupply, case, ethernet cable, hdmi cable, 8GB SD card with Noobs OS installed.

Basic setup:

I wanted to operate Pi in headless mode since I don’t have a separate monitor at home. Rather than using Noobs and then installing Raspbian OS, I preferred directly installing Raspbian OS in the SD card.

Burning Raspbian OS into SD card:

Continue reading Docker on Raspberry Pi

Trying out Docker in Windows

Few folks recently asked me how to try out Docker in Windows machine to get familiar with Docker and Containers. This is not the same as running Docker engine in Windows, there is some active work going on to achieve this. The easiest way to try out Docker is to use Docker Toolbox. I covered Toolbox in one of my earlier blogs. In this blog, I will provide the steps to create a simple environment to play with Docker engine, Swarm, Compose and Networking in Windows.

Pre-requisites:

  • Install Docker Toolbox from here.
  • Docker Toolbox 1.9 version has the following components(Docker client, Docker machine, Virtualbox, Kitematic, Compose, Git). If you already have Virtualbox and Git bash for Windows, you can skip the installation of these 2.
  • In this blog, I will use Docker CLI, so Kitematic is not needed.
  • I have executed commands below from git bash shell.

Following are the versions of Docker components that gets installed with Toolbox 1.9:

Continue reading Trying out Docker in Windows

Preview launch of my book “Mastering CoreOS”

Last 6 months, I have been blogging very little since I was busy writing a book on CoreOS. The book is available for pre-ordering now from the publisher websiteAmazon US and Amazon India. Discounts are available till Feb 29th from publisher and discount code is available here. The tentative publishing date is early end of Feb/early March.

Why I wrote the book other than the fact that I can make some money out of it?
I started blogging around later part of 2013. The first open source project that I tried was Opendaylight. It was very exciting to create virtual networks using Mininet and manage it with Openflow and Opendaylight. In early 2014, I focused on cloud technologies like AWS, Google Cloud and Openstack and learnt how Public and Private clouds revolutionized how we consume resources. Around August 2014, I started spending time on Devops and learnt how tools like Ansible eased the management pain not just in server infrastructure but also in networking infrastructure. From December 2014, I started spending time on Docker and CoreOS. The first Docker version I used was 1.3.1(Now its 1.9) and first CoreOS version I used was 500.x(Now its 933.x). Even though Microservices and Containers were present before, Docker made Containers easier to use which in turn made Microservices popular. CoreOS pretty much invented the Cluster OS or Container-optimized OS category and provided OS and tools that ease Container deployment. By writing this book, I felt that I could connect the dots between SDN, Cloud, Devops technologies that I focussed on earlier with Docker and CoreOS.

What are some questions the book tries to answer?
What is a Container-Optimized OS?
Why CoreOS and Containers are needed?
How to deploy microservices and distributed applications?
How to setup, maintain and update CoreOS cluster?
What role does key CoreOS services etcd, fleet, systemd play?
How does Docker and CoreOS manage networking and storage?
What role does standards play in Containers?
Why there are multiple Container runtimes like Docker and Rkt?
How does Kubernetes and Swarm orchestrate Container deployment?
How is Openstack, AWS ECS, Google Container engine, Tectonic related to CoreOS and Docker?
How to debug Containers and CoreOS?
What are the production considerations when deploying microservices?

What did I learn?
That there is a lot more to learn..
Open source is very powerful and it aids innovation and collaboration
Trying hands-on is more important than reading through software manuals
Can learn a lot from Conference Video recordings/slides, blogs
Need lot more patience for writing a book when compared to writing a blog
It is good to do something different part-time from daily office job to keep life interesting

If you read the book or read few chapters of the book, please feel free to provide your feedback..

Thanks to CoreOS, Docker and Container community for the amazing technologies that they have developed. Big thanks to Open source community for making software easily accessible to everyone.

Gopaddle Meetup Bangalore – CI, CD Presentation

Following link captures the slides on CI, CD with Docker, Jenkins and Tutum that I presented at GoPaddle meetup, Bangalore on January 23, 2015. You can find more details on the meetup here. In this presentation, I covered the following:

  • Overview of Continuous Integration(CI), Continuous deployment(CD)
  • Tutum Overview
  • Jenkins with Docker Integration
  • CI, CD Use cases with Docker and Jenkins, Docker and Tutum

Tutum Introduction

Tutum is a SaaS Container platform that can be used to build, deploy and manage Docker Containers. Docker acquired Tutum in October 2015. I have been playing with Tutum for the past few weeks and I will share some basics of Tutum and my experiences with Tutum in this blog.

Advantages

  • Very easy to get started and create Containers and multi-Container applications
  • Works with majority of cloud providers like AWS, GCE and our own node can also be used.
  • Hides orchestration, networking and storage complexity.
  • Provides GUI, CLI as well as api access
  • Gives own private repository within Tutum per user, other repositories can also be used
  • Logging, monitoring, Scaling and HA is built-in
  • Does rolling upgrade automatically
  • Suited for CI, CD Usecases

What can we do with Tutum?

  • Build Docker images from Dockerfiles
  • Have a private repository in Tutum for storing Docker images and also interact with already existing repositories
  • Deploy single container and multi-container application in cloud provider or in our own machine
  • Integrate with Github for automatic Container image build and deploy Containers automatically using rolling upgrade
  • Monitor, debug, manage and upgrade Containers and Services

Getting Started

  • Need Tutum account – Free at this point since Tutum is still in Beta
  • Cloud provider account or own node

Continue reading Tutum Introduction