DockerCon Europe 2017 Highlights

DockerCon Europe 2017 is coming to an end and we’d like to thank all of the speakers, sponsors and attendees for contributing to the success of these amazing 3 days in Copenhagen. All the slides will soon be published on our SlideShare account and all the breakout session video recordings will soon be available on the Docker website.

DockerCon Day 1 Highlights

On Tuesday, we announced that Docker will be delivering seamless integration of Kubernetes into the Docker platform. Adding Kubernetes support as an orchestration option (alongside Swarm) in both Docker Enterprise Edition, and in Docker for Mac and Windows will help simplify and advance the management of Kubernetes for enterprise IT and deliver the advanced capabilities of the Docker platform to a broader set of applications.


Try the latest version of Docker Enterprise Edition and Docker for Mac and Windows with built-in Kubernetes, and sign up for the upcoming Beta. Also, check out the detailed blog posts to learn how we’re bringing Kubernetes to:

You can also watch the video recording and slides of the day 1 keynote here:


DockerCon Day 2 Highlights

Yesterday, we announced an expanded partnership with IBM to address the growing demand for the Modernize Traditional Applications (MTA) program. The Docker MTA program enables IT organizations to modernize legacy applications using Docker Enterprise Edition (EE) for application management, in addition to one of Docker’s MTA partners for hybrid cloud infrastructure and professional services. Customers who have participated in the MTA program have realized the portability, agility and security benefits of the platform and a savings of more than 50 percent of their total cost of ownership (TCO). Through this expanded partnership, Docker and IBM will be able to take a broader range of enterprise customers through the modernization journey with a fast and efficient process for transforming their legacy applications on a modern cloud architecture.


You can also watch the video recording & slides of the day 2 keynote here below:

Learn more about the Modernize Traditional Application (MTA) program:

Could not make it to DockerCon this year? Save the date for DockerCon 2018.




The post DockerCon Europe 2017 Highlights appeared first on Docker Blog.


Source: Docker


Docker Platform and Moby Project add Kubernetes

Today we’re announcing that the Docker platform is integrating support for Kubernetes so that Docker customers and developers have the option to use both Kubernetes and Swarm to orchestrate container workloads. Register for beta access and check out the detailed blog posts to learn how we’re bringing Kubernetes to:

Docker is a platform that sits between apps and infrastructure. By building apps on Docker, developers and IT operations get freedom and flexibility. That’s because Docker runs everywhere that enterprises deploy apps: on-prem (including on IBM mainframes, enterprise Linux and Windows) and in the cloud. Once an application is containerized, it’s easy to re-build, re-deploy and move around, or even run in hybrid setups that straddle on-prem and cloud infrastructure.

The Docker platform is composed of many components, assembled in four layers:

  • The containerd industry-standard container runtime implementing the OCI standards
  • Swarm orchestration that transforms a group of nodes into a distributed system
  • Docker Community Edition providing developers a simple workflow to build and ship container applications, with features like application composition, image build and management
  • Docker Enterprise Edition, to manage an end to end secure software supply chain and run containers in production


These four layers are assembled from upstream components that are part of the open source Moby Project.

Docker’s design philosophy has always been about providing choice and flexibility. This is important for customers that are integrating Docker with existing IT systems, and that’s why Docker is built to work well with already-deployed networking, logging, storage, load balancers and CI/CD systems. For all of these (and more), Docker relies on industry-standard protocols or published and documented interfaces. And for all of these, Docker Enterprise Edition ships with sensible defaults, but those defaults can be swapped for certified third party options for customers that have existing systems or prefer an alternative solution.

In 2016, Docker added orchestration to the platform, powered by the SwarmKit project. In the past year, we’ve received lots of positive feedback on Swarm: it’s easy to set up, is scalable and is secure out-of-the-box.

We’ve also gotten feedback that some users really like the integrated Docker platform with end-to-end container management, but that they want to use other orchestrators, like Kubernetes, for container scheduling. Either because they’ve already designed services to work on Kubernetes or because Kubernetes has particular features they’re looking for. This is why we are adding Kubernetes support as an orchestration option (alongside Swarm) in both Docker Enterprise Edition, and in Docker for Mac and Windows.


We’re also working on innovative components that make it easier for Docker users to deploy Docker apps natively with Kubernetes orchestration. For example, by using Kubernetes extension mechanisms like Custom Resources and the API server aggregation layer, the coming version of Docker with Kubernetes support will allow users to deploy their Docker Compose apps as Kubernetes-native Pods and Services.

With the next version of the Docker platform, developers can build and test apps destined for production directly on Kubernetes, on their workstation. And ops can get all the benefits of Docker Enterprise Edition – secure multi-tenancy, image scanning and role-based access control – while running apps in production orchestrated with either Kubernetes or Swarm.

The Kubernetes version that we’re incorporating into Docker will be the vanilla Kubernetes that everyone is familiar with, direct from the CNCF. It won’t be a fork, nor an outdated version, nor wrapped or limited in any way.

Through the Moby Project, Docker has been working to adopt and contribute to Kubernetes over the last year. We’ve been working on containerd and cri-containerd for the container runtime, on InfraKit for creating and managing Kubernetes installs, and on libnetwork for overlay networking. See the Moby Project blog post for more examples and details.

Docker and Kubernetes share much lineage, are written using the same programming language and have overlapping components, contributors and ideals. We at Docker are looking forward to incorporating Kubernetes support into our products and into the open source projects we work on. And we can’t wait to work with the Kubernetes community to make containers and container-orchestration ever more powerful and easier to use.

Beta of both Docker Enterprise (for supported infrastructure) and Community Edition (for Mac and Windows) with Kubernetes support will be available later this year. Sign up to get notified when they’re ready.

While we’re adding Kubernetes as an orchestration option in Docker, we remain committed to Swarm and our customers and users that rely on Swarm and Docker for running critical apps at scale in production. To learn more about how Docker is integrating Kubernetes, check out the sessions “What’s New in Docker” and “Gordon’s Secret Session” at DockerCon EU.

Where to go from here?








Extending Docker Enterprise Edition to Support Kubernetes

At DockerCon Europe, we announced that Docker will be delivering seamless integration of Kubernetes into the Docker platform. Bringing Kubernetes to Docker Enterprise Edition (EE) will simplify and advance the management of Kubernetes for enterprise IT and deliver the advanced capabilities of Docker EE to a broader set of applications.

Swarm and Kubernetes Side-by-Side

Docker EE is an enterprise-grade container platform that includes a private image registry, advanced security features and centralized management for the entire container lifecycle. By including Kubernetes for container orchestration, customers will have the ability to run both Swarm and Kubernetes in the same Docker EE cluster while still leveraging the same secure software supply chain for building and deploying applications.


Figure 1. Docker EE Architecture with Multiple Orchestrators

This is possible because Docker EE has a modular architecture that is designed to support multiple orchestrators. The Linux nodes are both Swarm and Kubernetes-ready and application teams can decide which orchestrator to use at app deployment time.

When creating a new Stack in Docker EE, you are given the choice of deploying it as Swarm Services or as Kubernetes Workloads:


Figure 2. Selectable modes at app deployment time

Upon deployment, the Docker EE dashboard has a “Shared Resources” area which allows you to view and manage the entire EE environment, including both Swarm Services and Kubernetes Workloads.

Figure 3. New dashboard with shared resources view of both Swarm and Kubernetes

Get Docker EE Capabilities for Kubernetes

Bringing Kubernetes into Docker EE means making Kubernetes work as easily and powerfully as Docker EE. That includes enabling all of the advanced EE features for Kubernetes workloads.  

Easy Production Install

By leveraging Swarm for cluster management, creating a highly available and fault tolerant Kubernetes environment is much easier and much more secure.

Admins can get a cluster up and running with Kubernetes by simply installing Docker EE with a one-line command. Once the cluster is running, Kubernetes is installed as part of Docker EE. This includes built-in security to enable mutually authenticated TLS, with certificate rotation.

Figure 4. Docker EE cluster where the same nodes are both Docker and Kubernetes-ready

NOTE: This view shows Kubernetes v1.7 although the Beta will be leveraging v1.8.

Secure and Unified Supply Chain

Docker EE delivers end-to-end security across the supply chain from the developer’s laptop to production deployment. With this integration, teams leverage the same supply chain capabilities for both Swarm and Kubernetes deployments. That includes:

  • Secure Image Management: With image scanning and Docker Content Trust, Docker EE provides a way to validate and verify images before being deployed and manage them in a privately hosted image registry.
  • Secure Automation: With policy-based image promotion, organizations remove bottlenecks in the supply chain while enforcing policies such as scanning for vulnerabilities.

Secure Multi-Tenancy

With flexible and granular role-based access controls (RBAC) down to the API level, admins can integrate AD/LDAP once and support different teams bringing different apps (Windows, Linux, or mainframe) of different types (microservices, ISV, or traditional) on different orchestrators (Swarm or Kubernetes), all in the same Docker EE environment with secure isolation between them. That allows development teams to bring their own tools and processes into the same environment.

Figure 5. Docker EE access controls with resource collections

Users deploying applications to the EE cluster get the choice of the Kubernetes or Swarm API, across a common set of nodes and using a common set of container images secured by the Trusted Registry.

Deploy Apps to Kubernetes

A new capability with this upcoming release allows organizations to use existing Docker Compose files and deploy to a Kubernetes environment. The same Docker Compose file can be deployed with either orchestrator by mapping Docker service definitions to native Kubernetes resource types.

Figure 6. Docker Compose YAML file being deployed as a Kubernetes workload

Centralized Management

With Docker EE, all of these different applications can be monitored and managed in a single environment that is integrated with centralized logging and monitoring capabilities. IT can manage and secure all applications in a unified operating model that aligns with their current responsibilities.

Figure 7: Container view in the Docker EE dashboard that includes containers deployed in Swarm and in Kubernetes from the same Docker Compose YAML file

Infrastructure Independence

Docker EE delivers a consistent experience across certified infrastructure platforms including multiple Linux distributions (RHEL, SLES, CentOS, Ubuntu, Oracle Linux) and Windows as well as cloud platforms including AWS and Azure. This means organizations are not locked into an underlying platform and get greater cloud portability.

Sign up for the Beta

Docker will be integrating the latest stable release of Kubernetes and contributing back to the Kubernetes project. As part of this announcement, Docker will also be adding Kubernetes support in Docker for Mac and Docker for Windows.

If you’re interested in getting an easy-to-manage and secure deployment of Kubernetes with advanced lifecycle management capabilities, visit https://www.docker.com/kubernetes and sign up for the upcoming Beta.

To learn more about Docker Enterprise Edition:








Beta Docker for Mac and Windows with Kubernetes

Today, as part of our effort to bring Kubernetes support to the Docker platform, we’re excited to announce that we will also add optional Kubernetes to Docker Community Edition for Mac and Windows. We’re demoing previews at DockerCon (stop by the Docker booth!) and will have a beta program ready at the end of 2017. Sign up to be notified when the beta is ready.

With Kubernetes support in Docker CE for Mac and Windows, Docker Inc. can provide customers an end-to-end suite of container-management software and services that span from developer workstations, through test and CI/CD through to production on-prem or in the cloud.

Docker for Mac and Windows are the most popular way to configure a Docker dev environment and are used everyday by hundreds of thousands of developers to build, test and debug containerized apps. Docker for Mac and Windows are popular because they’re simple to install, stay up-to-date automatically and are tightly integrated with macOS and Windows respectively.

The Kubernetes community has built solid solutions for installing limited Kubernetes development setups on developer workstations, including Minikube (itself based partly on the docker-machine project that predated Docker for Mac and Windows). Common to these solutions however, is that they can be tricky to configure for tight docker build → run → test iteration, and that they rely on outdated Docker versions.

Once Kubernetes support lands in Docker for Mac and Windows, developers building both docker-compose and Swarm-based apps, and apps destined for deployment on Kubernetes will get a simple-to-use development system that takes optimal advantage of their laptop or workstation. All container tasks (whether build, run or push) will run on the same Docker instance with a shared set of images, volumes and containers. And it’ll be based on the latest-and-greatest version of the Docker platform, giving Kubernetes desktop users access to enhancements like multi-stage builds.

As part of our effort to integrate Kubernetes with Docker, we’re building Kubernetes components, using Custom Resources and the API server aggregation layer, that make it simpler to deploy Docker Compose apps as Kubernetes-native Pods and Services. These components will ship in both Docker EE and in Docker CE for Mac and Windows.

We can’t wait to show you Kubernetes running in Docker for Mac and Windows. Drop by the Docker booth at DockerCon EU 17 and sign up for the beta to be notified when we have something that’s ready to try.








Video series: Modernizing Java Apps for IT Pros

Today we start releasing a new video series in Docker’s Modernize Traditional Apps (MTA) program, aimed at IT Pros who manage, maintain and deploy Java apps. The video series shows you how to take a Java EE 7 application written to run on Wildfly 3, move it to a Windows Docker container and deploy it to a scalable, highly-available environment in the cloud – without any changes to the app.

These are the first 4 of a 5 part video series in Docker’s Modernize Traditional Apps (MTA) program, aimed at Java IT Pros. The video series shows you how to move a Java EE app on JBoss Wildfly to a Docker container and deploy it to a scalable, highly-available environment in the cloud – without any changes to the app.

Modernizing Java Apps

Part 1 introduces the series, explaining what is meant by “traditional” apps and the problems they present. Traditional apps are built to run on a server, rather than on a modern application platform. They have common traits, like being complex to manage and difficult to deploy. A portfolio of traditional applications tends to under-utilize its infrastructure, and over-utilize the humans who manage it. Docker Enterprise Edition (EE) fixes that, giving you a consistent way to package, release and manage all your apps, without having to re-write them.

Part 2 shows how easy it is to move traditional apps to Docker. I start with a Java EE application running on Wildfly, and package the entire monolithic application as a Docker image. Then I run the application in a container on my MacBook Pro. I do that without changing the app, and without needing to access the original source code.

Part 3 covers the upgrade workflow in Docker. I build a new version of the Docker image for my app, by migrating it to a Tomcat EE image. I also replace the presentation layer implemented with JavaServer Faces with a JavaScript client written in React. I show how to do this using Maven and Node.js images to build them without having those tool chains on your laptop. Docker allows you to split off parts of the application and update them with modern technology. In this case, I make use of the application’s REST interface to start moving towards a microservices architecture that’s suited to deployment in a cloud architecture.

Part 4 shows how to share the application images through a registry, in this case Docker Hub. A registry allows you to share the image publicly. In addition to sharing images, Docker Hub and Docker Trusted Registry support automating the build process. I’ll connect the GitHub repository with the application source code to the repository and configure it to build a new image every time code is pushed. Updated images of the application will always be available for deployment.

In an upcoming Part 5, I’ll deploy the application as a cluster in the cloud using Docker EE. Migrating traditional apps to Docker EE gives you increased efficiency, portability and security. If you’re planning a move to the cloud, or upgrading to modern infrastructure – or if you just want to consolidate workloads on existing infrastructure – Docker makes it easy.

For more information about Modernizing Traditional Applications:


Video series: Modernizing Java Apps for IT Pros with Docker EE, by @spara






Least Privilege Container Orchestration

The Docker platform and the container have become the standard for packaging, deploying, and managing applications. In order to coordinate running containers across multiple nodes in a cluster, a key capability is required: a container orchestrator.


Orchestrators are responsible for critical clustering and scheduling tasks, such as:

  • Managing container scheduling and resource allocation.
  • Supporting service discovery and hitless application deploys.
  • Distributing the resources that applications need to run.

Unfortunately, the distributed nature of orchestrators and the ephemeral nature of resources in this environment makes securing orchestrators a challenging task. In this post, we will describe in detail the less-considered—yet vital—aspect of the security model of container orchestrators, and how Docker Enterprise Edition with its built-in orchestration capability, Swarm mode, overcomes these difficulties.

Motivation and threat model

One of the primary objectives of Docker EE with swarm mode is to provide an orchestrator with security built-in. To achieve this goal, we developed the first container orchestrator designed with the principle of least privilege in mind.

In computer science, the principle of least privilege in a distributed system requires that each participant of the system have access only to the information and resources that are necessary for its legitimate purpose. No more, no less.

“A process must be able to access only the information and resources that are necessary for its legitimate purpose.”

Principle of Least Privilege


Each node in a Docker EE swarm is assigned a role: either manager or worker. These roles define a coarse-grained level of privilege for the nodes: administration and task execution, respectively. However, regardless of its role, a node has access only to the information and resources it needs to perform the necessary tasks, with cryptographically enforced guarantees. As a result, it becomes easier to secure clusters against even the most sophisticated attacker models: attackers that control the underlying communication networks or even compromised cluster nodes.

Secure-by-default core

There is an old security maxim that states: if it doesn’t come by default, no one will use it. Docker Swarm mode takes this notion to heart, and ships with secure-by-default mechanisms to solve three of the hardest and most important aspects of the orchestration lifecycle:

  1. Trust bootstrap and node introduction.
  2. Node identity issuance and management.
  3. Authenticated, Authorized, Encrypted information storage and dissemination.

Let’s look at each of these aspects individually.

Trust Bootstrap and Node Introduction

The first step to a secure cluster is tight control over membership and identity. Without it, administrators cannot rely on the identities of their nodes and enforce strict workload separation between nodes. This means that unauthorized nodes can’t be allowed to join the cluster, and nodes that are already part of the cluster aren’t able to change identities, suddenly pretending to be another node.

To address this need, nodes managed by Docker EE’s Swarm mode maintain strong, immutable identities. The desired properties are cryptographically guaranteed by using two key building-blocks:

  1. Secure join tokens for cluster membership.
  2. Unique identities embedded in certificates issued from a central certificate authority.

Joining the Swarm

To join the swarm, a node needs a copy of a secure join token. The token is unique to each operational role within the cluster—there are currently two types of nodes: workers and managers. Due to this separation, a node with a copy of a worker token will not be allowed to join the cluster as a manager. The only way to get this special token is for a cluster administrator to interactively request it from the cluster’s manager through the swarm administration API.

The token is securely and randomly generated, but it also has a special syntax that makes leaks of this token easier to detect: a special prefix that you can easily monitor for in your logs and repositories. Fortunately, even if a leak does occur, tokens are easy to rotate, and we recommend that you rotate them often—particularly in the case where your cluster will not be scaling up for a while.


Bootstrapping trust

As part of establishing its identity, a new node will ask for a new identity to be issued by any of the network managers. However, under our threat model, all communications can be intercepted by a third-party. This begs the question: how does a node know that it is talking to a legitimate manager?


Fortunately, Docker has a built-in mechanism for preventing this from happening. The join token, which the host uses to join the swarm, includes a hash of the root CA’s certificate. The host can therefore use one-way TLS and use the hash to verify that it’s joining the right swarm: if the manager presents a certificate not signed by a CA that matches the hash, the node knows not to trust it.
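As an added example (not Docker's own code), the following Python models the two checks described in the paragraphs above: a joining node pinning the root CA hash carried in the join token before trusting a manager, and a defender scanning logs or repositories for the token prefix, plus token rotation that keeps the CA pin but replaces the secret. It assumes a simplified token layout `SWMTKN-1-<hex sha256 of root CA cert>-<secret>`; Docker's real tokens use the same prefix but a different encoding, and the certificates and log lines are constructed samples.

```python
"""Added example, not Docker's own code: a model of the Swarm join-token
checks described above. Assumed, simplified token layout:
SWMTKN-1-<hex sha256 of root CA cert>-<random secret>
(Docker's real token uses the same prefix but a different encoding)."""
import hashlib
import hmac
import re
import secrets

TOKEN_PREFIX = "SWMTKN-1-"
# Token-shaped strings, for scanning logs and repositories for leaks.
TOKEN_RE = re.compile(r"SWMTKN-1-[0-9a-f]{64}-[A-Za-z0-9]+")


def ca_hash(root_ca_cert: bytes) -> str:
    """Digest of the root CA certificate that a token pins."""
    return hashlib.sha256(root_ca_cert).hexdigest()


def make_join_token(root_ca_cert: bytes, secret: str = "") -> str:
    """Manager side: mint a join token that pins the root CA hash.
    Passing a secret is only for reproducible samples; normally it is random."""
    return f"{TOKEN_PREFIX}{ca_hash(root_ca_cert)}-{secret or secrets.token_hex(16)}"


def parse_join_token(token: str) -> tuple:
    """Split a token into (pinned_ca_hash, secret); reject malformed input."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a swarm join token")
    digest, sep, secret = token[len(TOKEN_PREFIX):].partition("-")
    if not sep or len(digest) != 64 or not secret:
        raise ValueError("malformed swarm join token")
    return digest, secret


def manager_is_trusted(token: str, presented_ca_cert: bytes) -> bool:
    """Joining-node side: accept the manager only if the CA certificate it
    presents over one-way TLS hashes to the value pinned in the token.
    Constant-time comparison avoids leaking how much of the hash matched."""
    pinned, _ = parse_join_token(token)
    return hmac.compare_digest(pinned, ca_hash(presented_ca_cert))


def rotate_join_token(old_token: str) -> str:
    """Rotation keeps the CA pin but replaces the secret, so a leaked copy
    of the old token no longer admits nodes."""
    pinned, _ = parse_join_token(old_token)
    return f"{TOKEN_PREFIX}{pinned}-{secrets.token_hex(16)}"


def find_leaked_tokens(lines) -> list:
    """Defender side: report (line number, token) for every token-shaped
    string found in log lines or repository text."""
    return [(n, m.group(0)) for n, line in enumerate(lines, 1)
            for m in TOKEN_RE.finditer(line)]


# Constructed sample data (not real certificates or tokens).
ROOT_CA = b"-----BEGIN CERTIFICATE-----\nconstructed root CA\n-----END CERTIFICATE-----\n"
ROGUE_CA = b"-----BEGIN CERTIFICATE-----\nconstructed rogue CA\n-----END CERTIFICATE-----\n"
WORKER_TOKEN = make_join_token(ROOT_CA, "workersecret01")
SAMPLE_LOG = [
    "Oct 17 09:00:01 ci-runner deploy.sh: docker swarm join --token "
    + WORKER_TOKEN + " 10.0.0.5:2377",
    "Oct 17 09:00:02 ci-runner deploy.sh: This node joined a swarm as a worker.",
]

if __name__ == "__main__":
    print("genuine manager accepted:", manager_is_trusted(WORKER_TOKEN, ROOT_CA))
    print("rogue manager accepted:", manager_is_trusted(WORKER_TOKEN, ROGUE_CA))
    print("tokens leaked in log:", find_leaked_tokens(SAMPLE_LOG))
```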

Node identity issuance and management

Identities in a swarm are embedded in X.509 certificates held by each individual node. In a manifestation of the least privilege principle, the certificates’ private keys are restricted strictly to the hosts where they originate. In particular, managers do not have access to the private keys of any certificate but their own.

Identity Issuance

To receive their certificates without sharing their private keys, new hosts begin by issuing a certificate signing request (CSR), which the managers then convert into a certificate. This certificate now becomes the new host’s identity, making the node a full-fledged member of the swarm!

Used alongside the secure bootstrapping mechanism, this way of issuing identities to joining nodes is secure by default: all communicating parties are authenticated and authorized, and no sensitive information is ever exchanged in clear-text.

Identity Renewal

However, securely joining nodes to a swarm is only part of the story. To minimize the impact of leaked or stolen certificates and to remove the complexity of managing certificate revocation lists (CRLs), Swarm mode uses short-lived certificates for the identities. These certificates have a default expiration of three months, but can be configured to expire every hour!


This short certificate expiration time means that certificate rotation can’t be a manual process, as it usually is for most PKI systems. With swarm, all certificates are rotated automatically and in a hitless fashion. The process is simple: using a mutually authenticated TLS connection to prove ownership of a particular identity, a Swarm node regularly generates a new public/private key pair and sends the corresponding CSR to be signed, creating a completely new certificate but maintaining the same identity.

Authenticated, Authorized, Encrypted information storage and dissemination.

During the normal operation of a swarm, information about the tasks has to be sent to the worker nodes for execution. This includes not only information on which containers are to be executed by a node, but also all the resources that are necessary for the successful execution of that container, including sensitive secrets such as private keys, passwords, and API tokens.

Transport Security

Because every node participating in a swarm possesses a unique identity in the form of an X.509 certificate, secure communication between nodes is trivial: nodes use their respective certificates to establish mutually authenticated connections with one another, inheriting the confidentiality, authenticity and integrity properties of TLS.


One interesting detail about Swarm mode is the fact that it uses a push model: only managers are allowed to send information to workers—significantly reducing the surface of attack manager nodes expose to the less privileged worker nodes.

Strict Workload Separation Into Security Zones

One of the responsibilities of manager nodes is deciding which tasks to send to each of the workers. Managers make this determination using a variety of strategies, scheduling the workloads across the swarm depending on both the unique properties of each node and each workload.

In Docker EE with Swarm mode, administrators can influence these scheduling decisions by using labels that are securely attached to the individual node identities. These labels allow administrators to group nodes together into different security zones, limiting the exposure of particularly sensitive workloads and any secrets related to them.


Secure Secret Distribution

In addition to facilitating the identity issuance process, manager nodes have the important task of storing and distributing any resources needed by a worker. Secrets are treated like any other type of resource, and are pushed down from the manager to the worker over the secure mTLS connection.


On the hosts, Docker EE ensures that secrets are provided only to the containers they are destined for; other containers on the same host have no access to them. Docker exposes secrets to a container as a temporary file system, ensuring that secrets are always held in memory and never written to disk. This method is more secure than competing alternatives, such as storing them in environment variables. Once a task completes, the secret is gone forever.
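As an added example (not Docker's code) covering both the security-zone scheduling described under "Strict Workload Separation Into Security Zones" and the push of secrets to workers above, the following Python models a manager placing tasks only on workers whose identity-bound labels satisfy Swarm-style `node.labels.<key>==<value>` constraints, and then computing the minimal set of secrets each node must receive. The least-loaded placement strategy, the treatment of a missing label under `!=`, and the node and task data are assumptions for illustration.

```python
"""Added example, not Docker's code: a simplified model of label-based
security zones and least-privilege secret distribution in a swarm.
Constraint strings follow Swarm's node.labels.<key>==<value> form; the
placement logic and the sample nodes/tasks are constructed assumptions."""
import re
from dataclasses import dataclass, field

CONSTRAINT_RE = re.compile(r"^node\.labels\.([\w.-]+)\s*(==|!=)\s*(\S+)$")


@dataclass
class Node:
    node_id: str                                 # identity from the node's certificate
    role: str                                    # "manager" or "worker"
    labels: dict = field(default_factory=dict)   # set by an admin, bound to the identity


@dataclass
class Task:
    name: str
    constraints: tuple = ()                      # e.g. ("node.labels.zone==pci",)
    secrets: tuple = ()                          # names of secrets the container needs


def constraint_holds(node: Node, constraint: str) -> bool:
    """Assumed semantics: '==' requires the label to be present with that
    value; '!=' holds when the label is absent or has a different value."""
    m = CONSTRAINT_RE.match(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint}")
    key, op, value = m.groups()
    actual = node.labels.get(key)
    return actual == value if op == "==" else actual != value


def eligible_workers(task: Task, nodes) -> list:
    """Managers never run workloads here; a worker is eligible only if every
    constraint holds for its identity-bound labels."""
    return [n for n in nodes if n.role == "worker"
            and all(constraint_holds(n, c) for c in task.constraints)]


def schedule(tasks, nodes) -> dict:
    """Place each task on the least-loaded eligible worker.
    A task with no eligible worker stays pending (None) rather than being
    forced onto a node outside its security zone."""
    load = {n.node_id: 0 for n in nodes}
    placement = {}
    for task in tasks:
        candidates = eligible_workers(task, nodes)
        if not candidates:
            placement[task.name] = None
            continue
        chosen = min(candidates, key=lambda n: load[n.node_id])
        load[chosen.node_id] += 1
        placement[task.name] = chosen.node_id
    return placement


def secret_distribution(tasks, placement) -> dict:
    """Secrets a manager pushes to each node over mTLS: only those needed by
    the tasks actually placed on that node, nothing for pending tasks."""
    out = {}
    for task in tasks:
        node_id = placement.get(task.name)
        if node_id is not None and task.secrets:
            out.setdefault(node_id, set()).update(task.secrets)
    return out


# Constructed sample cluster and workloads.
NODES = [
    Node("m1", "manager", {"zone": "pci"}),
    Node("w1", "worker", {"zone": "pci"}),
    Node("w2", "worker", {"zone": "general"}),
    Node("w3", "worker"),                        # no zone label at all
]
TASKS = [
    Task("payments", ("node.labels.zone==pci",), ("db_password", "card_key")),
    Task("web", ("node.labels.zone!=pci",), ("tls_key",)),
    Task("batch"),
    Task("hsm-signer", ("node.labels.zone==hsm",), ("signing_key",)),
]

if __name__ == "__main__":
    placement = schedule(TASKS, NODES)
    print("placement:", placement)
    print("secrets per node:", secret_distribution(TASKS, placement))
```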

Storing secrets

On manager hosts secrets are always encrypted at rest. By default, the key that encrypts these secrets (known as the Data Encryption Key, DEK) is also stored in plaintext on disk. This makes it easy for those with minimal security requirements to start using Docker Swarm mode.

However, once you are running a production cluster, we recommend you enable auto-lock mode. When auto-lock mode is enabled, a newly rotated DEK is encrypted with a separate Key Encryption Key (KEK). This key is never stored on the cluster; the administrator is responsible for storing it securely and providing it when the cluster starts up. This is known as unlocking the swarm.

Swarm mode supports multiple managers, relying on the Raft consensus algorithm for fault tolerance. Secure secret storage scales seamlessly in this scenario: each manager host has a unique disk encryption key, in addition to the shared key. Furthermore, Raft logs are encrypted on disk and are similarly unavailable without the KEK when in auto-lock mode.

What happens when a node is compromised?


In traditional orchestrators, recovering from a compromised host is a slow and complicated process. With Swarm mode, recovery is as easy as running the docker node rm command. This removes the affected node from the cluster, and Docker will take care of the rest, namely re-balancing services and making sure other hosts know not to talk to the affected node.

As we have seen, thanks to least privilege orchestration, even if the attacker were still active on the host, they would be cut off from the rest of the network. The host’s certificate — its identity — is blacklisted, so the managers will not accept it as valid.

Conclusion

Docker EE with Swarm mode ensures security by default in all key areas of orchestration:

  • Joining the cluster. Prevents malicious nodes from joining the cluster.
  • Organizing hosts into security zones. Prevents lateral movement by attackers.
  • Scheduling tasks. Tasks will be issued only to designated and allowed nodes.
  • Allocating resources. A malicious node cannot “steal” another’s workload or resources.
  • Storing secrets. Never stored in plaintext and never written to disk on worker nodes.
  • Communicating with the workers. Encrypted using mutually authenticated TLS.

As Swarm mode continues to improve, the Docker team is working to take the principle of least privilege orchestration even further. The task we are tackling is: how can systems remain secure if a manager is compromised? The roadmap is in place, with some of the features already available, such as the ability to whitelist only specific Docker images, preventing managers from executing arbitrary workloads. This is achieved quite naturally using Docker Content Trust.


Least Privilege #Container Orchestration w/ @docker Enterprise Edition and Swarm by @diogomonica


The post Least Privilege Container Orchestration appeared first on Docker Blog.


Source: Docker


Register for DockerCon Europe 2017 Livestream

For those of you who can’t make it to DockerCon Europe 2017 in Copenhagen, we are thrilled to announce that the General Sessions on both Day 1 and Day 2 of DockerCon will be livestreamed!

Find out about the latest Docker announcements live from Steve Singh (CEO) and Solomon Hykes (Founder and CTO) and enjoy the highly technical demos the Docker team has prepared for you!

Livestream schedule:

  • General Session Day 1 on 10/17 from 9am UTC+2
  • General Session Day 2 on 10/18 from 9am UTC+2

DockerCon Livestream

The livestream player will be embedded on the DockerCon site a few hours prior to the event. Be sure to sign up here to receive an email with the link to the livestream before the general session starts!

Sign up for the DockerCon EU Livestream


We invite you to follow the official Twitter account: @DockerCon and hashtag #DockerCon in order to get the latest updates.

Learn More about DockerCon


Watch the live stream of keynotes at #DockerCon Europe | Oct 17 – 18, 9-11am UTC +2


The post Register for DockerCon Europe 2017 Livestream appeared first on Docker Blog.


Source: Docker


Brace yourselves, DockerCon Europe 2017 is coming!

DockerCon Europe 2017 is just around the corner and the whole European Docker community is getting ready for four days of incredible learning, networking and collaboration!

If you’re a registered attendee, log in to the DockerCon Europe Agenda Builder using the information you set up during the registration process. You can use the keyword search bar or filter by topics, days, tracks, experience level or target audience to get recommended sessions and build your schedule.

Every DockerCon Europe Attendee should have received an invitation to join the Docker Community Slack (dockercommunity.slack.com). If that’s not the case, please reach out to community@docker.com and we’ll make sure to resend the invitation.

DockerCon EU

Monday 16 October

Attendees who have signed up for Paid-Workshops or want to check in and pick up their badge and backpacks early should plan to be in Copenhagen by Monday morning.

Registration

Registration will be open from 12:00 – 19:30.

Workshops

Interested in attending a DockerCon EU Workshop on Monday? Here is the list of the workshops that are still available:

  • Introduction to Docker for Enterprise Developers
  • Docker on Windows: From 101 to Production
  • Docker for Java Developers
  • Learn Docker

If you’ve already registered for a workshop, full day workshops run from 9:00 – 17:00 and the half-day workshops from 14:00 – 18:00 at the Bella Center. Room assignments will be emailed out.

Hallway Track

From 12:00 to 20:00 on Monday you’ll be able to meet and share knowledge with community members and practitioners using the DockerCon Hallway track recommendation algorithm.

Docker Pals

It can be downright intimidating to attend a conference by yourself, much less figure out how to make the most of your experience! Docker Pals gives you a built-in network at the conference by pairing you with another attendee and a DockerCon veteran as your guide. You will meet your pals at a Meet Your Pals Pre-Welcome Reception in the Expo Hall from 17:30 – 18:00. Pre-registration is required.

Welcome Reception

Join us at the evening Welcome reception in the Ecosystem Expo starting at 18:00.


Tuesday 17 October

Conference sessions start on Tuesday. Come early and be ready to learn, connect and collaborate with the Docker community.

Registration and Hallway Track

Registration and the Hallway track will be open from 07:30 – 18:00.

Ecosystem Expo

Stop by the booths of the DockerCon Europe Sponsors from 08:00 – 17:50 to learn, connect and network! Don’t forget to make your way to the Docker booth to learn more about our products and meet the Docker team.

General Session

Make sure to arrive early to be on time for our Day 1 General Session which starts at 09:00 sharp!

Breakout Sessions

Download the DockerCon App and start scheduling your DockerCon Agenda.

Hands-on Labs

From 11:00 – 18:00, take your Docker learning to the next level by completing self-paced Hands-on-Labs to walk through the process of managing and securing Docker containers.

Docker Professional Certification

We are launching Docker Certification in Copenhagen. As a DockerCon attendee, you’ll have the opportunity to be among the first in the world to earn the ‘Docker Certified Associate’ designation with the digital certificate and verification to prove it! Learn more.

DockerCon After Party

Starting at 19:00, arcade and classic games like Pong, Asteroids, Tetris, Tron and Breakout will fill the venue providing you with ample entertainment and opportunities to challenge your fellow attendees to some friendly competition. You will be transported to a whole new gaming universe!

Wednesday 18 October

Wednesday brings more awesome content, learning and networking:

Thursday 19 October

On Thursday attendees have the option to attend the Enterprise Summit (sold out) to learn how Docker customers have transformed their Windows or Linux applications to run as a container making it more efficient, more portable, and more secure—all without touching a line of code. To join the waitlist, email dockercon@docker.com.

The Moby Summit (sold out) is also taking place on Thursday. You can join the waitlist by logging into the DockerCon portal for a chance to attend.

Finally, the DockerCon Hands-on Labs will be open all day on Thursday and will offer a broad range of topics that cover the interests of both developers and IT operations personnel on Windows and Linux.

Learn More:




The post Brace yourselves, DockerCon Europe 2017 is coming! appeared first on Docker Blog.


Source: Docker


Introducing Hallway Track: Learn from People Around You at DockerCon

Docker Hallway track

Photo by: Youssef Shoufan at DockerCon Austin 2017

The DockerCon Hallway Track is coming to DockerCon Europe in Copenhagen. We’ve partnered with e180.co once again to deliver the next level of conference attendee networking. Together, we believe that education is a relationship, not an institution, and that a conversation can change someone’s life. After the success of our collaboration in Austin with Moby Mingle, we’re happy to be growing this idea further for Copenhagen.

DockerCon is all about learning new things and connecting with the right people. The Hallway Track will help you meet and share knowledge with community members and practitioners at the conference.

Docker hallway track

So, what’s a Hallway Track?

The DockerCon Hallway Track consists of one-on-one or group conversations, based on topics of interest, that you schedule with other attendees during DockerCon. Hallway Track’s recommendation algorithm curates an individualized selection of Hallway Track topics for each participant, based on their behavior and interests.

It’s simple:

  1. Explore the knowledge Offers and Requests, where all participants post the knowledge they are willing to share.
  2. Pick something you want to learn or create your own Offer or Request.
  3. Book your Hallway Tracks and meet in person at the Hallway Track Lounge!

If you are interested in attending DockerCon, please register soon as we have only 100 tickets left! If you are already registered and want to book your Hallway Tracks, the platform will be launching today; look out for the email with instructions for logging into the system.




The post Introducing Hallway Track: Learn from People Around You at DockerCon appeared first on Docker Blog.


Source: Docker


Your Docker Agenda for JavaOne

If you are one of the thousands that will be in San Francisco for JavaOne Oct 1-5th, don’t miss the opportunity to level-up your knowledge around container technology and Docker Community and Enterprise Edition. We’ve listed our must-attend sessions below:

Monday, October 2nd

Monday, Oct 02, 11:00 a.m. – 11:45 a.m. | Java in a World of Containers [CON4429]

Speakers: Paul Sandoz and Mikael Vidstedt, Oracle

This session explains how OpenJDK 9 fits into the world of containers, specifically how it fits with Docker images and containers. The first part of the session focuses on the production of Docker images containing a JDK. It introduces technologies, such as J-Link, that can be used to reduce the size of the JDK and discusses the inclusion of class-data-sharing (CDS) archives and ahead-of-time (AOT) shared object libraries. The second part describes how the Java process can be a good citizen when running within a Java container and obeying resource limits. The presentation also covers the role of CDS archives and AOT shared object libraries that can be shared across running containers to reduce startup time or memory usage.


Tuesday, October 3rd

8:30 a.m. – 10:30 a.m. |  Hands-on Lab: Docker 101 [HOL7960]

Eric Smalling, Ben Bonnefoy, Mano Marks, Docker

Dennis Foley and Richard Wark, Oracle

If you are just getting started learning about the Docker platform and want to get up to speed, this is the lab for you. Come learn the basics including running containers, building images, and basics on networking, orchestration, security, and volumes.

8:30 a.m. – 9:15 a.m. | Modernizing Traditional Apps with Docker EE: Java Edition [CON7951]

Sophia Parafina, Docker

Most large enterprises have huge application install bases. Many have apps running in production that were written by people who have moved on to other projects, or even other companies. How do you bring older, critical apps into a new, modern containerized infrastructure? In this presentation, you’ll learn the benefits of moving to a containerized infrastructure and how to easily package a Java EE application to a Docker Enterprise Edition container without changing any code. And then begin the process of modernizing it by replacing the JavaServer Faces client with a JavaScript client written in React.


Wednesday, October 4th

Wednesday, Oct 04, 2:45 p.m. – 3:30 p.m. | Best Practices for Developing and Deploying Java Applications with Docker [CON7957]

Speaker: Eric Smalling, Docker

What if you could run your Java application in the same artifacts as your developer workstation, integration, and user acceptance testing environments as it does in production? With the Docker platform, your deployment artifacts conform to a common, portable standard that allows your team to do exactly that. In this session learn how to best run the JVM inside containers; ensure it is built and tested in deterministic, repeatable fashion; and deploy it in a guaranteed known-good-state in every environment. This session explores the basics of the Docker platform, how to build and run your applications in containers, how to deploy a web application using the same artifacts on workstations and servers, and best practices for managing and configuring JVM-based applications in containers.

Wednesday, Oct 04, 2:45 p.m. – 3:30 p.m. | Docker Tips and Tricks for Java Developers [CON4060]

Speaker: Ray Tsang, Google

Everyone is talking about containers—but be aware! It takes discipline to use container technology. It may not be as secure nor as optimal as you thought it would be. Although it’s relatively easy to create a new immutable container image to run everywhere, you may have fallen into many of the caveats. Is it running as the root user? Why are the images taking so much space? Why did your containers run out of space in the first place!? Most importantly, your container images may not be as immutable nor repeatable as you thought, and your Java process might be overutilizing assigned resources! Attend this session to learn how to best address these issues when building your Java container images.




The post Your Docker Agenda for JavaOne appeared first on Docker Blog.


Source: Docker
