SlideShare ist ein Scribd-Unternehmen logo
1 von 32
Downloaden Sie, um offline zu lesen
© 2017 VMware Inc. All rights reserved.
Secure and Efficient Container Image
Management in Enterprise
Henry Zhang
Chief Architect, Cloud Native Apps
R&D, VMware China
About Me
• Chief Architect, VMware China R&D
– Current focus: Cloud Native Apps, Blockchain, IoT
• Creator and Architect of Project Harbor, an open source enterprise
class container registry
• Full stack engineer
• Coauthor of two books (in Chinese):
– Blockchain Technical Guides
– Software Defined Storage: Principle, Practice and Ecosystem
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
Registry
Lifecycle of Containers and Images
5
Images
Containers
Dockerfile
tar archive
Run
Stop
Start
Restart
Commit
Build
tag
Push
Pull
Save
Load
Images
Registry
Images
6
Push Pull
• Repository for storing images
• Intermediary for shipping and distributing images
• Ideal for access control and other image management
Registry - Key Component to Manage Images
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
Project Harbor
• An open source enterprise-class registry server.
• Initiated by VMware China, adopted by users worldwide.
• Apache 2 license.
• https://github.com/vmware/harbor/
8
Key Features
• User management & access control
– RBAC: admin, developer, guest
– AD/LDAP integration
• Policy based image replication
• Web UI
• Audit and logs
• Restful API for integration
• Lightweight and easy deployment
9
Users, Partners and Developers
200+
• Developers
• Users
2200+10K+
Downloads Stars Users
49
Contributors
600+
Forks
6
Partners
10
Harbor Architecture
11
Registry v2
Docker
client
Nginx
API
Harbor
Browser
Auth
UI
DB
AD /
LDAP
Admin
Server
Log
Collector
Replication
job service
Notary
client
Remote
Harbor
Instance
Notary
Image replication (synchronization)
12
Project
Images
Policy
Image
Project
Images
Initial replication
Image
incremental replication
(including image deletion)
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
Consistency of Container Images
• Container images are used throughout the life cycle of
software development
– Dev
– Test
– Staging
– Production
• Consistency must be maintained
– Version control
– Issue tracking
– Troubleshooting
– Auditing
14
Same Dockerfile Always Builds Same Image?
• Base image ubuntu:latest could be changed between builds
• ubuntu:14.04 could also be changed due to patching
• apt-get (curl, wget..) cannot guarantee always to install the
same packages
• ADD depends on the build time environment to add files
15
Example:
FROM ubuntu
RUN apt-get install –y python
ADD app.jar /myapp/app.jar
Shipping Images in Binary Format for Consistency
16
Dev Registry
Test Registry
Staging Registry Production
Registry
images
CI
Git
images
images
images
images
images
Images are synchronized between environments
by using Harbor registry.
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
Access Control to Images
• Organizations often keep images within their own organizations
– Intellectual property stays in organization
– Efficiency: LAN vs WAN
• People with different roles should have different access
– Developer – Read/Write
– Tester – Read Only
• Different environments should enforce different rules
– Dev/test env – many people can access
– Production – a limited number of people can access
• Can be integrated with internal user management system
– LDAP/Active Directory
18
Example: Role Based Access Control in Harbor
19
Project
Members Images
Guest:
Developer:
Admin:
${Project}/ubuntu:14.04
${Project}/nginx:1.8, 1.9
${Project}/golang:1.6.2
${Project}/redis:3.0
…...
docker pull ...
docker pull/push ...
Other security considerations
• Enable content trust by installing Notary service
– Image is signed by publisher’s private key during pushing
– Image is verified using publisher’s public key during pulling
• Perform vulnerability scanning
– Identify images with vulnerabilities during pushing
– Prevent images with vulnerabilities from being pulled
– Regular scanning based on updated vulnerability database
20
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
Image Distribution
• Container images are usually distributed from a registry.
• Registry becomes the bottleneck for a large cluster of nodes
– I/O
– Network
• Scaling out an registry server
– Multiple instances of registry sharing same storage
– Multiple instances of independent registry sharing no storage
22
Image Distribution via Master-Slave Replication
23Master – Slave model
Docker
Client
push
Docker
host
Docker
host
pull
Docker
host
Docker
host
Docker
host
Docker
host
• Load balancing
• Works well with geographically
distributed clients
Hierarchical Image Distribution
24
Hierarchical
Docker
Client
push
Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry
High Availability of Registry
• To remove single point of failure on registry
• Three models to achieve HA
– Shared storage
– Replication ( no shared storage )
– Using other HA platform
26
Shared Storage
LB
Request
Registry instances
Registries using Shared Storage
Image replication between registries
28
LB
Request
VMware ESXi-1
Docker Volume Driver for
vSphere
VMware ESXi-2
Docker Volume Driver for
vSphere
VMware ESXi-3
Docker Volume Driver for
vSphere
Shared Storage
Virtual SAN
Docker Volume -1
Docker Host VM
Harbor
vSphere Docker Volume
Plugin
Docker Volume -2 Docker Volume-3
Other Docker
Volume s
Registry HA on vSphere
VMware ESXi-1
Docker Volume Driver for
vSphere
VMware ESXi-2
Docker Volume Driver for
vSphere
VMware ESXi-3
Docker Volume Driver for
vSphere
Shared Storage
Virtual SAN
Docker Volume -1
Docker Host VM
Harbor
vSphere Docker Volume
Plugin
Docker Volume -2 Docker Volume-3
Other Docker
Volume s
Registry HA on vSphere
Docker Host VM
Harbor
vSphere Docker Volume
Plugin
X
Summary
• Container image is the static part of container
lifecycle
• Registry is the key component to manage images
• Organizations usually need a private registry
– Security
– Efficiency
31
Thank you!
https://github.com/vmware/harbor

Weitere ähnliche Inhalte

Was ist angesagt?

Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookRoberto Hashioka
 
HPC in a Box - Docker Workshop at ISC 2015
HPC in a Box - Docker Workshop at ISC 2015HPC in a Box - Docker Workshop at ISC 2015
HPC in a Box - Docker Workshop at ISC 2015inside-BigData.com
 
FOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project UpdateFOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project UpdatePhil Estes
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtimeDocker, Inc.
 
OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)rhirschfeld
 
Dockerizing OpenStack for High Availability
Dockerizing OpenStack for High AvailabilityDockerizing OpenStack for High Availability
Dockerizing OpenStack for High AvailabilityDaniel Krook
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin	Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin Vietnam Open Infrastructure User Group
 
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...NETWAYS
 
Monitoring Docker Application in Production
Monitoring Docker Application in ProductionMonitoring Docker Application in Production
Monitoring Docker Application in ProductionAlois Reitbauer
 
OSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas Hoppe
OSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas HoppeOSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas Hoppe
OSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas HoppeNETWAYS
 
Persistent Data Storage for Docker Containers by Andre Moruga
Persistent Data Storage for Docker Containers by Andre MorugaPersistent Data Storage for Docker Containers by Andre Moruga
Persistent Data Storage for Docker Containers by Andre MorugaDocker, Inc.
 
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica SarbuOSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica SarbuNETWAYS
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210Che-Chia Chang
 
Kubernetes 架構與虛擬化之差異
Kubernetes 架構與虛擬化之差異Kubernetes 架構與虛擬化之差異
Kubernetes 架構與虛擬化之差異inwin stack
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...NETWAYS
 
How to Achieve Canary Deployment on Kubernetes
How to Achieve Canary Deployment on KubernetesHow to Achieve Canary Deployment on Kubernetes
How to Achieve Canary Deployment on KubernetesHanLing Shen
 

Was ist angesagt? (20)

Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with Rook
 
Rethinking the OS
Rethinking the OSRethinking the OS
Rethinking the OS
 
HPC in a Box - Docker Workshop at ISC 2015
HPC in a Box - Docker Workshop at ISC 2015HPC in a Box - Docker Workshop at ISC 2015
HPC in a Box - Docker Workshop at ISC 2015
 
FOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project UpdateFOSDEM 2019: A containerd Project Update
FOSDEM 2019: A containerd Project Update
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtime
 
OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)OpenStack on Kubernetes (BOS Summit / May 2017 update)
OpenStack on Kubernetes (BOS Summit / May 2017 update)
 
Dockerizing OpenStack for High Availability
Dockerizing OpenStack for High AvailabilityDockerizing OpenStack for High Availability
Dockerizing OpenStack for High Availability
 
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin	Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
 
Introduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving ContainerIntroduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving Container
 
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
 
Monitoring Docker Application in Production
Monitoring Docker Application in ProductionMonitoring Docker Application in Production
Monitoring Docker Application in Production
 
OSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas Hoppe
OSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas HoppeOSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas Hoppe
OSDC 2018 | Self Hosted bare Metal Kubernetes for SMEs by Thomas Hoppe
 
Persistent Data Storage for Docker Containers by Andre Moruga
Persistent Data Storage for Docker Containers by Andre MorugaPersistent Data Storage for Docker Containers by Andre Moruga
Persistent Data Storage for Docker Containers by Andre Moruga
 
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica SarbuOSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
OSDC 2018 | Monitoring Kubernetes at Scale by Monica Sarbu
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210
 
CRI, OCI, and CRI-O
CRI, OCI, and CRI-OCRI, OCI, and CRI-O
CRI, OCI, and CRI-O
 
Docker for HPC in a Nutshell
Docker for HPC in a NutshellDocker for HPC in a Nutshell
Docker for HPC in a Nutshell
 
Kubernetes 架構與虛擬化之差異
Kubernetes 架構與虛擬化之差異Kubernetes 架構與虛擬化之差異
Kubernetes 架構與虛擬化之差異
 
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
OSDC 2018 | From batch to pipelines – why Apache Mesos and DC/OS are a soluti...
 
How to Achieve Canary Deployment on Kubernetes
How to Achieve Canary Deployment on KubernetesHow to Achieve Canary Deployment on Kubernetes
How to Achieve Canary Deployment on Kubernetes
 

Andere mochten auch

See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...LinuxCon ContainerCon CloudOpen China
 

Andere mochten auch (20)

OCI Support in Mesos
OCI Support in MesosOCI Support in Mesos
OCI Support in Mesos
 
64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM
 
There is NO Open Source Business Model
There is NO Open Source Business ModelThere is NO Open Source Business Model
There is NO Open Source Business Model
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and Containers
 
Container Security
Container SecurityContainer Security
Container Security
 
Unikernelized Linux
Unikernelized LinuxUnikernelized Linux
Unikernelized Linux
 
The Open vSwitch and OVN Projects
The Open vSwitch and OVN ProjectsThe Open vSwitch and OVN Projects
The Open vSwitch and OVN Projects
 
LiteOS
LiteOS LiteOS
LiteOS
 
Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for Containers
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel Development
 
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 ArchitectureObstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
 
OpenStack on AArch64
OpenStack on AArch64OpenStack on AArch64
OpenStack on AArch64
 
OpenDaylight OpenStack Integration
OpenDaylight OpenStack IntegrationOpenDaylight OpenStack Integration
OpenDaylight OpenStack Integration
 
Hyperledger Technical Community in China.
Hyperledger Technical Community in China. Hyperledger Technical Community in China.
Hyperledger Technical Community in China.
 
GPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsGPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor Graphics
 
Libvirt API Certification
Libvirt API CertificationLibvirt API Certification
Libvirt API Certification
 
Practical CNI
Practical CNIPractical CNI
Practical CNI
 
Policy-based Resource Placement
Policy-based Resource PlacementPolicy-based Resource Placement
Policy-based Resource Placement
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...
 
Running Legacy Applications with Containers
Running Legacy Applications with ContainersRunning Legacy Applications with Containers
Running Legacy Applications with Containers
 

Ähnlich wie Linuxcon secureefficientcontainerimagemanagementharbor

Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019Steve Wong
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentDave Ward
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciRajesh Kolla
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetesDr Ganesh Iyer
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
Journey to the devops automation with docker kubernetes and openshift
Journey to the devops automation with docker kubernetes and openshiftJourney to the devops automation with docker kubernetes and openshift
Journey to the devops automation with docker kubernetes and openshiftYusuf Hadiwinata Sutandar
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013dotCloud
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDr Ganesh Iyer
 
VSphere Integrated Containers v3.0
VSphere Integrated Containers v3.0VSphere Integrated Containers v3.0
VSphere Integrated Containers v3.0The World Bank
 
Learn how to use Harbor
Learn how to use HarborLearn how to use Harbor
Learn how to use HarborSteve Wong
 

Ähnlich wie Linuxcon secureefficientcontainerimagemanagementharbor (20)

Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Preparing your dockerised application for production deployment
Preparing your dockerised application for production deploymentPreparing your dockerised application for production deployment
Preparing your dockerised application for production deployment
 
Containers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aciContainers docker-docker hub-azureacr-azure aci
Containers docker-docker hub-azureacr-azure aci
 
Containers 101
Containers 101Containers 101
Containers 101
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
ExpoQA 2017 Docker and CI
ExpoQA 2017 Docker and CIExpoQA 2017 Docker and CI
ExpoQA 2017 Docker and CI
 
Docker & ci
Docker & ciDocker & ci
Docker & ci
 
Journey to the devops automation with docker kubernetes and openshift
Journey to the devops automation with docker kubernetes and openshiftJourney to the devops automation with docker kubernetes and openshift
Journey to the devops automation with docker kubernetes and openshift
 
Docker
DockerDocker
Docker
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
VSphere Integrated Containers v3.0
VSphere Integrated Containers v3.0VSphere Integrated Containers v3.0
VSphere Integrated Containers v3.0
 
Learn how to use Harbor
Learn how to use HarborLearn how to use Harbor
Learn how to use Harbor
 

Mehr von LinuxCon ContainerCon CloudOpen China (11)

SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home. SecurityPI - Hardening your IoT endpoints in Home.
SecurityPI - Hardening your IoT endpoints in Home.
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internals
 
Building a Better Thermostat
Building a Better ThermostatBuilding a Better Thermostat
Building a Better Thermostat
 
Flowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoTFlowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoT
 
Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
 
Open Source Software Business Models Redux
Open Source Software Business Models ReduxOpen Source Software Business Models Redux
Open Source Software Business Models Redux
 
From Resilient to Antifragile Chaos Engineering Primer
From Resilient to Antifragile Chaos Engineering PrimerFrom Resilient to Antifragile Chaos Engineering Primer
From Resilient to Antifragile Chaos Engineering Primer
 
UEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS BootUEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS Boot
 
How Open Source Communities do Standardization
How Open Source Communities do StandardizationHow Open Source Communities do Standardization
How Open Source Communities do Standardization
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
 
Quickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackQuickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStack
 

Kürzlich hochgeladen

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Kürzlich hochgeladen (20)

Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

Linuxcon secureefficientcontainerimagemanagementharbor

  • 1. © 2017 VMware Inc. All rights reserved. Secure and Efficient Container Image Management in Enterprise Henry Zhang Chief Architect, Cloud Native Apps R&D, VMware China
  • 2. About Me • Chief Architect, VMware China R&D – Current focus: Cloud Native Apps, Blockchain, IoT • Creator and Architect of Project Harbor, an open source enterprise class container registry • Full stack engineer • Coauthor of two books (in Chinese): – Blockchain Technical Guides – Software Defined Storage: Principle, Practice and Ecosystem
  • 3. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 4. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 5. Registry Lifecycle of Containers and Images 5 Images Containers Dockerfile tar archive Run Stop Start Restart Commit Build tag Push Pull Save Load Images
  • 6. Registry Images 6 Push Pull • Repository for storing images • Intermediary for shipping and distributing images • Ideal for access control and other image management Registry - Key Component to Manage Images
  • 7. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 8. Project Harbor • An open source enterprise-class registry server. • Initiated by VMware China, adopted by users worldwide. • Apache 2 license. • https://github.com/vmware/harbor/ 8
  • 9. Key Features • User management & access control – RBAC: admin, developer, guest – AD/LDAP integration • Policy based image replication • Web UI • Audit and logs • Restful API for integration • Lightweight and easy deployment 9
  • 10. Users, Partners and Developers 200+ • Developers • Users 2200+10K+ Downloads Stars Users 49 Contributors 600+ Forks 6 Partners 10
  • 11. Harbor Architecture 11 Registry v2 Docker client Nginx API Harbor Browser Auth UI DB AD / LDAP Admin Server Log Collector Replication job service Notary client Remote Harbor Instance Notary
  • 12. Image replication (synchronization) 12 Project Images Policy Image Project Images Initial replication Image incremental replication (including image deletion)
  • 13. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 14. Consistency of Container Images • Container images are used throughout the life cycle of software development – Dev – Test – Staging – Production • Consistency must be maintained – Version control – Issue tracking – Troubleshooting – Auditing 14
  • 15. Same Dockerfile Always Builds Same Image? • Base image ubuntu:latest could be changed between builds • ubuntu:14.04 could also be changed due to patching • apt-get (curl, wget..) cannot guarantee always to install the same packages • ADD depends on the build time environment to add files 15 Example: FROM ubuntu RUN apt-get install –y python ADD app.jar /myapp/app.jar
  • 16. Shipping Images in Binary Format for Consistency 16 Dev Registry Test Registry Staging Registry Production Registry images CI Git images images images images images Images are synchronized between environments by using Harbor registry.
  • 17. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 18. Access Control to Images • Organizations often keep images within their own organizations – Intellectual property stays in organization – Efficiency: LAN vs WAN • People with different roles should have different access – Developer – Read/Write – Tester – Read Only • Different environments should enforce different rules – Dev/test env – many people can access – Production – a limited number of people can access • Can be integrated with internal user management system – LDAP/Active Directory 18
  • 19. Example: Role Based Access Control in Harbor 19 Project Members Images Guest: Developer: Admin: ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... docker pull ... docker pull/push ...
  • 20. Other security considerations • Enable content trust by installing Notary service – Image is signed by publisher’s private key during pushing – Image is verified using publisher’s public key during pulling • Perform vulnerability scanning – Identify images with vulnerabilities during pushing – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database 20
  • 21. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 22. Image Distribution • Container images are usually distributed from a registry. • Registry becomes the bottleneck for a large cluster of nodes – I/O – Network • Scaling out an registry server – Multiple instances of registry sharing same storage – Multiple instances of independent registry sharing no storage 22
  • 23. Image Distribution via Master-Slave Replication 23Master – Slave model Docker Client push Docker host Docker host pull Docker host Docker host Docker host Docker host • Load balancing • Works well with geographically distributed clients
  • 25. Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry
  • 26. High Availability of Registry • To remove single point of failure on registry • Three models to achieve HA – Shared storage – Replication ( no shared storage ) – Using other HA platform 26
  • 28. Image replication between registries 28 LB Request
  • 29. VMware ESXi-1 Docker Volume Driver for vSphere VMware ESXi-2 Docker Volume Driver for vSphere VMware ESXi-3 Docker Volume Driver for vSphere Shared Storage Virtual SAN Docker Volume -1 Docker Host VM Harbor vSphere Docker Volume Plugin Docker Volume -2 Docker Volume-3 Other Docker Volume s Registry HA on vSphere
  • 30. VMware ESXi-1 Docker Volume Driver for vSphere VMware ESXi-2 Docker Volume Driver for vSphere VMware ESXi-3 Docker Volume Driver for vSphere Shared Storage Virtual SAN Docker Volume -1 Docker Host VM Harbor vSphere Docker Volume Plugin Docker Volume -2 Docker Volume-3 Other Docker Volume s Registry HA on vSphere Docker Host VM Harbor vSphere Docker Volume Plugin X
  • 31. Summary • Container image is the static part of container lifecycle • Registry is the key component to manage images • Organizations usually need a private registry – Security – Efficiency 31