4. spring-doge.jar
Example: Spring Boot App using MongoDB
https://github.com/chanezon/docker-tips/tree/master/java-in-container-dev/spring-doge-workspace
Modules: spring-doge, spring-doge-web, spring-doge-photo
API: Spring Boot, Spring Data
UI: AngularJS
Business Logic: java.awt
java -Dserver.port=8080 -Dspring.data.mongodb.uri=mongodb://mongo:27017/test -jar spring-doge.jar
5. Dockerfile for development
FROM java:8
MAINTAINER Patrick Chanezon <patrick@chanezon.com>
EXPOSE 8080
COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
WORKDIR /usr/src/spring-doge
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
6. Using Docker to compile your jar/war
https://registry.hub.docker.com/_/maven/
docker run -it --rm \
  -v $PWD:/usr/src/spring-doge \
  -v maven:/root/.m2 \
  -w /usr/src/spring-doge \
  maven:3.3-jdk-8 \
  mvn package
7. Build an image
docker build -t chanezon/spring-doge .
FROM java:8
MAINTAINER Patrick Chanezon <patrick@chanezon.com>
EXPOSE 8080
COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
WORKDIR /usr/src/spring-doge
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
8. Dockerfile with multi stage build
FROM maven:3.5-jdk-8 as builder
MAINTAINER Patrick Chanezon <patrick@chanezon.com>
COPY . /usr/src
WORKDIR /usr/src
RUN mvn package
FROM openjdk:8u131-jre
EXPOSE 8080
COPY --from=builder /usr/src/spring-doge/target/*.jar /usr/app/spring-doge.jar
WORKDIR /usr/app
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
# HEALTHCHECK must be followed by a CMD, otherwise the build fails; curl must be present in the runtime image
HEALTHCHECK --interval=5m --timeout=3s --retries=3 CMD curl -f http://localhost:8080/ || exit 1
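A hardened variant of the multi-stage build above, added here as an example; it is not from the deck or from the spring-doge repository. It runs the JVM as an unprivileged user that does not own its own jar, uses the exec form of CMD so that java is PID 1 and receives SIGTERM directly, and passes the Mongo URI through Spring Boot's relaxed environment binding (SPRING_DATA_MONGODB_URI maps to spring.data.mongodb.uri) instead of expanding a shell variable. The /app path, the doge user and uid, the health-check interval and the use of curl for the probe are assumptions.

```dockerfile
# Added example: hardened version of the multi-stage Dockerfile on this slide.
FROM maven:3.5-jdk-8 AS builder
COPY . /usr/src
WORKDIR /usr/src
RUN mvn package

FROM openjdk:8u131-jre
# Unprivileged runtime user with a fixed uid (name and uid are assumptions),
# so host-side policy (seccomp/AppArmor profiles, audit rules) can match it.
RUN groupadd -r doge && useradd -r -g doge -u 10001 doge
WORKDIR /app
# The jar stays root-owned and world-readable: the app user cannot rewrite its own code.
COPY --from=builder /usr/src/spring-doge/target/*.jar /app/spring-doge.jar
EXPOSE 8080
USER doge
# Exec form: no /bin/sh wrapper, java is PID 1 and gets signals directly.
# The Mongo URI comes from the SPRING_DATA_MONGODB_URI environment variable,
# which Spring Boot's relaxed binding maps to spring.data.mongodb.uri.
CMD ["java", "-Dserver.port=8080", "-jar", "/app/spring-doge.jar"]
# HEALTHCHECK needs a command; curl must be present in the runtime image.
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD curl -fsS http://localhost:8080/ || exit 1
```

Run it with `docker run -e SPRING_DATA_MONGODB_URI=mongodb://mongo:27017/test -p 8090:8080 chanezon/spring-doge`; in the compose files on the following slides the environment entry would be renamed the same way. Because the process is not root, a container escape through the application only yields uid 10001 on the host, and `docker inspect` shows the health status without any shell running inside the container.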
9. Run a container
docker run \
  --env MONGODB_URI=mongodb://mongo:27017/test \
  -p 8090:8080 \
  chanezon/spring-doge
(the hostname mongo must be resolvable from the container, for example via a user-defined network shared with the mongo container; docker-compose on the next slide sets that up)
10. docker-compose: running multiple containers
● Run your stack with one command: docker-compose up
● Describe your stack with one file: docker-compose.yml
version: '3.3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8080:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
  mongo:
    image: mongo
11. docker stack deploy
● Deploy your stack with one command: docker stack deploy
● Describe your stack with one file: docker-compose.yml
version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    depends_on:
      - mongo
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
19. Docker for Azure
Making things simple for a great user experience
(architecture diagram) Azure services used: Virtual Network, VMSS (Virtual Machine Scale Sets), Blob Storage, Azure Load Balancer, ARM (Azure Resource Manager), AAD (Azure Active Directory)
20. Docker EE on Azure
Free 30 Days Test Drive from Docker Store
21. Docker & Microsoft: collaboration on all fronts
• Build
• Docker for Windows
• Docker EE for Windows Servers
• Visual Studio Tools for Docker
• Visual Studio Code Docker extension
• Ship
• Visual Studio Team Services Docker Integration
• Azure Container Registry
• Run
• Docker EE in Azure MarketPlace
• Docker on Azure Stack
22. Docker with Windows Server 1709
• Docker Linux Containers on Windows
• Docker ingress mode service publishing on Windows
• Named pipes in Windows containers
> docker run -d -p 8080:8080 -v \\.\pipe\docker_engine:\\.\pipe\docker_engine friism/jenkins
(mounting the engine's named pipe gives the container full control of the host's Docker engine, equivalent to administrator on the host, so only do this for a trusted image such as a CI agent)
• Smaller Windows base images: Nanoserver download 70MB
https://blog.docker.com/2017/09/docker-windows-server-1709/
23. .Net and ASP.NET Docker Images & Samples
• Smaller Windows base images
• Nanoserver download 70MB
• Alpine images
• Linux and Windows
• Multi stage build
• Unit tests at build or runtime
https://github.com/dotnet/dotnet-docker/tree/master/samples
24. Swarm Windows Roadmap for Docker EE
Docker EE 2.0.0 GA, Q1 2018
● Only Windows Server 2016 (RS1) supported
  ○ Easy Image Compatibility: No
  ○ Ingress Networking: No
Docker EE 2.0.x patches, Q2 2018
● Add Windows Server 1709 (RS3) support with partial features:
  ○ Easy Image Compatibility: Yes
  ○ Ingress Networking: No
Docker EE 2.1, Q3 2018
● Full support for Windows Server 1709
  ○ Easy Image Compatibility: Yes
  ○ Ingress Networking: Yes
● Tentative considerations:
  ○ Windows Server 1803 (RS4) support
  ○ Possible new Windows LTSC version in Q3
25. Kube Windows Known Timelines (Still assessing for EE Roadmap)
Q4 2017, Kube 1.9: Beta support for Windows
● Docker 17.06 engine
● Windows Server 1709
Q1 2018, Kube 1.10: Beta support for Windows
● Docker 17.06 engine
● Windows Server 1709
Q2 2018, Kube 1.11: GA support for Windows
● Docker 17.06 engine
● Possibly containerd
● Windows Server 1709 (RS3)
● Windows Server 1803 (RS4)
H2 2018, Kube 1.x?: GA support for Windows
● Possibly containerd
● Windows Server LTS release
27. Lifecycle of a Kubernetes API Request
Kubernetes API Server: Authentication -> Authorization -> Admission Control -> etcd
28. Orchestrator: Docker Engine with Swarm-Mode Enabled
● github.com/docker/swarmkit
● Declarative State through the “Service” construct
● Built-in Routing Mesh & Overlay networking
● In-memory Raft Store for all state (persisted to disk)
● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints
29. Orchestrator: Kubernetes
● github.com/kubernetes/kubernetes
● Scheduling Unit: Pods
● Declarative State through “Controllers”: Deployment, ReplicaSet, DaemonSet …
● Load balancing via Services and Ingresses
● Flat Networking model delegated to plugins
30. Kubernetes in Docker CE (Windows and Mac)
(architecture diagram) A Linuxkit VM on hyperkit / Hyper-V, with vpnkit networking and host filesystem mounts, runs a single Docker Engine with Swarm Mode, Kubernetes (set up with kubeadm) and etcd. The Docker CLI, the Kubernetes CLI and Compose talk to it; Compose stacks reach Kubernetes through a CRD.
32. Docker EE now includes Kubernetes
Docker Enterprise Edition:
● Orchestration: Docker Swarm (Swarm-Mode) and Kubernetes (pods, batch jobs, blue-green deployments, horizontal pod auto-scaling)
● Production-ready Windows and IBM P/Z support
● Private Image Registry
● Secure Access and User Management
● App and Cluster Management
● Image Security Scanning
● Content Trust and Verification
● Policy Management
33. Kubernetes in Docker EE
(architecture diagram) The GUI, the Docker CLI and the Kubernetes CLI talk to the Universal Control Plane, which fronts the Docker Engine (Swarm-Mode), Docker Swarm, Kubernetes and etcd and provides the CA and the OIDC Provider; the Trusted Registry sits alongside, and a Node Agent and Reconciler manage the components on each node.
35. Docker EE Architectural Highlights
● Conformant Kubernetes components run as Docker containers
● Swarm Managers are Kubernetes Masters
● Swarmkit node inventory is source of truth
● Cryptographic Node Identity and mTLS used throughout
37. Authentication
● X509 Client Certificates
○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature
● OpenID Connect Identity Provider
○ GUI sessions use a custom identity provider and a token exchange service to authenticate with the OIDC authentication plugin
38. Authorization
● All requests authorized via the Authorization Webhook plugin
● Custom RBAC system shared between Swarm and Kubernetes:
○ Users, Teams, Organizations, Service Accounts
○ Custom Roles
○ Hierarchical “Grants”
● No support for the rbac.authorization.k8s.io API, future plans for API translation
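The decision logic behind such an authorization webhook, as an added example (not UCP's code): the API server POSTs a SubjectAccessReview, and the webhook answers from a list of grants, each a subject plus a role plus a scope, where a grant with no namespace acts as a ClusterRoleBinding and a namespaced grant as a RoleBinding (as the speaker notes on this deck put it). The subject spelling ("user:<name>", "group:<name>"), the assumption that teams and organizations arrive in spec.groups, and the role names and their verbs are all made up for the example.

```python
"""Added example: grant-based decision for a Kubernetes authorization webhook.
Not UCP's code; subject spelling, roles and the team-in-groups convention
are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A role is the set of (verb, resource) pairs it permits; "*" is a wildcard.
ROLES: Dict[str, Set[Tuple[str, str]]] = {
    "view": {("get", "*"), ("list", "*"), ("watch", "*")},
    "edit": {("get", "*"), ("list", "*"), ("watch", "*"),
             ("create", "*"), ("update", "*"), ("patch", "*"), ("delete", "*")},
    "admin": {("*", "*")},
}


@dataclass(frozen=True)
class Grant:
    """subject + role + scope. namespace=None is cluster-wide (a ClusterRoleBinding);
    a namespace string limits the grant to that namespace (a RoleBinding)."""
    subject: str          # "user:alice" or "group:dev" (assumed spelling)
    role: str
    namespace: Optional[str] = None


def role_allows(role: str, verb: str, resource: str) -> bool:
    # Unknown roles permit nothing: fail closed.
    return any(v in ("*", verb) and r in ("*", resource)
               for v, r in ROLES.get(role, set()))


def make_review(user: str, groups: List[str], verb: str, resource: str,
                namespace: str = "") -> dict:
    """Constructed SubjectAccessReview, shaped like the one the API server POSTs."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": groups,
            "resourceAttributes": {"namespace": namespace, "verb": verb,
                                   "resource": resource},
        },
    }


def decide(review: dict, grants: Iterable[Grant]) -> dict:
    """Return the review with status.allowed filled in.
    allowed=False is "no opinion" to the API server; when the webhook is the
    only authorizer configured, as on this slide, it amounts to a deny."""
    spec = review["spec"]
    attrs = spec.get("resourceAttributes")
    if attrs is None:
        return _status(review, False, "non-resource URLs are not handled here")
    subjects = {"user:" + spec["user"]} | {"group:" + g for g in spec.get("groups", [])}
    namespace = attrs.get("namespace", "")
    for grant in grants:
        if grant.subject not in subjects:
            continue
        # A namespaced grant never matches a cluster-scoped request or a
        # request across all namespaces (both arrive with namespace == "").
        if grant.namespace is not None and grant.namespace != namespace:
            continue
        if role_allows(grant.role, attrs["verb"], attrs["resource"]):
            return _status(review, True, f"allowed by {grant}")
    return _status(review, False, "no matching grant")


def _status(review: dict, allowed: bool, reason: str) -> dict:
    out = dict(review)
    out["status"] = {"allowed": allowed, "reason": reason}
    return out
```

The two cases worth testing are the ones that bite in practice: a namespaced grant must not satisfy `kubectl get pods --all-namespaces` (the request carries an empty namespace), and a grant to an unknown role must deny rather than fall through to allow.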
39. Admission Control
● Allows plugins to inspect, mutate or reject API requests after authorization
● Used for:
○ Orchestrator Selection
○ Linking nodes to namespaces
○ User Impersonation for Stacks
○ Image Signing policy enforcement
40. Orchestrator Selection
● Each node is running both kubernetes and swarm system components
● Administrators can toggle between (kubernetes, swarm or mixed) for any given node
● When toggling orchestrators, workloads of the previous orchestrator will be evicted
● An admission controller ensures that kubernetes workloads can only be scheduled on nodes labelled as "kubernetes" nodes.
● Workloads of multiple orchestrators on the same node can lead to resource contention
(diagram) Example cluster: Manager Node (K8s, Swarm), Worker Node (Swarm), Worker Node (Kubernetes), Worker Node (Kubernetes); every node runs a Kubelet and Swarm Agents.
41. Linking Nodes to Namespaces
● Allows users to uniquely assign nodes to namespaces.
● Variation of the PodNodeSelector admission controller integrated with UCP’s RBAC system
42. Image Signing Policy Enforcement
● Enforces that all workloads deployed in the cluster have a fully qualified image reference
● Resolves image references to always include a digest
● Contacts the registry to ensure that the referenced image has been signed by an authorized user.
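One admission handler covering slides 40 to 42, added here as an example and not UCP's code: for every Pod it forces a nodeSelector onto Kubernetes-orchestrated nodes, adds the node labels linked to the pod's namespace (rejecting a pod whose own nodeSelector conflicts, as the PodNodeSelector plugin does), and rewrites each image reference to the digest the registry reports as signed, rejecting references that are not fully qualified or have no authorized signature. The node label key, the namespace-to-node links and the SIGNED_IMAGES table are constructed for the example; in UCP the last of these is a lookup against the registry and its signing data.

```python
"""Added example: mutating + validating admission for orchestrator selection,
namespace-to-node linking and image signing policy. Not UCP's code."""
import base64
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

K8S_NODE_LABEL = "com.docker.ucp.orchestrator.kubernetes"                  # assumed label key
NAMESPACE_NODE_LINKS: Dict[str, Dict[str, str]] = {"dev": {"team": "dev"}}  # constructed
SIGNED_IMAGES: Dict[str, Dict[str, str]] = {                                 # constructed
    "registry.example.com/team/spring-doge": {"1.2": "sha256:" + "a" * 64},
}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image_ref(ref: str) -> Tuple[Optional[str], str, Optional[str], Optional[str]]:
    """(registry, repository, tag, digest). Docker's rule: the first path component
    is a registry only if it contains '.' or ':' or is 'localhost'; a ':' after
    the last '/' starts a tag; '@' starts a digest."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"{ref}: malformed digest")
    tag = None
    colon, slash = name.rfind(":"), name.rfind("/")
    if colon > slash:
        name, tag = name[:colon], name[colon + 1:]
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag, digest or None
    return None, name, tag, digest or None


def registry_lookup(repo: str, tag: Optional[str], digest: Optional[str]) -> Optional[str]:
    """Stand-in for contacting the registry: the signed digest for repo:tag, or
    confirmation that a caller-supplied digest is one of the signed ones."""
    signed = SIGNED_IMAGES.get(repo, {})
    if digest is not None:
        return digest if digest in signed.values() else None
    return signed.get(tag or "latest")


def resolve_signed(ref: str, lookup: Callable = registry_lookup) -> str:
    """Return repo@digest for a fully qualified, signed reference; raise otherwise."""
    registry, repo, tag, digest = parse_image_ref(ref)
    if registry is None:
        raise ValueError(f"{ref}: not fully qualified (no registry host)")
    name = f"{registry}/{repo}"
    signed = lookup(name, tag, digest)
    if signed is None:
        raise ValueError(f"{ref}: no signature from an authorized signer")
    return f"{name}@{signed}"


def admit(review: dict) -> dict:
    req = review["request"]
    uid = req["uid"]
    if req["kind"]["kind"] != "Pod":
        return _response(uid, True)  # only Pods are handled in this example
    spec = req["object"].get("spec", {})
    patch: List[dict] = []
    # Orchestrator selection + namespace links: required placement labels.
    required = {K8S_NODE_LABEL: "true", **NAMESPACE_NODE_LINKS.get(req.get("namespace", ""), {})}
    selector = dict(spec.get("nodeSelector", {}))
    for key, value in required.items():
        if selector.get(key, value) != value:
            return _response(uid, False, f"nodeSelector {key}={selector[key]} conflicts with namespace policy")
        selector[key] = value
    if selector != spec.get("nodeSelector", {}):
        patch.append({"op": "add", "path": "/spec/nodeSelector", "value": selector})
    # Image signing policy: pin every container (init containers too) to a signed digest.
    for field in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(field, [])):
            try:
                pinned = resolve_signed(c["image"])
            except ValueError as err:
                return _response(uid, False, str(err))
            if pinned != c["image"]:
                patch.append({"op": "replace", "path": f"/spec/{field}/{i}/image", "value": pinned})
    return _response(uid, True, patch=patch)


def _response(uid: str, allowed: bool, message: str = "", patch: Optional[List[dict]] = None) -> dict:
    resp: dict = {"uid": uid, "allowed": allowed}
    if message:
        resp["status"] = {"message": message}
    if patch:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def patch_ops(admission_response: dict) -> List[dict]:
    """Decode the base64 JSON Patch of a response (empty list if none)."""
    raw = admission_response["response"].get("patch")
    return json.loads(base64.b64decode(raw)) if raw else []


def make_pod_review(uid: str, namespace: str, images: List[str],
                    node_selector: Optional[Dict[str, str]] = None) -> dict:
    """Constructed AdmissionReview request for a Pod CREATE."""
    spec: dict = {"containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]}
    if node_selector:
        spec["nodeSelector"] = node_selector
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "namespace": namespace, "operation": "CREATE",
                        "object": {"apiVersion": "v1", "kind": "Pod", "spec": spec}}}
```

Resolving the tag to a digest at admission time is what makes the signature check hold: a tag can be re-pointed after the check, a digest cannot. Note that the unqualified `chanezon/spring-doge` from the earlier slides is rejected outright rather than defaulted to Docker Hub, which is the "fully qualified image reference" rule on this slide.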
45. Instructions
• Signup: ask karen.bajza@docker.com to plan your workshop and provide you the url.
• Instructions: https://github.com/dockersamples/ee-workshop
• Code: https://github.com/dockersamples/hybrid-app
Build each point so the final slide has all 3 points.
Safer apps mean that when you build and deploy your app in Docker, it is intrinsically more secure.
TD is: everything needed for the full functioning of your app is delivered in a secure and trusted manner.
All of these things in your system are in the app platform itself and move across.
Usable: people are not leaning in to security.
Secrets enable: secure API handshakes, encrypted communication; what else?
Assign secrets to services when they are ready to run and need to connect to other services (both internal and external).
Windows containers are different.
Runs on the Docker EE engine.
Swarm-mode Managers are Kubernetes Masters.
Swarm-mode node inventory is the source of truth.
Cryptographic Node Identity and mTLS used throughout.
Unmodified Kubernetes components run as Docker containers.
UCP Agent/Reconciler manages component lifecycle:
  Manager / Worker states
  Certificate validity
  Patching and upgrades
Leverage the Kubernetes extension model (webhooks, initializers, flexvolume, CNI, etc.).
We will submit the product and aim to pass the Certified Kubernetes Conformance program.
Requests arriving at the UCP controller against the Kubernetes API have their session token exchanged for a long-lived identity token. The request is then forwarded to the Kubernetes API server, which is configured to trust UCP's identity tokens.
A Grant is either a RoleBinding or a ClusterRoleBinding.