science + computing ag: IT services and software for demanding computer networks. Tübingen | München | Berlin | Düsseldorf
Dipl.-Inform. (FH) Holger Gantikow
Der Wal im Windkanal (The Whale in the Wind Tunnel): Docker containers for scientific computing
CeBIT Open Source Forum, March 2016
https://www.xing.com/profile/Holger_Gantikow
06.03.2016 Prof. Dr. Christoph Reich
Institut für Cloud Computing und IT-Sicherheit (IfCCITS), previously: Cloud Research Lab
Institute for Cloud Computing and IT Security
Facts:
◆ Founded 10/2015
◆ Head: Prof. Dr. Ch. Reich
◆ 5 PhDs, 4 Masters, 6 Bachelors
◆ http://www.wolke.hs-furtwangen.de
Research projects:
◆ Industrie 4.0 (security, data analysis)
◆ EU: A4Cloud ("accountable Cloud")
◆ PET Platform as a Service for Ambient Assisted Living Applications
Research topics:
◆ Distributed Systems
◆ IT Security
◆ Cloud Computing
◆ Industry 4.0; IoT
science + computing ag
© 2016 science + computing ag. Holger Gantikow - Der Wal im Windkanal | CeBIT Open Source Forum - March 2016
Founded: 1989
Locations: Tübingen, München, Berlin, Düsseldorf, Ingolstadt
Employees: 287; main shareholder: Atos SE (100%), previously Bull; revenue 2013: 30.70 million euro
Our focus: IT services and software for technical computing environments
Using demanding computer networks efficiently
Distributed computing
Automation / process optimisation
Migration / consolidation
IT operations
IT security
High Performance Computing
IT management
Distributed Resource Management
s+c core competencies: IT Services | Consulting | Software
Customers of science + computing ag
Customer locations (map): Bremen, Hamburg, Beelen, Duisburg, Düsseldorf (branch office), Aachen, Alzenau, Tübingen (headquarters), Stuttgart, Mannheim, Frankfurt (service location), Ingolstadt (branch office), Wolfsburg, Köln, München (branch office), Berlin (branch office)
Agenda
Part I: Docker in HPC
Part II: Benchmarks
Part III: Security aspects
Part 0: Introduction
What is this HPC thing?
High Performance Computing
Photo: Dieter Both, Bull GmbH
Only flying penguins? (Graphic: Dr. Martin Schulz)
Enterprise IT vs. HPC
| | Enterprise IT | HPC centres |
|---|---|---|
| Utilisation | < 50% | >> 50% (sometimes up to 90%) |
| Use of virtualisation | yes | no to rarely |
| Type of systems | heterogeneous | homogeneous |
| Scale ... | in: consolidation via virtualisation | out: computation distributed across several hosts |
| Interconnect requirements | moderate | need for low-latency, high-throughput interconnects |
| Resource consumption | finite, usually depends on the number of users | quasi unlimited: whatever is available gets used |
| Procurement model (cloud) | SaaS (Software as a Service) | IaaS (Infrastructure as a Service) |
| File systems | central | parallel and distributed |
Conclusion:
• HPC differs significantly from enterprise IT
HPC buzzword cloud
Docker
Source: http://cdn.meme.am/instances/500x/59600465.jpg
"An open platform to build, ship and run distributed applications anywhere."
https://www.docker.com/whatisdocker
"Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud."
https://www.docker.com/whatisdocker
Source: http://jamespacileo.github.io/Slides-Dockerize-That-Django-App/img/docker-meme.png
Docker 101
Source: http://blog.docker.com/wp-content/uploads/2013/06/Docker-logo-011.png
What can Docker do for you?
Save lives ;) Devs vs Ops
Isolate dependencies
Setup without Docker
Setup with Docker
Not quite a typical example…
Containerized historic FlexLM "triple" running on one Docker host
Legacy Dependency Hell, explained: a specific license required a specific vendor daemon, which in turn required a specific FlexLM version, which was too outdated to run on current CentOS
Nicely layered
Virtualization 2.0? Harder, Better, Faster, Stronger?
Virtualization compared
Container virtualization
Type 1 virtualization
Source: http://cdn.meme.am/instances/53646903.jpg
What is different?
And what else?
Part I: Docker in HPC
Where does it pinch?
Clean separation
Deployment!
Homogenising heterogeneous clusters
Passing on the environment?
Further resources?
Why not classic virtualisation?
Part II: Benchmarks
Benchmarks...
IBM Docker Paper
Source: Google "ibm docker paper", or: http://domino.research.ibm.com/library/cyberdig.nsf/papers/0929052195DD819C85257D2300681E7B/$File/rc25482.pdf
IBM Docker Paper - Setup
"In general, Docker equals or exceeds KVM performance in every case we tested. [...] Even using the fastest available forms of paravirtualization, KVM still adds some overhead to every I/O operation [...]. Thus, KVM is less suitable for workloads that are latency-sensitive or have high I/O rates."
5. Conclusions and Future Work, An Updated Performance Comparison of Virtual Machines and Linux Containers
Summary
"Container vs. bare-metal: Although containers themselves have almost no overhead, Docker is not without performance gotchas. Docker volumes have noticeably better performance than files stored in AUFS. Docker's NAT also introduces overhead for workloads with high packet rates. These features represent a tradeoff between ease of management and performance and should be considered on a case-by-case basis."
Docker@HPC
Thanks! @Sebastian Klingberg
Docker@HPC - Result
Numbers: average runtime (native vs Docker); local disk: 114 s vs 116.5 s, overhead 2.21%; Lustre: 117.3 s vs 118.5 s, overhead 1.04%
Part III: Security aspects
Quotes
Source: Surviving the Zombie Apocalypse - Ian Jackson http://xenbits.xen.org/people/iwj/2015/fosdem-security/
"Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker."
Dan Walsh, SELinux architect (?)
"Virtual Machines might be more secure today, but containers are definitely catching up."
Jerome Petazzoni, Senior Software Engineer at Docker
"You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
Theo de Raadt, OpenBSD project lead
Vulnerabilities
Surviving the Zombie Apocalypse
Source: Surviving the Zombie Apocalypse - Ian Jackson http://xenbits.xen.org/people/iwj/2015/fosdem-security/
Zombies? Findings!
Sources of frustration...
Source: Docker Containers on the Desktop https://blog.jessfraz.com/posts/docker-containers-on-the-desktop.html
Docker - Misunderstandings
Source: Docker Containers on the Desktop https://blog.jessfraz.com/posts/docker-containers-on-the-desktop.html
Docker - Carelessness
Source: Docker containers on the desktop - Discussion https://news.ycombinator.com/item?id=9086751
Docker - Discussion
"X11 is completely insecure, the "sandboxed" app has full access to every other X11 client."
"if you have docker access you have root access […] docker run -v /:/tmp ubuntu rm -rf /tmp/* Which will remove all the files on your system."
"Without user namespaces (CLONE_NEWUSER), which Docker currently doesn't use, uid 0 inside a container is the same thing as uid 0 outside it. If you let Docker run apps as root, which seems to be not uncommon, then it is, in a strong sense, the same as the root user outside the container. That's why Jessie's gparted process can partition her disk: as long as it can get at the device node, it has full permissions on it."
Source: Docker containers on the desktop - Discussion https://news.ycombinator.com/item?id=9088169
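A check that makes the quote above concrete, added here as an example (not from the slides or the discussion): read /proc/self/uid_map inside a container to see whether uid 0 there is really the host's uid 0 or has been remapped by a user namespace. The sample map contents are constructed, and the `make_sample_map` helper exists only for the demonstration.

```shell
#!/bin/sh
# Added example: inspect the user-namespace uid mapping from inside a container.
# /proc/self/uid_map has lines "<ns_start> <host_start> <length>"; the identity
# line "0 0 4294967295" means no user namespace is in effect, so uid 0 in the
# container is uid 0 on the host (the situation the quote above describes).

# host_uid_for NS_UID [MAP_FILE]
# Prints the host uid that NS_UID maps to and returns 0; prints "unmapped" and
# returns 1 when no mapping range covers NS_UID.
host_uid_for() {
    ns_uid=$1
    map_file=${2:-/proc/self/uid_map}
    while read -r ns_start host_start length; do
        [ -z "$ns_start" ] && continue
        if [ "$ns_uid" -ge "$ns_start" ] && [ "$ns_uid" -lt $((ns_start + length)) ]; then
            echo $((host_start + ns_uid - ns_start))
            return 0
        fi
    done < "$map_file"
    echo unmapped
    return 1
}

# container_root_is_host_root [MAP_FILE]
# Returns 0 when uid 0 in this namespace is host uid 0, 1 when it is remapped
# (for example to 100000 with Docker's userns-remap) or not mapped at all.
container_root_is_host_root() {
    [ "$(host_uid_for 0 "${1:-/proc/self/uid_map}")" = "0" ]
}

# make_sample_map "NS_START HOST_START LENGTH" [...]
# Writes constructed map lines (one per argument) to a temp file and prints its
# path; only used to demonstrate the functions without a real container.
make_sample_map() {
    f=$(mktemp)
    for line in "$@"; do
        printf '%s\n' "$line" >> "$f"
    done
    echo "$f"
}

# Stand-alone use: report on the namespace this shell runs in.
if [ -r /proc/self/uid_map ]; then
    if container_root_is_host_root; then
        echo "uid 0 here is host uid 0: no user namespace remapping"
    else
        echo "uid 0 here maps to host uid $(host_uid_for 0 || true)"
    fi
fi
```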
NFS anyone?
Taming Docker
Fine-grained access
Wrapper
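One shape such a wrapper can take, added here as an example (not code from the slides or from science + computing): it validates every requested bind mount against an allowlist of host directories, so the `-v /:/tmp` case quoted earlier is refused, forces the container to run as the calling user rather than uid 0, and drops all capabilities. The allowlist, the registry prefix and the `build_run_cmd` name are assumptions for the demonstration; nothing is executed, the function only prints the `docker run` line it would use.

```shell
#!/bin/sh
# Added example: a policy-checking wrapper around "docker run" for a shared
# cluster. The site policy below is constructed for the demonstration.

ALLOWED_MOUNT_ROOTS="/scratch /data/projects"          # host dirs users may mount
ALLOWED_IMAGE_PREFIX="registry.example.invalid/hpc/"    # placeholder site registry

# mount_allowed HOST:CONTAINER[:OPTS]
# Returns 0 only if HOST is an absolute path inside one of ALLOWED_MOUNT_ROOTS.
# "/" or "/etc" fail the allowlist, "/scratch/../etc" fails the traversal check.
mount_allowed() {
    host_path=${1%%:*}
    case "$host_path" in
        /*) ;;                       # must be absolute
        *)  return 1 ;;
    esac
    case "$host_path" in
        *..*) return 1 ;;            # no ".." escaping an allowed root
    esac
    for root in $ALLOWED_MOUNT_ROOTS; do
        case "$host_path" in
            "$root"|"$root"/*) return 0 ;;
        esac
    done
    return 1
}

# image_allowed IMAGE -> 0 if IMAGE comes from the site registry.
image_allowed() {
    case "$1" in
        "$ALLOWED_IMAGE_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_run_cmd IMAGE [-v HOST:CONTAINER]... [-- CMD ARGS...]
# Prints the docker command line the wrapper would execute, or prints a reason
# on stderr and returns 1 when a policy check fails. Only -v is accepted from
# the user, so options such as --privileged cannot be passed through. Hardening
# flags are added unconditionally: run as the calling uid:gid (never uid 0,
# which is host root without user namespaces), drop every capability, and
# forbid privilege gain through setuid binaries.
build_run_cmd() {
    image=$1; shift
    image_allowed "$image" || { echo "image not allowed: $image" >&2; return 1; }
    mounts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -v) mount_allowed "$2" || { echo "mount not allowed: $2" >&2; return 1; }
                mounts="$mounts -v $2"
                shift 2 ;;
            --) shift; break ;;
            *)  echo "option not permitted by wrapper: $1" >&2; return 1 ;;
        esac
    done
    echo "docker run --rm --user $(id -u):$(id -g) --cap-drop ALL" \
         "--security-opt no-new-privileges$mounts $image $*"
}

# Stand-alone use: pass the wrapper's arguments, e.g.
#   ./wrapper.sh registry.example.invalid/hpc/openfoam:4 -v /scratch/job42:/work -- simpleFoam
if [ $# -gt 0 ]; then
    build_run_cmd "$@"
fi
```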
Application vs System Container
Docker Image Insecurity
Source: Docker Image Insecurity https://titanous.com/posts/docker-insecurity
What else happened… Docker 1.10, …
Short summary:
"Security Scanner" - https://github.com/coreos/clair: "Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers."
Docker Bench for Security - https://github.com/docker/docker-bench-security: "The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. [...] an easy way to self-assess their hosts and docker containers against this benchmark."
See also: Seccomp Profile, User Namespaces, OpenSCAP/container-compliance
Part IV: Summary
Wa(h)lwerbung? (pun: Wal = whale, Wahl = election)
Source: http://cdn2.spiegel.de/images/image-806145-galleryV9-ygfz.jpg
Source: https://www.flickr.com/photos/protohiro/3847864550
Summary
Virtualisation 2.0? Nope ;)
Better performance than classic virtualisation in HPC
Security must be ensured
Thank you for your attention.
science + computing ag www.science-computing.de
Phone: 07071 9457 - 503 E-mail: [email protected]
Holger Gantikow
CfP is open! TÜBIX 2016 http://www.tuebix.org/
Question? Answer!
http://www.science-computing.de https://www.science-computing.de/jobs
Sources
accessed 14.03.2015
Docker ALL THE THINGS
§ http://cdn.meme.am/instances/500x/59600465.jpg
Docker Logo
§ http://blog.docker.com/wp-content/uploads/2013/06/Docker-logo-011.png
IBM Docker Paper
§ Google: ibm docker paper, or:
§ http://domino.research.ibm.com/library/cyberdig.nsf/papers/0929052195DD819C85257D2300681E7B/$File/rc25482.pdf
Ian Jackson - Surviving the Zombie Apocalypse
§ http://xenbits.xen.org/people/iwj/2015/fosdem-security/
Docker Containers on the Desktop
§ https://blog.jessfraz.com/posts/docker-containers-on-the-desktop.html
Docker containers on the desktop - Discussion
§ https://news.ycombinator.com/item?id=9086751
Docker containers on the desktop - Discussion
§ https://news.ycombinator.com/item?id=9088169
A Real Life White Whale that Destroyed Over 20 Whaling Ships and Survived Encounters with Another 80
§ http://www.todayifoundout.com/index.php/2011/12/a-real-life-white-whale-that-destroyed-over-20-whaling-ships-and-survived-encounters-with-another-80/
Docker Image Insecurity
§ https://titanous.com/posts/docker-insecurity
Wa(h)lplakat (whale/election poster)
§ http://cdn2.spiegel.de/images/image-806145-galleryV9-ygfz.jpg
Further sources
Docker^12
§ http://jamespacileo.github.io/Slides-Dockerize-That-Django-App/img/docker-meme.png
Magical Virtual Machines
§ http://cdn.meme.am/instances/53646903.jpg
Boxed Amazon Cat
§ https://www.flickr.com/photos/protohiro/3847864550
TUEBIX
§ http://tuebix.org
accessed 05.05.2015