Sunday, September 27, 2015

Decoding Docker - Part 3 : Docker files

I hope you have gone through Part 1 and Part 2 of my blog series on Docker. In this post, I am exploring the creation of Docker images.

There are multiple ready-made Docker images available in Docker Hub, which you can simply pull and use. However, what if you need a different combination of software versions than what is readily available? Simple: you create an image of your own with all the required software installed.

There are two options to do this. The easiest option is to pull a base image, install everything you want, and commit the container as a new image. But what if you would like to make some changes down the line? You may have to redo the whole thing. That is where the option to create an image using a Dockerfile helps. You can simply write a Dockerfile to install and configure the required software. If you wish to make changes at a later point, you can edit the Dockerfile and build a new image.

In this example, I will explain the process of creating a Docker image with Apache installed and the relevant ports opened in it. Let's start by creating a Dockerfile. It is a simple text file named "Dockerfile".

#vi Dockerfile

We will be using the CentOS base image, so the first line of the Dockerfile specifies which image to use.

FROM centos

Now let's install all the required software using the RUN instruction.

RUN yum -y update
RUN yum -y install python-setuptools
RUN easy_install supervisor
RUN mkdir -p /var/log/supervisor
RUN yum -y install which
RUN yum -y install git

Now build the Dockerfile into an image.

docker build -t custom/base .

Notice the "." at the end. You should run the command from the directory where "Dockerfile" exists. Now you have created your base image. Let's install Apache next. Edit the Dockerfile and add the following content.

FROM custom/base
RUN yum -y install httpd
ADD supervisord.conf /etc/supervisord.conf
EXPOSE 22 80 
CMD ["/usr/bin/supervisord"]

We have installed supervisord in the base image to manage the processes within the container, the Apache service being a case in point. Now, let's write a supervisord config file to start the service on container startup.

vi supervisord.conf

Add the following content

[supervisord]
nodaemon=true

[program:httpd]
command=/bin/bash -c "exec /usr/sbin/apachectl -k start -DFOREGROUND"

Run docker build to create the image.

docker build -t custom/httpd .

Now let's spin up a container from the image.

sudo docker run -p 80:80 -v /root/htdocs:/var/www/html -t -i custom/httpd

Note: You can create a folder named /root/htdocs and use the -v switch to mount this folder at /var/www/html of the container, so that the storage is persistent.
The -p switch maps port 80 of the container to port 80 of the host.



Tuesday, September 1, 2015

Decoding Docker - Part 2

                                     


Docker Remote Registry

Continuing the blog series on my trysts with Docker, in this installment we will look into the details of how to set up a Docker remote registry. I hope you now have an idea of how to get Docker up and running; if not, go ahead and read the first part of my blog series here.

Now that we have the Docker engine up and running, and a few containers spun up in it, we might very well think about a centralized Docker image repository. Of course we have Docker Hub, and you could save your images there. But what if you want a bit more privacy and would like to save all your hard work in house? That is where a Docker remote registry comes in handy.

A Docker remote registry can be set up on a local machine for centralized storage of Docker images. You can pull and push images just like you do with Docker Hub. It allows centralized collaboration among people working on Docker containers in your firm. For example, a developer working on a project can save the current state of his container as an image and push it to the remote registry. His teammate could download the image, spin up a container and continue the work. This is just one of the use cases; the functionality is somewhat similar to an SVN repository. However, one major drawback I noticed was the lack of a search/list functionality.

Here is how you can set it up:

Server side configuration:

To start with, you will need a certificate for connecting to the remote registry. Let's create one using openssl on the machine where you plan to set up your Docker remote registry:

Monday, August 31, 2015

Decoding Docker - Part 1

Having worked with multiple virtualization platforms, I recently got an interesting opportunity to work with its younger sibling, containerization. The platform of choice was obviously Docker. Getting Docker up and running on an OS of your preference is a simple task; you can straightaway get it done using the instructions here. The interesting part is getting to play around with it.

Getting it up and running:

Docker can be started as a service or listening on a TCP port. Starting it as a service is pretty straightforward.

#service docker start

However, the interesting bit is when you want to run it as a daemon listening on a specific port. This is useful in scenarios where you want to manage the Docker engine remotely, say using a Windows Docker client or one of the open source GUIs available for Docker, like Shipyard and Mist.io.

The command to run Docker as a daemon listening on a port is

# /usr/bin/docker  -d -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock &

Here Docker will listen on all IP addresses of the machine at port 4243. If you want to connect to this Docker engine from a remote Docker client, the following command can be used

#docker -H tcp://<docker engine host>:4243 <commands>

For example: #docker -H tcp://<docker engine host>:4243 ps

One downside of this method is that there is no inherent authentication mechanism for remote access: anyone who can reach port 4243 can issue commands to the Docker engine.
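A check for the exposure described above, as an added example that is not part of the original post: the function reads a daemon command line and flags any TCP listener that other hosts can reach without `--tlsverify`, Docker's client-certificate authentication. The second sample command line, its port and its certificate file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit a Docker daemon command line for TCP listeners
# that accept remote clients without certificate authentication.

# The command from the post, and a constructed TLS variant (the port and
# the certificate file names are placeholders, not values from the post).
PAGE_CMD='/usr/bin/docker -d -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'
TLS_CMD='/usr/bin/docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'

# Prints "<endpoint> <verdict>" for every -H/--host endpoint. Exit status
# is 1 when a non-loopback TCP listener runs without --tlsverify.
# The body is a subshell, so set -f and the variables stay local.
audit_docker_hosts() (
    set -f                      # no globbing while splitting the string
    set -- $1                   # intentional word splitting into argv
    tlsverify=no
    hosts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --tlsverify|--tlsverify=true) tlsverify=yes ;;
            -H|--host) [ $# -ge 2 ] && { hosts="$hosts $2"; shift; } ;;
            -H=*|--host=*) hosts="$hosts ${1#*=}" ;;
        esac
        shift
    done
    rc=0
    for h in $hosts; do
        case "$h" in
            unix://*|fd://*) echo "$h local-socket" ;;
            tcp://127.*|tcp://localhost:*|tcp://\[::1\]*) echo "$h loopback-only" ;;
            tcp://*)
                # --tls alone encrypts but does not verify clients,
                # so only --tlsverify counts as authentication here.
                if [ "$tlsverify" = yes ]; then
                    echo "$h tls-client-auth"
                else
                    echo "$h UNAUTHENTICATED"
                    rc=1
                fi ;;
            *) echo "$h unrecognized" ;;
        esac
    done
    exit $rc
)

for cmd in "$PAGE_CMD" "$TLS_CMD"; do
    audit_docker_hosts "$cmd" || echo "=> remote clients can control this daemon without credentials"
done
```

A loopback-only TCP listener is still reachable by every local process, unlike the unix socket, which is protected by file permissions.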

Spin up your containers:

Let's start with pulling an image from Docker Hub, which is a public repository of Docker images

Friday, May 1, 2015

Cloud security - CSA domains

This is the second post in the blog series on Cloud security. You can see the first blog post here

The Cloud Security Alliance group provides actionable best practices for businesses to transition to cloud services while mitigating the risk involved in doing so. As per the latest version of the CSA guide, the critical areas of focus in cloud computing are divided into fourteen domains



Saturday, April 18, 2015

Cloud Security - Risk factors

Cloud security is a major consideration for enterprise-wide cloud adoption, especially public cloud. This is part 1 of a series of blog posts, where I am planning to pen down the different dimensions of cloud security, starting with the risk factors of cloud adoption.

The various attributes of the security risks involved in the process can be summed up as follows:


ENISA* recommends the following risk areas to be taken into account while embarking on a cloud adoption journey