Feature Friday: A Chat With Security Experts
DockerCon brings industry leaders and experts of the container world to one event where they share their knowledge, experience and guidance. This year is no different. For the next few weeks, we’re going to highlight a few of our amazing speakers and the talks they will be leading.
In this second highlight, we have several industry experts on container and application security that we’re excited to have sharing their knowledge at DockerCon. We’re going to have sessions covering network security, a dissection of a real world Kubernetes vulnerability (and what to do about it), encrypted containers, and the new AWS Firecracker “micro-VM” for containers, just to name a few.
In case you missed it, you can also see our first speaker highlight here, featuring storage, service mesh and networking experts.
Zero Trust Networks Come to Docker Enterprise Kubernetes
More on their session here.
|
Tigera Software Developer |
Docker Technical Alliances |
|
What is your breakout about? Brent: Docker Enterprise with Calico for networking being used in conjunction with Istio is an exciting intersection of securing various layers of networking – all from a single policy interface. Spike: The Docker-Calico-Istio combination Continue reading | |
How to setup an encrypted SOCKS proxy using stunnel
Why using SOCKS
There are times in which setting up a complete VPN tunnel might be an overkill (or not be an option at all).
For example, assume the followings:
- You don’t want to tunnel all the traffic, just want to do so for your browsers.
- Your OS is running under a limited account and doesn’t allow creation of tun interfaces.
- Your provider does not allow setting up a tun device.
- You want to securely surf the web on your old android device that doesn’t support tunneling.
stunnel can be used on your Android phone. SOCKS functionality could then be directly used in your phone for apps that support it: Firefox, Telegram, etc.
To see how to install and setup stunnel on android, take a look at:
These are just couple of examples. In such cases, setting up a SOCKS proxy might just do the trick.
Another interesting aspect of SOCKS proxy, is that after the initial per each connection handshake, it doesn’t add much overhead to the underlying traffic.
Overhead might not look like a big deal at first, but it adds up. This is specially true when you have a Continue reading
Your Kubernetes Agenda at DockerCon
Kubernetes has seen a rapid rise over the last few years and is becoming one of the most sought after skills. DockerCon is a great opportunity to get hands-on training from industry experts and hear from real customers who have deployed Kubernetes in production.
You’ll also have a chance to learn how Docker is the easiest way to get started with Kubernetes and attend sessions that describe how the Docker platform manages and secures applications on Kubernetes in multi-Linux, multi-OS and multi-cloud customer environments.
.
Download your Kubernetes agenda and register now for DockerCon!
Expert-Led Workshops
Register soon as space is running out in these hands-on workshops!
- Kubernetes 101: Getting up and running with Kubernetes – Led by Nigel Poulton, Docker Captain and Pluralsight author and writer of several popular Docker and Kubernetes books
- Security Best Practices for Kubernetes – Led by Scott Coulton, Docker Captain and Principal Software Engineer at Microsoft
Customer Case Studies
Hear from Docker customers who are running Kubernetes in production.
- McKesson: Serving Cloud Native Developer Teams in a Highly Regulated Environment
- Visa: Kubernetes On-Premises Best Practices & Deploying Machine Learning Workloads Inside Visa
Technical Sessions
Learn about the inner workings of Kubernetes and the Continue reading
Open Source Summit is Back at DockerCon 2019
Docker’s roots lie in open source and we are excited to spend time at DockerCon 2019 San Francisco sharing the latest innovations around the projects driving our industry. In addition to open source breakout sessions during the conference agenda, there will be an Open Source Summit on Thursday dedicated to collaboration and innovation with contributors, maintainers and users of popular Docker and container projects. Register to attend the DockerCon breakout sessions and the Summit.
Docker’s roots lie in open source and we are excited to spend time at DockerCon 2019 San Francisco sharing the latest innovations around the projects driving our industry. In addition to open source breakout sessions during the conference agenda, there will be an Open Source Summit on Thursday dedicated to collaboration and innovation with contributors, maintainers and users of popular Docker and container projects. Register to attend DockerCon to attend the breakout session. If planning to attend the Summit, please register here as well.
Open Source Agenda
Breakout Sessions
If you’ve never contributed to open source, join Phil Estes from IBM, a containerd maintainer and OCI Technical Oversight Board member, to learn how to enter the open source world and start contributing in his session: Continue reading
Take Your Windows Container Skills to the Next Level at DockerCon
On the heels of the Kubernetes 1.14 release that supports Windows nodes, organizations are going to need to understand how to build, share and run containerized Windows Server applications. Docker and Microsoft have been collaborating since 2014 to bring containers to Windows and have several years of experience helping enterprise organizations bring these applications to production. At this year’s DockerCon, we’re bringing that knowledge to you with a full lineup of Windows Containers sessions designed to take your skill-set to the next level.
Download your Windows Container agenda and register now to learn from industry experts. Content will include modernizing existing applications as well as building the next generation of applications in .NET and .NET Core with the latest Docker Tools.
- Modernize .NET Apps: Give new life to your existing application portfolio with this hands-on workshop (pre-registration required)
- Docker for Windows Container Development: Learn how to develop your first .NET/.NET Core application
- Networking and storage deep dives for Windows architects and sys admins include:
- See how companies like yours are using Docker Enterprise and Windows Containers for their production services
Feature Friday: DockerCon speakers sound off on Kubernetes, Service Mesh and More
DockerCon brings industry leaders and experts of the container world to one event where they share their knowledge, experience and guidance. This year is no different. For the next few weeks, we’re going to highlight a few of our amazing speakers and the talks they will be leading.
In this first highlight, we have a few of our own Docker speakers that are covering storage and networking topics, including everything from container-level networking on up to full cross-infrastructure and cross-orchestrator networking.
Persisting State for Windows Workloads in Kubernetes
More on their session here.
|
Docker Software Engineer |
Docker Software Engineer |
|
What is your breakout about? We’ll be talking about persistent storage options for Windows workloads on Kubernetes. While a lot of options exist for Linux workloads we will look at dynamic provisioning scenarios for Windows workloads. Why should people go to your session? Persistence in Windows containers is very limited. Our talk aims to tackle this hard problem and provide practical solutions. The audience will learn about ways to achieve persistent storage in their Windows container workloads and they will also hear about future direction. What is your favorite DockerCon moment? | |
Top 5 Ways to Enhance Your DockerCon Experience
DockerCon 2019 is coming soon to San Francisco and and we’ve significantly improved your DockerCon experience based on your feedback. If you haven’t reserved your spot, head over to register today.
DockerCon 2019 is coming soon to San Francisco and and we’ve significantly improved your DockerCon experience based on your feedback. If you haven’t reserved your spot, head over to register today.
After each conference, our team goes through all of your feedback and brainstorms adjustments big and small to make sure DockerCon remains a special experience for you. To everyone that filled out the event survey – thank you! We know it can seem tedious but we appreciate the feedback.
With that in mind, we wanted to share some of the new changes you’ll see in San Francisco:
- Role-based Content: This year you can find dedicated tracks on how to use Docker for Developers and for IT Infrastructure & Operations teams. These tracks are led by Docker Captains, customers and Docker Solution Architects sharing their experiences and best practices in building and running apps in containers. And, to make the experience even better – we heard you – and have a new mobile app for attendees.
- One Global DockerCon Continue reading
How to install and configure stunnel on Ubuntu
Overview
We all know how awesome stunnel is, but setting it up properly on Ubuntu (and on most other distros, really), can be a little tricky.
This post is dedicated to show you how to properly install and configure this magnificent piece of software on Ubuntu.
For this, I’ll be using Ubuntu 18.04 Server. There is a good chance however that the same procedure (maybe with slight adjustments), could work on other Ubuntu versions (or even other distros) as well. Please share your results with me so I can update this post.
Installing stunnel
This part should be simple enough. We’ll be using Ubuntu’s own repository:
sudo sh -c 'apt-get update && apt-get install stunnel4'
The installation process also comes with its own stunnel4 user, init script, and logrotate config (which we’ll take advantage of soon).
Moreover, couple of scripts are included in the package to deal with the ppp connections (to handle ppp status changes gracefully by restarting the stunnel process).
stunnel – manual mode
stunnel can be manually called with the config file as its argument and it will work.
For example, assuming the file is located at /etc/stunnel/stunnel.conf, the following command would run it: Continue reading
Find the right AMI everytime: Make your AWS application work in any region
With over 170 Amazon Web Services (AWS) modules, including 60 specifically for Elastic Compute Cloud (EC2), Ansible makes it easy to provision and manage AWS resources. Are you using resources on AWS and looking to diversify across regions to facilitate high availability and disaster recovery? Are you concerned about how Ansible handles differences among EC2 regions? This post will help you build Ansible Playbooks that operate smoothly across regions using the ec2_ami_facts module. In our example, we’ll spin up Red Hat Enterprise Linux instances in AWS.
To spin up an Amazon Machine Image (AMI), you must know the image’s ImageID, a unique identifier for that specific image. AMI ImageIDs use a human-unfriendly hex string to catalog the AMI. For example, ami-c998b6b2. Unfortunately AMI ImageIDs are unique per region, which means the ImageID for Red Hat Enterprise Linux in us-east-1 (Virginia) is not the same as the ImageID for the identical image in us-east-2 (Ohio). Some cloud operators use AWS CloudFormation templates, which include a catalog of AMI ImageIDs for every region, to make their deployment model work across regions. While this can work, it is a bit inflexible, needs constant maintenance of the CloudFormation template, and may work in one Continue reading
Advancing Windows Containers with Docker and Kubernetes
Today, the Cloud Native Computing Foundation (CNCF) announced Kubernetes 1.14, which includes support for Windows nodes. Kubernetes supporting Windows is a monumental step for the industry and it further confirms the work Docker has been doing with Microsoft to develop Windows containers over the past five years. It is evidence that containers are not just for Linux; Windows and .NET applications represent an important and sizeable footprint of applications that can benefit from both the Docker platform and Kubernetes.
Docker’s collaboration with Microsoft started five years ago. Today, every version of Windows Server 2016 and later ships with the Docker Engine – Enterprise. In addition, to facilitate a great user experience with Windows containers, Microsoft publishes more than 129 Windows container images of its popular software on Docker Hub. Many Docker Enterprise customers are already running mixed Windows and Linux containers with Swarm, and an upcoming release of Docker Enterprise will allow our customers to expand their Windows options to Kubernetes as well. Today both Docker Enterprise and Docker Desktop users have found that the easiest way to use and manage Kubernetes is with Docker and now these users will have the same benefits with Windows containers as well.
gMSA Continue reading
Three quick ways to move your Ansible inventory into Red Hat Ansible Tower
If you’ve been using Ansible at the command line for a while, you probably have a lot of servers, network devices, and other target nodes listed in your inventory. You know that Red Hat Ansible Tower makes it easier for everyone on your team to run your Ansible Playbooks. So you’ve thought about using Ansible Tower to take your automation to the next level, but you want to retain all the data and variables in your existing inventory file or directory. Are you worried about transferring your inventory from command-line use to Ansible Tower? Let me show you how easy it is to import your existing Ansible inventory into Ansible Tower!
This blog covers three quick and effective ways to connect your existing Ansible inventory into Ansible Tower:
- Migrating an inventory file from the Ansible Tower control node (awx-manage)
- Migrating an inventory file from anywhere with a playbook
- Setting Tower to access a git source-controlled inventory file
If you don’t have Ansible Tower yet and want to download and try it out, please visit: https://www.ansible.com/products/tower
If you’re using dynamic inventory, you don't need to import your inventory into Ansible Tower. Dynamic inventory retrieves your inventory from an Continue reading
Build your Agenda for DockerCon 2019
The DockerCon Agenda builder is live! So grab a seat and a cup of coffee and take a look at the session lineup coming to San Francisco April 29th – May 2nd. This year’s DockerCon delivers the latest updates from the Docker product team, lots of how to sessions for developers and IT Infrastructure and Ops, and customer use cases. Search talks by tracks to build your agenda today.
Build Your Agenda
Use the agenda builder to select the sessions that work for you:
- Using Docker for Developers: How to talks for Developers, from beginner to intermediate. You’ll get practical advice on how implement Docker into your current deployment.
- Using Docker for IT Infrastructure and Ops: Practical sessions for IT teams and enterprise architects looking for how best to design and architect your Docker container platform environment.
- Docker Tech Talks: Delivered by the Docker team, these talks share the latest tech on the Docker Platform. You’ll learn about new features, product roadmap and more.
- Customer Case Studies: Looking to learn from companies who have been there and learned a few things along the way? In this track, industry leaders share how Docker transformed their organization – from business use cases,technical Continue reading
Spousetivities at Oktane 2019
It should come as no surprise to anyone that I’m a huge supporter of Spousetivities, and not just because it was my wife, Crystal Lowe, who launched this movement. What started as the gathering of a few folks at VMworld 2008 has grown over the last 11 years, and this year marks the appearance of Spousetivities at an entirely new conference: Oktane 2019!
Oktane is the conference for Okta, a well-known provider of identity services, and the event is happening in San Francisco from April 1 through April 4 (at Moscone West). This year, Okta is bringing Spousetivities in to add activities for those traveling to San Francisco with conference attendees.
What sort of activities are planned? The Oktane19 Spousetivities landing page has full details, but here’s a quick peek:
- A wine tour in Sonoma/Napa with private transportation (lunch is included, of course!)
- A walking food tour of San Francisco combined with a bus tour of the city and tickets to Beach Blanket Babylon
- A whale watching tour
…and more!
If you’re attending Oktane19 and are bringing along a spouse, domestic partner, family member, or even just a friend—I’d definitely recommend signing them up for Spousetivities. Continue reading
Looking Ahead: My 2019 Projects
It’s been a little while now since I published my 2018 project report card, which assessed my progress against my 2018 project goals. I’ve been giving a fair amount of thought to the areas where I’d like to focus my professional (technical) development this coming year, and I think I’ve come up with some project goals that align both with where I am professionally right now and where I want to be technically as I grow and evolve. This is a really difficult balance to strike, and we’ll see at the end of the year how well I did.
Without further ado, here’s my list of 2019 project goals, along with an optional stretch goal (where it makes sense).
Make at least one code contribution to an open source project. For the last few years, I’ve listed various programming- and development-related project goals. In all such cases, I haven’t done well with those goals because they were too vague, and—as I pointed out in previous project report cards—these less-than-ideal results are probably due to the way programming skills tend to be learned (by solving a problem/challenge instead of just learning language semantics and syntax). So, in an effort to Continue reading
Docker Pals Program 2019
At DockerCon Copenhagen we launched the Docker Pals program in order to connect attendees and help them make the most out of their trip. Attending a conference for the first time or by yourself can be intimidating and we don’t want anyone to feel that way at DockerCon! Pals get matched with a few others who are new (the “Pals”), and someone who knows their way around (the “Guide”) so you will have a familiar group before you arrive at the conference. Guides help Pals figure out which talks and activities to attend, and are available for questions.
This year we are excited to grow the program, matching more groups and adding Meet-and-Greets throughout the week. You won’t want to miss the best version of Docker Pals yet!
Here’s what Pals had to say about DockerCon Barcelona:
“Docker Pals made my DockerCon experience ten times better and I’ve made friends I hope to see again!”
“Our Guide was very helpful and I really enjoyed meeting other Pals at the conference.”
“[I enjoyed] the fact that even though I was there alone I always had a place to turn for help and fellowship.”
“[Our Continue reading
Happy Pi Day with Docker and Raspberry Pi
What better way to say “Happy Pi Day” than by installing Docker Engine – Community (CE) 18.09 on Raspberry Pi. This article will walk you through the process of installing Docker Engine 18.09 on a Raspberry Pi. There are many articles out there that show this process, but many failed due to older Engine versions and some syntax issues.
Special thanks to Docker Solutions Engineer, Stefan Scherer and his monitoring image (stefanscherer/monitor) along with the whoami image (stefanscherer/whoami) that allows Pimoroni Blinkt! LED’s to turn on/off when scaling an application within a Swarm Cluster.
Instructions
For this demo, I used 7 Raspberry Pi’s 3 (model B+) and 1 Pimoroni Blinkt! LED for each Pi.
1. Download the following Raspian image ‘2018-11-13-raspbian-stretch-full.img’ from https://www.raspberrypi.org/downloads/raspbian/
2. Use balenaEtcher to write the image to each of your microusb cards.
3. To make DNS hostname resolution a little easier, I setup local hostnames on each Pi device. Below is an example.
192.168.93.231 pi-mgr1 pi-mgr1.docker.cafe
192.168.93.232 pi-mgr2 pi-mgr2.docker.cafe
192.168.93.233 pi-mgr3 pi-mgr3.docker.cafe
192.168.93.241 pi-node1 pi-node1.docker.cafe
192. Continue reading
Split Tunneling with vpnc
vpnc is a fairly well-known VPN connectivity package available for most Linux distributions. Although the vpnc web site describes it as a client for the Cisco VPN Concentrator, it works with a wide variety of IPSec VPN solutions. I’m using it to connect to a Palo Alto Networks-based solution, for example. In this post, I’d like to share how to set up split tunneling for vpnc.
Split tunneling, as explained in this Wikipedia article, allows remote users to access corporate resources over the VPN while still accessing non-corporate resources directly (as opposed to having all traffic routed across the VPN connection). Among other things, split tunneling allows users to access things on their home LAN—like printers—while still having access to corporate resources. For users who work 100% remotely, this can make daily operations much easier.
vpnc does support split tunneling, but setting it up doesn’t seem to be very well documented. I’m publishing this post in an effort to help spread infomation on how it can be done.
First, go ahead and create a configuration file for vpnc. For example, here’s a fictional configuration file:
IPSec gateway vpn.company.com
IPSec ID VPNGroup
IPSec secret donttellanyone
Xauth username bobsmith
Advanced AMI Filtering with JMESPath
I recently had a need to do some “advanced” filtering of AMIs returned by the AWS CLI. I’d already mastered the use of the --filters parameter, which let me greatly reduce the number of AMIs returned by aws ec2 describe-images. In many cases, using filters alone got me what I needed. In one case, however, I needed to be even more selective in returning results, and this lead me to some (slightly more) complex JMESPath queries than I’d used before. I wanted to share them here for the benefit of my readers.
What I’d been using before was a command that looked something like this:
ec2 describe-images --owners 099720109477 \
--filters Name=name,Values="*ubuntu-xenial-16.04*" \
Name=virtualization-type,Values=hvm \
Name=root-device-type,Values=ebs \
Name=architecture,Values=x86_64 \
--query 'sort_by(Images,&CreationDate)[-1].ImageId'
The part after --query is a JMESPath query that sorts the results, returning only the ImageId attribute of the most recent result (sorted by creation date). In this particular case, this works just fine—it returns the most recent Ubuntu Xenial 16.04 LTS AMI.
Turning to Ubuntu Bionic 18.04, though, I found that the same query didn’t return the result I needed. In addition to the regular builds of 18.04, Canonical apparently also builds EKS Continue reading
Technology Short Take 111
Welcome to Technology Short Take #111! I’m a couple weeks late on this one; wanted to publish it earlier but work has been keeping me busy (lots and lots of interest in Kubernetes and cloud-native technologies out there!). In any event, here you are—I hope you find something useful for you!
Networking
- Daniel Dib has a great article on how network engineers need to evolve. The network isn’t going away, it’s just changing.
- I referenced part 1 of Ajay Chenampara’s series on the Ansible
network-enginecommand parser back in Technology Short Take 102 (July of last year). I’m not sure how I missed that part 2 was published only 2 days later, so I’m rectifying that now. Go check out part 2. - Paul Fitzgerald shows how to use Hyper-V and Docker to build a VyOS 1.2.0 ISO image. (VyOS is an open source Linux-based network operating system.)
- Matt Cowger shares how to use MetalLB with the Unifi USG to take advantage of Kubernetes LoadBalancer functionality in your home lab. Nifty.
Servers/Hardware
- James Hamilton is back with a more in-depth look at the components of the AWS Nitro System.
- I must say that my conclusions regarding Continue reading
containerd Graduates Within the CNCF
We are happy to announce that as of today, containerd, an industry-standard runtime for building container solutions, graduates within the CNCF. The successful graduation demonstrates containerd has achieved the maturity, stability and community acceptance required for broad ecosystem adoption. containerd has already been deployed in tens of millions of production systems today, making it the most widely adopted runtime and an essential upstream component of the Docker platform. containerd was donated to the CNCF as a top-level project because of its strong alignment with Kubernetes, gRPC and Prometheus and is the fifth project to make it to this tier. Built to address the needs of modern container platforms like Docker Enterprise and orchestration systems like Kubernetes, containerd ensures users have a consistent dev to ops experience.
From Docker’s initial announcement that it was spinning out its core runtime to its donation to the CNCF in March 2017, the containerd project has experienced significant growth and progress over the last two years. The primary goal of Docker’s donation was to foster further innovation in the container ecosystem by providing a core container runtime that could be leveraged by container system vendors and orchestration projects such as Kubernetes, Swarm, Continue reading