Devops, Docker and Security

John Willis @botchagalupe

• One of the founding members of “Devopsdays” • Co-author of the “Devops Handbook”. • Author of the “Introduction to Devops” on Linux Foundation

edX. • Podcaster at devopscafe.org • Devops Enterprise Summit - Cofounder • Nine person in at Chef (VP of Customer Enablement) • Formally Director of Devops at Dell • Found of Socketplane (Acquired by Docker) • 10 Startups over 25 years

About Mehttps://github.com/botchagalupe/my-presentations

5

What If I told you you could be 2000 times

faster than your competitors

6

What if I told you that you could be 100

times more reliable than your

competitors

7

What if you could have

both

Faster, Effective, Reliable

• Devops (Faster)

• Docker (Effective)

• Supply Chain (Reliable)

8

Immutable Service Delivery

Devops … faster

DTO Solutions

• CAMS

• Culture • Automation • Measurement • Sharing

Devops Taxonomies

• The Three Ways

•The First Way •The Second Way •The Third Way

Devops Practices and Patterns• Continuous Delivery

• Everything in version control • Small batch principle • Trunk based deployments • Manage flow (WIP) • Automate everything

• Culture • Everyone is responsible • Done means released • Stop the line when it breaks • Remove silos

12

itrevolution.com/devops-handbook

30x 200xmore frequent deployments

faster lead times

60x 168xthe change success rate

faster mean time to recover (MTTR)

2x 50%more likely to exceed profitability, market share & productivity goals

higher market capitalization growth over 3 years*

High performers compared to their peers…

Data from 2014/2015 State of DevOps Report - https://puppetlabs.com/2015-devops-report

Recent IT Performance Data is Compelling

30x 200xmore frequent deployments

faster lead times

60x 168xthe change success rate

faster mean time to recover (MTTR)

2x 50%more likely to exceed profitability, market share & productivity goals

higher market capitalization growth over 3 years*

High performers compared to their peers…

Data from 2014/2015 State of DevOps Report - https://puppetlabs.com/2015-devops-report

Recent IT Performance Data is Compelling

Faster

HigherQuality

MoreEffective

2555x

Fast

CheapGood

“Pick Two!”

Conventional Wisdom

Devops Automated Deployment Pipeline

16

Source: Wikipedia - Continuous Delivery

18

Devops ResultsGoogle

• Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree

• Over 75M test cases run daily

19

Devops ResultsAmazon

• 11.6 second mean time between deploys. • 1079 max deploys in a single hour. • 10,000 mean number of hosts

simultaneously receiving a deploy. • 30,000 max number of hosts simultaneously

receiving a deploy

20

Unicorns and Horses (Enterprises)

Unicorns

Enterprise

Shamelessly stolen and repurposed from: Pete Cheslock

21

Devops Results

Enterprise Organizations

• Ticketmaster - 98% reduction in MTTR • Nordstrom - 20% shorter Lead Time • Target - Full Stack Deploy 3 months to minutes • USAA - Release from 28 days to 7 days • ING - 500 applications teams doing devops • CSG - From 200 incidents per release to 18

Docker … effective

• IBM 360/370 (1960/1970) • CHROOT - Version 7 Unix 1979 (Bell Labs) • BSD in 1982 (Berkley) • VMware (1998) • FreeBSD Jails 2000 • XEN 2003 • Solaris Zones 2004 • OpenVZ 2005 • Amazon Web Services 2006 • Namespaces 2007 • Cgroups (Google) 2007 • KVM 2007 • AIX LPARS (IBM) 2007 • Drawbridge (2008) • Hyper-V (2008) • Linux Containers - LXC (Parelles, IBM, Google) 2008 • Docker (Dotcloud Inc) 2013 • Microsoft Docker on Windows Server 2016

History of

Virtualization

•Type 1 Virtualization •VMware ESX, XEN, Hyper-V

•Type 2 Virtualization •KVM, Virtualbox, QEMU, VMware Workstation

•OS Level Virtualization •OpenVZ, LXC, Docker

Virtualization

www.slideshare.net/BodenRussell/realizing-linux-containerslxc

• Provision in milliseconds • Near bare metal runtime performance • VM-like agility – it’s still “virtualization” • Lightweight – Just enough Operating System (JeOS) • Supported with modern Linux kernel • Growing in popularity

Why OS Level Virtualization

• Isolation

• Lightweight

• Simplicity

• Workflow

• Security

• Community

Why Docker

29

Docker Security Enhancements

• Docker Security Scanning • Docker Content Trust • Docker Trusted Registry • TLS by Default for Swarm/Docker Data Center • Read Only Containers • User Namespaces • Secomp and LSMS support • Enhanced System “Capabilities” support • Secrets Management • Immutable Operating System (Coming Soon)

30

Immutable Delivery

31

Immutable Delivery

Supply Chain … Reliable

33

35

Supply&chain&advantage&

Source:(Toyota(Supply(Chain(Management:(A(Strategic(Approach(to(Toyota’s(Renowned(System,(by(Ananth(Iyer(and(Sridhar(Seshadri(

Toyota&Advantage&

Toyota&Prius&

Chevy&Volt&

Unit%Retail%Price% 61%& $24,200% $39,900%

Units%Sold/Month% 13x& 23,294% 1,788%

In?House%ProducBon% 50%& 27%% 54%%

Plant%Suppliers% 16%&& 125% 800%

Firm@Wide(Suppliers( 4%# 224( 5,500(

Use their highest quality parts

Use fewer, better suppliers

Track which parts you use & where

37

Variety • Determine your variety of

offerings based on operational efficiency and market demand

Velocity • Maintain a steady flow through all

processes of the supply chain Variability • Manage inconsistencies carefully

to reduce cost and improve quality

Visibility • Ensure the transparency of all

processes to enable continuous learning and improvement

Toyota Production Systems - 4VL

38

Docker and the Three Ways of Devops

39

Variety • Learn faster, Limited frameworks,

Limited operating systems, Limit vendors.

Velocity • Small Batch, Small Teams,

Microservices and Containers Variability • Docker and Immutable Delivery Visibility • Automated Testing, Docker Trust,

Docker Security Scanning, Bounded Context, Bill of Materials

Immutable Service Delivery (4VL)

Use their highest quality parts

Use fewer, better suppliers

Track which parts you use & where

40

Visibility - Docker - Bill of Material

• Where and when was it built and why • What was its ancestor images • How do I start, validate, monitor and update it • What git repo is being built, what hash of that git repo

was built • What are all the tags this specific container is known as

at time of build • What’s the project name this belongs to • Have the ability to have arbitrary user supplied rich

metadata

Software Supply Chain - 4VL

Devops Automated Deployment Pipeline

41

Source: Wikipedia - Continuous Delivery

DevSecOps

Requirements & Design Development CI

Interval Trigger

AssessmentProduction

Application Risk Classification

Security Requirement Definition

Secure Libraries

Static Analysis/IDE

SCM

Open Source Governance(CI)

Secure Coding Standards

Perimeter Assessment

Dynamic Assessments

Threat-Based Pen Test

Web Application Firewalls

Automated Attack/Bot Defense

Container Security Management

Security Mavens (Security-Trained Developers and Operations)Role Based Software Security Training

Continuous Monitoring, Analytics and KPI Gathering

Preventative Detective

Lightweight threat modeling approach

Detailed manual assessments

triggered automatically at

appropriate interval; detached from

release cycle

Container Security Compliance (CI)

Threat modeling

Static Analysis (CI)

43

Immutable Service Delivery

Fortune 500 Insurance Company

• Tracks critical and high security defect rate per 10k lines of code

• Started out with (10/10k) • After applying Devops practices and principles (4/10k) • After applying Toyota Supply Chain 4VL (1/10k ) • After Docker with Immutable Delivery (0.1/10k)

44

With Docker

Fortune 500 Insurance Company

• One Service • One Container • One Read Only File System • One Port

Immutable Service Delivery

• Devops (Faster)

• Docker (Effective)

• Supply Chain (Reliable)

45

2000x Faster and

100x Reliable