Ian Miell, @ianmiell
Author, Docker in Practice
Culture, Politics, Technical
Build, Ship, Run
How many here are comfortable with Docker?
How many have used an orchestrator?
Platform like OpenShift or Rancher
How many work for a company with <1000, 5000+, 100000+ staff?
Running Docker in production? Working on it?
Kubernetes / Swarm / Mesos(phere)
Unregulated software house, Docker implemented as skunkworks project
40-700 staff - workarounds for enterprisey behaviours
Moved to 120,000 strong company - workarounds fail!
Moved from Dev to Infra
Blog post: https://medium.com/zwischenzugs
All roads lead here
History - processes built up around 'machine'
'When SecOps arrives at the meeting'
What do you want Docker for?
Separate build from run, infra from code?
'Two Cultures' - divided by 'who has root'?
Docker open, enterprises not
'docker run' anywhere!
Who’s in charge?
'People who are really serious about software should get serious about people'
Who makes decisions?
Who has the money?
What do they want?
How is change funded?
Strategic or piecemeal approach? Partnership?
'How hard can it be?'
Are you ok with users having root?
If not, how will you manage this?
Auditing (change control, change records, approval)
No trust / some trust?
Is this experience going to be the same as production? Do you care?
If not, how easy is it to on-board with your solution?
Do you have a strategic CM tool?
How does it play with Docker?
Do you want to mandate a CM tool as strategic?
<Insert mandatory image of shipping container here>
Problem: no access to outside world
Huge audit/sec/SDLC opportunity to check that images conform to standards
Is there a Shellshock-vulnerable version of bash on there?
Is there an out-of-date SSL library?
Is it based on a fundamentally insecure or unacceptable base image?
Process for ingestion
Is there an existing process to leverage?
Classes of scanner
Docker’s (deep scanning)
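The ingestion questions above (vulnerable bash, stale SSL library, unapproved base image) can be turned into an automated gate. The following is an added example, not code from the talk or from Docker's own scanner: it parses a `dpkg -l` listing captured from an image under review and checks it against a hypothetical ingestion policy. The package listing, the minimum versions and the approved-base list are all constructed for illustration and are not a recommendation for any real distribution.

```python
import re

# Constructed sample: the kind of output `docker run --rm <image> dpkg -l`
# would print for an image under review. Versions are illustrative only.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version              Architecture Description
+++-==============-====================-============-==========
ii  bash           4.3-7ubuntu1.5       amd64        GNU Bourne Again SHell
ii  libssl1.0.0    1.0.1f-1ubuntu2.15   amd64        Secure Sockets Layer toolkit
ii  curl           7.35.0-1ubuntu2.10   amd64        command line tool
"""

# Hypothetical ingestion policy (assumed values): minimum acceptable package
# versions and the base images the organisation has approved.
POLICY_MIN_VERSIONS = {
    "bash": "4.3-7ubuntu1.7",          # assumed: first revision carrying the fixes we require
    "libssl1.0.0": "1.0.1f-1ubuntu2.16",
}
APPROVED_BASES = {"internal/ubuntu-base:14.04", "internal/alpine-base:3.4"}


def parse_dpkg_l(text):
    """Return {package: version} for installed ('ii') rows of `dpkg -l` output."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            pkgs[parts[1]] = parts[2]
    return pkgs


def _chunks(s):
    # Tokenise "1.0.1f" into comparable pieces; numbers compare numerically,
    # letters lexically, and the leading tag keeps int/str comparisons from clashing.
    return tuple((1, int(t)) if t.isdigit() else (0, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", s))


def version_key(v):
    """Simplified approximation of dpkg ordering for 'epoch:upstream-revision'.
    Adequate for the sample; real tooling should defer to `dpkg --compare-versions`."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, _, revision = rest.partition("-")
    return (int(epoch), _chunks(upstream), _chunks(revision))


def check_image(base_image, dpkg_output, policy=POLICY_MIN_VERSIONS, approved=APPROVED_BASES):
    """Return a list of findings for the image; an empty list means it passes the gate."""
    findings = []
    if base_image not in approved:
        findings.append(f"base image {base_image!r} is not on the approved list")
    installed = parse_dpkg_l(dpkg_output)
    for pkg, minimum in policy.items():
        if pkg not in installed:
            continue  # package absent from the image: nothing to patch
        if version_key(installed[pkg]) < version_key(minimum):
            findings.append(f"{pkg} {installed[pkg]} is older than required {minimum}")
    return findings


if __name__ == "__main__":
    for finding in check_image("docker.io/library/ubuntu:14.04", SAMPLE_DPKG_L):
        print("REJECT:", finding)
```

Run as a step in the ingestion pipeline, a non-empty result keeps the image in a quarantine registry until its owner rebuilds it. Note that a version-string check is coarse: distribution fixes for issues like Shellshock land in the distro revision, so the minimums are distro-specific and a production scanner compares against the distribution's security tracker rather than a hand-maintained table.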
What is your org’s trust model?
Drives: what do you want to know?
Are you afraid of licensed software?
How is your software licensed in a Docker world? Potential CPUs 'touched'?
How would you cope with an audit?
Coherence with other artifact stores
RBAC / Authentication
Who owns that container?
What is that container doing?
Which containers have Shellshock?
Containers change a lot - where is change control required?
What did that container do?
What could that container do?
Does your monitoring solution have a concept of containers?
How do you manage patches?
Who owns which layer?
How do you identify which images need updating?
Do you want to mandate a base image?
What do you want in your base image?
Is your OS up to date?
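The patching questions above (who owns which layer, which images need updating, whether to mandate a base image) become tractable once images carry labels and you compare their layers against the current build of the mandated base. This added example is not code from the talk or from Docker; the inventory mirrors the shape of `docker image inspect` output (`RootFS.Layers`, `Config.Labels`) but every digest, image name and label key (`com.example.base`, `com.example.owner`) is constructed for illustration.

```python
# Constructed inventory. In practice these come from `docker image inspect`
# or the registry manifests; the sha256 values here are made up.
CURRENT_BASES = {
    "internal/ubuntu-base": ["sha256:base-a1", "sha256:base-a2", "sha256:base-a3"],
}

IMAGES = {
    "payments/api:1.4": {
        "Labels": {"com.example.base": "internal/ubuntu-base", "com.example.owner": "payments-team"},
        "Layers": ["sha256:base-a1", "sha256:base-a2", "sha256:base-a3", "sha256:app-p1", "sha256:app-p2"],
    },
    "ledger/batch:0.9": {
        "Labels": {"com.example.base": "internal/ubuntu-base", "com.example.owner": "ledger-team"},
        # Built before the base's third layer was rebuilt: one stale base layer.
        "Layers": ["sha256:base-a1", "sha256:base-a2", "sha256:base-OLD", "sha256:app-l1"],
    },
    "legacy/reports:2.0": {
        "Labels": {},  # no labels at all: built from an unmanaged base
        "Layers": ["sha256:other-1", "sha256:app-r1"],
    },
}


def assess_image(name, meta, bases=CURRENT_BASES):
    """Attribute an image's layers to the platform team (base) and the app owner,
    and decide whether it must be rebuilt onto the current base."""
    labels = meta.get("Labels") or {}
    base = labels.get("com.example.base")
    owner = labels.get("com.example.owner", "UNOWNED")
    if base not in bases:
        # A mandated-base policy treats this as a rejection, not just a warning.
        return {"image": name, "owner": owner, "status": "unmanaged-base",
                "needs_rebuild": True, "app_layers": list(meta["Layers"])}
    current = bases[base]
    # A correctly rebuilt image starts with exactly the current base layers.
    prefix = meta["Layers"][:len(current)]
    stale = prefix != current
    return {"image": name, "owner": owner,
            "status": "stale-base" if stale else "current",
            "needs_rebuild": stale, "app_layers": meta["Layers"][len(current):]}


def rebuild_list(images=IMAGES, bases=CURRENT_BASES):
    """Group images needing a rebuild by the owner who has to act on them."""
    out = {}
    for name, meta in images.items():
        result = assess_image(name, meta, bases)
        if result["needs_rebuild"]:
            out.setdefault(result["owner"], []).append((name, result["status"]))
    return out


if __name__ == "__main__":
    for owner, items in rebuild_list().items():
        print(owner)
        for image, status in items:
            print(f"  {image}: {status}")
```

The division of labour this encodes: the platform team owns the base layers and patches the OS there once; each application owner is responsible only for the layers above, and gets a rebuild request when the base moves. Images without a base label fall out immediately, which is the enforcement mechanism for "do you want to mandate a base image?". The labels would be set with `LABEL` in the base and application Dockerfiles.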
Docker versions and vendor software
SDNs - do you already have a solution?
How do you plan to deliver images and run containers on your cloud provider?
Do you want to tie yourself into their Docker solutions, or make your usage cloud-agnostic?
Are people trained to build and manage containers?
Build coalitions of interest
Engage parties early
Don’t focus on those already sold on the tech/devops
Consider using an aPaaS to manage these
Reverse engineer the culture
Figure out how things get done, don’t fight it
Re-use existing processes where possible
Build internal map of the organisation
Don’t hate the player, hate the game
Docker enterprise anti-patterns
Build prototype outside org (Rackspace, AWS)
Doing devops in isolation/business unit-specific projects
Don’t beat yourself up
GitHub: ianmiell / docker-in-practice
LinkedIn: Ian Miell