What is Docker?

Docker is a tool to run processes in a container separate from the rest of the host machine. Depending on your point of view, it's similar to an extremely lightweight virtual machine or to a static binary that links in the whole operating system.

Docker is used for a few tasks:

• Cutting releases inside Docker containers.
• Running development instances on developer machines.
• Containing applications in the cloud.

Why Docker-Secure?

Docker-Local is a repository that permits CRUD operations either anonymously (no authentication) or with AD credentials. This means that released Docker image tags can be updated after release, which violates any sane versioning scheme.
Docker-Secure does not permit CUD (create, update, delete) operations anonymously or with AD credentials (those get read-only access); only Trusted Build Systems (at the moment, QuickBuild) hold credentials that authorize write and delete operations. The TBS is a layer of abstraction in front of the raw Docker registry interface that restricts the operations that can be performed.

This reduces the likelihood of two kinds of breaking CUD operations on released Docker artifacts:

1. Accidental overwrite
2. Intentional overwrite

Deployment Flow through DS

As the diagram shows, without Docker-Secure the Docker images that are already released can be overwritten, accidentally or intentionally, because the repository is open to every developer. Once we are on DS, only the trusted build system (e.g., QuickBuild), which has the Docker-Secure credentials configured on it, is able to release Docker image versions. This prevents accidental or intentional overwrites, and once an image version is released it stays as released.


Integrating Dockerized Application with Vault

Vault (from HashiCorp) provides secure storage for sensitive data. To integrate the application with Vault, a common service discovery layer is needed; Consul provides it, and both your application and the Vault service are registered there.

Registering the Application on Consul (from HashiCorp)

Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.

Consul provides several key features:

Service Discovery – Consul makes it simple for services to register themselves and to discover other services via a DNS or HTTP interface. External services such as SaaS providers can be registered as well.

Health Checking – Health Checking enables Consul to quickly alert operators to any issues in a cluster. The integration with service discovery prevents routing traffic to unhealthy hosts and allows service level circuit breakers.

Key/Value Storage – A flexible key/value store enables storing dynamic configuration, feature flagging, coordination, leader election and more. The simple HTTP API makes it easy to use anywhere.

Multi-Datacenter – Consul is built to be datacenter aware and can support any number of regions without complicated configuration.


ContainerPilot.json

This JSON file, which ContainerPilot uses to register the application on Consul, looks like the one below. Every variable in it is supplied from environment variables defined on the application.

{
  "consul": "{{ .HOST }}:8500",
  "logging": {
    "level": "{{ .CP_LOG_LEVEL | default "INFO" }}",
    "format": "default",
    "output": "stdout"
  },
  "services": [
    {
      "name": "{{ .APPLICATION_NAME }}-{{ .ENVIRONMENT }}",
      "port": "{{ .PORT_8080 }}",
      "health": [
        "/usr/bin/curl",
        "--fail",
        "-s",
        "-o",
        "/dev/null",
        "http://{{ .HOST }}:{{ .PORT_8080 }}/alive.txt"
      ],
      "interfaces": [
        "static:{{ .HOST }}"
      ],
      "poll": 10,
      "ttl": 30,
      "timeout": "10s",
      "tags": [
        "{{ .TASK_ID }}",
        "iid-{{ .TASK_ID }}",
        "app-{{ .APPLICATION_NAME }}",
        "env-{{ .ENVIRONMENT }}",
        "ver-{{ .APPLICATION_VERSION }}"
      ],
      "consul": {
        "enableTagOverride": true,
        "deregisterCriticalServiceAfter": "90m"
      }
    },
    {
      "name": "{{ .APPLICATION_NAME }}-secret-{{ .ENVIRONMENT }}",
      "port": "{{ .PORT_10080 }}",
      "health": [
        "/usr/bin/curl",
        "--fail",
        "-s",
        "-o",
        "/dev/null",
        "http://{{ .HOST }}:{{ .PORT_10080 }}/private/always-alive"
      ],
      "interfaces": [
        "static:{{ .HOST }}"
      ],
      "poll": 10,
      "ttl": 30,
      "timeout": "10s",
      "tags": [
        "{{ .TASK_ID }}",
        "iid-{{ .TASK_ID }}",
        "app-{{ .APPLICATION_NAME }}",
        "env-{{ .ENVIRONMENT }}",
        "ver-{{ .APPLICATION_VERSION }}",
        "secret"
      ],
      "consul": {
        "enableTagOverride": true,
        "deregisterCriticalServiceAfter": "90m"
      }
    }
  ]
}


Now both the application and the Vault service are registered on Consul; fetching the secrets or credentials from Vault to bootstrap the application is just an API call away.
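The lookup described above, as an added example that is not part of the original post or of ContainerPilot: a small Python bootstrap helper that asks Consul's catalog for the active Vault node and then reads a KV secret from it with a Vault token. The Consul address, the secret path secret/myapp/db, the token value and the sample API responses are constructed assumptions, and plain HTTP is assumed for both services.

```python
import json
import urllib.request
from typing import Callable

Fetch = Callable[[str, dict], str]  # (url, headers) -> response body

def http_get(url: str, headers: dict) -> str:
    """Real fetcher for use inside the container (needs network access)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def discover_vault(consul_addr: str, fetch: Fetch = http_get) -> str:
    """Return host:port of the active Vault node from Consul's catalog. Vault
    registers itself as service 'vault', tagging the leader 'active'."""
    nodes = json.loads(fetch(f"http://{consul_addr}/v1/catalog/service/vault", {}))
    active = [n for n in nodes if "active" in n.get("ServiceTags", [])]
    if not active:
        raise RuntimeError("no active Vault node registered in Consul")
    return f"{active[0]['ServiceAddress']}:{active[0]['ServicePort']}"

def read_secret(vault_addr: str, path: str, token: str, fetch: Fetch = http_get) -> dict:
    """Read a KV (v1) secret; Vault expects the token in X-Vault-Token.
    Plain HTTP is an assumption here; a production Vault listens on TLS."""
    body = fetch(f"http://{vault_addr}/v1/{path}", {"X-Vault-Token": token})
    return json.loads(body)["data"]

def bootstrap(consul_addr: str, token: str, fetch: Fetch = http_get) -> dict:
    """Discover Vault through Consul, then fetch the app's credentials."""
    return read_secret(discover_vault(consul_addr, fetch), "secret/myapp/db", token, fetch)

# Constructed sample responses so the script runs offline (not from a real cluster).
FAKE = {
    "http://consul:8500/v1/catalog/service/vault": json.dumps([
        {"ServiceAddress": "10.0.0.6", "ServicePort": 8200, "ServiceTags": ["standby"]},
        {"ServiceAddress": "10.0.0.5", "ServicePort": 8200, "ServiceTags": ["active"]},
    ]),
    "http://10.0.0.5:8200/v1/secret/myapp/db": json.dumps(
        {"data": {"username": "app", "password": "example-only"}}),
}

def fake_fetch(url: str, headers: dict) -> str:
    """Stand-in for http_get: rejects Vault reads without the expected token."""
    if url.startswith("http://10.0.0.5:8200") and headers.get("X-Vault-Token") != "s.example":
        raise PermissionError("403 permission denied: missing or wrong Vault token")
    return FAKE[url]

if __name__ == "__main__":
    # In the container: bootstrap(os.environ["HOST"] + ":8500", os.environ["VAULT_TOKEN"])
    print(bootstrap("consul:8500", "s.example", fake_fetch))
```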
