dockerizing the enterprise – fast & secure


Transcript of dockerizing the enterprise – fast & secure

Page 1: dockerizing the enterprise – fast & secure

dockerizing the enterprise – fast & secure

the journey of ABN-AMRO towards the usage of Docker containers

EMEA PUG Challenge - 2018

Wiebe de Roos

Page 2

Flusso: who we are & what we do

• Software development company in NL

• One of the biggest Progress partners

• Focus on OpenEdge & Progress technologies

• Open Source (Java, ServiceMix, etc.)

• Web Apps (Mobile, Angular2, React)

• CI/CD Consultancy


Page 3

who am I?

• Wiebe de Roos

• At Flusso since 2007

• Started as Java developer

• Present: CI/CD Consultant / Engineer

• Hired by ABN-AMRO in NL

[email protected]

Page 4

table of contents

1. Business & IT goals

2. Context of CI/CD pipelines

3. The new & improved CI platform

4. Docker containers on an enterprise scale

5. CI/CD pipelines for all

6. Docker security aspects

7. What’s next?

8. Questions and answers / discussion

Page 5

business & IT goals

1. Respond to (external) change

2. From waterfall to Dev(Sec)Ops

3. Faster delivery

4. Optimize CI/CD processes

5. Facilitate team autonomy

6. Boost innovation

7. Improve security at all stages

Page 6

CI/CD pipeline orchestration

Page 7

CI pipeline & build breakers

ABN AMRO has introduced a set of quality gates and build breakers in the Jenkins pipelines. The build breaks when the required quality or security level is not met, and the developer has to fix the defect before the pipeline continues.

Page 8

existing CI platform

• Statistics:

  a. +/- 1500 users

  b. 350+ projects

  c. 10000+ Jenkins jobs

• 1 Jenkins Operations Centre

• 10 Jenkins Masters

  i. 40+ Linux build slaves

  ii. 30+ Windows build slaves

  iii. 4 OSX build slaves

  iv. 25+ HP Fortify (secure coding) slaves

• 100+ (!!!) VMs in the on-prem data center… and growing…

Page 9

challenges and limitations

1. Ever-growing demand from DEV teams

2. Number of static VMs growing every day

3. Maintenance hell

4. No Docker container support

5. No true team autonomy

6. Innovation is slowed down

7. Tech talent will leave ABN-AMRO

Page 10

5 major improvements

1. Empower the CI/CD teams

2. Flexible tech stacks + configuration

3. Move to AWS public Cloud & Increase security

4. Infrastructure as Code & Configuration as Code.

5. Cloudbees Jenkins Enterprise is critical to the CI/CD program

Page 11

main Docker use cases

1. Earlier feedback in software development cycle (shift left)

2. Package applications into containers (e.g. java, front-end, OpenEdge)

a. Application code

b. Configuration

c. Deployment scripts

3. Standard building blocks (Docker images) for DEV teams

4. Test/Demo different versions of your application at the same time

5. Replace Jenkins VMs with Docker Containers

Page 12

Embrace the whale

Page 13

the new and improved CI platform

Page 14

Jenkins Enterprise - architecture

Page 15

a short history of pipelines

• 2017: Birth of the standard pipelines (STPLs)

• 2018: Birth of the new (Dockerized) pipelines:

• A pipeline for Docker images (e.g. Java, Front-End, OpenEdge)

• Easy to use, easy to implement & extend

• Security is built in

• A reference for other technologies

Page 16

Docker image pipeline – main building blocks

Page 17

example: CI/CD pipeline for Java apps

1. A pipeline which uses Docker images as building blocks

2. Create Java application (inside a Docker image)

3. All security stages in place

4. Deploy application in AWS public Cloud

5. Everything is based on source code (no manual steps)

Page 18

the full CI/CD pipeline


Page 19

context of containers in the enterprise

(diagram; axis labels: Specific / Generic)

Page 20

Docker Security topics on all levels


Page 21

Why all this?

To avoid compromised containers wherever they are used.

Secure business continuity - don’t end up in the news ;-)


Page 22

security (1): syntax check Docker image

Status: Downloaded newer image for hadolint/hadolint:v1.6.2-6-gcfb547a
/dev/stdin:3 DL3005 Do not use apt-get upgrade or dist-upgrade
/dev/stdin:3 DL3009 Delete the apt-get lists after installing something
/dev/stdin:4 DL3008 Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
/dev/stdin:4 DL3015 Avoid additional packages by specifying `--no-install-recommends`
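The four findings above come from running hadolint over a Dockerfile; the slide does not show the Dockerfile itself. What follows is an added Python example, not code from the slides or from ABN AMRO's pipeline: a constructed Dockerfile with the same defects on lines 3 and 4, a hardened version of it, a simplified re-implementation of the four rules (DL3005, DL3008, DL3009, DL3015; the real hadolint checks are more thorough), and a build-breaker gate of the kind slide 7 describes, which exits non-zero so a Jenkins `sh` step fails. The blocking rule set, the base image tag and the pinned curl version are illustrative assumptions.

```python
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Constructed Dockerfile with the defects the slide reports on lines 3 and 4:
# upgrade inside RUN, apt lists kept, unpinned package, recommends installed.
WEAK_DOCKERFILE = """\
FROM ubuntu:16.04
LABEL maintainer="platform-team@example.com"
RUN apt-get update && apt-get upgrade -y
RUN apt-get install -y curl
CMD ["curl", "--version"]
"""

# Hardened version: one RUN layer, no upgrade, pinned package (version is
# illustrative), --no-install-recommends, lists deleted in the same layer, non-root USER.
FIXED_DOCKERFILE = """\
FROM ubuntu:16.04
LABEL maintainer="platform-team@example.com"
RUN apt-get update \\
 && apt-get install -y --no-install-recommends curl=7.47.0-1ubuntu2.8 \\
 && rm -rf /var/lib/apt/lists/*
USER nobody
CMD ["curl", "--version"]
"""

# Assumed policy: rule ids that break the build (not ABN AMRO's actual list).
BLOCKING_RULES = frozenset({"DL3005", "DL3008", "DL3009", "DL3015"})


class Finding(NamedTuple):
    line: int      # line the instruction starts on, as hadolint reports it
    code: str
    message: str


def parse_instructions(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, INSTRUCTION, arguments), joining backslash continuations
    so a multi-line RUN is judged as one command."""
    parts: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not parts:
            if not line.strip() or line.lstrip().startswith("#"):
                continue                      # blank line or comment
            start = no
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line.strip())
        instruction, _, args = " ".join(parts).partition(" ")
        parts = []
        yield start, instruction.upper(), args.strip()


def lint(text: str) -> List[Finding]:
    """Simplified versions of hadolint DL3005, DL3009, DL3008 and DL3015."""
    findings: List[Finding] = []
    for line, instruction, args in parse_instructions(text):
        if instruction != "RUN":
            continue
        if re.search(r"\bapt-get\s+(?:dist-)?upgrade\b", args):
            findings.append(Finding(line, "DL3005", "Do not use apt-get upgrade or dist-upgrade"))
        if re.search(r"\bapt-get\s+update\b", args) and not re.search(r"\brm\s+-rf\s+/var/lib/apt/lists", args):
            findings.append(Finding(line, "DL3009", "Delete the apt-get lists after installing something"))
        # Judge every apt-get install separately, on its own side of &&, || or ;
        for cmd in (c.strip() for c in re.split(r"&&|\|\||;", args)):
            match = re.match(r"apt-get\s+(?:-\S+\s+)*install\b(.*)", cmd)
            if not match:
                continue
            packages = [tok for tok in match.group(1).split() if not tok.startswith("-")]
            if any("=" not in pkg for pkg in packages):
                findings.append(Finding(line, "DL3008", "Pin versions in apt get install"))
            if "--no-install-recommends" not in cmd:
                findings.append(Finding(line, "DL3015", "Avoid additional packages by specifying `--no-install-recommends`"))
    return findings


def format_findings(findings: List[Finding], source: str = "/dev/stdin") -> List[str]:
    """Render findings in hadolint's '<file>:<line> <code> <message>' layout."""
    return [f"{source}:{f.line} {f.code} {f.message}" for f in findings]


def gate(findings: List[Finding], blocking=BLOCKING_RULES) -> bool:
    """Build breaker: True (pass) when no finding is in the blocking set."""
    return not any(f.code in blocking for f in findings)


def check(text: str, source: str = "/dev/stdin") -> int:
    """Lint one Dockerfile, print the findings, return the exit code for the CI step."""
    findings = lint(text)
    for entry in format_findings(findings, source):
        print(entry)
    return 0 if gate(findings) else 1


if __name__ == "__main__":
    # Usage: python dockerfile_gate.py [Dockerfile]; without a path the weak sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(check(fh.read(), sys.argv[1]))
    sys.exit(check(WEAK_DOCKERFILE))
```

In a pipeline the same gate wraps the real tool (`hadolint - < Dockerfile`), with the blocking set kept in source control alongside the other quality-gate thresholds so that relaxing it is a reviewed change rather than a local override.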

Page 23

security (2): anchore dependency check


Page 24

security (3): Docker benchmark (OSS)

Page 25

security (4): block anything unwanted

Continuously monitor your running containers and block anything unwanted

Page 26

security (5): monitor docker hosts

Page 27

security (6): best practices

1. Use official and approved (base) images - use image signing

2. Protect your Docker-enabled hosts (logging, auditing, hardening)

3. Use non-privileged users for containers

4. Reduce attack surface (keep Docker images clean & small)

5. Do not store secrets inside Docker images

6. Use secure networks (also between containers)

7. Establish standards & guidelines for the enterprise

8. Make everyone security minded
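As an added example (not from the slides or from ABN AMRO), the runtime counterpart of the list above, in the spirit of slide 25 ("block anything unwanted"): a policy check over `docker inspect` output that flags practices 2 to 5 being violated, namely containers running as root, secret-looking environment variables, dangerous capabilities or a mounted Docker socket, a missing `no-new-privileges` option and a writable root filesystem. The two inspect documents are constructed and trimmed to the fields the checks use; the field names (Config.User, Config.Env, HostConfig.Privileged, HostConfig.CapAdd, HostConfig.SecurityOpt, HostConfig.ReadonlyRootfs, Mounts) are the ones `docker inspect` emits. The secret-name heuristic, the `_FILE` exemption, the container and image names and the policy choices are assumptions.

```python
import json
import re
import subprocess
from typing import Dict, List

# Heuristic for secret-bearing variable names. A *_FILE variable that points at a
# mounted secret (the Docker secrets convention) is the accepted alternative.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.IGNORECASE)
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys", "/boot", "/dev"}


def container_name(c: Dict) -> str:
    return c.get("Name", "").lstrip("/") or c.get("Id", "")[:12]


def audit_container(c: Dict) -> List[str]:
    """Return the policy violations for one object from a `docker inspect` array."""
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    name = container_name(c)
    problems: List[str] = []

    # Practice 3: non-privileged user. Config.User is empty when neither the image
    # nor `docker run --user` set one, which means the process runs as root.
    user = cfg.get("User") or ""
    if user.split(":")[0] in ("", "root", "0"):
        problems.append(f"{name}: runs as root (Config.User={user!r}); set USER in the image or pass --user")

    # Practice 5: secrets must not be baked into the image or passed as plain env vars
    for entry in cfg.get("Env") or []:
        key, _, value = entry.partition("=")
        if SECRET_NAME.search(key) and value and not key.upper().endswith("_FILE"):
            problems.append(f"{name}: secret-looking env var {key}; mount it from a secret store instead")

    # Practices 2 and 4: protect the host and keep the attack surface small
    if host.get("Privileged"):
        problems.append(f"{name}: --privileged grants every capability and all host devices")
    for cap in host.get("CapAdd") or []:
        norm = cap.upper()
        norm = norm[4:] if norm.startswith("CAP_") else norm
        if norm in DANGEROUS_CAPS:
            problems.append(f"{name}: dangerous capability added: {cap}")
    for mount in c.get("Mounts") or []:
        src = mount.get("Source", "")
        if src.endswith("docker.sock"):
            problems.append(f"{name}: Docker socket mounted from {src}; that is root on the host")
        elif mount.get("Type") == "bind" and src in SENSITIVE_HOST_PATHS:
            problems.append(f"{name}: sensitive host path bind-mounted: {src}")
    opts = host.get("SecurityOpt") or []
    if not any(opt in ("no-new-privileges", "no-new-privileges:true") for opt in opts):
        problems.append(f"{name}: missing --security-opt no-new-privileges")
    if not host.get("ReadonlyRootfs"):
        problems.append(f"{name}: writable root filesystem; run with --read-only and a tmpfs for scratch dirs")
    return problems


def audit_inspect_output(raw_json: str) -> Dict[str, List[str]]:
    """Audit every container in a `docker inspect` JSON array: {name: [problems]}."""
    return {container_name(c): audit_container(c) for c in json.loads(raw_json)}


def audit_running_containers() -> Dict[str, List[str]]:
    """Live variant for a monitoring job; needs access to the Docker socket."""
    ids = subprocess.run(["docker", "ps", "-q"], check=True, capture_output=True, text=True).stdout.split()
    if not ids:
        return {}
    raw = subprocess.run(["docker", "inspect", *ids], check=True, capture_output=True, text=True).stdout
    return audit_inspect_output(raw)


# Constructed sample, trimmed to the fields used: one container started with the
# defaults plus a few convenience flags, one started the way the list above asks for.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0123456789abcdef", "Name": "/legacy-batch",
        "Config": {"User": "", "Image": "legacy-batch:latest",
                   "Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]},
        "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None,
                       "ReadonlyRootfs": False},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
    },
    {
        "Id": "fedcba9876543210", "Name": "/pasoe-app",
        "Config": {"User": "1001:1001", "Image": "registry.example.com/pasoe-app:2018.06.1",
                   "Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db_password"]},
        "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                       "SecurityOpt": ["no-new-privileges"], "ReadonlyRootfs": True},
        "Mounts": [{"Type": "tmpfs", "Destination": "/tmp"}],
    },
])

if __name__ == "__main__":
    for name, problems in audit_inspect_output(SAMPLE_INSPECT).items():
        status = "OK" if not problems else f"{len(problems)} problem(s)"
        print(f"{name}: {status}")
        for problem in problems:
            print("  -", problem)
```

Run on a schedule against `audit_running_containers()` this gives the "monitor and block" loop of slides 25 and 26 a concrete rule set; the same checks applied to the `docker run` arguments in a pipeline catch the problem before the container ever starts.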

Page 28

what’s next - roadmap

Page 29

context within Progress software

1. OpenEdge 11.7.4 - first supported Docker container (progress/pasoe)

• standard disclaimers apply :-)

• PAS only (to run the application on the AppServer)

• No OpenEdge DB support (yet)

2. OpenEdge 12 - server-side query resolution

• to make up for the loss of shared-memory connections

3. Running OpenEdge apps inside a Tomcat container

4. Create your own OpenEdge Docker images for CI/CD and testing

Page 30

questions and answers

Thank you!

Wiebe de Roos - [email protected]

Page 31

references

• Cloudbees Core (formerly Jenkins Enterprise) - https://www.cloudbees.com/products/cloudbees-core

• Docker security topics - https://docs.docker.com/engine/security/security/

• Docker & DevOps - Progress - https://www.progress.com/blogs/containerization-leverage-docker-devops-to-do-more

• Dockerizing a React application - https://www.telerik.com/blogs/dockerizing-react-applications-for-continuous-integration

• Docker & Corticon - https://hub.docker.com/r/corticon/docker/

• OpenEdge Dockerfiles - https://github.com/bfv/docker4oe

• Docker Hub: official OpenEdge Docker images - https://hub.docker.com/u/openedge/