(DVO311) Containers, Red Hat & AWS For Extreme IT Agility


Transcript of (DVO311) Containers, Red Hat & AWS For Extreme IT Agility

Page 1: (DVO311) Containers, Red Hat & AWS For Extreme IT Agility

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

DVO311

Learn How to Use Containers, Red Hat, and AWS to Achieve Extreme IT Agility and Combat Network Exploits

Sean Dilda

Senior Automation Engineer

Duke University

Chris Collins

Senior Linux System Administrator

Duke University

Scott McCarty

Container Technical Evangelist

Red Hat

Page 2:

What to Expect from the Session

In this session, you will learn:

•Where containers provide real value

•How Duke University uses containers

  - Combatting a Denial of Service (DoS) attack

  - Identity management

  - Research computing

•How to address common container adoption challenges

•Key recommendations for working with containers

Page 3:

REAL VALUE OF CONTAINERS

Page 4:

Containers Deliver Many Benefits

Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA

Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015

Page 5:

CONTAINERS IN USE

Page 6:

Adoption Patterns

●PACKAGE AND SHIP MONOLITHIC APPS

●MIGRATE DIFFERENTIATING APPS TO CLOUD

●PACKAGE AND SHIP CLOUD-READY APPS

Page 7:

Real-world Example #1: Combatting a Denial of Service Attack

PROBLEM

●DDoS attack targeting Duke.edu

●Flooding load balancers

●All load-balanced services impacted

●Duke.edu down

SOLUTION

●Duke.edu container image

●AWS Docker hosts

●External DNS for duke.edu pointed to AWS

●Internal traffic kept inside Duke

THE RESULT

●Duke.edu unaffected for internal customers

●Duke.edu traffic handled by AWS for external customers/DDoS

●30-minute migration!

●Attack removed from load balancers

●Other load-balanced services back to normal

Page 8:

Real-world Example #2: Internet Download Manager (IDM) in a Container

PROBLEM

●Legacy IDM apps

●Unpredictable behavior after patching

●Result: Infrequent patching

●Inability to easily upgrade

●Result: Ancient hardware

SOLUTION

●Build IDM apps in containers

●Jenkins builds every 4 hours w/latest patches

●Automated testing notifies of failures

●Last “known good” image kept

THE RESULT

●“Known good” image always available; uptime assured

●Breaking patches can be investigated while “known good” images are kept in use

●Extremely portable

●Hardware independent

●Other environment can be set up, tested, torn down in minutes
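
The build, test and keep-"known good" gate from this slide, as an added example that is not from the presenters' deck or Duke's pipeline: a function that a scheduled Jenkins job could call. The image name, the `candidate-` and `known-good` tag names, and the in-container test command are assumptions.

```shell
#!/bin/sh
# Added illustration: rebuild with current patches, test the result, and move
# the "known-good" tag only when the tests pass. Tag names are assumptions.

# rebuild_and_promote IMAGE TEST_CMD [ARGS...]
# Return codes: 0 promoted, 1 build failed, 2 tests failed, 3 tagging failed.
# On any non-zero return, IMAGE:known-good still points at the previous image.
rebuild_and_promote() {
    image=$1
    shift
    candidate="$image:candidate-$(date -u +%Y%m%dT%H%M%SZ)"

    # --pull refreshes the base image and --no-cache reruns the package
    # installation steps, so each scheduled run picks up the latest patches.
    if ! docker build --pull --no-cache -t "$candidate" .; then
        echo "build failed for $candidate" >&2
        return 1
    fi

    # Run the test command in a throwaway container made from the candidate.
    # A failure here is the signal to notify and investigate the new patches.
    if ! docker run --rm "$candidate" "$@"; then
        echo "tests failed for $candidate; $image:known-good unchanged" >&2
        return 2
    fi

    # Tests passed: repoint known-good at the freshly patched image.
    docker tag "$candidate" "$image:known-good" || return 3
    echo "promoted $candidate to $image:known-good"
}

# Example call from the job's workspace (hypothetical names):
#   rebuild_and_promote idm-app /opt/tests/run-tests.sh
```

Deployments that always pull `IMAGE:known-good` keep running the last passing build while a failing candidate stays available under its timestamped tag for investigation.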

Page 9:

Real-world Example #3: Research Computing, Serving Up Multiple Stacks

PROBLEM

●Researchers want custom tool chains

●IT wants researchers on shared infrastructure

●Researchers need to be able to reproduce/share environment

SOLUTION

●Run every job in a custom Docker-formatted container

●Keep archive of old container images with log of which version was used for which job run

THE RESULT

●Self service: Researchers at Duke are starting to build their own Docker-formatted container images to run their analysis

Page 10:

THE REALITY OF ADOPTING CONTAINERS: WHAT ARE THE TOP CHALLENGES?

Page 11:

Top Challenges by Container Users

Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NA

Source: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015

Page 12:

Challenges Duke Is Seeing

TECHNOLOGY

PROCESS/STRATEGIC

Page 13:

CONTAINING THE MOST INTERESTING APPLICATION IN THE WORLD

Page 14:

The Reality: Security Implications

Page 15:

Security Inside the Container

●High vulnerabilities: ShellShock (bash), Heartbleed (OpenSSL), etc.

●Medium vulnerabilities: Poodle (OpenSSL), etc.

●Low vulnerabilities: gcc: array memory allocations could cause integer overflow

36% of official images available for download contain high-priority security vulnerabilities

Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)

Page 16:

And That's Why the Ops Guy Is Freaking Out

Page 17:

Container Host & Container Image

UNTRUSTED

●Will what’s inside the containers compromise your infrastructure?

●How and when will apps and libraries be updated?

●Will it work from host to host?

RED HAT CERTIFIED

●Trusted source for the host and the containers

●Trusted content inside the container with security fixes available as part of an enterprise lifecycle

●Portability across hosts

●Container Development Kit

●Certification as a service

●Certification catalog

●Red Hat Container Registry

[Diagram labels, shown once per column: HOST OS, CONTAINER, OS, RUNTIME, APP]

Page 18:

RECOMMENDATIONS AND A WORD OF ADVICE

Page 19:

Red Hat’s Container Strategy

TRUST PORTABILITY COMPREHENSIVE

Page 20:

Start Small, but Think Big: Advanced Tools & Planning

portability across environments

PHYSICAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD

portability across platforms

Page 21:

A Word of Advice

●Adoption Patterns

  - Start small for quick wins

  - Top-down approach for confidence

  - Advanced management tools

  - Single vs. multiple containers

  - Portability

●Trust

  - Supply chain, build methodology, temporal

  - Training and education

●Tenancy

  - Resources, security, and configuration

Page 22:

Learn more

•Talk with Red Hat container experts at booth #409

•Follow our blogs:

  http://rhelblog.redhat.com/tag/containers/

  https://blog.openshift.com/

•Connect with us:

  Red Hat Atomic @RedHatAtomic

  Scott McCarty @fatherlinux

  Sean Dilda

  Chris Collins @ChrisInDurham

Page 23:

Remember to complete your evaluations!

Page 24:

Thank you!