Oct 17

My Thoughts On The Kubernetes Support For Docker EE

Jul 19

Securing the Supply Chain with Nutanix and Docker #dockercon2016

I was watching the video below from DockerCon 2016 and there are lots of striking similarities between what Nutanix and Docker are doing to secure working environments for the Enterprise Cloud. There is no sense turning on the alarm for your house and then not locking the doors. You need to close all the gaps in your infrastructure and in the applications that live on top of it.

The most interesting part of the session for me was the section on security scanning and gating. Docker has Security Scanning which is available as an add-on to Docker hosted private repositories on both Docker Cloud and Docker Hub. Scans run each time a build pushes a new image to your private repository. They also run when you add a new image or tag. Most scans complete within an hour, however large repositories may take up to 24 hours to scan. The scan traverses each layer of the image, identifies the software components in each layer, and indexes the SHA of each component.
The scan compares the SHA of each component against the Common Vulnerabilities and Exposures (CVE) database. CVE is a “dictionary” of known information security vulnerabilities. When the CVE database is updated, the service reviews the indexed components for any that match the new vulnerability. If the new vulnerability is detected in an image, the service sends an email alert to the maintainers of the image.

A single component can contain multiple vulnerabilities or exposures and Docker Security Scanning reports on each one. You can click an individual vulnerability report from the scan results and navigate to the specific CVE report data to learn more about it.
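As an added illustration of the scan-then-recheck flow described above (example code written for this post, not Docker's scanner; the image layers, component bytes and CVE-EXAMPLE ids are constructed placeholders, not real CVEs):

```python
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def index_image(image):
    """Traverse each layer and index every component by the SHA of its content."""
    index = defaultdict(list)  # component sha -> [(layer id, component name), ...]
    for layer_id, components in image.items():
        for name, content in components:
            index[sha256(content)].append((layer_id, name))
    return dict(index)


def match_cves(index, cve_feed):
    """Compare each indexed SHA with the CVE feed; one component may carry several CVEs."""
    findings = {}
    for sha, locations in index.items():
        cves = cve_feed.get(sha, [])
        if cves:
            findings[sha] = {"locations": locations, "cves": sorted(cves)}
    return findings


def new_alerts(previous, current):
    """CVEs in the current results that the previous scan did not report (what triggers an alert)."""
    alerts = {}
    for sha, finding in current.items():
        before = set(previous.get(sha, {}).get("cves", []))
        added = sorted(set(finding["cves"]) - before)
        if added:
            alerts[sha] = added
    return alerts


# Constructed sample image: two layers, each a list of (component name, component bytes).
OPENSSL, ZLIB, APP = b"openssl-1.0.1e-sample", b"zlib-1.2.8-sample", b"myapp-1.0-sample"
IMAGE = {
    "layer0-base": [("openssl", OPENSSL), ("zlib", ZLIB)],
    "layer1-app": [("openssl", OPENSSL), ("myapp", APP)],  # same openssl bits reused
}
# Constructed CVE feeds keyed by component SHA; the CVE ids are placeholders, not real CVEs.
FEED_V1 = {sha256(OPENSSL): ["CVE-EXAMPLE-0001"]}
FEED_V2 = {sha256(OPENSSL): ["CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"],
           sha256(ZLIB): ["CVE-EXAMPLE-0003"]}

if __name__ == "__main__":
    index = index_image(IMAGE)
    first = match_cves(index, FEED_V1)   # scan at push time
    later = match_cves(index, FEED_V2)   # CVE database updated: re-check the stored index
    for sha, cves in new_alerts(first, later).items():
        for layer, name in index[sha]:
            print(f"alert maintainers: {name} in {layer} now matches {cves}")
```

Because the index is kept after the first scan, a feed update is checked against the stored SHAs rather than by pulling and re-walking the image.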

On the Nutanix side of the fence all code is scanned with 2 different vulnerability scanners at every step of the development life-cycle. To top that off, Nutanix already applies an intrinsic security baseline, and we already monitor and self-heal that baseline with SCMA (Security Configuration Management Automation) and leverage the SaltStack framework so that your production systems can self-heal from any deviation and are always in compliance. Features like two-factor authentication (2FA) and cluster lockdown further enhance the security posture. A cluster-wide setting can forward all logs to a central host as well. All CVEs related to the product are tracked, with an internal turnaround time of 72 hours for critical patches! There is some added time to get a release cut, but it is fast and everything is tested as a whole instead of as a one-off change that could have a domino effect.

When evaluating infrastructure and development environments for a security-conscious organization, it’s imperative to choose one that is built with a security-first approach and that continually iterates on patching new threats, thereby reducing the attack surface. Docker is doing some great work on this front.

Mar 31

Docker and Virtualization – Both are needed

Today we released the Nutanix Next Community Podcast on Docker. Our guest was Nigel Poulton, who I was lucky enough to first meet at a Tech Field Day event back in 2012. Nigel has a couple of courses available on Docker at Pluralsight and has great insight, knowing Docker and having spent a ton of time working with infrastructure.

You can check out the full podcast on iTunes or here:

A question that gets raised is whether Docker will cut into a significant portion of the virtualization game. Will Hyper-V and VMware lose potential revenue to people running Docker? It’s a hard question to answer and I think we tried to address it in the podcast in a roundabout way. Unless you’re a Joyent and doing something very custom like with their SmartOS, it’s doubtful to me. Developers don’t tend to manage infrastructure and DevOps is only a buzzword for a lot of Enterprises. Enterprises tend to be slow moving, so a common management platform is important, and that tends to be the virtualization layer. If the developers haven’t already moved out and consumed public cloud resources, virtualization will still be needed. There were lots of reasons why people moved away from bare metal installs and lots of those same reasons still apply. Yes, Docker can provide isolation, but host management, security and protecting the workloads are still very important. You still need to back up and manage your images and any persistent data that may be stored. Does it make sense to pay for an Enterprise Plus license from VMware to run Docker? Probably not, but maybe there is the right use case. I still need to get my head around Docker Swarm / Lattice and how it will all tie together. Like AWS, I see Xen and KVM based hypervisors flourishing here. Get the features that you lose out on by going bare-metal, but at a lower cost. This is where I can see people still running Docker on a virtualized host because of the familiarity with the management layer.

From a Nutanix perspective, whichever hypervisor you want to run, ESXi, Hyper-V or KVM, you get:

• Per VM management, per disk level metrics
• Hardware management through one-click upgrades
• Auto-scale your infrastructure through the Prism UI or APIs
• Snapshots/backup – think protecting your private repository
• Network/security management

Docker Resources
Want to Learn Docker – Look no Further!
Docker on Windows – Some Insight
Nigel Poulton Blog
Pluralsight Video – Docker Deep Dive
First Look: Native Docker Clustering
