Presentation is loading. Please wait.

Presentation is loading. Please wait.

Containers as a Service with Docker to Extend an Open Platform

Similar presentations


Presentation on theme: "Containers as a Service with Docker to Extend an Open Platform"— Presentation transcript:

1 1st International Workshop on Open Platforms in the Field of Independent Living and Active Ageing
Containers as a Service with Docker to Extend an Open Platform Tobias Hardes ( )

2 ALFRED as an Open Platform
Marketplace to act as an open platform “Google Play for ALFRED” Apps are provided by 3rd parties „Privacy by Design“ Users need to be in control of the own data This limits the possibilities for 3rd parties Different services / stacks / components for each developer How to solve this?! Google Play for ALFRED - App store - “Google Play Services”  For updates and downloads - privacy throughout the whole engineering process

3 Third party Webservice
ALFRED System ALFRED Apps ALFRED Infrastructure ALFRED Services Personal Assistant Service ALFRED Webservice ALFRED Apps Third party Webservice ALFRED Apps Deployment is linked to major efforts New VM/Server for each partner Different softwarestack Data privacy? How to ensure data is not given away? Core Apps Sensor Abstraction Framework ALFRED Sensors Image source:

4 Docker “Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server.” “Docker allows you to package an application with all of its dependencies into a standardized unit for software development.” Docker: - Wrap software with all things need to run the software will always run the same, regardless of its environment. - Started in 2013 Image source:

5 Containers Each Container has ist own Root filesystem Processes Memory
Container based virtualization uses the kernel on the host‘s operating system to run multiple guest instances Each Container has ist own Root filesystem Processes Memory Devices Network ports Container Container Container App App App Docker Engine From outside, it looks and operates like a VM, but it is NOT a VM The Question is now: Why don‘t we install all those applications without using containers? Most applications need to use various 3rd party libraries Example: 3 java applications, each using a different java/jvm implementation Its very difficult to have all three running on the same machine without any conflicts By using containers, we can isolate these runtime environments and eliminate the potential for conflicts Host Operating System Physical server

6 Why Docker? Containers are more lightweight No need to install guest OS Less CPU, RAM and storage space required Greater portability Containers are isolated, but share the host OS kernel Erst rechts die Bilder – Dann links Image source:

7 Use Granular Access Rights
Docker can be used to solve DevOps issues But what about data privacy? Individual ACL for every ressource ALFRED Authentication Service But what if access is granted for a 3rd party webservice and this access is exploited? Object Security Field AC 1 AC 2 AC 3 “Privacy by design” Individual records can be protected for each user “caregiver x is allowed to access user y”

8 Scenario Third party developer publishes container that contains dangerous code The developer is able to download health records from the ALFRED servers and sell them Image source:

9 Problem We get the same problem with virtual machines
Docker allows to add new services quick, cheap and independent from each other But it enables third party developers to access existing parts and users data Access to userdata is handled by the ALFRED Authentication Service Does the data leave the ALFRED system? ALFRED Authentication Service  ACL But it enables third party developers to access existing parts and users data - Would be the same with VMs We get the same problem with virtual machines

10 Approach Provide predefined images/containers (Base Images)
Stored in ALFRED Docker Registry Allow 3rd party developers to extend Base Images 3rd party publishes Dockerfile in ALFRED Docker Registry Dockerfile gets reviewed by the ALFRED Team Dockerfile gets published, if ordinary Registry Stateless highly scalable server side application stores / distribute Docker images Docker Security Scanning - free of vulnerabilities? Image source:

11 Approach - Problem What happens inside the

12 Approach - Problem The file „dangerous.war“ could contain dangerous code Solution 1 Solution 2 Perform a code review Every developer needs to push source code to a central repository (git) Servlet containers Shell scripts Customized executables …. Make sure the dangerous code cannot „use the bad intentions“ Solution 1: Repository is only accessible for the ALFRED Team The complete source code needs to be reviewed individual Requires a lot of time May require multiple project members Size of the new component Different programming languages Image source:

13 Use the Base Image Image source:

14 How to? Set everything to „Deny-all“
Access to www resources need to be granted specifically for a certain container and a certain URI URI needs to be well defined like: Decision needs to be individual for each request Works like the permissions for users

15 More specialized Image
Base Architecture Container Container More specialized Image Container Predefined Image Container Base Image

16 Proxy in Action Image source:

17 Proxy in Action Image source:

18 How to Implement a Proxy
Deploy proxy (as a container) Define new routes and configurations in the base image  Affects any container uses this image Create an non-privileged user in the Dockerfile The user is not able to change the routes afterwards

19 How to Use the Proxy A new service needs to be deployed with access to the internet The developer specifies the exact API Travelmode: Bicycling, driving, walking, transit

20 Grant Permissions Personal Assistant Service

21 Discussion and Questions

22 Image references © 2016 Google Inc. All rights reserved. Google and the Google Logo are registered trademarks of Google Inc. © Docker, Inc. All rights reserved.


Download ppt "Containers as a Service with Docker to Extend an Open Platform"

Similar presentations


Ads by Google