Harbor Registry. VMware VMware Inc. All rights reserved.

Similar documents
Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

CNA1699BU Running Docker on your Existing Infrastructure with vsphere Integrated Containers Martijn Baecke Patrick Daigle VMworld 2017 Content: Not fo

VMworld 2017 Content: Not for publication #CNA1699BE CONFIDENTIAL 2

VMWARE PIVOTAL CONTAINER SERVICE

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

VMWARE ENTERPRISE PKS

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

Who is Docker and how he can help us? Heino Talvik

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Table of Contents DevOps Administrators

VMware s (Open Source) Way of Container. Dr. Udo Seidel

Arup Nanda VP, Data Services Priceline.com

/ Cloud Computing. Recitation 5 February 14th, 2017

UP! TO DOCKER PAAS. Ming

ovirt and Docker Integration

agenda PAE Docker Docker PAE

An introduction to Docker

LENS Server Maintenance Guide JZ 2017/07/28

Let s manage agents. Tom Sightler, Principal Solutions Architect Dmitry Popov, Product Management

Securing the Data Center against

Deployment Patterns using Docker and Chef

RED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck

Building A Better Test Platform:

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

SQL Server on Linux and Containers

Using PCF Ops Manager to Deploy Hyperledger Fabric

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Run containerized applications from pre-existing images stored in a centralized registry

/ Cloud Computing. Recitation 5 September 26 th, 2017

Citrix CloudPlatform (powered by Apache CloudStack) Version Patch D Release Notes. Revised July 02, :15 pm Pacific

Setting up Kubernetes with Day 2 in Mind. Angela Chin, Senior Software Engineer, Pivotal Urvashi Reddy, Senior Software Engineer, Pivotal

Travis Cardwell Technical Meeting

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Introduction to containers

Docker and Oracle Everything You Wanted To Know

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

docker & HEP: containerization of applications for development, distribution and preservation

WHITE PAPER SEPTEMBER 2017 VSPHERE INTEGRATED CONTAINERS 1.2. Architecture Overview

Docker for People. A brief and fairly painless introduction to Docker. Friday, November 17 th 11:00-11:45

Installation runbook for Hedvig + Cinder Driver

OpenStack Mitaka Release Overview

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Dockerfile & docker CLI Cheat Sheet

Microsoft Cloud Workshop. Containers and DevOps Hackathon Learner Guide

Growth of Docker hub pulls

" Qué me estás container?" Docker for dummies

iscsi Target Usage Guide December 15, 2017

Important DevOps Technologies (3+2+3days) for Deployment

Docker at Lyft Speeding up development Matthew #dockercon

VMware admins: Can your DR do this?

Upcoming Services in OpenStack Rohit Agarwalla, Technical DEVNET-1102

IBM Bluemix compute capabilities IBM Corporation

INDIGO PAAS TUTORIAL. ! Marica Antonacci RIA INFN-Bari

Table of Contents. GEEK GUIDE Deploying Kubernetes with Security and Compliance in Mind. About the Sponsor...4 Introduction...5. Orchestration...

Be smart. Think open source.

MODERNIZING TRADITIONAL SECURITY:

VEMBU VS VEEAM Why Vembu is Better. VEMBU TECHNOLOGIES

Leveraging the Serverless Architecture for Securing Linux Containers

Developing and Testing Java Microservices on Docker. Todd Fasullo Dir. Engineering

DevOps Technologies. for Deployment

Container-based virtualization: Docker

Power your cloud infrastructure with Oracle VM and Cisco!

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT

/ Cloud Computing. Recitation 5 September 27 th, 2016

ESCALATING INSIDER THREATS USING VMWARE'S API

DevOps Workflow. From 0 to kube in 60 min. Christian Kniep, v Technical Account Manager, Docker Inc.

Trust in the Cloud. Mike Foley RSA Virtualization Evangelist 2009/2010/ VMware Inc. All rights reserved

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

vsphere Integrated Containers for vsphere Administrators

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

A Hands on Introduction to Docker

Think Small to Scale Big

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via

Choosing the Right Container Infrastructure for Your Organization

Docker CaaS. Sandor Klein VP EMEA

CONTAINERS AND MICROSERVICES WITH CONTRAIL

CONTINUOUS DELIVERY WITH DC/OS AND JENKINS

Data Protection Guide

VMware vcenter Server Appliance Management Programming Guide. Modified on 28 MAY 2018 vcenter Server 6.7 VMware ESXi 6.7

Anchore Container Image Scanner Plugin

Automating Security Practices for the DevOps Revolution

Docker und IBM Digital Experience in Docker Container

Build, test and release your python packages

StreamSets Control Hub Installation Guide

Data Protection Guide

Asigra Cloud Backup Provides Comprehensive Virtual Machine Data Protection Including Replication

SteelEye Solutions Extend Citrix XenServer. Bob Williamson

InterSystems Cloud Manager & Containers for InterSystems Technologies. Luca Ravazzolo Product Manager

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Con$nuous Deployment with Docker Andrew Aslinger. Oct

AGENDA. 13:30-14:25 Gestion des patches, du provisionning et de la configuration de RHEL avec Satellite 6.1, par Michael Lessard, Red Hat

Investigating Containers for Future Services and User Application Support

LGTM Enterprise System Requirements. Release , August 2018

Buenos Aires 31 de Octubre de 2018

TEN LAYERS OF CONTAINER SECURITY

Migrating VMs from VMware vsphere to Oracle Private Cloud Appliance O R A C L E W H I T E P A P E R O C T O B E R

Transcription:

Harbor Registry VMware 2017 VMware Inc. All rights reserved.

VMware Harbor Registry Cloud Foundry

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

Lifecycle of Containers and Images Registry Images Push tag Pull Dockerfile Build Images Save Load tar archive Commit Run Containers Stop Start Restart 5

Registry - Key Component to Manage Images Repository for storing images Intermediary for shipping and distributing images Ideal for access control and other image management Registry Push Images Pull 6

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

Project Harbor An open source enterprise-class registry server. Initiated by VMware China, adopted by users worldwide. Integrated into vsphere Integrated Containers. Apache 2 license. https://github.com/vmware/harbor/ 8

Key Features User management & access control RBAC: admin, developer, guest AD/LDAP integration Policy based image replication Vulnerability Scanning Notary Web UI Audit and logs Restful API for integration Lightweight and easy deployment 9

Users and Developers Users 20K+ 2600+ 200+ Downloads Stars Users Developers 700+ 55 6 Forks Contributors Partners 10

Harbor Architecture Harbor Notary client Notary Docker client Browser Nginx Core Service Registry V2 UI API Auth Replication Job Services Vulnerability Scanning Remote Harbor Instance Log Collector DB Admin Service 11 AD / LDAP

Harbor users and partners (selected) 12

Image replication (synchronization) Project Project Policy Images Initial replication Images Image incremental replication (including image deletion) Image 13

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

Consistency of Container Images Container images are used throughout the life cycle of software development Dev Test Staging Production Consistency must be maintained Version control Issue tracking Troubleshooting Auditing 15

Same Dockerfile Always Builds Same Image? Example: FROM ubuntu RUN apt-get install y python ADD app.jar /myapp/app.jar Base image ubuntu:latest could be changed between builds ubuntu:14.04 could also be changed due to patching apt-get (curl, wget..) cannot guarantee always to install the same packages ADD depends on the build time environment to add files 16

Shipping Images in Binary Format for Consistency..................... 17

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

Access Control to Images Organizations often keep images within their own organizations Intellectual property stays in organization Efficiency: LAN vs WAN People with different roles should have different access Developer Read/Write Tester Read Only Different rules should be enforced in different environments Dev/test env many people can access Production a limited number of people can access Can be integrated with internal user management system LDAP/Active Directory 19

Example: Role Based Access Control in Harbor Project Members Images Guest: Developer: docker pull... docker pull/push... ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0... Admin: 20

Other security considerations Enable content trust by installing Notary service Image is signed by publisher s private key during pushing Image is pulled using digest Perform vulnerability scanning Prevent images with vulnerabilities from being pulled Regular scanning based on updated vulnerability database 21

Content trust for image provenance Notary Image Creator Registry Image Consumer

Vulnerability Scanning Static analysis of vulnerability by inspecting filesystem of container image and indexing features in database. Rescanning is needed only and only if new detectors are added. Update vulnerability data regularly - Debian Security Bug Tracker - Ubuntu CVE Tracker - Red Hat Security Data - Oracle Linux Security Data - Alpine SecDB

Registry Image Vulnerability Scanning Vulnerability scanning Set vulnerability threshold Prevent images from being pulled if they exceed threshold Periodic scanning based on updated vulnerability database 24

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

Image Distribution Container images are usually distributed from a registry. Registry becomes the bottleneck for a large cluster of nodes I/O Network Scaling out an registry server Multiple instances of registry sharing same storage Multiple instances of independent registry sharing no storage 26

Image Distribution via Master-Slave Replication Docker Client.... Docker host Docker host Docker host Docker host Docker host Docker host... 27

Hierarchical Image Distribution Docker Client. 28

Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry

High Availability of Registry To remove single point of failure on registry Three models to achieve HA Shared storage Replication ( no shared storage ) Using other HA platform 30

Registries using Shared Storage......

Image replication between registries.. 32

Registry HA on vsphere Registry in a VM protected by vsphere Image storage by VSAN Docker Volume Docker Host VM Harbor vsphere Docker Volume Plugin VMware ESXi-1 VMware ESXi-2 VMware ESXi-3 Docker Volume Driver for vsphere Docker Volume Driver for vsphere Docker Volume Driver for vsphere Shared Storage Docker Volume -1 Docker Volume -2 Docker Volume-3 Other Docker Volume s Virtual SAN

Registry HA on vsphere VM failed over to a healthy host Image storage still connected by VSAN Docker Host VM XHarbor vsphere Docker Volume Plugin VMware ESXi-1 Docker Volume Driver for vsphere Docker Host VM Harbor vsphere Docker Volume Plugin VMware ESXi-2 Docker Volume Driver for vsphere VMware ESXi-3 Docker Volume Driver for vsphere Shared Storage Docker Volume -1 Docker Volume -2 Docker Volume-3 Other Docker Volume s Virtual SAN

Summary Container image is the static part of container lifecycle Registry is the key component to manage images Organizations usually need a private registry Security Efficiency 35

Harbor Harbor v1.1+ Harbor 1000 2017 3 1

Thank you! https://github.com/vmware/harbor

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback