14 Jul 2016 in Docker, Security

Securing Docker With TLS Certificates

By default, Docker has no authentication or authorization for its API, instead relying on the filesystem security of its UNIX socket, /var/run/docker.sock, which by default is only accessible by the root user.

This is fine for the basic use case of only accessing the Docker API on the local machine via the socket as the root user. However, if you wish to use the Docker API over TCP, you'll want to secure it so you don't have to give out root access to anyone that happens to poke you on the TCP port.

Docker supports using TLS certificates (both on the server and the client) to provide proof of identity. When set up correctly, it will only allow clients and servers with a certificate signed by a specific CA to talk to each other.

While not providing fine-grained access permissions, it does at least allow us to listen on a TCP socket and restrict access, with the bonus of also providing encryption.

In this post, I will detail what is required to secure Docker running on a CoreOS server. I will assume you already have a CoreOS server set up and running. If not, check out this previous Deis blog post covering CoreOS and VirtualBox.

9 Jul 2016 in Community Meeting, Helm, Deis Workflow

July 2016 Community Meeting

Bunch of updates this month, we've been busy!

Workflow 2.1 and 2.2

Expanding on the release blog post earlier this week, Deis team members join us and give a little more flavor on the 2.1 release items:

  • AWS Instance Profile Support
  • Support for off-cluster Postgres
  • Advancing application health checks
  • Windows support for Deis Workflow CLI
  • Details on the metrics and log shipping architecture changes

We are shooting to release 2.2 on July 20th, 2016, and we've got the following items underway:

  • Merge final few bits required to support OpenStack Swift-flavored object storage (thanks Paul Czarkowski)
  • Support for international domains (thanks HL70)
  • Applications managed via Kubernetes Deployments
  • Install Workflow with Kubernetes Helm rather than Helm Classic
  • Full support for Docker registries on ECR and GCR

Helm Alpha.2 and Alpha.3

Deis Helmer Michelle Noorali runs us through the highlights of Alpha.2 along with a feature rundown for Alpha.3:

  • Initial support for upgrading Helm charts
  • Support for hooks including pre and post install, upgrade and delete hooks
  • Tiller support to manage multiple namespaces
  • Back Tiller storage with ConfigMaps
  • Building process to contribute community charts to official repositories

Until Next Time

Our next community meeting will be Thursday, August 4th, 2016. If you like calendar reminders, this would be your jam.

See everyone next month!

8 Jul 2016 in Storage, Minio, Workflow

Storage in PaaS: Minio and Deis Workflow

Whether or not you notice it as an end user, storage is an important component of almost all the software we use today. As a developer, however, it is important to be able to retrieve stuff in an easy yet secure and fast way.

As I have mentioned elsewhere, object storage is a great way to achieve this. I've also previously looked at how to create a reliable data store, taking WordPress as an example.

In this post, we'll see how Deis, an open source PaaS based on Kubernetes, uses Minio for almost all of its storage requirements.

But first, introductions.

5 Jul 2016 in Workflow, Release, Announcement

Deis Workflow 2.1 Release

Happy Tuesday, I hope everyone had a wonderful weekend! Before we struck out for fun in the weekend sun, we cut a hot and fresh release of Workflow. Arriving as version 2.1, we've got lots of fixes and a few goodies to boot.

29 Jun 2016 in Node.js, Install, Deis Workflow, AWS

MEAN Applications on Deis Workflow

Deis Workflow is a PaaS that lets you automatically build and deploy applications on a Kubernetes cluster via simple triggers like git push. Workflow also lets you manage app configuration, create or roll back releases, perform extensive logging, and more.

If you are concerned whether Deis Workflow can handle your application, you'll be happy to know there are three ways to deploy:

  1. Heroku buildpacks
  2. Dockerfiles
  3. Docker images

Even if you're not using Heroku buildpacks, you can usually deploy your application via Docker images or Dockerfiles. With all this scope for flexibility, Deis Workflow can cater to almost any cloud software setup.

In this post, we'll get specific though.

Node.js has emerged as one of the most popular server scripting languages. Combined with other modern tools like AngularJS and MongoDB (aka the MEAN stack) it can be a great way for developers to create modern web applications quickly.

So, how do you deploy an Express.js (a web framework based on Node.js) application via Deis Workflow? We'll get to that.

But first, we need to install and launch Deis Workflow.
