Tuesday, July 22, 2014

Secure provisioning of Docker containers


By Nicholas Clements, Director of Engineering at CohesiveFT

One of the areas for which CohesiveFT is known is our technical support, with everyone pitching in. We provide such a high quality of support for our products that customers often ask about support and best practices for other products and services. One such event occurred recently when a customer was asking about best practices in the secure provisioning and configuration of Docker images and containers. Since we support the use of containers in version 3.5 of VNS3 Manager we were more than happy to talk.

The customer wanted to know how to create and customize Docker containers in a safe and secure manner. In general terms they wanted each container to be individual, with keys and configurations applicable only to the group/user accessing that container. This would allow them to control who sees what and to easily add or revoke privileges. They wanted to distribute images and Dockerfiles without making them available to the world at large, and they wanted to keep the generated credentials in a controlled, private repository.

And they wanted to do this without doing a ton of development work.

There are many ways to inject data into an image or a container. One approach used by many Docker aficionados is to keep the image itself suitable for public consumption and then pass sensitive information at container start time, either through environment variables or by mounting an external location into the container. Both the customer and CohesiveFT take the view that this approach compromises the “sandbox” aspect of Docker, although it is certainly a useful method to keep in the mental toolbox as Docker evolves.

Image credit: Lifehacker


This approach is not feasible with VNS3 -- the customer has no direct access to the VNS3 filesystem and we don’t (currently) support the passing of environment variables through our API or GUI. (We’re working on it. Promise. Maybe in version 3.7.)

Currently, customers can upload images directly or have the VNS3 appliance build them into the network platform. Customers can either start from scratch using Dockerfiles and public repositories or they can upload their own images.

We ran through a few scenarios with the customer. Their view was that there were two immediate options available with minimal risk:

  • Running a configuration management client inside the container -- but on reflection it was decided that this just pushed the issue further down the road, since the same problems would need to be solved at a later date.
  • Building images with predefined SSH keys, running sshd in the container, and connecting after the fact to deliver the individual keys and config files etc. -- issues here include timing, plus the need to figure out a method for pre-generating and storing all of the keys (or using a common key which, it was agreed, is a bad idea).

Even though Docker 1.0 is now out, Docker is still evolving rapidly as are the accepted best practices. In order to protect our customers as much as possible we decided to approach things from a conservative perspective.

The goals were:
  • Creation of a standard image in a secure manner, with as little exposure as possible
  • Customization of that image securely, on a per-VNS3-instance and, where possible, per-container basis
  • Secure storage of modifications
  • Minimal development

We started with a secure but accessible way for storing objects, image files, Dockerfiles, configuration and supporting files. This was simple and the final implementation choice was left to the customer. Our suggestion was to use an internal, behind-the-firewall web server and have it join the VNS3 topology. An alternative was to use S3 and signed URLs with a long expiration.

Next we examined the choice between using a Dockerfile or a pre-built image. Since the customer was looking at adding containers to a preexisting topology we recommended the latter, as it has a lesser effect on the network. The result is the same either way: when we use images we use Dockerfiles to build them and then export the resulting container.

Finally, per-manager customization. One of the features that we implemented in VNS3 3.5 is the ability to rebuild an image based on a locally stored one. This approach uses a Dockerfile but since the base image being used is local the impact on the manager is slight. And if the commands used in the Dockerfile are minimal then the overall rebuild is quick.

The initial proof-of-concept used the VNS3 GUI to import a base image (unimaginatively called “base_image”) with an unknown root password and personalize it through an external Dockerfile archive.

   # Start from the base image already imported into this VNS3 manager
   FROM vns3local:base_image
   # Install the per-user public key as the only accepted SSH credential
   RUN mkdir -p /root/.ssh
   RUN echo "[PUBLIC KEY HERE]" >> /root/.ssh/authorized_keys
   RUN chmod 400 /root/.ssh/authorized_keys

It took a further couple of hours to put together a simple bash script that made use of the VNS3 API and pulled the public key from a private key server as a proof-of-concept.
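The following script is an added example, not CohesiveFT's proof-of-concept script, showing the part of the procedure that the page does describe: rendering the Dockerfile template above for one user's public key and packaging it as a Dockerfile archive for upload. The VNS3 API call that uploads the archive and triggers the rebuild is left out because its endpoints are not given here. The strict key check matters because the key is interpolated into a `RUN echo` shell line inside the Dockerfile, and because anything placed in the image this way persists in the layer history: a public key is harmless there, but a private key or password would not be. The sample key below is constructed for the example and is not real key material.

```shell
#!/bin/sh
# Added example (not CohesiveFT's code): render a per-container Dockerfile
# from the page's template and package it as a Dockerfile archive.

# Accept only a single OpenSSH public-key line. Anything else is rejected,
# in particular private-key material (it would end up in the image layers)
# and characters that could escape the quoted RUN echo line in the Dockerfile.
validate_pubkey() {
    key="$1"
    case "$key" in
        "-----BEGIN"*) return 1 ;;
    esac
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [A-Za-z0-9@._-]+)?$'
}

# Write a Dockerfile into directory $2 that installs public key $1
# for root, mirroring the template from the post.
render_dockerfile() {
    key="$1"; dir="$2"
    validate_pubkey "$key" || return 1
    mkdir -p "$dir" || return 1
    cat > "$dir/Dockerfile" <<EOF
FROM vns3local:base_image
RUN mkdir -p /root/.ssh
RUN echo "$key" >> /root/.ssh/authorized_keys
RUN chmod 400 /root/.ssh/authorized_keys
EOF
}

# Package the rendered directory as a tar archive; this is the artifact that
# would be handed to the VNS3 rebuild step (upload call not shown here).
package_archive() {
    dir="$1"; out="$2"
    tar -C "$dir" -cf "$out" Dockerfile
}

# Demo run with a constructed (not real) public key. In practice the key is
# fetched from the private key server the post mentions (URL is deployment-specific).
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialExampleKeyMaterial0000 alice@example'
DEMO_DIR=$(mktemp -d)
if render_dockerfile "$DEMO_KEY" "$DEMO_DIR/ctx" && package_archive "$DEMO_DIR/ctx" "$DEMO_DIR/ctx.tar"; then
    echo "archive written to $DEMO_DIR/ctx.tar"
fi
```

Where `ssh-keygen` is available, `ssh-keygen -l -f` on the candidate key is a stronger validity check than the pattern match, since it parses the key blob itself; the pattern here is the dependency-free minimum that keeps the Dockerfile line well-formed.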

So with a couple of lines of code it’s possible to securely create -- and, more importantly, securely destroy -- personalized Docker containers within VNS3. The customer didn’t need to spend a lot of time or money on an elegant solution to their problem. Security and control.

Friday, July 18, 2014

Cloud & networking weekly news roundup: July 14 - 18

Cloud and Networking news for the week of July 7

  •  Gigaom Research Survey: new business will drive second wave of cloud adoption >> Surveys predict a near-term second wave of cloud technology adoption, driven by companies re-inventing their business. "Tech buyers of all stripes tell us they expect to nearly double their usage of software-defined-networking (SDN) in two years, to a nearly 30 percent adoption rate. "
  • BizTech : SMB Awareness of SDN Technology Is Small, but Growing >> "Techaisle estimates SDN awareness among SMBs will grow substantially over the next couple of years, reaching $204 million in 2016." 
  • Gigaom: Getting enterprise-y, AWS Marketplace adds annual software subscriptions >> hey, that's us! VNS3 Lite is one of the pay-as-you-go options in AWS
    https://aws.amazon.com/marketplace/pp/B00KFPTGA0/ref=_ptnr_ftpromo_cohesiveft
    Try VNS3 in the AWS Marketplace promo
  • Network World: Rackspace rolls out new hosted computing tier: Managed cloud >> on Tuesday Rackspace announced "Managed Cloud" a combination of managed service with cloud.
  • Chris Swan on InfoQ: New Low End T2 Instances for Amazon EC2 >> Our CTO takes the new t2 instances for a test drive in AWS 


CohesiveFT in the news:
  • VNS3 Lite Edition available for free in the AWS Marketplace in July. The Network Infrastructure Campaign runs from July 1 - 31, and active VNS3 users can qualify for $100 in AWS credit!
  • Annual pricing for VNS3 Lite Edition inside the AWS Marketplace. Now you can use VNS3 in AWS on an hourly, monthly, or annual subscription basis. Learn more.
Source: Gigaom Research 

Catch up with the CohesiveFT team:
  • Wed, July 23 AWS User Group London
  • Thurs, July 24 CloudCamp Chicago at TechNexus “Developer Night” theme
  • Wed, July 30 CohesiveFT hosts the July AWS User Group 
  • Sept 11 London CloudCamp on FinTech
  • Sept 12 DockerConf in London

Thursday, July 17, 2014

Cloud Price Wars Part 4 - Sub Penny

Amazon recently announced the new t2 family of low end instances, which I wrote about on InfoQ. Pricing-wise the headline is that the t2.micro is ¢1.3/hr, which is a fair bit cheaper than the ¢2/hr of the t1.micro it replaces. It also has much better, more consistent and more transparent performance characteristics, and more RAM.

¢1.3/hr is good, but it's still not sub penny. It somehow reminds me of the big old pre decimal pennies that people still had in little china pots when I was a kid.


¢1.3/hr is however the on demand pricing. It's also possible to get t2.micro reserved instances in medium and heavy usage varieties. Pushing things to the max gets a 3yr heavy utilisation reserved instance that costs $109 up front and ¢0.2/hr. If we leave the instance up for the full 3 years, and amortise the $109 up front then that comes out to ¢0.615/hr - a little less than half the on demand pricing.

¢0.615/hr - now that's sub penny :)

Tuesday, July 15, 2014

Guest Post - The Beginning of CohesiveFT and the Cloud

Fred Hoch originally wrote this exclusive lookback for the CohesiveFT ebook “Cloud Memoirs: Views from Below, Inside, and Above" He is the President and CEO of the Illinois Technology Association and a founder and Advisor at TechNexus.

While the Cloud seems ubiquitous now, that wasn’t always the case. In 2006, software as a service was still an early concern. I had just come to start the Illinois Technology Association (or ITA) after spending the last five years evangelizing the service movement. While the industry was certainly moving in that direction, customers were still hesitant.

It was in this time frame that I met Pat, Dwight, and Craig...three financial services executives who had the vision of where things were going and how CohesiveFT was going to be a key part of that vision.

The software industry was ripe for change. The expense of enterprise IT had become too much for large corporations, and small corporations couldn’t reap the benefits. Smart leaders saw that the movement to -as-a-Service was the answer. Cohesive saw that virtualization (now people call it “cloud”) would become vital to businesses, and security would be the biggest challenge and opportunity.

I first saw what they were working on when they came by our ITA offices in early 2006. We were planning to use our space on Jefferson Street for events and promoting the tech industry in Illinois. But when the Cohesive team came by, we realized that we could let small companies share the space and build out their software right here. TechNexus grew from our first tenants to a much broader co-working and tech incubator space after that.

The most memorable thing from the early days of CohesiveFT at the original TechNexus location was in mid-2007. The team was working on a version of their first product, an application-specific virtual appliance for banks and high frequency trading. Then on May 24th 2007, Pat realized VMware was doing an application challenge to recognize and promote new apps for their Virtual Appliance Marketplace. They stayed in the offices almost all night to build and adapt their app to fit with VMware’s marketplace. The product they built that night became “AppliaNCE” and did get certified later in August.

Only today is the market really catching up to what Cohesive saw back in 2006. Like most startups, the global recession taught everyone to be flexible. CohesiveFT later pivoted from a financial industry focus to making more multi-purpose tools for enterprises using cloud. Their first network software product, VcubeV, evolved into VPN-Cubed as they refocused, and now they’ve adapted again and renamed it VNS3. I think this year will be the year that businesses understand the benefits and ease of using the cloud.

The Chicago startup scene, including TechNexus and the ITA, has been a great atmosphere to work in. Everyone from the mayor to local universities gets involved in boosting local startups and promoting companies who succeed. We’re on our way to becoming a rich technology community. The CohesiveFT team has really embraced our reputation of “honest Midwesterners” by creating real, valuable B2B software. It’s been my pleasure to be part of that journey and I always find myself excited for what’s next.

Marcy Malagon and Dwight Koop in the
CohesiveFT offices at TechNexus
Photo credit: Tribune BlueSky Chicago 

This contributed piece first appeared in the CohesiveFT ebook “Cloud Memoirs: Views from Below, Inside, and Above" For all the downloadable versions, visit http://www.cohesiveft.com/ebook

Friday, July 11, 2014

Cloud & networking weekly news roundup: July 7 - 11

Cloud and Networking news for the week of July 7
Flexiant Cloud can't wait infographic
  • Big announcements from Thursday's AWS Summit in NYC include 3 new mobile services, Zocalo, and CloudWatch Logs. More on the implications of Zocalo from GigaOM
  • Network World: This is what the new hybrid cloud looks like >> "Gartner Vice President and distinguished analyst Lydia Leong says it’s not common to see customers “bursting” between public and private clouds, which is what many consider to be a hybrid cloud. Most customers have workloads they run in the public cloud, and maybe some they run on their own existing infrastructure."
  • From ReadWriteWeb: Why The Cloud You Want Is Not The Cloud You Deserve
  • Flexiant's infographic "cloud can't wait" on the right >> 44% annual growth in workloads for the public cloud vs. only 8.9% growth in on-premise workloads
  • From InfoWorld: What does PaaS really mean? Let us know if you find out >> watch our blog for our take on PaaS and how networking is crossing the lines of IaaS and PaaS. 

CohesiveFT in the news:

Catch up with the CohesiveFT team: