What am I going to cover?
• Overview of Microservices
• How each layer of the stack has evolved:
• Languages: C, C++ → Java, J2EE → Ruby on Rails, Python Django → Node, Angular, Swift → Whisk
• Delivery: Code and Manual Test → Manual Deployment → Automated Testing → Automated Deployment
• Architecture: Monolithic Programs → Tiered Applications → Service Oriented → RESTful, Stateless → Microservices
• Runtime: Bare Metal → Virtual Machines → Platform As A Service → Docker Containers
Microservices

What Are Microservices?
https://www.martinfowler.com/microservices/#what
Microservice Architecture
• An architecture style aimed at achieving flexibility, resiliency and control, based on the following principles:
• Single-purpose services that are loosely coupled, each with a bounded context
• Independent life cycle: developed, deployed and scaled... and, hopefully, failing independently
• Designed for resiliency; each service owns its own data
• Polyglot: each service has an independent code base
• Built by autonomous teams with end-to-end responsibility, doing Continuous Delivery
• Communicates with other services over a well-defined API
Monolithic vs Microservices
• Monolithic Application (one deployable unit, one shared database):
• Web / Presentation tier (Apache/Nginx)
• eCommerce Application (WebSphere/Tomcat/PHP/Django)
• Database (DB2, MySQL, PostgreSQL)
• Microservices-based Application (one service per business capability, each owning its own data):
• User Interface Service
• Customers, Promotions, Shopping Cart, Orders and Catalog services
• Each backed by its own Relational Store or NoSQL store
Monolithic Organization
Organized around technology: the organization structure mirrors the application structure
• Organization Structure: a Web Tier team, an App Tier team and a Database team
• Application Structure: every feature (Login, Registration, Inventory, Personalization, Shipping, Users, Receiving) cuts across all three tiers, and therefore across all three teams
How do you deploy all these Microservices?
The Three Pillars of Software Agility
• Cultural Change (DevOps): Automated Pipeline, Everything as Code, Immutable Infrastructure
• Loose Coupling/Binding (Microservices): RESTful APIs, Designed to resist failures, Test by break / fail fast
• Containers (Docker): Portability, Developer Centric, Ecosystem enabler, Fast startup
Together these three give AGILITY.
What is Docker?
• Docker is a light-weight container service that runs on Linux
• File system overlay: the container's root filesystem is the image layers plus a writable layer on top
• One process space: each container gets its own PID namespace
• One network interface: each container gets its own network namespace
• Shares the Linux kernel with the host and with every other container on that host
• Containers encapsulate a run-time environment
• Your code, libraries, etc.
• Almost no overhead
• Containers spin up in milliseconds
• Native performance because there is no emulation
• Package only what you need
Benefits of Containers
• Good isolation: namespaces and cgroups separate processes, filesystems, networks and resource usage. Keep in mind that every container shares the host kernel, so the isolation boundary is the kernel, not a hypervisor
• Great manageability
• Fast deployment
How is it different from Virtual Machines?
• Virtual Machines are heavy-weight emulations of real hardware: each one carries a full guest OS on top of the hypervisor and the infrastructure
• Containers are light-weight, like a process: APP 1, APP 2 and APP 3 run side by side on the same host OS kernel, directly on the infrastructure
• The app looks like it's running on the Host OS
Images, Layers, and Copy on Write
• Each Docker image references a list of read-only layers that represent filesystem differences; a running container adds one thin writable layer on top, and a file is copied into it only when it is written (copy on write)
• Create a file called Dockerfile and add the following two lines:
# Start FROM the nginx image that's in Docker Hub
FROM nginx:alpine
COPY content /usr/share/nginx/html
• Every instruction that changes the filesystem adds a layer, and a changed layer invalidates the build cache for every layer after it, so put what changes most often last:
# Add the code as the last Docker layer because it changes the most
# (COPY is preferred over ADD for plain files: ADD also auto-extracts local tar archives and can fetch remote URLs)
ADD static /app/static
ADD service.py /app
https://www.datadoghq.com/docker-adoption/
What does all of this have to do with building loosely coupled microservices?

Managing Containers in the Cloud
a.k.a. Container Vulnerability Remediation Services
…the solution that I built using loosely coupled microservices

Vulnerabilities Happen!
…and they happen every day
Think Cloud Native
• The Twelve-Factor App describes patterns for cloud-native architectures which leverage microservices
Is My Application Vulnerable?
• What is "the" application?
• It's a loose collection of microservices ¯\_(ツ)_/¯
• Where do I install my Agents?
• Nowhere! Containers are immutable and single process (via best practice)
• How do I login to make changes?
• You don't! Did I mention that Containers are immutable?
• All changes made via DevOps Pipeline
• If you are not involved in the DevOps pipeline, you are not involved in Change Management
• When is my change window?
• Never! Changes are made by application teams using blue/green deployments for continuous up-time
How do you manage vulnerabilities with this explosion of container growth?
Center for Internet Security Docker Benchmark Recommendation
• Scan and rebuild the images to include security patches
• Images should be scanned "frequently" for any vulnerabilities. Rebuild the images to include patches and then instantiate new containers from them.
• Rationale:
• Vulnerabilities are loopholes/bugs that can be exploited, and security patches are updates that resolve these vulnerabilities. We can use image vulnerability scanning tools to find any kind of vulnerability within the images and then check for available patches to mitigate them.
• Remediation:
• Step 1: 'docker pull' all the base images (i.e., given your set of Dockerfiles, extract all images declared in 'FROM' instructions, and re-pull them to check for updated/patched versions). Patch the packages within the images too.
• Step 2: Force a rebuild of each image with 'docker build --no-cache'.
• Step 3: Restart all containers with the updated images.
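The three CIS steps above, automated, as an added example (this is not code from the deck or from the CIS benchmark). Given a set of Dockerfiles it extracts the images named in FROM instructions, handling multi-stage builds where a later FROM names an earlier stage rather than a registry image, re-pulls each base image once, and rebuilds every context with --no-cache. Restarting the containers (step 3) is left to the orchestrator. The sample Dockerfiles are constructed for the example, and the Docker calls are isolated behind a dry-run flag so the parsing can be exercised without a Docker daemon.

```python
import re
import subprocess
from typing import Iterable, List, NamedTuple, Set

# FROM [--platform=<p>] <image>[:<tag>|@<digest>] [AS <stage>]
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


class Build(NamedTuple):
    context: str      # directory passed to docker build
    tag: str          # tag for the rebuilt image
    dockerfile: str   # Dockerfile text


def base_images(dockerfile: str) -> List[str]:
    """Return the registry images a Dockerfile builds FROM, in order, deduplicated.

    Multi-stage builds may say `FROM builder`, where `builder` is an earlier
    stage alias rather than an image; those and `scratch` are skipped.
    Backslash line continuations are joined before matching.
    """
    stages: Set[str] = set()
    images: List[str] = []
    for line in dockerfile.replace("\\\n", " ").splitlines():
        m = _FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group("image"), m.group("stage")
        if image.lower() not in stages and image.lower() != "scratch" and image not in images:
            images.append(image)
        if stage:
            stages.add(stage.lower())
    return images


def remediation_commands(builds: Iterable[Build]) -> List[List[str]]:
    """Command lines for CIS steps 1 and 2 as argv lists (no shell interpolation).

    Step 1: docker pull every base image once, so patched tags are picked up.
    Step 2: docker build --no-cache (plus --pull) so no stale layer is reused.
    Step 3, restarting containers, is the orchestrator's job and is not emitted.
    """
    builds = list(builds)
    commands: List[List[str]] = []
    pulled: Set[str] = set()
    for b in builds:
        for image in base_images(b.dockerfile):
            if image not in pulled:
                commands.append(["docker", "pull", image])
                pulled.add(image)
    for b in builds:
        commands.append(["docker", "build", "--no-cache", "--pull", "-t", b.tag, b.context])
    return commands


def run_commands(commands: Iterable[List[str]], dry_run: bool = True) -> List[str]:
    """Render the commands; with dry_run=False also execute them, stopping on failure."""
    rendered = []
    for argv in commands:
        rendered.append(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered


# Constructed sample Dockerfiles (not from the deck): a multi-stage Go build and a static site.
SAMPLE_BUILDS = [
    Build("./api", "api:rebuilt", (
        "FROM --platform=linux/amd64 golang:1.21 AS builder\n"
        "COPY . /src\n"
        "RUN go build -o /app /src\n"
        "FROM builder AS tester\n"
        "RUN go test /src/...\n"
        "FROM \\\n"
        "  alpine:3.19\n"
        "COPY --from=builder /app /app\n"
    )),
    Build("./web", "web:rebuilt", (
        "from nginx:alpine\n"
        "COPY content /usr/share/nginx/html\n"
    )),
]

if __name__ == "__main__":
    for line in run_commands(remediation_commands(SAMPLE_BUILDS)):
        print(line)
```

Pulling by tag only helps when the upstream tag has been re-pointed at a patched build; if the base image is pinned by digest in the FROM line, the pull returns the same bytes and the Dockerfile itself has to be updated to the new digest.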
User Story: Container Vulnerability Remediation
• User Story: Container Vulnerabilities
• As an Application Owner
• I need an automated way to patch containers
• So that they won't be vulnerable to exploits
• Assumptions:
• There will be long running containers ( > 24 hrs)
• There will be new vulnerabilities discovered every day
• Manually patching images and redeploying containers is too labor intensive
• Acceptance Criteria:
• Given a Docker image with deployed containers
• When a vulnerability has been found in the Docker image
• Then a remediation of that image will be performed
• And a new image will be created and pushed to the registry
• And any containers from the old image will be redeployed using the new image
The Solution

Container Vulnerability Remediation Services: Architectural Overview
• Two service groups running on IBM Cloud: Vulnerability Remediation Services and Compliance Remediation Services
• Inputs: Vulnerability Advisor findings, published security advisories (USN-xxxx.1) and Compliance Service scanning
• Cloud Native: containers that conform to 12-factor, deployable on local or public Kubernetes
• Hybrid Cloud: integration with the customer's existing systems and with the customer's compliance scanning
How Does It Work?
• Compliance Service
• Analyzes the input from Vulnerability Advisor and publishes alerts for other services
• Vulnerability Remediation Services
• Maintains a knowledge base of fix procedures and compliance remediation actions
• Composes a new Dockerfile containing the remediation actions, based on the knowledge base
• Forwards the new Dockerfile to the build service, which in turn produces a new version of the image
• Redeploy Container Workload
• Redeploys the container on Kubernetes by modifying the existing deployment parameters
• Other Systems of Record
• Monitor the other services' messages, keeping the ticketing system and development up to date on activities
What's in a CVE?
A Vulnerability Advisor scan result (excerpt showing one vulnerable package). The "meta" block with package_name, installed_version and fix_version is how we know what to patch:
{
  "id": "78de8449-313e-44c9-90b1-ae8277b12f95",
  "scan_time": 1510759001,
  "status": "WARN",
  "vulnerabilities": [
    {
      "type": "vulnerable_package",
      "description": "busybox 1.24.1-r7 has vulnerabilities",
      "corrective_action": "Upgrade to busybox 1.24.2-r1",
      "fixes": [
        {
          "cve_ids": "CVE-2016-6301",
          "summary": "The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.",
          "notice": "",
          "meta": {
            "usn_id": ""
          }
        }
      ],
      "meta": {
        "package_name": "busybox",
        "fix_version": "1.24.2-r1",
        "installed_version": "1.24.1-r7"
      }
    }
  ]
}
Generated Dockerfile for Alpine
#
# Remediation Service
# References the original image
FROM registry.ng.bluemix.net/cloud_service_mgmt/comp-srv:2.1
#
# Patching Vulnerabilities: updates the libraries that are vulnerable
# (each line pins the fixed version; if that exact version is not in the
# package index, it falls back to whatever the index currently offers, so
# the rebuilt image must be rescanned rather than assumed clean)
#
RUN apk add --no-cache busybox=1.24.2-r1;if [ $? -ne 0 ]; then apk add --no-cache busybox; fi;
RUN apk add --no-cache zlib=1.2.11-r0;if [ $? -ne 0 ]; then apk add --no-cache zlib; fi;
#
# Fixing Compliance Issues: fixes known compliance issues
#
# NO FIX FOR: Linux.2-1-d - Minimum days that must elapse between user-initiated password changes should be 1.
Generated Dockerfile for Ubuntu
#
# Remediation Service
# References the original image
FROM registry.ng.bluemix.net/rofrano/counter:latest
# (MAINTAINER is deprecated in current Docker; LABEL maintainer=... is the replacement)
MAINTAINER Vulnerability Remediator 1.0
#
# Patching Vulnerabilities
# Note: these pinned installs need a current package index. On a base image
# whose apt lists were cleaned, run 'apt-get update' first, or both the pinned
# install and the unpinned fallback will fail.
#
RUN apt-get install -y bash=4.3-7ubuntu1.7;if [ $? -ne 0 ]; then apt-get install -y bash; fi;
RUN apt-get install -y libexpat1=2.1.0-4ubuntu1.4;if [ $? -ne 0 ]; then apt-get install -y libexpat1; fi;
RUN apt-get install -y libffi6=3.1~rc1+r3.0.13-12ubuntu0.2;if [ $? -ne 0 ]; then apt-get install -y libffi6; fi;
RUN apt-get install -y libgcrypt11=1.5.3-2ubuntu4.5;if [ $? -ne 0 ]; then apt-get install -y libgcrypt11; fi;
RUN apt-get install -y libgnutls26=2.12.23-12ubuntu2.8;if [ $? -ne 0 ]; then apt-get install -y libgnutls26; fi;
RUN apt-get install -y libssl1.0.0=1.0.1f-1ubuntu2.23;if [ $? -ne 0 ]; then apt-get install -y libssl1.0.0; fi;
RUN apt-get install -y libtasn1-6=3.4-3ubuntu0.5;if [ $? -ne 0 ]; then apt-get install -y libtasn1-6; fi;
RUN apt-get install -y login=1:4.1.5.1-1ubuntu9.5;if [ $? -ne 0 ]; then apt-get install -y login; fi;
RUN apt-get install -y passwd=1:4.1.5.1-1ubuntu9.5;if [ $? -ne 0 ]; then apt-get install -y passwd; fi;
RUN apt-get install -y sudo=1.8.9p5-1ubuntu1.4;if [ $? -ne 0 ]; then apt-get install -y sudo; fi;
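The step the "How Does It Work?" slide describes, composing a remediation Dockerfile from the scan result, as an added example that is not the deck's Remediation Service code. It takes a Vulnerability Advisor result in the shape shown under "What's in a CVE?" and emits a Dockerfile like the generated Alpine and Ubuntu ones above, keeping the deck's pin-then-fall-back RUN pattern. Two things are assumptions: the package manager is passed in, since the deck does not show how the service detects the base distribution, and for apt an 'apt-get update' line is emitted first (the deck's Ubuntu output omits it). Findings without a fix_version are reported as NO FIX FOR rather than dropped, and the sample report is constructed for the example (its second finding is made up).

```python
import json
from typing import Dict, List, Tuple

# Constructed sample report in the Vulnerability Advisor shape shown on the
# "What's in a CVE?" slide; the zlib finding is invented for the example.
SAMPLE_REPORT = json.dumps({
    "id": "78de8449-313e-44c9-90b1-ae8277b12f95",
    "scan_time": 1510759001,
    "status": "WARN",
    "vulnerabilities": [
        {"type": "vulnerable_package",
         "description": "busybox 1.24.1-r7 has vulnerabilities",
         "corrective_action": "Upgrade to busybox 1.24.2-r1",
         "fixes": [{"cve_ids": "CVE-2016-6301", "summary": "(omitted)",
                    "notice": "", "meta": {"usn_id": ""}}],
         "meta": {"package_name": "busybox", "fix_version": "1.24.2-r1",
                  "installed_version": "1.24.1-r7"}},
        {"type": "vulnerable_package",
         "description": "zlib 1.2.8-r2 has vulnerabilities",
         "corrective_action": "Upgrade to zlib 1.2.11-r0",
         "fixes": [],
         "meta": {"package_name": "zlib", "fix_version": "1.2.11-r0",
                  "installed_version": "1.2.8-r2"}},
    ],
})

# One RUN line per package: pin the fixed version, fall back to whatever the
# repository currently offers (the pattern used in the generated Dockerfiles).
PIN_TEMPLATE = {
    "apk": "RUN apk add --no-cache {pkg}={ver};if [ $? -ne 0 ]; then apk add --no-cache {pkg}; fi;",
    "apt": "RUN apt-get install -y {pkg}={ver};if [ $? -ne 0 ]; then apt-get install -y {pkg}; fi;",
}


def packages_to_fix(report: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Split vulnerable_package findings into (fixable, unfixable).

    A finding is fixable only when the scanner names a fix_version; the rest
    are returned rather than dropped so they can be reported as NO FIX FOR.
    cve_ids is a string in the deck's sample but a list is accepted too.
    """
    fixable, unfixable = [], []
    for finding in report.get("vulnerabilities", []):
        if finding.get("type") != "vulnerable_package":
            continue
        meta = finding.get("meta", {})
        cves: List[str] = []
        for fix in finding.get("fixes", []):
            ids = fix.get("cve_ids", "")
            cves.extend(ids if isinstance(ids, list) else [ids])
        entry = {
            "name": meta["package_name"],
            "installed": meta.get("installed_version", "?"),
            "fixed": meta.get("fix_version", ""),
            "cves": [c for c in cves if c],
        }
        (fixable if entry["fixed"] else unfixable).append(entry)
    return fixable, unfixable


def generate_dockerfile(base_image: str, report: Dict, pkg_manager: str) -> str:
    """Compose the remediation Dockerfile for the image that was scanned as `report`."""
    if pkg_manager not in PIN_TEMPLATE:
        raise ValueError(f"unsupported package manager: {pkg_manager}")
    fixable, unfixable = packages_to_fix(report)
    lines = ["#", "# Remediation Service", "# References the original image",
             f"FROM {base_image}", "#", "# Patching Vulnerabilities", "#"]
    if pkg_manager == "apt":
        # Assumption added here: Ubuntu base images usually ship without package
        # lists, and without them the pinned install and the fallback both fail.
        lines.append("RUN apt-get update")
    for p in fixable:
        lines.append(f"# {', '.join(p['cves']) or 'no CVE id'}: {p['name']} {p['installed']} -> {p['fixed']}")
        lines.append(PIN_TEMPLATE[pkg_manager].format(pkg=p["name"], ver=p["fixed"]))
    for p in unfixable:
        lines.append(f"# NO FIX FOR: {p['name']} {p['installed']} (scanner gave no fix_version)")
    lines.append("# Rescan the rebuilt image: an unpinned fallback may still be vulnerable")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_dockerfile("registry.ng.bluemix.net/cloud_service_mgmt/comp-srv:2.1",
                              json.loads(SAMPLE_REPORT), "apk"))
```

The fallback branch is the part to watch: when the pinned version is not in the index the image is rebuilt with an arbitrary version and exits the pipeline looking "remediated", so the generated file ends with a reminder that the rescan, not the build, is what closes the finding.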
Possible Architecture Using Fixed Workflow (the slide is stamped DON'T DO THIS)
Each service calls the next one in a fixed chain:
• Vulnerability Advisor Service: subscription to advisories (USN-xxxx.1); reports vulnerabilities and compliance violations
• Compliance Service: applies policies and flags non-compliant images
• Container Remediation Service: uses container instance data and the Remediation Knowledge Base to detect non-compliant running containers and initiate remediation of the relevant images; generates the Dockerfile to build the new image
• Container Image Build Service: creates the new container image and updates the container image repository
• Container ReDeploy Service: based on policy, we may redeploy existing containers from the remediated image by updating the existing deployment specs
• Also wired into the chain: DevOps Pipeline feedback and ServiceNow integration (open/close tickets)
Problems with Fixed Workflow
• Microservices are tightly coupled
• No way to integrate future services without modifying several services to give them
knowledge
• Remediating images could take 30 - 40 minutes and polling for a response is not
desirable
A Microservice Should Have
• High Cohesion (Bounded Context around a Business Domain)
(diagram: the Container ReDeploy, ServiceNow Integration and Container Image repository pieces of the fixed-workflow diagram, with the note "based on policy, we may redeploy existing containers from the remediated image")
Container Vulnerability Remediation Services Technology
Part of IBM Cloud:
• VA Policy Manager
• Vulnerability Remediator (new)
• Vulnerability Advisor
• Compliance Remediator (new)
• Pub/Sub
• Checklist Builder
• Runlist Builder
• Container Redeploy Service
• Compliance Scanner
• Compliance Remediator
* Future Services
Cloud Functions with OpenWhisk
• OpenWhisk is a cloud-first distributed event-based programming service
Example Python Cloud Function
# OpenWhisk invokes main(params) with the event's JSON as a dict and expects
# a JSON-serializable dict back as the result (body elided on the slide)
def main(params):
    """ Container Redeploy Function """
    return {}
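A complete Container Redeploy action, as an added example that is not the deck's function: it follows the OpenWhisk contract (main(params) receives the event as a dict and returns a JSON-serializable dict) and turns an "image remediated" event into the Kubernetes strategic-merge patch that repoints one container of a Deployment at the remediated image, which is the "modify the existing deployment parameters" step from "How Does It Work?". The event field names, the requirement that the new image be pinned by digest, and passing the current Deployment object in the event instead of fetching it from the API are all assumptions made for the example; the sample event is constructed.

```python
import json
import re
from typing import Dict

# A digest-pinned reference: <repo>@sha256:<64 hex>. A tag can be re-pointed
# after the scan, a digest cannot, so only digests are accepted for rollout.
_DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def validate(params: Dict) -> Dict:
    """Check the event payload before touching the cluster. Raises ValueError."""
    for key in ("old_image", "new_image", "deployment", "container", "namespace"):
        if not params.get(key):
            raise ValueError(f"missing parameter: {key}")
    if not _DIGEST_REF.match(params["new_image"]):
        raise ValueError("new_image must be pinned by digest (repo@sha256:...)")
    return params


def deployment_patch(deployment: Dict, container: str, new_image: str) -> Dict:
    """Build a strategic-merge patch for `kubectl patch deployment` / the Deployments API.

    Containers merge by name, so only the named container's image changes and
    every other field is left as is. The patch is refused if the container
    is not part of the deployment, instead of silently adding one.
    """
    containers = deployment["spec"]["template"]["spec"]["containers"]
    if container not in {c["name"] for c in containers}:
        raise ValueError(f"container {container!r} not found in deployment")
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container, "image": new_image}]}}}}


def main(params: Dict) -> Dict:
    """Container Redeploy action entry point (the OpenWhisk contract)."""
    try:
        p = validate(params)
        # Assumption for the example: the event carries the current Deployment;
        # a real action would read it from the Kubernetes API here.
        patch = deployment_patch(p["current_deployment"], p["container"], p["new_image"])
    except (ValueError, KeyError) as err:
        return {"status": "error", "error": str(err)}
    return {"status": "ok", "namespace": p["namespace"], "deployment": p["deployment"],
            "patch": patch, "replaced": p["old_image"]}


# Constructed sample event and Deployment for running the action locally.
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "comp-srv", "image": "registry.ng.bluemix.net/cloud_service_mgmt/comp-srv:2.1"}]}}}}
SAMPLE_EVENT = {
    "namespace": "default", "deployment": "comp-srv", "container": "comp-srv",
    "old_image": "registry.ng.bluemix.net/cloud_service_mgmt/comp-srv:2.1",
    "new_image": "registry.ng.bluemix.net/cloud_service_mgmt/comp-srv@sha256:" + "a" * 64,
    "current_deployment": SAMPLE_DEPLOYMENT,
}

if __name__ == "__main__":
    print(json.dumps(main(SAMPLE_EVENT), indent=2))
```

Returning an error dict rather than raising keeps the action's result inspectable in the OpenWhisk activation record either way, and the digest check is what makes the rollout attestable: the bytes that reach the cluster are exactly the bytes the scanner cleared.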
Message Pub/Sub Interactions
Each microservice is independent, being called asynchronously as events are published:
• Compliance Service publishes a "Vulnerable Image" event to Pub/Sub
• Remediation Service subscribes to "Vulnerable Image", has the Image Build Service produce the patched image, and publishes "Image Remediated" when done
• Container Redeploy Service subscribes to "Image Remediated" and rolls the containers over to the new image
How to Add a New Service
New services can be added by subscribing to events on the message bus: a ticketing service subscribes to the "Vulnerable Image" event published by the Compliance Service and creates a ticket, with no change to the Compliance Service or to any existing subscriber.
Messaging Allows For:
• Services that are agnostic to other downstream services (a.k.a. loosely coupled)
• Long running services can simply publish when they are done instead of polling for completion
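The two properties above and the "How to Add a New Service" slide, as an added example that is not the deck's Pub/Sub implementation: an in-process message bus stands in for IBM Cloud Pub/Sub, with the Compliance, Remediation and Container Redeploy services from the slides wired up as subscribers. The Compliance Service publishes "vulnerable_image" without knowing who listens, the slow Remediation Service announces completion by publishing "image_remediated" rather than being polled, and a ticketing service is added by subscribing alone. Topic names, payload fields and the toy remediation (renaming the tag instead of a real build) are assumptions; the scan results pushed through are constructed.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

Event = Dict[str, str]
Handler = Callable[[Event], None]


class Bus:
    """Minimal topic-based publish/subscribe standing in for a broker.

    Events are queued and delivered in publish order. Delivery is synchronous
    in this toy; a real broker delivers asynchronously across processes.
    """

    def __init__(self) -> None:
        self._subs: Dict[str, List[Handler]] = defaultdict(list)
        self._queue: Deque[Tuple[str, Event]] = deque()
        self._draining = False
        self.log: List[str] = []          # "<topic>:<image>" in delivery order

    def subscribe(self, topic: str, handler: Handler) -> None:
        self._subs[topic].append(handler)

    def publish(self, topic: str, event: Event) -> None:
        self._queue.append((topic, event))
        if self._draining:                # nested publish: the outer loop delivers it
            return
        self._draining = True
        try:
            while self._queue:
                t, e = self._queue.popleft()
                self.log.append(f"{t}:{e['image']}")
                for handler in list(self._subs[t]):
                    try:
                        handler(e)
                    except Exception as err:      # one bad subscriber must not stop the rest
                        self.log.append(f"error:{t}:{err!r}")
        finally:
            self._draining = False


class ComplianceService:
    """Publishes vulnerable_image for each WARN scan; knows nothing about consumers."""
    def __init__(self, bus: Bus) -> None:
        self.bus = bus

    def on_scan(self, image: str, status: str) -> None:
        if status == "WARN":
            self.bus.publish("vulnerable_image", {"image": image})


class RemediationService:
    """Slow work (30-40 minutes in the deck) that announces its own completion."""
    def __init__(self, bus: Bus) -> None:
        self.bus = bus
        bus.subscribe("vulnerable_image", self.remediate)

    def remediate(self, event: Event) -> None:
        name, _, tag = event["image"].partition(":")
        new_image = f"{name}:{tag or 'latest'}-remediated"   # stands in for build + push
        self.bus.publish("image_remediated", {"image": event["image"], "new_image": new_image})


class RedeployService:
    def __init__(self, bus: Bus) -> None:
        self.redeployed: List[Tuple[str, str]] = []
        bus.subscribe("image_remediated", self.redeploy)

    def redeploy(self, event: Event) -> None:
        self.redeployed.append((event["image"], event["new_image"]))


class TicketService:
    """Added later with no change to any other service: subscribe and go."""
    def __init__(self, bus: Bus) -> None:
        self.tickets: List[str] = []
        bus.subscribe("vulnerable_image", lambda e: self.tickets.append(f"VULN {e['image']}"))
        bus.subscribe("image_remediated", lambda e: self.tickets.append(f"CLOSE {e['image']}"))


def run_scenario() -> Dict[str, object]:
    """Wire the services and push two scan results through; returns what each saw."""
    bus = Bus()
    compliance = ComplianceService(bus)
    RemediationService(bus)
    redeploy = RedeployService(bus)
    tickets = TicketService(bus)
    compliance.on_scan("comp-srv:2.1", "WARN")
    compliance.on_scan("counter:latest", "OK")
    return {"log": bus.log, "redeployed": redeploy.redeployed, "tickets": tickets.tickets}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The queue is the detail that matters for the tightly-coupled-chain problem described earlier: because the Remediation Service's "done" is just another event, the ticket opened on "vulnerable_image" is closed on "image_remediated" without either the Remediation or the Ticket service knowing the other exists.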