Modernizing .NET Apps for IT Pros Part 5

Hey, how you doing? I’m Elton and this is the final part of the Docker MTA series, Modernizing .NET Apps for IT Pros. In Part 4, I deployed my .NET 3.5 application to a staging environment built with Docker for Azure. Docker Cloud works with AWS and Azure, and it provisions a swarm using Docker Community Edition, which is fine for non-production environments. For production you’ll want support for your containers, an integrated management solution, and secure software controls. You get that with Docker Enterprise Edition, which you can run in the cloud or in your own data center. In this video I’ll cover Docker EE Advanced. I’ll deploy and manage my application using Universal Control Plane, and I’ll show you how security, administration and monitoring work in a production Docker environment.

Docker Enterprise Edition gives you fine control over how you set things up. You can provision a cluster in the cloud with the template from Docker, or you can prepare your own cluster manually in the data center. It’s very simple to deploy Docker EE, and the Advanced Edition comes with a comprehensive management suite: Docker Trusted Registry, which I’ve already used as the private registry for my images, and Universal Control Plane, which is the container management platform.

This is Universal Control Plane, UCP. It’s a single pane of glass for monitoring your entire environment. The dashboard is an overview of the containers which are running and any which have errors or unknown state. It also shows basic infrastructure metrics: the aggregate CPU and memory usage for the manager nodes and the worker nodes. From here there are shortcuts showing you how to do the key tasks, like adding a node to the cluster. That’s as simple as installing Docker on a machine in the UCP network and running this command. From the dashboard you can also download a client bundle, which you use with your local Docker command line to securely connect to UCP.

UCP has a rich access control model, which applies across the UI and the Docker command line. Access control gives you huge flexibility over how you use UCP in production. I’ve signed into UCP, which also means I’m signed into DTR – there’s single sign-on between the two. I’m using a UCP-managed account, and you can also configure authentication with an LDAP provider, so you can link UCP to Active Directory and use Windows accounts to log in. Authorization is separate from authentication, and that’s controlled completely within UCP. You create organizations and teams to group users, and these are the subjects for access control. Users can be in multiple teams, and their permissions are the superset of all the teams’ permissions. The targets for access control are collections, which are groups of Docker resources. You can put any resource into a collection – like nodes, volumes, containers or images. The final piece of access control is the grant, which is how you assign permissions so that subjects can use the resources in a target collection. The flexible role-based access control in UCP lets you segregate your cluster in whatever way works for your organization. As a simple example, this worker node is in the Unit 1 collection, which could represent a business unit. Only members of the Admin team have scheduler access to the Unit 1 collection, which means you have to be a user in the Admin team to run containers on that worker node. Access control lets you segregate a large cluster to give delegated compute resources to different areas of the business, as well as defining fine-grained permissions within teams.

You can also use security in UCP to enforce policies over the software that the cluster will run, using Docker Content Trust. Content Trust is a mechanism for digitally signing Docker images to establish provenance, and you enable it on the client with an environment setting. When you push an image to DTR with Content Trust enabled, you sign it with the certificate that you get from UCP in your client bundle, so Docker can securely link a signature to a user. Here I can see that version 5 of my app image is signed, but the other versions are not. DTR records that an image has been signed, and it also records all the users who are signatories for that image, which you can use as proof of sign-off for a software release. In the admin settings of UCP, under Docker Content Trust, you can require that the cluster will only run images that are signed by known UCP users. You can even specify a list of teams that need to be signatories, so this configuration means images need to have been signed by users in the Admin team. I can try to deploy a stack using my v4 application image, which isn’t signed, and UCP refuses to run it. There’s no way around that. Even administrators can’t run unsigned images. This is a security policy which is easy to audit, and it’s enforced by the platform.

To deploy my app now I need to use signed images, so I’ll need to use new versions in my compose file. This compose file uses versions of my application image and Prometheus image which I’ve signed in DTR. There’s no database image here because in production I’m using a SQL Azure database. You can integrate Docker containers with other services in your network, so running UCP on Azure I can connect my Dockerized web app to a cloud database. If I was running in the datacenter I could connect the web app in a container to a local SQL Server database. I’m making use of one more Docker security feature here – secrets, which are a first-class resource in Docker swarm mode and in UCP. I’m using a secret to store my database connection string. In the compose file I reference the secret by name, and the actual content of the secret is securely stored in the swarm. I’ll create that secret in UCP and paste in the connection string. Once I save this the data is no longer visible – not even administrators can see the plaintext of the secret. The contents only get delivered unencrypted to the services which need it, and v5 of my web app is configured to read the connection string from the secret file in the container. In UCP I’ll create a stack and upload my compose file. These images are all signed, so UCP will run them and deploy my app.

I’ve set up my UCP infrastructure in a similar way to Docker for Azure, with a load balancer in front of the worker nodes and a public IP address for the load balancer. When I browse to the address, I see the same old app, but now it’s running in a container in UCP, connecting to a SQL Azure database, with a connection string securely stored in a Docker secret. I’ve used SQL Server in a container for non-production environments, and now in production I’ve switched to a managed SQL service, just by changing the configuration.

The last thing I want to show you is how monitoring looks in UCP. UCP is a centralized portal, and I’m logged in with administrator rights, so I can see all the resources in the system. In the stacks there’s my own Newsletter application, and there’s also UCP and DTR. The Docker Enterprise Edition products all run as containers too. Stacks are a group of resources, and I can inspect the services to see the current status. From the service I can inspect the containers, and I see the combined CPU and memory usage of all the containers in the service. Inspecting the container shows its configuration, like the startup command and any volume mounts and the environment variables. From here I can also see the container logs, and I can even run a console session and run commands inside the container. All of this is available from the UI and is all subject to access control, so I could set up permissions for testers to be able to view containers and see the logs, but not be able to stop or start containers. The management of services and containers is the same no matter what technology the container is using. The DTR registry container is a Go application running on Linux, but I can see the configuration, and read the logs, and connect to the container in the same way as I did with the Newsletter website – which is an ASP.NET app running in a Windows Server container. You secure, deploy and manage all your services in the same way with Docker. UCP provides you infrastructure monitoring of containers and nodes, and you can bring your own application monitoring. My application stack includes the Prometheus monitoring from the last video, and I can browse to the endpoint and see the same performance metrics in production that I have in the test environments. These values are from the performance counters in the ASP.NET container, and it’s the same monitoring experience that a developer has when they run locally.

And that’s the end of the series. In this video I’ve shown you how Docker Enterprise Edition gives you a production-grade containers-as-a-service solution in your own datacenter, or in the cloud. You can run a Docker EE cluster with high availability for UCP, DTR and your own applications with just six servers, and you can scale that up to hundreds of nodes. You can mix Linux and Windows servers, and you can manage them all in exactly the same way. On your servers you just install the operating system and Docker – everything else you deploy and manage using containers. UCP is the single pane of glass that gives you a consistent way of managing diverse workloads. That includes new apps and old apps. The focus of this series has been on modernizing traditional .NET applications without changing code. You can add portability, security and efficiency to existing apps without any development effort, and running in Docker is the easiest way to move those apps to the cloud or onto modern infrastructure. If you’re keen to try this out for yourself, on the Play with Docker website there are self-paced labs where you can practice modernizing .NET applications in a sandboxed environment, before you move on to your own apps. My name is Elton, thanks for watching, and stay tuned to the Docker YouTube channel for more great videos on using Docker – and head to docker.com/mta for more information on starting your own journey, modernizing traditional apps with Docker.
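The compose file shown in the video is not reproduced in the transcript, so here is an added example of the two production controls it describes: signed image tags and a connection string delivered as a swarm secret rather than as an environment variable. This is constructed illustration, not the video's own file or the series' repository; the registry host `dtr.example.com`, the image names and tags, and the secret name `newsletter-db-connection` are all assumed placeholders. Content Trust itself is switched on in the client shell with `DOCKER_CONTENT_TRUST=1` before the `docker push`; the compose file only needs to reference tags that were pushed that way.

```yaml
# Constructed example stack file: a Windows ASP.NET web service plus Prometheus,
# both from signed tags in DTR, with the database connection string as a secret.
version: '3.3'

services:
  newsletter-web:
    # Placeholder tag: UCP's Content Trust policy only schedules this service
    # if this exact tag was pushed with DOCKER_CONTENT_TRUST=1 by a user in a
    # required signing team.
    image: dtr.example.com/newsletter/web:v5
    ports:
      - "80:80"
    # The weak alternative, shown only to contrast: an environment variable is
    # visible to anyone who can inspect the service or the container in UCP.
    # environment:
    #   - DB_CONNECTION_STRING=Server=tcp:...;User ID=...;Password=...
    #
    # The secret is referenced by name only; the swarm decrypts it and mounts it
    # as a file inside the task's container (C:\ProgramData\Docker\secrets\<name>
    # on Windows, /run/secrets/<name> on Linux), where the app reads it.
    secrets:
      - newsletter-db-connection
    deploy:
      replicas: 2

  prometheus:
    # Also a placeholder signed tag; the scrape config lives in the image.
    image: dtr.example.com/newsletter/prometheus:v2
    ports:
      - "9090:9090"
    deploy:
      replicas: 1

secrets:
  newsletter-db-connection:
    # external: true means the secret was created out-of-band (in the UCP UI or
    # with `docker secret create`), so its plaintext never appears in this file
    # or in source control.
    external: true
```

Because the secret is `external`, the stack deploy fails cleanly if the secret has not been created in the cluster first, which is the behaviour you want: the file can be committed and reviewed without ever containing the credential.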
