UT Container Services (DEM, MCE)
These services can be used to deploy Docker container-based applications on a highly-available run-time platform, managed by ITS.
The Managed Container Environment (MCE) is suitable for applications that need isolated/dedicated computing nodes. The Deployment Environment Management (DEM) is suitable for less resource-intensive applications that are appropriate for a multi-tenant computing platform.
The Managed Container Environment (MCE) is a set of one or more Red Hat Enterprise Linux 7 virtual machines, with Docker Community Edition installed on them to host Docker containers, as well as an option for Docker Swarm installed for container orchestration in a single cluster.
Click Request to order an MCE solution based on the Managed Linux Server platform.
Support is provided during normal business hours, Monday through Friday, 8am – 5pm, excluding all university holidays and closures.
A Managed Container Environment has many advantages over a traditional application stack besides the promise of better uptime. More importantly, it allows the customer to focus on the application and removes the burden of managing the container infrastructure.
- MSS managed RHEL 7 Virtual Machine Hosts
  - Built to MSS Linux Server Standards
  - Automated Patching
  - Active Directory (AD) for user and service account access and authorization
- Dedicated Storage for Docker Containers
  - Designated virtual block device independent of the OS disk
- Dedicated Network Address Space
  - Designated RFC1918 subnet assigned by ITS-Networking to avoid collisions with network devices on UTnet
- Docker Swarm for orchestration
  - Scalability to demand – Docker Swarm can start new containers or gracefully shut down existing ones so that only the resources customer demand requires at a given time are in use.
  - High Availability – Docker Swarm includes load balancing and failover features across containers.
  - Easy-to-use orchestration tools
- Offers an alternative to cloud deployment
- Customers with applications with an upgrade path that require containers.
- Customers with expertise in creating and deploying containerized applications that need a platform for container management and orchestration.
- Customers with existing containers on isolated Docker nodes who are interested in rebuilding their Docker service in a clustered environment to MCE standards.
The MCE service offering is provided at no additional cost with the purchase of an annual contract for one or more Managed Linux Servers with Basic Support.
Service Level Objectives
- Outlined in Service Level Agreement for Managed Server Support
- Addendum listed below
- Purpose of Addendum: This Service Level Agreement ("SLA") addendum defines the services and service levels between ITS Systems ("Provider") and the users ("Customer") of the Managed Container Environment service ("Service") as an offering of the Managed Service Support service.
- The Service offers standards-based Docker and Docker Swarm administration for Customer-owned Red Hat Enterprise Linux virtual machines, conforming to the standards of, and managed by, the Managed Server Support service.
- Support services may include planning, installation, and configuration; application of security updates to the Docker engine itself; log analysis and troubleshooting; documenting Docker configurations and Customer requirements; and granting access for the installation and configuration of Docker images by the Customer.
- Any services provided outside the scope of this addendum are subject to additional charge.
- Where the SLA and addendum conflict, the former supersedes.
- Optional Data Backups: While Virtual Machines are backed up as part of the Managed Server Support service, it is not recommended to store container data directly on the hosts in Docker Swarm environments, because Swarm may reschedule a service's containers onto a different node, where data kept on the original host's local disk is not available. If container storage is needed, it is recommended to use storage that can be attached to every node in the cluster, such as NFS.
- Provider Responsibilities:
  - Offer Docker and Docker Swarm provisioning and set-up. Docker updates will be reviewed for their criticality as they are released. Security patches deemed critical may be applied outside the predefined maintenance window.
  - Provide Docker and Docker Swarm technical support and problem resolution.
  - Provide Docker and Docker Swarm upgrades. Provider will install, support, and maintain the installation of Docker and Docker Swarm as needed, and manage the hardware and operating system of each server under this SLA.
  - Maintain container platform security in accordance with policies governing UT information technology resources.
  - Coordinate with other ITS Infrastructure Services, Departments, and external vendors as needed to provision and support managed container(s).
  - May provide root administrative access to individuals designated by the Customer in order to perform container installation, support, and development.
  - Will block access to Docker Hub in the managed setup to comply with Information Security Office (ISO) policy.
  - Will audit for images that do not use the ITS Systems trusted base and/or are out of patch compliance, and reserve the right to shut down compromised, vulnerable, or unpatched Docker containers.
- Customer Responsibilities:
  - Customer should have expertise in creating and deploying containerized applications using Docker.
  - Maintain container security in accordance with policies governing UT information technology resources. This includes but is not limited to:
    - Storing images in a trusted registry, using ut-rhel base images.
    - Patching container images (and derived containers) every 30 days.
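One way a provider-side audit of the two Customer rules above (trusted base image, patched within 30 days) and the trusted-registry rule could be implemented, as an added example that is not the ITS service's own tooling. It reads records shaped like `docker image inspect` output and assumes a placeholder trusted registry hostname, a hypothetical label that ut-rhel base images would set (Docker labels are inherited by derived images), and constructed sample records.

```python
"""Constructed example: audit Docker image metadata against MCE rules
(trusted base, trusted registry, rebuilt within the 30-day patch window).
Input records mimic the fields of `docker image inspect` output."""
from datetime import datetime, timedelta, timezone

# Assumptions, not values from the service page:
TRUSTED_REGISTRY = "registry.example.edu/"   # placeholder trusted registry
BASE_LABEL = "edu.utexas.its.base"           # hypothetical label set by ut-rhel base images
TRUSTED_BASES = {"ut-rhel7"}                 # hypothetical label values
PATCH_WINDOW = timedelta(days=30)            # from the SLA: patch every 30 days


def audit_image(inspect, now):
    """Return the list of findings for one image; an empty list means compliant."""
    findings = []
    labels = (inspect.get("Config") or {}).get("Labels") or {}
    # A derived image inherits the labels of its base, so an image built on a
    # trusted ut-rhel base carries BASE_LABEL without the customer adding it.
    if labels.get(BASE_LABEL) not in TRUSTED_BASES:
        findings.append("untrusted-base")
    tags = inspect.get("RepoTags") or []
    # Every tag must point at the trusted registry; untagged images also fail.
    if not tags or not all(t.startswith(TRUSTED_REGISTRY) for t in tags):
        findings.append("untrusted-registry")
    # `Created` is RFC 3339 with nanoseconds; keep only the seconds part.
    created = datetime.strptime(inspect["Created"][:19], "%Y-%m-%dT%H:%M:%S")
    created = created.replace(tzinfo=timezone.utc)
    if now - created > PATCH_WINDOW:
        findings.append("patch-overdue")
    return findings


def audit_images(inspects, now):
    """Map image Id -> findings for a list of inspect records."""
    return {i["Id"]: audit_image(i, now) for i in inspects}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_IMAGES = [  # constructed records, not real images
    {"Id": "sha256:aaa", "RepoTags": ["registry.example.edu/teamx/app:1.4"],
     "Created": "2024-05-20T10:00:00.000000000Z",
     "Config": {"Labels": {"edu.utexas.its.base": "ut-rhel7"}}},
    {"Id": "sha256:bbb", "RepoTags": ["docker.io/library/nginx:latest"],
     "Created": "2024-01-05T10:00:00.000000000Z",
     "Config": {"Labels": None}},
    {"Id": "sha256:ccc", "RepoTags": ["registry.example.edu/teamy/worker:2"],
     "Created": "2024-04-01T10:00:00.000000000Z",
     "Config": {"Labels": {"edu.utexas.its.base": "ut-rhel7"}}},
]

if __name__ == "__main__":
    for image_id, findings in audit_images(SAMPLE_IMAGES, NOW).items():
        print(image_id, "OK" if not findings else ", ".join(findings))
```

On a real host the records would come from `docker image inspect $(docker image ls -q)` parsed as JSON.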
Appendix A: Definitions
Customer – individual users or units that use the Managed Server Support Service.
CSU – Colleges, Schools, and Units
Provider – the provider team of the Managed Server Support Service. This is ITS.
Service Account Manager – designated individual on the Provider team who will act as the business service liaison with the Customer.
DEM is an on-campus “platform as a service”, which may be used by a software development team to deploy and manage applications; each application comprising a group of one or more cooperating Docker containers. In contrast to the Managed Container Environment offering, DEM is a multi-tenant environment with container isolation between applications.
Request Types may include:
- General Request: firstname.lastname@example.org (via email)
- Based on Docker EE (Enterprise Edition) and Docker UCP (Universal Control Plane), running on an ITS-managed Docker host cluster. UCP is a Web-based application for deployment and management of Docker containers.
- Includes DTR (Docker Trusted Registry) as a repository service for Docker images
- User interface accessible by anyone with a high assurance EID
- Assistance from the service stewards with setting up end-user EID authentication in deployed applications
Available to UT Colleges/Schools/Units at no extra cost ("common good" service)
Planned availability: 98.76%
Users of the service and identified owners/administrators agree to be aware of and adhere to the university's Acceptable Use Policy.
Development teams using this platform are responsible for the cyber-security of Docker containers that they deploy. Specifically, the Operating System and third-party software/utilities in their container(s) should be kept up-to-date with the latest security patches.