distroless docker containers for machine learning at ing
play

Distroless Docker Containers for Machine Learning at ING About me - PowerPoint PPT Presentation

Nov 05, 2022 •473 likes •797 views

Distroless Docker Containers for Machine Learning at ING About me - Bachelor of Computer Science at Delft University - Currently doing my Masters in Computer Science - Specializing in Data Science - Working as a machine learning

  1. Distroless Docker Containers for Machine Learning at ING

  2. About me - Bachelor of Computer Science at Delft University - Currently doing my Master’s in Computer Science - Specializing in Data Science - Working as a machine learning engineer at ING bank - Productionalizing Machine Learning - First time giving a talk (scary!)

  3. What I’ll be talking about today - Some context: machine learning in production - A journey of a simple use case - Analyzing our use case - Distrofying our use case

  4. Machine Learning in production - Many teams, many models - Having each team manage their model and exposing an API does not promote uniformity within an organisation

  5. Enter: The Machine Learning Platform - Many models on one infrastructure - ‘Container platform’ - Specialized pipelines for data scientists - Model orchestration - Many models running in their own environments - Excellent use-case for containers!

  6. Machine Learning, some concerns - Machine learning models handle sensitive data - Combination of features can lead to identification - Anonymization is very difficult! - Parameters of a machine learning model may be used maliciously or may also contain sensitive information - For example: transforming words into vectors - This talk: be aware of the container your model runs in

  7. Our little model

  8. Our little model from sklearn.ensemble import RandomForestClassifier from sklearn import datasets iris = datasets.load_iris() model = RandomForestClassifier() model.fit(iris.data, iris.target)

  9. Our little model, continued import numpy as np from flask import Flask, request, jsonify app = Flask(__name__) @app.route('/predict', methods=['POST']) def predict(): data = request.json["data"] prediction = model.predict(np.expand_dims(data, axis=0)) return jsonify({"result": int(prediction[0])})

  10. Our little model, a quick test $ flask run $ curl -H 'Content-Type: application/json' \ -d '{"data": [5.9, 3.0, 5.1, 1.8]}' \ -X POST http://localhost:5000/predict Returns... { "result": 2 }

  11. Our little model, dockerized FROM python:3 WORKDIR /usr/src/app COPY requirements.txt ./ RUN pip install -r requirements.txt COPY app.py app.py CMD ["flask", "run"] $ docker build -t my-python-app:1.0.0 . $ docker run -p 5000:5000 --name app my-python-app:1.0.0

  12. Our little model, a quick test flask run curl -H 'Content-Type: application/json' \ -d '{"data": [5.9, 3.0, 5.1, 1.8]}' \ -X POST http://localhost:5000/predict Returns... { "result": 2 }

  13. Scanning images - Dynamic analysis - We can actively monitor the running container - Static analysis - We can perform analysis before running the container

  14. Scanning images, static analysis with clair - Simply specify the image! $ clair-scanner -r report.json --ip docker.for.mac.localhost \ my-python-app:1.0.0

  16. Inspecting the image, miscellaneous - The size of the image is quite large, 1.1 GB - Any user who is part of the docker group can attach a shell and modify the docker container $ docker exec -it --name app sh # ls ...

  17. Distroless, what is it? “"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.” https://github.com/GoogleContainerTools/distroless

  18. Our little model, revisited FROM gcr.io/distroless/python3 WORKDIR /usr/src/app COPY requirements.txt ./ RUN pip install -r requirements.txt COPY app.py app.py CMD ["flask", "run"] $ docker build -t my-python-app:1.0.0 . /bin/sh: 1: pip: not found

  19. Our little model, revisited, multi-stage FROM p ython:3.5 AS build COPY requirements.txt . RUN pip install -r ./requirements.txt FROM gcr.io/distroless/python3 COPY --from=build /usr/local/lib/python3.5/site-packages/ \ /usr/lib/python3.5/. ENV LC_ALL C.UTF-8 WORKDIR /usr/src/app COPY app.py app.py CMD ["-m", "flask", "run"]

  21. Inspecting the image, miscellaneous - The size of the image is smaller, 250MB, quite a significant reduction! - Any user who is part of the docker group can attach a shell; however, it is more difficult to modify the docker container docker exec -it --name app sh # ls - sh: 1: ls: not found

  22. But we can do better! - If we inspect the image, 50MB originates from the distroless image and 200MB from the python dependencies!

  23. A short introduction, PyInstaller - PyInstaller allows us to freeze our dependencies - This way, we can decrease the size of our images significantly!

  24. Our little model, some changes $ flask run app = Flask(__name__) ... if __name__ == "__main__": app.run() $ python app.py

  25. Our little model, with PyInstaller FROM python:3 AS build WORKDIR /usr/src/app COPY requirements.txt app.py ./ RUN pip install --upgrade pip --upgrade setuptools && \ pip install -r requirements.txt && \ pyinstaller app.py FROM gcr.io/distroless/python3 COPY --from=build /usr/src/app/dist /usr/src/app/dist ENTRYPOINT [“/usr/src/app/dist/app”]

  26. Our little model, attempt #1 $ docker run my-distroless-python-app:1.0.0 ModuleNotFoundError: No module named 'sklearn.utils._cython_blas' - Sometimes we have to help PyInstaller find imports through specification files

  27. Our little model, PyInstaller spec file a = Analysis(['app.py'], ... hiddenimports= [ COPY requirements.txt \ 'sklearn.utils._cython_blas', app.py app.spec . 'sklearn.ensemble', ... 'sklearn.neighbors.typedefs', RUN pyinstaller app.spec 'sklearn.neighbors.quad_tree', ... 'sklearn.tree._utils' ], datas=collect_data_files(‘sklearn.datasets’) )

  28. Our little model, attempt #2 $ docker run my-distroless-python-app:1.0.0 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit) - The size of the image has been reduced to 97MB!

  29. Our little model, further improvements - Bundle PyInstaller executable with python library files and use scratch image

  30. Lastly, Some docker tips - Don’t run as root - Use image hash instead of image name and tag - Build your own distroless images - Sign docker images

  31. To summarize - Be careful in which images you choose for your models - Use smaller (distroless) images to limit possible exposure to vulnerabilities

  32. Thanks so much! - Code highlighter for slides: - https://github.com/romannurik/SlidesCodeHighlighter - Clair-scanner: - https://github.com/arminc/clair-scanner - Awesome libraries used: - https://github.com/matplotlib/matplotlib - https://github.com/numpy/numpy - https://github.com/scikit-learn/scikit-learn - https://github.com/pallets/flask - https://github.com/docker/docker-ce

Recommend

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: "It uses Linux containers and the Internet won't shut up about it." (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or

206 views • 19 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman, Technology Evangelist Docker @mikegcoleman Who Am I? Technology evangelist at Docker Former: Puppet, VMware, MSFT, Intel, and HP First

390 views • 25 slides
Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many

Deliver Docker Containers Continuously on AWS Philipp Garbe @pgarbe Google Container So many choices... Engine Azure Container Services Cloud Foundrys Amazon ECS Diego Kubernetes Docker Swarm Mesosphere CoreOS Marathon Fleet

465 views • 45 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
DOCKER AND PYTHON Making them play nicely and securely for Data Science and Machine Learning

DOCKER AND PYTHON Making them play nicely and securely for Data Science and Machine Learning

DOCKER AND PYTHON Making them play nicely and securely for Data Science and Machine Learning TANIA ALLARD, PHD ixek | https:/ /bit.ly/europython-ml-docker Sr. Developer Advocate @Microsoft. @ixek @trallard trallard.dev THESE SLIDES

564 views • 41 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run <image_name> # run an image as a container docker exec <container> <command> # run a

1.1k views • 6 slides
A talker on Docker: How containers can make your work more reproducible, accessible, and ready

A talker on Docker: How containers can make your work more reproducible, accessible, and ready

A talker on Docker: How containers can make your work more reproducible, accessible, and ready for production. Finbarr Timbers, Analyst, Darkhorse Analytics 1 Three stories. 2 One: Moving a nonlinear regression from Excel to Python. 3 One:

844 views • 63 slides
LXC, Docker, and the future of software delivery Linuxcon New Orleans, 2013 Jrme

LXC, Docker, and the future of software delivery Linuxcon New Orleans, 2013 Jrme

LXC, Docker, and the future of software delivery Linuxcon New Orleans, 2013 Jrme Petazzoni, dotCloud Inc. Outline Why Linux Containers? What are Linux Containers exactly? What do we need on top of LXC? Why Docker?

1.11k views • 45 slides
The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker

The Modern Platform in 2020 Justin Cormack Who am I? Engineer at Docker in Cambridge, UK. Docker developers Work on security, systems software, applications, LinuxKit, containers @justincormack 2 From OS to languages? From OS to

843 views • 39 slides
ID2223 - Lab Preparation Jupyter Notebooks on Docker Containers In the lab assignments, we will

ID2223 - Lab Preparation Jupyter Notebooks on Docker Containers In the lab assignments, we will

ID2223 - Lab Preparation Jupyter Notebooks on Docker Containers In the lab assignments, we will use the Jupyter Notebook as the development environment. Since installing the required software packages in the lab assignments is a time consuming

344 views • 5 slides
Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker

Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker

Build, Ship, Run Unikernels Justin Cormack 2 Justin Cormack Cambridge based developer at Docker @justincormack 3 Co-author of Docker in the Trenches: Successful Production Deployment containers 5 6 Linux containers are an

624 views • 43 slides
Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc.

Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc.

Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc. @docker Is it safe to run applications in Linux Containers? And, can Docker do anything about it? Question: Is it safe to run applications in

803 views • 59 slides
HP-Mapper: A High Performance Storage Driver for Docker Containers Fan Guo 1 , Yongkun Li 1 , Min

HP-Mapper: A High Performance Storage Driver for Docker Containers Fan Guo 1 , Yongkun Li 1 , Min

HP-Mapper: A High Performance Storage Driver for Docker Containers Fan Guo 1 , Yongkun Li 1 , Min Lv 1 , Yinlong Xu 1 , John C.S. Lui 2 1 University of Science and Technology of China 2 The Chinese University of Hong Kong Outline 1 Background

278 views • 26 slides
USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY

USING DOCKER SAFELY ADRIAN MOUAT NLUUG 28 MAY 2015 LOT OF NEGATIVE COMMENTS ON DOCKER SECURITY "Containers Don't Contain" Daniel Walsh, RedHat https://opensource.com/business/14/7/docker- security-selinux "... total systemic

502 views • 48 slides
Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer

Docker@OVH with Mesos/Marathon June 28th 2016 @devatoria @brouberol Devops / Python charmer Devops / Golang artist The Docker ecosystem Docker Engine : run containerized processes (aka: containers) Docker Compose : run multi-container

381 views • 13 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark

Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark

Rc 2 Server Rc 2 Client Introduction RStudio Summary Running Hadoop and Spark from R Using Docker Containers Interface 2015 E. James Harner and Mark Lilback Department of Statistics West Virginia University June 11, 2014 Rc 2 Server Rc 2

443 views • 21 slides
containerization: more than the new virtualization Jrme Petazzoni (@jpetazzo) Grumpy

containerization: more than the new virtualization Jrme Petazzoni (@jpetazzo) Grumpy

containerization: more than the new virtualization Jrme Petazzoni (@jpetazzo) Grumpy French DevOps - Go away or I will replace you with a very small shell script Runs everything in containers - Docker-in-Docker - VPN-in-Docker -

1.06k views • 61 slides
Containers/Docker Mirna Alaisami Matthias Haeussler What is a container? in general 2

Containers/Docker Mirna Alaisami Matthias Haeussler What is a container? in general 2

Containers/Docker Mirna Alaisami Matthias Haeussler What is a container? in general 2 What is a Container? "in General" The term comes originally from the transportation world! A shipping container is any

620 views • 47 slides
Docker : devops, shared registries, HPC and emerging use cases Franois Moreews & Olivier

Docker : devops, shared registries, HPC and emerging use cases Franois Moreews & Olivier

Docker : devops, shared registries, HPC and emerging use cases Franois Moreews & Olivier Sallou P r e s e n t a t i o n Docker is an open-source engine to easily create lightweight, portable , self-sufficient containers from

418 views • 19 slides

More recommend