1. Automate Drupal deployments with
Linux Containers, Vagrant and Docker
An overview of deployment strategies
@ricardoamaro

2. About me
Free/Opensource software lover
Senior Cloud Engineer @Acquia
Drupal.org infrastructure/devops
Drupalist & Linux enthusiast
Father, artist, community facilitator
@ricardoamaro

3. About family
Vicente e Dália

4. today’s agenda
1. The sad VirtualMachine story
2. Containers and non-containers
3. Drupal on LXC
4. How to Puppetize a container
5. Docker & LXC
6. Shipping containers with Drupal

5. What is virtualization?
Hardware virtualization or platform
virtualization refers to the creation of a
virtual machine that acts like a real
computer with an operating system.
Software executed on these virtual
machines is separated from the underlying
hardware resources.

6. Why should i care?
Increase
Reduce
+ efficiency
+ availability
+ security
- costs
- hardware
- energy
Cloud infrastructure providers like Amazon Web Service sell virtual
machines. EC2 revenue is expected to surpass $1B in revenue this year.
That's a lot of VMs…

7. Virtual Machine platforms

8. The sad Virtual Machine story...
➢ We are also paying for lot of
avoidable overhead.
➢ The Virtual Machine is a full-blown
operating system image.
➢ This is a heavyweight solution to
run applications in the cloud.

9. What is the solution?

10. A new concept, a new hope
Containers used to be terrible, but not anymore

11. Because LXC is ready to roll!

12. On any recent Linux Kernel near you!

13. Virtual Machines vs Containers
Virtualization and
paravirtualization
require a full
operating system
image for each
instance.
Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

14. Virtual Machines vs Containers
Containers can
share a single
Linux Kernel and,
optionally, other
binary and library
resources.
Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

15. Virtual Machines vs Containers
Virtualization and paravirtualization
require a full operating system image
for each instance.
Containers can share a single operating
system and, optionally, other binary
and library resources.
Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

16. The time to provision
Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

17. From the simple concept of “chroot”
mount /dev/sda /target
chroot /target
source: http://openvz.org
but that had no resource and security isolation goals
for multi-tenant designs...

18. What if you could control...
Cpu
Devices
Processes
Memory
Disk space
Network

19. Containers & Cgroups
Openvz & LXC
Need
control
over
specific
host
resources
cgroups
Control Groups provide a mechanism for aggregating/partitioning sets
of tasks, and all their future children, into hierarchical groups with
specialized behaviour.
~$ ls /sys/fs/cgroup
blkio
cpu
cpuacct
cpuset
devices
freezer
hugetlb
memory
perf_event
example:
lxc-cgroup -n foo cpuset.cpus "0,3"
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt

20. LXC on Ubuntu
ricardo@ricardo-box:~$ sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.8.0-26-generic
--- Namespaces --Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups --Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc --Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

21. LXC Security with Apparmor
Since Ubuntu 12.04, containers are constrained by apparmor by default
- /usr/bin/lxc-start is automatically transitioned to its own profile, where it is only allowed to mount into the
container’s tree.
- The default policy attempts to protect the host from accidental container abuses – such as writing to /proc/sysrqtrigger and /proc/mem,
- Each container configuration can specify a custom profile.
On Ubuntu 13.04
- We are able to exploit user namespaces and support stacked apparmor profiles
- Apport hooks for better debug support,
- Greater scriptability by providing a liblxc api.
By 14.04
User namespace should support container use by unprivileged users.
Other resources:
http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html
https://wiki.ubuntu.com/LxcSecurity
http://wiki.ubuntu.com/UserNamespace

22. Let’s start with Vagrant
and puppetize it!
Wait…
I don’t have to use
heavy virtualboxes?
You just need that guy

23. My contribution to Drupal Containers
You will get:
1. Drupal (latest version)
2. Nginx
3. Php + php-fpm
4. Mysql
5. Phpmyadmin
6. xhprof
7. xdebug
8. composer
https://github.com/ricardoamaro/drupal-lxc-vagrant-docker

24. Vagrant LXC (demo) - Install
Install latest Vagrant from: http://downloads.vagrantup.com/tags/v1.2.7 or later.
Install lxc + redir.
sudo dpkg -i vagrant_1.2.7_x86_64.deb
sudo apt-get install lxc redir

25. 1 - Clone the code
Get the code from:
https://github.com/ricardoamaro/drupal-lxc-vagrant-docker
git clone git@github.com:ricardoamaro/drupal-lxc-vagrant-docker.
git
cd ~/drupal-lxc-vagrant-docker

26. 2 - Get the plugin & deploy
vagrant plugin install vagrant-lxc
vagrant up --provider=lxc
sudo lxc-ls --fancy
# redirect port 80 to the host
sudo redir --lport=80 --cport=80 --caddr={container ip} &
# and/or edit the /etc/hosts file with:
${IP}
drupal phpmyadmin xhprof

27. Now…
I have to
build this
every time?

29. use Docker

30. Docker Who??

31. this Docker
and ship them has containers

32. Ship containers? Build Once, Run Anywhere

33. You can ship your image into a Docker container
Install docker:
sudo apt-get -y install docker
curl get.docker.io | sudo sh -x
Import container to docker:
sudo tar -C /var/lib/lxc/{container name}/rootfs/ -c . | sudo
docker import - dev/drupal
Start docker:
sudo docker run -i -t -p :80 dev/drupal /bin/bash
The image is already pushed to https://index.docker.io, and can be pulled using:
sudo docker pull ricardoamaro/drupal

34. Or... build it the Docker way:
https://github.com/ricardoamaro/docker-drupal
https://github.com/ricardoamaro/docker-drupal-nginx

36. The docker is awesome!
the Commands:
attach
Attach to a running container
commit
diff
the Api
http://docs.docker.io/en/latest/api/registry_index_spec/
Create a new image from a container's changes
Inspect changes on a container's filesystem
export
Stream the contents of a container as a tar archive
history Show the history of an image
the Registry
images
http://docs.docker.io/en/latest/api/index_api/
import
info
List images
Create a new filesystem image from the contents of a tarball
Display system-wide information
inspect Return low-level information on a container
kill
Kill a running container
login
Register or Login to the docker registry server
logs
Fetch the logs of a container
port
Lookup the public-facing port which is NAT-ed to PRIVATE_PORT
ps
List containers
pull
Pull an image or a repository to the docker registry server
push
Push an image or a repository to the docker registry server
restart Restart a running container
rm
Remove a container
rmi
Remove an image
run
Run a command in a new container
start
Start a stopped container
stop
Stop a running container
tag
Tag an image into a repository
version Show the docker version information
wait
Block until a container stops, then print its exit code

37. Docker on Docker
(v0.6)

38. Continuous Deployments & Development
Container layers to be used for hosting applications

39. Just commit the good apples
Changes to the container can be committed
to the central index or rolled back

40. Openstack and Docker...
The future has a bonus extra:
http://blog.docker.io/2013/06/openstack-docker-manage-linux-containers-with-nova/
https://wiki.openstack.org/wiki/Docker

41. ...with the Nova driver
“Nova is intended to be modular and easy to extend and adapt. It supports many
different hypervisors (KVM and Xen to name a few), different database backends
(SQLite, MySQL, and PostgreSQL, for instance), different types of user
databases (LDAP or SQL), etc.”
And it supports Docker containers!
This project is open-source and available at:
https://github.com/dotcloud/openstack-docker.

42. Awesomeness!
Develop the box in layers
Use only one Linux Kernel
Deploy quickly
Build Once, Run Anywhere

43. Questions?
@ricardoamaro

44. Acquia is hiring!
Interested?
Acquia is looking for techs, advisors, architects across Europe
or, if you know some interested, reach me
https://www.acquia.com/careers

45. Thank you!
@ricardoamaro