4. Today's agenda
1. The sad VirtualMachine story
2. Containers and non-containers
3. Drupal on LXC
4. How to Puppetize a container
5. Docker & LXC
6. Shipping containers with Drupal
5. What is virtualization?
Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system. Software executed on these virtual machines is separated from the underlying hardware resources.
6. Why should I care?
Increase: efficiency, availability, security
Reduce: costs, hardware, energy
Cloud infrastructure providers like Amazon Web Services sell virtual machines. EC2 revenue is expected to surpass $1B in revenue this year.
That's a lot of VMs…
8. The sad Virtual Machine story...
➢ We are also paying for a lot of avoidable overhead.
➢ The Virtual Machine is a full-blown operating system image.
➢ This is a heavyweight solution to run applications in the cloud.
13. Virtual Machines vs Containers
Virtualization and paravirtualization require a full operating system image for each instance.
Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud
14. Virtual Machines vs Containers
Containers can share a single Linux kernel and, optionally, other binary and library resources.
15. Virtual Machines vs Containers
Virtualization and paravirtualization require a full operating system image for each instance.
Containers can share a single operating system and, optionally, other binary and library resources.
16. The time to provision
(chart; see the Linux Journal source above)
17. From the simple concept of “chroot”
mount /dev/sda /target
chroot /target
source: http://openvz.org
but that had no resource and security isolation goals for multi-tenant designs...
18. What if you could control...
Cpu
Devices
Processes
Memory
Disk space
Network
19. Containers & Cgroups
OpenVZ & LXC need control over specific host resources: cgroups.
Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
~$ ls /sys/fs/cgroup
blkio
cpu
cpuacct
cpuset
devices
freezer
hugetlb
memory
perf_event
example:
lxc-cgroup -n foo cpuset.cpus "0,3"
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
20. LXC on Ubuntu
ricardo@ricardo-box:~$ sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.8.0-26-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
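The slide's own run shows one line worth acting on: "User namespace: missing" means that on this 3.8 kernel a container's root is still the host's root, so everything else (AppArmor, cgroups, capability drops) has to carry the isolation. The script below is an added example, not part of the original deck or the lxc tooling: it parses lxc-checkconfig-style output and reports every feature marked "missing". The sample text is constructed from the slide's output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the slides): flag every feature that lxc-checkconfig
# reports as "missing". SAMPLE_CHECKCONFIG is a constructed copy of the
# slide's 3.8.0-26-generic run.

SAMPLE_CHECKCONFIG='Kernel configuration found at /boot/config-3.8.0-26-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled'

# Read lxc-checkconfig output on stdin and print the name of every feature
# whose status is "missing", one per line. Section headers ("--- ... ---")
# start with a dash and are skipped.
missing_features() {
    awk -F': *' '/^[^-]/ && $NF == "missing" { print $1 }'
}

# Number of missing features in the text passed as $1 (0 when none).
count_missing() {
    printf '%s\n' "$1" | missing_features | awk 'END { print NR }'
}

# Return 0 when every feature is enabled, 1 otherwise, and say which ones
# are missing so the operator knows which isolation layer is absent.
checkconfig_ok() {
    n=$(count_missing "$1")
    if [ "$n" -eq 0 ]; then
        echo "all features enabled"
        return 0
    fi
    echo "$n feature(s) missing:"
    printf '%s\n' "$1" | missing_features | sed 's/^/  - /'
    return 1
}

# Usage on a live host would be:  checkconfig_ok "$(sudo lxc-checkconfig)"
# Here we run it over the constructed sample instead.
checkconfig_ok "$SAMPLE_CHECKCONFIG" || echo "kernel is not ready for unprivileged containers"
```

On the sample this prints one missing feature, "User namespace", and exits non-zero, which is the hook you want in a provisioning script before trusting container boundaries on a given host kernel.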
21. LXC Security with AppArmor
Since Ubuntu 12.04, containers are constrained by AppArmor by default:
- /usr/bin/lxc-start is automatically transitioned to its own profile, where it is only allowed to mount into the container's tree.
- The default policy attempts to protect the host from accidental container abuses, such as writing to /proc/sysrq-trigger and /proc/mem.
- Each container configuration can specify a custom profile.
On Ubuntu 13.04:
- We are able to make use of user namespaces and support stacked AppArmor profiles.
- Apport hooks for better debug support.
- Greater scriptability by providing a liblxc API.
By 14.04:
- User namespaces should support container use by unprivileged users.
Other resources:
http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html
https://wiki.ubuntu.com/LxcSecurity
http://wiki.ubuntu.com/UserNamespace
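The cgroups slide and this AppArmor slide describe the same thing from two sides: a container is only as contained as its config says it is. The audit script below is an added example (not from the deck or from the lxc project): it reads an LXC container config and reports the controls that are absent or switched off. The config keys are the real lxc.conf(5) keys of the LXC 0.9/1.0 era that Ubuntu 12.04-13.04 shipped (lxc.aa_profile, lxc.cap.drop, lxc.cgroup.*); the two configs are constructed samples, the device allow list mirrors the usual Ubuntu defaults (null, zero, console, random, urandom, pts), and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the slides): audit an LXC container config for the
# hardening the deck mentions. WEAK_CONFIG and HARDENED_CONFIG are constructed
# samples; the keys are the lxc.conf(5) keys of that LXC generation.

WEAK_CONFIG='lxc.utsname = drupal
lxc.network.type = veth
lxc.rootfs = /var/lib/lxc/drupal/rootfs
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = a'

HARDENED_CONFIG='lxc.utsname = drupal
lxc.network.type = veth
lxc.rootfs = /var/lib/lxc/drupal/rootfs
lxc.aa_profile = lxc-container-default
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.memory.limit_in_bytes = 1G
lxc.cgroup.cpuset.cpus = 0,3'

# Value of key $2 in the config text $1; the last occurrence wins in this
# helper, and an absent key yields an empty string.
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k { v = $2 } END { print v }'
}

# Print one finding per line for each missing or weak control.
audit_lxc_config() {
    cfg=$1
    case "$(conf_get "$cfg" lxc.aa_profile)" in
        ""|unconfined) echo "aa_profile: container runs without an AppArmor profile" ;;
    esac
    if [ -z "$(conf_get "$cfg" lxc.cgroup.devices.deny)" ]; then
        echo "devices: no lxc.cgroup.devices.deny, container may reach every host device node"
    fi
    if [ -z "$(conf_get "$cfg" lxc.cgroup.memory.limit_in_bytes)" ]; then
        echo "memory: no memory limit, a runaway container can exhaust the host"
    fi
    if [ -z "$(conf_get "$cfg" lxc.cgroup.cpuset.cpus)" ]; then
        echo "cpu: no cpuset pinning, container competes for every core"
    fi
    if [ -z "$(conf_get "$cfg" lxc.cap.drop)" ]; then
        echo "caps: no lxc.cap.drop, container root keeps all capabilities"
    fi
}

# Number of findings for the config text passed as $1 (0 means clean).
count_findings() {
    audit_lxc_config "$1" | awk 'END { print NR }'
}

# Usage against a real container would be:
#   audit_lxc_config "$(cat /var/lib/lxc/drupal/config)"
echo "weak config findings:"
audit_lxc_config "$WEAK_CONFIG" | sed 's/^/  /'
echo "hardened config findings: $(count_findings "$HARDENED_CONFIG")"
```

The weak sample yields five findings and the hardened one none. The deny-all-then-allow pattern on the devices controller is the one to keep an eye on: an "allow = a" with no "deny = a" before it is the same as no device cgroup at all.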
22. Let’s start with Vagrant
and puppetize it!
Wait…
I don’t have to use
heavy virtualboxes?
You just need that guy
23. My contribution to Drupal Containers
You will get:
1. Drupal (latest version)
2. Nginx
3. PHP + php-fpm
4. MySQL
5. phpMyAdmin
6. xhprof
7. xdebug
8. composer
https://github.com/ricardoamaro/drupal-lxc-vagrant-docker
25. 1 - Clone the code
Get the code from:
https://github.com/ricardoamaro/drupal-lxc-vagrant-docker
git clone git@github.com:ricardoamaro/drupal-lxc-vagrant-docker.git
cd ~/drupal-lxc-vagrant-docker
26. 2 - Get the plugin & deploy
vagrant plugin install vagrant-lxc
vagrant up --provider=lxc
sudo lxc-ls --fancy
# redirect port 80 to the host
sudo redir --lport=80 --cport=80 --caddr={container ip} &
# and/or edit the /etc/hosts file with:
${IP} drupal phpmyadmin xhprof
33. You can ship your image into a Docker container
Install docker (from the Ubuntu package, or with the upstream install script):
sudo apt-get -y install docker
curl get.docker.io | sudo sh -x
Import the container into docker:
sudo tar -C /var/lib/lxc/{container name}/rootfs/ -c . | sudo docker import - dev/drupal
Start docker:
sudo docker run -i -t -p :80 dev/drupal /bin/bash
The image is already pushed to https://index.docker.io, and can be pulled using:
sudo docker pull ricardoamaro/drupal
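The import step above splices a container name into a path that is then fed to tar and docker under sudo. The wrapper below is an added example (not from the deck or the drupal-lxc-vagrant-docker project): it validates the container and image names before building that pipeline, and previews the command in dry-run mode so it can be exercised on a machine without docker. LXC_ROOT defaults to the /var/lib/lxc path the slide uses; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the slides): a checked wrapper around the
# "tar -C <rootfs> -c . | docker import - <image>" step from the deck.

LXC_ROOT=${LXC_ROOT:-/var/lib/lxc}

# Accept only plain container names: letters, digits, dot, dash, underscore,
# never empty, never starting with a dot, never containing a slash. This is
# what keeps "../something" out of the tar -C argument.
valid_container_name() {
    case "$1" in
        "" | .* | */*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Path of the container's root filesystem under LXC_ROOT.
rootfs_path() {
    printf '%s/%s/rootfs' "$LXC_ROOT" "$1"
}

# Build the exact pipeline the slide shows. With DRY_RUN=1 (the default here)
# the command is printed instead of executed; with DRY_RUN=0 the rootfs must
# exist and the pipeline runs.
import_lxc_to_docker() {
    name=$1 image=$2
    if ! valid_container_name "$name"; then
        echo "refusing container name: '$name'" >&2
        return 2
    fi
    case "$image" in
        "" | *[!a-z0-9./_-]*) echo "refusing image name: '$image'" >&2; return 2 ;;
    esac
    cmd="sudo tar -C $(rootfs_path "$name") -c . | sudo docker import - $image"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    if [ ! -d "$(rootfs_path "$name")" ]; then
        echo "no rootfs at $(rootfs_path "$name")" >&2
        return 1
    fi
    eval "$cmd"
}

# Dry-run usage: the first call prints the pipeline, the second is rejected.
import_lxc_to_docker drupal dev/drupal
import_lxc_to_docker ../etc dev/evil || echo "rejected as expected"
```

Set DRY_RUN=0 on a host that actually has the container and docker installed; everything else in the script is pure string handling and runs anywhere.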
34. Or... build it the Docker way:
https://github.com/ricardoamaro/docker-drupal
https://github.com/ricardoamaro/docker-drupal-nginx
36. Docker is awesome!
the Commands:
attach - Attach to a running container
commit - Create a new image from a container's changes
diff - Inspect changes on a container's filesystem
export - Stream the contents of a container as a tar archive
history - Show the history of an image
images - List images
import - Create a new filesystem image from the contents of a tarball
info - Display system-wide information
inspect - Return low-level information on a container
kill - Kill a running container
login - Register or Login to the docker registry server
logs - Fetch the logs of a container
port - Lookup the public-facing port which is NAT-ed to PRIVATE_PORT
ps - List containers
pull - Pull an image or a repository to the docker registry server
push - Push an image or a repository to the docker registry server
restart - Restart a running container
rm - Remove a container
rmi - Remove an image
run - Run a command in a new container
start - Start a stopped container
stop - Stop a running container
tag - Tag an image into a repository
version - Show the docker version information
wait - Block until a container stops, then print its exit code
the Api:
http://docs.docker.io/en/latest/api/registry_index_spec/
the Registry:
http://docs.docker.io/en/latest/api/index_api/
39. Just commit the good apples
Changes to the container can be committed to the central index or rolled back.
40. Openstack and Docker...
The future has a bonus extra:
http://blog.docker.io/2013/06/openstack-docker-manage-linux-containers-with-nova/
https://wiki.openstack.org/wiki/Docker
41. ...with the Nova driver
“Nova is intended to be modular and easy to extend and adapt. It supports many
different hypervisors (KVM and Xen to name a few), different database backends
(SQLite, MySQL, and PostgreSQL, for instance), different types of user
databases (LDAP or SQL), etc.”
And it supports Docker containers!
This project is open-source and available at:
https://github.com/dotcloud/openstack-docker.
44. Acquia is hiring!
Interested?
Acquia is looking for techs, advisors, architects across Europe,
or, if you know someone interested, reach me.
https://www.acquia.com/careers