SlideShare a Scribd company logo

JOSA TechTalk: Taking Docker to Production

Jordan Open Source Association
Jordan Open Source Association

Docker and Containers are proven solutions, but are they ready to replace your current deployment? And more importantly, are you aware of the changes you'll have to make to accommodate them? Are there any risks involved? This talk will answer these questions and talk about how to plan, automate, build, deploy, and orchestrate the whole process.

Technology
1 of 52
Download to read offline
Taking Docker To production JOSA TechTalk by Muayyad Saleh Alsadi http://muayyad-alsadi.github.io/
What is Docker again? (quick review) Containers uses linux kernel features like: ● namespaces ● cgroups (control groups) ● capabilities. Platform Docker is a key component of many PaaS. Docker provide a way to host images, pull them, run them, pause them, snapshot them into new images, view diffs .. etc. Ecosystem Like github, Docker Hub provide publicly available community images.
Containers vs. VMs No kernel in guest OS (shared with host) containers are more secure and isolated than chroot and less isolated than VM
Why DevOps? Devs want change Ops wants stability (no change) DevOps resolve the conflict. for devs: docker image contains the same os, same libraries, same version, same config, ... etc. for admins: host is untouched and stable Blame each other Fight each other
Devs Heaven (not for production) docker compose can bring everything up and connect them and link them with a single command. can mount local dir inside the image (so that developer can use his/her favorite IDE). The command is docker-compose up it will read “docker-compose.yml” which might look like: mywebapp: image: mywebapp volumes: - .:/code links: - redis redis: image: redis
Operations Heaven Having a stable host! CoreOS does not include any package manager. and does not even have python or tools installed. They have a Fedora based docker image called toolbox. You can mix and match. Some containers runs Java 6 or Java 7. Some uses CentOS 6, others 7, others ubuntu 14.04 others Fedora 22 ..etc. in the same host.
Linking Containers docker run -d --name r1 redis docker run -d --name web --link r1:redis myweb r1 is container name redis is link alias it will update /etc/hosts and set ENVs: ● <alias>_NAME = <THIS>/<THAT> # myweb/r1 ● REDIS_PORT=<tcp|udb>://<IP>:<PORT> ● REDIS_PORT_6379_TCP_PROTO=tcp ● REDIS_PORT_6379_TCP_PORT=6379 ● REDIS_PORT_6379_TCP_ADDR=172.17.1.15
Pets vs. Cattle vs.Ants Pets (virtualization) The VM has ● lovely distinct names ● emotions ● many highly coupled roles ● if down it’s a catastrophe Cattle (cloud) ● no names ● no emotions ● single role ● decoupled (loosely coupled) ● load-balanced ● if down other VMs take over. ● VM failure is planned and part of the process Ants (docker containers) containers are like cloud vms, no names no emotions, load balanced. A single host (might be a VM) is highly dense. The host is stable. Large group of containers are designed to fail as part of the process.
What docker is not ● docker is not a hypervisor ○ docker is for process containers not system containers ○ example of system containers: LXD and OpenVZ ● no systemd/upstart/sysvinit in the container ○ docker is for process containers not system containers ○ just run apache, nginx, solr, whatever ○ TTYs are not needed ○ crons are not needed ● Docker is not for multi-tenant HINT: LXD is stupid way of winning a meaningless benchmark
Docker ecosystem ● CoreOS, Atomic OS, Ubuntu Core ● Openshift (redhat PaaS) ● CloudFoundary ● Mesos / mesosphere (by Twitter and now apache) ● Google Kubernetes (scheduler containers to hosts) ● Swarm ● etcd/Fleet ● Drone ● Deis, Flynn, Rancher
Docker golden rules by twitter@gionn: ● only one process per image ● no embedded configuration ● no sshd, no syslog, no tty ● no! you don't touch a running container to adjust things ● no! you will not use a community image
Theory vs. Reality docker imaginary “unicorn” apps ● statically compiled (no dependencies) ● written in golang ● container ~ 10MB on real world ● interpreted application (python, php) ● system dependencies, config files, log files ● multiple processes (nginx, php- fpm) ● container image >500MB
12 Factor - http://12factor.net/ 1. One codebase (in git), many deploys 2. Explicitly declare and isolate dependencies 3. get config from environment or service discovery 4. Treat backing services as attached resources (Database, SMTP, S3, ..etc.) 5. Strictly separate build and run stages (no minify css/js on run stage) 6. Execute the app as one or more stateless processes (data and state are persisted elsewhere apart from the app, no need for sticky sessions) 7. Export a port (an end point to talk to) 8. Scale out via the process model 9. Disposability: Maximize robustness with fast startup and graceful shutdown 10. Keep development, staging, and production as similar as possible 11. Logs: they are flow of events written to stdout that is captured by execution env.
12 Factor last factor is administrative processes ● Run admin/management tasks as one-off processes ○ in django: manage.py migrate ● One-off admin processes should be run in an identical environment as the regular long-running processes of the app ● shipped from same code (same git repo) Example of 12 Factor: bedrock - a 12 factor wordpress https://roots.io/bedrock/
12 Factor - Factorish can be found on https://github.com/factorish/factorish example: https://github.com/factorish/factorish-elk
Config ● confd ○ written in go (a statically linked binary) ○ input ■ env variables ■ service discovery (like etcd and consul) ■ redis ○ output ■ golang template with {{something}} ● crudini, jq ● http://gliderlabs.com/registrator/latest/user/quickstart/
Config ● container’s entry point (“/start.sh”) calls REST API to add itslef to haproxy or anyother loadbalancer ● container’s entry point uses discovery service client (ex. etcdctl) ● something listen to docker events and send each container ENV and labels to discovery service
Multiple Process ● supervisord ● runit ● fake systemd ○ see free-ipa docker image ○ https://github.com/adelton/docker-freeipa
Logging/Monitoring ● ctop ● cadvisor: https://github.com/google/cadvisor ● logstash ● logspout - https://github.com/gliderlabs/logspout
Logging/Monitoring nginx logging use “error_log /dev/stderr;” and “access_log /dev/stdout;” with daemon off. for example in supervisord [program:nginx] directory=/var/lib/nginx command=/usr/sbin/nginx -g 'daemon off;' user=root autostart=true autorestart=true redirect_stderr=false stdout_logfile=/dev/stdout stderr_logfile=/dev/stderr stdout_logfile_maxbytes=0 stderr_logfile_maxbytes=0
Logging/Monitoring
Web UI ● tumtum ● cockpit-project.org ● Shipyard ● FleetUI ● CoreGI ● SUSE/Portus
Web UI - cockpit-project
Web UI - shipyard
Web UI - tumtum
Building Docker Images ● Dockerfile and “docker build -t myrepo/myapp .” ○ I have a proposal using pivot root inside dockerfile (docker build will build the build environment then use another fresh small container as target, copy build result and pivot). Docker builder is frozen but details are here ● Dockramp ○ https://github.com/jlhawn/dockramp ○ external builder written in golang ○ uses only docker api (needs new “cp” api) ○ can implement my proposal ● Atomic app / Nulecule/ openshift have their ownway ● Use Fabric/Ansible to build
Simple Duct tape launching. Systemd @ magic. ex: have container@.service # systemctl start container@myweb [Unit] Description=Docker Container for %I After=docker.service Requires=docker.service [Service] Type=simple ExecStartPre=bash -c “/usr/bin/mkdir /var/lib/docker/vfs/dir/%i || :” ExecStartPre=/usr/bin/docker kill %i ExecStartPre=/usr/bin/docker rm %i ExecStart=/usr/bin/docker run -i --name=”%i” --env-file=/etc/sysconfig/container/%i.rc --label-file=/etc/sysconfig/container/%i.labels -v /var/lib/docker/vfs/dir/%i:/data myrepo/%i
Seriously? Docker on production! “Docker is about running random code downloaded from the Internet and running it as root.”[1][2] -- a redhat engineer Source 1, source 2
● host a private docker registry (so you don’t download random code from random people on internet) ● use HTTPS and be your own certificate authority and trust it on your docker hosts ● use registry version 2 and apply ACL on images ○ URLs in v2 look /v2/<name>/blobs/<digest> ● use HTTP Basic Auth (apache/nginx) with whatever back- end you like (ex. LDAP or just plain files) ● have a Read-Only user as your “deployer” on servers ● have a build server to push images (not developers) Host your own private registry
“Containers do not contain.” -- Dan Walsh (Redhat / SELinux) Seriously? Docker on production!
in may 2015, a catastrophic vulnerability affected kvm/xen almost every datacenter. Fedora/RHEL/CentOS had been secure because of SELinux/sVirt (since 2009) AppArmor was a joke that is not funny. http://www.zdnet.com/article/venom-security-flaw-millions-of- virtual-machines-datacenters/ https://fedoraproject. org/wiki/Features/SVirt_Mandatory_Access_Control Docker and The next Venom? sVirt do support Docker What happens in a container stays in the container.
● Drop privileges as quickly as possible ● Run your services as non-root whenever possible ○ apache needs root to open port 80, but you are going to proxy the port anyway, so run it as non-root directly ● Treat root within a container as if it is root outside of the container ● do not give CAP_SYS_ADMIN to a container (it’s equivalent to host root) Recommendations
Setting proper storage backend ● docker info | grep ‘Storage Driver’ ● possible drivers/backends: ○ aufs: a union filesystem that is so low quality that was never part of official linux kernel ○ overlay: a modern union filesystem that was accepted in kernel 4.0 (too young) ○ zfs: linux port of the well-established filesystem in solaris. the quality of the port and driver is still questionable ○ btrfs: the most featureful linux filesystem. too early to be on production ○ devicemapper (thin provisioning): well-established redhat technology (already in production ex. LVM) ● do not use loopback default config in EL (RHEL/CentOS/Fedora) ○ WARNING: No --storage-opt dm.thinpooldev specified, using loopback; this configuration is strongly discouraged for production use ● in EL edit /etc/sysconfig/docker-storage ● http://developerblog.redhat.com/2014/09/30/overview-storage-scalability-docker/ ● http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/ ● http://www.projectatomic.io/docs/docker-storage-recommendation/
Storage backend (using script) man docker-storage-setup vim /etc/sysconfig/docker-storage-setup docker-storage-setup ● DEVS=“/dev/sdb /dev/sdc” ○ list of unpartitioned devices to be used or added ○ if you are adding more, remove old ones ○ required if VG is specified and does not exists ● VG=“<my-volume-group>” ○ set to empty to use unallocated space in root’s VG
Storage backend (manual) pvcreate /dev/sdc vgcreate direct-lvm /dev/sdc lvcreate --wipesignatures y -n data direct-lvm -l 95%VG lvcreate --wipesignatures y -n metadata direct-lvm -l 5%VG dd if=/dev/zero of=/dev/direct-lvm/metadata bs=1M vim /etc/sysconfig/docker-storage # to add next line DOCKER_STORAGE_OPTIONS = --storage-opt dm.metadatadev=/dev/direct- lvm/metadata --storage-opt dm.datadev=/dev/direct-lvm/data systemctl restart docker
Docker Volumes Never put data inside the container (logs, database files, ..etc.). Data should go to mounted volumes. You can mount folders or files. You can mount RW or RO. You can have a busybox container with volumes and mount all volumes of that container in another container. # docker run -d --volumes-from my_vols --name db1 training/postgres
Everything is a child processes of a single daemon. Seriously! Seriously? Docker on production!
Docker process model is flawed Docker daemon launches containers as attached child processes. if the daemon dies all of them will collapse in a fatal catastrophe. Moreover, docker daemon has so many moving parts. For example fetching images is done inside the daemon. Bad network while fetching an image or having an evil image might collapse all containers. https://github.com/docker/docker/issues/15328 An evil client, an evil request, an evil image, an evil contain, or an evil “inspect” template might cause docker daemon to go crazy and risk all containers.
Docker process model is flawed CoreOS introduced more sane process model in rkt (Rocket) an alternative docker-like containers run time. RedHat contributes to both docker and rocket as both has high potential. Rkt is just a container runtime where you can run containers as non-root and without being a child to anything (ex. rely on systemd/D-Bus). Rocket is not a platform (no layers, no image registry service, .. etc.) https://github.com/coreos/rkt/ Docker might evolve to fix this, dockerlite is a shell script uses LXC and BTRFS https://github.com/docker/dockerlite For now just design your cluster to fail and use anti-affinity
Networking. Linux Bridges, IPTables NATing, Export ports using a young proxy written in golang. Seriously! Seriously? Docker on production!
Docker Networking now Docker uses Linux bridges which only connect within same host. Containers on host A can’t talk to container on host B! And uses NAT to talk to outside world # iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE Exported ports in docker are done via a docker proxy process (written in go). check “netstat -tulnp” Deprecated geard used to connect multiple hosts using NAT and configured each container to talk to localhost for anything (ex. talk to localhost MySQL and NAT will take it to MySQL container on another host): # iptables -t nat -A PREROUTING -d ${local_ip}/32 -p tcp -m tcp --dport ${local_port} -j DNAT --to-destination ${remote_ip}:${remote_port} # iptables -t nat -A OUTPUT -d ${local_ip}/32 -p tcp -m tcp --dport ${local_port} -j DNAT --to-destination ${remote_ip}:${remote_port} # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ${container_ip}
Docker Networking now A Similar approach is manually hard-code and divide docker bridges on each host 172.16.X.y and where X is the host and y is the container and use NAT to deliver packets (or 172.X.y.y depending on number hosts and number of containers on each host). http://blog.sequenceiq.com/blog/2014/08/12/docker-networking/ given a remote host with IP 192.168.40.12 and its docker0 bridge with 172.17.52.0 /24, and given a host with docker0 on 172.17.51.0/24 in the later host type route add -net 172.17.52.0 netmask 255.255.255.0 gw 192.168.40.12 iptables -t nat -F POSTROUTING# or pass "--iptables=false" to docker daemon iptables -t nat -A POSTROUTING -s 172.17.51.0/24 ! -d 172.17.0.0/16 -j MASQUERADE
Docker Networking Alternatives ● OpenVSwitch (well-established production technology) ● Flannel (young project from CoreOS written in golang) ● Weave (https://github.com/weaveworks/weave) ● Calico (https://github.com/projectcalico/calico)
Docker Networking Alternatives OpenVSwitch: Just like a physical, this virtual switch connects different hosts. One setup would be connecting each container to OVS without bridge. “docker run --net=none” then use ovs-docker script The other setup just replace docker0 bridge with one that is connected to OVS. (no change need to be done to each container)
Docker Networking Alternatives # ovs_vsctl add-br sw0 or /etc/sysconfig/network-scripts/ifcfg-sw0 then # ip link add veth_s type veth peer veth_c # brctl addif docker0 veth_c # ovs_vsctl add-port sw0 veth_s see /etc/sysconfig/network-scripts/ifup-ovs http://git.openvswitch.org/cgi-bin/gitweb.cgi? p=openvswitch;a=blob_plain;f=rhel/README. RHEL;hb=HEAD
Networking the future in the feature libnetwork will allow docker to use SDN plugins. Docker acquired SocketPlane to implement this. https://github.com/docker/libnetwork https://github.com/docker/libnetwork/blob/master/ROADMAP.md
Introducing Docker Glue ● docker-glue - modular pluggable daemon that can run handlers and scripts ● docker-balancer - a standalone daemon that just updates haproxy (a special case of glue) https://github.com/muayyad-alsadi/docker-glue autoconfigure haproxy to pass traffic to your containers uses docker labels “-l” to specify http host or url prefix # docker run -d --name wp1 -l glue_http_80_host='wp1.example.com' mywordpress/wordpress # docker run -d --name wp2 -l glue_http_80_host='wp2.example.com' mywordpress/wordpress # docker run -d --name panel -l glue_http_80_host=example.com-l glue_http_80_prefix=dashboard/ myrepo/control- panel
Introducing Docker Glue run any thing based on docker events (test.ini) [handler] class=DockerGlue.handlers.exec.ScriptHandler events=all enabled=1 triggers-none=0 [params] script=test-handler.sh demo-option=some value # it will run test-handler.sh /path/to/test.ini <EVENT> <CONTAINER_ID>
Introducing Docker Glue #! /bin/bash cd `dirname $0` function error() { echo "$@" exit -1 } [ $# -ne 3 ] && error "Usage `basename $0` config.ini status container_id" ini="$1" status="$2" container_id="$3" ini_demo_option=$( crudini --inplace --get $ini params demo-option 2>/dev/null || : ) echo "`date +%F` container_id=[$container_id] status=[$status] ini_demo_option=[$ini_demo_option]" >> /tmp/docker-glue-test.log
Resources ● http://opensource.com/business/14/7/docker-security- selinux ● http://opensource.com/business/14/9/security-for- docker ● http://www.projectatomic.io/blog/2014/09/yet-another- reason-containers-don-t-contain-kernel-keyrings/ ● http://developerblog.redhat.com/2014/11/03/are- docker-containers-really-secure-opensource-com/ ● https://www.youtube.com/watch?v=0u9LqGVK-aI ● https://github.com/muayyad-alsadi/docker-glue ● http://blog.sequenceiq.com/blog/2014/08/12/docker- networking/ ● https://docs.docker.com/userguide/dockervolumes/ ● https://docs.docker.com/userguide/dockerlinks/ ● https://docs.docker.com/articles/networking/ ● https://github. com/openvswitch/ovs/blob/master/INSTALL.Docker. md ● http://radar.oreilly.com/2015/10/swarm-v-fleet-v- kubernetes-v-mesos.html
Q & A

Recommended

JOSA TechTalk: Introduction to docker
JOSA TechTalk: Introduction to dockerJOSA TechTalk: Introduction to docker
JOSA TechTalk: Introduction to docker
Jordan Open Source Association
 
Visualising Basic Concepts of Docker
Visualising Basic Concepts of Docker Visualising Basic Concepts of Docker
Visualising Basic Concepts of Docker
vishnu rao
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
MANAOUIL Karim
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
Jérôme Petazzoni
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9
Jérôme Petazzoni
 
Orchestrating Docker containers at scale
Orchestrating Docker containers at scaleOrchestrating Docker containers at scale
Orchestrating Docker containers at scale
Maciej Lasyk
 
Docker 101: An Introduction
Docker 101: An IntroductionDocker 101: An Introduction
Docker 101: An Introduction
POSSCON
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 

Recommended

JOSA TechTalk: Introduction to docker
JOSA TechTalk: Introduction to dockerJOSA TechTalk: Introduction to docker
JOSA TechTalk: Introduction to docker
Jordan Open Source Association
 
Visualising Basic Concepts of Docker
Visualising Basic Concepts of Docker Visualising Basic Concepts of Docker
Visualising Basic Concepts of Docker
vishnu rao
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
MANAOUIL Karim
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
Jérôme Petazzoni
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9
Jérôme Petazzoni
 
Orchestrating Docker containers at scale
Orchestrating Docker containers at scaleOrchestrating Docker containers at scale
Orchestrating Docker containers at scale
Maciej Lasyk
 
Docker 101: An Introduction
Docker 101: An IntroductionDocker 101: An Introduction
Docker 101: An Introduction
POSSCON
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 
Docker - introduction
Docker - introductionDocker - introduction
Docker - introduction
Michał Kurzeja
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
DuckDuckGo
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
Alan Forbes
 
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQIntroduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
dotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Layne Peng
 
Docker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCSDocker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCS
Frank Munz
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Jo Ee Liew
 
Introdution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrentoIntrodution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrento
Cristian Consonni
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
Justyna Ilczuk
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 
Developer workflow with docker
Developer workflow with dockerDeveloper workflow with docker
Developer workflow with docker
Lalatendu Mohanty
 
Introduction to Containers - From Docker to Kubernetes and everything in between
Introduction to Containers - From Docker to Kubernetes and everything in betweenIntroduction to Containers - From Docker to Kubernetes and everything in between
Introduction to Containers - From Docker to Kubernetes and everything in between
All Things Open
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
Robert Reiz
 
Docker Continuous Delivery Workshop
Docker Continuous Delivery WorkshopDocker Continuous Delivery Workshop
Docker Continuous Delivery Workshop
Jirayut Nimsaeng
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
Jérôme Petazzoni
 
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and moreAll Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Open
 
Docker
DockerDocker
Docker
Patrick Oberdorf
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
Runcy Oommen
 
Docker by Example - Basics
Docker by Example - Basics Docker by Example - Basics
Docker by Example - Basics
Ganesh Samarthyam
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
Jérôme Petazzoni
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
Docker, Inc.
 

More Related Content

What's hot

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 
Introduction to Containers - From Docker to Kubernetes and everything in between
Introduction to Containers - From Docker to Kubernetes and everything in betweenIntroduction to Containers - From Docker to Kubernetes and everything in between
Introduction to Containers - From Docker to Kubernetes and everything in between
All Things Open
 
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and moreAll Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Open
 

What's hot (20)

Docker - introduction
Docker - introductionDocker - introduction
Docker - introduction
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQIntroduction to Docker and all things containers, Docker Meetup at RelateIQ
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCSDocker from A to Z, including Swarm and OCCS
Docker from A to Z, including Swarm and OCCS
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Introdution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrentoIntrodution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrento
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Developer workflow with docker
Developer workflow with dockerDeveloper workflow with docker
Developer workflow with docker
 
Introduction to Containers - From Docker to Kubernetes and everything in between
Introduction to Containers - From Docker to Kubernetes and everything in betweenIntroduction to Containers - From Docker to Kubernetes and everything in between
Introduction to Containers - From Docker to Kubernetes and everything in between
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
Docker Continuous Delivery Workshop
Docker Continuous Delivery WorkshopDocker Continuous Delivery Workshop
Docker Continuous Delivery Workshop
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and moreAll Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
All Things Containers - Docker, Kubernetes, Helm, Istio, GitOps and more
 
Docker
DockerDocker
Docker
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
 
Docker by Example - Basics
Docker by Example - Basics Docker by Example - Basics
Docker by Example - Basics
 

Similar to JOSA TechTalk: Taking Docker to Production

Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
Docker, Inc.
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and Containers
Docker, Inc.
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
Docker, Inc.
 

Similar to JOSA TechTalk: Taking Docker to Production (20)

Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 
Introduction to Docker and Containers
Introduction to Docker and ContainersIntroduction to Docker and Containers
Introduction to Docker and Containers
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
 
A Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and ContainersA Gentle Introduction to Docker and Containers
A Gentle Introduction to Docker and Containers
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
Dockerizing a Symfony2 application
Dockerizing a Symfony2 applicationDockerizing a Symfony2 application
Dockerizing a Symfony2 application
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Accelerate your development with Docker
Accelerate your development with DockerAccelerate your development with Docker
Accelerate your development with Docker
 
Accelerate your software development with Docker
Accelerate your software development with DockerAccelerate your software development with Docker
Accelerate your software development with Docker
 
Docker_AGH_v0.1.3
Docker_AGH_v0.1.3Docker_AGH_v0.1.3
Docker_AGH_v0.1.3
 
Using Docker to build and test in your laptop and Jenkins
Using Docker to build and test in your laptop and JenkinsUsing Docker to build and test in your laptop and Jenkins
Using Docker to build and test in your laptop and Jenkins
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
 
Docker+java
Docker+javaDocker+java
Docker+java
 
Docker linuxday 2015
Docker linuxday 2015Docker linuxday 2015
Docker linuxday 2015
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015
 
Puppet Camp Seattle 2014: Docker and Puppet: 1+1=3
Puppet Camp Seattle 2014: Docker and Puppet: 1+1=3 Puppet Camp Seattle 2014: Docker and Puppet: 1+1=3
Puppet Camp Seattle 2014: Docker and Puppet: 1+1=3
 

More from Jordan Open Source Association

JOSA TechTalks - Word Embedding and Word2Vec Explained
JOSA TechTalks - Word Embedding and Word2Vec ExplainedJOSA TechTalks - Word Embedding and Word2Vec Explained
JOSA TechTalks - Word Embedding and Word2Vec Explained
Jordan Open Source Association
 

More from Jordan Open Source Association (20)

JOSA TechTalks - Data Oriented Architecture
JOSA TechTalks - Data Oriented ArchitectureJOSA TechTalks - Data Oriented Architecture
JOSA TechTalks - Data Oriented Architecture
 
JOSA TechTalks - Machine Learning on Graph-Structured Data
JOSA TechTalks - Machine Learning on Graph-Structured DataJOSA TechTalks - Machine Learning on Graph-Structured Data
JOSA TechTalks - Machine Learning on Graph-Structured Data
 
OpenSooq Mobile Infrastructure @ Scale
OpenSooq Mobile Infrastructure @ ScaleOpenSooq Mobile Infrastructure @ Scale
OpenSooq Mobile Infrastructure @ Scale
 
Data-Driven Digital Transformation
Data-Driven Digital TransformationData-Driven Digital Transformation
Data-Driven Digital Transformation
 
Data Science in Action
Data Science in ActionData Science in Action
Data Science in Action
 
Processing Arabic Text
Processing Arabic TextProcessing Arabic Text
Processing Arabic Text
 
JOSA TechTalks - Downgrade your Costs
JOSA TechTalks - Downgrade your CostsJOSA TechTalks - Downgrade your Costs
JOSA TechTalks - Downgrade your Costs
 
JOSA TechTalks - Docker in Production
JOSA TechTalks - Docker in ProductionJOSA TechTalks - Docker in Production
JOSA TechTalks - Docker in Production
 
JOSA TechTalks - Word Embedding and Word2Vec Explained
JOSA TechTalks - Word Embedding and Word2Vec ExplainedJOSA TechTalks - Word Embedding and Word2Vec Explained
JOSA TechTalks - Word Embedding and Word2Vec Explained
 
JOSA TechTalks - Better Web Apps with React and Redux
JOSA TechTalks - Better Web Apps with React and ReduxJOSA TechTalks - Better Web Apps with React and Redux
JOSA TechTalks - Better Web Apps with React and Redux
 
JOSA TechTalks - RESTful API Concepts and Best Practices
JOSA TechTalks - RESTful API Concepts and Best PracticesJOSA TechTalks - RESTful API Concepts and Best Practices
JOSA TechTalks - RESTful API Concepts and Best Practices
 
Web app architecture
Web app architectureWeb app architecture
Web app architecture
 
Intro to the Principles of Graphic Design
Intro to the Principles of Graphic DesignIntro to the Principles of Graphic Design
Intro to the Principles of Graphic Design
 
Intro to Graphic Design Elements
Intro to Graphic Design ElementsIntro to Graphic Design Elements
Intro to Graphic Design Elements
 
JOSA TechTalk: Realtime monitoring and alerts
JOSA TechTalk: Realtime monitoring and alerts JOSA TechTalk: Realtime monitoring and alerts
JOSA TechTalk: Realtime monitoring and alerts
 
JOSA TechTalk: Metadata Management
in Big Data
JOSA TechTalk: Metadata Management
in Big DataJOSA TechTalk: Metadata Management
in Big Data
JOSA TechTalk: Metadata Management
in Big Data
 
JOSA TechTalk: Introduction to Supervised Learning
JOSA TechTalk: Introduction to Supervised LearningJOSA TechTalk: Introduction to Supervised Learning
JOSA TechTalk: Introduction to Supervised Learning
 
D programming language
D programming languageD programming language
D programming language
 
A taste of Functional Programming
A taste of Functional ProgrammingA taste of Functional Programming
A taste of Functional Programming
 
JOSA TechTalks - Machine Learning in Practice
JOSA TechTalks - Machine Learning in PracticeJOSA TechTalks - Machine Learning in Practice
JOSA TechTalks - Machine Learning in Practice
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

JOSA TechTalk: Taking Docker to Production

  • 1. Taking Docker To production JOSA TechTalk by Muayyad Saleh Alsadi http://muayyad-alsadi.github.io/
  • 2.
  • 3. What is Docker again? (quick review) Containers uses linux kernel features like: ● namespaces ● cgroups (control groups) ● capabilities. Platform Docker is a key component of many PaaS. Docker provide a way to host images, pull them, run them, pause them, snapshot them into new images, view diffs .. etc. Ecosystem Like github, Docker Hub provide publicly available community images.
  • 4. Containers vs. VMs No kernel in guest OS (shared with host) containers are more secure and isolated than chroot and less isolated than VM
  • 5. Why DevOps? Devs want change Ops wants stability (no change) DevOps resolve the conflict. for devs: docker image contains the same os, same libraries, same version, same config, ... etc. for admins: host is untouched and stable Blame each other Fight each other
  • 6. Devs Heaven (not for production) docker compose can bring everything up and connect them and link them with a single command. can mount local dir inside the image (so that developer can use his/her favorite IDE). The command is docker-compose up it will read “docker-compose.yml” which might look like: mywebapp: image: mywebapp volumes: - .:/code links: - redis redis: image: redis
  • 7. Operations Heaven Having a stable host! CoreOS does not include any package manager. and does not even have python or tools installed. They have a Fedora based docker image called toolbox. You can mix and match. Some containers runs Java 6 or Java 7. Some uses CentOS 6, others 7, others ubuntu 14.04 others Fedora 22 ..etc. in the same host.
  • 8. Linking Containers docker run -d --name r1 redis docker run -d --name web --link r1:redis myweb r1 is container name redis is link alias it will update /etc/hosts and set ENVs: ● <alias>_NAME = <THIS>/<THAT> # myweb/r1 ● REDIS_PORT=<tcp|udb>://<IP>:<PORT> ● REDIS_PORT_6379_TCP_PROTO=tcp ● REDIS_PORT_6379_TCP_PORT=6379 ● REDIS_PORT_6379_TCP_ADDR=172.17.1.15
  • 9. Pets vs. Cattle vs.Ants Pets (virtualization) The VM has ● lovely distinct names ● emotions ● many highly coupled roles ● if down it’s a catastrophe Cattle (cloud) ● no names ● no emotions ● single role ● decoupled (loosely coupled) ● load-balanced ● if down other VMs take over. ● VM failure is planned and part of the process Ants (docker containers) containers are like cloud vms, no names no emotions, load balanced. A single host (might be a VM) is highly dense. The host is stable. Large group of containers are designed to fail as part of the process.
  • 10. What docker is not ● docker is not a hypervisor ○ docker is for process containers not system containers ○ example of system containers: LXD and OpenVZ ● no systemd/upstart/sysvinit in the container ○ docker is for process containers not system containers ○ just run apache, nginx, solr, whatever ○ TTYs are not needed ○ crons are not needed ● Docker is not for multi-tenant HINT: LXD is stupid way of winning a meaningless benchmark
  • 11. Docker ecosystem ● CoreOS, Atomic OS, Ubuntu Core ● Openshift (redhat PaaS) ● CloudFoundary ● Mesos / mesosphere (by Twitter and now apache) ● Google Kubernetes (scheduler containers to hosts) ● Swarm ● etcd/Fleet ● Drone ● Deis, Flynn, Rancher
  • 12. Docker golden rules by twitter@gionn: ● only one process per image ● no embedded configuration ● no sshd, no syslog, no tty ● no! you don't touch a running container to adjust things ● no! you will not use a community image
  • 13. Theory vs. Reality docker imaginary “unicorn” apps ● statically compiled (no dependencies) ● written in golang ● container ~ 10MB on real world ● interpreted application (python, php) ● system dependencies, config files, log files ● multiple processes (nginx, php- fpm) ● container image >500MB
  • 14. 12 Factor - http://12factor.net/ 1. One codebase (in git), many deploys 2. Explicitly declare and isolate dependencies 3. get config from environment or service discovery 4. Treat backing services as attached resources (Database, SMTP, S3, ..etc.) 5. Strictly separate build and run stages (no minify css/js on run stage) 6. Execute the app as one or more stateless processes (data and state are persisted elsewhere apart from the app, no need for sticky sessions) 7. Export a port (an end point to talk to) 8. Scale out via the process model 9. Disposability: Maximize robustness with fast startup and graceful shutdown 10. Keep development, staging, and production as similar as possible 11. Logs: they are flow of events written to stdout that is captured by execution env.
  • 15. 12 Factor last factor is administrative processes ● Run admin/management tasks as one-off processes ○ in django: manage.py migrate ● One-off admin processes should be run in an identical environment as the regular long-running processes of the app ● shipped from same code (same git repo) Example of 12 Factor: bedrock - a 12 factor wordpress https://roots.io/bedrock/
  • 16. 12 Factor - Factorish can be found on https://github.com/factorish/factorish example: https://github.com/factorish/factorish-elk
  • 17. Config ● confd ○ written in go (a statically linked binary) ○ input ■ env variables ■ service discovery (like etcd and consul) ■ redis ○ output ■ golang template with {{something}} ● crudini, jq ● http://gliderlabs.com/registrator/latest/user/quickstart/
  • 18. Config ● container’s entry point (“/start.sh”) calls REST API to add itslef to haproxy or anyother loadbalancer ● container’s entry point uses discovery service client (ex. etcdctl) ● something listen to docker events and send each container ENV and labels to discovery service
  • 19. Multiple Process ● supervisord ● runit ● fake systemd ○ see free-ipa docker image ○ https://github.com/adelton/docker-freeipa
  • 20. Logging/Monitoring ● ctop ● cadvisor: https://github.com/google/cadvisor ● logstash ● logspout - https://github.com/gliderlabs/logspout
  • 21. Logging/Monitoring nginx logging use “error_log /dev/stderr;” and “access_log /dev/stdout;” with daemon off. for example in supervisord [program:nginx] directory=/var/lib/nginx command=/usr/sbin/nginx -g 'daemon off;' user=root autostart=true autorestart=true redirect_stderr=false stdout_logfile=/dev/stdout stderr_logfile=/dev/stderr stdout_logfile_maxbytes=0 stderr_logfile_maxbytes=0
  • 23. Web UI ● tumtum ● cockpit-project.org ● Shipyard ● FleetUI ● CoreGI ● SUSE/Portus
  • 24. Web UI - cockpit-project
  • 25. Web UI - shipyard
  • 26. Web UI - tumtum
  • 27. Building Docker Images ● Dockerfile and “docker build -t myrepo/myapp .” ○ I have a proposal using pivot root inside dockerfile (docker build will build the build environment then use another fresh small container as target, copy build result and pivot). Docker builder is frozen but details are here ● Dockramp ○ https://github.com/jlhawn/dockramp ○ external builder written in golang ○ uses only docker api (needs new “cp” api) ○ can implement my proposal ● Atomic app / Nulecule/ openshift have their ownway ● Use Fabric/Ansible to build
  • 28. Simple Duct tape launching. Systemd @ magic. ex: have container@.service # systemctl start container@myweb [Unit] Description=Docker Container for %I After=docker.service Requires=docker.service [Service] Type=simple ExecStartPre=bash -c “/usr/bin/mkdir /var/lib/docker/vfs/dir/%i || :” ExecStartPre=/usr/bin/docker kill %i ExecStartPre=/usr/bin/docker rm %i ExecStart=/usr/bin/docker run -i --name=”%i” --env-file=/etc/sysconfig/container/%i.rc --label-file=/etc/sysconfig/container/%i.labels -v /var/lib/docker/vfs/dir/%i:/data myrepo/%i
  • 29. Seriously? Docker on production! “Docker is about running random code downloaded from the Internet and running it as root.”[1][2] -- a redhat engineer Source 1, source 2
  • 30. ● host a private docker registry (so you don’t download random code from random people on internet) ● use HTTPS and be your own certificate authority and trust it on your docker hosts ● use registry version 2 and apply ACL on images ○ URLs in v2 look /v2/<name>/blobs/<digest> ● use HTTP Basic Auth (apache/nginx) with whatever back- end you like (ex. LDAP or just plain files) ● have a Read-Only user as your “deployer” on servers ● have a build server to push images (not developers) Host your own private registry
  • 31. “Containers do not contain.” -- Dan Walsh (Redhat / SELinux) Seriously? Docker on production!
  • 32. in may 2015, a catastrophic vulnerability affected kvm/xen almost every datacenter. Fedora/RHEL/CentOS had been secure because of SELinux/sVirt (since 2009) AppArmor was a joke that is not funny. http://www.zdnet.com/article/venom-security-flaw-millions-of- virtual-machines-datacenters/ https://fedoraproject. org/wiki/Features/SVirt_Mandatory_Access_Control Docker and The next Venom? sVirt do support Docker What happens in a container stays in the container.
  • 33. ● Drop privileges as quickly as possible ● Run your services as non-root whenever possible ○ apache needs root to open port 80, but you are going to proxy the port anyway, so run it as non-root directly ● Treat root within a container as if it is root outside of the container ● do not give CAP_SYS_ADMIN to a container (it’s equivalent to host root) Recommendations
  • 34. Setting proper storage backend ● docker info | grep ‘Storage Driver’ ● possible drivers/backends: ○ aufs: a union filesystem that is so low quality that was never part of official linux kernel ○ overlay: a modern union filesystem that was accepted in kernel 4.0 (too young) ○ zfs: linux port of the well-established filesystem in solaris. the quality of the port and driver is still questionable ○ btrfs: the most featureful linux filesystem. too early to be on production ○ devicemapper (thin provisioning): well-established redhat technology (already in production ex. LVM) ● do not use loopback default config in EL (RHEL/CentOS/Fedora) ○ WARNING: No --storage-opt dm.thinpooldev specified, using loopback; this configuration is strongly discouraged for production use ● in EL edit /etc/sysconfig/docker-storage ● http://developerblog.redhat.com/2014/09/30/overview-storage-scalability-docker/ ● http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/ ● http://www.projectatomic.io/docs/docker-storage-recommendation/
  • 35. Storage backend (using script) man docker-storage-setup vim /etc/sysconfig/docker-storage-setup docker-storage-setup ● DEVS=“/dev/sdb /dev/sdc” ○ list of unpartitioned devices to be used or added ○ if you are adding more, remove old ones ○ required if VG is specified and does not exists ● VG=“<my-volume-group>” ○ set to empty to use unallocated space in root’s VG
  • 36. Storage backend (manual) pvcreate /dev/sdc vgcreate direct-lvm /dev/sdc lvcreate --wipesignatures y -n data direct-lvm -l 95%VG lvcreate --wipesignatures y -n metadata direct-lvm -l 5%VG dd if=/dev/zero of=/dev/direct-lvm/metadata bs=1M vim /etc/sysconfig/docker-storage # to add next line DOCKER_STORAGE_OPTIONS = --storage-opt dm.metadatadev=/dev/direct- lvm/metadata --storage-opt dm.datadev=/dev/direct-lvm/data systemctl restart docker
  • 37. Docker Volumes Never put data inside the container (logs, database files, ..etc.). Data should go to mounted volumes. You can mount folders or files. You can mount RW or RO. You can have a busybox container with volumes and mount all volumes of that container in another container. # docker run -d --volumes-from my_vols --name db1 training/postgres
  • 38. Everything is a child processes of a single daemon. Seriously! Seriously? Docker on production!
  • 39. Docker process model is flawed Docker daemon launches containers as attached child processes. if the daemon dies all of them will collapse in a fatal catastrophe. Moreover, docker daemon has so many moving parts. For example fetching images is done inside the daemon. Bad network while fetching an image or having an evil image might collapse all containers. https://github.com/docker/docker/issues/15328 An evil client, an evil request, an evil image, an evil contain, or an evil “inspect” template might cause docker daemon to go crazy and risk all containers.
  • 40. Docker process model is flawed CoreOS introduced more sane process model in rkt (Rocket) an alternative docker-like containers run time. RedHat contributes to both docker and rocket as both has high potential. Rkt is just a container runtime where you can run containers as non-root and without being a child to anything (ex. rely on systemd/D-Bus). Rocket is not a platform (no layers, no image registry service, .. etc.) https://github.com/coreos/rkt/ Docker might evolve to fix this, dockerlite is a shell script uses LXC and BTRFS https://github.com/docker/dockerlite For now just design your cluster to fail and use anti-affinity
  • 41. Networking. Linux Bridges, IPTables NATing, Export ports using a young proxy written in golang. Seriously! Seriously? Docker on production!
  • 42. Docker Networking now Docker uses Linux bridges which only connect within same host. Containers on host A can’t talk to container on host B! And uses NAT to talk to outside world # iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE Exported ports in docker are done via a docker proxy process (written in go). check “netstat -tulnp” Deprecated geard used to connect multiple hosts using NAT and configured each container to talk to localhost for anything (ex. talk to localhost MySQL and NAT will take it to MySQL container on another host): # iptables -t nat -A PREROUTING -d ${local_ip}/32 -p tcp -m tcp --dport ${local_port} -j DNAT --to-destination ${remote_ip}:${remote_port} # iptables -t nat -A OUTPUT -d ${local_ip}/32 -p tcp -m tcp --dport ${local_port} -j DNAT --to-destination ${remote_ip}:${remote_port} # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ${container_ip}
  • 43. Docker Networking now A Similar approach is manually hard-code and divide docker bridges on each host 172.16.X.y and where X is the host and y is the container and use NAT to deliver packets (or 172.X.y.y depending on number hosts and number of containers on each host). http://blog.sequenceiq.com/blog/2014/08/12/docker-networking/ given a remote host with IP 192.168.40.12 and its docker0 bridge with 172.17.52.0 /24, and given a host with docker0 on 172.17.51.0/24 in the later host type route add -net 172.17.52.0 netmask 255.255.255.0 gw 192.168.40.12 iptables -t nat -F POSTROUTING# or pass "--iptables=false" to docker daemon iptables -t nat -A POSTROUTING -s 172.17.51.0/24 ! -d 172.17.0.0/16 -j MASQUERADE
  • 44. Docker Networking Alternatives ● OpenVSwitch (well-established production technology) ● Flannel (young project from CoreOS written in golang) ● Weave (https://github.com/weaveworks/weave) ● Calico (https://github.com/projectcalico/calico)
  • 45. Docker Networking Alternatives OpenVSwitch: Just like a physical, this virtual switch connects different hosts. One setup would be connecting each container to OVS without bridge. “docker run --net=none” then use ovs-docker script The other setup just replace docker0 bridge with one that is connected to OVS. (no change need to be done to each container)
  • 46. Docker Networking Alternatives # ovs_vsctl add-br sw0 or /etc/sysconfig/network-scripts/ifcfg-sw0 then # ip link add veth_s type veth peer veth_c # brctl addif docker0 veth_c # ovs_vsctl add-port sw0 veth_s see /etc/sysconfig/network-scripts/ifup-ovs http://git.openvswitch.org/cgi-bin/gitweb.cgi? p=openvswitch;a=blob_plain;f=rhel/README. RHEL;hb=HEAD
  • 47. Networking the future in the feature libnetwork will allow docker to use SDN plugins. Docker acquired SocketPlane to implement this. https://github.com/docker/libnetwork https://github.com/docker/libnetwork/blob/master/ROADMAP.md
  • 48. Introducing Docker Glue ● docker-glue - modular pluggable daemon that can run handlers and scripts ● docker-balancer - a standalone daemon that just updates haproxy (a special case of glue) https://github.com/muayyad-alsadi/docker-glue autoconfigure haproxy to pass traffic to your containers uses docker labels “-l” to specify http host or url prefix # docker run -d --name wp1 -l glue_http_80_host='wp1.example.com' mywordpress/wordpress # docker run -d --name wp2 -l glue_http_80_host='wp2.example.com' mywordpress/wordpress # docker run -d --name panel -l glue_http_80_host=example.com-l glue_http_80_prefix=dashboard/ myrepo/control- panel
  • 49. Introducing Docker Glue run any thing based on docker events (test.ini) [handler] class=DockerGlue.handlers.exec.ScriptHandler events=all enabled=1 triggers-none=0 [params] script=test-handler.sh demo-option=some value # it will run test-handler.sh /path/to/test.ini <EVENT> <CONTAINER_ID>
  • 50. Introducing Docker Glue #! /bin/bash cd `dirname $0` function error() { echo "$@" exit -1 } [ $# -ne 3 ] && error "Usage `basename $0` config.ini status container_id" ini="$1" status="$2" container_id="$3" ini_demo_option=$( crudini --inplace --get $ini params demo-option 2>/dev/null || : ) echo "`date +%F` container_id=[$container_id] status=[$status] ini_demo_option=[$ini_demo_option]" >> /tmp/docker-glue-test.log
  • 51. Resources ● http://opensource.com/business/14/7/docker-security- selinux ● http://opensource.com/business/14/9/security-for- docker ● http://www.projectatomic.io/blog/2014/09/yet-another- reason-containers-don-t-contain-kernel-keyrings/ ● http://developerblog.redhat.com/2014/11/03/are- docker-containers-really-secure-opensource-com/ ● https://www.youtube.com/watch?v=0u9LqGVK-aI ● https://github.com/muayyad-alsadi/docker-glue ● http://blog.sequenceiq.com/blog/2014/08/12/docker- networking/ ● https://docs.docker.com/userguide/dockervolumes/ ● https://docs.docker.com/userguide/dockerlinks/ ● https://docs.docker.com/articles/networking/ ● https://github. com/openvswitch/ovs/blob/master/INSTALL.Docker. md ● http://radar.oreilly.com/2015/10/swarm-v-fleet-v- kubernetes-v-mesos.html
  • 52. Q & A