ITB2019 Try This At Home: Building a Personal Docker Swarm - Matt Clemente

Try This At HomeTry This At Home
Building a Personal Docker SwarmBuilding a Personal Docker Swarm
Matthew Clemente
@mjclemente
@mjclemente84
blog.mattclemente.com
@mjclemente

A Familiar StoryA Familiar Story
» Adobe ColdFusion 10 /11
» Windows Server 2008
» Microsoft IIS
» Rackspace
» FTP Deployments
» Dev Server (in basement)

Nyan Whale originally by Andrew Kennedy
Every ConferenceEvery Conference

Looking for DirectionLooking for Direction
Legacy
Infrastructure
Scriptable
Scalable
Containerized
12-Factor App
CI/CD
Microservices

Bret Fisher ResourcesBret Fisher Resources
»
»
»
»
»
»
»
»
»
BretFisher.com
Github AMA
Github Sample Swarm tools
Podcast
Docker Mastery
Docker Swarm Mastery
Docker Mastery for Node.js
Taking Docker to Production
Building Your Swarm Production Stack

Learned a LotLearned a Lot
Still don't know how to do this.
¯_(ツ)_/¯

You'll learn more onYou'll learn more on
the first day ofthe first day of
production than theproduction than the
previous two months.previous two months.
Bret Fisher, , DockerCon Europe 2017Taking Docker to Production

DoingDoing
isis
LearningLearning

All genuine learningAll genuine learning
comes throughcomes through
experience.experience.
John Dewey, Experience & Education, 1938

How do IHow do I
actuallyactually do do
this?this?
Don't tell me that it's possible without
showing me how!

GoalGoal
Learning By Doing
Concrete Examples

What This Talk Is Not:What This Talk Is Not:
» Intro to Docker
» Intro to Swarm
» Comprehensive
» "The Best Way"*

» Starting point
» Practical and concrete
» Code Samples!
» Necessarily limited
What This Talk Is:What This Talk Is:

Tooling and ServicesTooling and Services

» Structure my project?
» Minimize divergence between Dev and Prod?
» Use environment variables?
» Manage sensitive information?
» Use a private image registry?
» Tag images properly?
» Add Lucee extensions?
» Conﬁgure CI/CD for deployment?
» Monitor with FusionReactor?
» Handle sessions?
» File a tax extension?
How Do I...How Do I...

It can be doneIt can be done
_ಠ_ಠ

Begin with the endBegin with the end
in mind.in mind.
Stephen Covey, The 7 Habits of Highly Eﬀective People, 1989

https://gitlab.com/mjclemente/apimashupcfmlswarm/

https://gitlab.com/mjclemente/starterswarmcfml

Project StructureProject Structure
.
├── .env
├── .gitlab-ci.yml
├── .secrets
│   ├── cfml.admin.password.dev
│   └── cfml.admin.password.v1
├── app
│   ├── .CFConfig.json
│   ├── box.json
│   ├── server.json
│   └── wwwroot
│   └── index.cfm
├── build
│   ├── cfml
│   │   ├── Dockerfile
│   │   └── config
│   │   └── extensions
│   │   └── extension-loganalyzer-2.3.2.16.lex
│   └── deploy-secrets.sh
├── docker-compose.override.yml
├── docker-compose.prod.yml
└── docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
├── .env
├── .secrets
│   ├── cfml.admin.password.dev
.1
2
├── .gitlab-ci.yml3
4
5
6
├── app7
│   ├── .CFConfig.json8
│   ├── box.json9
│   ├── server.json10
│   └── wwwroot11
│   └── index.cfm12
├── build13
│   ├── cfml14
│   │   ├── Dockerfile15
│   │   └── config16
│   │   └── extensions17
│   │   └── extension-loganalyzer-2.3.2.16.lex18
│   └── deploy-secrets.sh19
├── docker-compose.override.yml20
├── docker-compose.prod.yml21
└── docker-compose.yml22
├── .gitlab-ci.yml
.1
├── .env2
3
├── .secrets4
│   ├── cfml.admin.password.dev5
├── app7
├── build13
│   ├── cfml14
│   │   └── config16
├── app
│   ├── .CFConfig.json
│   ├── box.json
│   ├── server.json
│   └── wwwroot
│   └── index.cfm
.1
├── .env2
├── .secrets4
7
8
9
10
11
12
├── build13
│   ├── cfml14
│   │   └── config16
├── build
│   ├── cfml
│   │   ├── Dockerfile
│   │   └── config
│   │   └── extensions
│   │   └── extension-loganalyzer-2.3.2.16.lex
│   └── deploy-secrets.sh
.1
├── .env2
├── .secrets4
├── app7
13
14
15
16
17
18
19
.1
├── .env2
├── .secrets4
├── app7
├── build13
│   ├── cfml14
│   │   └── config16
20
21
22
https://gitlab.com/mjclemente/starterswarmcfml

Sharing ConfigurationSharing Configuration
.
1
2
3
4
.1
2
4
.1
3
4
Understanding Multiple Compose Files
Bret Fisher AMA on dockercompose.override.yml
$ docker-compose up
Minimize Divergence Between Dev and ProdMinimize Divergence Between Dev and Prod

Sharing ConfigurationSharing Configuration
$ docker-compose
-f docker-compose.yml
-f docker-compose.prod.yml
up
# Works if not dependent on Swarm features
1
2
3
4
5
$ docker-compose 1
-f docker-compose.yml 2
3
up4
# Works if not dependent on Swarm features5
$ docker-compose 1
2
-f docker-compose.prod.yml 3
up4
$ docker-compose 1
2
3
up4
$ docker-compose
up
# Works if not dependent on Swarm features
1
2
3
4
5
docker stack deploy
-c docker-compose.yml
-c docker-compose.prod.yml
test
# For Swarm deployments
1
2
3
4
5
docker stack deploy 1
-c docker-compose.yml 2
3
test4
# For Swarm deployments5
2
-c docker-compose.prod.yml 3
test4
2
3
test4
docker stack deploy
test
# For Swarm deployments
1
2
3
4
5
Minimize Divergence Between Dev and ProdMinimize Divergence Between Dev and Prod

version: "3.7"
services:
cfml:
image: "registry.gitlab.com/${CI_PROJE
build:
context: .
dockerfile: ./build/cfml/Dockerfile
environment:
PORT: 8080
SSL_PORT: 8443
cfconfigfile: .CFConfig.json
cfconfig_inspectTemplate: never
secrets:
- source: cfml.admin.password
target: cfml.admin.password
ports:
- target: 8080
published: 80
- target: 8443
published: 443
networks:
internal:
driver: overlay
secrets:
cfml.admin.password:
external: true
name: cfml.admin.password.v1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
version: "3.7"1
2
services:3
cfml:4
image: "registry.gitlab.com/${CI_PROJE5
build:6
context: .7
dockerfile: ./build/cfml/Dockerfile8
environment:9
PORT: 808010
SSL_PORT: 844311
cfconfigfile: .CFConfig.json12
13
secrets:14
- source: cfml.admin.password15
target: cfml.admin.password16
ports:17
- target: 808018
published: 8019
- target: 844320
published: 44321
22
networks:23
internal:24
driver: overlay25
26
secrets:27
cfml.admin.password:28
external: true29
networks:
internal:
driver: overlay
version: "3.7"1
2
services:3
cfml:4
build:6
context: .7
environment:9
PORT: 808010
SSL_PORT: 844311
cfconfig_inspectTemplate: never13
secrets:14
ports:17
- target: 808018
published: 8019
- target: 844320
published: 44321
22
23
24
25
26
secrets:27
external: true29
secrets:
external: true
version: "3.7"1
2
services:3
cfml:4
build:6
context: .7
environment:9
PORT: 808010
SSL_PORT: 844311
secrets:14
ports:17
- target: 808018
published: 8019
- target: 844320
published: 44321
22
networks:23
internal:24
driver: overlay25
26
27
28
29
30
version: "3.7"
services:
cfml:
volumes:
- ./app:/app
environment:
cfconfig_inspectTemplate: always
ports:
- target: 8080
published: 8080
- target: 8443
published: 8443
networks:
internal:
driver: bridge
secrets:
external: false
file: ./.secrets/cfml.admin.password.dev
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
cfconfig_inspectTemplate: always
version: "3.7"1
2
services:3
cfml:4
volumes:5
- ./app:/app6
environment:7
8
ports:9
- target: 808010
published: 808011
- target: 844312
published: 844313
14
networks:15
internal:16
driver: bridge17
18
secrets:19
external: false21
file: ./.secrets/cfml.admin.password.dev22
networks:
internal:
driver: bridge
version: "3.7"1
2
services:3
cfml:4
volumes:5
- ./app:/app6
environment:7
cfconfig_inspectTemplate: always8
ports:9
- target: 808010
published: 808011
- target: 844312
published: 844313
14
15
16
17
18
secrets:19
external: false21
file: ./.secrets/cfml.admin.password.dev22
secrets:
external: false
version: "3.7"1
2
services:3
cfml:4
volumes:5
- ./app:/app6
environment:7
cfconfig_inspectTemplate: always8
ports:9
- target: 808010
published: 808011
- target: 844312
published: 844313
14
networks:15
internal:16
driver: bridge17
18
19
20
21
22
dockercompose.override.ymldockercompose.yml

the last slidethe last slide
was awas a lielie

The real worldThe real world
doesn't look likedoesn't look like
demos.demos.
┻━┻︵(°□°)/ ︵┻━┻

https://github.com/mjclemente/doswarmcreate

Swarm CreationSwarm Creation
doctl
# Create Docker Droplet
doctl compute droplet create test
--size 1gb
--image docker-18-04
--region nyc1
# List Droplets
doctl compute droplet list
#Delete a Droplet
doctl compute droplet delete 123456
#List SSH Key Ids and Names
doctl compute droplet list --format "ID,Name"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
(Official DigitalOcean CommandLine Client)

Swarm CreationSwarm Creation
Swarm Creation Script for DigitalOcean

Swarm InitializedSwarm Initialized

https://12factor.net/config
https://github.com/OrtusSolutions/dockercommandbox#environmentvariables
https://docs.docker.com/compose/environmentvariables/
Environment VariablesEnvironment Variables
» Environment for conﬁguration
» Modular and easy to change
» Managed in .env ﬁle

.env
CI_PROJECT_NAMESPACE=mjclemente
OTHER_SETTING=
FOO=bar
1
2
3
https://direnv.net/

${Env} in Compose${Env} in Compose
image:
"registry.gitlab.com/${CI_PROJECT_NAMESPACE}/starter-swarm-
cfml/cfml:${BUILD_TAG:-latest}"
version: "3.7"1
2
services:3
cfml:4
5
build:6
context: .7
environment:9
PORT: 808010
SSL_PORT: 844311
CF_ADMINPASSWORD: <<SECRET:cfml.admin.password>>14
secrets:15
environment:
PORT: 8080
SSL_PORT: 8443
CF_ADMINPASSWORD: <<SECRET:cfml.admin.password>>
version: "3.7"1
2
services:3
cfml:4
image:
"registry.gitlab.com/${CI_PROJECT_NAMESPACE}/starter-swarm-
cfml/cfml:${BUILD_TAG:-latest}"
5
build:6
context: .7
9
10
11
12
13
14
secrets:15

${Env} in CFConfig.json${Env} in CFConfig.json
"adminPassword":"${CF_ADMINPASSWORD}",
{1
2
"applicationListener":"modern",3
"applicationMode":"curr2root",4
"applicationTimeout":"1,0,0,0",5
"cacheDefaultFile":"",6
"cacheDefaultFunction":"",7
"cacheDefaultHTTP":"",8
"cacheDefaultInclude":"",9
"cacheDefaultObject":"object",10
"cacheDefaultQuery":"",11
"cacheDefaultResource":"",12
"cacheDefaultTemplate":"",13
"cacheDefaultWebservice":"",14
"caches":{},15
"CGIReadOnly":"true",16
"clientCookies":"true",17
(Same behavior in server.json)

Env variables prone to leakEnv variables prone to leak

Docker Swarm SecretsDocker Swarm Secrets
» Immutable by design
» Account for rotation
» Account for Dev and Production
» Team conventions are essential
https://docs.docker.com/engine/swarm/secrets/
https://docs.docker.com/compose/composefile/#secrets

secrets:
external: true
secrets:
external: false
dockercompose.override.ymldockercompose.yml
version: "3.7"
services:
cfml:
...
environment:
PORT: 8080
SSL_PORT: 8443
CF_ADMINPASSWORD: <<SECRET:cfml.admin.password>>
secrets:
- source: cfml.admin.password
target: cfml.admin.password

( ••)( ••)
( ••)>⌐■-■( ••)>⌐■-■
(⌐■_■) #Secrets!(⌐■_■) #Secrets!
https://gitlab.com/mjclemente/starterswarmcfml/blob/master/build/deploysecrets.sh

CI/CD with Gitlab RunnersCI/CD with Gitlab Runners
» Conﬁgured via .gitlab-ci.yml
» Run automagically
» Multiple types of runners
» Use a dedicated SSH Key
https://docs.gitlab.com/ee/ci/quick_start/

https://gitlab.com/mjclemente/starterswarmcfml/blob/master/.gitlabci.yml
₍₍ ᕕ( ಠ‿ಠ)ᕗ

.gitlabci.yml
» File containing all deﬁnitions of how
your project should be built
https://docs.gitlab.com/ee/ci/yaml/

before_script:
before_script:
## We're gonna log into the gitlab registry, as that's where
these images are stored
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN
registry.gitlab.com
## Git needed to get the date from the commit sha
- apk add git
## So we can see what's going on in the logs
- docker info
## setup environment variables
- [configuration continues]
1
2
3
4
5
6
7
8
9
registry.gitlab.com
before_script:1
2
3
## Git needed to get the date from the commit sha4
- apk add git5
## So we can see what's going on in the logs6
- docker info7
## setup environment variables8
- [configuration continues]9
- apk add git
before_script:1
2
registry.gitlab.com
3
## Git needed to get the date from the commit sha4
5
## So we can see what's going on in the logs6
- docker info7
## setup environment variables8
- [configuration continues]9
before_script:
registry.gitlab.com
## Git needed to get the date from the commit sha
- apk add git
## So we can see what's going on in the logs
- docker info
## setup environment variables
- [configuration continues]
1
2
3
4
5
6
7
8
9
Getting everything set up
.gitlabci.yml
https://docs.gitlab.com/ee/ci/yaml/#before_scriptandafter_script

Tagging Custom ImagesTagging Custom Images
» Don't just use "latest"
» Combination of date and commit
before_script:
- export COMMIT_TIME=$(git show -s --format=%ci $CI_COMMIT_SHA)
- export COMMIT_TIME_SHORT=$(echo $COMMIT_TIME | head -c10)
- export BUILD_TAG="${COMMIT_TIME_SHORT}_$CI_COMMIT_SHORT_SHA"
1
- [earlier configuration]2
## Use git `show` with --format=%ci to get ISO 8601 date3
4
## Use first 10 characters of the datetime (ie: 2019-03-19)5
6
7
- export COMMIT_TIME=$(git show -s --format=%ci $CI_COMMIT_SHA)
before_script:1
4
- export COMMIT_TIME_SHORT=$(echo $COMMIT_TIME | head -c10)6
- export BUILD_TAG="${COMMIT_TIME_SHORT}_$CI_COMMIT_SHORT_SHA"7
- export COMMIT_TIME_SHORT=$(echo $COMMIT_TIME | head -c10)
before_script:1
- export COMMIT_TIME=$(git show -s --format=%ci $CI_COMMIT_SHA)4
6
- export BUILD_TAG="${COMMIT_TIME_SHORT}_$CI_COMMIT_SHORT_SHA"7 - export BUILD_TAG="${COMMIT_TIME_SHORT}_$CI_COMMIT_SHORT_SHA"
before_script:1
- export COMMIT_TIME=$(git show -s --format=%ci $CI_COMMIT_SHA)4
- export COMMIT_TIME_SHORT=$(echo $COMMIT_TIME | head -c10)6
7
.gitlabci.yml

Control Pipeline StagesControl Pipeline Stages
deploy:
stage: deploy
only:
- deploy
except:
variables:
- $CI_COMMIT_MESSAGE =~ /Initial commit/i
- $CI_COMMIT_MESSAGE =~ /skip deploy/i
- $CI_COMMIT_MESSAGE =~ /don't deploy/i
https://docs.gitlab.com/ee/ci/yaml/#onlyexceptbasic
.gitlabci.yml

Building Custom ImagesBuilding Custom Images
build:
stage: build
only:
- deploy
script:
## Build the image, with the build tag and the latest tag
- docker build --tag $CONTAINER_IMAGE:$BUILD_TAG --tag
$CONTAINER_IMAGE:latest -f ./build/cfml/Dockerfile .
## List images, so we can confirm success
- docker image ls
## Push with the build tag
- docker push $CONTAINER_IMAGE:$BUILD_TAG
## Push with latest
- docker push $CONTAINER_IMAGE:latest
.gitlabci.yml

Stack DeploymentStack Deployment

Stack DeploymentStack Deployment
deploy:
stage: deploy
script:
- [a lot of SSH related config]
## Enable SSH functionality made possible in 18.0.9 to switch
our context to the remote server
- export DOCKER_HOST=ssh://root@${HOST_IP}
## Deploy the stack - registry auth is for gitlab
- docker stack deploy -c docker-compose.yml -c docker-
compose.prod.yml basetest --with-registry-auth
.gitlabci.yml

» Swarm's missing UI
» Conﬁguration and management
» Separate from application stack
PortainerPortainer

»
»
»
Hybrid license
Easy installation (ForgeBox)
Some manual conﬁguration
FusionReactor (Cloud)FusionReactor (Cloud)

» Required in multi-node Swarms
» Free options
» Provided via (beta) Lucee Extensions
» Paid options are superior
Sessions and CachingSessions and Caching
https://blog.mattclemente.com/2018/08/17/installluceeextensionsoncommandboxdockercontainers.html

SSLSSL
https://blog.filippo.io/mkcertvalidhttpscertificatesforlocalhost/
https://letsencrypt.org/docs/certificatesforlocalhost/
mkcert
(Zeroconfig tool to make locally trusted development certificates)
+

All things areAll things are
difficult before theydifficult before they
are easy.are easy.
Dr. Thomas Fuller, Gnomologia, 1732

ITB2019 Try This At Home: Building a Personal Docker Swarm - Matt Clemente

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to ITB2019 Try This At Home: Building a Personal Docker Swarm - Matt Clemente

Similar to ITB2019 Try This At Home: Building a Personal Docker Swarm - Matt Clemente (20)

More from Ortus Solutions, Corp

More from Ortus Solutions, Corp (20)

Recently uploaded

Recently uploaded (20)

ITB2019 Try This At Home: Building a Personal Docker Swarm - Matt Clemente