Containerize Everything!
@oscarrenalias
github.com/oscarrenalias
www.linkedin.com/oscarrenalias
www.slideshare.net/oscarrenalias
This is going to be opinionated
Old-fashioned clients can run containers too!
Architecture
Architecture diagram: nginx; Tomcat (four instances); PostgreSQL, Solr
Architecture services
Rundeck
Yum repo & mirror
Reverse proxy
Docker Registry
Why containerize everything?
Simplified packaging, deployment and execution
Flexibly provision components on inflexible infrastructure
Better resource utilization
Anyone can have a production-like environment on their local workstation…
…or any other server
Our container principles
One single logical service per container
Containers are cattle, not pets
No SSH in containers
Try not to persist state in the container
Containers are independent (and unaware!) of where they’re running
Host port forwarding for network communication
Container hierarchies
Diagram: centos:6 → base → java → tomcat → service; nginx, postgres; frontend, database, Infra 1 … Infra N
Building containers
Building containers automatically
Publish artifacts
Integration Test
Build & unit test
Testing containers
Container under test
Test container:
• Ruby
• ServerSpec
• ServerSpec tests
FROM …
Testing containers
Container under test
Test container
Storing containers
Registry 2.0
Deploying and running containers
Registry
Container host
Build & Publish
Pull
docker run
supervisor is your friend, if you need it
Application and container configuration
Application container
confd
Host
Application and container configuration
Application (container)
Application configuration
Run containers with their own user
USER <user>
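To show how the principles above (one service per container, no SSH, no state, host port forwarding, confd-rendered configuration, a dedicated user) fit together, here is an added Dockerfile for the "service" layer of the hierarchy in the slides. It is not from the talk; the internal tomcat base image, the app user, the paths and the WAR name are assumptions.

```dockerfile
# Added example, not from the talk: the "service" image of the hierarchy
# centos:6 -> base -> java -> tomcat -> service. The tomcat image, paths
# and user name are assumptions.
FROM tomcat

# One logical service per container: only the application WAR goes in.
COPY target/app.war /opt/tomcat/webapps/app.war

# Configuration is rendered by confd at start-up from the environment,
# so the same image runs unchanged on any host (no baked-in settings).
COPY confd/ /etc/confd/

# No SSH daemon, no supervisor: the Tomcat process *is* the container.
# Create an unprivileged user and hand it only what it needs.
RUN groupadd -r app && useradd -r -g app -d /opt/tomcat app \
 && chown -R app:app /opt/tomcat /etc/confd
USER app

# Host port forwarding: the host maps this port with `docker run -p`.
EXPOSE 8080

# Render config once, then exec Tomcat so it becomes PID 1 and receives
# signals directly.
CMD ["/bin/sh", "-c", "confd -onetime -backend env && exec /opt/tomcat/bin/catalina.sh run"]
```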
Keeping containers up-to-date
Diagram: centos:6 → base → java → tomcat → service; nginx, postgres; frontend, database, Infra 1 … Infra N
OpenSSL Bug!
Diagram (the same hierarchy, rebuilt from base downwards): base → java → tomcat → service; nginx, postgres; frontend, database, Infra 1 … Infra N
Be mindful of SELinux
Operating containers
Container state
Real world: don’t keep it in the container if you can avoid it
Ideal world: containers don’t have state
vs
Logging
• Write to host (and use external aggregator)
• Log to standard output (< 1.6)
• Standard output + syslog logging driver (>= 1.6)
Monitoring
Container processes are just like any other process and service – use existing tools
The darker side of Docker
Immutable containers are fun… until there’s an urgent security update
Docker will keep evolving
Sooner or later you will be bitten by a weird interaction between Docker, the kernel, PAM or SELinux/AppArmor and a container
No version pinning in the registry: “centos:6, is that you? You looked different yesterday!”
Docker security needs attention from implementers
https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.100
Our lessons learned
Docker as a container engine *is* ready for production workloads
Docker works well as a convenient way of packaging, deploying and running applications
Containerizing everything does give you more flexibility…
…but be pragmatic
Dockerfiles are all you could possibly need to build containers
Start small – containerizing everything is a fair goal but takes time