DockerCon - The missing piece: when Docker networking unleashes software architecture 2.0
Transcript of DockerCon - The missing piece: when Docker networking unleashes software architecture 2.0
The missing piece: when Docker networking unleashes software architecture 2.0
A. Blind, DevOps coach, Societe Generale, @adrienblind
L. Grangeau, Solutions architect, Finaxys, @laurentgrangeau
Agenda
1 - Appetizer: Back on current Docker paradigms
2 - Starters: Docker networking & volume features discovered
3 - Main course: Application architecture shifts
4 - Dessert: Taste-an-app
Back on current Docker paradigms
Back on Docker paradigms
"A universal, self-sufficient and standard artifact embedding an app module, and its subsequent infrastructure configuration"
Immutable
Versioned
Light
Portable
Disposable
Programmatic
Social
Incremental
It's mainly focused on enclosing computing capabilities: what about storage? Network?
Networking & volume features discovered
Docker networking: the Container Network Model (CNM)
Figure: three Docker containers, each with its own network sandbox holding one or more endpoints; the endpoints attach the sandboxes to a front network and a back network, one of the containers having an endpoint on each.
Docker networking
$ docker network create mynetwork
5000dec7c180a63d87031de7e6bfcf2b25cf1e5daef6338f16fbd4451210a938
$ docker network create -d overlay multihostnetwork
e6537b859359843bc02392245ab226070f79dbf87be2d492969c843f89fb6de6
Docker networking
$ docker network inspect mynetwork
[
    {
        "Name": "mynetwork",
        "Id": "5000dec7c180a63d87031de7e6bfcf2b25cf1e5daef6338f16fbd4451210a938",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {},
        "Options": {}
    }
]
Docker networking
Figure: several hosts, with multiple SDNs (SDN 1, SDN 2, SDN 3) spanning across them.
Docker networking
Docker Compose evolved to embrace the new networking features:
$ docker-compose --x-networking --x-network-driver=overlay up
$ docker-compose up
Docker volumes
Docker volumes
Figure: two hosts, each with its own host file system.
"Former data management locked in a host"
Docker volumes
Figure: a container on a host file system mounting a volume.
"Containers mount a volume which may be backed externally"
Docker volumes
$ docker volume create -d volplugin --name pool/name
cf872ca21d27843f6b6319ac1a34390dd38d94ed4649cd985456d523fb05d4cc
$ docker run -d -p 8080:8080 -v pool/name:/var/jenkins_home jenkins
96aec6f4e45e050dfb4f75a1009e7f105bced5b406752e62d470615d07348b07
Docker volumes
$ docker volume ls
DRIVER              VOLUME NAME
local               cf872ca21d27843f6b6319ac1a34390…
local               f19f50251f48c64a6b33a5c637c2330…

$ docker volume inspect cf872ca21d27843f6b6319ac1a34390dd38d94…
[
    {
        "Name": "cf872ca21d27843f6b6319ac1a34390dd38d94…",
        "Driver": "local",
        "Mountpoint": "/mnt/sda1/var/lib/docker/volumes/[…]/_data"
    }
]
Take-away
Docker building blocks
The building blocks, as the deck adds them one slide at a time, all serving the Application:
Compute (Run containers)
Storage (Volumes)
"Immutability of containers, resiliency & scalability led to data externalization in separate objects"
Transport (Network)
"Fine-granularity of containers led to closely interconnect them"
Topology (Compose)
"The whole topology can now be described"
CaaS platform (Swarm, Machine...)
"Docker finally shifted to object-oriented infra. architecture"
Application architecture shifts
Security paradigms shifts
Your IT opens up
• Externalization (housing, hosting)
• Cloud (IaaS/PaaS/SaaS)
Open up your IS
• B2B, exposing services
• Multi-tenancy
More and more breaches appear in your Great Wall of China!
Security paradigms shifts
The necessary porosity of your IS requires sticking security closer to each application: sandbox your apps and expose protected interfaces!
• Network is part of the application topology
• Security is an app topic, not just an infra. concern
• Onboard security in feature teams: SecDevOps
Network paradigms shifts
Figure: physical overview (racks of VMs, Internet, DMZ) versus logical overview (Internet, Tenant#1 and Tenant#2, each with its own LAN and its own DMZ: DMZ1, DMZ2).
Traditional networks rely a lot on low layers (L2, etc.)
Application topologies are quite different from physical ones
Network paradigms shifts
SDNs propose network solutions embracing cloud paradigms:
• Massively multi-tenant: thousands of tenants, massively scalable
• Easy & fast (de)provisioning: infra as code, API centric
• Infrastructure agnostic: L3, does not stick with lower levels (physical designs, VLANs & co); decouples infrastructure & tenant lifecycles; cross technology, vendor agnostic
From Enterprise Service Buses to full-mesh topologies
Figure: an Enterprise Service Bus (ESB) with services attached to the bus, versus micro services connected in a full mesh.
Micro services
Fine-grained, highly decoupled and atomic, purpose-centric services:
• Designed for failure
• Multi-versioned
• Scalable
• Stateless
• Share-nothing
• Immutable
• Continuously delivered
• Distributed
Micro services
Leverage a service registry to discover where services are located
Figure: 1. the service provider publishes itself in the registry; 2. the service consumer finds the provider through the registry; 3. the consumer binds to the provider.
Resilience & scalability: apps problem now!
• Vertical > horizontal
• Apps designed for failure & scalability. Helpful patterns: stateless, multi-versioning, loose coupling...
• Data to be externalized. Structured: MongoDB, Hadoop, Cassandra, Elasticsearch... Binaries: object storage with Ceph, OpenStack Swift...
• Dumber infrastructure. Infrastructure rationalization: low-cost, poor-SLA commodity
Organization
« Organizations which design systems... are constrained to produce designs which are copies of the communication structures of these organizations ». - M. Conway, 1968
Consider shifting your organization if you wish to shift your architecture
Forget about the central architects' myth of organizing and integrating everything
Consider changing your organization to expect changing the architecture! Promote feature teams
Docker suits new application challenges perfectly
• Create Docker networks to isolate applications
• Docker container properties fit micro-services challenges
• Resilience & scalability is mostly about multiplying containers
• Expect to discuss role shifts in the organization
Taste-an-app
Execution platform
Docker Machine, Docker Swarm, Registry
The registrator discovers new containers and feeds the registry
Application design
Provider micro service and consumers: the Python app module exposes a REST service searching information in MongoDB. The NGINX reverse proxy forwards app requests to one of the Python instances registered in Consul (it finds them through the registry).
Application topology & runtime
The whole application topology is stored as:
• the docker-compose YAML file
• the docker-compose args (aka --x-networking & --x-network-driver)
You can scale the Python instances of the micro-service up or down using the traditional docker-compose scale command
Network view
Only the load balancer VIP is exposed externally; a WAF instance could secure this entrypoint
Figure: the host network, with the SDN « dockerconeu15 » carrying both the consumers and the provider micro service.
Network view - advanced
"To enhance security you may decouple each application tier"
Figure: the consumers and the provider micro service split over front, middle and back tiers, carried by the SDN « front » and the SDN « back » above the host network.
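The tier split above and the `docker network inspect` output shown earlier for `mynetwork` can be turned into a check that runs against a live host. The following Python script is an added example, not code from the talk: it reads the JSON that `docker network inspect front back` and `docker inspect` emit and verifies the assumed policy that the proxy sits only on the front network, the Python micro-service bridges front and back, MongoDB stays on the back network, and only the load balancer publishes a port on the host network. The network and container names, IDs, addresses and the POLICY table are constructed assumptions, and the sample deliberately contains two misconfigurations for the check to catch.

```python
"""Segmentation check for a Docker application topology, driven by the JSON that
`docker network inspect` and `docker inspect` emit. Added example, not code from the
talk; every sample below is constructed to mirror the talk's front/back split."""
import json

# Constructed sample of `docker network inspect front back` (IDs are placeholders).
# nginx_1 deliberately also sits on "back": a misconfiguration the check must catch.
NETWORK_INSPECT = json.dumps([
    {"Name": "front", "Id": "aaaa0000", "Scope": "global", "Driver": "overlay",
     "Containers": {
         "c1": {"Name": "nginx_1", "IPv4Address": "10.0.1.2/24"},
         "c2": {"Name": "app_1", "IPv4Address": "10.0.1.3/24"},
         "c3": {"Name": "app_2", "IPv4Address": "10.0.1.4/24"}}},
    {"Name": "back", "Id": "bbbb0000", "Scope": "global", "Driver": "overlay",
     "Containers": {
         "c1": {"Name": "nginx_1", "IPv4Address": "10.0.2.2/24"},
         "c2": {"Name": "app_1", "IPv4Address": "10.0.2.3/24"},
         "c3": {"Name": "app_2", "IPv4Address": "10.0.2.4/24"},
         "c4": {"Name": "mongo_1", "IPv4Address": "10.0.2.5/24"}}},
])

# Constructed sample of the HostConfig.PortBindings part of `docker inspect`.
# mongo_1 deliberately publishes 27017 on the host: the second misconfiguration.
CONTAINER_INSPECT = json.dumps([
    {"Name": "/nginx_1", "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
    {"Name": "/app_1", "HostConfig": {"PortBindings": {}}},
    {"Name": "/app_2", "HostConfig": {"PortBindings": {}}},
    {"Name": "/mongo_1", "HostConfig": {"PortBindings": {"27017/tcp": [{"HostIp": "", "HostPort": "27017"}]}}},
])

# Assumed policy: which networks each service (compose-style name prefix) may join,
# and whether it may publish ports on the host network.
POLICY = {
    "nginx": ({"front"}, True),           # the load balancer: the only exposed entrypoint
    "app":   ({"front", "back"}, False),  # the Python micro-service bridges both tiers
    "mongo": ({"back"}, False),           # the database never leaves the back network
}


def memberships(network_inspect_json):
    """Container name -> set of network names, from `docker network inspect` output."""
    member = {}
    for net in json.loads(network_inspect_json):
        for endpoint in net.get("Containers", {}).values():
            member.setdefault(endpoint["Name"], set()).add(net["Name"])
    return member


def published_ports(container_inspect_json):
    """Container name -> sorted 'hostport->containerport' strings reaching the host network."""
    ports = {}
    for container in json.loads(container_inspect_json):
        name = container["Name"].lstrip("/")
        bindings = container["HostConfig"].get("PortBindings") or {}
        ports[name] = sorted(f"{b['HostPort']}->{cport}"
                             for cport, blist in bindings.items() for b in (blist or []))
    return ports


def service_of(container_name):
    """Strip the compose instance suffix: 'app_2' -> 'app'."""
    return container_name.rsplit("_", 1)[0]


def check_topology(network_inspect_json, container_inspect_json, policy=POLICY):
    """Return the policy violations ordered by container name; empty means the split holds."""
    violations = []
    member = memberships(network_inspect_json)
    ports = published_ports(container_inspect_json)
    for name in sorted(set(member) | set(ports)):
        service = service_of(name)
        if service not in policy:
            violations.append(f"{name}: no policy for service '{service}'")
            continue
        allowed, may_publish = policy[service]
        extra = member.get(name, set()) - allowed
        if extra:
            violations.append(f"{name}: attached to unexpected network(s) {sorted(extra)}")
        if ports.get(name) and not may_publish:
            violations.append(f"{name}: publishes {ports[name]} on the host network")
    return violations


if __name__ == "__main__":
    for line in check_topology(NETWORK_INSPECT, CONTAINER_INSPECT) or ["topology OK"]:
        print(line)
```

On a real host the two JSON strings would come from `docker network inspect front back` and `docker inspect $(docker ps -q)`; the check reports the proxy that joined the back network and the database that published its port, which are exactly the two things the front/back split is meant to prevent.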
Zoom on the registry usages
• Between micro-services, consumers ask the registry where a desired micro-service is located
• Inside a micro-service, NGINX is made aware of the available backend API instances via the registry
• At container level, the registrator registers any container instance, grouped per type
• At infrastructure level, the registry is used by Swarm (internally) to be aware of the cluster's participants
Noticed the different usages of a registry? You may consider using a different registry for each usage: for example an internal registry for the micro service's internal topology
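The publish/find/bind cycle of the service registry slide and the first two registry usages above (consumers asking where a micro-service lives, NGINX being told which backend instances exist) fit in one Python example. This is added code, not code from the talk, from Consul or from the registrator: an in-memory `Registry` stands in for Consul, `registrator_event` stands in for what the registrator does when a container starts or dies, and `render_upstream` produces the NGINX `upstream` block a consul-template-style tool would write from the registry's view. The service names, addresses and the event format are constructed assumptions.

```python
"""Publish / find / bind through a service registry, and the NGINX upstream block derived
from it. Added example; Registry is a stand-in for Consul and registrator_event for the
registrator. All names, addresses and events below are constructed."""
import random


class Registry:
    """Minimal in-memory service registry keyed by service name (stand-in for Consul)."""

    def __init__(self):
        self._services = {}  # service name -> {instance_id: (host, port)}

    def publish(self, service, instance_id, host, port):
        """Step 1 of the slide: a provider instance publishes where it can be reached."""
        self._services.setdefault(service, {})[instance_id] = (host, port)

    def deregister(self, service, instance_id):
        """Remove one instance; unknown ids are ignored so repeated die events are harmless."""
        self._services.get(service, {}).pop(instance_id, None)

    def find(self, service):
        """Step 2: return the registered (host, port) pairs, sorted for determinism."""
        return sorted(self._services.get(service, {}).values())


def bind(registry, service, rng=random):
    """Step 3, consumer side: pick one live instance (client-side load balancing).
    Raises LookupError when nothing is registered so the caller fails fast instead of hanging."""
    instances = registry.find(service)
    if not instances:
        raise LookupError(f"no instance of '{service}' registered")
    return rng.choice(instances)


def render_upstream(registry, service, upstream_name):
    """The NGINX upstream block a consul-template-style tool would write for a service."""
    lines = [f"upstream {upstream_name} {{"]
    for host, port in registry.find(service):
        lines.append(f"    server {host}:{port};")
    lines.append("}")
    return "\n".join(lines)


def registrator_event(registry, event, container):
    """What the registrator does on a container lifecycle event (constructed event format:
    container = {"id": ..., "service": ..., "ip": ..., "port": ...})."""
    if event == "start":
        registry.publish(container["service"], container["id"], container["ip"], container["port"])
    elif event == "die":
        registry.deregister(container["service"], container["id"])
    else:
        raise ValueError(f"unknown event {event!r}")


def demo():
    """Scale the Python app to three instances, lose one, and show NGINX's view before/after."""
    reg = Registry()
    # Constructed events: `docker-compose scale app=3` brings three Python instances up.
    for i, ip in enumerate(["10.0.2.3", "10.0.2.4", "10.0.2.5"], start=1):
        registrator_event(reg, "start", {"id": f"app_{i}", "service": "app", "ip": ip, "port": 5000})
    registrator_event(reg, "start", {"id": "mongo_1", "service": "mongo", "ip": "10.0.2.10", "port": 27017})
    before = render_upstream(reg, "app", "python_app")
    registrator_event(reg, "die", {"id": "app_2", "service": "app"})  # one instance dies
    after = render_upstream(reg, "app", "python_app")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(before)
    print("--- after app_2 died ---")
    print(after)
```

Because `render_upstream` only ever reads what the registry currently holds, an instance drops out of the upstream block as soon as its die event is processed, which is what makes scaling the Python instances down safe for the proxy. Keeping this internal registry separate from the one Swarm uses, as the slide suggests, also keeps a wrong registration in one micro-service from affecting the cluster's own view of its members.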
Conclusions
Docker shifted from universal containers to object-oriented infrastructure
Security is an app concern
Software is eating the world: application architecture is the key, infrastructure is commodity