Dockers zero to hero
Uploaded by nicolas-de-loof. Category: Engineering.
Transcript of Dockers zero to hero
![Page 1: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/1.jpg)
@ndeloof
![Page 2: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/2.jpg)
![Page 3: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/3.jpg)
![Page 4: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/4.jpg)
Who are you?!
✓ Dev
✓ Integration/Test
✓ Acceptance / Qualif
✓ Sysadmin / Ops
![Page 5: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/5.jpg)
level 0
![Page 6: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/6.jpg)
DEV
✓ Exact reproduction of the target environment
![Page 7: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/7.jpg)
Not on Linux?
![Page 8: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/8.jpg)
DEV
✓ Quickly get third-party tools up and running
![Page 9: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/9.jpg)
level 1
![Page 10: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/10.jpg)
Test
✓ Define build / test infra in your SCM
![Page 11: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/11.jpg)
QA
✓ Quickly get a low-cost iso-production environment
![Page 12: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/12.jpg)
level 2
![Page 13: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/13.jpg)
Dev/Ops
A WAR archive is NOT what a sysadmin expects as a delivery!
![Page 14: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/14.jpg)
best DevOps tool so far (imho)
![Page 15: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/15.jpg)
Separation of concerns
Inside container: /var/log/myapp
On host: /mnt/backup/myapp/log
![Page 16: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/16.jpg)
Separation of concerns
VOLUME
Inside container: /var/log/myapp
On host: /mnt/backup/myapp/log
![Page 17: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/17.jpg)
Ops
✓ Manage hardware / infrastructure
✓ Monitoring / backups
- Not the apps' « implementation details »
![Page 18: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/18.jpg)
Dev
✓ Develop the simplest possible solution
✓ Configuration is a runtime constraint
- Not an extra-extra-flexible application!
`new WebServer().start(8080);`
![Page 19: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/19.jpg)
level 3
![Page 20: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/20.jpg)
Continuous Delivery
• 100% reproducible environments
• « docker build . » to replace « mvn install »
- Dockerfile: build WAR from sources
- Dockerfile: run acceptance test suite
- Dockerfile: build deployable container
- docker run / COPY
![Page 21: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/21.jpg)
Continuous Delivery
![Page 22: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/22.jpg)
What for?
✓ Cloud!
✓ devices!
✓ on-premises
more to come soon …
![Page 23: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/23.jpg)
docker @ Cloud
• « build and deploy » PaaS
• binaries-based PaaS
![Page 24: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/24.jpg)
Google and Containers
“Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Each week we launch more than 2 billion container instances across our global data centers, and the power of containers has enabled both more reliable services and higher, more-efficient scalability.”
http://googlecloudplatform.blogspot.fr/2014/06/an-update-on-container-support-on-google-cloud-platform.html
![Page 25: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/25.jpg)
Google Managed VM: flexibility vs. management
- Compute Engine: your VM
- Managed VM: your docker image
- AppEngine runtime: your app
![Page 26: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/26.jpg)
Bonus
Code gde-in
![Page 27: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/27.jpg)
level 4
![Page 28: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/28.jpg)
New architectures
![Page 29: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/29.jpg)
Divide and conquer
Stop the monoliths!
![Page 30: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/30.jpg)
Divide and conquer
Embrace micro-services
‣ « the unix way »
‣ domain focused
‣ quick release cycles
‣ segregate resources
http://yobriefca.se/blog/2013/04/29/micro-service-architecture/
![Page 31: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/31.jpg)
Micro-service with Docker
LINK
![Page 32: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/32.jpg)
sample: syslog
http://jpetazzo.github.io/2014/08/24/syslog-docker/
Diagram: on the host, rsyslog listens on /dev/log, exposed as /tmp/syslogdev; logger "hello" writes to /dev/log.
![Page 33: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/33.jpg)
Lifetime
A server or a VM: months, or even longer!
One (or several) container(s): sometimes just a few minutes!
![Page 34: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/34.jpg)
Immutable infrastructures
![Page 35: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/35.jpg)
Upgrades
Application upgrade = building a new image
![Page 36: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/36.jpg)
What about CM?
![Page 37: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/37.jpg)
pimp my Dockerfile
Dockerfile BUILD chef-solo
Dockerfile COPY /cookbooks
![Page 38: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/38.jpg)
Orchestrate Docker
load balancer, webapp, webapp, database replica, monitoring, cache

```yaml
- hosts: web
  sudo: yes
  tasks:
    - name: run tomcat servers
      docker: image=webapp ports=8080
```
![Page 39: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/39.jpg)
level 5
![Page 40: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/40.jpg)
In PROD, yes indeed
![Page 41: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/41.jpg)
Ops is cool now!
![Page 42: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/42.jpg)
#Sexist, you said?
![Page 43: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/43.jpg)
CoreOS
- Minimalist host system (160Mb RAM)
- cluster-ready
- service discovery: etcd
- cgroup + systemd
- boots in ~ seconds
![Page 44: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/44.jpg)
Apache Mesos
![Page 45: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/45.jpg)
Kubernetes
- schedule state: N replicas for a service
- pod = containers tied together
- service discovery & routing
![Page 46: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/46.jpg)
![Page 47: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/47.jpg)
and (lots) more « orchestration »
Kubelet, maestro-ng, Shipper, Fleet, Helios, Centurion
![Page 48: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/48.jpg)
```yaml
images:
  - name: jenkins_master
    source: ryfow/jenkins:0.2
    type: Default
    ports:
      - host_port: '9080'
        container_port: '8080'
        proto: TCP
    volumes:
      - host_path: "/var/jenkins"
        container_path: "/var/jenkins_home"
  - name: jenkins_slave_1
    source: ryfow/docker-jenkins-slave:0.2
    type: Default
    links:
      - service: jenkins_master
        alias: jenkins
    environment:
      - variable: SLAVE_NAME
        value: slave1
```
```json
{
  "containers": [
    {
      "name": "rockmongo",
      "count": 1,
      "image": "openshift/centos-rockmongo",
      "publicports": [{"internal": 80, "external": 6060}],
      "links": [{"to": "mongodb"}]
    },
    {
      "name": "mongodb",
      "count": 1,
      "image": "openshift/centos-mongodb",
      "publicports": [{"internal": 27017}]
    }
  ]
}
```
```yaml
name: demo
registries:
  my-private-registry:
    registry: https://my-private-registry/v1/
ships:
  vm1.ore1: {ip: c414.ore1.domain.com}
  vm2.ore2: {ip: c415.ore2.domain.com, docker_port: 4243}
services:
  zookeeper:
    image: zookeeper:3.4.5
    instances:
      zk-1:
        ship: vm1.ore1
        ports: {client: 2181, peer: 2888, leader_election: 3888}
        volumes:
          /var/lib/zookeeper: /data/zookeeper
        limits:
          memory: 1g
          cpu: 2
```
![Page 49: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/49.jpg)
Distribute Docker images
• DockerHub private registry
• Run your own internal registry (docker image)
• Docker load/save with CM
• Dogestry / S3
![Page 50: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/50.jpg)
Monitoring
• collect cgroup metrics
• cAdvisor
• dedicated docker plugin
LogScape
![Page 51: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/51.jpg)
What about Data?
![Page 52: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/52.jpg)
flocker
![Page 53: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/53.jpg)
Container live migration
![Page 54: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/54.jpg)
level 5
![Page 55: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/55.jpg)
security
![Page 56: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/56.jpg)
container security
Containers are NOT secured!
http://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/
![Page 57: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/57.jpg)
do you care?
Treat containers like regular services!
✓ drop privileges as soon as possible
✓ run as non-root as much as possible
✓ treat root within the container as root on the host
✓ don't run untrusted containers
![Page 58: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/58.jpg)
drop capabilities
capabilities(7) - overview of Linux capabilities
Description
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
CAP_NET_ADMIN, CAP_SYS_ADMIN, …
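As an added check for the two previous slides (run as non-root, drop capabilities), not part of the deck: this Python decodes the CapEff bitmask that the kernel reports in /proc/<pid>/status, so a process inside a container can verify which capabilities it really kept. The HIGH_RISK set and the two status samples are constructed here; the first sample carries the bitmask Docker grants by default, the second what is left after `--cap-drop=ALL` or for a non-root UID.

```python
# Added example (not from the slides): decode CapEff from /proc/<pid>/status
# to verify which Linux capabilities a containerised process actually holds.
import re

# Capability names indexed by bit number, as in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed watch-list: capabilities that come close to root on the host
# when a container is otherwise unconfined (choose your own for your policy).
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_MODULE",
             "CAP_SYS_PTRACE", "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH"}


def decode_capeff(status_text: str) -> set:
    """Return the capability names set in the CapEff line of a status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def risky_caps(status_text: str) -> list:
    """Sorted list of HIGH_RISK capabilities still effective for the process."""
    return sorted(decode_capeff(status_text) & HIGH_RISK)


# Constructed samples (abridged /proc/<pid>/status content).
DEFAULT_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
DROPPED_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("cap-drop=ALL", DROPPED_STATUS)):
        caps = decode_capeff(text)
        print(f"{label}: {len(caps)} capabilities, high-risk: {risky_caps(text) or 'none'}")
```

Inside a real container, feed it `open("/proc/self/status").read()` instead of the samples.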
![Page 59: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/59.jpg)
User Namespace
Map a non-root user to root within the container
![Page 61: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/61.jpg)
Multi Category Security (MCS)
Protect containers from each other
![Page 62: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/62.jpg)
level 42
Docker Hero
![Page 63: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/63.jpg)
what’s next
![Page 64: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/64.jpg)
disclaimer
![Page 65: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/65.jpg)
de facto standard
Adoption both for Cloud and on-premises!
![Page 66: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/66.jpg)
Extensibility
Alt. backends (AUFS is not an approved Linux patch)
‣ devicemapper
‣ BTRFS
‣ ZFS
‣ …
Alt. implementations
‣ Solaris Zones
‣ BSD Jails
![Page 67: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/67.jpg)
Tooling
![Page 68: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/68.jpg)
Orchestration
![Page 69: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/69.jpg)
security
signature & authorization
![Page 70: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/70.jpg)
![Page 71: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/71.jpg)
Config Management
Chef/Puppet/Salt/Ansible vs Docker
![Page 72: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/72.jpg)
![Page 73: Dockers zero to hero](https://reader034.fdocuments.in/reader034/viewer/2022042506/54705d6baf7959056d8b4711/html5/thumbnails/73.jpg)
Q?