Docker zero to hero
TRANSCRIPT
@ndeloof
Who are you?!
✓ Dev
✓ Integration/Test
✓ Acceptance / Qualif
✓ Sysadmin / Ops
level 0
DEV
✓ Exact reproduction of the target environment
Not on Linux?
DEV
✓ Quickly get third-party tools up and running
level 1
Test
✓ Define build / test infra in your SCM
✓ Quickly get a low-cost, production-like environment
QA
level 2
Dev/Ops
A WAR archive is NOT what a sysadmin expects as a delivery!
best DevOps tool so far (imho)
Separation of concerns
VOLUME
Inside container: /var/log/myapp
On host: /mnt/backup/myapp/log
✓ Manage hardware / infrastructure
✓ Monitoring / backups
- Not the apps' « implementation details »
Ops
✓ Develop the simplest possible solution
✓ Configuration is a runtime constraint
- Not an extra-extra-flexible application!
new WebServer().start(8080);
Dev
level 3
Continuous Delivery
• 100% reproducible environments
« docker build . » to replace « mvn install »
Dockerfile: build WAR from sources
Dockerfile: run acceptance test suite
Dockerfile: build deployable container
(stages chained with docker run and COPY)
Continuous Delivery
Why?
✓ Cloud!
✓ devices!
✓ on-premises
more to come soon …
docker @ Cloud
• « build and deploy » PaaS!
• binaries-based PaaS
Google and Containers
“Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Each week we launch more than 2 billion container instances across our global data centers, and the power of containers has enabled both more reliable services and higher, more-efficient scalability.”
http://googlecloudplatform.blogspot.fr/2014/06/an-update-on-container-support-on-google-cloud-platform.html
Compute Engine: your VM
Managed VM: your Docker image
AppEngine runtime: your app
Google Managed VM: flexibility vs. management
Bonus
Code gde-in
level 4
New architectures
Divide and conquer
Stop the monoliths!
Divide and conquer
Embrace micro-services
‣ « the unix way »
‣ domain focused
‣ quick release cycles
‣ segregate resources
http://yobriefca.se/blog/2013/04/29/micro-service-architecture/
Micro-services with Docker
LINK
host
sample: syslog
http://jpetazzo.github.io/2014/08/24/syslog-docker/
rsyslog container: listens on /dev/log, exposed on the host under /tmp/syslogdev
app container: bind-mounts that socket as its own /dev/log and runs: logger "hello"
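What the diagram above actually exchanges over the shared socket, as an added example (not code from the slides or from jpetazzo's post): the rsyslog side is a Unix datagram socket bound at a path standing in for /dev/log, the app side writes one RFC 3164 datagram the way `logger "hello"` does (user.notice, PRI 13), and the receiver decodes the PRI into facility and severity. The temporary directory plays the host's /tmp/syslogdev; Docker bind-mounting the socket file into a second container is assumed, not performed here.

```python
import os
import re
import socket
import tempfile

# RFC 3164 framing as written to /dev/log: "<PRI>message", PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 10: "authpriv", 16: "local0"}


def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram the way the rsyslog container would: facility, severity, text."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        # Malformed or out-of-range PRI: keep the bytes but trust nothing about them;
        # any process that can write to the socket can send arbitrary content.
        return {"facility": None, "severity": None, "text": datagram.decode(errors="replace")}
    pri = int(m.group(1))
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "text": m.group(2).decode(errors="replace").rstrip("\x00\n"),
    }


class DevLog:
    """The rsyslog side: a Unix datagram socket bound at a path playing the role of /dev/log."""

    def __init__(self, path: str):
        self.path = path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(path)
        # rsyslog makes /dev/log world-writable so every process can log; once the
        # socket file is bind-mounted, that mode is what lets the other container write to it.
        os.chmod(path, 0o666)
        self.sock.settimeout(2.0)

    def receive(self) -> dict:
        return parse_syslog(self.sock.recv(65536))

    def close(self) -> None:
        self.sock.close()
        os.unlink(self.path)


def send_like_logger(path: str, text: str, facility: int = 1, severity: int = 5) -> None:
    """The app side, emulating `logger "hello"`: logger(1) defaults to user.notice
    (facility 1, severity 5) and writes a single datagram to /dev/log."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(path)
        s.send(f"<{facility * 8 + severity}>{text}".encode())


def demo(message: str = "hello") -> dict:
    """Round trip through a temporary socket standing in for the shared /dev/log."""
    workdir = tempfile.mkdtemp(prefix="syslogdev-")  # plays the host's /tmp/syslogdev
    path = os.path.join(workdir, "log")               # the file Docker would bind-mount as /dev/log
    server = DevLog(path)
    try:
        send_like_logger(path, message)
        return server.receive()
    finally:
        server.close()
        os.rmdir(workdir)


if __name__ == "__main__":
    print(demo())  # {'facility': 'user', 'severity': 'notice', 'text': 'hello'}
```

The point the slide makes is that the socket is just a file: sharing it between containers is a volume mount, and the socket's filesystem mode (not Docker) is the access control on who may log.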
Lifetime
A server or a VM: months, or more!
One (or several) container(s): sometimes just a few minutes!
Immutable infrastructures
Upgrades
Application upgrade = build a new image
What about CM?
pimp my Dockerfile
Dockerfile: COPY /cookbooks, then build the image with chef-solo
Orchestrate Docker
Topology: load balancer, webapp (×2), database replica, monitoring, cache

    - hosts: web
      sudo: yes
      tasks:
        - name: run tomcat servers
          docker: image=webapp ports=8080
level 5
In PROD? Yes, really
Ops is cool now!
#Sexist, you said?
CoreOS
‣ minimal host system (160 MB RAM)
‣ cluster-ready
‣ service discovery: etcd
‣ cgroup + systemd
‣ boots in ~seconds
Apache Mesos
Kubernetes
‣ schedule the desired state: N replicas of a service
‣ pod = containers tied together
‣ service discovery & routing
and (lots) more « orchestration »
Kubelet
maestro-ng
Shipper
Fleet
Helios
Centurion
    images:
      - name: jenkins_master
        source: ryfow/jenkins:0.2
        type: Default
        ports:
          - host_port: '9080'
            container_port: '8080'
            proto: TCP
        volumes:
          - host_path: "/var/jenkins"
            container_path: "/var/jenkins_home"
      - name: jenkins_slave_1
        source: ryfow/docker-jenkins-slave:0.2
        type: Default
        links:
          - service: jenkins_master
            alias: jenkins
        environment:
          - variable: SLAVE_NAME
            value: slave1

    {
      "containers": [
        {
          "name": "rockmongo",
          "count": 1,
          "image": "openshift/centos-rockmongo",
          "publicports": [{"internal": 80, "external": 6060}],
          "links": [{"to": "mongodb"}]
        },
        {
          "name": "mongodb",
          "count": 1,
          "image": "openshift/centos-mongodb",
          "publicports": [{"internal": 27017}]
        }
      ]
    }

    name: demo
    registries:
      my-private-registry:
        registry: https://my-private-registry/v1/
    ships:
      vm1.ore1: {ip: c414.ore1.domain.com}
      vm2.ore2: {ip: c415.ore2.domain.com, docker_port: 4243}
    services:
      zookeeper:
        image: zookeeper:3.4.5
        instances:
          zk-1:
            ship: vm1.ore1
            ports: {client: 2181, peer: 2888, leader_election: 3888}
            volumes:
              /var/lib/zookeeper: /data/zookeeper
            limits:
              memory: 1g
              cpu: 2
Distribute Docker images
• DockerHub private registry
• Run your own internal registry (docker image)
• Docker load/save with CM
• Dogestry / S3
Monitoring
• collect cgroup metrics
• cAdvisor
• dedicated docker plugin
LogScape
What about data?
flocker
Container live migration
level 5
security
Container security
Containers are NOT secured!
http://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/
Do you care?
Treat containers like regular services!
✓ drop privileges as soon as possible
✓ run as non-root as much as possible
✓ treat root within container as root on host
✓ don’t run untrusted container
Drop capabilities
capabilities(7) - overview of Linux capabilities
Description
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
CAP_NET_ADMIN, CAP_SYS_ADMIN, …
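The checklist above ("drop privileges", "run as non-root", "root in the container is root on the host") and the capabilities(7) excerpt, as an added example that is not code from the slides or from Docker: it decodes the CapEff bitmask a process sees in /proc/self/status, works out which capabilities a given `docker run` command line ends up granting (Docker's default capability set, with `--cap-drop` applied before explicit `--cap-add`, and `--privileged` meaning everything), and flags the ones that make container root equivalent to host root. The constructed CapEff value 00000000a80425fb is the well-known default set of a Docker container; the `HOST_EQUIVALENT_CAPS` list and the findings text are this example's own choices.

```python
import re

# Linux capability numbers from <linux/capability.h>; index = bit position in CapEff/CapBnd.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities Docker grants a container by default (its default profile).
DOCKER_DEFAULT_CAPS = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}

# Example's own list: capabilities that let root in the container act on the host
# (mount and namespace games, module loading, ptrace, raw device I/O, host networking, read any file).
HOST_EQUIVALENT_CAPS = {
    "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN",
    "DAC_READ_SEARCH", "MAC_ADMIN", "MAC_OVERRIDE",
}


def decode_capset(hex_mask: str) -> set:
    """Decode a CapEff/CapBnd value as printed in /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def caps_from_proc_status(status_text: str, field: str = "CapEff") -> set:
    """Pull one Cap* line out of /proc/<pid>/status text and decode it."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError(f"no {field} line in status text")
    return decode_capset(m.group(1))


def _norm(cap: str) -> str:
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_caps_for_run(argv: list) -> set:
    """Capability set a root process gets from this `docker run` command line.
    Docker's rules: --cap-add=ALL starts from everything, --cap-drop=ALL empties the set,
    other drops are removed, then every explicit --cap-add is put back; --privileged is all."""
    adds, drops = [], []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--privileged":
            return set(CAP_NAMES)
        for flag, target in (("--cap-add", adds), ("--cap-drop", drops)):
            if tok == flag and i + 1 < len(argv):
                target.append(argv[i + 1])
                i += 1
            elif tok.startswith(flag + "="):
                target.append(tok.split("=", 1)[1])
        i += 1
    caps = set(CAP_NAMES) if any(_norm(a) == "ALL" for a in adds) else set(DOCKER_DEFAULT_CAPS)
    caps = set() if any(_norm(d) == "ALL" for d in drops) else caps - {_norm(d) for d in drops}
    return caps | {_norm(a) for a in adds if _norm(a) != "ALL"}


def audit_run(argv: list) -> list:
    """Findings against the slide's checklist for one `docker run` command line."""
    findings = []
    caps = effective_caps_for_run(argv)
    if "--privileged" in argv:
        findings.append("--privileged: all capabilities and all devices; root in the container is root on the host")
    risky = sorted(caps & HOST_EQUIVALENT_CAPS)
    if risky:
        findings.append("host-equivalent capabilities granted: " + ", ".join(risky))
    if not any(a in ("--user", "-u") or a.startswith(("--user=", "-u=")) for a in argv):
        findings.append("no --user: the process starts as root unless the image sets USER")
    if caps == DOCKER_DEFAULT_CAPS:
        findings.append("default capability set kept; prefer --cap-drop=ALL plus explicit --cap-add")
    return findings


if __name__ == "__main__":
    # Constructed /proc/self/status fragment as seen inside a default Docker container.
    status = "Name:\tsh\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
    print(sorted(caps_from_proc_status(status)))
    print(audit_run(["docker", "run", "--cap-add=SYS_ADMIN", "webapp"]))
    print(audit_run(["docker", "run", "--cap-drop=ALL", "--cap-add=NET_BIND_SERVICE",
                     "--user=1000:1000", "webapp"]))
```

Inside a running container, `grep Cap /proc/self/status` gives the masks to feed `caps_from_proc_status`; the same decoder applies to CapBnd, which is what `--cap-drop` actually shrinks.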
User namespaces
Map a non-root user on the host to root within the container
Multi-Category Security (MCS)
Protect containers from each other
level 42
Docker Hero
what’s next
disclaimer
de facto standard
Adoption both for Cloud and on-premises!
Extensibility
Alt. backends (AUFS is not an approved Linux patch)
‣ devicemapper
‣ BTRFS
‣ ZFS
‣ …
Alt. implementations
‣ Solaris Zones
‣ BSD Jails
Tooling
Orchestration
Security: signature & authorization
Config Management: Chef/Puppet/Salt/Ansible vs Docker
Q?