Docker Era #1 - Best practices & anti-patterns

Upload: piotr-kieszczynski

Post on 17-Jan-2017


TRANSCRIPT

Page 1: Era dockera#1 best practices & anti-patterns

Docker Era #1 - Best practices & anti-patterns

Page 2:

1. Who is this guy? Who got 2 thumbs and doesn't give a crap?

Page 3:

Hello! I am Piotr Kieszczynski. I am here because I love to give presentations. I am “The guy” who actually...

You can find me at @pkieszcz

Page 4:

2. Docker? What’s that?

Page 5:

Living under a rock

Page 6:

“Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”

Page 7:

One thing at a time
1. Misconception
2. Dockerfile
3. SSHD in Docker
4. “Production” Docker issues

Page 8:

Misconceptions
◇ “You should have only one process per Docker container!”
◇ “If I use Docker then I don't need a configuration management (CM) tool!”
◇ “I have to use Docker in order to get these speed and consistency advantages!” (you get them from CM / Cloud Images / Version Pinning / Version Control Deploys, with or without Docker)
◇ “I should use Docker right now!”

Page 9:

I should use Docker right now!
Before that, your current systems should already have:
◇ secured least-privilege access (key based logins, firewalls, fail2ban, etc)
◇ restorable secure off-site database backups
◇ automated system setup (using Ansible, Puppet, etc)
◇ automated deploys
◇ automated provisioning
◇ monitoring of all critical services
◇ and more (documentation, etc)

Page 10:

Then what?
◇ You don't need to Dockerize everything
◇ Use role based Docker images (www/db rather than nginx/mysql)
◇ Be explicit (avoid magic) as long as possible
◇ Don't store data in containers
◇ Use a private index provider (a private registry for your own images)
◇ Build on the expertise of others

Page 11:

Dockerfile
1: Use the cache (keep common instructions at the top of the Dockerfile so their cached layers are reused across builds)

FROM ubuntu
MAINTAINER Piotr Kieszczynski <[email protected]>
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get update
RUN apt-get upgrade -y

Caveat: the cache is keyed on the instruction text, not on what it produced. Once "RUN apt-get update" is cached it is never re-run, so every later install in the same Dockerfile works from that stale package index (points 9 and 10 below address this). "MAINTAINER" has since been deprecated in favour of "LABEL maintainer=...", and "FROM ubuntu" with no tag makes the build float with whatever that tag currently points to.

Page 12:

Dockerfile
2: Use tags

docker build -t="pkieszcz/rpi-mumble" .

3: EXPOSE-ing ports

# private and public mapping
EXPOSE 80:8080

# private only
EXPOSE 80

The first form hard-codes a host port into the image and dates from early Docker; EXPOSE should only declare the container port. Choose the host mapping at run time instead, e.g. "docker run -p 8080:80 ...", or "docker run -p 127.0.0.1:8080:80 ..." when the service must not be reachable from other hosts. A published port is routed through Docker's own iptables rules in the FORWARD chain, so INPUT rules written for the host (fail2ban, a hand-written firewall) do not cover it.

Page 13:

Dockerfile
4: CMD and ENTRYPOINT syntax (shell form runs under /bin/sh -c)

CMD /bin/echo

# or

CMD ["/bin/echo"]

The shell form is executed as "/bin/sh -c '/bin/echo'": the shell becomes PID 1 and the program is its child, so the SIGTERM that "docker stop" sends goes to the shell, which does not forward it, and the container is killed only after the grace period. The exec form (JSON array) runs the binary directly, so it receives signals itself and the ENTRYPOINT/CMD combination on the next slide works as intended.

Page 14:

Dockerfile
5: CMD and ENTRYPOINT better together

ENTRYPOINT ["/usr/bin/rethinkdb"]
CMD ["--help"]

docker run crosbymichael/rethinkdb              # runs "rethinkdb --help"
docker run crosbymichael/rethinkdb --bind all   # runs "rethinkdb --bind all"

ENTRYPOINT fixes the program; CMD supplies its default arguments, and anything given after the image name on "docker run" replaces CMD. Both must be in exec form for the arguments to be appended rather than wrapped in a shell.

Page 15:

Dockerfile
6: Trusted builds (Docker Hub's name at the time for automated builds from a linked source repository, so an image can be traced back to its Dockerfile)
7: Don't upgrade in builds (?) ("apt-get upgrade" makes the result depend on the mirror's state at build time; pick up security fixes by rebuilding from a newer base image instead)
8: Use small base images
9: Use specific tags

FROM debian
FROM debian:jessie

Tags are mutable: "debian:jessie" still moves with point releases, so for a fully reproducible build pin the digest ("FROM debian@sha256:<digest>", as printed by "docker pull") and rebuild deliberately.

10: Group common operations

RUN apt-get update
RUN apt-get upgrade -y

RUN apt-get update && apt-get upgrade -y

Two separate RUN lines are two cached layers, so a change to the second never invalidates the first; chaining them with "&&" into one RUN keeps the index refresh and the install in the same layer. Combined with point 7, that layer should read "apt-get update && apt-get install -y <packages>".
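A checker for the Dockerfile anti-patterns covered on slides 11 to 15 (unpinned FROM, MAINTAINER, a lone apt-get update layer, upgrading in the build, host ports in EXPOSE, shell-form CMD/ENTRYPOINT), added here as an example; it is not code from the talk or from the Docker project. The rule wording, the regexes, the extra "secret-looking ENV/ARG" rule and the two sample Dockerfiles are constructed for this example: the "bad" sample is the slide's cache example with the other anti-patterns appended, and the "good" one is the same kind of image rebuilt along the slides' advice, with nginx standing in for the application package.

```python
"""Dockerfile anti-pattern checker for the points on the "Dockerfile" slides.

Added example, not code from the talk or from Docker. Rule texts, regexes and the
two sample Dockerfiles below are constructed for illustration.
"""
import re
from typing import List, Tuple

Finding = Tuple[int, str]  # (line number in the Dockerfile, message)

# Key names that suggest a credential; an assumption of this example, not a standard.
SECRET_KEY_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
APT_UPDATE_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*update\b")
APT_INSTALL_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*install\b")
APT_UPGRADE_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*(?:dist-)?upgrade\b")


def parse_instructions(text: str) -> List[Tuple[int, str, str]]:
    """Return (first line number, INSTRUCTION, arguments) for each instruction.

    Blank lines and comments are skipped; backslash-continued lines are joined, so a
    multi-line RUN is judged as the single layer it produces.
    """
    out: List[Tuple[int, str, str]] = []
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out


def lint(text: str) -> List[Finding]:
    """Flag the anti-patterns the slides warn about, one finding per (line, rule)."""
    findings: List[Finding] = []
    for no, ins, args in parse_instructions(text):
        if ins == "FROM" and args.split():
            image = args.split()[0]          # drop "AS <stage>"
            ref = image.rsplit("/", 1)[-1]   # strip registry/namespace (may contain :port)
            if (image != "scratch" and "@sha256:" not in image
                    and ref.partition(":")[2] in ("", "latest")):
                findings.append((no, "FROM: base image not pinned to a specific tag"))
        elif ins == "MAINTAINER":
            findings.append((no, "MAINTAINER is deprecated; use LABEL maintainer=..."))
        elif ins == "RUN":
            if APT_UPDATE_RE.search(args) and not APT_INSTALL_RE.search(args):
                findings.append((no, "RUN: apt-get update in its own layer; later "
                                     "installs reuse this cached, stale index"))
            if APT_UPGRADE_RE.search(args):
                findings.append((no, "RUN: apt-get upgrade in a build is not "
                                     "reproducible; rebuild from a newer base instead"))
        elif ins == "EXPOSE":
            if any(":" in port for port in args.split()):
                findings.append((no, "EXPOSE: host:container mapping belongs on "
                                     "'docker run -p', not in the image"))
        elif ins in ("CMD", "ENTRYPOINT"):
            if not args.startswith("["):
                findings.append((no, f"{ins}: shell form runs under /bin/sh -c; "
                                     "signals never reach the real process"))
        elif ins in ("ENV", "ARG"):
            keys = re.findall(r"(?:^|\s)([A-Za-z_]\w*)=", args) or args.split()[:1]
            for key in keys:
                if SECRET_KEY_RE.search(key):
                    findings.append((no, f"{ins} {key}: secret would be baked into "
                                         "the image config and build history"))
    return findings


# Constructed input: the slide's cache example with the other anti-patterns appended.
BAD_DOCKERFILE = """\
FROM ubuntu
MAINTAINER someone
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get update
RUN apt-get upgrade -y
ENV DB_PASSWORD=hunter2
EXPOSE 80:8080
CMD /bin/echo
"""

# Constructed counterpart applying the slides' advice (nginx stands in for the app).
GOOD_DOCKERFILE = """\
# pinned small base, one layer for index + install, exec-form entrypoint
FROM debian:jessie
LABEL maintainer="ops@example.invalid"
RUN apt-get update \\
    && apt-get install -y --no-install-recommends nginx \\
    && rm -rf /var/lib/apt/lists/*
EXPOSE 80
ENTRYPOINT ["nginx"]
CMD ["-g", "daemon off;"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        found = lint(text)
        print(f"{name}: {len(found)} finding(s)")
        for no, msg in found:
            print(f"  line {no}: {msg}")
```

Run it as a script to see every line of the "bad" file flagged except the sources.list edit, and nothing flagged in the "good" file. The FROM rule deliberately accepts a digest ("@sha256:") and "scratch", and strips the registry part before looking for a tag so that a registry port such as ":5000" is not mistaken for one; the ENV/ARG rule looks only at key names, since values are what you are trying to keep out of the image in the first place.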

Page 16:

SSHD in Docker
◇ What do you need SSH for?
◇ How will you manage keys and passwords?
◇ How will you manage security upgrades?
◇ Do you need to “just add the SSH server” to make it work?
◇ You are in charge of putting the app inside a container, but are you also in charge of access policies and security compliance?

Page 17:

But how do I ...
◇ Backup my data?
◇ Check logs?
◇ Restart my service?
◇ Edit my configuration?
◇ Debug my service?

◇ nsenter (or docker exec <id> /bin/bash)

Both go through the Docker daemon on the host, and access to that daemon is root-equivalent, so the access-policy question from the previous slide does not disappear: it moves from per-container SSH keys to who may talk to the Docker socket.

Page 18:

“Production” Docker issues
◇ Image building
◇ Garbage collection
◇ Iteration speed and state of core
◇ Logging
◇ Secrets
◇ Filesystems
◇ Reliance on edgy kernel features
◇ Security
◇ Image layers and transportation
◇ Storage (flocker), networking (SDN?), Orchestration (Swarm vs “prod-6-months-ready”), Service Discovery

Page 19:

“Production” Docker issues: image building
◇ Out-of-band caching for particularly heavy-weight and application-specific dependencies
◇ Accessing secrets at build time without committing them to the image
◇ Full control over layers in the final image
◇ Parallelization of building layers

Page 20:

“Production” Docker issues: what we used
◇ Garbage collection: https://github.com/spotify/docker-gc
◇ Clean up Registry/Distribution - GLHF (but I’ve made it!)
◇ Plumbing core features
◇ Logging: write logs to a mounted volume -> fluentd
◇ Secrets: https://www.shopify.com/technology/26892292-secrets-at-shopify-introducing-ejson
◇ Filesystems: AUFS vs BTRFS vs OverlayFS
◇ Containers on VMs?

Page 21:

Thanks! Any questions?
You can find me at @pkieszcz