Docker for Sysadmins: what's in it for me?

Similar documents
Orchestrating Distributed Deployments with Docker and Containers 1 / 30

The Virtualization Practice

Containers, Docker, and Security: State of the Union

Linux A first-class citizen in Windows Azure. Bruno Terkaly bterkaly@microsoft.com Principal Software Engineer Mobile/Cloud/Startup/Enterprise

Last time. Today. IaaS Providers. Amazon Web Services, overview

STRATEGIC WHITE PAPER. The next step in server virtualization: How containers are changing the cloud and application landscape

Upgrading to Ubuntu Server Edition LTS

Best Practices for Python in the Cloud: Lessons

Stackato PaaS Architecture: How it works and why.

Example of Standard API

WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Platform as a Service and Container Clouds

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

ISLET: Jon Schipp, Ohio Linux Fest An Attempt to Improve Linux-based Software Training

Using Vagrant for Magento development. Alexander

Docker : devops, shared registries, HPC and emerging use cases. François Moreews & Olivier Sallou

Cloud Operating Systems for Servers

Building a Kubernetes Cluster with Ansible. Patrick Galbraith, ATG Cloud Computing Expo, NYC, May 2016

Mark Bennett. Search and the Virtual Machine

Ubuntu OpenStack on VMware vsphere: A reference architecture for deploying OpenStack while limiting changes to existing infrastructure

Why Does CA Platform Use OpenShift?

DevOps with Containers. for Microservices

Ryu SDN Framework What weʼ ve learned Where weʼ ll go

Linstantiation of applications. Docker accelerate

Data Centers and Cloud Computing

How Bigtop Leveraged Docker for Build Automation and One-Click Hadoop Provisioning

Container Clusters on OpenStack

Building a Continuous Integration Pipeline with Docker

Assignment # 1 (Cloud Computing Security)

OpenShift. Marek Jelen, OpenShift, Red Hat

Virtualization & Cloud Computing (2W-VnCC)

Cloud Security with Stackato

Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

On- Prem MongoDB- as- a- Service Powered by the CumuLogic DBaaS Platform

Jenkins World Tour 2015 Santa Clara, CA, September 2-3

CI Pipeline with Docker

Automating Big Data Benchmarking for Different Architectures with ALOJA

Use Cases for Docker in Enterprise Linux Environment CloudOpen North America, 2014 Linda Wang Sr. Software Engineering Manager Red Hat, Inc.

System Structures. Services Interface Structure

RED HAT CONTAINER STRATEGY

Intro to Docker and Containers

An Introduction to Service Containers

Virtualization Management the ovirt way

WINDOWS AZURE EXECUTION MODELS

Cloud Simulator for Scalability Testing

Sacha Dubois RED HAT TRENDS AND TECHNOLOGY PATH TO AN OPEN HYBRID CLOUD AND DEVELOPER AGILITY. Solution Architect Infrastructure

ArcGIS for Server: In the Cloud

A Comparison of Clouds: Amazon Web Services, Windows Azure, Google Cloud Platform, VMWare and Others (Fall 2012)

Data Centers and Cloud Computing. Data Centers

The Definitive Guide To Docker Containers

Enterprise PaaS Evaluation Guide

Migration and Building of Data Centers in IBM SoftLayer with the RackWare Management Module

Scalable Architecture on Amazon AWS Cloud

IBM Bluemix. The Digital Innovation Platform. Simon

Cloud Computing and Open Source: Watching Hype meet Reality

Last time. Today. IaaS Providers. Amazon Web Services, overview

Jfokus PaaS Hands-On Lab

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

OpenShift and Cloud Foundry PaaS: High-level Overview of Features and Architectures

Chapter 16: Virtual Machines. Operating System Concepts 9 th Edition

Private Cloud Management

Data Centers and Cloud Computing. Data Centers. MGHPCC Data Center. Inside a Data Center

KVM, OpenStack, and the Open Cloud

Building Docker Cloud Services with Virtuozzo

Huawei and Open Source. Industry development department Shi Hao

Spotify services. The whole is greater than the sum of the parts. Niklas Gustavsson. måndag 4 mars 13

Intel IT s Cloud Journey. Speaker: [speaker name], Intel IT

PARALLELS SERVER BARE METAL 5.0 README

Virtualization, SDN and NFV

Chapter 14 Virtual Machines

Using Docker in Cloud Networks

Open Source Technologies on Microsoft Azure

Migration and Building of Data Centers in IBM SoftLayer with the RackWare Management Module

Deployment Guide: Unidesk and Hyper- V

Introduction to CoprHD: An Open Source Software Defined Storage Controller

VMware Virtualization and Software Development

STeP-IN SUMMIT June 18 21, 2013 at Bangalore, INDIA. Performance Testing of an IAAS Cloud Software (A CloudStack Use Case)

Cisco Application-Centric Infrastructure (ACI) and Linux Containers

IAN MASSINGHAM. Technical Evangelist Amazon Web Services

Migration and Disaster Recovery Underground in the NEC / Iron Mountain National Data Center with the RackWare Management Module

Cloud Hosting. QCLUG presentation - Aaron Johnson. Amazon AWS Heroku OpenShift

Virtualization. Types of Interfaces

The Art of Virtualization with Free Software

Oracle Solaris: Aktueller Stand und Ausblick

An Analysis of Container-based Platforms for NFV

JAVA IN THE CLOUD PAAS PLATFORM IN COMPARISON

Mobile Cloud Computing T Open Source IaaS

Extending your VMware Cloud Infrastructure with a Private Platform-as-a-Service

NoSQL replacement for SQLite (for Beatstream) Antti-Jussi Kovalainen Seminar OHJ-1860: NoSQL databases

Déployer son propre cloud avec OpenStack. GULL François Deppierraz

The Bro Network Security Monitor

The Cloud to the rescue!

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

What new with Informix Software as a Service and Bluemix? Brian Hughes IBM

Transcription:

Docker for Sysadmins: what's in it for me?

1 / 76 Who am I? Jérôme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotcloud) more than 4 years ago (I was at Docker before it was cool!) I have built and scaled the dotcloud PaaS I learned a few things about running containers (in production) Started an hosting company in 2004 Sysadmin since 1999

2 / 76 Outline Intro / pop quizz about Docker and containers Sysadmin point of view: VMs vs containers Ops will be ops, devs will be devs Composing stacks of containers Is it safe to use it yet?

3 / 76 Recap about Docker and containers

4 / 76 Build, ship, and run any app, anywhere

Take any Linux program, and put it in a container 5 / 76

6 / 76 Take any Linux program, and put it in a container Web apps and services, workers (Go, Java, Node, PHP, Python, Ruby...)

7 / 76 Take any Linux program, and put it in a container Web apps and services, workers (Go, Java, Node, PHP, Python, Ruby...) Data stores: SQL, NoSQL, big data (Cassandra, ElasticSearch, Hadoop, Mongo, MySQL, PostgreSQL, Redis...)

8 / 76 Take any Linux program, and put it in a container Web apps and services, workers (Go, Java, Node, PHP, Python, Ruby...) Data stores: SQL, NoSQL, big data (Cassandra, ElasticSearch, Hadoop, Mongo, MySQL, PostgreSQL, Redis...) Other server-y things (Consul, Etcd, Mesos, RabbitMQ, Zookeeper...)

9 / 76 Take any Linux program, and put it in a container Web apps and services, workers (Go, Java, Node, PHP, Python, Ruby...) Data stores: SQL, NoSQL, big data (Cassandra, ElasticSearch, Hadoop, Mongo, MySQL, PostgreSQL, Redis...) Other server-y things (Consul, Etcd, Mesos, RabbitMQ, Zookeeper...) Command-line tools (AWS CLI, Ffmpeg...)

10 / 76 Take any Linux program, and put it in a container Web apps and services, workers (Go, Java, Node, PHP, Python, Ruby...) Data stores: SQL, NoSQL, big data (Cassandra, ElasticSearch, Hadoop, Mongo, MySQL, PostgreSQL, Redis...) Other server-y things (Consul, Etcd, Mesos, RabbitMQ, Zookeeper...) Command-line tools (AWS CLI, Ffmpeg...) Desktop apps (Chrome, LibreOffice, Skype, Steam...)

What about non-linux programs? 11 / 76

12 / 76 What about non-linux programs? Desktop apps with WINE (e.g.: Spotify client)

13 / 76 What about non-linux programs? Desktop apps with WINE (e.g.: Spotify client) Coming soon: Docker for Windows (run Windows apps on Windows machines)

14 / 76 What about non-linux programs? Desktop apps with WINE (e.g.: Spotify client) Coming soon: Docker for Windows (run Windows apps on Windows machines) Coming soon: Docker for FreeBSD (port in progress)

15 / 76 What about non-linux programs? Desktop apps with WINE (e.g.: Spotify client) Coming soon: Docker for Windows (run Windows apps on Windows machines) Coming soon: Docker for FreeBSD (port in progress) Coming eventually: Docker for OS X (technically possible; but is this useful?)

16 / 76 Ship that container easily and efficiently Docker comes with an image distribution protocol Distribution server can be hosted by Docker Inc. (free for public images) Distribution protocol is public Open source reference implementation (used by Docker Inc. for the public registry) Container images are broken down into layers When updating and distributing an image, only ship relevant layers

17 / 76 Run those containers anywhere Containers can run in VMs or in physical machines Docker is available on all modern Linux variants Many IAAS providers have server images with Docker On OS X and Windows dev machines: boot2docker There are distros dedicated to run Docker containers (Atomic, CoreOS, RancherOS, Snappy Core...) Other Docker implementations exist (e.g. Joyent Triton) Docker-as-a-Service providers are blooming

Blah, blah, blah... 18 / 76

We already have zones, LXC, jails! 19 / 76

20 / 76 We already have zones, LXC, jails! Give me a one-liner to start an Ubuntu 12.04 LTS with zones/lxc/jails

21 / 76 We already have zones, LXC, jails! Give me a one-liner to start an Ubuntu 12.04 LTS with zones/lxc/jails You know how to do this, but your developers don't (and they don't want to learn, that's not their job)

22 / 76 We already have zones, LXC, jails! Give me a one-liner to start an Ubuntu 12.04 LTS with zones/lxc/jails You know how to do this, but your developers don't (and they don't want to learn, that's not their job) dockerrun-tiubuntu:12.04bash

23 / 76 We already have zones, LXC, jails! Give me a one-liner to start an Ubuntu 12.04 LTS with zones/lxc/jails You know how to do this, but your developers don't (and they don't want to learn, that's not their job) dockerrun-tiubuntu:12.04bash Why do you use dpkg/rpm/apt/yuminstead of ftp+configure+makeinstall?

24 / 76 We already have zones, LXC, jails! Give me a one-liner to start an Ubuntu 12.04 LTS with zones/lxc/jails You know how to do this, but your developers don't (and they don't want to learn, that's not their job) dockerrun-tiubuntu:12.04bash Why do you use dpkg/rpm/apt/yuminstead of ftp+configure+makeinstall? Because you're not paid to compile things by hand

25 / 76 We already have zones, LXC, jails! Give me a one-liner to start an Ubuntu 12.04 LTS with zones/lxc/jails You know how to do this, but your developers don't (and they don't want to learn, that's not their job) dockerrun-tiubuntu:12.04bash Why do you use dpkg/rpm/apt/yuminstead of ftp+configure+makeinstall? Because you're not paid to compile things by hand Guess what: you're not paid to provision environments by hand

26 / 76 "Give a man a fish, you feed him for a day; teach a man to fish..."

27 / 76 VMs vs containers

28 / 76 Portability Containers can run on top of public cloud (run the same container image everywhere) Nested hypervisors (VMs in VMs) exist, but still rare Containers are easy to move (thanks to layers, distribution protocol, registry...) VM images have to be converted and transferred (both are slow operations)

29 / 76 Format & environment VM JVM executes machine code environment = something that looks like a computer executes JVM bytecode environment = Java APIs Container executes machine code environment = Linux kernel system calls interface

30 / 76 Containers have low overhead Normal* process(es) running on top of normal kernel No device emulation (no extra code path involved in I/O) Context switch between containers = context switch between processes Benchmarks show no difference at all between containers and bare metal (after adequate tuning and options have been selected) Containers have higher density * There are extra "labels" denoting membership to given namespaces and control groups. Similar to regular UID.

31 / 76 VMs have stronger isolation Inter-VM communication must happen over the network (Some hypervisors have custom paths, but non-standard) VMs can run as non-privileged processes on the host (Breaking out of a VM will have ~zero security impact) Containers run on top of a single kernel (Kernel vulnerability can lead to full scale compromise) Containers can share files, sockets, FIFOs, memory areas... (They can communicate with standard UNIX mechanisms)

32 / 76 Analogy: brick walls vs. room dividers Brick walls sturdy slow to build messy to move Room dividers fragile deployed in seconds moved easily

33 / 76 Blurring lines Intel Clear Containers; Clever Cloud (stripped down VMs, boot super fast, tiny footprint) Joyent Triton (Solaris "branded zones," running Linux binaries securely, exposing the Docker API) Ongoing efforts to harden containers (GRSEC, SELinux, AppArmor)

34 / 76 VMs vs containers (hoster/ops perspective)

35 / 76 Inside VMs need a full OS and associated tools (Backups, logging, periodic job execution, remote access...) Containers can go both ways: machine container (runs init, cron, ssh, syslog... and the app) application container (runs the app and nothing else; relies on external mechanisms)

36 / 76 VM lifecycle Option 1: long lifecycle (provisioning update update update disposal) easily leads to configuration drift (subtle differences that add up over time) requires tight configuration management Option 2: golden images (phoenix servers, immutable infrastructure...) create new image for each modification deploy by replacing old servers with new servers nice and clean, but heavy and complex to setup

37 / 76 Container lifecycle Containers are created from an image Image creation is easy Image upgrade is fast Immutable infrastructure is easy to implement Why? Because container snapshots are extremely fast and cheap.

38 / 76 Development process (VMs) Best practice in production = 1 VM per component Not realistic to have 1 VM per component in dev Also: prod has additional/different components (e.g.: logging, monitoring, service discovery...) Result: very different environment for dev & prod

39 / 76 Development process (containers) Run tons of containers on dev machines Build the same container for dev & prod How do we provide container variants?

40 / 76 Bloated containers Containers have all the software required for production In dev mode, only essential processes are started In prod mode, additional processes run as well Problems: bigger containers behavior can differ (because of extra processes) extra processes duplicated between containers hard to test those extra processes in isolation

41 / 76 Separation of concerns (let ops do ops, and devs do dev)

42 / 76 Principle "Do one thing, do it well" One container for the component itself One container for logging One container for monitoring One container for backups One container for debugging (when needed) etc.

43 / 76 Implementation (general principles) Containers can share almost anything, selectively files (logs, data at rest, audit) network stack (traffic routing and analysis, monitoring) process space, memory (process tracing and debugging)

44 / 76 Let's dive into the details

45 / 76 Logging (option 1: Docker logging drivers) Containers write to standard output Docker has different logging drivers: writes to local JSON files by default can send to syslog Imperfect solution for now, but will be improved. Preferred in the long run.

46 / 76 Logging (option 2: shared log directory) Containers write regular files to a directory That directory is shared with another container dockerrun-d--namemyapp1-v/var/logmyapp:v1.0 In development setup: dockerrun--volumes-frommyapp1ubuntu\ sh-c'tail-f/var/log/*' In production: dockerrun-d--volumes-frommyapp1logcollector

47 / 76 Logging takeaways Application can be "dumb" about logging Log collection and shipping happens in Docker, or in separate(s) container(s) Run custom log analyzer without changing app container (e.g. apachetop) Migrate logging system without changing app container

48 / 76 "Yes, but..." "What about performance overhead?" no performance overhead both containers access files directly (just like processes running on the same machine) "What about synchronization issues?" same as previous answer!

49 / 76 Backups (file-based) Store mutable data on Docker volumes (same mechanism as for logs) Share volumes with special-purpose backup containers Put backup tools in the backup container (boto, rsync, s3cmd, unison...) dockerrun--volumes-frommydb1ubuntu\ rsync-av/var/lib/backup@remotehost:mydb1/ The whole setup doesn't touch the app (or DB) container

50 / 76 Backups (network-based) Run the backup job (pg_dump, mysqldump, etc.) from a separate container Advantages (vs. running in the same container): nothing to install in the app (or DB) container if the backup job runs amok, it remains contained (!) another team can maintain backup jobs (and be responsible for them)

51 / 76 Network analysis Packet capture (tcpdump, ngrep, ntop, etc.) Low-level metrics (netstat, ss, etc.) Install required tools in a separate container image Run a container in the same network namespace dockerrun-d--nameweb1nginx dockerrun-ti--netcontainer:web1tcpdump-pnieth0 dockerrun-ti--netcontainer:web1ubuntuss-n--tcp

52 / 76 Service discovery Docker can do linking and generic DNS injection Your code connects to e.g. redis (pretending that redisresolves to something) Docker adds a DNS alias* so that redisresolves to the right container, or to some external service In dev, Docker Compose manages service dependencies In prod, you abstract service discovery from the container * Really, an entry in the container's /etc/hosts.

53 / 76 Service discovery in practice When service A needs to talk to service B... 1. Start container B on a Docker host

54 / 76 Service discovery in practice When service A needs to talk to service B... 1. Start container B on a Docker host 2. Retrieve host+port allocated for B

55 / 76 Service discovery in practice When service A needs to talk to service B... 1. Start container B on a Docker host 2. Retrieve host+port allocated for B 3. Start ambassador (relaying to this host+port)

56 / 76 Service discovery in practice When service A needs to talk to service B... 1. Start container B on a Docker host 2. Retrieve host+port allocated for B 3. Start ambassador (relaying to this host+port) 4. Start container A linked to ambassador

57 / 76 Service discovery in practice When service A needs to talk to service B... 1. Start container B on a Docker host 2. Retrieve host+port allocated for B 3. Start ambassador (relaying to this host+port) 4. Start container A linked to ambassador 5. Profit!

58 / 76 General pattern Your code runs in the same container in dev and prod Add "sidekick*" containers for additional tasks Developers don't have to be bothered about ops Ops can do their job without messing with devs' code * Kubernetes sometimes calls them "sidecars."

59 / 76 Composing stacks of containers

Docker Compose 60 / 76

61 / 76 docker-compose.yml rng: build:rng hasher: build:hasher webui: build:webui links: -redis ports: -"80:80" volumes: -"webui/files/:/files/" redis: image:redis worker: build:worker links: -rng -hasher -redis

62 / 76 Docker Compose Start whole stack with docker-composeup Start individual containers (and their dependencies) with docker-composeupxyz Takes care of container lifecycle (creation, update, data persistence, scaling up/down...) Doesn't automatically solve networking and discovery (yet)

63 / 76 Docker Compose Start whole stack with docker-composeup Start individual containers (and their dependencies) with docker-composeupxyz Takes care of container lifecycle (creation, update, data persistence, scaling up/down...) Doesn't automatically solve networking and discovery (yet)... However...

64 / 76 docker-compose.yml, reloaded hasher: build:hasher worker: build:worker links: -rng -hasherproxy:hasher -redis hasherproxy: image:jpetazzo/hamba links: -hasher command:80hasher80 (This was automatically generated by a tiny Python script.)

65 / 76 Heads up! Docker networking is evolving quickly Docker 1.7 has hooks to support: "networks" as first class objects multiple networks overlay driver allowing to span networks across multiple hosts networking plugins from ecosystem partners

Conclusions 66 / 76

67 / 76 Conclusions Containers can share more context than VMs We can use this to decouple complexity (think "microservices" but for ops/devs separation) All tasks typically requiring VM access can be done in separate containers As a result, deployments are broken down in smaller, simpler pieces Complex stacks are expressed with simple YAML files Docker isn't a "silver bullet" to solve all problems, but it gives us tools that make our jobs easier

68 / 76 "But it's not production ready!"

Docker is just two years old 69 / 76

70 / 76 Docker is just two years old And yet...

71 / 76 Docker is just two years old And yet... Activision, Baidu, BBC News, Booz Allen Hamilton, Capital One, Disney, Dramafever, Dreamworks, General Electrics, Gilt, Grub Hub, Heroku, Iron.io, Lyft, Netflix, New York Times, New Relic, Orbitz, Paypal, Rackspace, Riot Games, Shippable, Shopify, Spotify, Stack Exchange, Uber, VMware, Yandex, Yelp,...

72 / 76 Docker is just two years old And yet... Activision, Baidu, BBC News, Booz Allen Hamilton, Capital One, Disney, Dramafever, Dreamworks, General Electrics, Gilt, Grub Hub, Heroku, Iron.io, Lyft, Netflix, New York Times, New Relic, Orbitz, Paypal, Rackspace, Riot Games, Shippable, Shopify, Spotify, Stack Exchange, Uber, VMware, Yandex, Yelp,... Reminder: it took 3 years for Linux to get to 1.0 (1991 to 1994) and 7 years to get support for big vendors

73 / 76 What are they using Docker for? Serving production traffic Rapid onboarding of new developers CI/CD Packaging applications for their customers etc.

74 / 76 What are they using Docker for? Serving production traffic Rapid onboarding of new developers CI/CD Packaging applications for their customers etc. When you have generic questions about Docker, try to s/docker/virtualization/ and ask again...

75 / 76 Thanks! Questions? @jpetazzo @docker

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information