
Codebits 2014 - A Docker Tale

Pedro Dias

April 11, 2014
Transcript

1. Who am I • Pedro Dias • Lecturer at Polytechnic Institute of Tomar • Fullstack Engineer at ptisp.pt • Freelancer/consultant • @pedromdias • github.com/apocas • [email protected]
2. So many questions… • Was this doable? • Could the statistics be expressive enough? • Could the results have enough quality? • Do I have resources for this? • Is there enough data available openly?
3. ~3 hours later… • (3:00AM) Cool, I pulled this off. • (4:00AM) A few thousand modules tested. • (4:05AM) WTF!? Where's my data? • (4:30AM) F**k… that dude's tests wiped my local redis instance. • (4:31AM) I need containment.
4. Virtual Machines • Isolation at a lower level • Larger overhead • Agnostic to management • Less agile • Guest OS may be different from Host's OS
5. Containers • Isolation at a higher level (OS) • Smaller overhead • One OS to manage • OS shared between Guest and Host • Agile
6. From Wikipedia: "Docker is a tool that can package an application and its dependencies in a virtual container that can run on any Linux server …"
7. What it tries to solve (shipping-container analogy diagram) • Multiplicity of goods • Multiplicity of methods for transporting/storing • Do I worry about how goods interact (e.g. coffee beans next to spices)? • Can I transport quickly and smoothly (e.g. from boat to train to truck)? • A standard container that is loaded with virtually any goods, and stays sealed until it reaches final delivery; in between, it can be loaded and unloaded, stacked, transported efficiently over long distances, and transferred from one mode of transport to another.
8. What it tries to solve (the same diagram applied to software) • Multiplicity of stacks: static website, web frontend, user DB, queue, analytics DB • Multiplicity of hardware environments: development VM, QA server, public cloud, contributor's laptop, production cluster, customer data center • Do services and apps interact appropriately? • Can I migrate smoothly and quickly? • An engine that enables any payload to be encapsulated as a lightweight, portable, self-sufficient container that can be manipulated using standard operations and run consistently on virtually any hardware platform.
9. Docker • Lightweight • Commoditization of containers • Features an integration API • Image index • By default uses LXC • Execution/app focused • Builtin builder
10. Why lightweight? (diagram: VMs vs. containers) • VMs: every app, every copy of an app, and every slight modification of the app requires a new virtual server, each with its own Guest OS and Bins/Libs. • Containers: the original App A runs with no OS to take up space, resources, or require restart; a copy or modified App A' can share bins/libs; copy-on-write capabilities allow us to only save the diffs between container A and container A'.
11. How lightweight (diagram: Docker Engine and container image registry) • A base container image with Container Mod A' and Container Mod A'' layered on top as an App Δ. • Host running A wants to upgrade to A''. Requests update. Gets only diffs. Host is now running A''. • Updates are pushed to the registry as image layers.
12. Commoditization • Docker CLI • http://docs.docker.io/en/latest/reference/commandline/cli/ • Remote API • http://docs.docker.io/en/latest/reference/api/docker_remote_api/
13. Docker CLI • Containers: run, start, stop, attach, kill, rm, diff, logs, ... • Images: commit, pull, push, rmi, search, ... • Misc: version, events, ...
14. Remote API • REST('ish) • Supports auth • Listens on a unix socket by default: unix:///var/run/docker.sock • Able to listen on a TCP socket (supports TLS/SSL certificates since yesterday, v0.10), e.g. 127.0.0.1:4243 • OpenStack implementation
15. Build System • Dockerfile • Each instruction that manipulates storage generates a new image • Features caching • If your app has one, it is "containerizable/dockerized" • http://docs.docker.io/en/latest/reference/builder/
16. Dockerfile

    Dockerfile:
    FROM ubuntu:precise
    RUN apt-get install -q -y wget
    RUN wget -O - http://nodejs.org/dist/v0.10.19/node-v0.10.19-linux-x64.tar.gz | tar -C /usr/local/ --strip-components=1 -zxv
    ADD . /src
    RUN cd /src; npm install
    EXPOSE 80
    CMD ["node", "/src/main.js"]

    Build it: docker build -t myapp .
17. Workflow (diagram) • Source code repository holding the Dockerfile for A → Build on the Docker Engine → Push to the Docker container image registry • Docker Host 1 and Docker Host 2 (Linux OS) → Search / Pull → Run containers A, B, C.
18. Version History • v0.2.0 - April 13 - Interactive shell, network • v0.3.0 - May 13 - Open source registry, data volumes • v0.4.0 - Jun 13 - Remote API, build • v0.5.0 - Jul 13 - External volumes, self-hosted registry • v0.6.0 - Aug 13 - Privileged containers, events API • v0.6.5 - Nov 13 - Container naming, links • v0.7.0 - Dec 13 - Distros compatibility, storage drivers, network • v0.8.0 - Feb 14 - Quality, builder, btrfs, OSX • v0.9.0 - March 14 - Execution drivers, libcontainer • v0.10.0 - April 14 - Quality, Ops tooling
19. Docker usage • Test standardisation/repeatability • Process isolation • Resource throttling • Easy to integrate with (Remote API)
20. nodechecker.com • Each module is tested inside a container • Multiple Docker instances • Single point of interaction • Test's stdout and stderr stored
21. Issues at the time • Time = Docker v0.5.0 • High load scenarios were tricky • "Container not found" locks • Stuck containers • Keep in mind it was spawning ~40k containers daily.
22. Docker in production • "Not ready for production software in production" rules apply • Particular to Docker: • Containers are cheap. F**ked up? Spawn a new one. • You have a standard container! Leverage this. • Keep your integration loose. Move as fast as Docker.
23. Builder & image system • One of Docker's best assets • It's VCS for your env • Production and development env reuse • http://crosbymichael.com/dockerfile-best-practices.html
24. Dynamic building • Slower (unless caches apply) • Tweak for cache • Stack always updated • Allows automation (without puppet, chef, …)
25. Pre-built images • External automation may be required • State locked-in • Repeatable envs • Public or private registry advisable
26. Metrics • Not yet integrated into Docker • No CLI or Remote API endpoints • cgroups, iptables, lxc • http://blog.docker.io/2013/10/gathering-lxc-docker-containers-metrics/
27. Quick Hack • Janitor • Standalone process • Monitors the container pool • Keeps the pool clean • Kills/removes anything stuck • Triggers alarms • Uses CLI and/or API
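A janitor of the kind described above, as an added example (not the speaker's code): it reads the list returned by GET /containers/json?all=1, treats a container that has been Up longer than a limit as stuck (kill it and raise an alarm) and any exited container as garbage to remove, then runs the resulting Remote API calls through an injected request function, treating 404 ("container not found", the race from slide 21) as already gone rather than as a failure. The sample list, the image name and the age limit are constructed assumptions.

```javascript
// Added example, not the talk's janitor. Input is the (constructed) shape of
// GET /containers/json?all=1 on a v0.10-era daemon: Id, Image, Status, Created (unix seconds).
function planJanitor(containers, nowSeconds, maxRunSeconds) {
  const plan = { kill: [], remove: [], alarms: [] };
  for (const c of containers) {
    const age = nowSeconds - c.Created;   // Created, not start time: a restarted container looks older
    if (/^Up /.test(c.Status)) {
      if (age > maxRunSeconds) {          // a test that never finished: stuck
        plan.kill.push({ method: 'POST', path: `/containers/${c.Id}/kill` });
        plan.alarms.push(`stuck ${c.Id.slice(0, 12)} (${c.Image}): up ${age}s > ${maxRunSeconds}s`);
      }
    } else if (/^Exit/.test(c.Status)) {  // "Exit 0" or "Exited (1) ..." depending on version
      plan.remove.push({ method: 'DELETE', path: `/containers/${c.Id}?v=1` });
    }
    // anything else (e.g. still being created) is left alone this round
  }
  return plan;
}

// Run the plan; request(method, path) returns an HTTP status code.
// 404 means the container vanished between list and action: not a failure.
function executePlan(plan, request) {
  const result = { done: 0, gone: 0, failed: [] };
  for (const call of [...plan.kill, ...plan.remove]) {
    const status = request(call.method, call.path);
    if (status === 404) result.gone += 1;
    else if (status >= 200 && status < 300) result.done += 1;
    else result.failed.push({ ...call, status });
  }
  return result;
}

// Constructed sample: three test containers seen at now = 1000000, limit 600 s.
const SAMPLE = [
  { Id: 'a'.repeat(64), Image: 'nodechecker/test', Status: 'Up 2 hours', Created: 1000000 - 7200 },
  { Id: 'b'.repeat(64), Image: 'nodechecker/test', Status: 'Up 3 minutes', Created: 1000000 - 180 },
  { Id: 'c'.repeat(64), Image: 'nodechecker/test', Status: 'Exited (1) 5 minutes ago', Created: 1000000 - 900 },
];

function janitorDemo() {
  const plan = planJanitor(SAMPLE, 1000000, 600);
  // Fake daemon: kill succeeds (204); the exited container was already removed by someone else (404).
  const fakeRequest = (method, path) => (method === 'DELETE' ? 404 : 204);
  return { plan, result: executePlan(plan, fakeRequest) };
}
```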
28. Security • Don't give a non-root user access to Docker for now • https://github.com/dotcloud/docker/issues/1655 • https://github.com/subuser-security/subuser/issues/131 • Need inception? • Privileged containers
29. Dockerode • Most used Node.js module for Docker • Implements all Remote API endpoints • Leverages streams • Stdin/out demux • Implements some specs from the CLI (run, build) • Tests • https://github.com/apocas/dockerode
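The stdout/stderr demux mentioned above, as an added example (not dockerode's code): the Remote API attach and logs streams interleave frames with an 8-byte header (stream type, three zero bytes, big-endian payload length), and a test runner that stores stdout and stderr separately (slide 20) has to split them correctly even when a frame is cut across two TCP chunks. The `frame` helper and the sample output are constructed for the demo.

```javascript
// Added example, not from dockerode: demultiplex the Docker Remote API attach stream.
// Frame: [STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4] followed by SIZE payload bytes,
// STREAM_TYPE 0 = stdin, 1 = stdout, 2 = stderr, SIZE = big-endian uint32.
const STREAMS = { 0: 'stdin', 1: 'stdout', 2: 'stderr' };

class Demuxer {
  constructor() {
    this.rest = Buffer.alloc(0);              // bytes of a frame not fully received yet
    this.stdin = []; this.stdout = []; this.stderr = [];
  }
  // Feed one chunk from the socket; complete frames are routed, the tail is kept.
  push(chunk) {
    const buf = Buffer.concat([this.rest, chunk]);
    let off = 0;
    while (buf.length - off >= 8) {
      const name = STREAMS[buf[off]];
      if (!name) throw new Error(`bad stream type ${buf[off]} at offset ${off}`);
      const size = buf.readUInt32BE(off + 4);
      if (buf.length - off - 8 < size) break; // payload incomplete: wait for more
      this[name].push(buf.subarray(off + 8, off + 8 + size));
      off += 8 + size;
    }
    this.rest = buf.subarray(off);
    return this;
  }
  text(name) { return Buffer.concat(this[name]).toString('utf8'); }
}

// Build one multiplexed frame (constructed input for the demo, not captured traffic).
function frame(type, text) {
  const payload = Buffer.from(text, 'utf8');
  const header = Buffer.alloc(8);
  header[0] = type;
  header.writeUInt32BE(payload.length, 4);
  return Buffer.concat([header, payload]);
}

// Demo: a module's test output arriving in two TCP chunks, split in the middle of a frame.
function demuxDemo() {
  const stream = Buffer.concat([
    frame(1, 'npm test\n'),
    frame(2, 'Error: redis ECONNREFUSED\n'),
    frame(1, 'ok\n'),
  ]);
  const d = new Demuxer().push(stream.subarray(0, 20)).push(stream.subarray(20));
  return { stdout: d.text('stdout'), stderr: d.text('stderr'), leftover: d.rest.length };
}
```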
30. Docker-modem • Network loose-coupled • A Remote API network-related change will not impact the ~20 dependent public modules, … private. • https://github.com/apocas/docker-modem