Let's Talk About Containers

The slides for my talk from DevOps CT on Containers and Docker

David Long

July 21, 2016

Transcript

  1. Let’s Talk About Containers: What Are Containers?
    ▸ Lightweight virtual containers for applications
    ▸ Runs its own libraries and programs on host kernel
    ▸ Uses resource isolation and namespaces to secure host
    ▸ Docker and Containers are commonly used synonymously
    @davejlong
  2. Let’s Talk About Containers
    “Docker is a tool that can package an application and its dependencies in a virtual container that can run on any Linux server*.”
    451 Research
  3. Let’s Talk About Containers
    Containers In Development
    ▸ Clean environment
    ▸ Similar setup as production
    ▸ Easy startup and shutdown
    ▸ Easily on-board new developers
    ▸ Self-documenting system changes
    Containers In Production
    ▸ Isolation of applications
    ▸ Better security*
    ▸ Smaller than traditional VMs
    ▸ Easy to remediate issues
    ▸ Easy to scale
  4. Containers In Development: Never Have I Ever…
    ▸ Added a new dependency without documentation?
    ▸ Upgraded your runtime without notifying ops?
    ▸ Wanted to do something else besides develop?
  5. Containers In Development: Docker Compose
    ▸ Run in production-like environment
    ▸ Version lock runtimes
    ▸ Run required services for application
    ▸ Easy shutdown and cleanup
    ▸ Foreman-like CLI
  6. Containers In Development: Setting Up Docker Compose
    ▸ Set up 2 configuration files
        ▸ Dockerfile
        ▸ docker-compose.yml
    ▸ Build the environment
    ▸ Develop awesome software!

    $ docker-compose build
    ...
    $ docker-compose up
    server_redis_1 is up-to-date
    server_db_1 is up-to-date
    Creating server_worker_1
    Creating server_app_1
    Attaching to server_redis_1, server_db_1, server_worker_1, server_app_1
  7. Dockerfile

    FROM ruby:2.3
    MAINTAINER Dave Long <[email protected]>
    # Install OS packages and remove the apt lists in the same layer
    RUN apt-get update \
     && apt-get install -yqq nodejs postgresql-client \
     && rm -rf /var/lib/apt/lists/*
    ENV TS_NODE /usr/bin/nodejs
    WORKDIR /app
    # Copy the Gemfile first so the bundle layer is cached until gems change
    COPY Gemfile* /app/
    RUN bundle install
    # Copy the rest of the application
    COPY . /app/
    EXPOSE 3000
    VOLUME ["/app"]
    CMD ["bin/rails", "server", "--binding", "0.0.0.0", "--port", "3000"]
  8. docker-compose.yml

    app:
      build: . # Just like `docker build .`
      environment:
        - RAILS_ENV=development
      volumes:
        - .:/app
      ports:
        - "3000:3000"
      depends_on:
        - db
        - redis
      command: bin/rails server --binding 0.0.0.0 --port 3000
  9. Containers In Development: Running Some Commands
    ▸ Load up migrations
        ▸ docker-compose run app bin/rake db:migrate
    ▸ Run the test suite
        ▸ docker-compose run app bin/rspec
    ▸ Start the server
        ▸ docker-compose up
  10. Containers In Development: Lessons Learned
    ▸ up has no tty and is not interactive
        ▸ docker-compose run {service} instead
    ▸ Sometimes things don’t start the first time you try
        ▸ Postgres is a big culprit
    ▸ When possible use Alpine images
        ▸ They’re much smaller and so pull much faster
    ▸ Version in compose file must be a string
  11. Containers In Production: What’s Different Than Development?
    ▸ Running containers across a cluster
    ▸ Managing security across containers and hosts
    ▸ Maintaining persistent data
    ▸ Logging and monitoring!
  12. Docker In Production: Clustering Docker Hosts
    ▸ Operating systems
        ▸ CoreOS
        ▸ DC/OS
        ▸ Linux
        ▸ Windows (2016)
    ▸ Orchestration systems
        ▸ Docker Swarm
        ▸ Mesosphere
        ▸ Kubernetes
    ▸ Cloud Hosts
        ▸ Google Cloud
        ▸ Amazon Web Services
        ▸ Azure
        ▸ OpenShift
    ▸ On-Prem Hosting
        ▸ Windows Hyper-V (2016)
        ▸ VMWare vSphere
  13. Containers In Production: Securing Containers And Hosts
    ▸ Docker runs as root… mostly
    ▸ Kernel capabilities mean “container root” != “host root”
    ▸ OpenSSL in a container is still OpenSSL
    ▸ Docker doesn’t do magic
    ▸ Outdated packages in containers are still bad
    ▸ If your app can talk to the database, so can a hacker
    ▸ Follow best practices for securing any server
    ▸ Security by destruction
  14. Containers In Production: Managing Persistent Data
    ▸ When a container dies, so does its data
    ▸ If you need it, don’t keep it in a container
    ▸ Can it be built into the container?
        ▸ Rails assets
    ▸ Storage must be available across cluster
  15. Containers In Production: Logging And Monitoring
    ▸ Again, when a container dies, so does its data
    ▸ Set up a logging system
        ▸ ELK
        ▸ Loggly
        ▸ Logentries
    ▸ Pick a monitoring system that can monitor containers
        ▸ New Relic
        ▸ Dynatrace
  16. Containers In Production: Keep Containers Small
    ▸ Clean up after yourself
    ▸ Don’t build in your tools unless you need them
    ▸ Read up on the best practices
  17. Talking About Containers: More Resources
    ▸ docker.com - Home Page
    ▸ docs.docker.com - Doc Site
    ▸ hub.docker.com - Public Image Library
    ▸ cloud.google.com - Container Engine
    ▸ YouTube - DockerCon 2016
  18. Talking About Containers: Dave Long
    ▸ @davejlong
    ▸ Director of Dev, Cage Data
    ▸ Co-Founder of DevOps CT
    ▸ I blog sometimes at davejlong.com
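
An added example, not part of the slides: one way the points on slide 13 ("Docker runs as root… mostly", kernel capabilities, outdated packages) could be applied to the `app` service from slide 8 in a production-style compose file. The image name and tag, the UID/GID, the tmpfs paths, logging to stdout and the loopback-only port binding are all assumptions.

```yaml
# Added example, not from the talk. Compose file format 2.
version: "2"            # a string, as slide 10 notes
services:
  app:
    # Hypothetical registry and tag. Deploy a prebuilt, dated image and
    # replace it on every rebuild so outdated packages leave with the old
    # container instead of being patched in place.
    image: registry.example.com/server_app:2016-07-21
    # Run as an unprivileged user rather than container root.
    # Assumed UID/GID; the image must make /app readable by it.
    user: "1000:1000"
    # Drop every kernel capability. A Rails server listening on an
    # unprivileged port (3000) does not need any of them.
    cap_drop:
      - ALL
    # Stop setuid/setgid binaries in the image from gaining privileges.
    security_opt:
      - no-new-privileges:true
    # Root filesystem is read-only; only scratch directories are writable.
    # Assumes the app logs to stdout rather than /app/log.
    read_only: true
    tmpfs:
      - /tmp
      - /app/tmp
    environment:
      - RAILS_ENV=production
    # Publish on loopback only, assuming a reverse proxy runs on the host.
    ports:
      - "127.0.0.1:3000:3000"
    command: bin/rails server --binding 0.0.0.0 --port 3000
    # The db and redis services (and depends_on) from slide 8 are omitted
    # here; they would get the same user/cap_drop/read_only treatment.
```

No source bind mount (`.:/app`) is used here, unlike the development file on slide 8, so the running container cannot modify code on the host.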