
Building Minimal Docker Containers

Gavin Zhou
February 22, 2017


Transcript

  1. Building Minimal Docker Containers Orangesys Inc.

  2. $Who am I Orangesys Inc. Tachibana Shuji Twitter @yepn Running

  3. Orangesys Inc. SaaS monitoring system https://orangesys.io @orangesysio

  6. Orangesys • All in docker • Kubernetes on GKE •

    OpsDev -> NoOps Architecture & Stack
  7. Architecture: Orangesys > Kubernetes (architecture diagram; only the node labels survive in this transcript). Entry: Cloud Load Balancing, Standard Devices, HTTPS Browser Client. Namespaces: Apigateway, Production, Kube-system, Monitoring, Opsbot. Workloads, each a Replication Controller on Container Engine: Kong ApiGateway, Traefik, Nginx, Ingress, SSL Cert Bot, Server Api, Orange Api, Stripe Server, PostgreSQL, MariaDB, Telegraf, Tiller, Kubernetes API, Prometheus, Influxdb, Grafana, Kubebot, K8s-event. Outside the cluster: Corporate Site on App Engine (Autoscaling), Orangesys Firebase (Autoscaling).
  8. Technology Stack

  9. Agenda • Docker images size • Docker images security

  11. CoreOS Clair: security data sources

  12. Layers

  13. Topic: Docker images on Alpine. For Golang, build Docker images on a scratch base. Fewer layers shorten build time.

  14. Alpine base image: build Docker images on Alpine, whose base image is about 2 MB. However, its libc is musl libc, so there are OS-level dependency issues.

    ex) Not resolving using search domain <service-name>.<namespace-name>.svc.cluster.local https://github.com/gliderlabs/docker-alpine/issues/8
  15. Scratch base image: for Golang, build Docker images on a scratch base. However, when the container makes outbound HTTPS connections, you must ship the CA certificates yourself:

    FROM scratch
    ADD ca-certificates.crt /etc/ssl/certs/
    ADD main /
    CMD ["/main"]
  16. Layers: fewer layers shorten build time. However, if you need libc, it may be better to build on an existing Docker image.
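The scratch Dockerfile of slide 15 and the layer advice of slide 16, worked into one complete build. This is an added example, not from the deck or from the Orangesys repositories. It assumes a Go module in the build context with its entrypoint under ./cmd/main, the golang:1.21-alpine tag, and Docker 17.05 or newer for multi-stage builds (which is newer than the Docker available when this deck was presented).

```dockerfile
# Added example, not from the deck: multi-stage build that produces the
# scratch-based image of slide 15 and applies the single-layer advice of slide 16.
# Assumed: a Go module in the build context whose entrypoint is ./cmd/main.

# --- build stage: Alpine-based Go toolchain image (tag is an assumption) ------
FROM golang:1.21-alpine AS builder

# One RUN for all package work keeps it to a single layer (slide 16).
# ca-certificates provides the bundle copied into scratch below;
# --no-cache keeps the apk index out of the layer.
RUN apk add --no-cache ca-certificates git

WORKDIR /src
# Copy go.mod/go.sum first so the module download layer is cached across source edits.
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# CGO_ENABLED=0 yields a fully static binary. scratch has no libc at all,
# neither glibc nor musl, so a dynamically linked binary would not start.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags='-s -w' -o /main ./cmd/main

# --- final stage: scratch -------------------------------------------------------
FROM scratch

# Without this file every outbound HTTPS call fails with
# "x509: certificate signed by unknown authority" (slide 15's caveat).
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

COPY --from=builder /main /main

# Run unprivileged. scratch has no /etc/passwd, so the UID/GID must be numeric.
USER 65534:65534

ENTRYPOINT ["/main"]
```

Build with `docker build -t app:scratch .` and inspect with `docker history app:scratch`: only the final stage's layers ship, so the layer count that matters for image size is the count in the `FROM scratch` stage, not the builder's. Combining RUN steps also matters because a file deleted in a later RUN still occupies the earlier layer. Two things the scratch image does not have: a shell (so `docker exec -it ... sh` will not work; debug with a sidecar or a non-scratch build variant) and timezone data (if the program calls `time.LoadLocation`, install `tzdata` in the builder and copy `/usr/share/zoneinfo` the same way as the CA bundle).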

  17. References https://github.com/orangesys https://stackshare.io/orangesys-inc https://hub.docker.com/u/orangesys/dashboard/