How Containers Are Made

© 2016 Mesosphere, Inc. All Rights Reserved. HOW CONTAINERS ARE
MADE  A LOOK INTO THE  SAUSAGE FACTORY 1 Michael Hausenblas, Distributed Systems Jester | 2016-06-08 | ContainerSched, London @mhausenblas

© 2016 Mesosphere, Inc. All Rights Reserved. sys admin/SRE appops
developer architect QA/test engineer data engineer

© 2016 Mesosphere, Inc. All Rights Reserved. WTF IS CONTAINER
OPERATIONS? 4 containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. WTF IS CONTAINER
OPERATIONS? 5 examples layer source artifacts .scala, .go, .py, .sh, etc.  and config files packaging Dockerfile, runc runtime Marathon app spec, Kubernetes RC, Docker compose

© 2016 Mesosphere, Inc. All Rights Reserved. 6 appops The
person who writes an app is also the person responsible for operating the app in prod.

© 2016 Mesosphere, Inc. All Rights Reserved. 7 It's not
about provisioning  a VM or installing a DC/OS cluster or replacing a faulty HDD …    … this would be on the infrastructure team. appops

© 2016 Mesosphere, Inc. All Rights Reserved. APPOPS  LIFE CYCLE
9

© 2016 Mesosphere, Inc. All Rights Reserved. APPOPS  LIFE CYCLE
10 dev CI/CD CI/CD time QA prod dev QA prod release

© 2016 Mesosphere, Inc. All Rights Reserved. PICK YOUR POISON
11 templated  serverless IFTTT,  Microsoft Flow free-style   serverless AWS Lambda, Microsoft Services PaaS Heroku,  Google App Engine containerized Docker/rkt  with Marathon  or Kubernetes traditional  multi-tier monolith  on bare metal  or VM agility level of control

© 2016 Mesosphere, Inc. All Rights Reserved. PICK YOUR POISON
12 serverless microservices monolith nanoservices function container container machine unit: env: maintenance utilization costs/unit

© 2016 Mesosphere, Inc. All Rights Reserved. CONTAINER  101 14
The why and the what: • Containers vs VMs • app-level dependency management • lightweight (startup time, footprint, average runtime) • isolation & security containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. CONTAINER  101 15
• namespaces (isolation) • Isolate PIDs between processes • Isolate process to network resources • Isolate the hostname to fake it out (UTS) • Isolate the filesystem mount points (chroot) • Isolate inter process communication (IPC) • Isolate specific users to specific processes • cgroups (limiting & accounting)  https://sysadmincasts.com/episodes/14-introduction-to-linux-control-groups-cgroups containerization runtime  specification deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. DOCKER 16 containerization
runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. REGISTRIES 17 •
Docker Hub  https://hub.docker.com/ • Google Cloud  https://cloud.google.com/tools/container-registry/ • AWS  https://aws.amazon.com/ecr/ • CoreOS  https://quay.io/ • SUSE Portus  http://port.us.org/ • JFrog Artifactory  https://www.jfrog.com/artifactory/ • Run your own  https://docs.docker.com/registry/deploying/ containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. SECRETS 18 Please,
don't bake credentials into images … rather do: $ docker run -d -e API_TOKEN=SECRET somedatabase $ docker run -d -v $(pwd):/fsecret:/fsecret:ro somedatabase Even better: use key-value in-memory stores such as Square's KeyWhiz, HashiCorp's Vault, or Crypt or native solutions such as Kubernetes Secrets containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. A WORD OF
CAUTION 19 containerize != Docker image containerization runtime  speciﬁcation deployment day 2  operations github.com/mhausenblas/marvin

© 2015 Mesosphere, Inc. All Rights Reserved. WHAT IS  CONTAINER
ORCHESTRATION? 21 containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. WHAT DOES A
SCHEDULER DO? 22 containerization runtime  speciﬁcation deployment day 2  operations

© 2015 Mesosphere, Inc. All Rights Reserved. DOCKER SWARM 23
http://www.slideshare.net/snrism/swarm-container-cluster-service containerization runtime  speciﬁcation deployment day 2  operations

© 2015 Mesosphere, Inc. All Rights Reserved. KUBERNETES 24 http://k8s.info/cs.html
containerization runtime  speciﬁcation deployment day 2  operations

© 2015 Mesosphere, Inc. All Rights Reserved. APACHE MESOS +
MARATHON 30 http://mesos.berkeley.edu/mesos_tech_report.pdf Marathon  scheduler Spark  scheduler Spark  executor Marathon  executor Spark  executor Marathon  executor Mesos Agent Mesos Agent Mesos Agent Mesos  Master Standby  Master Standby  Master Framework containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. MARATHON  APP SPEC
31 { "id": "/webserver", "instances": 5, "cpus": 0.1, "mem": 128, "container": { "type": "DOCKER", "docker": { "image": "nginx:1.9.14", "network": "BRIDGE", "portMappings": [ { "containerPort": 80, "hostPort": 0 } ] } }, "upgradeStrategy": { "minimumHealthCapacity": 0.9 }, "acceptedResourceRoles": [ "slave_public" ] } containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. DC/OS SERVICE DISCOVERY
35 DNS-based easy to integrate SRV records no health checks TTL Proxy-based no port conflicts fast failover no UDP management of VIPs (Minuteman) or service ports (Marathon-lb) Application-aware developer fully in control and full-feature implementation effort requires distributed state management (ZK, etcd or Consul) examples:  Mesos-DNS,Consul examples:  Minuteman, Marathon-lb examples:  roll-your-own, Finagle containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. ZERO-DOWNTIME DEPLOYMENTS 36
rolling deployment bring up N instances of new app & terminate N instances of old app until all old instances are gone goal: minimize capacity requirements blue-green deployment launch a new stack and switch traffic from old to new when the new instances are healthy goal: minimize impact of regressions, friction, delays, and allow easy rollbacks canary deployment bring up a new stack, start by routing a small portion of traffic to the new app, and slowly increase goal: test production traffic slowly & safely containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. DEPLOYMENT STRATEGIES (DC/OS)
37 • Based on health checks • Policy via • minimumHealthCapacity float value between 0—1, specifies % of app instances to maintain healthy while performing deployment • maximumOverCapacity float value between 0 — 1, specifies the maximum % of instances that can be over capacity during deployment containerization runtime  speciﬁcation deployment day 2  operations

© 2016 Mesosphere, Inc. All Rights Reserved. DAY 2  OPERATIONS
39 • Logging • Monitoring and alerting • Sysdig • Prometheus • DataDog • Auditing • Capacity planning, auto-scaling, oversubscription containerization runtime  speciﬁcation deployment day 2  operations

I LEARN MORE? 44 http://301.sh/ora2016-dnsd http://301.sh/ora2016-dnsd

I LEARN MORE? http://shop.oreilly.com/product/0636920039952.do https://manning.com/books/mesos-in-action 45

How Containers Are Made

How Containers Are Made

More Decks by Michael Hausenblas

Other Decks in Technology

Featured

Transcript