Slide 1

Managing Container Configuration with Metadata
Working towards standard interfaces
Gareth Rushgrove, Puppet Labs

Slide 2

Gareth Rushgrove @garethr

Slide 3

Gareth Rushgrove

Slide 4

This Talk
The Introduction

Slide 5

Shipping containers are cool
Gareth Rushgrove

Slide 6

But nothing without all the paperwork

Slide 7

A manifest or ship's manifest is a document listing the cargo, passengers, and crew of a ship, aircraft, or vehicle, for the use of customs and other officials.

Slide 8

A bill of lading is a document issued by a carrier which details a shipment of merchandise and gives title of that shipment to a specified party.

Slide 9

Let's apply the same principles to a different type of container

Slide 10

Container Labels
What have we got to work with?

Slide 11

Labels on Docker Engines

Slide 12

$ docker daemon \
    --label com.example.environment="production" \
    --label com.example.storage="ssd"

Provide information about the host

Slide 13

Labels to guide Swarm scheduling

$ docker run -d -P \
    -e constraint:storage==ssd --name db mysql

Slide 14

Labels on Docker images

Slide 15

Dockerfile LABEL instruction

LABEL [<namespace>.]<key>[=<value>] ...

Slide 16

LABEL vendor=ACME\ Incorporated
LABEL com.example.version.is-beta
LABEL com.example.version="0.0.1-beta"
LABEL com.example.release-date="2015-02-12"

Don't do this - new layer per label

Slide 17

LABEL vendor="ACME\ Incorporated" \
      com.example.is-beta \
      com.example.version="0.0.1-beta" \
      com.example.release-date="2015-02-12"

Better - only one layer

Slide 18

$ docker inspect 4fa6e0f0c678
...
"Labels": {
    "vendor": "ACME Incorporated",
    "com.example.is-beta": "",
    "com.example.version": "0.0.1-beta",
    "com.example.release-date": "2015-02-12"
}
...

Access labels via inspect

Slide 19

Containers can have additional labels too

Slide 20

$ docker run \
    -d \
    --label com.example.group="webservers" \
    --label com.example.environment="production" \
    busybox \
    top

Add labels at docker run time

Slide 21

Query based on labels with filters

Slide 22

$ docker images --filter "label=com.example.is-beta"

Filter images by label

Slide 23

$ docker ps --filter "label=com.example.is-beta"

Filter containers by label

Slide 24

Kubernetes labels

Slide 25

"labels": {
    "key1": "value1",
    "key2": "value2"
}

Apply arbitrary metadata to objects

Slide 26

$ kubectl get pods -l 'environment in (production, qa)'

Query using sets or equalities
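The set-based and equality selectors the slide above queries with can be reproduced in a few dozen lines. The following is an added Python example, not code from the talk or from Kubernetes itself: it parses kubectl's `-l` syntax (`=`, `==`, `!=`, `in`, `notin`, bare `key` and `!key`) and applies it to a constructed list of pods, `PODS`, standing in for what `kubectl get pods` would list.

```python
import re
from typing import Callable, Dict, List

Labels = Dict[str, str]
Predicate = Callable[[Labels], bool]

# Constructed sample objects standing in for what `kubectl get pods` would list.
PODS = [
    {"name": "web-1", "labels": {"environment": "production", "tier": "frontend"}},
    {"name": "web-2", "labels": {"environment": "qa", "tier": "frontend"}},
    {"name": "db-1", "labels": {"environment": "production", "tier": "backend"}},
    {"name": "scratch", "labels": {"tier": "frontend"}},
]

_KEY = r"[A-Za-z0-9][A-Za-z0-9._/\-]*"
_SET_RE = re.compile(rf"^({_KEY})\s+(notin|in)\s+\(([^)]*)\)$")
_EQ_RE = re.compile(rf"^({_KEY})\s*(==|!=|=)\s*([A-Za-z0-9._\-]*)$")
_EXISTS_RE = re.compile(rf"^(!?)({_KEY})$")


def _split_requirements(selector: str) -> List[str]:
    """Split on commas that are not inside a set's parentheses."""
    parts, depth, current = [], 0, []
    for ch in selector:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def parse_selector(selector: str) -> List[Predicate]:
    """Turn a kubectl -l selector into predicates over a label map.

    Follows Kubernetes semantics: '!=' and 'notin' also match objects that
    lack the key entirely, because a missing value is 'not equal' to anything.
    """
    predicates: List[Predicate] = []
    for req in _split_requirements(selector):
        m = _SET_RE.match(req)
        if m:
            key, op, raw = m.groups()
            values = {v.strip() for v in raw.split(",") if v.strip()}
            if op == "in":
                predicates.append(lambda l, k=key, vs=values: l.get(k) in vs)
            else:
                predicates.append(lambda l, k=key, vs=values: l.get(k) not in vs)
            continue
        m = _EQ_RE.match(req)
        if m:
            key, op, value = m.groups()
            if op == "!=":
                predicates.append(lambda l, k=key, v=value: l.get(k) != v)
            else:
                predicates.append(lambda l, k=key, v=value: l.get(k) == v)
            continue
        m = _EXISTS_RE.match(req)
        if m:
            negate, key = m.groups()
            predicates.append(lambda l, k=key, n=bool(negate): (k in l) != n)
            continue
        raise ValueError(f"unparseable requirement: {req!r}")
    return predicates


def select(objects, selector: str) -> List[str]:
    """Names of objects whose labels satisfy every requirement (requirements are ANDed)."""
    predicates = parse_selector(selector)
    return [o["name"] for o in objects if all(p(o["labels"]) for p in predicates)]


if __name__ == "__main__":
    print(select(PODS, "environment in (production, qa)"))
```

The `!=` and `notin` behaviour is worth keeping in mind whenever a selector acts as a boundary (a network policy, a scheduling constraint, an audit query): an object that simply omits the label passes every negative requirement, so the `scratch` pod above is returned by `environment!=production` even though it has no environment at all.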

Slide 27

Application container specification

Slide 28

"annotations": [
    { "name": "authors", "value": "Carly Container" },
    { "name": "created", "value": "2014-10-27T19:32:27.67021798Z" },
    { "name": "documentation", "value": "https://example.com/docs" },
    { "name": "homepage", "value": "https://example.com" }
]

Appc defines annotations and labels

Slide 29

But what metadata to store?

Slide 30

Package Managers
A quick aside

Slide 31

I like system packages

Slide 32

The power of system packages lies not in the file format but in the metadata

Slide 33

DPKG and RPM

Slide 34

Debian New Maintainer’s Guide

Slide 35

Fedora Packaging Guidelines

Slide 36

Summary: A CD player app that rocks!
Name: cdplayer
Version: 1.0
Release: 1
Copyright: GPL
Group: Applications/Sound
Source: ftp://ftp.gnomovision.com/pub/cdplayer/cdplayer-1.0.tgz
URL: http://www.gnomovision.com/cdplayer/cdplayer.html
Distribution: WSS Linux
Vendor: White Socks Software, Inc.
Packager: Santa Claus

%description
It slices! It dices! It's a CD player app that can't be beat. By using the resonant frequency of the CD itself, it is able to simulate 20X

Example RPM spec file

Slide 37

Given standard metadata what can we do?

Slide 38

$ dpkg -L lynx
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/lynx
/usr/share/doc/lynx/copyright
/usr/share/doc/lynx/changelog.gz
/usr/share/doc/lynx/changelog.Debian.gz

List files from packages

Slide 39

$ rpm -qf /usr/bin/mysqlaccess
MySQL-client-3.23.57-1

What installed that file?

Slide 40

$ apt-cache unmet
Package libdataobjects-sqlite3-ruby1.9.1 version 0.10.1.1-1 has an unmet dep:
 Depends: libdataobjects-ruby1.9

Find unmet dependencies

Slide 41

$ rpm -qdf /usr/bin/mysqlaccess
/usr/share/man/man1/mysql.1.gz
/usr/share/man/man1/mysqlaccess.1.gz
/usr/share/man/man1/mysqladmin.1.gz
/usr/share/man/man1/mysqldump.1.gz
/usr/share/man/man1/mysqlshow.1.gz

Find documentation

Slide 42

Standards
The power of agreement

Slide 43

Docker official label guidance

Slide 44

All (third-party) tools should prefix their keys with the reverse DNS notation of a domain controlled by the author. For example, com.example.some-label.

Slide 45

The com.docker.*, io.docker.* and org.dockerproject.* namespaces are reserved for Docker’s internal use.

Slide 46

Keys should only consist of lower-cased alphanumeric characters, dots and dashes (for example, [a-z0-9-.]).

Slide 47

Keys should start and end with an alphanumeric character.

Slide 48

Keys may not contain consecutive dots or dashes.

Slide 49

Keys without namespace (dots) are reserved for CLI use.

Slide 50

How widely adhered to?

Slide 51

< 20% from a small sample

Slide 52

Without complete metadata we can’t trust the tools built on top

Slide 53

Hadolint, Dockerfile Linter

Slide 54

DL3006 Always tag the version of an image explicitely.
DL4000 Specify a maintainer of the Dockerfile
FROM debian

SC2154 node_verion is referenced but not assigned (did you mean 'node_version'?).
DL3009 Delete the apt-get lists after installing something
DL3015 Avoid additional packages by specifying `--no-install-recommends`
RUN export node_version="0.10" \
    && apt-get update && apt-get -y install nodejs="$node_verion"

Includes common issues and shellcheck linting of bash

Slide 55

Docker Label Inspector

Slide 56

$ dli lint
========> Check all labels have namespaces
[WARN] Label 'vendor' should use a namespace based on reverse DNS notation
========> Check labels don't use reserved namespaces
========> Check labels only use valid characters
========> Check labels start and end with alpanumeric characters
========> Check labels for double dots and dashes

Check against Docker guidelines
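The checks `dli lint` walks through above are the rules from the Docker label guidance slides (reverse-DNS namespace, reserved namespaces, allowed characters, alphanumeric start and end, no consecutive dots or dashes). The following is an added Python implementation of those rules, not the Docker Label Inspector's own code. It reads `Config.Labels` out of `docker inspect` output, here a constructed copy of the talk's example image embedded as `INSPECT_OUTPUT`, and reports the same finding for the un-namespaced `vendor` key that the tool prints.

```python
import json
import re
from typing import Dict, List

RESERVED_NAMESPACES = ("com.docker.", "io.docker.", "org.dockerproject.")
_VALID_CHARS = re.compile(r"[a-z0-9.\-]+")
_ALNUM = re.compile(r"[a-z0-9]")

# Constructed `docker inspect` output carrying the labels from the talk's
# example image (only the Config.Labels part matters for linting).
INSPECT_OUTPUT = json.dumps([{
    "Id": "4fa6e0f0c678",
    "Config": {
        "Labels": {
            "vendor": "ACME Incorporated",
            "com.example.is-beta": "",
            "com.example.version": "0.0.1-beta",
            "com.example.release-date": "2015-02-12",
        }
    },
}])


def lint_label_key(key: str) -> List[str]:
    """Return the guideline violations for one label key (an empty list means clean)."""
    problems = []
    if "." not in key:
        # Un-namespaced keys are reserved for CLI use.
        problems.append("should use a namespace based on reverse DNS notation")
    if key.startswith(RESERVED_NAMESPACES):
        problems.append("uses a namespace reserved for Docker's internal use")
    if not _VALID_CHARS.fullmatch(key):
        problems.append("may only contain lower-case alphanumerics, dots and dashes")
    if not (key and _ALNUM.fullmatch(key[0]) and _ALNUM.fullmatch(key[-1])):
        problems.append("must start and end with an alphanumeric character")
    if ".." in key or "--" in key:
        problems.append("must not contain consecutive dots or dashes")
    return problems


def labels_from_inspect(inspect_json: str) -> Dict[str, str]:
    """Pull Config.Labels out of `docker inspect` output (a JSON array of objects)."""
    objects = json.loads(inspect_json)
    return (objects[0].get("Config") or {}).get("Labels") or {}


def lint_labels(labels: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each offending key to its problems; clean keys are left out of the report."""
    report: Dict[str, List[str]] = {}
    for key in labels:
        problems = lint_label_key(key)
        if problems:
            report[key] = problems
    return report


if __name__ == "__main__":
    for key, problems in lint_labels(labels_from_inspect(INSPECT_OUTPUT)).items():
        for problem in problems:
            print(f"[WARN] Label '{key}' {problem}")
```

Running this against an image in CI, rather than only at authoring time, is what turns the guidance into something the tooling on top of labels can rely on: a key like `Com.Example.Version` is silently a different label from `com.example.version`, and only a check that fails the build catches it.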

Slide 57

$ dli validate
========> Check labels based on schema in 'schema.json'
[ERROR] u'com.example.is-beta' is a required property

Check against a schema

Slide 58

{
    "title": "Dockerfile schema",
    "type": "object",
    "properties": {
        "com.example.release-date": {
            "type": "string"
        },
        "com.example.is-beta": {
            "type": "string"
        },
        "com.example.version": {
            "description": "Version",
            "type": "integer",
            "minimum": 0
        }
    },
    "required": ["com.example.is-beta", "com.example.version"]
}

Define labels in JSON Schema
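To show how a schema like the one above is applied to label data, here is an added Python example; it is not the Docker Label Inspector's code but a stdlib-only validator for exactly the keywords the schema uses (`type`, `properties`, `required`, `minimum`), producing the same "is a required property" message as the `dli validate` output. `LABEL_SCHEMA` is the schema from the slide; the label maps are constructed. One caveat the example makes visible: Docker stores every label value as a string, so the `integer` type on `com.example.version` can never pass on raw `docker inspect` output, and `coerce_integers` (an added helper, not part of JSON Schema) is the explicit conversion step a real tool needs before validating.

```python
from typing import Any, Dict, List

# The schema from the talk's slide, expressed as a Python dict.
LABEL_SCHEMA = {
    "title": "Dockerfile schema",
    "type": "object",
    "properties": {
        "com.example.release-date": {"type": "string"},
        "com.example.is-beta": {"type": "string"},
        "com.example.version": {"description": "Version", "type": "integer", "minimum": 0},
    },
    "required": ["com.example.is-beta", "com.example.version"],
}

# Constructed label maps as `docker inspect` returns them: every value is a string.
LABELS_INCOMPLETE = {"com.example.release-date": "2015-02-12", "com.example.version": "1"}
LABELS_COMPLETE = {"com.example.is-beta": "", "com.example.version": "1"}


def _has_type(value: Any, expected: str) -> bool:
    # bool is a subclass of int in Python, so exclude it from integer/number.
    if expected == "string":
        return isinstance(value, str)
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if expected == "boolean":
        return isinstance(value, bool)
    if expected == "object":
        return isinstance(value, dict)
    if expected == "array":
        return isinstance(value, list)
    raise ValueError(f"unsupported type keyword: {expected}")


def validate(instance: Any, schema: Dict[str, Any], path: str = "") -> List[str]:
    """Validate against the subset of JSON Schema the label schema uses; returns error strings."""
    errors: List[str] = []
    where = path or "<root>"
    if "type" in schema and not _has_type(instance, schema["type"]):
        errors.append(f"{where}: {instance!r} is not of type '{schema['type']}'")
        return errors  # the remaining keywords assume the type matched
    if isinstance(instance, dict):
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"'{name}' is a required property")
        for name, subschema in schema.get("properties", {}).items():
            if name in instance:
                errors.extend(validate(instance[name], subschema, name))
    if ("minimum" in schema and isinstance(instance, (int, float))
            and not isinstance(instance, bool) and instance < schema["minimum"]):
        errors.append(f"{where}: {instance} is less than the minimum of {schema['minimum']}")
    return errors


def coerce_integers(labels: Dict[str, str], schema: Dict[str, Any]) -> Dict[str, Any]:
    """Convert values of integer-typed properties from the string form Docker stores.

    Added helper: values that do not parse are left alone so validate() reports them.
    """
    out: Dict[str, Any] = dict(labels)
    for name, sub in schema.get("properties", {}).items():
        if sub.get("type") == "integer" and name in out:
            try:
                out[name] = int(out[name])
            except ValueError:
                pass
    return out


if __name__ == "__main__":
    for error in validate(LABELS_INCOMPLETE, LABEL_SCHEMA):
        print(f"[ERROR] {error}")
```

Without the conversion step every image would fail the `integer` check, and the temptation is then to loosen the schema to `string`, which throws away the `minimum` constraint; converting first keeps the schema strict and still rejects a value such as `0.0.1-beta` in a field declared numeric.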

Slide 59

DEMO

Slide 60

Runtime Metadata
A missing piece, and some ideas

Slide 61

What temperature is a refrigerated shipping container at?

Slide 62

docker exec as an API

Slide 63

FROM alpine
LABEL net.morethanseven.dockerfile="/Dockerfile" \
      net.morethanseven.exec.packages="apk info -vv"
RUN apk add --update bash && rm -rf /var/cache/apk/*
COPY Dockerfile /

Dockerfile example

Slide 64

$ docker inspect -f "{{json .Config.Labels }}" \
    garethr/alpine \
    | jq
{
  "net.morethanseven.dockerfile": "/Dockerfile",
  "com.containermetadata.exec.packages": "apk info -vv"
}

Discover our API

Slide 65

$ docker run -i -t garethr/alpine cat /Dockerfile
FROM alpine
LABEL net.morethanseven.dockerfile="/Dockerfile" \
      net.morethanseven.exec.packages="apk info -vv"
RUN apk add --update bash && rm -rf /var/cache/apk/*
COPY Dockerfile /

Read the Dockerfile

Slide 66

$ docker run -i -t garethr/alpine apk info -vv
musl-1.1.11-r2 - the musl c library (libc) implementation
busybox-1.23.2-r0 - Size optimized toolbox of many common UNIX utilities
alpine-baselayout-2.3.2-r0 - Alpine base dir structure and init scripts
openrc-0.15.1-r3 - OpenRC manages the services, startup and shutdown of
alpine-conf-3.2.1-r6 - Alpine configuration management scripts

List installed packages
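Consuming the convention from the last four slides from the outside, the way a tool rather than a person would: the following is an added Python example, not the talk's tooling. It discovers `<namespace>.exec.<name>` labels in the output of `docker inspect -f "{{json .Config.Labels}}"` (a constructed `INSPECT_LABELS` map stands in for it; the `versions` command is an invented extra entry), finds the advertised Dockerfile path, and builds the `docker run` argv for one of the commands. Label values are split with `shlex` and handed over as an argv list, so nothing taken from a label is ever interpreted by the host's shell; the command only runs inside the image that advertised it.

```python
import json
import re
import shlex
from typing import Dict, List, Optional

# Constructed `docker inspect -f "{{json .Config.Labels}}"` output for an image
# following the talk's label convention (not a real image's labels).
INSPECT_LABELS = json.dumps({
    "net.morethanseven.dockerfile": "/Dockerfile",
    "net.morethanseven.exec.packages": "apk info -vv",
    "net.morethanseven.exec.versions": "cat /etc/alpine-release",
    "com.example.release-date": "2015-02-12",
})

# <namespace>.exec.<name>: the namespace is whatever precedes the literal ".exec."
_EXEC_KEY = re.compile(r"^(?P<ns>[a-z0-9.\-]+)\.exec\.(?P<name>[a-z0-9\-]+)$")


def discover_exec_api(labels_json: str, namespace: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each advertised exec command name to its argv, split without a shell."""
    labels = json.loads(labels_json)
    api: Dict[str, List[str]] = {}
    for key, value in labels.items():
        m = _EXEC_KEY.match(key)
        if not m or (namespace and m.group("ns") != namespace):
            continue
        api[m.group("name")] = shlex.split(value)
    return api


def dockerfile_path(labels_json: str) -> Optional[str]:
    """In-image path of the Dockerfile, if a '<namespace>.dockerfile' label advertises one."""
    for key, value in json.loads(labels_json).items():
        if key.endswith(".dockerfile"):
            return value
    return None


def run_argv(image: str, labels_json: str, name: str) -> List[str]:
    """argv for `docker run --rm <image> <command>`, with the command read from the label."""
    api = discover_exec_api(labels_json)
    if name not in api:
        raise KeyError(f"image advertises no exec command named {name!r}; known: {sorted(api)}")
    return ["docker", "run", "--rm", image] + api[name]


if __name__ == "__main__":
    print(sorted(discover_exec_api(INSPECT_LABELS)))
    print(" ".join(run_argv("garethr/alpine", INSPECT_LABELS, "packages")))
```

The argv list is what you would hand to `subprocess.run` without `shell=True`; the image author already controls everything that runs inside the container, so the only thing the host side has to guard is that label text never reaches its own shell or gets spliced into other commands.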

Slide 67

DEMO

Slide 68

More thoughts from R.I.Pienaar

Slide 69

Tooling
What could we build atop our metadata?

Slide 70

Documentation discovery

Slide 71

License verification

Slide 72

Links to source code or release notes

Slide 73

Automatically generated interfaces

Slide 74

Package search

Slide 75

DEMO

Slide 76

Conclusions
If all you remember is…

Slide 77

Step 1: Metadata!
Step 2: Something…
Step 3: Profit

Slide 78

Share schemas and namespaces

Slide 79

Build agreement

Slide 80

Build tooling

Slide 81

Extract standards

Slide 82

Questions?
And thanks for listening