Slide 1

© 2015 Mesosphere, Inc. All Rights Reserved.
BUILDING HYBRID MICROSERVICES
Michael Hausenblas

Slide 2

BUILDING HYBRID MICROSERVICES WITH DOCKER, APACHE MESOS/MARATHON & KUBERNETES
Day of Docker | Oslo | 2015-12-01

Slide 3

AGENDA
1. Background (30 min)
2. Hands-on (50 min)
3. Wrap up and Q & A (25 min)

Slide 4

sys admin | devops | developer | architect | management | other

Slide 5

BACKGROUND

Slide 6

LINUX CONTAINERS
The why and the what
• Containers vs VMs
• app-level dependency management
• lightweight (startup time, footprint, average runtime)
• security considerations
• pets vs cattle (and flock of birds)

Slide 7

LINUX CONTAINERS
• namespaces
  • Isolate PIDs between processes
  • Isolate network resources (stacks, devices, etc.)
  • Isolate hostname/NIS (UTS)
  • Isolate filesystem mounts (chroot)
  • Isolate inter-process communication (IPC)
  • Isolate users/groups
• cgroups
https://sysadmincasts.com/episodes/14-introduction-to-linux-control-groups-cgroups

Slide 8

DOCKER

Slide 9

DOCKER
Registries
• Docker Hub: https://hub.docker.com/
• Google Cloud: https://cloud.google.com/tools/container-registry/
• AWS: https://aws.amazon.com/ecr/
• Run your own: https://docs.docker.com/registry/deploying/

Slide 10

ARE CONTAINERS SECURE?

Slide 11

ARE CONTAINERS SECURE?
• containers share the same kernel (!)
• namespaces (user namespaces, which map UID 0 inside the container to an unprivileged host UID, were only recently introduced)
• lock down networking (for example, disable inter-container communication, ICC)
• apply common sense when handling credentials

Slide 12

ARE CONTAINERS SECURE?
Please, don't bake credentials into images … rather do:

  $ docker run -d -e API_TOKEN=SECRET somedatabase
  $ docker run -d -v $(pwd)/fsecret:/fsecret:ro somedatabase

→ even better: use a key-value in-memory store such as Square's Keywhiz, HashiCorp's Vault, or Crypt, or native solutions such as Kubernetes Secrets for credentials.
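
A defender's check for the point above, added here as an example that is not part of the original deck: a small auditor that scans a Dockerfile for credentials written into ENV or ARG instructions, or copied in as key files. Everything in it (the function find_baked_secrets, the key-name and file-name patterns, and the sample Dockerfile) is constructed for this example. Values set with ENV become part of the image configuration and show up in `docker history`, so overwriting the variable in a later layer does not remove them; passing the value with `-e` at run time keeps it out of the image, though it is still readable by anyone who can `docker inspect` the container, which is one reason the slide points to a dedicated secret store.

```python
import re
import shlex

# Heuristic key names that usually carry credentials (constructed for this example).
SECRET_KEY_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL|_KEY\b)", re.IGNORECASE)
# Heuristic file names that should never land in an image layer (constructed).
SECRET_FILE_RE = re.compile(
    r"(id_rsa|id_ed25519|\.pem$|\.key$|\.env$|credentials|\.netrc|\.aws/)", re.IGNORECASE)

# Constructed sample input; it is not a real build file.
SAMPLE_DOCKERFILE = """\
FROM python:3
# build metadata and (badly) some credentials
ENV APP_ENV=production \\
    API_TOKEN=s3cr3t-value
ARG BUILD_DATE
ENV DB_PASSWORD="hunter2 with space"
ENV GITHUB_TOKEN=$BUILD_TOKEN
COPY id_rsa /root/.ssh/id_rsa
COPY app/ /app/
RUN pip install -r /app/requirements.txt
"""


def _logical_lines(text):
    """Yield (first_line_number, instruction_text) with backslash continuations joined."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never end an instruction
        if start is None:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def _kv_pairs(args):
    """Parse ENV/ARG arguments in both the 'KEY value' and the 'K1=v1 K2="v 2"' forms."""
    tokens = args.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [tuple(tok.partition("=")[::2]) for tok in shlex.split(args)]
    key, _, value = args.partition(" ")
    return [(key, value.strip())]


def find_baked_secrets(dockerfile_text):
    """Return findings as dicts {line, instruction, key} for credentials baked into the image."""
    findings = []
    for lineno, logical in _logical_lines(dockerfile_text):
        instruction, _, args = logical.partition(" ")
        instruction = instruction.upper()
        if instruction in ("ENV", "ARG"):
            for key, value in _kv_pairs(args):
                # A bare ARG (no default) or a reference to another variable is not a literal
                # secret; a literal default on ARG is flagged because it also ends up in history.
                if SECRET_KEY_RE.search(key) and value and not value.startswith("$"):
                    findings.append({"line": lineno, "instruction": instruction, "key": key})
        elif instruction in ("COPY", "ADD"):
            # The last argument is the destination; flags such as --from are not sources.
            sources = [a for a in args.split()[:-1] if not a.startswith("--")]
            for src in sources:
                if SECRET_FILE_RE.search(src):
                    findings.append({"line": lineno, "instruction": instruction, "key": src})
    return findings


if __name__ == "__main__":
    for finding in find_baked_secrets(SAMPLE_DOCKERFILE):
        print(f"line {finding['line']}: {finding['instruction']} {finding['key']}")
```

The sample produces three findings: the API_TOKEN literal on line 3 (joined from the continuation), the quoted DB_PASSWORD on line 6, and the private key copied on line 8; the ARG with no default and the ENV that merely references another variable are left alone.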

Slide 13

PETS VS CATTLE
Pets are individuals that you give names, and when they get ill you nurse them back to health.
Cattle are anonymous, identical to other cattle; you assign numbers, and when they get ill → next one.
http://www.theregister.co.uk/2013/03/18/servers_pets_or_cattle_cern/

Slide 14

… AND FLOCK OF BIRDS
https://medium.com/@mhausenblas/pets-vs-cattle-vs-flock-of-birds-12f1da3abfc3
Flock of birds. Per-task computing: the unit of compute is a function + dynamically allocated resources.
• AWS Lambda
• webtask.io
• StackHut

Slide 15

A WORD ON MICROSERVICES AND CONTAINERS

Slide 16

WORKLOADS* …
*) kudos to Timothy St. Clair, @timothysc
batch | streaming | PaaS | MapReduce

Slide 17

WHAT DOES A SCHEDULER DO?

Slide 18

SHORT INTERLUDE ON CONTAINER MANAGEMENT

Slide 19

SHORT INTERLUDE ON CONTAINER MANAGEMENT

Slides 20-21: image-only slides (no text)

Slide 22

Kubernetes, Mesos+Marathon, Nomad, etc.
  >> write your own container manager
  >> manually managing containers
http://www.cloudtp.com/2015/11/30/docker-container-landscape/

Slide 23

Apache Mesos
• A top-level ASF project
• A cluster resource negotiator
• Scalable to 10,000s of nodes, but also useful for a handful of nodes
• Fault-tolerant, battle-tested
• An SDK for distributed apps
• Native Docker support

Slide 24

MESOS ARCHITECTURE
http://mesos.berkeley.edu/mesos_tech_report.pdf
*) now: agent

Slide 25

MESOS RESOURCES
• resource == anything a task/executor consumes in order to do its work
• standard resources: cpu, mem, disk, ports
• DRF (Dominant Resource Fairness) decides which framework is offered resources next
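
The DRF bullet refers to Dominant Resource Fairness, the allocation policy Mesos uses to decide which framework is offered resources next. The following Python is an added illustration of the policy in its simplest progressive-filling form; it is not code from the deck or from Mesos, which applies the same rule through its offer mechanism rather than a single loop. The function names, the cluster capacity and the per-task demand vectors are constructed here; the numbers are the two-framework example from the DRF paper (9 CPUs and 18 GB; framework A's tasks need <1 CPU, 4 GB>, framework B's need <3 CPU, 1 GB>).

```python
from fractions import Fraction

# Constructed example cluster and demands (the two-framework DRF paper example).
CAPACITY = {"cpu": 9, "mem": 18}
DEMANDS = {
    "A": {"cpu": 1, "mem": 4},  # memory-heavy tasks
    "B": {"cpu": 3, "mem": 1},  # CPU-heavy tasks
}


def dominant_share(capacity, demand, count):
    """Largest fraction of any single resource that `count` tasks of `demand` occupy."""
    return max(Fraction(count * demand.get(r, 0), capacity[r]) for r in capacity)


def drf_allocate(capacity, demands):
    """Progressive filling under DRF: repeatedly give one more task to the framework with the
    smallest dominant share until no framework's next task fits. Returns (tasks, shares)."""
    tasks = {f: 0 for f in demands}
    used = {r: 0 for r in capacity}
    while True:
        # Frameworks whose next task still fits in what is left of the cluster.
        fits = [f for f in demands
                if all(used[r] + demands[f].get(r, 0) <= capacity[r] for r in capacity)]
        if not fits:
            break
        # The DRF rule: serve the framework with the smallest dominant share (ties: first listed).
        chosen = min(fits, key=lambda f: dominant_share(capacity, demands[f], tasks[f]))
        tasks[chosen] += 1
        for r in capacity:
            used[r] += demands[chosen].get(r, 0)
    shares = {f: dominant_share(capacity, demands[f], tasks[f]) for f in demands}
    return tasks, shares


if __name__ == "__main__":
    tasks, shares = drf_allocate(CAPACITY, DEMANDS)
    for f in DEMANDS:
        print(f"{f}: {tasks[f]} tasks, dominant share {shares[f]}")
```

For the paper's numbers the loop ends with A running 3 tasks (3 CPUs, 12 GB) and B running 2 tasks (6 CPUs, 2 GB): A's dominant resource is memory at 12/18 and B's is CPU at 6/9, so both dominant shares equal 2/3, which is exactly the equalisation DRF aims for. Changing the demand vectors shows why a single-resource notion of fairness (equal CPU, say) would leave one framework with far less of what it actually needs.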

Slides 26-41: image-only slides (no text)

Slide 42

MARATHON
An init system for datacenters
• starts instances of a long-running service somewhere in the cluster, for example as Docker containers
• restarts the instances if they crash
• provides composition primitives
• supports health checks
• supports rolling upgrades

Slide 43

MARATHON
{
  "id": "webserver",
  "cmd": "python3 -m http.server 8080",
  "cpus": 0.5,
  "mem": 32.0,
  "container": {
    "type": "DOCKER",
    "docker": {
      "image": "python:3",
      "network": "BRIDGE",
      "portMappings": [
        { "containerPort": 8080, "hostPort": 0 }
      ]
    }
  },
  "acceptedResourceRoles": [ "slave_public" ],
  "constraints": [ [ "hostname", "UNIQUE" ] ]
}
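
An added example, not code from the deck or from Marathon: a pre-deployment lint for app definitions like the one above, the kind of check one would run in CI before anything is POSTed to the Marathon API. It validates the shape of the fields the slide uses (id, cpus, mem, the Docker container section, port mappings, constraints) and flags settings a reviewer would question: an image without an explicit tag or digest, the Docker `privileged` flag (a real Marathon field; the check itself is this example's), credentials placed in the app's `env` map, and a constraint with an operator Marathon does not know. The lint_marathon_app function, the weakened_app variant and the issue messages are constructed here.

```python
import copy
import json
import re

# The app definition from the slide, parsed into a dict.
SLIDE_APP = json.loads("""
{ "id": "webserver", "cmd": "python3 -m http.server 8080", "cpus": 0.5, "mem": 32.0,
  "container": { "type": "DOCKER", "docker": { "image": "python:3", "network": "BRIDGE",
      "portMappings": [ { "containerPort": 8080, "hostPort": 0 } ] } },
  "acceptedResourceRoles": [ "slave_public" ],
  "constraints": [ [ "hostname", "UNIQUE" ] ] }
""")

# Constraint operators Marathon accepts in [field, operator, value] triples.
CONSTRAINT_OPERATORS = {"UNIQUE", "CLUSTER", "GROUP_BY", "LIKE", "UNLIKE"}
# Heuristic key names that usually carry credentials (constructed for this example).
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|CREDENTIAL)", re.IGNORECASE)


def lint_marathon_app(app):
    """Return a list of human-readable problems found in a Marathon app definition."""
    issues = []
    if not isinstance(app.get("id"), str) or not app["id"]:
        issues.append("id: missing or empty")
    for res in ("cpus", "mem"):
        value = app.get(res)
        if not isinstance(value, (int, float)) or value <= 0:
            issues.append(f"{res}: must be a positive number")
    container = app.get("container", {})
    if container.get("type") == "DOCKER":
        docker = container.get("docker", {})
        image = docker.get("image", "")
        if not image:
            issues.append("container.docker.image: missing")
        # A tag lives after the last '/', so a registry port (host:5000/img) is not mistaken for one.
        elif ":" not in image.rsplit("/", 1)[-1] and "@" not in image:
            issues.append(f"container.docker.image: '{image}' has no explicit tag or digest")
        if docker.get("privileged"):
            issues.append("container.docker.privileged: true gives the container host-level privileges")
        for i, pm in enumerate(docker.get("portMappings", [])):
            for field in ("containerPort", "hostPort"):
                port = pm.get(field)
                # hostPort 0 is fine: it asks Marathon for a dynamically assigned host port.
                if not isinstance(port, int) or not 0 <= port <= 65535:
                    issues.append(f"portMappings[{i}].{field}: invalid port {port!r}")
    for key in app.get("env", {}):
        if SECRET_KEY_RE.search(key):
            issues.append(f"env.{key}: looks like a credential stored in the app definition")
    for i, c in enumerate(app.get("constraints", [])):
        if not (isinstance(c, list) and 2 <= len(c) <= 3 and c[1] in CONSTRAINT_OPERATORS):
            issues.append(f"constraints[{i}]: expected [field, operator(, value)] with a known operator")
    return issues


def weakened_app():
    """Constructed variant of the slide's app with four problems a reviewer should catch."""
    app = copy.deepcopy(SLIDE_APP)
    app["container"]["docker"]["image"] = "python"              # floating tag
    app["container"]["docker"]["privileged"] = True             # host-level privileges
    app["env"] = {"DB_PASSWORD": "hunter2"}                     # credential in the definition
    app["constraints"] = [["hostname", "EVERYWHERE"]]           # unknown operator
    return app


if __name__ == "__main__":
    print("slide app:", lint_marathon_app(SLIDE_APP) or "clean")
    for issue in lint_marathon_app(weakened_app()):
        print("weakened app:", issue)
```

The slide's definition passes clean; the weakened copy yields one issue per injected problem. The env check ties back to the credentials slide: an app definition is stored by Marathon and readable through its API, so a password placed there is as exposed as one baked into an image.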

Slide 44

WHAT IS KUBERNETES?
• open source container orchestration system
• scheduling apps onto nodes + scaling
• manages apps to match declared intentions
• based on Google's internal cluster managers such as Borg

Slide 45

KUBERNETES ARCHITECTURE

Slide 46

KUBERNETES CONCEPTS
• container: sealed application package (Docker)
• pod: small group of tightly coupled containers
• labels: identifying metadata attached to objects (pods, services, etc.)
• selector: query against labels, producing a set result
• controller: control loop driving current state towards desired state
• service: set of pods that work together (incl. proxy/load balancer)

Slide 47

KUBERNETES: PODS
• unit of scheduling
• data sharing between its containers
• shared mount point (volumes)
• shared network namespace (same IP, see each other on localhost)

Slide 48

KUBERNETES: LABELS & SELECTORS
• arbitrary metadata (in key-value format) attached to any API object
• used for grouping, queryable by selectors
• examples:
  • pods managed by a replication controller
  • node capabilities for scheduling

Slide 49

KUBERNETES: REPLICATION CONTROLLERS
• constitutes a control loop
• ensures a desired state (x pods running)
• scoped by selector
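
Slides 48 and 49 together describe labels, selectors and the replication controller's control loop. The following Python is an added illustration of both, constructed for this page rather than taken from Kubernetes: an equality-based selector over in-memory pod objects, and a controller whose single reconcile pass deletes failed pods, creates replacements and removes surplus pods until the number of Running pods matching its selector equals the desired replica count. The Pod and ReplicationController classes and the demo scenario are assumptions of the example; the rule that the pod template's labels must satisfy the selector mirrors the real API's validation, since a controller whose own pods fall outside its selector would never see them and would create new ones forever.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Pod:
    """Minimal stand-in for a pod object: a name, its labels and a lifecycle phase."""
    name: str
    labels: dict
    phase: str = "Running"


def matches(selector, labels):
    """Equality-based selector: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def select(selector, pods):
    """Evaluate a selector against a collection of pods, returning the matching set."""
    return [p for p in pods if matches(selector, p.labels)]


class ReplicationController:
    """Control loop that drives the count of Running pods matching `selector` to `replicas`."""

    def __init__(self, name, selector, replicas, template_labels):
        if not matches(selector, template_labels):
            raise ValueError("pod template labels must match the controller's selector")
        self.name = name
        self.selector = selector
        self.replicas = replicas
        self.template_labels = template_labels
        self._counter = itertools.count(1)

    def reconcile(self, cluster):
        """One pass of the loop over a mutable list of pods. Returns (created, deleted) names."""
        mine = select(self.selector, cluster)
        # Pods that are no longer Running are removed so that replacements can be created.
        dead = [p for p in mine if p.phase != "Running"]
        for p in dead:
            cluster.remove(p)
        live = [p for p in mine if p.phase == "Running"]
        created, deleted = [], [p.name for p in dead]
        while len(live) < self.replicas:
            pod = Pod(f"{self.name}-{next(self._counter)}", dict(self.template_labels))
            cluster.append(pod)
            live.append(pod)
            created.append(pod.name)
        while len(live) > self.replicas:  # scale down: drop the most recently listed pod first
            pod = live.pop()
            cluster.remove(pod)
            deleted.append(pod.name)
        return created, deleted


def demo():
    """Constructed scenario: initial reconcile, reaction to a crashed pod, then a scale-down."""
    cluster = [
        Pod("db-0", {"app": "db"}),                            # unrelated pod, never touched
        Pod("web-old", {"app": "web", "tier": "frontend"}),     # pre-existing matching pod
    ]
    rc = ReplicationController(
        "web", {"app": "web", "tier": "frontend"}, replicas=3,
        template_labels={"app": "web", "tier": "frontend", "version": "v2"})
    first = rc.reconcile(cluster)      # two pods created to reach three
    cluster[1].phase = "Failed"        # web-old crashes
    second = rc.reconcile(cluster)     # web-old deleted, one replacement created
    rc.replicas = 1
    third = rc.reconcile(cluster)      # two surplus pods removed
    return first, second, third, sorted(p.name for p in cluster)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note that the selector deliberately ignores the template's extra `version` label: selection is by the keys the selector names, so a rolling upgrade that changes `version` on the template does not change which pods the controller counts as its own.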

Slide 50

KUBERNETES: SERVICES
• compensate for the dynamics of pods
• provide a stable VIP (through a proxy)
• access policy: load-balanced or headless

Slide 51

KUBERNETES: CLUSTER-WIDE SERVICES
• monitoring (e.g.: cAdvisor + InfluxDB + Heapster)
• logging (e.g.: fluentd + ES + Kibana)
• DNS (e.g.: skydns + kube2sky)
• all of the above can be replaced by custom solutions (GCP, AWS, etc.)

Slide 52

SERVICE DISCOVERY

Slide 53

LOCAL OS VS. DISTRIBUTED OS
http://bitly.com/os-vs-dcos

Slide 54

MEET THE DATACENTER OPERATING SYSTEM
Mesosphere DCOS: any service or container, on any infrastructure
Your favorite services, container formats, and those yet to come
Build apps once on DCOS, and run them anywhere
Runs distributed apps anywhere as simply as running apps on your laptop

Slide 55

DCOS BENEFITS
• Run stateless services such as Web servers and app servers (via Marathon) and stateful services like Crate, Kafka, HDFS, Cassandra, ArangoDB etc. together on one cluster
• Dynamic partitioning of your cluster, depending on your needs (business requirements)
• Increased utilization (10% → 80% and more)

Slide 56

DCOS ARCHITECTURE
https://docs.mesosphere.com/getting-started/dcosarchitecture/

Slide 57

HANDS-ON

Slide 58

Source: mashable.com/2015/11/23/slack-down-reactions

Slide 59

Source: twitter.com/mhausenblas/status/668898187265056772

Slide 60

LOOK MA, I FIXED SLACK …
mattermost.org | DCOS

Slide 61

A SOMEWHAT MORE COMPLETE EXAMPLE
mesosphere.com/blog/2015/11/18/dcos-time-series-demo/

Slide 62

http://j.mp/dod-dcos

Slide 63

WRAP UP
Q & A

Slide 64

WHERE CAN I LEARN MORE?
http://shop.oreilly.com/product/9781939902184.do
http://shop.oreilly.com/product/0636920035671.do

Slide 65

Slide 65 text

© 2015 Mesosphere, Inc. All Rights Reserved. 65 WHERE CAN
 I LEARN MORE? http://shop.oreilly.com/product/0636920039952.do https://manning.com/books/mesos-in-action 65

Slide 66

WHERE CAN I LEARN MORE?
http://shop.oreilly.com/product/0636920043874.do
http://www.oreilly.com/webops-perf/free/kubernetes.csp
http://mhausenblas.info/dnsd/toc.pdf

Slide 67

Slide 67 text

© 2015 Mesosphere, Inc. All Rights Reserved. 67 WHERE CAN
 I LEARN MORE? http://p24e.io 67 http://k8s.info