Container Orchestration Deluge

Slide 1

Slide 1 text

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

© 2015 Mesosphere, Inc. All Rights Reserved. CONTAINER ==VM? 6 No! • container • dependency management for apps • also: think appops rather than devops • lightweight: startup time, avg. runtime, footprint • pets vs cattle (vs ﬂock of birds)

Slide 7

Slide 7 text

© 2015 Mesosphere, Inc. All Rights Reserved. CONTAINER ==VM? 7 Pets are individuals (servers) that you give names and manually deploy apps on When they get sick, you nurse them back to health. Cattle are anonymous, identical to other cattle you assign numbers and when they get sick you ditch them. http://www.theregister.co.uk/2013/03/18/servers_pets_or_cattle_cern/

Slide 8

Slide 8 text

© 2015 Mesosphere, Inc. All Rights Reserved. CONTAINER ==VM? 8 https://medium.com/@mhausenblas/pets-vs-cattle-vs-ﬂock-of-birds-12f1da3abfc3 Flock of birds. Per-task computing: unit of compute is a function + dynamically allocated resources. • AWS Lambda • webtask.io • StackHut

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Slide 11

Slide 11 text

© 2015 Mesosphere, Inc. All Rights Reserved. 11 • Orthogonal issues … • … however, many (successful) microservices architectures I've seen are containerized • Worry ﬁrst about the basics: • Are you using Git? • Have you got your CI/CD pipeline set up? • How do you deploy your (container) images? CONTAINER ORCHESTRATION, THAT'S FOR MICROSERVICES, OR?

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

© 2015 Mesosphere, Inc. All Rights Reserved. ARE CONTAINERS SECURE? 14 • containers share same kernel (!) • namespaces (user NS: UID 0 recently introduced) • lock down networking (ICC, for example) • apply common sense when handling credentials

Slide 15

Slide 15 text

© 2015 Mesosphere, Inc. All Rights Reserved. ARE CONTAINERS SECURE? 15 Please, don't bake credentials into images … rather do: $ docker run -d -e API_TOKEN=SECRET somedatabase $ docker run -d -v $(pwd):/fsecret:/fsecret:ro somedatabase → even better: use a key-value in-memory store such as Square's KeyWhiz, HashiCorp's Vault, or Crypt or native solutions such as Kubernetes Secrets for credentials.

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

© 2015 Mesosphere, Inc. All Rights Reserved. SHOULD I REALLY BE USING A CONTAINER ORCHESTRATION TOOL? 22 Yes! • No getting up at 3am to replace a HDD or deploy an app onto a new server • Beneﬁt from the experience of Google (Kubernetes) and Twitter (Mesos) who invested BS&T

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

© 2015 Mesosphere, Inc. All Rights Reserved. BUT I ALREADY USE CHEF, PUPPET, ANSIBLE, OR SALTSTACK—DO I REALLY NEED A CONTAINER ORCHESTRATION SYSTEM? 25 Horses for courses! • Base provisioning: CM tool of your choice • Container orchestration: Apache Mesos, Kubernetes, Nomad, Firmament, (Docker Swarm)

Slide 26

Slide 26 text

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Slide 29

Slide 29 text

Slide 30

Slide 30 text

Slide 31

Slide 31 text

Slide 32

Slide 32 text

Slide 33

Slide 33 text

Slide 34

Slide 34 text

© 2015 Mesosphere, Inc. All Rights Reserved. 34 • Mostly challenges are of social nature • Developer agility vs admin-to-server ratio • Convince your colleagues and boss with:  The Phoenix Project LEARNING BY DOING AND SOME USEFUL RESOURCES …

Slide 35

Slide 35 text

Slide 36

Slide 36 text

Slide 37

Slide 37 text

© 2015 Mesosphere, Inc. All Rights Reserved. 37 LEARNING BY DOING AND SOME USEFUL RESOURCES … 37 http://shop.oreilly.com/product/0636920043874.do http://www.oreilly.com/webops-perf/free/kubernetes.csp http://mhausenblas.info/dnsd/toc.pdf

Slide 38

Slide 38 text

Slide 39

Slide 39 text