Slide 1

Slide 1 text

Building Minimal Docker Containers Orangesys Inc.

Slide 2

Slide 2 text

Who am I: Orangesys Inc., Tachibana Shuji, Twitter @yepn, Running

Slide 3

Slide 3 text

Orangesys Inc. SaaS monitoring system https://orangesys.io @orangesysio

Slide 6

Slide 6 text

Orangesys Architecture & Stack
● All in docker
● Kubernetes on GKE
● OpsDev -> NoOps

Slide 7

Slide 7 text

[Architecture diagram: Orangesys > Kubernetes, behind Cloud Load Balancing (HTTPS from browser and standard device clients). Namespaces shown: Apigateway, Production, Kube-system, Monitoring, Opsbot. Components shown as Replication Controllers on Container Engine: Kong ApiGateway, Traefik, Nginx, Ingress, SSL Cert Bot, Orange Api, Server Api, Stripe Server, PostgreSQL, MariaDB, Telegraf, Prometheus, InfluxDB, Grafana, Tiller, Kubernetes API, Kubebot, K8s-event. Outside the cluster: Corporate Site on App Engine (autoscaling), Orangesys Firebase (autoscaling).]

Slide 8

Slide 8 text

Technology Stack

Slide 9

Slide 9 text

Agenda ● Docker images size ● Docker images security

Slide 11

Slide 11 text

CoreOS Clair: security data sources

Slide 12

Slide 12 text

Layers

Slide 13

Slide 13 text

Topics: Docker images based on Alpine. For Golang, build the Docker image on a scratch base. Reducing layers shortens build time.

Slide 14

Slide 14 text

Alpine base image: build the Docker image on Alpine, whose base size is 2MB. However, libc is musl libc, which affects OS-level dependencies. ex) Not resolving using search domain ..svc.cluster.local https://github.com/gliderlabs/docker-alpine/issues/8

Slide 15

Slide 15 text

Scratch base image: for Golang, build the Docker image on a scratch base. However, when the container makes HTTPS connections to the outside, the CA certificates must be included in the image.

    FROM scratch
    ADD ca-certificates.crt /etc/ssl/certs/
    ADD main /
    CMD ["/main"]
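As an added example (not from the slides), a multi-stage Dockerfile that produces the same scratch-based image without a pre-built binary or a hand-copied ca-certificates.crt: the build stage compiles a statically linked Go binary and supplies the CA bundle, so the final image contains only the binary and the certificates. It assumes a Go module with a main package in the build context, and it runs the binary as an unprivileged numeric UID, which scratch permits without an /etc/passwd.

```dockerfile
# Stage 1: build a statically linked Go binary and collect the CA bundle.
FROM golang:1.21-alpine AS build
RUN apk add --no-cache ca-certificates
WORKDIR /src
# Copy module files first so dependency download is cached across builds.
COPY go.* ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 removes the runtime dependency on musl libc, so the binary
# runs on scratch; -trimpath and -s -w keep build paths and symbols out.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /main .

# Stage 2: final image with nothing but the binary and the CA certificates.
FROM scratch
# Without this file, outbound HTTPS fails with
# "x509: certificate signed by unknown authority".
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /main /main
# Numeric UID/GID: no /etc/passwd exists in scratch, so a name would not resolve.
USER 65534:65534
CMD ["/main"]
```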

Slide 16

Slide 16 text

Layers: reducing layers shortens build time. However, when you need libc, it may be better to use an existing Docker image.

Slide 17

Slide 17 text

References https://github.com/orangesys https://stackshare.io/orangesys-inc https://hub.docker.com/u/orangesys/dashboard/