Slide 1

(image: https://goto.docker.com/rs/929-FJL-178/images/swarmnado.gif)

my Docker Best Practice (2016 Winter Short Version)

Slide 2

@spesnova

Slide 3

No content

Slide 4

No content

Slide 5

Theme: a selection of my personal best practices

Slide 6

(image: https://www.docker.com/sites/all/themes/docker/assets/images/turtle.png)

Basic principles

Slide 7

Basic principle 1: treat containers as short-lived

Slide 8

What does "short-lived" mean?

Put another way, short-lived means "started frequently and terminated soon after". For that to work, startup and shutdown themselves have to be fast. And being able to terminate at any moment means the container holds no data that needs to be persisted.

Slide 9

Why?

A container that starts immediately and can be stopped immediately is easy to handle and convenient. Scaling, replacing it and moving it to another host, for example, all become easier.

Slide 10

Basic principle 2: do as much as possible in containers

Slide 11

What does "do it in containers" mean?

Instead of "installing anything directly on the host", you "install it as a container".

Slide 12

Why?

"Not installing directly on the host" makes the host easy to operate. If nothing is installed on it, there is nothing on it to update. If the various things you need are packaged as containers, a container management tool (K8S or similar) can control them all centrally.

Slide 13

(image: http://www.docker.com/sites/default/files/Compose.png)

Practices

Slide 14

Practice 1: stop containers gracefully

Slide 15

Why?

Containers have short lifecycles and are started and stopped frequently. Stop them gracefully so that frequent stops do not affect the service.

Slide 16

How? stop_signal

    # send a specific signal instead of the default SIGTERM
    $ docker kill --signal=

    # docker-compose.yml
    services:
      nginx:
        image: nginx
        stop_signal: SIGQUIT

Slide 17

How? stop_signal

    # Dockerfile
    # OK: exec form, nginx runs as PID 1 and receives the stop signal itself
    CMD ["nginx"]
    CMD exec nginx
    # NG: shell form, /bin/sh is PID 1 and the signal never reaches nginx
    CMD nginx
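As an added example (not from the slides), the POSIX shell script below shows why the exec form matters. It starts a stand-in "server" that traps SIGTERM, launches it either behind a wrapper shell (what the shell-form CMD does) or as the process itself (the exec form), sends SIGTERM to the process that would be PID 1, and reports whether the application actually handled the signal. The stand-in app, the marker files and the function name run_and_stop are constructed for this demo; nothing here talks to Docker.

```shell
#!/bin/sh
# Added example, not from the slides. Demonstrates why `CMD ["nginx"]` /
# `CMD exec nginx` stop gracefully while `CMD nginx` does not: with the shell
# form a /bin/sh wrapper is the process that receives the signal, and the
# application behind it never sees it. The "server" is a constructed stand-in
# that records its PID and writes a marker file when it handles SIGTERM.

APP='echo $$ > $MARKER.pid; trap "echo graceful > $MARKER; exit 0" TERM; while :; do sleep 1; done'

# Start the stand-in app the way Docker starts CMD, send SIGTERM to the
# process that would be PID 1 (what `docker stop` sends first), then report
# whether the app handled it. Prints "graceful" or "orphaned".
#   run_and_stop shell   ~  CMD nginx             (sh -c "nginx")
#   run_and_stop exec    ~  CMD ["nginx"] or CMD exec nginx
run_and_stop() {
    MARKER=$(mktemp) && rm -f "$MARKER"    # unique path; the app creates the file
    export MARKER
    case "$1" in
        # the trailing ':' keeps the wrapper from exec'ing the app as its last command
        shell) sh -c "sh -c '$APP'; :" >/dev/null 2>&1 & ;;
        exec)  sh -c "exec sh -c '$APP'" >/dev/null 2>&1 & ;;
        *)     echo "usage: run_and_stop shell|exec" >&2; return 2 ;;
    esac
    pid1=$!
    sleep 1                          # let the app start and record its PID
    kill -TERM "$pid1"
    sleep 2                          # the trap runs once the current sleep returns
    if [ -f "$MARKER" ]; then
        result=graceful
    else
        result=orphaned
        # the wrapper died but the app is still running, reparented to init;
        # in a container this is the stall that ends in SIGKILL after the timeout
        kill -KILL "$(cat "$MARKER.pid")" 2>/dev/null || true
    fi
    rm -f "$MARKER" "$MARKER.pid"
    echo "$result"
}

# Stand-alone demo
printf 'exec form:  %s\n' "$(run_and_stop exec)"
printf 'shell form: %s\n' "$(run_and_stop shell)"
```

The exec case prints "graceful" because the trap in the app ran; the shell case prints "orphaned" because only the wrapper shell died. In a real container the wrapper shell is PID 1 and simply ignores SIGTERM, so the effect is the same: the application is never asked to shut down, and Docker falls back to SIGKILL when its stop timeout expires.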

Slide 18

Practice 2: backups, monitoring, log collection and migrations all run in containers

Slide 19

Why?

Doing as much as possible in containers = "installing nothing directly on the host", which makes the host easy to operate. Once everything is consolidated into containers, whether you use Compose or Kubernetes, it can all be controlled centrally from there.

Slide 20

How?

Slide 21

How? Dockup

    # Run a container that has data
    $ docker run -d --name minecraft \
        -v /data/world minecraft
    # Backup with dockup container
    $ docker run --rm --env-file env.txt \
        --volumes-from minecraft \
        tutum/dockup

Slide 22

How? Datadog

    # Run monitoring agent
    $ docker run -d \
        -h `hostname` \
        -e API_KEY= \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /proc/:/host/proc/:ro \
        -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
        datadog/docker-dd-agent:latest

Mounting /var/run/docker.sock hands the agent full control of the Docker daemon, which is root-equivalent on the host, so only an image you trust should get that mount; the /proc and cgroup mounts are read-only for the same reason.

Slide 23

How? Fluentd

    # Run log collector
    $ docker run -d -p 24224:24224 fluent/fluentd
    # Send container log to log collector
    $ docker run -d --log-driver=fluentd nginx

Slide 24

How? one-off container

    # DB migration
    $ docker run --rm rails rake db:migrate
    # Rails console
    $ docker run -it --rm rails rails console
    # AWS CLI
    $ docker run --rm \
        quay.io/spesnova/aws-cli:latest \
        aws s3 ls

Slide 25

Practice 3: configuration that changes with the environment the container runs in goes into environment variables

Slide 26

Why?

Hard-coding something you want to set at run time means you have to rebuild the image to change it. Environment variables are a configuration mechanism that works the same way regardless of the language or middleware inside the container.

Slide 27

How? Entrykit

    # Dockerfile
    COPY ./nginx.conf.tmpl /etc/nginx/nginx.conf.tmpl
    ENTRYPOINT [ "render", \
        "/etc/nginx/nginx.conf", "--", "/usr/sbin/nginx" ]

    # nginx.conf.tmpl
    worker_processes {{ var "WORKER_PROCESSES" | default "1" }};
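Entrykit's render is one implementation of this step. As an added example that is not from the slides and not part of Entrykit, the POSIX sh entrypoint below does the same job by hand: it applies defaults for optional settings, refuses to start when a required one is missing, substitutes @NAME@ placeholders with sed so that template text is never evaluated as shell, rejects values that could inject extra config directives, and finally execs the server so it becomes PID 1. The sample template, the variable names WORKER_PROCESSES, LISTEN_PORT and UPSTREAM_HOST, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: a plain-sh stand-in for the Entrykit
# `render` step. Placeholders look like @NAME@ and are replaced by the value
# of the environment variable NAME with sed, so nothing in the template is
# ever evaluated as shell. Template, variable names and paths are constructed.

# Constructed template standing in for /etc/nginx/nginx.conf.tmpl.
SAMPLE_TEMPLATE='worker_processes @WORKER_PROCESSES@;
events {}
http {
    server {
        listen @LISTEN_PORT@;
        location / { proxy_pass http://@UPSTREAM_HOST@; }
    }
}'

# Optional settings get defaults here; a required one makes the container
# fail at startup (non-zero exit, clear message) instead of serving with a
# half-empty config.
apply_defaults() {
    : "${UPSTREAM_HOST:?UPSTREAM_HOST must be set (-e / env_file)}"
    WORKER_PROCESSES=${WORKER_PROCESSES:-1}
    LISTEN_PORT=${LISTEN_PORT:-8080}
    export UPSTREAM_HOST WORKER_PROCESSES LISTEN_PORT
}

# Refuse values that would break out of the substitution or append extra
# config lines: sed's delimiter '|', the '&' back-reference, backslashes and
# newlines. Anything able to set an env var could otherwise write directives
# into the rendered file.
check_value() {
    nl='
'
    case "$2" in
        *'|'*|*'&'*|*'\'*|*"$nl"*)
            echo "entrypoint: $1 contains characters not allowed in config values" >&2
            return 1 ;;
    esac
}

# Render the template in $1 (or stdin) to stdout. Unknown @PLACEHOLDER@s are
# left untouched so a typo shows up in the rendered file instead of a blank.
render_template() {
    check_value WORKER_PROCESSES "$WORKER_PROCESSES" || return 1
    check_value LISTEN_PORT "$LISTEN_PORT" || return 1
    check_value UPSTREAM_HOST "$UPSTREAM_HOST" || return 1
    sed -e "s|@WORKER_PROCESSES@|$WORKER_PROCESSES|g" \
        -e "s|@LISTEN_PORT@|$LISTEN_PORT|g" \
        -e "s|@UPSTREAM_HOST@|$UPSTREAM_HOST|g" ${1:+"$1"}
}

# Entrypoint flow: defaults and checks, render, then exec the server so it
# becomes PID 1 and receives the stop signal directly (see Practice 1).
# Used as ENTRYPOINT, the script would end with:  entrypoint_main "$@"
entrypoint_main() {
    apply_defaults
    render_template /etc/nginx/nginx.conf.tmpl > /etc/nginx/nginx.conf || exit 1
    exec "$@"
}

# Stand-alone demo: render the sample template with only the required variable set.
: "${UPSTREAM_HOST:=app:3000}"
apply_defaults
printf '%s\n' "$SAMPLE_TEMPLATE" | render_template
```

Two design points: the required-variable check runs before anything is rendered, so a misconfigured container dies at start instead of quietly proxying to nowhere, and the character check means a value such as a host name with an embedded newline cannot smuggle an extra server block into nginx.conf.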

Slide 28

Practice 4: decide in advance how you will maintain the host machines

Slide 29

Why?

Once you start running containers, there are always containers sitting on the host, so the host is far harder to maintain than the containers are.

Slide 30

How? kubernetes Drain

Slide 31

How? kubernetes Drain

    # Preparation for maintenance
    $ kubectl drain node-00
    node "node-00" cordoned
    pod "example-fcgm3" deleted
    pod "example-pi8rq" deleted
    node "node-00" drained
    # Do maintenance
    # Make the node schedulable
    $ kubectl uncordon node-00
    node "node-00" uncordoned
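The slide shows the two commands; what goes wrong in practice is a drain that hangs on a stuck pod, or a maintenance step that fails and leaves the node cordoned. As an added example that is not from the slides and not a Kubernetes tool, the sh wrapper below bounds the eviction with kubectl's --grace-period and --timeout flags and always uncordons the node, even when the maintenance command fails. KUBECTL, maintain_node and the node name node-00 are this example's own; with no cluster available it prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the slides: wrap the kubectl drain / uncordon
# sequence so the node always returns to service. KUBECTL is overridable so
# the flow can be exercised with a stub; node names are constructed.
KUBECTL=${KUBECTL:-kubectl}

# maintain_node NODE CMD [ARGS...]
# Cordon and drain NODE, run CMD as the maintenance step, then uncordon.
# Returns the maintenance command's exit status; a failed drain leaves the
# node schedulable again and returns 1.
maintain_node() {
    node="$1"; shift
    # cordon first so nothing new lands on the node while pods are evicted
    $KUBECTL cordon "$node" || return 1
    # --ignore-daemonsets: DaemonSet pods cannot be evicted and would block the drain
    # --grace-period / --timeout: bound how long one stuck pod can hold the window
    if ! $KUBECTL drain "$node" --ignore-daemonsets --grace-period=30 --timeout=300s; then
        $KUBECTL uncordon "$node"
        return 1
    fi
    "$@"
    status=$?
    # put the node back even if maintenance failed: a cordoned node left
    # behind silently shrinks the cluster's capacity
    $KUBECTL uncordon "$node"
    return "$status"
}

# Stand-alone demo: no cluster here, so print the kubectl commands instead.
( KUBECTL="echo kubectl"; maintain_node node-00 echo "(maintenance would run here)" )
```

Pods that are not managed by a controller still block a drain unless --force is given; that is deliberate here, since such pods would not be recreated elsewhere.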

Slide 32

Practice 5: continuously scan the packages inside containers for vulnerabilities

Slide 33

Why?

Precisely because images are so reproducible, some of them end up built once and never rebuilt. With so few occasions to update, vulnerability fixes tend to be left undone as well.

Slide 34

How? Clair

    # Run Clair service
    $ docker run -p 6060:6060 -p 6061:6061 -v /tmp:/tmp -v $PWD:/config \
        quay.io/coreos/clair --config /config/config.yml
    # Run image scan
    $ ./analyze-local-images postgres
    …
    - Added by: aa0e4f075388ef6efa1cb6f243fa78b862201b3….
    ### (Medium) CVE-2016-0402
    - Link: https://security-tracker.debian.org/tracker/CVE-2016-0402
    - Description: Unspecified vulnerability in the Java SE and Java SE …….
    - Fixed version: 7u95-2.6.4-1~deb7u1
    - Metadata: ……
    …
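What to do with the scan output is not on the slide. As an added example that is not from the slides and not part of Clair, the sh script below parses the analyze-local-images report format shown above, lists the findings at or above a chosen severity on Clair's own scale, and fails a build when a finding at that level already has a fixed version, which is exactly the case a rebuild would resolve. The embedded report is constructed from the slide's output; CVE-0000-0001 and CVE-0000-0002 are placeholder ids, not real identifiers, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides and not part of Clair: turn the
# analyze-local-images text report into a pass/fail build gate.

# Constructed sample in the report format shown on the slide. CVE-2016-0402
# is the finding from the slide; CVE-0000-0001 and CVE-0000-0002 are
# placeholder ids, not real identifiers.
write_sample_report() {
    cat > "$1" <<'EOF'
### (Medium) CVE-2016-0402
- Link: https://security-tracker.debian.org/tracker/CVE-2016-0402
- Description: Unspecified vulnerability in the Java SE and Java SE ...
- Fixed version: 7u95-2.6.4-1~deb7u1
- Metadata: ...
### (High) CVE-0000-0001
- Link: https://example.invalid/CVE-0000-0001
- Description: placeholder finding with no fix available yet
- Fixed version:
### (Low) CVE-0000-0002
- Link: https://example.invalid/CVE-0000-0002
- Description: placeholder finding with a fix available
- Fixed version: 1.2.3-4
EOF
}

# list_findings REPORT MIN_SEVERITY
# Prints "SEVERITY CVE-ID FIXED-VERSION" (or "unfixed") for every finding at
# or above MIN_SEVERITY, ranked on Clair's own severity scale.
list_findings() {
    awk -v min_name="$2" '
    BEGIN {
        rank["Unknown"] = 0; rank["Negligible"] = 1; rank["Low"] = 2
        rank["Medium"] = 3;  rank["High"] = 4;       rank["Critical"] = 5
        rank["Defcon1"] = 6
        min = rank[min_name]
    }
    function flush() {
        if (id != "" && rank[sev] >= min)
            print sev, id, (fixed == "" ? "unfixed" : fixed)
        id = ""; fixed = ""
    }
    /^### \(/ { flush(); sev = $2; gsub(/[()]/, "", sev); id = $3 }
    /^- Fixed version:/ { fixed = $4 }
    END { flush() }' "$1"
}

# count_findings REPORT MIN_SEVERITY -> number of findings listed
count_findings() { list_findings "$1" "$2" | awk 'END { print NR }'; }

# gate_report REPORT MIN_SEVERITY
# Exit 1 when a finding at or above MIN_SEVERITY already has a fixed version:
# those are what a rebuild resolves, so they are what CI should refuse to
# ship. Unfixed findings are reported but do not fail the build on their own.
gate_report() {
    list_findings "$1" "$2" | awk '$3 != "unfixed" { n++ } END { exit n > 0 }'
}

# Stand-alone demo
report=$(mktemp)
write_sample_report "$report"
echo "findings at Medium or above:"
list_findings "$report" Medium
if gate_report "$report" High;   then echo "gate(High): pass";   else echo "gate(High): FAIL";   fi
if gate_report "$report" Medium; then echo "gate(Medium): pass"; else echo "gate(Medium): FAIL"; fi
rm -f "$report"
```

The demo passes at High (the only High finding has no fix yet) and fails at Medium (the slide's CVE-2016-0402 has a fixed version), which is the distinction a gate needs: blocking on findings nobody can fix yet only trains people to bypass the check.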

Slide 35

How? Quay.io

Slide 36

Practice 6: run the official security benchmark and use it as a guide for configuration

Slide 37

Why?

Docker, including the tooling around it, is evolving rapidly, and there are far too many options for everything. There is no downside to using a tool that checks best practices mechanically.

Slide 38

How? docker/docker-bench-security

    # Run Docker Benchmark for Security
    $ docker-compose run --rm docker-bench-security
    …
    [INFO] 1 - Host Configuration
    [WARN] 1.1 - Create a separate partition for containers
    [PASS] 1.2 - Use an updated Linux Kernel
    [PASS] 1.5 - Remove all non-essential services from the host - Network
    [WARN] 1.6 - Keep Docker up to date
    [WARN]      * Using 1.10.1, when 1.10.2 is current as of 2016-02-22
    …

Slide 39

(image: http://www.docker.com/sites/default/files/Registry.png)

Summary

Slide 40

Basic principles

• Do as much as possible in containers
• Containers are "short-lived"

Slide 41

Practices

• Stop gracefully
• Backups and migrations in containers too
• Configuration into environment variables with Entrykit
• Do not forget host machine operations
• Continuous vulnerability scanning
• Try running the Security Benchmark

Slide 42

(image: https://docs.docker.com/images/docker-friends.png)

The end

Slide 43

We're Hiring! http://increments.co.jp/jobs

Slide 44

(image: https://goto.docker.com/rs/929-FJL-178/images/swarmnado.gif)

my Docker Best Practice