Docker in Production (PHP London, July 2016)

Transcript

1. Docker in Production PHP London July 2016

2. [email protected] @rawkode github.com/rawkode Me! ★ Software Consultant ★ Docker Glasgow

   Organiser ★ Scotland PHP Organiser ★ Running Docker in production since March 2014

3. Why use Docker?

4. On-Boarding a New Developer Install Docker docker-compose up

5. Environment Parity Your development, staging, acceptance, and production environments are

   COMPLETELY the same

6. Deployment Deploy, or rollback, in under a second

7. Isolation: Reduced Attack Surface Compromised container isn’t a compromised host

   (Unless you do something silly!)

8. Isolation: Reduced Friendly Fire You don’t need to seek permission

   / compatibility before upgrading or changing your stack

9. Auditability You’ve been hacked. What did your system ACTUALLY look

   like at the time?

10. Better Allocation of Resources Single auto-scaling group and allocate resources,

    rather than an auto-scaling group for each project, with under utilised resources

11. There’s no such thing as a free lunch

12. Orchestration How do I get my containers into production?

13. Options • ECS • Swarm • Kubernetes • OpenShift •

    Mesos

14. ECS Good • You’re already on AWS • Handles load

    balancing and service discovery • FINALLY handles auto-scaling at container level

15. ECS Bad • Behind on Docker version • Deploying is

    a very manual process / API is convoluted • Can’t use dynamic port allocation due to ELB requirements

16. Swarm Good • Same CLI as Docker • Service Discovery

    • Load Balancing • One click EVERYTHING

17. Swarm Bad • Must be on latest version for the

    good stuff • Changing fast • Not proven at scale

18. Kubernetes Good • Service discovery • Load balancing • “Planet

    Scale” • Secret / config management • Lots of storage driver support, including AWS • EVERYTHING

19. Kubernetes Bad • EVERYTHING

20. OpenShift Good • It’s Kubernetes with RedHat support

21. Mesosphere Meh • DCOS is cool • Mesos doesn’t do

    much on it’s own • Marathon and other plugins required • I’ve not really used it

22. Docker Tips & Gotchas

23. Small Steps Gotcha Don’t jump straight into Kubernetes / Mesos

    / OpenShift Orchestrate containers using your current tooling

24. Service Discovery Gotcha How do I speak to other containers?

    Assuming you’re not using Kubernetes, etc

25. Port Based Tip Pick a random port for each service

    and never change it. Load balance across ALL hosts

26. Docker Events Tip $ docker events

27. $ docker events time container create 53487539487534 ( image=php:7-cli ,

    name=sharp_meninsky) time container attach 53487539487534 ( image=php:7-cli , name=sharp_meninsky) time network connect 38274982374222 (container=53487539487534, type=bridge) time container start 53487539487534 (image=php:7-cli, name=sharp_meninsky) time container die 53487539487534 (exitCode=0, image=php:7-cli , name=sharp_meninsky) time network disconnect 38274982374222 (container=53487539487534, type=bridge) time container destroy 53487539487534 ( image=php:7-cli , name=sharp_meninsky)

28. Registrator Tip https://github.com/ /gliderlabs /registrator

29. Logging Gotcha Getting logs out of your containers

30. Do not run remote_syslog inside your container

31. Do not use volume mounts to the host

32. Docker Log Drivers

33. Docker Log Drivers Since Docker >= 1.6 --log-driver=<driver> • json-file

    • syslog • fluentd • awslogs • gelf (LogStash and Graylog)

34. Docker Changes Gotcha Ignore everything I’ve said The Docker project

    moves FAST Docker 1.12 is pretty sweet

35. Docker 1.12 Tip Stay upgraded! Docker 1.12 provides end to

    end encryption and so much more

36. Private Registry Gotcha You WILL run out of disk space

37. Sign Your Images Tip Don’t suffer because of a poisoned

    image https://github.com/docker/notary

38. Read Only Tip docker run --read-only

39. ICC Gotcha By default, any container can communicate with another

    container Turn off inter-container communication

40. Containers Die Tip --restart

41. Container Health Checks Tip --health-cmd --health-interval --health-retries --health-timeout

42. Filesystem Gotcha On RedHat distributions, devicemapper is default Upgrade your

    kernel, use overlayfs if you can

43. Massive Images Gotcha Don’t use CHMOD / CHOWN inside your

    Dockerfile

44. Permissions Tip CHMOD / CHOWN In an ENTRYPOINT script

45. Secret Management Gotcha Don’t store secrets inside your image ALSO

    12-Factor http://12factor.net/

46. ONBUILD Tip Dockerfile Parity with ONBUILD

47. Privileged Gotcha PLEASE DO NOT USE --host Or --privileged

48. Tip Random Ports Avoid -p 80:80 Encourage -p 80

49. Community Images Tip Avoid whenever possible. They do DISAPPEAR

50. Finally ...

51. composer.lock STOP COMMITTING Since “composer install” won’t be part of

    your deployment strategy, don’t commit your lock file. “composer install” should always get your latest and greatest during build and those dependencies are BAKED into your image.

52. composer.lock If your CI/D build passes it’s tests, you’re golden.

    If it fails, you’re not pinning your dependencies well enough. STOP COMMITTING

53. Questions? Thanks!