My Docker Best Practice (2016 Winter Short Version)



Seigo Uchida

March 05, 2016

Transcript

  1. my Docker Best Practice (2016 Winter Short Version)

  2. @spesnova

  5. Theme: A selection of my personal best practices

  6. Basic principles

  7. Basic principle 1: Treat containers as ephemeral (short-lived)

  8. What does "short-lived" mean? Put another way, short-lived means "started frequently and terminated right away". For that, startup and shutdown themselves also have to be fast. And being able to terminate right away means holding no data that needs to be persisted.

  9. Why? If a container starts immediately and can be stopped immediately, it is easier to handle and more convenient. Scaling, replacement, moving it to another host, and so on all become easier.

  10. Basic principle 2: Do as much as possible in containers

  11. What does "do it in containers" mean? It means installing nothing directly on the host and instead installing it as a container.

  12. Why? Installing nothing directly on the host makes host operations easier: if nothing is installed, nothing needs updating. And once everything is in containers, it can all be controlled centrally through a container management tool (K8s, for example).

  13. Practices

  14. Practice 1: Stop containers gracefully

  15. Why? Containers have short lifecycles and are started and stopped frequently. Stop them gracefully so that frequent stops do not affect the service.

  16. How? Choose the stop signal (stop_signal):

     $ docker kill --signal=<SIGNAL> <CONTAINER>

     # docker-compose.yml
     services:
       nginx:
         image: nginx
         stop_signal: SIGQUIT
  17. How? Make sure the process itself receives the stop signal (stop_signal):

     # Dockerfile
     # OK
     CMD ["nginx"]
     CMD exec nginx
     # NG
     CMD nginx
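Slide 17 shows the OK/NG forms without saying why: in shell form Docker runs the command as `/bin/sh -c "nginx"`, so the shell is PID 1 and the stop signal is delivered to the shell, which does not forward it to nginx, whereas exec form (or `exec nginx`) makes nginx PID 1 itself. As an added example that is not part of the talk, this small Python checker flags CMD/ENTRYPOINT lines in shell form; the function names and the sample Dockerfile are constructed here.

```python
# Added example (not from the talk): flag CMD/ENTRYPOINT lines written in shell form.
# Shell form ("CMD nginx") runs as /bin/sh -c "nginx", so /bin/sh is PID 1 and the stop
# signal goes to the shell, which does not forward it. Exec form, or "CMD exec nginx",
# makes nginx itself PID 1.
import json
import re

def logical_lines(dockerfile):
    """Yield instructions with backslash continuations joined; comments and blanks dropped."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()

def is_exec_form(args):
    """True when args is a JSON array of strings, which is Docker's exec form."""
    try:
        parsed = json.loads(args)
    except ValueError:
        return False
    return isinstance(parsed, list) and all(isinstance(a, str) for a in parsed)

def check_dockerfile(dockerfile):
    """Return (instruction, args, verdict) per CMD/ENTRYPOINT; verdict starts with OK or NG."""
    findings = []
    for line in logical_lines(dockerfile):
        m = re.match(r"(?i)^(CMD|ENTRYPOINT)\s+(.*)$", line)
        if not m:
            continue
        instr, args = m.group(1).upper(), m.group(2).strip()
        if is_exec_form(args):
            verdict = "OK: exec form, the process is PID 1"
        elif re.match(r"^exec\s+\S", args):
            verdict = "OK: shell form, but exec replaces /bin/sh with the process"
        else:
            verdict = "NG: shell form, /bin/sh is PID 1 and the stop signal is not forwarded"
        findings.append((instr, args, verdict))
    return findings

# Constructed sample Dockerfile (hypothetical) covering the three cases from slide 17,
# with a backslash continuation on the exec-form line.
SAMPLE = 'FROM nginx\nCMD ["nginx", \\\n  "-g", "daemon off;"]\nCMD exec nginx\nCMD nginx\n'
```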
  18. Practice 2: Backups, monitoring, log collection, migrations: do all of it in containers

  19. Why? Doing as much as possible in containers means installing nothing directly on the host, which makes host operations easier. If everything is pushed into containers, then whether you use Compose or Kubernetes, it can all be controlled centrally from there.
  20. How?

  21. How? Dockup:

     # Run a container that has data
     $ docker run -d --name minecraft \
         -v /data/world minecraft

     # Backup with dockup container
     $ docker run --rm --env-file env.txt \
         --volumes-from minecraft \
         tutum/dockup
  22. How? Datadog:

     # Run monitoring agent
     $ docker run -d \
         -h `hostname` \
         -e API_KEY=<KEY> \
         -v /var/run/docker.sock:/var/run/docker.sock \
         -v /proc/:/host/proc/:ro \
         -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
         datadog/docker-dd-agent:latest
  23. How? Fluentd:

     # Run log collector
     $ docker run -d -p 24224:24224 fluent/fluentd

     # Send container log to log collector
     $ docker run -d --log-driver=fluentd nginx
  24. How? One-off containers:

     # DB migration
     $ docker run --rm rails rake db:migrate

     # Rails console
     $ docker run -it --rm rails rails console

     # AWS CLI
     $ docker run --rm \
         quay.io/spesnova/aws-cli:latest \
         aws s3 ls
  25. Practice 3: Put configuration that depends on where the container runs into environment variables

  26. Why? If settings you want to decide at run time are hard-coded, you end up having to rebuild. Environment variables are a configuration mechanism that works uniformly, regardless of the language or middleware inside the container.

  27. How? Entrykit:

     # Dockerfile
     COPY ./nginx.conf.tmpl /etc/nginx/nginx.conf.tmpl
     ENTRYPOINT [ "render", \
                  "/etc/nginx/nginx.conf", "--", \
                  "/usr/sbin/nginx" ]

     # nginx.conf.tmpl
     worker_processes {{ var "WORKER_PROCESSES" | default "1" }};
  28. Practice 4: Decide in advance how you will maintain the host machines

  29. Why? Once you start operating containers, the host always has containers running on it, so the host is far harder to maintain than the containers are.

  30. How? Kubernetes drain

  31. How? Kubernetes drain:

     # Preparation for maintenance
     $ kubectl drain node-00
     node "node-00" cordoned
     pod "example-fcgm3" deleted
     pod "example-pi8rq" deleted
     node "node-00" drained

     # Do maintenance

     # Make the node schedulable
     $ kubectl uncordon node-00
     node "node-00" uncordoned
  32. Practice 5: Continuously scan the packages inside containers for vulnerabilities

  33. Why? Precisely because images are so reproducible, some of them end up built once and never updated. With so few opportunities to update, vulnerability fixes also tend to be left unattended.

  34. How? Clair:

     # Run Clair service
     $ docker run -p 6060:6060 -p 6061:6061 -v /tmp:/tmp -v $PWD:/config \
         quay.io/coreos/clair --config /config/config.yml

     # Run image scan
     $ ./analyze-local-images postgres
     …
     - Added by: aa0e4f075388ef6efa1cb6f243fa78b862201b3….
     ### (Medium) CVE-2016-0402
     - Link: https://security-tracker.debian.org/tracker/CVE-2016-0402
     - Description: Unspecified vulnerability in the Java SE and Java SE …….
     - Fixed version: 7u95-2.6.4-1~deb7u1
     - Metadata: ……
     …
  35. How? Quay.io

  36. Practice 6: Run the official security benchmark and use it as a guide for configuration

  37. Why? Docker, together with its surrounding tooling, is evolving rapidly, and there are too many choices for everything. There is no downside to using a tool that checks best practices mechanically.

  38. How? docker/docker-bench-security:

     # Run Docker Benchmark for Security
     $ docker-compose run --rm docker-bench-security
     …
     [INFO] 1 - Host Configuration
     [WARN] 1.1 - Create a separate partition for containers
     [PASS] 1.2 - Use an updated Linux Kernel
     [PASS] 1.5 - Remove all non-essential services from the host - Network
     [WARN] 1.6 - Keep Docker up to date
     [WARN]      * Using 1.10.1, when 1.10.2 is current as of 2016-02-22
     …
  39. Summary

  40. Basic principles: • Do as much as possible in containers • Containers are "short-lived"

  41. Practices: • Stop gracefully • Backups and migrations in containers too • Configuration into environment variables with Entrykit • Don't forget host machine operations • Continuous vulnerability scanning • Try running the Security Benchmark
  42. The end

  43. We're Hiring! http://increments.co.jp/jobs

  44. my Docker Best Practice