Upgrade to Pro — share decks privately, control downloads, hide ads and more …

My Docker Best Practice (2016 Winter Short Version)

Seigo Uchida
March 05, 2016
Technology
33
7.2k

My Docker Best Practice (2016 Winter Short Version)

http://dockerjp.connpass.com/event/26538/ で発表したやつ

Seigo Uchida

March 05, 2016
Tweet

More Decks by Seigo Uchida

See All by Seigo Uchida
Kubernetes Cluster Monitoring
spesnova
2
5.3k
How we monitor microservices at Mercari microservices platform team
spesnova
13
9.6k
Kubernetes RBAC in microservices
spesnova
6
3.7k
Introduction to kustomize
spesnova
17
31k
Kubernetes 運用設計ガイド / A design guide for Kubernetes in production (Japanese)
spesnova
81
17k
Microservices Monitoring at mercari
spesnova
3
3.5k
Monitoring Kubernetes with Datadog
spesnova
12
4.1k
CoreOS 運用の所感
spesnova
17
8.9k
Understanding fleet
spesnova
4
3.5k

Other Decks in Technology

See All in Technology
dbt_ベストプラクティス_完全に理解した.pdf
dach
2
100
WASMを実行する自作Microkernel, mavisの紹介
riru
0
130
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
4.2k
【2023】SWR vs TanStack Query
ytaisei
1
230
備えあれば患いなし:効率的なインシデント対応を目指すSREの取り組み
kazumax55
0
160
Ubieのアプリ開発を支える自動テスト
guchey
0
150
ブロックエディタをゴリゴリに使い倒してサイトを作った話 / Kansai WordPress Meetup 2023 09 23
torounit
13
6.8k
Kotlin Dynamic type
coe
0
130
"SMB vs. EP" プロダクト特性の違いから考える「何をつくる?つくらない?」
miyashino
0
410
1,800万人が利用する『家族アルバム みてね』におけるK8s基盤のアップグレード戦略と継続的改善 / FamilyAlbum's upgrade strategy and continuous improvement for K8s infrastructure
kohbis
0
160
サーバーレスは死なぬ!みんなEDA(Event Driven Architecture)として使ってるでしょ?
cyberarchitect
5
1.9k
Amazon FSx for NetApp ONTAPを 利用するときに気をつけることn選 〜移行プロセスを添えて〜 #devio2023
non97
0
140

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.7k
WebSockets: Embracing the real-time Web
robhawkes
58
6.5k
Six Lessons from altMBA
skipperchong
17
2.6k
Building an army of robots
kneath
300
41k
Producing Creativity
orderedlist
PRO
336
38k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Building Your Own Lightsaber
phodgson
97
5.2k
Optimising Largest Contentful Paint
csswizardry
6
1.8k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
177
9.8k
Faster Mobile Websites
deanohume
296
29k

Transcript

  1. https://goto.docker.com/rs/929-FJL-178/images/swarmnado.gif
    my
    Docker Best Practice
    ( 2016 Winter Short Version)

    View Slide

  2. @spesnova

    View Slide

  3. View Slide

  4. View Slide

  5. ݸਓతͳ
    ϕετϓϥΫςΟεͷ
    Ұ෦Λ঺հ
    ςʔϚ

    View Slide

  6. https://www.docker.com/sites/all/themes/docker/assets/images/turtle.png
    جຊݪଇ

    View Slide

  7. ίϯςφ͸୹໋ͳ΋ͷͱͯ͠ѻ͏
    جຊݪଇ 1

    View Slide

  8. ୹໋ͱ͍͏ͷ͸ݴ͍׵͑Δͱɺʮසൟ
    ʹىಈͯ͠͸͙͢ʹऴྃ͢Δʯͱ͍͏
    ͜ͱɻͦͷͨΊʹ͸ىಈͱऴྃࣗମ΋
    ଎͍ඞཁ͕͋Δɻ͙ͦͯ͢͠ʹऴྃͰ
    ͖Δͱ͍͏͜ͱ͸ӬଓԽ͢΂͖σʔλ
    Λ࣋ͨͳ͍ͱ͍͏͜ͱɻ
    ୹໋ͱ͸?

    View Slide

  9. ίϯςφ͕͙͢ʹىಈͯ͠ɺ͙͢ʹఀ
    ࢭͰ͖Δͱѻ͍΍ͯ͘͢ศརʹͳΔɻ
    ྫ͑͹ɺεέʔϧɺೖΕସ͑ɺҠಈͳ
    ͲͲΕ΋΍Γ΍͘͢ͳΔɻ
    ͳ͔ͥ?

    View Slide

  10. Ͱ͖Δ͚ͩίϯςφͰ΍Δ
    جຊݪଇ 2

    View Slide

  11. ίϯςφͰ΍Δɺͱ͍͏ͷ͸ʮϗετ
    ʹ௚઀Կ΋Πϯετʔϧ͠ͳ͍ʯ୅Θ
    Γʹʮίϯςφͱͯ͠Πϯετʔϧ͢
    Δʯͱ͍͏͜ͱɻ
    ίϯςφͰ΍Δͱ͸ʁ

    View Slide

  12. ʮϗετʹ௚઀Πϯετʔϧ͠ͳ͍ʯ
    ͜ͱ͸ϗετͷӡ༻Λָʹ͢ΔɻԿ΋
    Πϯετʔϧ͠ͳ͚Ε͹Ξοϓσʔτ
    ͷඞཁ΋ͳ͍ɻ৭ʑͳ΋ͷΛίϯςφ
    ʹ͓͚ͯ͠͹ɺίϯςφ؅ཧπʔϧ
    (K8S ͱ͔) ʹΑͬͯҰݩతʹίϯτ
    ϩʔϧͰ͖Δɻ
    ͳ͔ͥ?

    View Slide

  13. http://www.docker.com/sites/default/files/Compose.png
    ϓϥΫςΟε

    View Slide

  14. ίϯςφ͸ Graceful ʹࢭΊΔ
    ϓϥΫςΟε 1

    View Slide

  15. ίϯςφ͸ϥΠϑαΠΫϧ͕୹͘ɺස
    ൟʹىಈɾఀࢭ͞ΕΔɻසൟʹࢭΊͯ
    ΋αʔϏεʹӨڹ͕ͳ͍Α͏ʹ
    Graceful ʹࢭΊΔɻ
    ͳ͔ͥ?

    View Slide

  16. $ docker kill —signal=
    Ͳ͏΍ͬͯ?
    # docker-compose.yml
    services:
    nginx:
    image: nginx
    stop_signal: SIGQUIT
    stop_signal

    View Slide

  17. # Dockerfile
    # OK
    CMD ["nginx"]
    CMD exec nginx
    # NG
    CMD nginx
    Ͳ͏΍ͬͯ?
    stop_signal

    View Slide

  18. όοΫΞοϓ΋ϞχλϦϯά΋
    ϩάऩू΋ϚΠάϨʔγϣϯ΋
    ͢΂ͯ
    ίϯςφͰ΍Δ
    ϓϥΫςΟε 2

    View Slide

  19. Ͱ͖Δ͚ͩίϯςφͰ΍Δ = ʮϗετ
    ʹ௚઀Կ΋Πϯετʔϧ͠ͳ͍ʯ͜ͱ
    Ͱϗετͷӡ༻Λָʹ͢Δɻίϯςφ
    ʹد͓͚ͤͯ͹ɺCompose ʹ͠Ζ
    Kubernetes ʹ͠ΖɺͦΕͰҰݩతʹ
    ίϯτϩʔϧͰ͖Δɻ
    ͳ͔ͥ?

    View Slide

  20. Ͳ͏΍ͬͯ?

    View Slide

  21. Ͳ͏΍ͬͯ?
    # Run a container that has data
    $ docker run -d -name minecraft \
    -v /data/world minecraft
    # Backup with dockup container
    $ docker run —rm --env-file env.txt \
    —volumes-from minecraft \
    tutum/dockup
    Dockup

    View Slide

  22. Ͳ͏΍ͬͯ?
    # Run monitoring agent
    $ docker run -d \
    -h `hostname` \
    -e API_KEY= \
    - /var/run/docker.sock:/var/run/docker.sock \
    - /proc/:/host/proc/:ro \
    - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
    datadog/docker-dd-agent:latest
    Datadog

    View Slide

  23. Ͳ͏΍ͬͯ?
    # Run log collector
    $ docker run -d -p 24224:24224 fluent/fluentd
    # Send container log to log collector
    $ docker run -d —log-driver=fluentd nginx
    Fluentd

    View Slide

  24. Ͳ͏΍ͬͯ?
    # DB migration
    $ docker run —rm rails rake db:migrate
    # Rails console
    $ docker run -it —rm rails rails console
    # AWS CLI
    $ docker run --rm \
    quay.io/spesnova/aws-cli:latest \
    aws s3 ls
    one-off container

    View Slide

  25. ίϯςφΛىಈ͢Δ؀ڥʹΑͬͯ
    มΘΔઃఆ͸؀ڥม਺ʹೖΕΔ
    ϓϥΫςΟε 3

    View Slide

  26. ࣮ߦ࣌ʹઃఆ͍ͨ͠΋ͷΛϋʔυίʔ
    υͯ͠ΔͱϏϧυ͠௚͢ඞཁ͕ग़ͯ͘
    Δɻ؀ڥม਺͸ɺίϯςφ಺ͷݴޠ΍
    ϛυϧ΢ΣΞʹґଘͤͣʹڞ௨ͯ͠ར
    ༻Ͱ͖Δઃఆ؅ཧखஈͰ͋Δɻ
    ͳ͔ͥ?

    View Slide

  27. Ͳ͏΍ͬͯ?
    # Dockerfile
    COPY ./nginx.conf.tmpl /etc/nginx/nginx.conf.tmpl
    ENTRYPOINT [
    "render", \
    "/etc/nginx/nginx.conf", "--", "/usr/sbin/nginx"
    ]
    Entrykit
    # nginx.conf.tmpl
    worker_processes {{ var "WORKER_PROCESSES" | default "1" }};

    View Slide

  28. Ͳ͏΍ͬͯϗετϚγϯΛ
    ϝϯςφϯε͢Δ͔ߟ͓͑ͯ͘
    ϓϥΫςΟε 4

    View Slide

  29. Ұ౓ίϯςφͷӡ༻Λ࢝ΊͨΒɺ
    ϗετ্ʹ͸ৗʹίϯςφ͕ࡌ͔ͬͬ
    ͯΔͷͰɺίϯςφΑΓϗετͷํ͕
    ѹ౗తʹϝϯςφϯεͮ͠Β͍ɻ
    ͳ͔ͥ?

    View Slide

  30. Ͳ͏΍ͬͯ?
    kubernetes Drain

    View Slide

  31. Ͳ͏΍ͬͯ?
    # Preparation for maintenance
    $ kubectl drain node-00
    node "node-00" cordoned
    pod "example-fcgm3" deleted
    pod "example-pi8rq" deleted
    node "node-00" drained
    # Do maintenance
    # Make the node schedulable
    $ kubectl uncordon node-00
    node "node-00" uncordoned
    kubernetes Drain

    View Slide

  32. ίϯςφ಺ͷύοέʔδ੬ऑੑΛ
    ܧଓతʹεΩϟϯ͢Δ
    ϓϥΫςΟε 5

    View Slide

  33. ͳ͔ͥ?
    ࠶ݱੑ͕ߴ͍Ώ͑ʹɺ΋ͷʹΑͬͯҰ
    ౓Ϗϧυ͖ͨ͠ΓͰߋ৽͠ͳ͘ͳΔ΋
    ͷ͕ग़ͯ͘Δɻߋ৽ػձ͕গͳ͍ͨΊ
    ʹ੬ऑੑରԠ΋์ஔ͞Ε͕ͪʹͳΔɻ

    View Slide

  34. Ͳ͏΍ͬͯ?
    # Run Clair service
    $ docker run -p 6060:6060 -p 6061:6061 -v /tmp:/tmp -v $PWD:/config \
    quay.io/coreos/clair —config /config/config.yml
    # Run image scan
    $ ./analyze-local-images postgres

    - Added by: aa0e4f075388ef6efa1cb6f243fa78b862201b3….
    ### (Medium) CVE-2016-0402
    - Link: https://security-tracker.debian.org/tracker/CVE-2016-0402
    - Description: Unspecified vulnerability in the Java SE and Java SE …….
    - Fixed version: 7u95-2.6.4-1~deb7u1
    - Metadata: ……

    Clair

    View Slide

  35. Ͳ͏΍ͬͯ?
    Quay.io

    View Slide

  36. ެࣜηΩϡϦςΟϕϯνϚʔΫ
    Λྲྀͯ͠ઃఆͷࢦ਑ʹ͢Δ
    ϓϥΫςΟε 6

    View Slide

  37. ͳ͔ͥ?
    Docker ͸पลπʔϧ΋ؚΊͯٸ଎ʹ
    ਐԽ͓ͯ͠ΓɺԿ͔ͱબ୒ࢶ͕ͨ͘͞
    Μ͋Γա͗ΔɻػձతʹϕετϓϥΫ
    ςΟεΛνΣοΫͰ͖ΔπʔϧΛ࢖ͬ
    ͓͍ͯͯଛ͸ͳ͍ɻ

    View Slide

  38. Ͳ͏΍ͬͯ?
    # Run Docker Benchmark for Security
    $ docker-compose run --rm docker-bench-security

    INFO] 1 - Host Configuration
    [WARN] 1.1 - Create a separate partition for containers
    [PASS] 1.2 - Use an updated Linux Kernel
    [PASS] 1.5 - Remove all non-essential services from the host - Network
    [WARN] 1.6 - Keep Docker up to date
    [WARN] * Using 1.10.1, when 1.10.2 is current as of 2016-02-22

    docker/docker-bench-security

    View Slide

  39. http://www.docker.com/sites/default/files/Registry.png
    ·ͱΊ

    View Slide

  40. • Ͱ͖Δ͚ͩίϯςφͰ΍Δ
    • ίϯςφ͸"୹໋"ͳ΋ͷ
    جຊݪଇ

    View Slide

  41. • Graceful ʹࢭΊΑ͏
    • backup΋migration΋ίϯςφͰ
    • ઃఆ͸ Entrykit Ͱ؀ڥม਺ʹ
    • ϗετϚγϯͷӡ༻Λ๨ΕΔͳ
    • ܧଓత੬ऑੑεΩϟϯ
    • SecurityBenchmark Λྲྀͯ͠ΈΑ͏
    ϓϥΫςΟε

    View Slide

  42. https://docs.docker.com/images/docker-friends.png
    ͓ΘΓ

    View Slide

  43. We’re Hiring!
    http://increments.co.jp/jobs

    View Slide

  44. https://goto.docker.com/rs/929-FJL-178/images/swarmnado.gif
    Docker Best Practice
    my

    View Slide