My Docker Best Practice (2016 Winter Short Version)

Seigo Uchida

March 05, 2016

Transcript

  1. https://goto.docker.com/rs/929-FJL-178/images/swarmnado.gif
    my Docker Best Practice (2016 Winter Short Version)

  2. @spesnova

  5. Theme
    A selection of my personal best practices

  6. https://www.docker.com/sites/all/themes/docker/assets/images/turtle.png
    Basic principles

  7. Basic principle 1
    Treat containers as short-lived

  8. What does "short-lived" mean?
    Put another way, short-lived means "started frequently and stopped soon after."
    For that, starting and stopping must themselves be fast. And being able to stop
    at any moment means the container holds no data that needs to be persisted.

  9. Why?
    Containers that start quickly and can be stopped quickly are easy to handle and
    convenient: scaling, replacing and moving them all become easier.

  10. Basic principle 2
    Do as much as possible in containers

  11. What does "do it in containers" mean?
    Rather than "installing anything directly on the host", it means "installing it
    as a container".

  12. Why?
    Not installing anything directly on the host makes operating the host easier: if
    nothing is installed, nothing needs to be updated. If everything is put into
    containers, a container management tool (K8s and the like) can control all of it
    centrally.

  13. http://www.docker.com/sites/default/files/Compose.png
    Practices

  14. Practice 1
    Stop containers gracefully

  15. Why?
    Containers have a short life cycle and are started and stopped frequently. Stop
    them gracefully so that frequent stops do not affect the service.

  16. How? (stop_signal)
    $ docker kill --signal=
    # docker-compose.yml
    services:
      nginx:
        image: nginx
        stop_signal: SIGQUIT

  17. How? (stop_signal)
    # Dockerfile
    # OK: nginx itself ends up as PID 1 (exec form, or shell form with exec)
    #     and receives the stop signal
    CMD ["nginx"]
    CMD exec nginx
    # NG: shell form runs /bin/sh -c "nginx"; the shell is PID 1 and nginx
    #     never receives the stop signal
    CMD nginx
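
    To see why the shell form is marked NG above, here is an added example (not from
    the original deck) that simulates the two process layouts outside Docker, with
    plain `sh` and `sleep` standing in for `/bin/sh -c` and nginx. In the shell-form
    layout a wrapper shell is the process that receives SIGTERM (what `docker stop`
    sends by default) and its child keeps running; in the exec-form layout the service
    itself receives the signal. The two command strings and the 30-second `sleep` are
    constructed stand-ins, and `stop_like_docker` is this example's own helper.

```python
import os
import signal
import subprocess
import time

# Constructed stand-ins for the two CMD styles on the slide. Each inner script prints
# the PID of the process that would keep running after the wrapper dies (0 when the
# service has replaced the shell via exec), so the caller can check for orphans.
SHELL_FORM = "sleep 30 & echo $!; wait"   # like: CMD nginx  (/bin/sh -c "nginx")
EXEC_FORM = "echo 0; exec sleep 30"       # like: CMD ["nginx"] or CMD exec nginx


def process_alive(pid):
    """True if a process with this PID exists (signal 0 probes without sending)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def stop_like_docker(script):
    """Start `sh -c script` as the pretend PID 1, send it SIGTERM the way
    `docker stop` does, and report what happened."""
    proc = subprocess.Popen(["sh", "-c", script], stdout=subprocess.PIPE, text=True)
    child_pid = int(proc.stdout.readline().strip())
    time.sleep(0.2)  # give the exec form time to replace the shell
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=5)
    finally:
        proc.stdout.close()
    orphan_left = child_pid != 0 and process_alive(child_pid)
    if orphan_left:
        os.kill(child_pid, signal.SIGKILL)  # clean up the orphan this demo created
    return {
        "pid1_stopped_by_sigterm": proc.returncode == -signal.SIGTERM,
        "orphan_left": orphan_left,
    }


def compare_cmd_forms():
    """Run both layouts. The shell form leaves the service running as an orphan,
    which is why Docker ends up sending SIGKILL after the stop timeout."""
    return {
        "shell_form": stop_like_docker(SHELL_FORM),
        "exec_form": stop_like_docker(EXEC_FORM),
    }


if __name__ == "__main__":
    for form, result in compare_cmd_forms().items():
        print(form, result)
```

    The `orphan_left` flag is the whole point: with the shell form the signal stops the
    shell and nothing else, so connections are not drained and Docker has to resort to
    SIGKILL once the grace period expires.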

  18. Practice 2
    Backups, monitoring, log collection, migrations: do all of it in containers

  19. Why?
    Doing as much as possible in containers means "not installing anything directly
    on the host", which makes operating the host easier. Once everything is pushed
    into containers, whether you use Compose or Kubernetes, it can all be controlled
    centrally from there.

  20. How?

  21. How? (Dockup)
    # Run a container that has data
    $ docker run -d --name minecraft \
        -v /data/world minecraft
    # Back up its volumes with the dockup container
    $ docker run --rm --env-file env.txt \
        --volumes-from minecraft \
        tutum/dockup

  22. How? (Datadog)
    # Run the monitoring agent; set API_KEY to your Datadog API key.
    # Mounting docker.sock gives the agent the same access as the Docker daemon
    # (root-equivalent on the host), so only grant it to an agent you trust.
    $ docker run -d \
        -h `hostname` \
        -e API_KEY= \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /proc/:/host/proc/:ro \
        -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
        datadog/docker-dd-agent:latest

  23. How? (Fluentd)
    # Run the log collector
    $ docker run -d -p 24224:24224 fluent/fluentd
    # Send a container's log to the log collector
    $ docker run -d --log-driver=fluentd nginx

  24. How? (one-off containers)
    # DB migration
    $ docker run --rm rails rake db:migrate
    # Rails console
    $ docker run -it --rm rails rails console
    # AWS CLI
    $ docker run --rm \
        quay.io/spesnova/aws-cli:latest \
        aws s3 ls

  25. Practice 3
    Put configuration that varies with the environment the container runs in into
    environment variables

  26. Why?
    If something you want to set at run time is hard-coded, you end up having to
    rebuild. Environment variables are a configuration mechanism that works the same
    way regardless of the language or middleware inside the container.

  27. How? (Entrykit)
    # Dockerfile
    COPY ./nginx.conf.tmpl /etc/nginx/nginx.conf.tmpl
    ENTRYPOINT [ \
      "render", \
      "/etc/nginx/nginx.conf", "--", "/usr/sbin/nginx" \
    ]
    # nginx.conf.tmpl
    worker_processes {{ var "WORKER_PROCESSES" | default "1" }};
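
    The `render` entrypoint above substitutes values from the environment into the
    template before nginx starts. As an added example (not Entrykit's own code, which
    is written in Go and evaluates Go templates), the following Python stand-in handles
    the two template forms used on the slide, `{{ var "NAME" }}` and
    `{{ var "NAME" | default "VALUE" }}`, and can be wired up the same way as the
    ENTRYPOINT: render `<path>.tmpl` to `<path>`, then exec the command after `--`.
    The nginx template is constructed for the example, and treating a variable with
    neither a value nor a default as a start-up error is this stand-in's own choice, so
    that a misconfigured container fails fast instead of running on a half-rendered
    config.

```python
import os
import re
import sys

# Matches {{ var "NAME" }} and {{ var "NAME" | default "VALUE" }}, the two Entrykit
# template forms used on the slide (real Entrykit accepts any Go template).
_TAG = re.compile(
    r'\{\{\s*var\s+"([A-Za-z_][A-Za-z0-9_]*)"'
    r'(?:\s*\|\s*default\s+"([^"]*)")?\s*\}\}'
)

# Constructed template in the style of the slide's nginx.conf.tmpl.
NGINX_TMPL = """\
worker_processes {{ var "WORKER_PROCESSES" | default "1" }};
events { worker_connections {{ var "WORKER_CONNECTIONS" | default "1024" }}; }
http {
  server {
    listen {{ var "LISTEN_PORT" | default "80" }};
    server_name {{ var "SERVER_NAME" }};
  }
}
"""


class MissingVariable(KeyError):
    """A {{ var }} that is unset (or empty) and has no default."""


def missing_variables(template, env=None):
    """Names that would make render() fail for this environment."""
    env = os.environ if env is None else env
    return [m.group(1) for m in _TAG.finditer(template)
            if m.group(2) is None and env.get(m.group(1), "") == ""]


def render(template, env=None):
    """Substitute every {{ var ... }} from env (default: the process environment).
    Like Entrykit's `default`, the fallback applies when the variable is unset or empty."""
    env = os.environ if env is None else env
    missing = missing_variables(template, env)
    if missing:
        raise MissingVariable(", ".join(missing))

    def substitute(match):
        value = env.get(match.group(1), "")
        return value if value != "" else match.group(2)

    return _TAG.sub(substitute, template)


def render_file(template_path, output_path, env=None):
    """Render template_path into output_path (the slide's nginx.conf.tmpl -> nginx.conf)."""
    with open(template_path) as src:
        rendered = render(src.read(), env)
    with open(output_path, "w") as dst:
        dst.write(rendered)


def render_example():
    """Render NGINX_TMPL once with defaults only and once with an override."""
    base = {"SERVER_NAME": "example.test"}  # constructed environment
    return render(NGINX_TMPL, base), render(NGINX_TMPL, {**base, "WORKER_PROCESSES": "4"})


def main(argv):
    """Usage: render.py <output path> -- <command...>, mirroring the slide's
    ENTRYPOINT: render <output path>.tmpl, then exec the real service."""
    output, command = argv[0], argv[argv.index("--") + 1:]
    render_file(output + ".tmpl", output)
    os.execvp(command[0], command)


if __name__ == "__main__":
    main(sys.argv[1:])
```

    Values are interpolated verbatim, exactly as Entrykit does it, so anything that
    reaches the container environment ends up in the config file; keeping the set of
    variables small and defaulted is what makes the fail-fast check useful.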

  28. Practice 4
    Decide in advance how you will maintain the host machines

  29. Why?
    Once you start running containers, there are always containers sitting on the
    host, so the host is far harder to maintain than the containers are.

  30. How?
    Kubernetes drain

  31. How? (Kubernetes drain)
    # Preparation for maintenance
    $ kubectl drain node-00
    node "node-00" cordoned
    pod "example-fcgm3" deleted
    pod "example-pi8rq" deleted
    node "node-00" drained
    # Do the maintenance
    # Make the node schedulable again
    $ kubectl uncordon node-00
    node "node-00" uncordoned

  32. Practice 5
    Continuously scan the packages inside containers for vulnerabilities

  33. Why?
    Precisely because images are so reproducible, some of them end up being built
    once and never updated. With so few occasions to update, vulnerability fixes tend
    to be left undone.

  34. How? (Clair)
    # Run the Clair service
    $ docker run -p 6060:6060 -p 6061:6061 -v /tmp:/tmp -v $PWD:/config \
        quay.io/coreos/clair --config /config/config.yml
    # Scan an image
    $ ./analyze-local-images postgres

    - Added by: aa0e4f075388ef6efa1cb6f243fa78b862201b3….
    ### (Medium) CVE-2016-0402
    - Link: https://security-tracker.debian.org/tracker/CVE-2016-0402
    - Description: Unspecified vulnerability in the Java SE and Java SE …….
    - Fixed version: 7u95-2.6.4-1~deb7u1
    - Metadata: ……

  35. How?
    Quay.io

  36. Practice 6
    Run the official security benchmark and use it as a guide for your configuration

  37. Why?
    Docker, together with the tools around it, is evolving rapidly, and there are far
    too many options for everything. There is no downside to using a tool that checks
    best practices mechanically.

  38. How? (docker/docker-bench-security)
    # Run the Docker Bench for Security
    $ docker-compose run --rm docker-bench-security

    [INFO] 1 - Host Configuration
    [WARN] 1.1 - Create a separate partition for containers
    [PASS] 1.2 - Use an updated Linux Kernel
    [PASS] 1.5 - Remove all non-essential services from the host - Network
    [WARN] 1.6 - Keep Docker up to date
    [WARN] * Using 1.10.1, when 1.10.2 is current as of 2016-02-22
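
    Both scanners print reports meant for a human, but practices 5 and 6 are about
    running them continuously, which means something has to read the output and
    decide. As an added example that is not part of the deck or of either tool, the
    following Python parses the two report layouts shown on slides 34 and 38 into
    structured findings and applies a simple gate: a CVE above a chosen severity, or
    any CVE that already has a fixed version (a rebuild would remove it), blocks the
    image, and benchmark WARN lines are tallied per section. The sample reports are
    constructed from the lines on the slides; the CVE-0000-* identifiers are
    placeholders, not real CVEs, and the severity order is Clair's.

```python
import re
from collections import Counter

# Clair severities, lowest to highest.
SEVERITY_RANK = {s: i for i, s in enumerate(
    ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"])}

# "### (Medium) CVE-2016-0402" headers and the "- Key: value" lines under them
CLAIR_HEADER = re.compile(r"^###\s*\((\w+)\)\s*(CVE-\d{4}-\d{4,})\s*$")
CLAIR_FIELD = re.compile(r"^-\s*([A-Za-z ]+?)\s*:\s*(.*)$")
# "[WARN] 1.1 - Create a separate partition ..." or a "[WARN] * detail" sub-line
BENCH_LINE = re.compile(
    r"^\[(PASS|WARN|INFO|NOTE)\]\s+(?:(\d+(?:\.\d+)*)\s+-\s+(.*)|\*\s+(.*))$")

# Constructed sample in the analyze-local-images layout from the slide; the first
# entry is the slide's own, the CVE-0000-* entries are placeholders.
SAMPLE_CLAIR = """\
### (Medium) CVE-2016-0402
- Link: https://security-tracker.debian.org/tracker/CVE-2016-0402
- Description: Unspecified vulnerability in the Java SE and Java SE ...
- Fixed version: 7u95-2.6.4-1~deb7u1
- Metadata: {}
### (Low) CVE-0000-0001
- Link: https://example.invalid/CVE-0000-0001
- Description: placeholder finding, no fix available
- Fixed version:
### (High) CVE-0000-0002
- Link: https://example.invalid/CVE-0000-0002
- Description: placeholder finding, no fix available
- Fixed version:
"""

# Constructed sample made of the docker-bench-security lines from the slide.
SAMPLE_BENCH = """\
[INFO] 1 - Host Configuration
[WARN] 1.1 - Create a separate partition for containers
[PASS] 1.2 - Use an updated Linux Kernel
[PASS] 1.5 - Remove all non-essential services from the host - Network
[WARN] 1.6 - Keep Docker up to date
[WARN] * Using 1.10.1, when 1.10.2 is current as of 2016-02-22
"""


def parse_clair_report(text):
    """One dict per CVE: severity, cve, fixed_version (None when unfixed), plus the
    other "- Key: value" fields with snake_case keys."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = CLAIR_HEADER.match(line)
        if header:
            current = {"severity": header.group(1), "cve": header.group(2),
                       "fixed_version": None}
            findings.append(current)
            continue
        field = CLAIR_FIELD.match(line)
        if field and current is not None:
            key = field.group(1).lower().replace(" ", "_")
            current[key] = field.group(2).strip() or None
    return findings


def parse_bench_output(text):
    """One dict per numbered check; "* detail" lines attach to the check above them."""
    checks, current = [], None
    for raw in text.splitlines():
        m = BENCH_LINE.match(raw.strip())
        if not m:
            continue
        status, check_id, title, detail = m.groups()
        if check_id is not None:
            current = {"status": status, "id": check_id, "title": title, "details": []}
            checks.append(current)
        elif current is not None:
            current["details"].append(detail)
    return checks


def gate(findings, checks, max_severity="Medium"):
    """Decide whether the image may ship. Blocking: a CVE above max_severity, or any
    CVE with a fixed version (rebuild the image to pick it up). Benchmark warnings
    are summarised per top-level section for the report."""
    limit = SEVERITY_RANK[max_severity]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) > limit:
            blocking.append(f"{f['cve']}: severity {f['severity']} exceeds {max_severity}")
        elif f["fixed_version"]:
            blocking.append(f"{f['cve']}: fix available in {f['fixed_version']}")
    warnings = Counter(c["id"].split(".")[0] for c in checks if c["status"] == "WARN")
    return {"ok": not blocking, "blocking": blocking, "bench_warnings": dict(warnings)}


if __name__ == "__main__":
    print(gate(parse_clair_report(SAMPLE_CLAIR), parse_bench_output(SAMPLE_BENCH)))
```

    The "fix available" rule is the one that makes continuous scanning pay off: an
    image built once and never rebuilt accumulates exactly these entries, and the
    gate turns them into a rebuild trigger instead of a report nobody reads.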

  39. http://www.docker.com/sites/default/files/Registry.png
    Summary

  40. Basic principles
    • Do as much as possible in containers
    • Containers are "short-lived" things

  41. Practices
    • Stop gracefully
    • Backups and migrations in containers too
    • Configuration into environment variables with Entrykit
    • Don't forget about operating the host machines
    • Continuous vulnerability scanning
    • Try running the Security Benchmark

  42. https://docs.docker.com/images/docker-friends.png
    The end

  43. We’re Hiring!
    http://increments.co.jp/jobs

  44. https://goto.docker.com/rs/929-FJL-178/images/swarmnado.gif
    my Docker Best Practice
