
Introduction to Docker @galvanize


Introduction to Docker + Zero downtime deployment using Hipache

Victor Vieux

April 23, 2014

Transcript

  1. Outline
     •  Whom is this for?
     •  What's the problem?
     •  What's a Container?
     •  Docker 101
     •  Docker index vs registry & How-To
     •  Demo: Deployment with zero downtime
     •  Docker future
     •  Questions
  3. Devs
     •  all languages
     •  all databases
     •  all O/S
     •  targeting Linux systems
        Docker will eventually be able to target FreeBSD (jails), Solaris (zones), and maybe OS X
  4. Ops
     •  any distro
     •  any cloud
     •  any machine (physical, virtual…)
     •  recent kernels
        –  at least 3.8
        –  or the one that comes with RHEL 6.5
  6. Linux containers… Units of software delivery.
     •  run everywhere
        –  regardless of kernel version
        –  regardless of host distro
        –  (but container and host architecture must match*)
     •  run anything
        –  if it can run on the host, it can run in the container
        –  i.e., if it can run on a Linux kernel, it can run
     *Unless you emulate the CPU with QEMU and binfmt
  8. High level approach: lightweight VM ("Machine Container")
     •  own process space
     •  own network interface
     •  can run stuff as root
     •  can have its own /sbin/init (different from the host)
  9. Low level approach: chroot on steroids ("Application Container")
     •  can also not have its own /sbin/init
     •  container = isolated process(es)
     •  shares the kernel with the host
  10. Separation of concerns: dev POV
     •  inside my container:
        –  my code
        –  my libraries
        –  my packages
        –  my app
        –  my data
  11. Separation of concerns: ops POV
     •  outside the container:
        –  logging
        –  remote access
        –  network configuration
        –  monitoring
  12. How does it work? Isolation with namespaces
     •  pid
     •  mnt
     •  net
     •  uts
     •  ipc
     •  user
  13. pid namespace
     user@dockerhost:~$ ps aux | wc -l
     212
     user@dockerhost:~$ docker run -it ubuntu bash
     root@1b55513ade2e:/# ps aux
     USER  PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
     root    1  0.0  0.0 18044 1956 ?   S    02:54 0:00 bash
     root   16  0.0  0.0 15276 1136 ?   R+   02:55 0:00 ps aux
     •  only 2 processes, bash and ps
     •  bash is pid 1
  14. mnt namespace
     user@dockerhost:~$ wc -l /proc/mounts
     32 /proc/mounts
     user@dockerhost:~$ docker run -it ubuntu bash
     root@1b55513ade2e:/# wc -l /proc/mounts
     10 /proc/mounts
  15. net namespace
     user@dockerhost:~$ docker run -it ubuntu ip addr
     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
         inet 127.0.0.1/8 scope host lo
            valid_lft forever preferred_lft forever
         inet6 ::1/128 scope host
            valid_lft forever preferred_lft forever
     22: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
         link/ether 2a:d1:4b:7e:bf:b5 brd ff:ff:ff:ff:ff:ff
         inet 10.1.1.3/24 brd 10.1.1.255 scope global eth0
            valid_lft forever preferred_lft forever
         inet6 fe80::28d1:4bff:fe7e:bfb5/64 scope link
            valid_lft forever preferred_lft forever
  16. uts namespace
     user@dockerhost:~$ hostname
     dockerhost
     user@dockerhost:~$ docker run -it ubuntu bash
     root@1b55513ade2e:/# hostname
     1b55513ade2e
     user@host:~$ docker run -it -h containerhost ubuntu bash
     root@containerhost:/# hostname
     containerhost
  17. user namespace
     •  kernel 3.12+, not yet in docker
     •  Will look like:
        UID 0→1999 in container C1 is mapped to UID 10000→11999 on the host
        UID 0→1999 in container C2 is mapped to UID 12000→13999 on the host
        etc…
     •  What about volumes? Probably one docker-root user in all containers
  18. How does it work? Isolation with cgroups
     •  memory
     •  cpu
     •  cpuset
     •  blkio
     •  devices
     •  …
  19. memory cgroup
     Limit the memory that can be used by a container.
     user@dockerhost:~$ docker run -m 512m ubuntu bash
     user@dockerhost:~$ docker run --memory 1g ubuntu bash
  20. cpu & cpuset cgroups
     cpu: Limit the share of CPU a container can use (% of your CPUs)
     user@dockerhost:~$ docker run -c 30 ubuntu bash
     user@dockerhost:~$ docker run --cpu-shares 15 ubuntu bash
     cpuset: Set on which core you want to run
     Not yet in docker, soon with -o / --opts
  21. How does it work? Copy-on-write storage
     •  unioning filesystems
        –  AUFS, overlayFS
     •  snapshotting filesystems
        –  BTRFS, ZFS
     •  copy-on-write block devices
        –  Thin snapshots with LVM or device-mapper
  22. Compute efficiency: almost no overhead
     •  Process isolation
        –  but processes run straight on the host
     •  CPU performance
        –  equal to native performance
     •  Memory performance
        –  small overhead for (optional) accounting
     •  Network performance
        –  small overhead, can be reduced to zero
  24. Classic: hello world
     •  Get one base image (ubuntu, centos, busybox, …)
        $> docker pull ubuntu
     •  List images on your system
        $> docker images
     •  Display hello world
        $> docker run ubuntu:12.10 echo "hello world"
  25. Detached mode
     •  Run docker using the detach flag (-d)
        $> docker run -d busybox ping google.com
     •  Get the container's id
        $> docker ps
     •  Attach to the container
        $> docker attach <container_id>
     •  Stop/Start/Restart the container
        $> docker stop/start/restart <container_id>
  26. Containers vs Images
     •  Remove a file from an image
        $> docker run busybox rm /etc/passwd
     •  The file is still there??
        $> docker run busybox cat /etc/passwd
     •  Commit the changes
        $> docker ps -n=2   # get the container's id
        $> docker commit <id> broken-busybox
     •  The file is gone
        $> docker run broken-busybox cat /etc/passwd
  27. Public index & Network
     •  Pull an apache image from the public index
        $> docker search apache
        $> docker pull creack/apache2
     •  Run the image and check the ports
        $> docker run -d creack/apache2
        $> docker ps
     •  Expose public ports
        $> docker run -d -p 8888:80 -p 4444:443 creack/apache2
        $> docker ps
  28. Creating your 1st app: the interactive way
     •  Using docker in interactive mode
        $> docker run -i -t ubuntu bash
        root@82c63ee50c3d:/# apt-get update
        root@82c63ee50c3d:/# apt-get install memcached -y
        root@82c63ee50c3d:/# exit
     •  Commit the image
        $> docker commit `docker ps -q -l` vieux/memcached
     •  Start the image
        $> docker run -d -p 11211 -u daemon vieux/memcached memcached
  29. Creating your 1st app: the boring way
     •  Using run / commit
        $> docker run ubuntu apt-get update
        $> ID=$(docker commit `docker ps -l -q`)
        $> docker run $ID apt-get install memcached -y
        $> docker commit `docker ps -q -l` vieux/memcached
     •  Start the image
        $> docker run -d -p 11211 -u daemon vieux/memcached memcached
  30. Creating your 1st app: the scripted way
     •  Write a Dockerfile
        # Memcache
        FROM ubuntu:12.10
        MAINTAINER Victor Vieux <[email protected]>
        RUN apt-get update
        RUN apt-get install memcached -y
        ENTRYPOINT ["memcached"]
        USER daemon
        EXPOSE 11211
     •  Build the image
        $> docker build -t vieux/memcached .
     •  Start the image
        $> docker run -d vieux/memcached
  32. Registry
     •  https://github.com/dotcloud/docker-registry
     •  Open source, written in Python
     •  Manages the actual image files.
     •  Multiple storage backends:
        –  Local
        –  S3
        –  Google Cloud Storage
        –  etc…
  33. How to use a private registry
     $> docker push <namespace>/<name>
     •  Docker uses the namespace to know where to push: if the namespace is a URL, it pushes to that URL
        # push <image> in the namespace <namespace> to the index
        $> docker push <namespace>/<name>
        # push <name> to your private registry <url>
        $> docker push <url>/<name>
     •  Same mechanism for docker pull
  34. Example: push busybox to your registry
     # Add a new name (tag) to the busybox image
     $> docker tag busybox my.registry.com:5000/busybox
     # Push the image to your registry
     $> docker push my.registry.com:5000/busybox
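The rule from the two slides above (a first path component that looks like a host is a private registry, anything else is a namespace on the index) decides which server receives an image, so it is worth seeing it written out. This is an added example, not code from the talk or from Docker; the host rule (dot, colon, or "localhost") is the one the Docker client applies, while the PUBLIC_INDEX hostname and the function names are this example's assumptions.

```python
from dataclasses import dataclass

PUBLIC_INDEX = "index.docker.io"  # assumption: host of the public index


@dataclass(frozen=True)
class ImageRef:
    registry: str   # host[:port] that docker push/pull talks to
    namespace: str  # user/org on the index; 'library' for bare names
    name: str
    tag: str


def looks_like_host(component: str) -> bool:
    """A registry URL has a dot or a port, or is 'localhost'; a plain word is a namespace."""
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'host:port/ns/name:tag' (every part optional) the way docker push/pull does."""
    parts = ref.split("/")
    if len(parts) > 1 and looks_like_host(parts[0]):
        registry, path = parts[0], parts[1:]
    else:
        registry, path = PUBLIC_INDEX, parts
    # only the last path component can carry a tag; a ':' in the first
    # component was already consumed as the registry port above
    last = path[-1]
    if ":" in last:
        last, tag = last.rsplit(":", 1)
    else:
        tag = "latest"
    if not last or not tag:
        raise ValueError(f"invalid image reference: {ref!r}")
    namespace = "/".join(path[:-1]) if len(path) > 1 else "library"
    return ImageRef(registry, namespace, last, tag)


def describe_push(ref: str) -> str:
    """Answer 'where will docker push send this?' for one reference."""
    r = parse_image_ref(ref)
    where = "the public index" if r.registry == PUBLIC_INDEX else f"private registry {r.registry}"
    return f"{ref} -> {where}, repository {r.namespace}/{r.name}, tag {r.tag}"
```

Note that "vieux/memcached" and "my.registry.com:5000/busybox" differ only in that first component: a typo there sends the push (and your credentials) to a different host.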
  36. Local development
     •  App running in prod: http://app.vieux.fr/
     •  Build local
        $> docker build -t=app .
     •  Test local
        $> docker run -p 49200:8000 app
        http://localhost:49200
     •  Change some files
     •  Rebuild & test
        $> docker build -t=app .
        $> docker run -p 49200:8000 app
  37. Push to production
     •  Tag the image in order to push it
        $> docker tag app registry.vieux.fr/app
     •  Push the image to the local registry
        $> docker push registry.vieux.fr/app
     •  On the production server, download the image
        $> docker pull registry.vieux.fr/app
     •  Start the new container
        $> docker run -d registry.vieux.fr/app
  38. Seamless update
     •  List running containers
     •  Update the hipache config
        $> docker inspect -f '{{.NetworkSettings.IPAddress}}' <id>
        $> redis-cli lset frontend:app.vieux.fr -1 http://<ip>:<port>
     •  See the changes live: http://app.vieux.fr/
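The seamless update above, written out as a small deployment helper (an added example, not code from the talk, Hipache or Docker): it starts the new container, reads its address with docker inspect, and only replaces the last backend of the frontend:app.vieux.fr list with redis-cli lset after the new container has answered an HTTP request, so traffic never moves to a container that is not up. The function names, the health-check path "/" and the retry timings are this example's own assumptions; the key layout (frontend:<host> is a redis list whose first element is an identifier, followed by backend URLs) is Hipache's.

```python
import subprocess
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]  # runs argv, returns trimmed stdout


def run_cmd(argv: List[str]) -> str:
    """Run a command and return its stdout without the trailing newline."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()


def http_ok(url: str, timeout: float = 2.0) -> bool:
    """True when the backend answers GET / with a 2xx status."""
    try:
        with urllib.request.urlopen(url + "/", timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError):
        return False


def wait_healthy(url: str, attempts: int = 20, delay: float = 0.5) -> bool:
    """Give the app time to start before deciding it is broken."""
    for _ in range(attempts):
        if http_ok(url):
            return True
        time.sleep(delay)
    return False


def swap_backend(image: str, host: str, port: int,
                 healthy: Callable[[str], bool] = wait_healthy,
                 run: Runner = run_cmd) -> Dict[str, str]:
    """Start a container from `image`, verify it, then make it the backend of
    the Hipache frontend for `host`. Returns the old URL so the switch can be
    undone with the same `redis-cli lset` if the new version misbehaves."""
    key = f"frontend:{host}"  # Hipache list: [identifier, backend-url, ...]
    container = run(["docker", "run", "-d", image])
    ip = run(["docker", "inspect", "-f", "{{.NetworkSettings.IPAddress}}", container])
    new_url = f"http://{ip}:{port}"
    if not healthy(new_url):
        # never switch traffic to a container that does not answer: the
        # current backend keeps serving and the broken one is stopped
        run(["docker", "stop", container])
        raise RuntimeError(f"container {container} failed its health check")
    old_url = run(["redis-cli", "lindex", key, "-1"])
    # Hipache looks the list up in redis, so the new backend takes over
    # immediately, without restarting the proxy
    run(["redis-cli", "lset", key, "-1", new_url])
    return {"container": container, "old": old_url, "new": new_url}
```

On the production host this is `swap_backend("registry.vieux.fr/app", "app.vieux.fr", 8000)`; the `run` parameter exists so the command sequence can be exercised without docker or redis present.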
  40. Docker: the community
     •  11000+ GitHub stars
     •  400+ Contributors
     •  ~50% of all commits made by external contributors
     •  1800+ GitHub forks
     •  260k+ index pulls
     •  and counting…
  41. Docker: the future
     •  0.11, and then 1.0 around the corner...
     •  Supports AUFS, BTRFS and device-mapper as storage drivers, more to come… (ZFS?, OverlayFS?)
     •  Supports our native Go implementation and LXC as execution drivers, more to come... (systemd-nspawn?)
     •  Stable plugins (as containers?) API
     •  Introspection