Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Providing and Supporting Docker Images

Philipp Krenn
November 14, 2018
Programming
2
630

Providing and Supporting Docker Images

Docker is eating the world. If you want to be taken seriously, you need to provide containers to your users. It's easy — everybody is uploading containers to Docker Hub, right? Unfortunately, reality is never as easy as it sounds at first. This talk gives an overview of Elastic's ongoing journey to providing official Docker containers:
* Docker Hub: What "official" really means and why we are using our own registry.
* Base image: Just use Alpine — it is small and the perfect fit for containers. We tried that and reconsidered...
* Release policy: What do you actually get in a specific tag and how are we releasing our images?
* Support: Combine two complex systems like Elasticsearch and Docker — and you will get a lot of questions.
* Orchestration: Our current approach for orchestration and how we are treating feature requests.

Philipp Krenn

November 14, 2018
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.9k
360° Monitoring of Your Microservices
xeraa
7
3.2k
Scale Your Metrics with Elasticsearch
xeraa
4
120
YAML Considered Harmful
xeraa
0
1.9k
Scale Your Elasticsearch Cluster
xeraa
1
260
Hands-On ModSecurity and Logging
xeraa
2
120
Centralized Logging Patterns
xeraa
1
920
Dashboards for Your Management with Kibana Canvas
xeraa
1
440
Make Your Data FABulous
xeraa
3
750

Other Decks in Programming

See All in Programming
Java 22 Overview
kishida
1
170
Tailwind CSSを本気でカスタマイズする方法
fsubal
1
120
PostmanでAPIの動作確認が楽になった話
h455h1
0
120
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
220
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
Doctrine ORMでValue Objectを扱う方法4選 #phpstudy / 4 ways to handle Value Objects with Doctrine ORM
77web
4
110
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
430
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
110
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
39
18k
本格ローグライク制作にEbitengineを選んでみた
nagainaganawa
0
290
try! Swift Tokyo 2024のLT枠に採択されたプロポーザルを出すときに考えていたこと
ski
0
340

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1355
200k
Making the Leap to Tech Lead
cromwellryan
123
8.5k
Documentation Writing (for coders)
carmenintech
59
3.9k
Code Reviewing Like a Champion
maltzj
513
39k
How to Ace a Technical Interview
jacobian
272
22k
Gamification - CAS2011
davidbonilla
76
4.6k
Building Adaptive Systems
keathley
30
1.8k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
38k
YesSQL, Process and Tooling at Scale
rocio
163
13k
Statistics for Hackers
jakevdp
789
220k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
Unsuck your backbone
ammeep
662
57k

Transcript

  1. Offizielle Docker Images ein Erfahrungsbericht Philipp Krenn̴̴̴̴@xeraa

  2. Infrastructure | Developer

  3. Who uses Docker?

  4. Who uses Docker in production?

  5. Who uses stateful Docker images?

  6. Who uses our images?

  7. Who uses our stack with other images?

  8. Docker: the world's most heavily funded college project Internal quote

    from Slack
  9. None

  10. Content "Official" Base Images Release Policy Security & Stability Customization

    Orchestration

  11. Docker Hub "official"

  12. What do you get? docker pull elasticsearch:X Same for Kibana

    and Logstash

  13. It's Complicated Docker Inc Deprecated Replicated

  14. None
  15. None
  16. None

  17. Custom Registry docker.elastic.co

  18. I’m surprised more people don’t just host their own container

    registries since doing that is faster than every cloud offering and docker hub https://twitter.com/jessfraz/status/978449365261082625

  19. Our Motivation Download statistics Speed & reliability

  20. None

  21. https://www.docker.elastic.co

  22. Problems Some broken tooling like automated builds, Kitematic,... China IPv6

  23. None

  24. https://hub.docker.com/r/elastic/ elasticsearch/ kibana/ *beat/ logstash/ apm-server/

  25. Base Images

  26. Elasticsearch Alpine

  27. Kibana̴Beats̴Logstash Ubuntu

  28. Common base image in 5.4+ CentOS 7

  29. https://github.com/elastic/elasticsearch-docker/blob/master/templates/Dockerfile.j2 FROM centos:7 AS prep_es_files ENV PATH /usr/share/elasticsearch/bin:$PATH RUN curl

    -s https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz | \ tar -C /opt -zxf - ENV JAVA_HOME /opt/jdk-11.0.1 RUN groupadd -g 1000 elasticsearch && \ adduser -u 1000 -g 1000 -d /usr/share/elasticsearch elasticsearch

  30. Upside Similar setup Shared layers JVM large anyway

  31. None

  32. Downside Size

  33. $ docker images REPOSITORY TAG IMAGE ID SIZE docker.elastic.co/kibana/kibana 6.5.0

    fcc1f039f61c 727MB docker.elastic.co/elasticsearch/elasticsearch 6.5.0 ff171d17e77c 774MB docker.elastic.co/beats/filebeat 6.5.0 aee067f4a241 299MB docker.elastic.co/kibana/kibana 6.2.4 327c6538ba4c 933MB docker.elastic.co/elasticsearch/elasticsearch 6.2.4 7cb69da7148d 515MB docker.elastic.co/beats/filebeat 6.2.4 26a00abcde82 319MB docker.elastic.co/kibana/kibana 5.6.13 59fcc69d2cc6 653MB docker.elastic.co/elasticsearch/elasticsearch 5.6.13 21673573a265 525MB docker.elastic.co/beats/filebeat 5.6.13 2aec30f6b3fc 284MB docker.elastic.co/kibana/kibana 5.3.3 ffe778f7e489 679MB docker.elastic.co/elasticsearch/elasticsearch 5.3.3 5857f98b5920 165MB docker.elastic.co/beats/filebeat 5.3.3 c01be8a8f630 232MB

  34. 5.3 5.6 6.2 6.5 ES 165MB 525MB 515MB 774MB Kibana

    679MB 653MB 933MB 727MB Filebeat 232MB 284MB 319MB 299MB

  35. Does it matter? stateful vs stateless

  36. What to include?

  37. Single image for 5.x Platinum trial

  38. Three flavors 6.0 to 6.2 Basic*, OSS, Platinum trial *

    Default

  39. Two flavors 6.3+ Basic / Platinum trial*, OSS * Default

  40. Future

  41. Multiple base images?

  42. Windows?!

  43. Release Policy

  44. No :latest

  45. Zombies ideas that should have been killed by evidence, but

    keep shambling along

  46. 6 and 6.4?

  47. What's in a tag? docker.elastic.co/elasticsearch/elasticsearch 5.3.3 5857f98b5920 4 months ago

    docker.elastic.co/beats/filebeat 5.3.3 c01be8a8f630 5 months ago docker.elastic.co/kibana/kibana 5.3.3 ffe778f7e489 5 months ago

  48. Currently Overwrite tag

  49. Label Schema LABEL org.label-schema.schema-version="1.0" \ org.label-schema.vendor="Elastic" \ org.label-schema.name="elasticsearch" \ org.label-schema.version="{{

    elastic_version }}" \ org.label-schema.url="https://www.elastic.co/products/elasticsearch" \ org.label-schema.vcs-url="https://github.com/elastic/elasticsearch-docker" \ {% if image_flavor == 'oss' -%} license="Apache-2.0" {% else -%} license="Elastic License" {% endif -%}

  50. Base image & JVM direct dependencies

  51. Future Add image version?

  52. Security & Stability

  53. Run Elasticsearch as root

  54. Cockroaches claims that disappear for a while when proved wrong,

    but just keep on coming back

  55. Mode Production: Clusterable Development: Local network

  56. "Docker" mode discovery.type=single-node

  57. Bootstrap checks are here to stay

  58. 6.0+ no more default credentials

  59. 6.x Security non-trial requires certificates

  60. The container runs Elasticsearch as user elasticsearch using uid:gid 1000:1000.

    https://www.elastic.co/guide/en/elasticsearch/reference/current/ docker.html
  61. None
  62. None
  63. None

  64. Don't mutate the bind mounted local directory

  65. Those who do not understand Unix are condemned to reinvent

    it, poorly. — Henry Spencer

  66. Docker default value? LimitNOFILE & LimitNPROC

  67. infinity https://github.com/moby/moby/commit/ 8db61095a3d0bcb0733580734ba5d54bc27a614d (July 2016)

  68. Test $ docker run --rm centos:7 /bin/bash -c \ 'ulimit

    -Hn && ulimit -Sn && ulimit -Hu && ulimit -Su' 1048576 1048576 unlimited unlimited

  69. Limit for virtual memory? vm.max_map_count

  70. Test $ docker run --rm centos:7 /bin/bash -c \ 'sysctl

    vm.max_map_count' vm.max_map_count = 262144 Must be set on the host

  71. Combine two new systems to get chaos & despair

  72. Docker is a leaky abstraction

  73. None

  74. Customization

  75. Feature Request if [ -f /custom/user_init.sh ] then . /custom/user_init.sh

    fi Or customization through environment variables

  76. No Runtime Mutation

  77. Dockerfile ARG ELASTIC_VERSION FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} RUN bin/elasticsearch-plugin install analysis-phonetic --batch

    ARG ELASTIC_VERSION RUN bin/elasticsearch-plugin install \ https://github.com/spinscale/elasticsearch-ingest-langdetect/releases/download/ ${ELASTIC_VERSION}.1/ingest-langdetect-${ELASTIC_VERSION}.1.zip --batch

  78. Generate Keystore $ docker run -p 9200:9200 -p 9300:9300 -e

    "discovery.type=single-node" \ -v /Users/philipp/Desktop/demo/config/:/usr/share/elasticsearch/config/ \ -it docker.elastic.co/elasticsearch/elasticsearch:6.4.3 /bin/bash [root@1006ed50b646 elasticsearch]# ./bin/elasticsearch-keystore create Created elasticsearch keystore in /usr/share/elasticsearch/config [root@1006ed50b646 elasticsearch]# ./bin/elasticsearch-keystore add test Enter value for test: [root@1006ed50b646 elasticsearch]# exit exit $ cat config/elasticsearch.keystore ??lelasticsearch.keystore?@g?o!?$?K?Lf?w?VAEŠԨm?[?a6?B??? y?,!В}??Ħ?ǣ?AU=?C?:?o? ?W?O8?}U?;p?ӷ???cQ????7?JY? 2A?:???ZUY??2V?9?ϧ??(??0?q\

  79. Mount Keystore (Docker Compose) elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} secrets: - source:

    elasticsearch.keystore target: /usr/share/elasticsearch/config/elasticsearch.keystore

  80. Orchestration

  81. Who uses Kubernetes?

  82. Who uses Swarm?

  83. Who uses Mesos?

  84. Who uses Nomad?

  85. No orchestration yet

  86. Kubernetes 1.8 allows dots in env vars https://github.com/kubernetes/kubernetes/issues/2707

  87. None
  88. None

  89. Kubernetes has made huge improvements in the ability to run

    stateful workloads including databases and message queues, but I still prefer not to run them on Kubernetes. https://twitter.com/kelseyhightower/status/963413508300812295
  90. None

  91. Conclusion

  92. "Docker is disrupting the industry"

  93. "Can I run Elasticsearch on Docker?"

  94. "Should I run Elasticsearch on Docker?"

  95. Even when stateful services do the right things managing state

    is still hard. Mixing stateful and stateless applications on the same cluster elevates the complexity of the entire cluster. Cluster security and upgrades become much harder. https://twitter.com/kelseyhightower/status/963417215608369153

  96. Quick Quiz What do you get?

  97. docker pull elastic/elasticsearch

  98. $ docker pull elastic/elasticsearch Using default tag: latest Error response

    from daemon: manifest for elastic/elasticsearch:latest not found

  99. docker pull logstash:alpine

  100. docker pull metricbeat:6.4.3

  101. $ docker pull metricbeat:6.4.3 Error response from daemon: pull access

    denied for metricbeat, repository does not exist or may require 'docker login'

  102. docker pull elastic/metricbeat:6.4.3

  103. docker pull docker.elastic.co/apm/apm-server:6.4.3

  104. "Aggregierte Logging-Patterns" Tomorrow 15:45 @ Gustav Mahler II

  105. Questions & Discussion Philipp Krenn̴̴̴@xeraa