Dockers zero to hero


DESCRIPTION

Presentation of how Docker is used, from level 0 "I play with it on my workstation" up to the Docker Hero level "I run it in production". This talk follows on from @dgageot's intro and therefore does not include the "what is Docker?" introduction.

Text of Dockers zero to hero

  • 1. @ndeloof
  • 2. Who are you?!! Dev / Integration/Test / Acceptance / Qualif / Sysadmin / Ops
  • 3. level 0
  • 4. DEV: Exact reproduction of the target environment!!!!
  • 5. Not on Linux?
  • 6. DEV: Quickly get third-party tools up and running
  • 7. level 1
  • 8. Test: Define build / test infra in your SCM
  • 9. QA: Quickly get a low-cost iso-production environment
  • 10. level 2
  • 11. Dev/Ops: a WAR archive is NOT what a sysadmin expects as a delivery!!
  • 12. best DevOps tool so far (imho)
  • 13. Separation of concern: inside the container /var/log/myapp !!! on the host /mnt/backup/myapp/log
  • 14. Separation of concerns: inside the container /var/log/myapp (VOLUME) !!! on the host /mnt/backup/myapp/log
  • 15. Ops: Manage hardware / infrastructure, monitoring / backups - not the apps' implementation details
  • 16. Dev: Develop the simplest possible solution. Configuration is a runtime constraint - not an extra-extra-flexible application!! new WebServer().start(8080);
  • 17. level 3
  • 18. Continuous Delivery: 100% reproducible environments. docker build . to replace mvn install. Dockerfile: build the WAR from sources; Dockerfile: run the acceptance test suite; Dockerfile: build the deployable container (COPY); docker run
  • 19. Continuous Delivery
  • 20. Why?! Cloud! devices (more to come soon!) on-premises
  • 21. docker@Cloud: build and deploy PaaS!!!! binaries-based PaaS
  • 22. Google and Containers: "Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Each week we launch more than 2 billion container instances across our global data centers, and the power of containers has enabled both more reliable services and higher, more-efficient scalability." http://googlecloudplatform.blogspot.fr/2014/06/an-update-on-container-support-on-google-cloud-platform.html
  • 23. Google Managed VM: Compute Engine (your VM), Managed VM (your docker image), App Engine (your app on the App Engine runtime); flexibility vs management
  • 24. Bonus: Codegde-in
  • 25. level 4
  • 26. New architectures
  • 27. Divide and conquer: Stop the monoliths!!!!!!!!
  • 28. Divide and conquer: embrace micro-services the unix way: domain focussed, quick release cycles, segregate resources!! http://yobriefca.se/blog/2013/04/29/micro-service-architecture/
  • 29. Micro-services with Docker: LINK
  • 30. sample: syslog (host: rsyslog, /dev/log, /tmp/syslogdev; container: logger "hello", /dev/log) http://jpetazzo.github.io/2014/08/24/syslog-docker/
  • 31. Lifetime: a server or a VM: months, or even more! A container (or several): sometimes just a few minutes!
  • 32. Immutable infrastructures
  • 33. Upgrades! Application upgrade = build of a new image
  • 34. What about CM?
  • 35. pimp my Dockerfile: Dockerfile BUILD chef-solo; Dockerfile COPY /cookbooks
  • 36. Orchestrate Docker: load balancer, webapp, webapp, cache, monitoring, database, replica. Ansible playbook:
      - hosts: web
        sudo: yes
        tasks:
          - name: run tomcat servers
            docker: image=webapp ports=8080
  • 37. level 5
  • 38. In PROD, yes, really
  • 39. Ops is cool now! #o
  • 40. #Sexist you said?
  • 41. CoreOS: minimal host system (160Mb RAM), cluster-ready, service discovery (etcd), cgroup + systemd, boot in ~ seconds
  • 42. Apache Mesos
  • 43. Kubernetes: schedule state, N replicas for a service, pod = containers tied together, service discovery & routing!
  • 44. and (lots) more orchestration: Kubelet, maestro-ng, Shipper, Fleet, Helios, Centurion
  • 45. Orchestration config samples:
      images:
        - name: jenkins_master
          source: ryfow/jenkins:0.2
          type: Default
          ports:
            - host_port: '9080'
              container_port: '8080'
              proto: TCP
          volumes:
            - host_path: "/var/jenkins"
              container_path: "/var/jenkins_home"
        - name: jenkins_slave_1
          source: ryfow/docker-jenkins-slave:0.2
          type: Default
          links:
            - service: jenkins_master
              alias: jenkins
          environment:
            - variable: SLAVE_NAME
              value: slave1

      {"containers": [
        {"name": "rockmongo", "count": 1, "image": "openshift/centos-rockmongo",
         "publicports": [{"internal": 80, "external": 6060}],
         "links": [{"to": "mongodb"}]},
        {"name": "mongodb", "count": 1, "image": "openshift/centos-mongodb",
         "publicports": [{"internal": 27017}]}
      ]}

      name: demo
      registries:
        my-private-registry:
          registry: https://my-private-registry/v1/
      ships:
        vm1.ore1: {ip: c414.ore1.domain.com}
        vm2.ore2: {ip: c415.ore2.domain.com, docker_port: 4243}
      services:
        zookeeper:
          image: zookeeper:3.4.5
          instances:
            zk-1:
              ship: vm1.ore1
              ports: {client: 2181, peer: 2888, leader_election: 3888}
              volumes:
                /var/lib/zookeeper: /data/zookeeper
              limits:
                memory: 1g
                cpu: 2
  • 46. Distribute Docker images: Docker Hub, private registry, run your own internal registry (docker image), Docker load/save with CM, Dogistry / s3
  • 47. Monitoring: collect cgroup metrics, cAdvisor, dedicated docker plugin, LogScape
  • 48. What about Data?
  • 49. flocker
  • 50. Container live migration
  • 51. level 5
  • 52. security
  • 53. container security: Containers are NOT secured!!!!!!! http://blog.docker.com/2014/07/new-dockercon-video-docker-security-renamed-from-docker-and-selinux/
  • 54. do you care? Treat containers like regular services! Drop privileges as soon as possible; run as non-root as much as possible; treat root within the container as root on the host; don't run untrusted containers
  • 55. drop capabilities: capabilities - overview of Linux capabilities. Description: For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list). Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. CAP_NET_ADMIN, CAP_SYS_ADMIN, ...
  • 56. User NameSpace: map a non-root user to root within the container
  • 57. AppArmor/SELinux http://stopdisablingselinux.com/
  • 58. Multi Category Security (MCS): protect containers from each other
  • 59. level 42: Docker Hero
  • 60. what's next
  • 61. disclaimer
  • 62. de facto standard: adoption both for Cloud and on-premises!!!!!
  • 63. Extensibility: alt. backends (AUFS is not an approved linux patch): devicemapper, BTRFS, ZFS! Alt. implementations: Solaris Zones, BSD Jails
  • 64. Tooling
  • 65. Orchestration
  • 66. security: signature & authorization
  • 67. Config Management: Chef/Puppet/Salt/Ansible vs Docker
  • 68. Q?
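The "do you care?" checklist (slide 54), the capability dropping of slide 55 and the log-volume split of slides 13/14 can be turned into a concrete `docker run` invocation and a check that rejects command lines which skip it. This is an added example, not part of the slides; the image name "myapp", the unprivileged uid 1000 and the `audit_run_args` helper are assumptions, and the app listens on 8080 as in slide 16, so no capability has to be added back.

```shell
#!/bin/sh
# Added example: hardened `docker run` argument list for the checklist above.
# Nothing is executed; the functions only build and audit command lines.

# Weak form: root inside the container, the full default capability set,
# a writable image filesystem, and logs that disappear with the container.
weak_run_args() {
    printf '%s' "docker run -d -p 80:8080 $1"
}

# Hardened form: one flag per item of the checklist.
hardened_run_args() {
    args="docker run -d"
    args="$args --user 1000:1000"                         # run as non-root (slide 54); uid is hypothetical
    args="$args --cap-drop=ALL"                           # drop every capability (slide 55); add back only what is needed, e.g. --cap-add=NET_BIND_SERVICE to bind a port < 1024
    args="$args --read-only"                              # image filesystem stays immutable (slide 32)
    args="$args -v /mnt/backup/myapp/log:/var/log/myapp"  # logs live on the host (slides 13/14)
    args="$args -p 80:8080 $1"
    printf '%s' "$args"
}

# Returns 0 when a `docker run` command line satisfies the checklist,
# otherwise prints the missing or forbidden items and returns 1.
audit_run_args() {
    missing=""
    case "$1" in *--user*|*"-u "*) ;; *) missing="$missing non-root-user" ;; esac
    case "$1" in *--cap-drop=ALL*|*"--cap-drop ALL"*) ;; *) missing="$missing cap-drop-all" ;; esac
    case "$1" in *--privileged*) missing="$missing privileged-forbidden" ;; esac
    [ -z "$missing" ] && return 0
    echo "checklist failed:$missing"
    return 1
}

# Demo: show both forms and audit them.
echo "weak:     $(weak_run_args myapp)"
audit_run_args "$(weak_run_args myapp)" || true
echo "hardened: $(hardened_run_args myapp)"
audit_run_args "$(hardened_run_args myapp)" && echo "checklist satisfied"
```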