eric-windisch
Introduction to using Docker for dev, testing, and deployment. Covering best practices for image building, to advice for simple and complicated CI configurations, through to orchestrating and running images in production.
19 Months Later: An Incredible Platform and Ecosystem
Official Repos & 14K+ Dockerized Apps
Community: 640+ Contributors, 250+ Meetups on Docker, 2.75M Downloads, 6.7K Projects on GitHub
Support: Enterprise Support, Robust Documentation, Implementation, Integration, Training, Network of Partners
The Docker Platform (diagram): Docker Engine and Docker Hub, to Build, Ship, and Run; Partners, Content, Users
60+ People and a Turtle
Now up to 60+ people (and our pet turtle, Gordon)
…to Build, Ship, and Run (diagram): Build on a Mac/Win dev machine (Boot2Docker) from source and a Dockerfile in a source code repository; Ship through Docker Hub (public, curated and private registries; Docker Hub API; third-party tools; users, collaboration, provenance, policy) to test and QA; Run on physical, virtual (VMs) or cloud hosts (GCE, RAX, IBM), each a Linux OS running Docker containers (e.g. an analytics DB), with infrastructure management across dev, QA, staging and production.
Deploy services reliably & consistently
• If it works locally, it will work on the server
• With exactly the same behavior
• Regardless of versions
• Regardless of distros
• Regardless of dependencies
Better! Faster! Stronger!
Traditional vs. Containerized (diagram): a traditional stack runs process (n) inside VM (n) on hardware; a containerized stack runs "contained" process (n) directly on hardware, or inside VM (n) on hardware.
Traditional Host
syslogd nginx backup-agent sshd
Dockerized Host
syslogd nginx backup-agent sshd
a security product?
• Docker Engine can be used as a security product.
• It provides a wrapper around processes
• Provides a path toward attestation of arbitrary processes (Trusted Compute)
• You can use VMs to wrap containers (and you can use containers inside of VMs)
Dockerized Host (syslogd nginx backup-agent sshd), golden image:
FROM ubuntu
# one image with every service baked in (the "golden image" approach)
# apt package names: amanda-client for the backup agent, openssh-server for sshd
RUN apt-get update && apt-get install -y \
    rsyslog nginx amanda-client openssh-server
Dockerized Host (syslogd nginx backup-agent sshd), one image per service:
syslog image:
FROM ubuntu
RUN apt-get update && apt-get install -y rsyslog
nginx image:
FROM fedora:f20
RUN yum install -y nginx
backup-agent image:
FROM ubuntu
# amanda-client is the apt package for the Amanda backup agent
RUN apt-get update && apt-get install -y amanda-client
sshd image:
FROM debian
# openssh-server is the apt package that provides sshd
RUN apt-get update && apt-get install -y openssh-server
Do it!
‣ Build an image
‣ Run it locally
‣ Push it to a registry (public or private)
‣ Run it (automatically!) in CI/CD and staging
‣ Run it in production
It’s an image builder.
Anatomy of a chef-container run (diagram): Stage 1 (Build): Docker creates a container from a base image (Linux + Chef); Chef runs and configures it, and the build creates the resulting image. Stage 2 (Run): Docker initiates a container from that image; Chef runs and configures it.
Do it!
‣ Build an image
‣ Run it locally
‣ Push it to a registry (public or private)
‣ Run it (automatically!) in CI/CD and staging
‣ Run it in production
docker run -t -i --rm=true my-image
Legend: -t = allocate tty; -i = interactive; --rm = remove ephemeral filesystem when exiting
docker ps
Do it!
‣ Build an image
‣ Run it locally
‣ Push it to a registry (public or private)
‣ Run it (automatically!) in CI/CD and staging
‣ Run it in production
docker push user/image
Do it!
‣ Build an image
‣ Run it locally
‣ Push it to a registry (public or private)
‣ Run it (automatically!) in CI/CD and staging
‣ Run it in production
CI services…
and others…?
$ ID=$(docker build -q "$app_dir")
$ docker run --rm=true "$ID"
$ echo $?
fig - local orchestration
fig.yml:
web:
  build: .
  command: python app.py
  ports:
    - "5000:5000"
  volumes:
    - .:/code
  links:
    - redis
redis:
  image: orchardup/redis
$ ls
Dockerfile fig.yml src
$ docker run --privileged -v "$(pwd)":/opt/figapp \
    ewindisch/figleaf
$ echo $?
Legend: --privileged = run "uncontained". A permissive "firewall", if you will. -v = provide volume or bind-mount filesystem into container (bind mounts need an absolute host path)
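The build-then-run check shown above, written out as a small CI step. This is an added example, not code from the original slides: it assumes the application directory holds a Dockerfile whose default command runs the test suite, that docker build -q prints only the resulting image ID, and it uses hypothetical function names (ci_build_image, ci_run_tests, ci_test_app). The container's exit status is the test verdict, and --rm=true keeps the CI host from accumulating stopped containers.

```sh
#!/bin/sh
# Added example (not from the original slides): build an image from an app
# directory, run its default command once, and report the exit status.
# Assumptions: the directory contains a Dockerfile whose CMD runs the tests;
# `docker build -q` prints only the image ID.

set -u

# Build the image and print its ID; the build's own exit status propagates.
ci_build_image() {
    app_dir=$1
    docker build -q "$app_dir"
}

# Run the image once, discarding the container on exit, and return the
# exit status of the process inside it.
ci_run_tests() {
    image=$1
    docker run --rm=true "$image"
}

# Full CI step: build, run, print a verdict, and exit with the test status
# (2 if the build itself failed) so the CI service can fail the job.
ci_test_app() {
    app_dir=$1
    image=$(ci_build_image "$app_dir") || { echo "build failed for $app_dir"; return 2; }
    status=0
    ci_run_tests "$image" || status=$?
    if [ "$status" -eq 0 ]; then
        echo "PASS $image"
    else
        echo "FAIL $image (exit $status)"
    fi
    return "$status"
}

# Usage: sh ci-test.sh ./my-app
if [ "${1:-}" != "" ]; then
    ci_test_app "$1"
fi
```

The script works with any CI service that treats a non-zero exit as a failed job; the daemon it talks to is whatever the docker client on the CI host is configured for.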
Do it!
‣ Build an image
‣ Run it locally
‣ Push it to a registry (public or private)
‣ Run it (automatically!) in CI/CD and staging
‣ Run it in production
$ docker run -t -i \
    --rm=false \
    --restart=on-failure:5 busybox
Legend: --restart = restart policy on exit (no, on-failure[:max-retry], always); --rm must be false for a restart policy to make sense
Managing Docker at scale
Creating Containers is Easy
Managing them SUCKS
needs improvement
Management Ecosystem
Mesos
Flynn, Clocker, ClusterHQ
PaaS ecosystem
Configuration / Infrastructure Management
• Chef
• Puppet
• Salt
• Ansible
• CFEngine
• etc…
Container Inventory
• discoverd / sdutil
• serf
• skydock
• others?
Docker Remote API
• By default the Docker daemon listens on unix:///var/run/docker.sock
• Can listen on a TCP socket with TLS 1.0+. Plain-text is also possible, but do not use it! (enabled by default with boot2docker)
• Used by various community tools: fig, vagrant, ansible, etc.
POST /containers/create HTTP/1.1
Content-Type: application/json

{
  "Hostname": "",
  "Domainname": "",
  "User": "",
  "Memory": 0,
  "MemorySwap": 0,
  "Env": null,
  "Cmd": ["date"],
  "Image": "base",
  "Volumes": {"/tmp": {}},
  "WorkingDir": "",
  "NetworkDisabled": false,
  "ExposedPorts": {"22/tcp": {}},
  "RestartPolicy": {"Name": "always"}
}

HTTP/1.1 201 Created
Content-Type: application/json

{
  "Id": "e90e34656806",
  "Warnings": []
}
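The create call above, driven from the shell with curl, picking the endpoint the way the docker client does: the unix socket unless DOCKER_HOST says otherwise, TLS client certificates for a tcp:// host, and a plain-text tcp:// host refused outright. This is an added example, not from the original slides or the Docker project; it assumes curl 7.40 or later (for --unix-socket), that DOCKER_TLS_VERIFY=1 and DOCKER_CERT_PATH follow the docker client's conventions (ca.pem, cert.pem, key.pem), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original slides): call the Docker Remote API
# with curl. Endpoint selection mirrors the docker client: unix socket by
# default, TLS for tcp:// hosts, plain-text TCP refused.
# Assumptions: curl 7.40+; certificates in $DOCKER_CERT_PATH named ca.pem,
# cert.pem and key.pem (the docker client's own file names).

# Print the curl options plus URL prefix for the configured daemon, or fail.
docker_api_target() {
    host=${DOCKER_HOST:-unix:///var/run/docker.sock}
    case "$host" in
        unix://*)
            echo "--unix-socket ${host#unix://} http://localhost"
            ;;
        tcp://*)
            # A tcp:// daemon without TLS is an unauthenticated root-equivalent
            # API on the network; do not talk to it at all.
            if [ "${DOCKER_TLS_VERIFY:-}" != "1" ]; then
                echo "refusing plain-text TCP endpoint $host; set DOCKER_TLS_VERIFY=1" >&2
                return 1
            fi
            certs=${DOCKER_CERT_PATH:-$HOME/.docker}
            echo "--cacert $certs/ca.pem --cert $certs/cert.pem --key $certs/key.pem https://${host#tcp://}"
            ;;
        *)
            echo "unsupported DOCKER_HOST: $host" >&2
            return 1
            ;;
    esac
}

# Build the JSON body for POST /containers/create from an image and a command.
# Arguments are assumed not to contain double quotes (no JSON escaping here).
container_create_body() {
    image=$1; shift
    cmd=""
    for arg in "$@"; do
        cmd="$cmd${cmd:+, }\"$arg\""
    done
    printf '{"Image": "%s", "Cmd": [%s], "RestartPolicy": {"Name": "always"}}' "$image" "$cmd"
}

# Pull the "Id" field out of the 201 Created response body.
container_id_from_response() {
    printf '%s' "$1" | sed -n 's/.*"Id": *"\([0-9a-f]*\)".*/\1/p'
}

# Create (but do not start) a container and print its ID.
docker_api_create() {
    target=$(docker_api_target) || return 1
    body=$(container_create_body "$@")
    # $target is expanded unquoted on purpose: it carries several curl options
    # and ends with the URL prefix, to which the API path is appended.
    response=$(curl -sS -X POST -H 'Content-Type: application/json' \
        --data "$body" $target/containers/create) || return 1
    container_id_from_response "$response"
}

# Usage: sh docker-api.sh base date
if [ "${1:-}" != "" ]; then
    docker_api_create "$@"
fi
```

With the default unix socket, access control is the file permission on /var/run/docker.sock; with a TLS endpoint it is possession of a client certificate signed by the daemon's CA. Neither exists for a plain-text tcp:// listener, which is why the function refuses it instead of warning.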
Containers
• List containers
• Create a container
• Inspect a container
• List processes running inside a container
• Get container logs
• Inspect changes on a container's filesystem
• Export a container
• Resize a container TTY
• Start a container
• Stop a container
• Restart a container
• Kill a container
• Pause a container
• Unpause a container
• Attach to a container
• Wait a container
• Remove a container
• Copy files or folders from a container
Images
• List Images
• Create an image
• Inspect an image
• Get the history of an image
• Push an image on the registry
• Tag an image into a repository
• Remove an image
• Search images
Misc
• Build an image from Dockerfile via stdin
• Check auth configuration
• Display system-wide information
• Show the docker version information
• Ping the docker server
• Create a new image from a container's changes
• Monitor Docker's events
• Get a tarball containing all images in a repository
• Get a tarball containing all images
• Load a tarball with a set of images and tags into docker
• Image tarball format
• Exec Create
• Exec Start
• Exec Resize
Q & A
@ewindisch