Docker in Real Life (Docker na Vida Real), Fernando Ike


DESCRIPTION

Presentation on deploying Docker and migrating sites, systems and services: what the difficulties were and which lessons were learned.


  • 1. Docker in Real Life, Fernando Ike
  • 2. Fernando Ike
  • 3. Knowledge
  • 4. Previous architecture
  • 5. Incident (image: "Day 12 Occupy Wall Street September 28 2011 Shankbone 17" by David Shankbone, own work, licensed under Creative Commons Attribution 3.0 via Wikimedia Commons)
  • 6. (image: "Stamps of Russia 2012 No 1559-61 Mascots 2014 Winter Olympics" by Russian Post, Publishing and Trade Centre "Marka"; souvenir sheet designed by O. Shushlebina, scanned by Dmitry Ivanov from a personal collection; public domain)
  • 7. https://scottlinux.com/2013/04/06/wso-web-shell-php-shell-used-by-hackers/
  • 8. Incident: "Askimet" PHP plugin; PHP web shell; injection into web pages
  • 9. Rebuilding...
  • 10. Premises
  • 11. Premises / requirements: isolation of sites/applications; ease of maintenance and migration; ease of generating documentation; portable
  • 12. Isolation (source: http://www.itdestination.com/training/courses/adv-linux/)
  • 13. Isolation / VMs: good documentation; 1 VM per site/application; increased complexity; orchestration (Chef, Puppet, etc.); very well known; higher total cost; easy to document
  • 14. Isolation / containers: a turbocharged chroot; more complex configuration; somewhat known; VServer not supported on the contracted IaaS; relatively easy to document
  • 15. Isolation / containers: a turbocharged chroot; low cost; easy to configure; well known; easy to document; easy maintenance
  • 16. Chosen...
  • 17. Docker: overview. Created in 2013; based on LXC; container versioning; change history; Git-like ($ docker {commit, diff, tag}); Docker Hub; disruptive/revolutionary
  • 18. Ecosystem
  • 19. Installing... Debian: # aptitude install docker.io; Ubuntu: # apt-get install docker.io
  • 20. $ docker run -it php:5.6-apache /bin/bash
  • 21. Dockerfile:
        FROM php:5.6-apache
        # application code into the document root used below
        COPY package /srv/www/app
        # vhost config; the directory Apache reads is sites-enabled (the slide had "sites-enable")
        ADD app_apache.conf /etc/apache2/sites-enabled/app.conf
        WORKDIR /srv/www/app
        # exec form: every element must be a quoted JSON string
        CMD ["/usr/sbin/apache2", "-D", "FOREGROUND"]
  • 22. Container building: $ docker build --rm --no-cache -t=app1 .
  • 23. Container running: # docker run -d -p 80:80 app1
  • 24. Rebuilding... (image: http://www.geograph.org.uk/photo/3263456)
  • 25. New architecture
  • 26. Rebuilding...
  • 27. Services vs. applications. Services: Apache/Nginx; Postgres/MySQL/MongoDB/Memcache; Rails/Django/Symfony/JBoss; Ubuntu/Debian/CentOS; Nginx/Varnish/HAProxy. Applications: Site1 (Apache + Nginx + PHP + Symfony); Site2 (Apache + Nginx + PHP + Symfony); App1 (JBoss + MySQL + RabbitMQ); App2 (Django, Unicorn, Cassandra); App3 (WordPress); App3 (Drupal)
  • 28. Dependencies
  • 29. Dependencies. Composer: dependencies controlled by the "application"; "independent" of the OS; "user friendly" for developers. .deb/.rpm packages: dependencies controlled by the OS; packaged "versions"; security updates from the OS; controlled by the OS
  • 30. https://www.flickr.com/photos/clonedmilkmen/3604999084/in/photostream/
  • 31. Docker and networking: iptables; bridge 172.17.XXX.XXX/16; networking between containers: override /etc/hosts and use the other container's IP
  • 32. Docker and networking:
        $ docker run -d -p 9999:9999 app1
        $ docker run -d -p 9999:9999/udp -p 9999:9999 app1
        $ docker run [...] --name docker [...] --link database:mysql app1
        $ docker run [...] --net="container:CONTAINERID" app2
  • 33. Docker and networking:
        [...]
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     tcp  --  0.0.0.0/0            172.17.0.83          tcp dpt:80
        ACCEPT     tcp  --  0.0.0.0/0            172.17.0.83          tcp dpt:25
        ACCEPT     udp  --  0.0.0.0/0            172.17.0.73          udp dpt:53
        ACCEPT     tcp  --  0.0.0.0/0            172.17.0.73          tcp dpt:53
        ACCEPT     tcp  --  172.17.0.2           172.17.0.6           tcp spt:5432
        ACCEPT     tcp  --  172.17.0.6           172.17.0.2           tcp dpt:5432
        [...]
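The FORWARD chain on slide 33 is what `-p` publishing (slide 32) leaves behind: Docker inserts ACCEPT rules from 0.0.0.0/0 directly into FORWARD, so a host firewall policy written for the INPUT chain never sees that traffic, which is the "OS with many firewall rules" pain point from slides 39 and 41. The following is an added example, not code from the talk: it parses that chain (re-typed here as constructed sample input) and flags published container ports outside an intended allowlist; the allowlist and the bridge prefix are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample input: the FORWARD chain from the slide, as `iptables -L FORWARD -n` prints it.
FORWARD_CHAIN = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.83          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.83          tcp dpt:25
ACCEPT     udp  --  0.0.0.0/0            172.17.0.73          udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.73          tcp dpt:53
ACCEPT     tcp  --  172.17.0.2           172.17.0.6           tcp spt:5432
ACCEPT     tcp  --  172.17.0.6           172.17.0.2           tcp dpt:5432
"""

Rule = namedtuple("Rule", "target proto src dst port_kind port")
PORT_RE = re.compile(r"\b(dpt|spt):(\d+)\b")


def parse_forward_chain(text):
    """Parse `iptables -L -n` output for one chain into Rule tuples (header lines skipped)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue
        match = PORT_RE.search(" ".join(parts[5:]))
        kind, port = (match.group(1), int(match.group(2))) if match else (None, None)
        rules.append(Rule(parts[0], parts[1], parts[3], parts[4], kind, port))
    return rules


def public_exposures(rules):
    """Container ports accepted from any source. Docker's -p adds these to FORWARD,
    so the host's INPUT rules do not apply to them."""
    return [(r.dst, r.proto, r.port) for r in rules
            if r.target == "ACCEPT" and r.src == "0.0.0.0/0" and r.port_kind == "dpt"]


def unexpected_exposures(rules, allowed):
    """Published ports whose (proto, port) is not in the intended allowlist."""
    return [e for e in public_exposures(rules) if (e[1], e[2]) not in allowed]


def inter_container_links(rules, bridge_prefix="172.17."):
    """Rules between two bridge addresses, i.e. what --link produced (here the Postgres link)."""
    return [(r.src, r.dst, r.proto, r.port) for r in rules
            if r.src.startswith(bridge_prefix) and r.dst.startswith(bridge_prefix)]


if __name__ == "__main__":
    rules = parse_forward_chain(FORWARD_CHAIN)
    # Assumed allowlist: only HTTP on the web container and DNS on the resolver are meant to be public.
    for dst, proto, port in unexpected_exposures(rules, {("tcp", 80), ("udp", 53), ("tcp", 53)}):
        print(f"unexpected published port: {proto}/{port} -> {dst}")
    for src, dst, proto, port in inter_container_links(rules):
        print(f"container link: {src} -> {dst} {proto}/{port}")
```

Run it against `iptables -L FORWARD -n` output on the Docker host to review which container ports are really reachable from outside, independent of what the host's INPUT policy says.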
  • 34. Security
  • 35. Security: hardening; filesystem bind; SELinux; volumes; users
  • 36. http://www.pcworld.com/article/2825032/linux-botnet-mayhem-spreads-through-shellshock-exploits.html
  • 37. Shellshock: CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187. Remove the containers' base images (Debian, Ubuntu, CoreOS, etc.); rebuild the images; new deploy
  • 38. What did not work (at first)
  • 39. What did not work (at first): migrating headlong ("na loka!"); an OS with many firewall rules (iptables); database versioning; Mailman migration
  • 40. Lessons learned
  • 41. Lessons learned: docker build --rm --no-cache ... + caution; an OS with many firewall rules (iptables); monitoring of the services (applications); build containers without the database; one command per step (STEPs); not everything runs well under Supervisord
  • 42. TODO
  • 43. TODO: use Chef/Puppet; use a "container manager" (fig); integration with Jenkins/Travis; Open vSwitch; service discovery (etcd, Mesos, etc.) + docker-gen + reverse proxy (Nginx); Dokku/Fig/Flynn (???)
  • 44. Links: Docker advanced networking https://docs.docker.com/articles/networking/ ; deb vs. rpm vs. gem http://lwn.net/Articles/75034/ ; service discovery + Docker http://progrium.com/blog/2014/07/29/understanding-modern-service-discovery-with-docker/ ; Docker + Open vSwitch https://goldmann.pl/blog/2014/01/21/connecting-docker-containers-on-multiple-hosts/ ; Docker Hub https://registry.hub.docker.com
  • 45. Contacts: http://www.fernandoike.com ; fike at gmail.com ; https://www.linkedin.com/in/fernandoike ; @fernandoike