Docker tips and tricks 
Docker Beijing Meetup Group
Jérôme Petazzoni (@jpetazzo) 
Grumpy French DevOps 
- Go away or I will replace you with a very small shell script 
Wrote dotCloud PAAS deployment tools 
- EC2, LXC, Puppet, Python, Shell, ØMQ... 
Docker contributor 
- Security, networking... 
Runs all kinds of crazy things in Docker 
- Docker-in-Docker, VPN-in-Docker, 
KVM-in-Docker, Xorg-in-Docker...
Outline 
Some new features that you should know about 
The Docker orchestration flowchart 
Measuring and optimizing container performance 
You should use volumes
latest features
Docker 0.11 
SELinux integration 
(works better with CentOS) 
DNS integration for links 
(access linked containers by hostname) 
docker run --net 
- use host networking for high speed 
- share network of another container
Docker 0.12 
docker pause/unpause 
more importantly: 1.0 release candidate :-)
Docker 1.0 
It's “production-ready!” 
you can buy support contracts, training... 
(in addition to the traditional t-shirts and stickers☺)
Docker 1.1 
.dockerignore 
(don't upload your .git anymore!) 
docker logs --tail 
- further logging improvements on the way 
(truncate)
Docker 1.2 
New cool options for docker run 
--restart=always/no/on-failure 
--cap-add=NET_ADMIN 
--cap-drop=CHOWN 
--device=/dev/kvm:/dev/kvm
Docker 1.3 (almost there) 
docker exec 
(replaces nsenter) 
docker create 
(lifecycle management) 
Signature 
(for official images) 
--security-opt 
(customize SELinux/AppArmor)
Docker X.X: Windows Server Containers 
Windows Server Containers
orchestration
Orchestration 
There's more than one way to do it 
- describe your stack in files 
(Fig, Maestro-NG, Ansible and other CMs) 
- submit requests through an API 
(Mesos, Kubernetes, Helios...) 
- implement something that looks like a PAAS 
(Flynn, Deis, OpenShift...) 
- OpenStack (because OpenStack can do everything!)
Introducing the 
Docker orchestration 
flowchart
Do you (want to) use OpenStack? 
Yes 
- if you are building a PAAS, keep an eye on Solum 
(and consider contributing) 
- if you are moving VM workloads to containers, use Nova 
(that's probably what you already have; just enable the Docker driver) 
- otherwise, use Heat 
(and use Docker resources in your Heat templates) 
No 
- go to next slide
Are you looking for a PAAS?
Good question: to PAAS or not to PAAS? 
PAAS does not solve problems 
- PAAS puts all* your problems in one place 
- now you have N identical problems instead of N different problems 
All your applications must be standardized 
- so that they all have the same problem (instead of different ones) 
It's much harder to operate a PAAS than a single app 
- in other words: PAAS is great if you have many apps 
*Well, not all your problems, but things like database failover, high 
availability, scaling...
Are you looking for a PAAS? 
Yes 
- CloudFoundry (Ruby, but increasing % Go) 
- Deis (Python, Docker-ish, runs on top of CoreOS) 
- Dokku (a few 100s of lines of Bash!) 
- Flynn (Go, bleeding edge) 
- Tsuru (Go, more mature) 
- OpenShift geard (Go again!) 
Choose wisely (or go to the next slide) 
- http://blog.lusis.org/blog/2014/06/14/paas-for-realists/ 
“I don’t think ANY of the current private PaaS solutions are a fit right now.”
If you have only one host 
Fig (www.fig.sh) 
fig.yml: 
web:
  build: .
  command: python app.py
  links:
    - db
  ports:
    - "8000:8000"
db:
  image: postgres
If you have a few hosts (10s) 
Maestro-NG 
(https://github.com/signalfuse/maestro-ng) 
- fig-like YAML file 
- can talk to multiple hosts 
- manual placement 
Your favorite Configuration Management system 
- Ansible, Chef, Puppet, Salt: have Docker modules 
- use CM to deploy hosts and start containers 
- use Dockerfiles to deploy code & dependencies, libraries, packages
If you have many hosts (100s) 
Helios 
- Java 
- needs ZK, a master server, and one agent per host 
<empty spot> 
<empty spot> 
<empty spot> 
Hmmm... There might be a start-up opportunity there
If you have many many hosts (1000s) 
Mesos 
- C++ 
- needs ZK, a master server, and one agent per host 
- and probably a few other standby servers for HA 
- and frameworks; e.g.: 
https://github.com/VoltFramework/volt 
https://github.com/mesosphere/marathon 
Kubernetes 
- work in progress
performance
Gathering metrics 
cgroups give us per-container... 
- CPU usage 
- memory usage (fine-grained: cache and resident set size) 
- I/O usage (per device, reads vs writes, in bytes and in ops) 
cgroups don't give us... 
- network metrics (have to do tricks with network namespaces) 
https://github.com/google/cadvisor 
http://jpetazzo.github.io/2013/10/08/docker-containers-metrics/
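The per-container memory and I/O counters listed above come from plain-text files in the container's cgroup (cgroup v1, as used at the time of this talk). The parser below is an added example, not code from the slides; the sample file contents are constructed, and the `<root>/<subsystem>/docker/<id>` directory layout in `read_container` is an assumption that varies with distribution and exec driver.

```python
import os

# Constructed sample of memory.stat for one container (values are made up).
SAMPLE_MEMORY_STAT = """\
cache 11492564992
rss 1930993664
mapped_file 306728960
pgpgin 406632648
pgpgout 403355412
swap 0
hierarchical_memory_limit 9223372036854775807
total_cache 11492564992
total_rss 1930993664
"""

# Constructed sample of blkio.throttle.io_service_bytes (values are made up).
# blkio.throttle.io_serviced uses the same layout but counts operations.
SAMPLE_BLKIO_BYTES = """\
8:0 Read 51200000
8:0 Write 1048576
8:0 Sync 2097152
8:0 Async 50151424
8:0 Total 52248576
8:16 Read 4096
8:16 Write 0
8:16 Sync 4096
8:16 Async 0
8:16 Total 4096
Total 52252672
"""


def parse_keyed(text):
    """Parse 'key value' lines (memory.stat, cpuacct.stat) into {key: int}."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip anything that is not exactly "<name> <unsigned integer>".
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def parse_blkio(text):
    """Parse 'major:minor Op value' lines into {device: {op: int}}."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        # The trailing grand-total line ("Total N") has two fields: skipped.
        if len(parts) != 3 or ":" not in parts[0] or not parts[2].isdigit():
            continue
        devices.setdefault(parts[0], {})[parts[1].lower()] = int(parts[2])
    return devices


def summarize(memory_stat, blkio_bytes):
    """Reduce the raw files to the metrics named on the slide."""
    mem = parse_keyed(memory_stat)
    io = parse_blkio(blkio_bytes)
    return {
        "cache_bytes": mem.get("cache", 0),   # page cache charged to the group
        "rss_bytes": mem.get("rss", 0),       # resident set size
        "swap_bytes": mem.get("swap", 0),
        "io_bytes": {
            dev: {"read": ops.get("read", 0), "write": ops.get("write", 0)}
            for dev, ops in io.items()
        },
    }


def read_container(cgroup_root, container_id):
    """Read the same files for a live container (path layout is assumed)."""
    def slurp(subsystem, name):
        path = os.path.join(cgroup_root, subsystem, "docker", container_id, name)
        try:
            with open(path) as handle:
                return handle.read()
        except OSError:
            return ""  # missing or unreadable file: report zeros, do not crash
    return summarize(
        slurp("memory", "memory.stat"),
        slurp("blkio", "blkio.throttle.io_service_bytes"),
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_MEMORY_STAT, SAMPLE_BLKIO_BYTES))
```
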
CPU performance 
Nothing to do 
CPU performance is native in all benchmarks
I/O performance 
Working set should be on a volume 
Volume performance is native in all benchmarks
Memory performance 
Memory control group has an overhead 
Overhead happens when memory is given by the 
kernel to the container, or reclaimed back 
Overhead is not related to memory allocations 
Disabling the memory control group = native speed 
But it is a global operation (affects all containers) 
… And requires a reboot
Network performance 
Linux bridge = overhead 
IPTables = overhead 
docker run --net host = native speed 
- but loss of isolation 
SR/IOV and macvlan = almost native speed 
- better performance than VMs 
- maintain isolation
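The `docker run` options from the 1.2 and 1.3 slides (`--cap-add`, `--device`, `--security-opt`) and the `--net` modes all trade isolation for capability or speed, so it helps to know which running containers use them. The audit below is an added example, not code from the slides: it reads `docker inspect` JSON, the sample input is constructed, and the severity ratings and the high-risk capability list are an example policy rather than anything Docker defines.

```python
import json

# Constructed `docker inspect` output for three containers (not real data).
SAMPLE_INSPECT = """
[
 {"Name": "/web", "HostConfig": {"NetworkMode": "bridge", "Privileged": false,
   "CapAdd": null, "CapDrop": ["CHOWN"], "Devices": [], "SecurityOpt": null}},
 {"Name": "/vpn", "HostConfig": {"NetworkMode": "host", "Privileged": false,
   "CapAdd": ["NET_ADMIN"], "CapDrop": null, "Devices": [],
   "SecurityOpt": null}},
 {"Name": "/kvm", "HostConfig": {"NetworkMode": "container:vpn",
   "Privileged": false, "CapAdd": null, "CapDrop": null,
   "Devices": [{"PathOnHost": "/dev/kvm", "PathInContainer": "/dev/kvm",
                "CgroupPermissions": "rwm"}],
   "SecurityOpt": ["apparmor:unconfined"]}}
]
"""

# Example policy (an assumption of this sketch): added capabilities rated high.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN"}
# --security-opt values that switch a confinement layer off, ":" form.
DISABLING_OPTS = {"label:disable", "apparmor:unconfined", "seccomp:unconfined"}
SEVERITY_ORDER = {"high": 0, "medium": 1}


def audit_container(entry):
    """Return (name, severity, rule, detail) findings for one inspect entry."""
    name = (entry.get("Name") or "?").lstrip("/")
    host_config = entry.get("HostConfig") or {}
    findings = []

    mode = host_config.get("NetworkMode") or ""
    if mode == "host":
        findings.append((name, "high", "host-network",
                         "shares the host network stack (--net host)"))
    elif mode.startswith("container:"):
        findings.append((name, "medium", "shared-network",
                         "shares the network stack of " + mode.split(":", 1)[1]))

    if host_config.get("Privileged"):
        findings.append((name, "high", "privileged", "runs with --privileged"))

    # List fields are null in inspect output when the option was not used.
    for cap in host_config.get("CapAdd") or []:
        cap = cap.upper()
        if cap.startswith("CAP_"):
            cap = cap[4:]
        severity = "high" if cap in HIGH_RISK_CAPS else "medium"
        findings.append((name, severity, "cap-add", cap))

    for device in host_config.get("Devices") or []:
        findings.append((name, "medium", "host-device",
                         device.get("PathOnHost", "?")))

    for opt in host_config.get("SecurityOpt") or []:
        # Older Docker releases write "key:value", newer ones "key=value".
        if opt.replace("=", ":", 1) in DISABLING_OPTS:
            findings.append((name, "high", "confinement-disabled", opt))

    return findings


def audit(inspect_json):
    """Audit every container in a `docker inspect` document, worst first."""
    data = json.loads(inspect_json)
    if isinstance(data, dict):
        data = [data]
    findings = []
    for entry in data:
        findings.extend(audit_container(entry))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


if __name__ == "__main__":
    for name, severity, rule, detail in audit(SAMPLE_INSPECT):
        print("%-6s %-8s %-22s %s" % (severity, name, rule, detail))
```

On a real host the input would be the JSON printed by `docker inspect` for the running containers instead of `SAMPLE_INSPECT`.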
volumes
What is a volume? 
Special directory in a container 
Mapped to normal directory on the host 
Can be shared by multiple containers
When should we use volumes? 
Bypass copy-on-write system 
- fast I/O path with zero overhead 
- keep data across container upgrades 
Use specific storage device in container 
- (e.g. SAN, or fast SSD RAID for database...) 
Share data between containers 
- this is cool, and let's see why!
Logging with volumes 
Write log files to a volume 
docker run --name logs -v /var/log busybox true 
docker run --volumes-from logs myapp 
Inspect logs 
docker run --rm --volumes-from logs ubuntu bash 
Ship logs to something else (logstash, syslog...) 
docker run --volumes-from logs pipestash
Backups with volumes 
Data files should be in a volume 
docker run --name mysqldata -v /var/lib/mysql busybox true 
docker run --volumes-from mysqldata mysql 
Run backup job in a separate container 
docker run --rm --volumes-from mysqldata mysqlbackup \
tar -cJf- /var/lib/mysql | stream-it-to-the-cloud.py 
Of course, you can use anything fancier than tar 
(e.g. rsync, tarsnap...)
Moving containers and volumes around 
If the container is stateless (web app...): 
- get the image to the new machine 
- start the new container 
- reconfigure load balancers 
If the container is stateful (DB...): 
- Flocker 
- Flocker 
- Flocker 
- or move volumes around and do the network plumbing yourself
More information about volumes 
Docker Docs: 
https://docs.docker.com/userguide/dockervolumes/ 
Additional insights: 
http://blog.docker.com/2014/06/why-you-dont-need-to-run-sshd-in-docker/
Not an actual book (yet) Thank you! 
Docker 
advanced concepts 
Containers, containers everywhere! 
Questions? 
www.docker.com 
@docker 
@jpetazzo
