Docker Containers Across Red Hat Solutions
Total Page:16
File Type:pdf, Size:1020Kb
Portable, lightweight, & interoperable Docker containers across Red Hat solutions Jérôme Petazzoni Alexander Larsson Tinkerer Extraordinaire Principal Software engineer Docker, Inc Red Hat, Inc What? Why? Deploy everything •Webapps •Backends •SQL, NoSQL •Big data •Message queues •… and desktop apps and more If it runs on Linux, it will run in a Docker container! Deploy almost everywhere •Linux servers! •Virtual machines •Bare metal •Any distro •Recent kernel Currently: focus on x86_64. (But people reported success on arm.) Deploy reliably & consistently Deploy reliably & consistently •If it works locally, it will work on the server •With exactly the same behavior •Regardless of versions •Regardless of distros •Regardless of dependencies Deploy efficiently •Containers are lightweight • Typical laptop runs 10-100 containers easily • Typical server can run 100-1000 containers •Containers can run at native speeds • Lies, damn lies, and other benchmarks: http://qiita.com/syoyo/items/bea48de8d7c6d8c73435 The performance! It's over 9000! NativeNative Docker container Native Docker container Is there really no overhead at all? •Processes are isolated, but run straight on the host •CPU performance = native performance •Memory performance = a few % shaved off for (optional) accounting •Network performance = small overhead; can be reduced to zero •Disk I/O performance = copy-on-write overhead; can be reduced to zero (use volumes) … Container ? Containers look like lightweight VMs •Own process space •Own network interface •Can run stuff as root •Can have its own /sbin/init (different from the host) « Machine Container » Containers are really chroot on steroids •Can also not have its own /sbin/init •Container = isolated process(es) •Share kernel with host •No device emulation (neither HVM nor PV) « Application Container » How does it work? Isolation with namespaces •pid •mnt •net •uts •ipc •user How does it work? Isolation with cgroups •memory •cpu •blkio •devices How does it work? Copy-on-write storage •Create a new machine instantly (Instead of copying its whole filesystem) •Storage keeps track of what has changed •Multiple storage plugins available (AUFS, device mapper, BTRFS...) Docker: the big picture •Open Source engine to commoditize container technology •Using copy-on-write for quick provisioning •Allowing to create and share images •Standard format for containers •Standard, reproducible way to easily build trusted images (Dockerfile, Stackbrew...) •Hosted services to work and cooperate around containers (e.g. docker.io hosted registry for public and private images) Authoring Docker images Authoring images with run/commit 1) docker run centos bash 2) yum install this and that 3) docker commit <containerid> <imagename> 4) docker run <imagename> bash 5) git clone git://.../mycode 6) pip install -r requirements.txt 7) docker commit <containerid> <imagename> 8) repeat steps 4-7 as necessary 9) docker tag <imagename> <user/image> 10) docker push <user/image> Authoring images with run/commit •Pros • Convenient, nothing to learn • Can roll back/forward if needed •Cons • Manual process • Iterative changes stack up • Full rebuilds are boring, error-prone Authoring images with a Dockerfile FROM fedora RUN yum -y update RUN yum -y install mongodb-server RUN mkdir -p /data/db RUN sed -i 's,dbpath=/var/lib/mongodb,dbpath=/data,' /etc/mongodb.conf VOLUME /data EXPOSE 27017 CMD /usr/bin/mongod docker build -t jpetazzo/mongodb . Authoring images with a Dockerfile •Minimal learning curve •Rebuilds are easy and reliable •Caching system makes rebuilds faster •Single file to define the whole environment! Docker on Red Hat Red Hat Enterprise Linux 6 •Available in EPEL: yum install docker-io •Works in 6.4 and later •6.5 has more complete network namespace support •Not supported, but much of the underlying kernel features are •Packages also work on CentOS Red Hat Enterprise Linux 7 Beta •Available in EPEL7 beta: yum install docker-io •More recent kernel Fedora •Available since Fedora 19: yum install docker-io Storage backends •AUFS • Not in upstream kernel or in Red Hat kernels •Device Mapper • Contributed by Red Hat • Works everywhere •BTRFS • Contributed by Red Hat • /var/lib/docker must be on a btrfs filesystem • Tech preview in RHEL6 kernel Union Filesystems Copy-on-write Snapshotting (AUFS, overlayfs) block devices filesystems Provisioning Superfast Fast Fast Supercheap Cheap Cheap Changing Superfast Fast Fast small files Supercheap Costly Cheap Changing Slow (first time) Fast Fast large files Inefficient (copy-up!) Cheap Cheap Diffing Superfast Slow Superfast Memory usage Efficient Inefficient Inefficient (at high densities) (but may improve) Drawbacks Random quirks Higher disk usage ZFS not mainline AUFS not mainline Great performance BTRFS not as nice (except diffing) Bottom line Ideal for PAAS and Dodge Ram 3500 This is the future high density things (Probably!) Running your own registry •yum install docker-registry • Fedora >= 19 • EPEL 6 • EPEL 7 Beta Push an image: docker tag 8dbd9e392a96 my-machine:5000/image docker push my-machine:5000/image Use it: docker run my-machine:5000/image Base images •Fedora • Official images available as “fedora” • Current versions: Fedora 20, rawhide •CentOS • Official images available as “centos” • Current version: 6.4 RHEL base images •Distribution problematic •Working on a nice solution •For now, build base images on entitled RHEL machines • Use yum –installroot + docker import • Distribution rules same as any other Red Hat content Docker, from development to production One-time setup •On your servers (Linux) • Packages (not only RPM, but also Ubuntu, Debian, Gentoo, Arch...) • Single binary install (Golang FTW!) • Easy provisioning on Rackspace, Digital Ocean, EC2, GCE... •On your developer environment (Linux, OS X, Windows) • In your regular Linux VM (Vagrant or other) • boot2docker (25 MB VM image) • Natively (if you run Linux) The Docker workflow 1/2 •Work in developer environment (local machine or container) •Other services (databases etc.) in containers (and behave just like the real thing!) •Whenever you want to test « for real »: • Build in seconds • Run instantly The Docker workflow 2/2 Satisfied with your local build? •Push it to a registry (public or private) •Run it (automatically!) in CI/CD •Run it in production •Happiness! Something goes wrong? Rollback painlessly! Running containers •SSH to Docker host and manual pull+run •REST API (feel free to add SSL certs, OAuth...) •Maestro NG (https://github.com/signalfuse/maestro-ng) •Many Open Source PAAS built on Docker: Deis, Flynn, … •And of course, OpenStack! OpenStack integration •Nova (OpenStack Compute) • Provisions and manages virtual machines • Docker hypervisor driver • Deploy containers instead of VMs with the same API • Available in Havana release •Glance (Image Service) • Docker registry integration OpenStack integration •Heat (OpenStack Orchestration) • Template driven engine for automated deployment of infrastructure • Docker plugin • Allows use of full Docker API in your templates • Available in Icehouse release HeatTemplateFormatVersion: '2012-12-12' Parameters: {} Mappings: {} Resources: Blog: Type: OS::Heat::Docker Properties: Image: samalba/wordpress Env: - {"Fn::Join": ["=", ["DB_HOSTNAME", {"Fn::GetAtt": ["Database", "NetworkIp"]}]]} - {"Fn::Join": ["=", ["DB_PORT", {"Fn::GetAtt": ["Database", "NetworkTcpPorts"]}]]} - {"Fn::Join": ["=", ["DB_PASSWORD", {"Fn::GetAtt": ["Database", "LogsHead"]}]]} Database: Type: OS::Heat::Docker Properties: Image: samalba/mysql Outputs: BlogURL: Value: {"Fn::Join": ["", ["http://", {"Fn::GetAtt": ["Blog", "NetworkIp"]}, ":", {"Fn::GetAtt": ["Blog", "NetworkTcpPorts"]}, "/"] ]} Description: Blog URL OpenShift Containers •Cloud applications • Cartridges • Gears •Containment of Gears • UID • SELinux category • Home directory • Cgroup •Sounds similar to Docker? OpenShift Gears Version 2 •Use Docker for containerization • Namespaces • Layers • Easier to make cartridges • Reuse existing Docker images •Geard • Combines Systemd and Docker Docker & Security History: lots of FUD •LXC used to be considered insecure “LXC is not yet secure. If I want real security I will use KVM.” —Dan Berrangé, famous LXC hacker, in 2011. •Linux has changed a tiny little bit since 2011. What you should care about •Limit root access (You don't need root privileges inside containers!) •Docker will use capabilities to limit damage (But you can re-enable them on a per-container basis!) •Make sure to protect access to the Docker socket! (If someone can create a privileged container, they can do anything they want on the machine!) SELinux •Each container runs in a separate context •All container files are labeled with per-container context •No need to write SELinux policy files for containers •Automatic for non-privileged container if SELinux is enabled Security upgrades •Traditional way: apply upgrades on regular basis • Possible with Docker, but very inefficient •Docker way: rebuild images on regular basis • Trivial as long as you use Dockerfiles • Less risky, since testing+rollback is possible • Better mitigation of dependency issues The roadmap to Docker 1.0 Docker 1.0 •Multi-arch, multi-OS •Stable control API •Stable plugin API •Resiliency •Clustering Questions? .