Containerisation with Docker & KubernetesKubernetesKubernetes Hello ! • I’m Dan ! • Senior Field Engineer at Heptio VMware • Ex: • Heptio • Docker • Hewlett-Packard Enterprise • SkyBet • European Space Agency •… • Still a maintainer and contributor to various Docker and Moby projects (mainly GO, but I sometimes write C (if need be)) • @thebsdbox – for random nonsense © 2018. Heptio. All Rights Reserved AgendaAgendaAgenda • Where did Docker come from? • Docker Under the Hood • Using Docker • Questions? © 2018. Heptio. All Rights Reserved Where did Docker come from? In the beginning ... © 2018. Heptio. All Rights Reserved Where did Docker come from? Things broke a lot ... © 2018. Heptio. All Rights Reserved Where did Docker come from? FreeBSD Jails Solaris Zones RedHat adds user Docker provides expand on Unix bring the namespaces, limiting simple user tools and chroot to isolate 2001 concept of 2006 root access in 2008 images. Containers files snapshots containers go mainstream VServer cgroups LXC Jails Zones Namespaces Docker 2000 Linux-VServer 2004 Google introduces 2008 IBM creates LXC 2013 ports kernel Process Containers, providing user tools isolation, but merged as cgroups for cgroups and requires namespaces recompilation © 2018. Heptio. All Rights Reserved Docker under the hood © 2018. Heptio. All Rights Reserved Docker Installation • Linux installation(s) • apt-get install -y docker • yum install -y docker • Docker for Mac • Docker for Windows • Docker on Windows 10 / 2016 / 2019 © 2018. Heptio. All Rights Reserved Docker Components Docker CLI dockerd containerd runc © 2018. Heptio. All Rights Reserved Docker Command Line Interface • docker build build docker image from Dockerfile • docker run run docker image • docker logs show log data for a running or stopped container • docker ps list running containers, -a includes stopped containers • docker images list all images on the local volume • docker rm remove a container | docker rmi : remove an image • docker tag name a docker image • docker login login to registry • docker push/pull push or pull volumes to/from Docker Registries • docker inspect return info/metadata about a Docker object © 2018. Heptio. All Rights Reserved Docker Command Line Interface [dan@docker ~]$ docker run /var/run/docker.sock Connects to Docker CLI dockerd Exposes * x.x.x.x:<port> * Configured in /etc/docker/json © 2018. Heptio. All Rights Reserved Docker Daemon • Provides the ”standard” interaction with a container platform • Image download from registries • Plugin features to extend the container platform for other vendors • In-build orchestration for multiple docker Engines • Container build function containerd • Manages the full container lifecycle: • Container execution • Image transfer/storage • Presentation of images to the OCI runtime • Networking • Container supervision runc (or any OCI specific runtime) • Lowest level component • Implements an OCI compatible interface • Implements the namespace isolation that “defines” a container • Handles the starting, monitoring and stopping of a container All tied together Docker Image / / /bin /bin /boot /boot /dev /dev /etc /etc /home /home /lib64 /lib64 /mnt /mnt /opt /opt /var /var /usr /usr © 2018. Heptio. All Rights Reserved Docker Image / / / /bin /usr/myapp /bin /boot /boot /dev /dev /etc /etc /home /home /lib64 /lib64 /mnt /mnt /opt /opt /var /var /usr /usr /usr/myapp © 2018. Heptio. All Rights Reserved Docker Image / / / / /bin /usr/myapp /etc/ssl.keys /bin /boot /boot /dev /dev /etc /etc /home /etc/ssl.keys /lib64 /home /mnt /lib64 /opt /mnt /var /opt /usr /var /usr /usr/myapp © 2018. Heptio. All Rights Reserved Docker Image / / / / / /bin /usr/myapp /etc/ssl.keys /etc/ssl.keys /bin /boot /boot /dev /dev /etc /etc /home /home /lib64 /lib64 /mnt /mnt /opt /opt /var /var /usr /usr /usr/myapp © 2018. Heptio. All Rights Reserved Container Registry * Container registries are now standardized through the Open Containers Initiative. P_AotejcrProject_A P_Aotejcr App1App1 App1 eLtsatLatest eLtsat 5.95.9 5.9 5.85.8 5.8 4.94.9 4.9 App2App2 App2 eLtsatLatest eLtsat .101.0 .10 Registry Address/hostname Customer_100 eireb_tWWeb_tier eireb_tW .121.2 .12 1.11.1 1.1 Apeirp_tApp_tier Apeirp_t 2.02.0 2.0 * If no hostname, DBeir_tDB_tier DBeir_t 2.02.0 2.0 defaults to Docker hub NNamespaceamespace ImageImage Image agTTag agT Pulling an image from a Registry [dan@docker ~]$ docker pull quay.io/customer_a/web_tier:1.0 [dan@docker ~]$ docker pull customer_b/app_tier:2.0 * Above specifies the project(namespace), the image and the specific tag (version) of the image to be pulled. What happens if no tag is specified? © 2018. Heptio. All Rights Reserved What is a container? UID PID PPID C STIME TTY TIME CMD root 1 0 0 Jun12 ? 00:03:09 init[2] rootdrwxr-xr-x 232 root 0root 0 Jun12 4096 ?Apr 1 2014 00:00:00 . [kthreadd] rootdrwxr-xr-x 233 root 2root 0 Jun12 4096 ?Apr 1 2014 00:01:44 .. [ksoftirqd/0] rootdrwxr-xr-x 24 root 2root 0 Jun12 4096 ?Oct 20 2017 00:01:58 bin [kworker/0:0] rootdrwxr-xr-x 35 root 2root 0 Jun12 4096 ?Oct 20 2017 00:00:00 boot [kworker/u:0] rootdrwxr-xr-x 116 root 2root 0 Jun12 2780 ?Jun 12 09:37 00:00:00 dev [migration/0] rootdrwxr-xr-x 807 root 2root 0 Jun12 4096 ?Jun 12 09:37 00:01:14 etc [watchdog/0] rootdrwxr-xr-x 48 root 2root 0 Jun12 4096 ?Apr 21 2014 00:00:00 home [cpuset] rootdrwxr-xr-x 139 root 2root 0 Jun12 4096 ?Apr 10 2014 00:00:00 lib [khelper] rootdrwxr-xr-x 102 root 2root 0 Jun12 4096 ?Oct 20 2017 00:00:00 lib64 [kdevtmpfs]Traffic rootdrwx------ 112 root 2root 0 Jun1216384 ?Apr 1 2014 00:00:00 lost+found [netns] rootdrwxr-xr-x 122 root 2root 0 Jun12 4096 ?Oct 16 2013 00:00:00 media [xenwatch] rootdrwxr-xr-x 132 root 2root 0 Jun12 4096 ?Sep 22 2013 00:00:00 mnt [xenbus] rootdrwxr-xr-x 142 root 2root 0 Jun12 4096 ?Oct 16 2013 00:00:36 opt [sync_supers] root 15 2 0 Jun12 ? 00:00:00 [bdi-default] MountNetPID NamespaceNamespace Namespace dockerhost01.local © 2018. Heptio. All Rights Reserved What is a container? UID PID PPID C STIME TTY TIME CMD root 1 0 0 Jun12 ? 00:03:09 /usr/sbin/apache2 -k start PID Namespace [dan@docker ~]$ docker run –d \ drwxr-xr-x 23 root root 4096 Apr 1 2014 . drwxr-xr-x 23 root root 4096 Apr 1 2014 .. -p 8080:80 \ drwxr-xr-x 2 root root 4096 Oct 20 2017 bin drwxr-xr-x 3 root root 4096 Oct 20 2017 boot drwxr-xr-x 11 root root 2780 Jun 12 09:37 dev apache2 drwxr-xr-x 80 root root 4096 Jun 12 09:37 etc drwxr-xr-x 2 root root 4096 Oct 16 2013 opt Mount Namespace :8080 Net Namespace dockerhost01.local © 2018. Heptio. All Rights Reserved Using Docker © 2018. Heptio. All Rights Reserved Using Docker Docker FileDocker File Docker CLIDocker CLI Docker Compose Container Orchestration © 2018. Heptio. All Rights Reserved Dockerfile FFROMROMFROM defines the base image FROM golang:1.9.2-alpine3.6 that the subsequent layers will RUN go get github.com/thebsdbox/klippy build on top of. WORKDIR /go/src/github.com/thebsdbox/klippy The base image scratchscratchscratch is the smallest base image and allows RUN go build -o /bin/klippy (as the name suggests) starting ENTRYPOINT ["/bin/klippy"] from scratch. CMD ["--help"] © 2018. Heptio. All Rights Reserved Dockerfile RRUNUNRUN Creates a new empty layer and will execute a command FROM golang:1.9.2-alpine3.6 upon that layer, any filesystem changes will be then stored in RUN go get github.com/thebsdbox/klippy the new layer. WORKDIR /go/src/github.com/thebsdbox/klippy In this example go get will pull RUN go build -o /bin/klippy go source code from the internet, ENTRYPOINT ["/bin/klippy"] which will persist in this new CMD ["--help"] layer © 2018. Heptio. All Rights Reserved Dockerfile FROM golang:1.9.2-alpine3.6 RUN go get github.com/thebsdbox/klippy WWORKDIRORKDIR sets the current WORKDIR /go/src/github.com/thebsdbox/klippy working directory for any subsequent commands RUN go build -o /bin/klippy ENTRYPOINT ["/bin/klippy"] CMD ["--help"] © 2018. Heptio. All Rights Reserved Dockerfile EENTRYPOINTNTRYPOINT specifies the FROM golang:1.9.2-alpine3.6 command that will be ran by RUN go get github.com/thebsdbox/klippy default when the container is ran. WORKDIR /go/src/github.com/thebsdbox/klippy CMD specifies a command that RUN go build -o /bin/klippy is ran when no arguments are ENTRYPOINT ["/bin/klippy"] passed to a container. CMD ["--help"] © 2018. Heptio. All Rights Reserved Efficient Dockerfile(s) FROM golang:1.9.2-alpine3.6 AS build A MMultiPartultiPartMultiPart docker file allows building your image from a RUN go get github.com/thebsdbox/klippy number of other images. WORKDIR /go/src/github.com/thebsdbox/klippy RUN go build -o /bin/klippy Allows the separation of building/compiling images to the # This results in a single layer image FROM scratch final application image, creating COPY --from=build /bin/klippy /bin/klippy smaller images that only have the assets that are needed. ENTRYPOINT /bin/klippy"] CMD ["--help"] © 2018. Heptio. All Rights Reserved Docker CLI TheCLI CLI CLI is standard across all platforms, I’ll be using Docker for Mac to demonstrate some of the more useful commands. SomeCLI CLI CLI commands, such asstskac the stacks stskac and serecivservice sereciv commands will only appear once a node or multiple nodes are in a cluster (also only master nodes will be able to manage the cluster) © 2018. Heptio. All Rights Reserved Docker Compose Docker compose provides the capability to orchestrate, build and deploy an application that is built from multiple containers. A compose file is a yaml file that specifies the various containers that make up an application, and how the various containers should interact.