INTRODUCTION TO

by Tom Verelst

Automation & Tooling Competence Center

© 2016 JWorks

BEFORE WE BEGIN...Join https://tlk.io/ordina-docker

WHAT IS DOCKER?

Build Ship Run

WHAT IS A CONTAINER?

Contains the complete runtime environment

Application

Dependencies

It feels like a

LIGHTWEIGHT VIRTUAL MACHINEIt has a shell (SSH, ...)

Has its own namespace

Has its own network interface

Run stuff as root

Services

Packages

But if it's not a VM, so what's the difference?

VIRTUAL MACHINES

App

bins/libs

Guest OS

App

bins/libs

Guest OS

App

bins/libs

Guest OS

Hypervisor

Host OS / Kernel

Infrastructure

CONTAINERSProcesses that share the same kernel

App

bins/libs

App

bins/libs

App

bins/libs Daemon

Kernel

Infrastructure

DockerArchitecture

BASIC DOCKER WORKFLOW

DOCKER HOSTDocker Daemon

Docker Remote API (REST)

unix:///var/run/docker.sock

https://dockerhost:2376

Downloads and runs the containers

DOCKER CLIENTTalks to Docker daemon

DOCKER REGISTRYImage repository

Official Docker Registry @ hub.docker.com

As a service @ Docker Trusted Registry

Host your own @ github.com/docker/distribution

DOCKER IMAGEBasis for each container

Layers

LAYERSTop layer is thrown away when container stops

Writeable Container

Image: My application

Image: Java 8

Base Image: Ubuntu

bootfs (Kernel)

CONTENT ADDRESSABLE IMAGE IDSPreviously random UUIDs

Secure hash of image and layer data (SHA-256)

Separation of images and layers

ID collision prevention

Data integrity

Migration needed from pre-1.10

VOLUMES

Write and read data from outside

Mount local folders onto the container

Docker Volume drivers available

Basic Docker

DEMO TIME!

Commands

DOCKERFILEInstructions to automate building of your image

Steps are cached for fast-reuse

FROM java:8

COPY target/application.jar app.jar

ENTRYPOINT ["java", "-jar", "app.jar"]

BASIC DOCKER COMMANDS# Build the image in the working directory $ docker build -t myapp .

# Run the image we just built as a container $ docker run --name mycontainer myapp

# Stop the container $ docker stop mycontainer

# Start the container again $ docker start mycontainer

MANAGE CONTAINERS AND IMAGES# List running containers $ docker ps

# List all containers, including stopped $ docker ps -a

# List all images $ docker images

# Remove an image $ docker rmi myapp

PUSH DOCKER IMAGES TO THE REGISTRY# Login to Docker Registry $ docker login --username=tomverelst --email=tom.verelst@ordina.be

# Push the image to the Docker Registry $ docker push myapp

HOW DO CONTAINERS REALLY WORK?

WARNINGReal low-level Linux stuff ahead!

BACK TO 2007, KERNEL 2.6.24

Control Groups aka cgroups

Kernel feature

Linux Containers aka lxc

Linux package that uses cgroups

CONTROL GROUPResource limiting

Prioritization

Accounting

Controlling

LINUX CONTAINERSPackage

Different on different Linux distro's

REDESIGN IN 2013

KERNEL 3.15 AND 3.16

NAMESPACE ISOLATIONPID namespace

Network namespace

Hostname

Mount namespace

Inter-process communication namespace

User namespace

FIRST DOCKER RELEASE IN 2013Depended on LXC

Now abstracted with libcontainer

Benefits of containerisation

SCALING

IMMUTABLE INFRASTRUCTURE

DevOps

DEVApplication and dependencies

Inside of the container

OPSInfrastructure

Outside of the container

CONTINUOUS INTEGRATIONSame artifact for all environments

No more "It worked on my laptop"

Run your builds and tests inside containers

Orchestration

Compose Machine Swarm Networking

Compose

Define and run multi-container applications

Single host

Multi-host experimental

Machine

Create and provision machines as Docker hosts

Create new Docker hosts

Run containers on these new hosts

Drivers

Swarm

Clustering tool

Turn multiple hosts into one virtual host

Service discovery

Scheduling

LABELSDefine custom labels to your Docker host

$ docker daemon --label env="production" --label storage="ssd"

$ docker-machine --engine-label env="production" --label storage="ssd"

$ docker run -e constraint:env==production -e constraint:storage==ssd ...

Filters

NODEConstraint

Health

 

CONTAINERAffinity

Port

Dependency

Networking

Create overlay networks

Replaces links (bridge)

Network plugins (Weave)

Embedded DNS server

Compose + Swarm Production Ready?

NOPE

https://github.com/docker/compose/issues/2866

https://cloud.docker.com/

(Tutum: )https://www.tutum.co/

Tools

Kubernetes

etcd etcd etcdDocker Docker Docker

CoreOS host CoreOS host CoreOS host

Host #1 Host #2 Host #3

etcd

fleetctl

etcdctl

fleetd

nServices

systemd service files pool

Docker containers

Docker containers

Docker containers

Local machine

Lattice

Flocker

Data Volume Manager

CONTAINER SECURITYIsolation

Dependencies

Seccomp profiles

Coming soon: Unikernels

Security patches

NODE SECURITYDaemon must run as root

Default authorization is all or nothing

Authorization plugins

Roadmap

Thank You!

Automation & Tooling Competence Center

© 2016 JWorks