Building and

testing

docker containers

 
@sublimino
YLD.io
News UK, Visa, British Gas
www.binarysludge.com

codes


Containment

data

efficacy

   
 

containerised component types

  • Queue
  • Datastore
  • Black box
  • Microservice
  • Infrastructure

design Principles

  • Continuous integration/deployment
  • Deterministic pipeline
  • Favour simplicity
  • JSON everywhere
  • Constant cycle-time optimisation
  • Partial or whole stack deployable 
    on developers' machines
  • Containers identical from dev
    through test to production

building containers - shared code

  • Shared code repository
    • npm module
    • Present in every repository/image (even couchbase/redis)
    • Contains linting rules, extensible task runner, read-only credentials
    • Idempotent npm post-install task creates test directories and manipulates filesystem
    • Any change triggers cascading builds in dependent jobs

building containers - base image

FROM ubuntu:14.04
MAINTAINER Andrew Martin "sublimino@gmail.com" ENV APT_PACKAGES curl build-essential wget git
ENV NPM_PACKAGES forever gulp http-server
ENV NODE_VERSION 0.11.16
# apt and npm installation
#
RUN apt-get update && apt-get install -y $APT_PACKAGES && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN curl https://cdn.rawgit.com/isaacs/nave/master/nave.sh > /bin/nave && \ chmod a+x /bin/nave && \
    nave usemain $NODE_VERSION;
RUN npm install -g $NPM_PACKAGES;
# configure private npm
#
ADD ./node_modules/cb-shared/npmrc /root/.npmrc

BUILDING CONTAINERS -  Task runner

  • Stream processing and parallel task execution
  • Abstract invocation of language/library specificities
  • Tight dev feedback loop, reduced cycle-time

BUILDING CONTAINERS -  TASK RUNNER

Abstracts docker, fleet and test commands
$ gulp <tab> 
browserify              fleet:restart          test:functional
build                   fleet:start            test:functional:remote
build-properties        help                   test:functional:watch
build:watch             less                   test:integration
default                 lint                   test:integration:remote
docker:build            livereload             test:integration:watch
...
  • 4 different test runners
  • Defers test execution to cross platform BASH scripts
    • BATS acceptance tested
      • https://github.com/sstephenson/bats
    • OSX vs Linux - some GNU-ish complexities
  • Build server has no logic

building containers - a microservice

FROM harbour.example.com/cb-baseimage:latest
MAINTAINER Andrew Martin "sublimino@gmail.com"
# create installation directory
#
RUN mkdir -p /opt/d2
WORKDIR /opt/d2
# add package.json and npm install
#
ADD package.json /opt/d2/
RUN HOME=/root npm install ADD ./bin /opt/d2/bin
ADD ./lib /opt/d2/lib
ADD ./test /opt/d2/test
ADD exemplary.crt /opt/d2/exemplary.crt EXPOSE 4000 ENTRYPOINT ["bin/server.js"]

building containers - in summary

  • Manage dependencies via NPM
  • Common task API
  • Jenkins has no hidden logic 
  • Same containers from dev to prod

testing, testing, 123

testing a container

  • Isolate the component
  • Ensure its veracity as early as possible
  • Granular reporting of failures

components - Datastores



COMPONENTS - Queues

COMPONENTS - Black box


COMPONENTS - Microservice



COMPONENTS - other


TESTING PROCESS - 

unit/integration

  • Unit: "Smallest piece of testable software"
  • Integration: "Verify communication 
    paths and interactions"

  • Each runnable from outside the container
    for tighter feedback loop
  • But run inside the container to test as
    close to production as possible

Testing process - functional/acceptance

  • Functional/Component Integration: 
    "Limited component test using test doubles"
  • Acceptance/E2E: "Verify system meets
    external requirements from end to end"

  • Global setup/teardown and test override hooks
  • External services brought up with fig
  • Each repository's fig.yml configuration file:
    • Defines the component's invocation
    • ...and that of any immediate dependencies
  • (database fixtures in a separate image)

TESTING PROCESS - fig.yml

  • fig.yml  of c omponent under test is copied
    to  fig-test.yml
  • Dependent components'  fig.yml  files 
    merged into  fig-test.yml
    • Brings in transitive dependencies
  • Environment variables are templated
    • NODE_ENV 
    • Database names
    • IPs and ports

    fig.yml FOR "NHS" MICROSERVICE

    redis:
      image: harbour.example.com/cb-nhs-redis:latest
      ports:
       - "6379:6379"
    ... nhs:   build: .
      # image: harbour.example.com/cb-nhs:latest
      environment:
       - CBNHS_LOGLEVEL=debug
       - CBNHS_DBBUCKET=cb-api - CBNHS_PRE_AUTHENTICATE=0 ...
      ports:
       - "58000:8000"
      links:
       - redis
       - couchbase
       - api

    FIG-test.YML FOR "NHS" MICROSERVICE

    redis:
      image: harbour.example.com/cb-nhs-redis:latest
      ports:
       - "6379:6379" nhs:
      build: .
      # image: harbour.example.com/cb-nhs:latest
      environment:
       ...
      ports:
       - "58000:8000"
      links:
       - redis
       - couchbase
       - api couchbase:
      image: harbour.example.com/cb-couchbase-server:latest
    ...
    api:
      image: harbour.example.com/cb-api:latest
    ...

    in the test Setup script...

    • fig --file=fig-test.yml \
      --project-name cb-nhs \ up &

    • fig ps,  HTTP health checks and  /health   
      RESTful endpoints are used to determine availability

    • Polling preferred to sleeping                 
    • Any other necessary pre-test config
      • API oAuth authentication
      • Endpoints for exposing tunnels to Sauce labs 
      • JS/CSS build chains

    test demo


    actual test demo


    POST-TEST

    • On build server test completion, image is tagged  
      • :latest-dev                                   

      • :20150106-42 (date-jenkinsBuild#)

    • Tagged image pushed to private docker registry
              


    system integration test

    • Production-like environment 
    • Test that the interfaces between
      components match or "hang together"
    • Tests parts of the system not 
      covered by component tests
      • infrastructure
      • routing
      • systemd units
      • support containers
    • On completion, non-functional tests 
      are run in an isolated environment

    non-functional testing

    • Same configuration  as system
      integration environment

    • Tests
      • Load/capacity
      • Stress
      • Resilience

    container Deployment

    • Current design informed by Kubernetes
    • Automated by a Deployment Bot
      • Journalling service manifest
      • Service discovery via etcd
      • HAProxy routing via confd
      • Rolling updates
      • Cluster/service health monitoring

    a note on logging

    • systemd logs container output to journald
    • Every CoreOS host runs a 
      logstash-forwarder container
      with /var/log/journal
       mounted inside
    • Forwards logs, buffering in case of failure
    • Logstash runs on another host, decoding 
      incoming JSON and munging various
      fields

    Logstash Config - pt 1

    input {
      lumberjack {
        port => 54321
        codec => "json"
        ssl_certificate => "server.crt"
        ssl_key => "server.key"
      }
    }

    filter {
      mutate {
        remove_field => [ "__CURSOR", "__MONOTONIC_TIMESTAMP" ]
      }
      if [type] == "stdin" {
        mutate {
          # microsecs to millisecs
          gsub => [ "__REALTIME_TIMESTAMP", "\d{3}$", "" ]
        }
        date {
          match => [ "__REALTIME_TIMESTAMP", "UNIX_MS" ]
        }
      }
      # (continued on next slide...)

    LOGSTASH CONFIG - PT 2

      # (continued from last slide...)
    
      # if messages start and end with curly brace, interpret as json,
      # except messages from the logstash container, which do start and
      # end with curly brace and are NOT json!
      if [MESSAGE] =~ /^\{.*\}$/ and [_SYSTEMD_UNIT] !~ /^logstash/ {
        json {
          source => "MESSAGE"
          target => "json"
        }
      }
    }
    output {
      elasticsearch {
        host => "${ES_HOST}"
        port => ${ES_PORT}
        protocol => "http"
      }
    }

    BRING PAIN FORWARD: 

    deliver continuously




    Questions?





    @sublimino
    www.binarysludge.com