Docker in a nutshell

About me

Henry Huang

DevOps in IWSaaS, TrendMicro

mostly on AWS, VMware, etc.

@henrysher


This presentation: 

http://slides.com/henryhuang/docker

Agenda

  • What's docker?

  • Docker Basic

  • Demo

  • Questions

LXC?

Virtualization Tool?

Configuration Manager?

VM Manager?

Solomon Hykes

Founder & CEO, dotCloud, 28

Docker Creator

What's Docker?

"a tool that can package an application and its dependencies in a virtual container that can run on any Linux server, help enable flexibility and portability on where the application can run, whether "on premise", public cloud, private cloud, bare metal, etc."

About Docker

  • It's a tool
  • Living with Linux Container
  • Packaged as Docker Images
  • Docker Images can run anywhere


Container?

  • Containers have a long history, since 2000
    • OpenVZ, LXC, FreeBSD Jail, Solaris Containers
      • Complex, hard to set up
      • Difficult to manage and automate
    • Google has used containers since 2006
      • First container-related kernel patch, by Rohit Seth
      • "We have 2 billion containers per week!"
  • Docker stands on the shoulders of giants
    • Nothing new, but improved
    • Helps dev & ops much more

Container vs VM

Containers are isolated, but share the OS and, where appropriate, bins/libraries

…result is significantly faster deployment, much less overhead, easier migration, faster restart

What do we have inside the container?

  • own process space
  • own network interface
  • can run stuff as root

What do we have inside the container?

  • container = isolated process(es)
    • with their own instances of resources
  • share kernel with host
    • Less overhead
    • Less flexible: requires a similar OS/kernel
    • Less secure: not fully isolated
  • no device emulation (neither HVM nor PV)

Faster!

  • More lightweight & less overhead
    • No hypervisor layer
    • Share with host kernel
    • No guest kernel booting!!!

Efficiency: almost no overhead

  • processes are isolated, but run straight on the host
  • CPU performance = native performance
  • memory performance = a few % shaved off for (optional) accounting
  • network performance = small overhead; can be optimized to zero overhead

Linux Container Performance


Resource Isolation

  • Uses the "cgroups" framework together with 6 "namespaces" to share/isolate system resources
    • pid, net, ipc, mnt, uts, user
    • Since Linux kernel 3.8

cgroups

  • Limit, account and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups
  • Resource limiting
    • Memory size, including swap
  • Prioritization
    • # of CPU cores
    • relative weight to share CPU time

No Official Support

  • Disk I/O limiting 
  • Disk size limiting
  • Network bandwidth limiting

More discussions in http://linkd.in/1cmbn0b

[Q] There are so many containers in history, why is Docker so damn popular?

Docker is not only a container,

but a container engine that makes it dirt easy to manage.

Docker: Container Engine

  • Portable deployment across machines
  • Automatic build 
  • Versioning
  • Component re-use
  • Sharing
  • Tool ecosystem


Workflow of Docker Images

Portability

  • Runs on any Linux server
    • dev ~= staging ~= production
  • No more assumptions on:
    • Linux distribution (guest)
    • Packaging tool (rpm/deb, etc.)
    • Coding languages
    • ... ...

Docker Image & Layer

  • When Docker mounts the rootfs, it starts read-only; it then takes advantage of a union mount to add a read-write file system over the read-only file system

  • There may be multiple read-only file systems stacked on top of each other. We think of each one of these file systems as a layer.

Union Mount

Allows several filesystems to be simultaneously mounted and visible through a single mount point, appearing to be one filesystem

Layers

Extended and Supported

  • unioning filesystems (AUFS, overlayfs)
  • snapshotting filesystems (BTRFS, ZFS)
  • copy-on-write (thin snapshots with LVM or device-mapper)

Benefits

  • Each image consists of a series of layers
  • No need to distribute a whole image, just the update
  • Versioning works on these images (layers)
  • Provisioning now takes a few milliseconds
  • Creating a new image takes a few seconds
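As an added example (not code from the deck), a plain-directory model of the union mount and layers described above: a lookup falls through from the read-write layer to the read-only layers beneath it, the first write copies the file up, and a delete only leaves an AUFS-style `.wh.` whiteout on top. The layer and file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original deck: a directory-based model of the
# layered union mount. Each layer is a plain directory; a lookup walks from the
# read-write layer down to the read-only layers, a write copies the file up
# first, and a delete records an AUFS-style ".wh.<name>" whiteout on top.
set -eu
ROOT="${ROOT:-$(mktemp -d)}"
LAYERS="rw layer2 layer1"          # top (read-write) to bottom (base image)
for l in $LAYERS; do mkdir -p "$ROOT/$l"; done

# lookup NAME: print the layer that provides NAME; fail if absent or hidden
# by a whiteout in a higher layer.
lookup() {
  for layer in $LAYERS; do
    [ -e "$ROOT/$layer/.wh.$1" ] && return 1
    [ -e "$ROOT/$layer/$1" ] && { echo "$layer"; return 0; }
  done
  return 1
}

# cow_write NAME LINE: copy-on-write append. The lower copy is never touched;
# the first write copies it into the rw layer and later writes land there.
cow_write() {
  rm -f "$ROOT/rw/.wh.$1"                      # re-creating undoes a delete
  src=$(lookup "$1") || src=rw
  [ "$src" = rw ] || cp "$ROOT/$src/$1" "$ROOT/rw/$1"
  printf '%s\n' "$2" >> "$ROOT/rw/$1"
}

# unlink_file NAME: "delete" only hides; the bytes stay in the lower layer.
unlink_file() {
  rm -f "$ROOT/rw/$1"
  : > "$ROOT/rw/.wh.$1"
}

# Constructed sample image: base layer ships an OS file, layer2 adds the app.
echo "base" > "$ROOT/layer1/os-release"
echo "v1"   > "$ROOT/layer2/app"
```

The point for image hygiene: `unlink_file` only adds a whiteout, so a file (a credential, say) copied into one layer and removed in a later one is still present in the image's lower layer.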

Summary

  • Faster (container + unionfs)
  • Resource isolation (namespace)
  • Resource allocation (cgroups)
  • Flexibility & Portability (image)


First, the "Docker Client" tells the "Docker Daemon" to create a process from an existing "Docker Image", and then to set up a resource-isolated environment for that process, which is called a "Docker Container".

Run a Container?

Docker Components

Demo

  • "Hello World" via node.js app
    • Create a docker image from scratch
    • Run the image as a container
    • Resource Limiting 
    • Troubleshooting
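The demo steps above, worked through as an added example (not the deck's own demo code), together with the cgroup limits from the "cgroups" slide: the image name, container name, port and limit values are assumptions chosen here, and the Dockerfile runs the app as the unprivileged `node` user the official image ships rather than as root.

```shell
#!/bin/sh
# Added example, not from the original deck: package a node.js "Hello World" as
# an image, run it under cgroup limits, then troubleshoot it. Image and container
# names, the port and the limit values are assumptions chosen for this example.
set -eu
APP_DIR="${APP_DIR:-./hello-docker}"
IMAGE="hello-node:demo"
NAME="hello-node"

# Step 1: write the app and a minimal Dockerfile (runs as the unprivileged
# "node" user that the official image provides, not as root).
write_app() {
  mkdir -p "$APP_DIR"
  cat > "$APP_DIR/server.js" <<'EOF'
const http = require('http');
http.createServer((req, res) => res.end('Hello World\n')).listen(8080);
EOF
  cat > "$APP_DIR/Dockerfile" <<'EOF'
FROM node:alpine
WORKDIR /app
COPY server.js .
USER node
EXPOSE 8080
CMD ["node", "server.js"]
EOF
}

# Step 3: cgroup limits as docker run flags: memory (swap disabled by setting
# memory-swap equal to memory), CPU pinning and the relative CPU-time weight.
run_flags() {
  echo "--memory=128m --memory-swap=128m --cpuset-cpus=0 --cpu-shares=512"
}

# Steps 2-4: build, run with limits, then verify from outside (inspect) and
# inside (the container's own cgroup files) that the memory limit applied.
demo() {
  write_app
  docker build -t "$IMAGE" "$APP_DIR"
  docker run -d --name "$NAME" -p 8080:8080 $(run_flags) "$IMAGE"
  docker logs "$NAME"
  docker inspect --format '{{.HostConfig.Memory}} {{.HostConfig.CpuShares}}' "$NAME"
  docker exec "$NAME" sh -c \
    'cat /sys/fs/cgroup/memory.max 2>/dev/null || cat /sys/fs/cgroup/memory/memory.limit_in_bytes'
  docker exec "$NAME" ls -l /proc/1/ns      # namespaces the process lives in
  docker stats --no-stream "$NAME"
  docker rm -f "$NAME"
}

# Only talk to a real daemon when asked; the functions stay testable alone.
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run with `RUN_DEMO=1 sh demo.sh` on a host with a Docker daemon; `docker inspect` reports the memory limit in bytes (134217728 for 128m), and the in-container cgroup file must agree.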

Now?

Questions?

About Development and Testing

  • WTF to CentOS/RPM/YUM (out of date)
  • WTF to Poor CI...
  • WTF to Python 2.x, 3.x, etc.
  • WTF to repeatedly waiting for VMs to be ready on ESXi
  • WTF to any waiting....

:High efficiency saves your life:

Docker = Efficiency

No Worry!

  • Carelessly destroy the dev/test env
  • Cannot be directly deployed to the production
  • No binding on programming language
  • Versioning and see what you have done
  • One image runs anywhere

:High efficiency saves the RD life:

Development environments

Continuous Integration (CI)

CI, CI, CI

Be careful

  • Docker host
    • kernel version? newer than v3.8
    • docker version? v1.6
    • Linux distribution: CoreOS, RancherOS?
  • Docker image
    • base (golden) images?
  • Docker registry
    • private and local registry
    • synced/backed up to S3

Be careful

  • App inside the container
    • one process?
    • data?
    • logging?
  • Utilize the existing infrastructure
    • run on bare metal
    • run on vCenter/ESXi 
    • run on AWS EC2 (also ECS)

One Process?

  • Only a single process is invoked when the container launches
  • Suggestion: one container serves a single purpose
  • Otherwise, a supervisor process must be launched that can then spawn the desired processes
  • No init system within containers
    • anything that relies on systemd, upstart or similar won't work without modification

Data Volume

  • Volumes are initialized when a container is created
    • If the base image contains data at the same mount point, that data is copied into the new volume
  • Can be shared and reused among containers
  • Changes to a data volume are made directly
  • Changes to a data volume will not be included when you update an image
  • Data volumes persist even if the container itself is deleted

  • machine: to deploy Docker Engines
  • compose: to define and run multi-container applications
  • swarm: native clustering for Docker containers

Take Docker in the existing infrastructure

About Deployment

  • Monitoring?
    • app & system inside container
    • containers
    • hosts
  • Configuration Management?
  • Auto Scaling? 
  • Load Balancer?
  • HA & Failover?
  • Complicated Network Setting? (libnetwork)
  • Security? (selinux, etc.)

Typical docker architecture

Rule of thumb: One container for each process

Sweating!

I am trying my best to learn...

will be added soon...

Docker Container != VM

Need to remember

It is a long way out.

Docker in a nutshell

By Henry Huang
