Docker in a nutshell
About me
Henry Huang
DevOps in IWSaaS, TrendMicro
mostly on AWS, VMware, etc.
This presentation:
Agenda
- What's docker?
- Docker Basic
- Demo
- Questions
Virtualization Tool?
Solomon Hykes
Founder & CEO, dotCloud, 28
Docker Creator
What's Docker?
"a tool that can package an application and its dependencies in a virtual container that can run on any Linux server, help enable flexibility and portability on where the application can run, whether "on premise", public cloud, private cloud, bare metal, etc."
About Docker
- It's a tool
- Living with Linux Container
- Packaged as Docker Images
- Docker Images can run anywhere
Container?
- Containers have a long history, going back to 2000
- OpenVZ, LxC, FreeBSD Jail, Solaris Containers
- Complex, hard to set up
- Difficult to manage and automate
- Google has used containers since 2006
- first container kernel patch, by Rohit Seth
- "We have 2 billion containers per week!"
- Docker stands on the shoulders of giants
- nothing new, but improved
- helps dev & ops much more
Container vs VM
Containers are isolated, but share the OS and, where appropriate, bins/libraries
…the result is significantly faster deployment, much less overhead, easier migration, faster restart
What we have inside the container?
- own process space
- own network interface
- can run stuff as root
What we have inside the container?
- container = isolated process(es)
- with their own instances of resources
- share the kernel with the host
  - Less overhead
  - Less flexible: requires a similar OS/kernel
  - Less secure: not fully isolated
- no device emulation (neither HVM nor PV)
Faster!
- More lightweight & less overhead
- No hypervisor layer
- Share with host kernel
- No guest kernel booting!!!
Efficiency: almost no overhead
- processes are isolated, but run straight on the host
- CPU performance = native performance
- memory performance = a few % shaved off for (optional) accounting
- network performance = small overhead; can be optimized to zero overhead
Linux Container Performance
Resource Isolation
- Uses the "cgroups" framework together with 6 kernel "namespaces" to share/isolate system resources
- pid, net, ipc, mnt, uts, user
- Since Linux Kernel 3.8
cgroups
- Limit, account and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups
- Resource limiting
  - Memory size, including swap
- Prioritization
  - # of CPU cores
  - relative weight for sharing CPU time
- No official support for:
  - Disk I/O limiting
  - Disk size limiting
  - Network bandwidth limiting
More discussions in http://linkd.in/1cmbn0b
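The slide lists what cgroups can cap (memory including swap, CPU cores and CPU weight), but inside a container it is not obvious whether those caps are actually in force. The script below, an added example that is not code from the original deck, reads the container's own cgroup files (v2 unified hierarchy first, then the v1 layout that Docker 1.x-era hosts used) and reports which limits are unset. The parsers are separated from file access so they can be checked on constructed strings; the sentinel value for "unlimited" on cgroup v1 is the page-rounded LONG_MAX that memory.limit_in_bytes reports.

```python
"""Check from inside a container whether the cgroup limits the deck lists
(memory size including swap, CPU quota / weight) are actually in effect.
Parsing is kept separate from file access so the parsers can be exercised on
constructed strings.  Added example, not code from the original deck."""
import os

# memory.limit_in_bytes (cgroup v1) reports this page-rounded LONG_MAX when no limit is set
V1_UNLIMITED = 9223372036854771712


def parse_memory(text):
    """Bytes allowed, or None when unlimited.  v2 memory.max says 'max'; v1 uses the sentinel."""
    text = text.strip()
    if text == "max":
        return None
    value = int(text)
    return None if value >= V1_UNLIMITED else value


def parse_cpu_max(text):
    """cgroup v2 cpu.max: 'QUOTA PERIOD' in microseconds, QUOTA may be 'max'.  Returns cores or None."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_cfs(quota_text, period_text):
    """cgroup v1 cpu.cfs_quota_us (-1 = unlimited) and cpu.cfs_period_us.  Returns cores or None."""
    quota, period = int(quota_text), int(period_text)
    return None if quota < 0 else quota / period


def read_limits(root="/sys/fs/cgroup"):
    """Read this process's own limits.  Inside a container the cgroup namespace
    maps the container's cgroup to `root`, so the files below are its own."""
    def read(relpath):
        try:
            with open(os.path.join(root, relpath)) as fh:
                return fh.read()
        except OSError:
            return None

    if (mem := read("memory.max")) is not None:        # cgroup v2 (unified hierarchy)
        return {
            "version": 2,
            "memory_bytes": parse_memory(mem),
            "swap_bytes": parse_memory(read("memory.swap.max") or "max"),
            "cpus": parse_cpu_max(read("cpu.max") or "max 100000"),
            "cpu_weight": int((read("cpu.weight") or "100").strip()),
        }
    mem = read("memory/memory.limit_in_bytes")           # cgroup v1 (Docker 1.x era hosts)
    if mem is None:
        return {"version": None}                          # no cgroup files visible at all
    return {
        "version": 1,
        "memory_bytes": parse_memory(mem),
        "memsw_bytes": parse_memory(read("memory/memory.memsw.limit_in_bytes") or str(V1_UNLIMITED)),
        "cpus": parse_cfs(read("cpu/cpu.cfs_quota_us") or "-1",
                          read("cpu/cpu.cfs_period_us") or "100000"),
        "cpu_shares": int((read("cpu/cpu.shares") or "1024").strip()),
    }


def unlimited(limits):
    """Names of the limits that are not set, i.e. 'resource limiting' is not in force."""
    return [key for key in ("memory_bytes", "cpus") if limits.get(key) is None]


if __name__ == "__main__":
    found = read_limits()
    print(found)
    print("not limited:", unlimited(found) or "nothing, both memory and CPU are capped")
```

Run it as the container's own process (for example as a one-off command in the image) and compare the reported values with the `--memory` / `--cpu-quota` flags the container was started with; an empty "not limited" list is what a capped container should show.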
[Q] There have been so many containers in history, so why is Docker so damn popular?
Docker is not only a container,
but a container engine, and it makes containers dead easy to manage.
Docker: Container Engine
- Portable deployment across machines
- Automatic build
- Versioning
- Component re-use
- Sharing
- Tool ecosystem
About Docker
- It's a tool
- Living with Linux Container
- Packaged as Docker Images
- Docker Images can run anywhere
Workflow of Docker Images
Portability
- Runs on any Linux server
- dev ~= staging ~= production
- No more assumptions on:
- Linux distribution (guest)
- Packaging tool (rpm/deb, etc.)
- Coding languages
- ... ...
Docker Image & Layer
- When Docker mounts the rootfs, it starts read-only, it takes advantage of a union mount to add a read-write file system over the read-only file system
- There may be multiple read-only file systems stacked on top of each other. We think of each one of these file systems as a layer.
Union Mount
allow several filesystems to be simultaneously mounted and visible through a single mount point, appearing to be one filesystem
Layers
Extended and Supported
- unioning filesystems (AUFS, overlayfs)
- snapshotting filesystems (BTRFS, ZFS)
- copy-on-write (thin snapshots with LVM or device-mapper)
Benefits
- Each image consists of a series of layers
- No need to distribute a whole image, just the update
- Versioning works on these images (layers)
- Provisioning now takes a few milliseconds
- Creating a new image takes a few seconds
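The slides on images, union mounts and layers describe the mechanism in a few bullets; the model below, an added example that is not code from the original deck, makes it concrete. It stacks constructed read-only layers (a base OS layer and an app layer) under one read-write layer, resolves reads top-down, turns writes into copy-on-write into the top layer, and records deletions as AUFS-style ".wh." whiteout entries so that no lower layer is ever modified. The per-layer byte counts are what makes "just distribute the update" possible: only the changed layer needs to move.

```python
"""Toy model of the layered image the deck describes: several read-only layers
with one read-write layer on top, viewed through a union mount.  Writes are
copy-on-write into the top layer and deletions are recorded as whiteouts, so no
lower layer is ever modified.  Added example, not code from the original deck;
the layer contents are constructed."""

WHITEOUT = ".wh."  # AUFS convention: an entry ".wh.NAME" hides NAME in the layers below


def whiteout_for(path):
    """Whiteout entry that hides `path` (the marker lives in the same directory)."""
    directory, _, name = path.rpartition("/")
    return f"{directory}/{WHITEOUT}{name}" if directory else f"{WHITEOUT}{name}"


def hidden_by(entry):
    """Inverse of whiteout_for: the path a whiteout entry hides, or None for normal files."""
    directory, _, name = entry.rpartition("/")
    if not name.startswith(WHITEOUT):
        return None
    real = name[len(WHITEOUT):]
    return f"{directory}/{real}" if directory else real


class UnionView:
    def __init__(self, lower_layers):
        self.lower = list(lower_layers)  # bottom first; each is {path: bytes}, never modified
        self.upper = {}                  # the container's read-write layer

    def _top_down(self):
        return [self.upper] + list(reversed(self.lower))

    def read(self, path):
        """Resolve top-down: the first layer holding the file wins, a whiteout above it hides it."""
        marker = whiteout_for(path)
        for layer in self._top_down():
            if marker in layer:
                return None
            if path in layer:
                return layer[path]
        return None

    def write(self, path, data):
        """Copy-on-write: new content lands only in the upper layer."""
        self.upper.pop(whiteout_for(path), None)  # un-hide if it was deleted earlier
        self.upper[path] = data

    def delete(self, path):
        """Remove from the view; a lower copy stays where it is but is hidden by a whiteout."""
        self.upper.pop(path, None)
        if any(path in layer for layer in self.lower):
            self.upper[whiteout_for(path)] = b""

    def listing(self):
        """Every path visible through the union, honouring whiteouts."""
        hidden, visible = set(), set()
        for layer in self._top_down():
            for entry in layer:
                target = hidden_by(entry)
                if target is not None:
                    hidden.add(target)
                elif entry not in hidden:
                    visible.add(entry)
        return sorted(visible)

    def layer_sizes(self):
        """Bytes per layer, bottom to top: what a registry ships when only one layer changes."""
        return [sum(len(v) for v in layer.values()) for layer in self.lower + [self.upper]]


def demo():
    """Base OS layer, an app layer that removes the base's motd, then a running container."""
    base = {"etc/os-release": b"ID=debian", "etc/motd": b"welcome", "usr/bin/node": b"\x7fELF" * 4}
    app = {"app/server.js": b"v1", whiteout_for("etc/motd"): b""}
    view = UnionView([base, app])
    before = view.listing()
    view.write("app/server.js", b"patched")      # copy-up: the app layer keeps b"v1"
    view.write("tmp/debug.log", b"started\n")
    view.delete("usr/bin/node")                  # whiteout; the base layer keeps the binary
    return {
        "before": before,
        "after": view.listing(),
        "motd": view.read("etc/motd"),
        "server": view.read("app/server.js"),
        "app_layer_server": app["app/server.js"],
        "sizes": view.layer_sizes(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Deleting the container throws away only `upper`; the two lower layers are exactly what `docker commit` would have turned into a new image layer, which is why versioning in the deck works on layers rather than whole images.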
Summary
- Faster (container + unionfs)
- Resource isolation (namespace)
- Resource allocation (cgroups)
- Flexibility & Portability (image)
About Docker
- It's a tool
- Living with Linux Container
- Packaged as Docker Images
- Docker Images can run anywhere
Run a Container?
First the "Docker Client" tells the "Docker Daemon" to create a process from an existing "Docker Image", and then sets up a resource-isolated environment for that process, which is called a "Docker Container".
Docker Components
Demo
- "Hello World" via node.js app
- Create a docker image from scratch
- Run the image as a container
- Resource Limiting
- Troubleshooting
Now?
Questions?
About Development and Testing
- WTF to CentOS/RPM/YUM (out of date)
- WTF to poor CI...
- WTF to Python 2.x, 3.x, etc.
- WTF to repeatedly waiting for VMs to be ready on ESXi
- WTF to any waiting....
:High efficiency saves your life:
Docker = Efficiency
No Worry!
- Carelessly destroy the dev/test env
- Cannot be directly deployed to the production
- No binding on programming language
- Versioning and see what you have done
- One image runs anywhere
:High efficiency saves the RD life:
Development environments
Continuous Integration (CI)
CI, CI, CI
Be careful
- Docker host
- kernel version? newer than v3.8
- docker version? v1.6
- Linux distribution: CoreOS, RancherOS?
- Docker image
- base (golden) images?
- Docker registry
- private and local registry
- synced/backed up to S3
Be careful
- App inside the container
- one process?
- data?
- logging?
- Utilize the existing infrastructure
- run on bare metal
- run on vCenter/ESXi
- run on AWS EC2 (also ECS)
One Process?
- Only a single process is invoked when the container launches
- Suggestion: one container serves a single purpose
- Otherwise, a supervisor process must be launched that can then spawn the desired processes
- No init system within containers
- anything that relies on systemd, upstart or similar won't work without modification
Data Volume
- Volumes are initialized when a container is created
- If the base image contains data at the same mount point, that data is copied into the new volume
- Can be shared and reused among containers
- Changes to a data volume are made directly
- Changes to a data volume will not be included when you update an image
- Data volumes persist even if the container itself is deleted
- machine: to deploy Docker Engines
- compose: to define and run multi-container applications
- swarm: native clustering for Docker containers
Take Docker in the existing infrastructure
About Deployment
- Monitoring?
- app & system inside container
- containers
- hosts
- Configuration Management?
- Auto Scaling?
- Load Balancer?
- HA & Failover?
- Complicated Network Setting? (libnetwork)
- Security? (selinux, etc.)
Typical docker architecture
Sweating!
I am trying my best to learn...
will be added soon...
Docker Container != VM
Need to remember
It is a long way out.