ODL and Docker

Ryan Wallner

@ryanwallner

wallnerryan@gmail.com

Docker

open-source linux container engine. "commoditize containers"

use cases include

automation
lightweight PaaS
testing/continuos deployment
horizontal scale for webapps, dbs, service

"Configure once, run many"

escape dependency hell

run docker

once installed

```
sudo docker run -i -t ubuntu /bin/bash 
```

or create a "Dockerfile"

Docker Cont'd

Different than a VM

if you know LXC/Linux Namespaces, those are the basics

Share host kernel/libraries/binaries, no boot process

isolation of network, mem, cpu etc through cgroups

CoW

unified file system ensures any changes to an application are only a "diff" of sorts.

significant memory / resource saving. ten's of VM's vs. thousands of Containers.

union file system

At first, the top read-write layer has nothing in it, but any time a process creates a file, this happens in the top layer. And if something needs to update an existing file in a lower layer, then the file gets copied to the upper layer and changes go into the copy. The version of the file on the lower layer cannot be seen by the applications anymore, but it is there, unchanged.

device-mapper

An alternate to the AuFS dependency

If running RedHat/CentOS/Fedora etc

use [--storage-driver|-s]="devicemapper"

Uses thin provisioning, sparse file, and snapshots to achieve similar flexibility as without dm. Commit and push images as you did before.

Other options include btrfs, overlayfs etc. So far this is all been /is being talked about in the docker community.

Final product

*note, LXC dependensies are going away, latest master uses native docker (Go) driver.

cgroups

(on ubuntu 12.04+), cgroups available are located in /sys/fs/cgroup
Docker containers are listed here with there cgroups

e.g find /sys/fs/cgroup/devices -name <uuid*>

cpu, net, mem cgroups and allocation will be listed inside its dir.

"tasks" will also be listed, these are things like the running network namespace.

this netns process will be locate in /proc/<task-id>/ns/net

Other namspaces here as well, pid uts...

namespaces

the important ones : pid, uts, net, mount

I'll focus on the network namespace

```
sudo docker run -i -t ubuntu /bin/bash 
```

NSPID= $(head -n 1 $(cat /sys/fs/cgroup/devices/docker/d6c508.../tasks))

```
mkdir -p /var/run/netns 
```
```
rm -f /var/run/netns/$NSPID 
```

ln -s /proc/$NSPID/ns/net /var/run/netns/$NSPID

```
ip netns exec $NSPID ifconfig 
```

aufs

docker mounts aufs at /var/lib/docker/aufs/mnt/<uuid>

mounts rw overtop the rootfs usually ro, this union fs portion is where all the "diffs" of image to image come from.

cat /proc/mounts 
none /var/lib/docker/aufs/mnt/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924 aufs rw,relatime,si=ce51a2b9063aa9a1 0 0
none /var/lib/docker/containers/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924/root aufs rw,relatime,si=ce51a2b9063aa9a1 0 0
/dev/disk/by-uuid/2c1e470e-c411-4ed2-ad4d-581f3d433c55 /var/lib/docker/containers/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924/root/.dockerinit ext4 ro,relatime,errors=remount-ro,data=ordered 0 0
/dev/disk/by-uuid/2c1e470e-c411-4ed2-ad4d-581f3d433c55 /var/lib/docker/containers/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924/root/.dockerenv ext4 ro,relatime,errors=remount-ro,data=ordered 0 0
tmpfs /var/lib/docker/containers/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924/root/etc/resolv.conf tmpfs ro,relatime,size=203428k,mode=755 0 0
/dev/disk/by-uuid/2c1e470e-c411-4ed2-ad4d-581f3d433c55 /var/lib/docker/containers/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924/root/etc/hostname ext4 ro,relatime,errors=remount-ro,data=ordered 0 0
/dev/disk/by-uuid/2c1e470e-c411-4ed2-ad4d-581f3d433c55 /var/lib/docker/containers/d6c508b18f1568c964b76ce60113f8bf72062fc9a9882dc20f6447d194855924/root/etc/hosts ext4 ro,relatime,errors=remount-ro,data=ordered 0 0

use cases

Memcached as a Service

http://bit.ly/11nL8vh

Push-button Deployment with Docker

http://bit.ly/1bTKZTo

Dokku - Docker powered mini-Heroku. The smallest PaaS

http://bit.ly/191Tgsx

Docker Registry

Docker Networking

not going to spend a ton of time

http://docs.docker.io/en/latest/use/networking/
linux bridge, veth-pairs to container, iptables masquerading

What about OVS?

https://github.com/jpetazzo/pipework

*no "true" netvirt (no overlay impl)
http://docs.openstack.org/trunk/config-reference/content/docker.html

docker/iptables

fore those who like to see the rules

#INITIAL CHAIN
sudo iptables -t nat -F DOCKER
sudo iptables -t nat -X DOCKER
sudo iptables -t nat -N DOCKER

#ADD
sudo iptables -t nat -A POSTROUTING -s 172.17.42.1/24 ! -d 172.17.42.1/24 -j MASQUERADE
sudo iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT
sudo iptables -D FORWARD -i docker0 -o docker0 -j DROP
sudo iptables -C FORWARD -i docker0 -o docker0 -j ACCEPT
sudo iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT
sudo iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER
sudo iptables -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -D PREROUTING -j DOCKER
sudo iptables -t nat -D OUTPUT -j DOCKER
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
sudo iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER

current implementation...

def plug_vifs(self, instance, network_info):
        """Plug VIFs into networks."""
        msg = _("VIF plugging is not supported by the Docker driver.")
        raise NotImplementedError(msg)


def unplug_vifs(self, instance, network_info):
        """Unplug VIFs from networks."""
        msg = _("VIF unplugging is not supported by the Docker         driver.")
        raise NotImplementedError(msg)

End

Im sure i missed things, docker community is a great one though, plenty of resources.

Proposal

enable docker to participate in the overlay

start a discussion

Title

Docker

open-source container engine

if your familiar with LXC

ease of use, scale, orchestration

Use cases

automation

escape package dependency hell

* as a service

scale

Docker is used for odl installs

https://wiki.opendaylight.org/view/Release/Hydrogen/Virtualization/Installation_Guide#Docker_Image

*could use for dev environment.

//TODO example

ODL and Docker

run docker

Docker Cont'd

CoW

union file system

device-mapper

Final product

cgroups

namespaces

the important ones : pid, uts, net, mount

aufs

use cases

Docker Registry

Docker Networking

docker/iptables

fore those who like to see the rules

current implementation...

End

Proposal

enable docker to participate in the overlay

start a discussion

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Docker

Docker is used for odl installs

Docker + ODL + NetVirt

ODL and Docker

run docker

Docker Cont'd

CoW

union file system

device-mapper

Final product

cgroups

namespaces

the important ones : pid, uts, net, mount

aufs

use cases

Docker Registry

Docker Networking

docker/iptables

fore those who like to see the rules

current implementation...

End

Proposal enable docker to participate in the overlay

start a discussion

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Title

Docker

Docker is used for odl installs

Docker + ODL + NetVirt

Proposal

enable docker to participate in the overlay