Portable, lightweight, & interoperable Docker containers across Red Hat solutions Jérôme Petazzoni Tinkerer Extraordinaire Docker, Inc Alexander Larsson Principal Software engineer Red Hat, Inc
What?
Why?
Deploy everything Webapps Backends SQL, NoSQL Big data Message queues and desktop apps and more If it runs on Linux, it will run in a Docker container!
Deploy almost everywhere Linux servers! Virtual machines Bare metal Any distro Recent kernel Currently: focus on x86_64. (But people reported success on arm.)
Deploy reliably & consistently
Deploy reliably & consistently If it works locally, it will work on the server With exactly the same behavior Regardless of versions Regardless of distros Regardless of dependencies
Deploy efficiently Containers are lightweight Typical laptop runs 10-100 containers easily Typical server can run 100-1000 containers Containers can run at native speeds Lies, damn lies, and other benchmarks: http://qiita.com/syoyo/items/bea48de8d7c6d8c73435
The performance! It's over 9000! Native Docker container Native Docker container
Is there really no overhead at all? Processes are isolated, but run straight on the host CPU performance = native performance Memory performance = a few % shaved off for (optional) accounting Network performance = small overhead; can be reduced to zero Disk I/O performance = copy-on-write overhead; can be reduced to zero (use volumes)
Container?
Containers look like lightweight VMs Own process space Own network interface Can run stuff as root Can have its own /sbin/init (different from the host) «Machine Container»
Containers are really chroot on steroids Can also not have its own /sbin/init Container = isolated process(es) Share kernel with host No device emulation (neither HVM nor PV) «Application Container»
How does it work? Isolation with namespaces pid mnt net uts ipc user
How does it work? Isolation with cgroups memory cpu blkio devices
How does it work? Copy-on-write storage Create a new machine instantly (Instead of copying its whole filesystem) Storage keeps track of what has changed Multiple storage plugins available (AUFS, device mapper, BTRFS...)
Docker: the big picture Open Source engine to commoditize container technology Using copy-on-write for quick provisioning Allowing to create and share images Standard format for containers Standard, reproducible way to easily build trusted images (Dockerfile, Stackbrew...) Hosted services to work and cooperate around containers (e.g. docker.io hosted registry for public and private images)
Authoring Docker images
Authoring images with run/commit
1) docker run centos bash 2) yum install this and that 3) docker commit <containerid> <imagename> 4) docker run <imagename> bash 5) git clone git://.../mycode 6) pip install -r requirements.txt 7) docker commit <containerid> <imagename> 8) repeat steps 4-7 as necessary 9) docker tag <imagename> <user/image> 10) docker push <user/image>
Authoring images with run/commit Pros Convenient, nothing to learn Can roll back/forward if needed Cons Manual process Iterative changes stack up Full rebuilds are boring, error-prone
Authoring images with a Dockerfile
FROM fedora RUN yum -y update RUN yum -y install mongodb-server RUN mkdir -p /data/db RUN sed -i 's,dbpath=/var/lib/mongodb,dbpath=/data,' /etc/mongodb.conf VOLUME /data EXPOSE 27017 CMD /usr/bin/mongod docker build -t jpetazzo/mongodb.
Authoring images with a Dockerfile Minimal learning curve Rebuilds are easy and reliable Caching system makes rebuilds faster Single file to define the whole environment!
Docker on Red Hat
Red Hat Enterprise Linux 6 Available in EPEL: yum install docker-io Works in 6.4 and later 6.5 has more complete network namespace support Not supported, but much of the underlying kernel features are Packages also work on CentOS
Red Hat Enterprise Linux 7 Beta Available in EPEL7 beta: yum install docker-io More recent kernel
Fedora Available since Fedora 19: yum install docker-io
Storage backends AUFS Not in upstream kernel or in Red Hat kernels Device Mapper Contributed by Red Hat Works everywhere BTRFS Contributed by Red Hat /var/lib/docker must be on a btrfs filesystem Tech preview in RHEL6 kernel
Union Filesystems (AUFS, overlayfs) Copy-on-write block devices Snapshotting filesystems Provisioning Superfast Supercheap Fast Cheap Fast Cheap Changing small files Superfast Supercheap Fast Costly Fast Cheap Changing large files Slow (first time) Inefficient (copy-up!) Fast Cheap Fast Cheap Diffing Superfast Slow Superfast Memory usage Efficient Inefficient (at high densities) Inefficient (but may improve) Drawbacks Random quirks AUFS not mainline Higher disk usage Great performance (except diffing) ZFS not mainline BTRFS not as nice Bottom line Ideal for PAAS and high density things Dodge Ram 3500 This is the future (Probably!)
Running your own registry yum install docker-registry Fedora >= 19 EPEL 6 EPEL 7 Beta Push an image: docker tag 8dbd9e392a96 my-machine:5000/image docker push my-machine:5000/image Use it: docker run my-machine:5000/image
Base images Fedora Official images available as fedora Current versions: Fedora 20, rawhide CentOS Official images available as centos Current version: 6.4
RHEL base images Distribution problematic Working on a nice solution For now, build base images on entitled RHEL machines Use yum installroot + docker import Distribution rules same as any other Red Hat content
Docker, from development to production
One-time setup On your servers (Linux) Packages (not only RPM, but also Ubuntu, Debian, Gentoo, Arch...) Single binary install (Golang FTW!) Easy provisioning on Rackspace, Digital Ocean, EC2, GCE... On your developer environment (Linux, OS X, Windows) In your regular Linux VM (Vagrant or other) boot2docker (25 MB VM image) Natively (if you run Linux)
The Docker workflow 1/2 Work in developer environment (local machine or container) Other services (databases etc.) in containers (and behave just like the real thing!) Whenever you want to test «for real»: Build in seconds Run instantly
The Docker workflow 2/2 Satisfied with your local build? Push it to a registry (public or private) Run it (automatically!) in CI/CD Run it in production Happiness! Something goes wrong? Rollback painlessly!
Running containers SSH to Docker host and manual pull+run REST API (feel free to add SSL certs, OAuth...) Maestro NG (https://github.com/signalfuse/maestro-ng) Many Open Source PAAS built on Docker: Deis, Flynn, And of course, OpenStack!
OpenStack integration Nova (OpenStack Compute) Provisions and manages virtual machines Docker hypervisor driver Deploy containers instead of VMs with the same API Available in Havana release Glance (Image Service) Docker registry integration
OpenStack integration Heat (OpenStack Orchestration) Template driven engine for automated deployment of infrastructure Docker plugin Allows use of full Docker API in your templates Available in Icehouse release
HeatTemplateFormatVersion: '2012-12-12' Parameters: {} Mappings: {} Resources: Blog: Type: OS::Heat::Docker Properties: Image: samalba/wordpress Env: - {"Fn::Join": ["=", ["DB_HOSTNAME", {"Fn::GetAtt": ["Database", "NetworkIp"]}]]} - {"Fn::Join": ["=", ["DB_PORT", {"Fn::GetAtt": ["Database", "NetworkTcpPorts"]}]]} - {"Fn::Join": ["=", ["DB_PASSWORD", {"Fn::GetAtt": ["Database", "LogsHead"]}]]} Database: Type: OS::Heat::Docker Properties: Image: samalba/mysql Outputs: BlogURL: Value: {"Fn::Join": ["", ["http://", {"Fn::GetAtt": ["Blog", "NetworkIp"]}, ":", {"Fn::GetAtt": ["Blog", "NetworkTcpPorts"]}, "/"] ]} Description: Blog URL
OpenShift Containers Cloud applications Cartridges Gears Containment of Gears UID SELinux category Home directory Cgroup Sounds similar to Docker?
OpenShift Gears Version 2 Use Docker for containerization Namespaces Layers Easier to make cartridges Reuse existing Docker images Geard Combines Systemd and Docker
Docker & Security
History: lots of FUD LXC used to be considered insecure LXC is not yet secure. If I want real security I will use KVM. Dan Berrangé, famous LXC hacker, in 2011. Linux has changed a tiny little bit since 2011.
What you should care about Limit root access (You don't need root privileges inside containers!) Docker will use capabilities to limit damage (But you can re-enable them on a per-container basis!) Make sure to protect access to the Docker socket! (If someone can create a privileged container, they can do anything they want on the machine!)
SELinux Each container runs in a separate context All container files are labeled with per-container context No need to write SELinux policy files for containers Automatic for non-privileged container if SELinux is enabled
Security upgrades Traditional way: apply upgrades on regular basis Possible with Docker, but very inefficient Docker way: rebuild images on regular basis Trivial as long as you use Dockerfiles Less risky, since testing+rollback is possible Better mitigation of dependency issues
The roadmap to Docker 1.0
Docker 1.0 Multi-arch, multi-os Stable control API Stable plugin API Resiliency Clustering
Questions?