Getting Started With Containers

DEVNET 2042 Getting Started With Containers Matt Johnson Developer Evangelist @mattdashj

Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda Containers: Business vs Technical What containers are. What containers aren t. Build Package Distribute Use Next Steps & Conclusion

Containers Business vs Technical

Container Many things to many people. Technically speaking (History lesson) Containers are just a way of separating or isolating running code without full virtualization. Nothing new, has existed for a long time (~1970 s Mainframes, chroot jails, solaris zones with varying levels of success/security). It changes how we have to lay out code/files/binaries/libraries on systems... What the industry have done *around* this core technology is the real value. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

Container Technical: Changing how we deploy code into reality. app1 Manual RPM DEB Puppet app2 app1 app2 app3 app3 app3 /usr /etc /bin / Baked container images. app1 app1 app 2 app2 /usr /etc /bin /usr /etc /bin Container 1 / Container 2 / Server One. Server One. app1 app1 app 2 app2 /usr /etc /bin /usr /etc /bin Manual RPM DEB Puppet (Treat as servers) OR Bake Images (AMI / Packer) / / VM one VM two Hypervisor Server One. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

Container Changing how we deploy code into reality. app1 Manual RPM DEB Puppet app2 app3 app1 app3 /usr /etc /bin Oldest Method. Simplest to Start - Gets messy quickly. Usually relies on OPS team to validate changes. Conflicts Hard to isolate issues don t touch the server Hard to migrate applications Inter-app communication??? / Server One. app2 app3 Manual RPM DEB Puppet (Treat as servers) OR Bake Images (AMI / Packer) Separate VM s per application. Clean separation of risks with added overhead of a whole OS per application (separate Linux / windows installs) May still be managed like a server, or OS images may be baked app1 app1 app 2 app2 /usr /etc /bin and thrown away. / / VM one VM two Hypervisor Server One. /usr /etc /bin Baked container images. app1 app1 app 2 app2 /usr /etc /bin Container 1 / Server One. /usr /etc /bin Container 2 / Provides similar code separation to VM s, without the overheads of VM s. (Density, quicker startup). Separation is handled by one operating system kernel. Containerized applications see a different filesystem than others, emulated. Methodology: bake your container images ahead of time. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

Container Many things to many people. From a Business value perspective. The use of containers ties into new software methodologies, designed to remove roadblocks from the development process and get things into production quicker. Tools to make user experience better, reduce developer and operations time to get stuff done the driving reason behind recent explosion of use. How we build. How we deploy. How we share. It changes how developers package and deploy their apps. What the industry have done *around* the core technology is the real value. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

Container Business: Doing things faster, realising value using new tools. Container Container User A Versioned Container Standardized* Format Container Repository Container Container User B Container Container User C Tools for building your application into a container. Often automated. Build output: A container image. Versioned container image given a name, uploaded to a repository. Allows other systems to consume the container, run it immediately on their systems. Container image is pulled from repository and run. The container system on the destination OS will automate the necessary kernel features to set up the isolated contents of the container image and run the binaries / code inside. Systems could be same company (Private repo) or anyone online (Public repo) A manifest (embedded with the built container image) tells the system what to run and what ports (if any) are needed to access the application. Experience is consistent. BUILD TOOLING STANDARD FORMAT DISTRIBUTION & VERSIONING APP ISOLATION CONSISTENT EXPERIENCE SPEED 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

Container Business: Doing things faster, realizing value using new tools. Container Container User A Versioned Container Standardized* Format Container Repository Container Container User B Container Container User C Tools for building your application into a container. Often automated. Build output: A container image. Versioned container image given a name, uploaded to a repository. Allows other systems to consume the container, run it immediately on their systems. Container image is pulled from repository and run. The container system on the destination OS will automate the necessary kernel features to set up the isolated contents of the container image and run the binaries / code inside. Systems could be same company (Private repo) or anyone online (Public repo) A manifest (embedded with the built container image) tells the system what to run and what ports (if any) are needed to access the application. Experience is consistent. BUILD TOOLING STANDARD FORMAT DISTRIBUTION & VERSIONING APP ISOLATION CONSISTENT EXPERIENCE SPEED 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Container Business: Doing things faster, realizing value using new tools. Note the actual containerization of processes and code is a tiny part of the process from building a container, to consuming it. When people talk about containers, generally they will be talking about one of (many) products/projects offering the toolchain below. Docker is one of these toolchains. (the most popular one) ** Docker is also the company that makes Docker, that sells a paid-for Docker enterprise... words. BUILD TOOLING $ docker build. STANDARD FORMAT $ docker images DISTRIBUTION & VERSIONING $ docker push $ docker pull APP ISOLATION CONSISTENT EXPERIENCE $ docker run SPEED We ll be talking about Docker s flavor of container + toolchain from here on out. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Containers are...

Containers Are... A way to package up our applications and dependencies. A way to guarantee execution consistency and portability. A way to keep your applications isolated. A way to use your compute resources without the overhead of VM s. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

Containers aren t...

Containers Are not... Microservices We hear containers and microservice used a lot together. Microservices benefit from a lightweight packaging, distribution and deployment solution. However, you can put package anything into a container, including a badly written legacy app in some cases, using containers doesn t magically make bad code better. VM s Sounds obvious, but worth remembering they are different. Containers are purely user-space, if you need kernel extensions/modules or a custom kernel, containers probably aren't what you re looking for. Magic They bring their own nuances and require deployment consideration just like any other toolchain. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

Workshop Time!

Workshop 0 Docker run (someone elses image)

Searching for public images $ docker search <keyword> Connects to Docker Hub by default, could be a private company or team registry instead. A word of warning on public images. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

Running public images $ docker run hello-world No docker image called hello-world exists locally, so docker CLI looks at the docker hub first. Downloads the image from docker hub, run s it as a container. What Just Happened? 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

The Dockerfile $ docker build. Uses Dockerfile to create a docker image. Image has then been uploaded to docker hub as hello-world. Word of warning on public images and imports. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

The Dockerfile Continued FROM We can build on existing docker images if we wish. scratch means start with a completely empty image. COPY Copy the local directory file hello into the container image. CMD The command to run inside the image whenever someone run s your image. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

Workshop 1 Small or Large Images.

A Containerised App needs all it s dependencies. Exactly the same code... Just isolated The compiled C binary hello was the only thing in the last container, because it needed no dependencies. Putting it in a container isolated it from the rest of the system and made it easily shareable with other developers docker run hello-world. Something more complex What if we wanted to run something like NGINX (webserver) as part of our containerised application? There will be more dependencies. In the Sever / VM model, these dependencies would be installed as extra packages via your package management tool (APT, YUM, etc). Full OS containers A container can have a whole Linux userspace to build on (such as Ubuntu) in order to make complex software installs easier. * 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

In our container $ touch /HELLO HELLO doesn t exist outside of the container. HELLO isn't persisted if we kill the container and start it again (as it s not baked in the ubuntu docker image). 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

How the Ubuntu container is built.. (Another Dockerfile) All the needed files coming from the repository, this time just a lot more of them. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Workshop 2 Docker build From Dockerfile to image.

Building the ubuntu image ourselves. $ git clone -b dist https://github.com/tianon/docker-brew-ubuntu-core.git Source control, download the code repository holding the ubuntu Dockerfile & dependent files. $ cd docker-brew-ubuntu-core/xenial This repository has many docker files for different versions of Ubuntu, we re changing into the xenial directory (latest). $ docker build. Looks for a Dockerfile in the local directory and uses it to build a Docker image. $ docker images Show the local docker images (both downloaded from public and built locally). $ docker run ti <image id> Run our locally built ubuntu image. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

Customize our Ubuntu Docker image. $ vi hellodevnet.py Create a new python script we want to include in our Docker image. $ vi Dockerfile Edit the Dockerfile to: Install python into the Ubuntu image. (RUN) Add our new python script to the image. (ADD) Change the default container command to our new script (CMD) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Customize our Ubuntu Docker image. $ docker build. Rebuild the Ubuntu docker image with our changes! $ docker run <new image ID> Give it a try! 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

Congratulations! You just built a custom version of the Ubuntu docker image. BUT... You ve mixed bits that matter to you and bits that matter to making ubuntu work into the same Dockerfile. What if... There is an Ubuntu security update?... You re going to have to go and look at what has changed in their Dockerfile, manually apply it to your version of the Dockerfile and re-build your docker image... If only... There was a nice way to build on top of other peoples images... 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

Workshop 3 Making less work for yourself...

Remember FROM scratch? FROM We can build on existing Docker images if we wish. scratch means start with a completely empty image. FROM ubuntu RUN apt-get update RUN apt-get y install python ADD hellodevnet.py /hellodevnet.py CMD [ /hellodevnet.py ] Would produce exactly the same results as our previous workshop. But using the existing public ubuntu image and adding to it, instead of rebuilding the whole thing ourselves. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

FROM ubuntu... $ git clone https://github.com/matjohn2/container-intro-devnet.git $ cd container-intro-devnet $ cat Dockerfile $ docker build. Future builds then take into account updates of ubuntu image automatically. (But only when we rebuild) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

Workshop 4 Putting it all together Building something useful.

So far... All our output has been on the command line. Not all that useful! Lets build a server application... There needs to be a way of allowing inbound connections to a sever application. it s time to introduce another valid Dockerfile item.. FROM ADD RUN CMD EXPOSE EXPOSE Tells Docker this image expects to serve connections on a TCP/IP PORT 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

Simple Python Server... python -m SimpleHTTPServer 8000 Serves current directory listing over HTTP, port 8000 New Dockerfile.. FROM ubuntu RUN apt-get update RUN apt-get -y install python EXPOSE 8000 ENTRYPOINT [ python, -m, SimpleHTTPServer, 8000 ] EXPOSE Tells Docker this image expects to serve connections on a TCP/IP PORT ENTRYPOINT Allows you to pass arguments to the CMD (replaces CMD) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

Our containerized webserver! $ docker run <new image id> & $ docker ps $ docker inspect <Container ID> Every container gets it s own IP address. Usually on a NAT ed network in the host. Inspect gives you the details. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Congratulations! You ve created Docker containers that serve web content and run them.

Workshop 5 Naming, Distributing.

Tag an image == give an image a name & version hub.docker.com Common docker repository offering free public repo s Others are available Requires signup $ docker tag <image id> registry:version Name is the repository URL you re planning to push the image to. Version is arbitrary and under your control. No URL defaults to Docker Hub. $docker tag 8a0d280fc794 trxuk/testrepo:0.1 $docker images 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Push images to a registry $ docker login Authenticates your local docker CLI with the docker registry. You ll need to signup for the docker registry at hub.docker.com (free) to get credentials. $ docker push trxuk/testrepo Name My docker hub account ID is trxuk. This will try to upload new images i ve tagged locally as trxuk/testrepo to the docker registry for public consumption. Other users could then $docker run trxuk/testrepo to run the latest version of my container image. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Next Steps...

using docker CLI is all well and good as a developer.. But you re probably not going to manage production like this Container Container Container Docker Engine Linux Kernel Host / VM 1 Docker Engine Linux Kernel Host / VM 2 $ssh host1 host1# docker run container $ssh host2 host2# docker run container $ssh host3 host3# docker run container Docker Engine Linux Kernel Host / VM 3 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

Solution: Orchestrators. Once you ve built your containers and pushed them. Container Orchestrators manage running containers across a pool of resources for you Container Container Container Kubernetes / Docker Swarm / Other Orchestrator. Host / VM 1 Host / VM 2 Host / VM 3 $kubectl scale deployment <name> --replicas=3 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

Manually running and waiting for $docker build. Solution: CI/CD... Is going to get boring fairly soon, especially if you build often.... Is going to become problematic if you have other team members working on the codebase. Your code Your startup scripts Code Dependencies Container Versioned Standardized* Format Container Repository SOLUTION: Learn how to automate and test your docker builds using source control and continuous integration. Check out DEVNET-2203 Building a DevOPS CI Pipeline from scratch 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

Summary $ docker run <image> $ docker run ti <image> $ vi Dockerfile $ docker build. $ docker login $ docker tag <image> <hubname> $ docker push <hubname> Learninglabs.cisco.com for Docker101 content & more!

Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

Thank you