Container Days ATX – Advanced Docker
Container Days ATX – Advanced Docker
1 2
cdatx-advanced-docker
training material for cdatxOn Github paulczar / cdatx-advanced-docker
Container Days ATX
Advanced Docker
Created by Paul Czarkowski / @pczarkowski
Who Am I ?
Cloud Engineer - BlueBox Cloud
Blue Box Cloud
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
Optimizing Dockerfiles
Optimizing Dockerfiles
- Docker images are “supposed” to be small and fast.
- Software is complicated, languages like Python/Ruby can result in large images.
- Dockerfile != $ curl | sudo bash
Optimizing Dockerfiles
FROM ubuntu:latest ADD . /home/docker ADD https://dist.torproject.org/torbrowser/4.0.4/tor-browser-linux64-4.0.4_en-US.tar.xz /home/docker/tor.tar.xz RUN apt-get update && true ENV DEBIAN_FRONTEND noninteractive RUN apt-get install -y firefox RUN localedef -v -c -i en_US -f UTF-8 en_US.UTF-8 || : RUN useradd -m -d /home/docker docker RUN cd /home/docker && tar xJf /home/docker/tor.tar.xz USER docker CMD ["/home/docker/tor-browser_en-US/start-tor-browser"]
Optimizing Dockerfiles
Order Matters
Optimizing your Dockerfile for build cache hits.
- The more cache hits the faster the build
- First command to change invalidates all cache
- Smart ordering can save minutes
Optimizing Dockerfiles
Order Matters
Sort your commands by
Sharable with other images Frequency of change Time to runOptimizing Dockerfiles
Know your commands
- ADD always invalidates cache
- WORKDIR, CMD are cheap
Optimizing Dockerfiles
Choose your base images wisely
- Remember you're using a layered FS
- ubuntu:trusty + busybox > 2 x Ubuntu:trusty
Optimizing Dockerfiles
Layers are your friend
- Each command is a layer
- Join RUN commands together with && \
- A shared layer is free for subsequent containers.
- Create your own common base image from when lots of shared layers.
Optimizing Dockerfiles
Cheat!
- Add new changes to bottom of Dockerfile
- Once locked in, then move them up.
Optimizing Dockerfiles
Volume Containers
Use the image of the application that is consuming it as the base for the volume container.
- It's free because it's shared.
- Volume container now contains the Data and the Application.
Optimizing Dockerfiles
FROM ubuntu:latest ADD . /home/docker ADD https://dist.torproject.org/torbrowser/4.0.4/tor-browser-linux64-4.0.4_en-US.tar.xz /home/docker/tor.tar.xz RUN apt-get update && true ENV DEBIAN_FRONTEND noninteractive RUN apt-get install -y firefox RUN localedef -v -c -i en_US -f UTF-8 en_US.UTF-8 || : RUN useradd -m -d /home/docker docker RUN cd /home/docker && tar xJf /home/docker/tor.tar.xz USER docker CMD ["/home/docker/tor-browser_en-US/start-tor-browser"]
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
Docker vs Config Management
"I don't need Config Management now that I have Docker."
Docker vs Config Management
Docker vs Config Management
You probably shouldn't be trusting docker [yet] for managing long term persistent data.
- Volume Containers
- Volume mounts from Host
Docker vs Config Management
Persistent data stores and other infrastructure services have to be managed by something.
- Chef recipes to spin up databases, Key Value stores, etc.
- Ansible or Cloud Formations for RDS, ELB, etc.
Docker vs Config Management
Chef and Docker
[the tools, not the companies]have a great history of working together.https://supermarket.chef.io/cookbooks/docker
include_recipe "docker::default"
Docker vs Config Management
docker_image 'registry' do
action [:pull]
end
docker_container 'registry' do
detach true
port '5000:5000'
action [:run]
end
node['my_app']['images'].each do |image|
docker_image image do
action [:pull]
end
docker_image image do
repository "#{node['my_app']['registry']}/#{image}"
registry node['my_app']['registry']
action [:tag, :push]
end
end
Docker vs Config Management
git "#{Chef::Config[:file_cache_path]}/docker-testcontainerd" do
repository 'git@github.com:bflad/docker-testcontainerd.git'
notifies :build, 'docker_image[tduffield/testcontainerd]', :immediately
end
docker_image 'tduffield/testcontainerd' do
action :pull_if_missing
end
Docker vs Config Management
Almost anything that can be done with docker can be done via the docker cookbook.
Puppet and Ansible both have a similar story.
Docker vs Config Management
Config Management in the container ?
You probably shouldn't...
But if it makes sense in your use case ... go for it.
Consider Chef for Containers if you want to do this, it will help deal with managing services etc.
Run Chef from a volume mount so that it doesn't actually live in your container.
Docker vs Config Management
Config Management to build images ?
If you're already using a tool like Packer to create images with Config Management, you can probably switch it to build Docker images very easily.
Docker vs Config Management
ChefDK in a container?
If you're like me and run an OS that's not well supported by ChefDK ... run it in a container.
$ docker run -d -v ~/chef/cookbook:/cookbook --name chefdk spheromak/docker-chefdk sleep 6000000 $ docker exec -ti chefdk bundle install $ docker exec -ti chefdk rake test
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
Logging and Metrics
This used to be hard. It's a lot less hard now.
Logging and Metrics
Try your very best not to ever log to a file in the container. Otherwise you will probably face logfile management issues.
Logging and Metrics
Logspout by @progrium
- Runs in a container, watches the docker log stream
- all stdout/sderr is seen by logspout
- can be set to forward to a syslog server.
$ docker run -v=/var/run/docker.sock:/tmp/docker.sock \ progrium/logspout \ syslog://logs.papertrailapp.com:55555
Logging and Metrics
But my app doesn't log to stdout/stderr.
It does now!
# /etc/nginx/nginx.conf worker_processes 1; daemon off; user app app; pid /app/nginx.pid; error_log /dev/stderr; access_log /dev/stdout; ...
Logging and Metrics
But seriously I can't configure it to log to /dev/stdout
- symlink /dev/stdout to the known location of logfile.
- run syslog in container, push directly to your syslog server.
- logspout will hopefully soon also include a syslog server.
- run a volume container and mount in path for logs
- log to volume mount from host.
Logging and Metrics
Logging improvements coming soon!
Logging and Metrics
- Docker is a wrapper for LXC.
- LXC exposes metrics in /proc
- Example - /sys/fs/cgroup/memory/lxc/[longid]/
- Hard to track where all of these metrics live.
Logging and Metrics
CAdvisor to the rescue.
sudo docker run \ --volume=/:/rootfs:ro \ --volume=/var/run:/var/run:rw \ --volume=/sys:/sys:ro \ --volume=/var/lib/docker/:/var/lib/docker:ro \ --publish=8080:8080 \ --detach=true \ --name=cadvisor \ google/cadvisor:latest
Logging and Metrics
CAdvisor
Cadvisor natively support Docker and most linux containers based on LXC
- Web UI - Demo Later
- Rest API
- InfluxDB and Prometheus outputs.
- Probably needs to support Graphite.
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
Multiple Processes
There are times when you need to run multiple processes in a container.
Ignore the nay-sayers ... this is OK.
Multiple Processes
Backgrounded in a start script
#!/bin/boot mysqld_safe & /usr/bin/hhvm --config /etc/hhvm/server.ini --user app -m server & apache2 -DFOREGROUND
Multiple Processes
Backgrounded in a start script
Problems
- Any process could die, container would still run.
- Zombie Processes ( [defunc] )
- Trying to resolve a solved problem ( init systems )
- use exec any time calling "pid 1" app from script in docker.
Multiple Processes
Init system ... Runit
- Simple lightweight init system
- place executable script in /etc/services/[NAME]/run
- restarts processes on exit/crash
- `$ docker exec wordpress service apache2 restart`
- handles zombie processes ( I think! )
Zombie Processess
Docker and the pid 1 zombie reaping problem
- When process dies, turns into zombie process.
- Parent process must explicitly wait for child process termination.
- Is this really a big deal? Probably not...
- However it can be avoided - Phusion - my_init
- myinit when called with no arguments will start runit and let runit handle service mangement.
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
Container Centric OSes
- CoreOS
- Atomic
- Snappy ( Ubuntu Core )
- RancherOS ( brand new! )
CoreOS
- Free with pay for support & premium features
- A fork of ChromeOS
- FastPatch for updates
- No package manager!
- Clustering support.
- Rocket
CoreOS
Clustering Support
- etcd
- fleet
- flannel*
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
App Configuration
via ENV or service discovery
I have an application in a container ... but how do I actually configure it ?
App Configuration
During `docker build`
This is the simplest use case, if your configuration file is very static just use ADD in your `Dockerfile` to put it in the correct place.
App Configuration
via volume mount
You can also mount it in from your host ( useful if already using CM to write the config file on the host ).
docker run -d -v /my/app/apache2/httpd.conf:/etc/apache2/httpd.conf myapp
It's OK to do this, but be aware of the potential security implications.
App Configuration
As part of a start script
#!/bin/bash
PORT=${PORT:-5000}
sed -i "s/xxxPORTxxx/$PORT/" /etc/apache2/httpd.conf
exec apache2 -DFOREGROUND
App Configuration
Using confd
- lightweight templating engine written in GO.
- Take key/value pairs from a number of supported storage engines.
- Environment Variables, ETCD, Consul, etc.
App Configuration
Using confd
FROM ubuntu:trusty RUN \ curl -sSL -o /usr/local/bin/etcdctl \ https://s3-us-west-2.amazonaws.com/opdemand/etcdctl-v0.4.6 \ && chmod +x /usr/local/bin/etcdctl \ && curl -sSL -o /usr/local/bin/confd \ https://github.com/kelseyhightower/confd/releases/download/v0.7.1/confd-0.7.1-linux-amd64 \ && chmod +x /usr/local/bin/confd
App Configuration
Using confd
#!/bin/bash
BACKEND=${BACKEND:-env}
until confd -onetime -backend=${BACKEND} -confdir=/etc/confd ; do
echo "echo ==> ${APP_NAME}: waiting for confd to write initial templates..."
sleep 1
done
exec apache2 -DFOREGROUND
App Configuration
Using confd
$ docker run -d -p 8080 \ -e APACHE_PORT=8080 -e APACHE_ROOT=/app/web \ apache /app/bin/boot
App Configuration
Using confd
Deeper dive into confd during demo / workshop.
Agenda
- Optimizing Dockerfiles
- Docker vs Config Management
- Logging and Metrics
- Running multiple processes in a container
- Container Centric OSes
- App Configuration via ENV or service discovery
- Demo / Workshop
Demo / Workshop
Factorish - Example Appdocker pull factorish/example
Demo / Workshop
$ docker run -d -e SERVICES_EXAMPLE_TEXT=father \ -p 8080:8080 --name father factorish/example $ curl localhost:8080 # or IP of boot2docker $ docker run -d -e SERVICES_EXAMPLE_TEXT=mother \ -p 8081:8080 --name mother factorish/example $ curl localhost:8080 # or IP of boot2docker $ docker kill father mother $ docker rm father mother
Demo / Workshop
$ vagrant up ..... $ vagrant ssh core-01 $ etcd ctl / --recursive