The challenges of
container configuration
David Lutterkort
@lutterkort
lutter@puppet.com
Overview
● What is configuration?
● Immutability
● Build vs Run
● Who configures the scheduler?
● Conclusions
What is configuration?
package/file/service
is only one instance of a more general problem
Configuration is any input into infrastructure
It needs to be managed
over time and at scale
Core configuration management features:
❏ describe system aspects in isolation
❏ combine aspects into whole
❏ common format for querying
❏ bridge across entire infrastructure
$ docker run -d \
    -e MYSQL_HOST=mysql.example.com \
    -e MYSQL_PORT=3306 \
    --health-cmd /usr/bin/check \
    webapp
Immutability
$ docker run \
    --name example fedora:24 \
    /bin/sh -c 'while true; do
                  cat /etc/system-release;
                  sleep 1;
                done'
$ docker run …
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
$ docker exec example /bin/sh -c \
    'sed -i -e s/24/25/ /etc/system-release'
Fedora release 24 (Twenty Four)
Fedora release 24 (Twenty Four)
Fedora release 25 (Twenty Four)
Fedora release 25 (Twenty Four)
Fedora release 25 (Twenty Four)
Fedora release 25 (Twenty Four)
Fedora release 25 (Twenty Four)
Fedora release 25 (Twenty Four)
$ docker exec …
$ docker diff example
C /run
A /run/secrets
C /etc
C /etc/system-release
Containers are not immutable by default
Only as immutable as packages
$ docker run --read-only \
    --name example fedora:24 \
    /bin/sh -c 'while true; do
                  cat /etc/system-release;
                  sleep 1;
                done'
$ docker exec example /bin/sh -c \
    'sed -i -e s/24/25/ /etc/system-release'
sed: couldn't open temporary file
/etc/sed5OCs5t: Read-only file system
$ docker diff example
C /run
A /run/secrets
Suggestion
Enable --read-only whenever possible
require 'rubygems'
require 'sinatra'
require 'haml'

# Handle GET request (show the upload form)
get "/upload" do
  haml :upload
end

# Handle POST request (receive and save the uploaded file)
post "/upload" do
  # File.basename keeps the upload inside uploads/ even if the client
  # supplies a filename with path components
  name = File.basename(params['myfile'][:filename])
  File.open('uploads/' + name, "wb") do |f|
    f.write(params['myfile'][:tempfile].read)
  end
  return "The file was successfully uploaded!"
end
$ docker run -d --read-only lutter/lolcat
$ docker run -d --read-only \
    -v /srv/lolcat/uploads:/app/uploads \
    lutter/lolcat
$ docker run -d --read-only \
    -v /srv/lolcat/uploads:/app/uploads \
    --tmpfs /tmp \
    lutter/lolcat
Suggestion
Use --tmpfs where needed
Without technical controls you only have
social guarantees of immutability
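As an added example (not part of the talk), a POSIX shell check that turns `docker diff` into a technical control: it flags any change outside the paths a `--read-only` container is expected to write to. The allow-list and the sample diff are constructed, not taken from a real container.

```shell
#!/bin/sh
# Added example, not from the talk: audit `docker diff` output for writes
# outside the paths a container is expected to touch. Run it as
#   docker diff example | audit_diff
# The sample below is constructed from the diff shown on the slides.

# Assumed allow-list: Docker's own /run/secrets, the --tmpfs we mount,
# and the volume the image declares. Anything else that changed is a
# mutation that --read-only should have prevented.
ALLOWED="/run /tmp /app/uploads"

# is_allowed PATH -> true if PATH equals, or lies under, an allowed prefix
is_allowed() {
    p=$1
    for a in $ALLOWED; do
        case "$p" in
            "$a"|"$a"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_diff reads docker diff lines ("A /path" added, "C /path" changed,
# "D /path" deleted) on stdin, prints each unexpected change on stdout,
# and returns 1 if there was at least one.
audit_diff() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        kind=${line%% *}
        path=${line#* }
        case "$kind" in
            A|C|D) ;;
            *) echo "unparseable line: $line" >&2; continue ;;
        esac
        if ! is_allowed "$path"; then
            echo "unexpected $kind $path"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: the docker diff output after `sed -i` changed
# /etc/system-release in a container started without --read-only.
SAMPLE_DIFF="C /run
A /run/secrets
C /etc
C /etc/system-release"

# Stand-alone run: report the unexpected changes in the sample.
printf '%s\n' "$SAMPLE_DIFF" | audit_diff || echo "container was mutated"
```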
How do you know the correct invocation for an image?
Build vs Run
Given an image
❏ What machine built this image ?
❏ How do you run this image ?
❏ Who supports this image ?
❏ Does the image contain malware ?
30
Given a container
❏ Who built it ?
❏ How was it built ?
❏ What software does it contain ?
❏ Is the software up-to-date ?
31
FROM fedora:24
RUN dnf update -y && \
    dnf install -y ruby rubygem-bundler && \
    dnf clean all
COPY . /app
RUN cd /app && bundle install --path vendor/bundle
WORKDIR /app
VOLUME /app/uploads
EXPOSE 9292
CMD ["/usr/bin/bundle", "exec", "rackup"]
Where did the base image come from?
What repositories and what package versions?
What was in this directory at build time?
Time is your enemy
When do you rebuild images?
Code changes and external factors
should trigger rebuild
Explain yourself with metadata
Docker labels are a great way to do that
Name : glibc
Version : 2.23.1
Release : 10.fc24
Architecture: x86_64
License : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Signature : RSA/SHA256, Thu 18 Aug 2016 09:27:43 AM PDT,
Key ID 73bde98381b46521
Source RPM : glibc-2.23.1-10.fc24.src.rpm
Build Date : Thu 18 Aug 2016 06:37:42 AM PDT
Build Host : buildvm-16.phx2.fedoraproject.org
Packager : Fedora Project
Vendor : Fedora Project
Summary : The GNU libc libraries
$ docker inspect \
    -f "{{json .Config.Volumes}}" lutter/lolcat
{
"/app/uploads": {}
}
$ docker inspect \
    -f "{{json .Config.ExposedPorts}}" lutter/lolcat
{
"9292/tcp": {}
}
LABEL vendor="ACME Incorporated" \
      com.acme.release-status="beta" \
      com.acme.version="0.1.0-beta" \
      com.acme.git.sha="f260653a"
$ docker inspect \
    -f "{{json .Config.Labels}}" lutter/lolcat | jq
{
"com.acme.git.sha": "f260653a",
"com.acme.release-status": "beta",
"com.acme.version": "0.1.0-beta",
"vendor": "ACME Incorporated"
}
Suggestion
Decide upon and enforce metadata standards
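As an added example (not from the talk), a POSIX shell check that enforces a label standard on `key=value` lines such as `docker inspect` can print with a range template. The required keys, the accepted release statuses and the value formats are assumptions modelled on the labels shown above.

```shell
#!/bin/sh
# Added example, not from the talk: enforce a label standard on an image.
# Labels arrive as "key=value" lines, one per line, which is what
#   docker inspect -f '{{range $k,$v := .Config.Labels}}{{$k}}={{$v}}{{"\n"}}{{end}}' IMAGE
# prints. The sample below is constructed from the labels on the slides.

# Assumed standard: every image must carry these keys ...
REQUIRED="vendor com.acme.version com.acme.release-status com.acme.git.sha"
# ... and release-status must be one of these values.
STATUSES="alpha beta ga"

# label_value KEY LABELS -> prints the value of KEY, nothing if absent
label_value() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            "$1"=*) printf '%s\n' "${line#*=}"; break ;;
        esac
    done
}

# check_labels LABELS -> prints one problem per line; returns 1 if any
check_labels() {
    labels=$1
    problems=0
    for key in $REQUIRED; do
        value=$(label_value "$key" "$labels")
        if [ -z "$value" ]; then
            echo "missing label: $key"
            problems=$((problems + 1))
            continue
        fi
        case "$key" in
            com.acme.version)
                # loose semver check: MAJOR.MINOR.PATCH with optional suffix
                case "$value" in
                    [0-9]*.[0-9]*.[0-9]*) ;;
                    *) echo "bad version: $value"; problems=$((problems + 1)) ;;
                esac ;;
            com.acme.release-status)
                case " $STATUSES " in
                    *" $value "*) ;;
                    *) echo "unknown release-status: $value"; problems=$((problems + 1)) ;;
                esac ;;
            com.acme.git.sha)
                # must be hex and at least an abbreviated (7 character) sha
                case "$value" in
                    *[!0-9a-f]*) echo "non-hex git sha: $value"; problems=$((problems + 1)) ;;
                    *) [ "${#value}" -ge 7 ] || { echo "short git sha: $value"; problems=$((problems + 1)); } ;;
                esac ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample, matching the docker inspect output on the slides.
SAMPLE_LABELS="com.acme.git.sha=f260653a
com.acme.release-status=beta
com.acme.version=0.1.0-beta
vendor=ACME Incorporated"

# Stand-alone run: a conforming image prints nothing but the confirmation.
check_labels "$SAMPLE_LABELS" && echo "labels conform to the standard"
```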
LABEL com.example.dockerfile="/Dockerfile"
$ docker inspect \
    -f "{{json .Config.Labels}}" lutter/alpine | jq
{
"com.example.dockerfile": "/Dockerfile"
}
$ docker run -it lutter/alpine cat /Dockerfile
FROM alpine
RUN apk add --update bash && rm -rf /var/cache/apk/*
COPY Dockerfile /
LABEL com.example.dockerfile="/Dockerfile"
Suggestion
Embed your Dockerfile in the image
LABEL com.acme.cmd.packages="apk info -vv"
$ docker run -it lutter/alpine apk info -vv
musl-1.1.14-r12 - the musl c library (libc)
busybox-1.24.2-r11 - Size optimized toolbox of ...
alpine-baselayout-3.0.3-r0 - Alpine base dir ...
alpine-keys-1.1-r0 - Public keys for Alpine Linux ...
zlib-1.2.8-r2 - A compression/decompression Library
bash-4.3.42-r3 - The GNU Bourne Again shell
...
Suggestion
Make your images discoverable
puppetlabs/puppetlabs-image_build
class { 'nginx': }
nginx::resource::vhost { 'default':
  www_root => '/var/www/html',
}
file { '/var/www/html/index.html':
  ensure  => present,
  content => 'Hello Puppet and Docker',
}
exec { 'Disable Nginx daemon mode':
  path    => '/bin',
  command => 'echo "daemon off;" >> /etc/nginx/nginx.conf',
  unless  => 'grep "daemon off" /etc/nginx/nginx.conf',
}
# metadata.yaml
cmd: nginx
expose: 80
image_name: puppet/nginx
$ puppet docker build
...
$ docker run -d -p 8080:80 acme/nginx-test
83d5fbe370e84d424c71c1c038ad1f5892fec579d28b...
$ curl http://127.0.0.1:8080
Hello Puppet and Docker
Who configures the scheduler?
Schedulers/orchestrators isolate you from
❏ where individual containers run
❏ balancing due to new resources
❏ respawning due to failed resources
Schedulers operate on constraints
Decisions depend on accurate resource
information
$ docker daemon \
    --label environment=production \
    --label storage=ssd
$ docker run -d -P \
    --label com.example.environment=production \
    -e constraint:storage==ssd --name db mysql
template:
  metadata:
    labels:
      app: guestbook
      tier: frontend
  spec:
    containers:
    - name: php-redis
      image: gcr.io/google-samples/gb-frontend:v4
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
      env:
      - name: GET_HOSTS_FROM
        value: dns
        # If your cluster config does not include a dns service, then to
        # instead access environment variables to find service host
        # info, comment out the 'value: dns' line above, and uncomment the
        # line below.
        # value: env
      ports:
      - containerPort: 80
How do you manage properties for all your hosts?
Suggestion
Compute host properties dynamically
$ facter -y | head -n 20
aio_agent_version: 1.7.0
augeas:
  version: 1.4.0
disks:
  sda:
    model: SanDisk SDSSDA24
    size: 223.57 GiB
    size_bytes: 240057409536
    vendor: ATA
  ...
dmi:
  bios:
    ...
memory:
  ...
$ docker daemon \
    --label os=$(facter os.family) \
    --label kernel=$(facter kernelversion) \
    --label memory=$(facter memory.system.total_bytes)
https://forge.puppet.com/puppetlabs/docker_platform
class { 'docker':
  labels => [
    "os=${facts[os][family]}",
    "kernel=${facts[kernelversion]}",
    "memory=${facts[memory][system][total_bytes]}"
  ],
}
Schedulers introduce higher-level primitives
Docker networks
Kubernetes services and replication controllers
Chronos jobs
Many interfaces imperative not declarative
$ kubectl get pod mypod -o yaml \
    | sed -e 's/\(image: myimage\):.*$/\1:v4/' \
    | kubectl replace -f -
$ docker network create bob
ca7b185775966003d38ccbd9bba822fb570766e4bb
$ docker network create bob
Error response from daemon: network with name bob ...
docker_network { 'bob':
  ensure   => present,
  driver   => 'overlay',
  subnet   => '192.168.1.0/24',
  gateway  => '192.168.1.1',
  ip_range => '192.168.1.4/32',
}
And everything is in YAML
"The language to represent the data should be a simple, data-only
format such as JSON or YAML, and programmatic modification of
this data should be done in a real programming language, where
there are well-understood semantics, as well as good tooling."
Borg, Omega, and Kubernetes, ACM Queue, Volume 14 Issue 1 | http://queue.acm.org/detail.cfm?id=2898444
Code plus data has advantages
over data alone
https://forge.puppet.com/garethr/kubernetes
kubernetes_pod { 'sample-pod':
  ensure   => present,
  metadata => {
    namespace => 'default',
  },
  spec     => {
    containers => [{
      name  => 'container-name',
      image => 'nginx',
    }]
  },
}
controller_service_pair { 'redis-master':
  app  => 'redis',
  role => 'master',
  tier => 'backend',
  port => 6379,
}
Conclusions
The difference between how you think a
system behaves and how it actually behaves
risks hard-to-debug production issues
Container use at scale and over time
requires meaningful abstraction
Configuration management as a discipline
provides tools to build those abstractions and
thereby minimize risk
Project Blueshift booth
Exhibition Hall
Docker, Mesos, Kubernetes and Puppet? Don't Panic !
Deepak Giridharagopal, Thur, 4:45pm
Pulling the strings to containerize your life
Scott Coulton, Fri, 9:50am
Running Puppet software in Docker containers
Gareth Rushgrove, Fri, 1:30pm
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 

Challenges of container configuration

  • 20.
    require 'rubygems'
    require 'sinatra'
    require 'haml'

    # Handle GET-request (Show the upload form)
    get "/upload" do
      haml :upload
    end

    # Handle POST-request (Receive and save the uploaded file)
    post "/upload" do
      # basename keeps a client-supplied filename inside uploads/
      name = File.basename(params['myfile'][:filename])
      File.open('uploads/' + name, "wb") do |f|
        f.write(params['myfile'][:tempfile].read)
      end
      return "The file was successfully uploaded!"
    end
  • 21.
    $ docker run -d --read-only lutter/lolcat
  • 22. (same Sinatra upload handler as slide 20)
  • 23.
    $ docker run -d --read-only \
        -v /srv/lolcat/uploads:/app/uploads \
        lutter/lolcat
  • 24. (same Sinatra upload handler as slide 20)
  • 25.
    $ docker run -d --read-only \
        -v /srv/lolcat/uploads:/app/uploads \
        --tmpfs /tmp \
        lutter/lolcat
  • 27. Without technical controls you only have social guarantees of immutability
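One technical control for that guarantee, as an added example that is not part of the deck: a small Python check that parses `docker diff` output and flags writes outside the paths a container is allowed to change (its volumes and --tmpfs mounts, plus /run). The allow-list and the sample diff are constructed here; the `docker diff` invocation is the real CLI.

```python
import subprocess
from typing import Iterable, List, Tuple

# Paths a container may legitimately write to: /run (docker itself adds
# /run/secrets there) plus whatever volumes and --tmpfs mounts it was given.
DEFAULT_ALLOWED = ("/run",)

def parse_docker_diff(output: str) -> List[Tuple[str, str]]:
    """Turn `docker diff` lines ('A|C|D <path>') into (kind, path) pairs."""
    changes = []
    for line in output.splitlines():
        if not line.strip():
            continue
        kind, _, path = line.strip().partition(" ")
        if kind not in ("A", "C", "D") or not path.startswith("/"):
            raise ValueError(f"unexpected docker diff line: {line!r}")
        changes.append((kind, path))
    return changes

def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies below it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def unexpected_changes(changes, allowed: Iterable[str] = DEFAULT_ALLOWED):
    """Changes outside every allowed writable path. A 'C' on an ancestor of
    an allowed path (slide 14: 'C /run' beside 'A /run/secrets') is not drift."""
    allowed = tuple(allowed)
    drift = []
    for kind, path in changes:
        if any(_under(path, a) for a in allowed):
            continue
        if kind == "C" and any(_under(a, path) for a in allowed):
            continue
        drift.append((kind, path))
    return drift

def check_container(name: str, allowed: Iterable[str] = DEFAULT_ALLOWED):
    """Run `docker diff` against a live container and return its drift."""
    out = subprocess.run(["docker", "diff", name], check=True,
                         capture_output=True, text=True).stdout
    return unexpected_changes(parse_docker_diff(out), allowed)

# Constructed sample: the `docker diff example` output from slide 14 (a
# container started without --read-only after /etc/system-release was edited).
SAMPLE_DIFF = "C /run\nA /run/secrets\nC /etc\nC /etc/system-release\n"

if __name__ == "__main__":
    for kind, path in unexpected_changes(parse_docker_diff(SAMPLE_DIFF)):
        print(f"drift: {kind} {path}")  # C /etc, C /etc/system-release
```

For the lolcat container of slide 25 the allow-list would be ("/run", "/app/uploads", "/tmp"); anything else reported by `docker diff` is a write that --read-only would have refused.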
  • 28. How do you know the correct invocation for an image ?
  • 30. Given an image
    ❏ What machine built this image ?
    ❏ How do you run this image ?
    ❏ Who supports this image ?
    ❏ Does the image contain malware ?
  • 31. Given a container
    ❏ Who built it ?
    ❏ How was it built ?
    ❏ What software does it contain ?
    ❏ Is the software up-to-date ?
  • 32.
    FROM fedora:24
    RUN dnf update -y && dnf install -y ruby rubygem-bundler && dnf clean all
    COPY . /app
    RUN cd /app && bundle install --path vendor/bundle
    WORKDIR /app
    VOLUME /app/uploads
    EXPOSE 9292
    CMD ["/usr/bin/bundle", "exec", "rackup"]
  • 33. (Dockerfile from slide 32) Where did the base image come from ?
  • 34. (Dockerfile from slide 32) What repositories and what package versions ?
  • 35. (Dockerfile from slide 32) What was in this directory at build time ?
  • 36. Time is your enemy
  • 37. When do you rebuild images ?
  • 38. Code changes and external factors should trigger rebuild
  • 39. Explain yourself with metadata
    Docker labels are a great way to do that
  • 40.
    Name        : glibc
    Version     : 2.23.1
    Release     : 10.fc24
    Architecture: x86_64
    License     : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
    Signature   : RSA/SHA256, Thu 18 Aug 2016 09:27:43 AM PDT, Key ID 73bde98381b46521
    Source RPM  : glibc-2.23.1-10.fc24.src.rpm
    Build Date  : Thu 18 Aug 2016 06:37:42 AM PDT
    Build Host  : buildvm-16.phx2.fedoraproject.org
    Packager    : Fedora Project
    Vendor      : Fedora Project
    Summary     : The GNU libc libraries
  • 41.
    $ docker inspect -f "{{json .Config.Volumes}}" lutter/lolcat
    { "/app/uploads": {} }
  • 42.
    $ docker inspect -f "{{json .Config.ExposedPorts}}" lutter/lolcat
    { "9292/tcp": {} }
  • 43.
    LABEL vendor="ACME Incorporated" \
          com.acme.release-status="beta" \
          com.acme.version="0.1.0-beta" \
          com.acme.git.sha="f260653a"
  • 44.
    $ docker inspect -f "{{json .Config.Labels}}" lutter/lolcat | jq
    {
      "com.acme.git.sha": "f260653a",
      "com.acme.release-status": "beta",
      "com.acme.version": "0.1.0-beta",
      "vendor": "ACME Incorporated"
    }
  • 45. Suggestion: Decide upon and enforce metadata standards
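Enforcing such a standard, as an added example (not the deck's or Puppet's code): a Python check that reads `.Config.Labels` from `docker inspect` output and validates it against a label policy. The policy itself, built on the com.acme.* names from slides 43 and 44 with value patterns chosen here, is a constructed assumption.

```python
import json
import re
import subprocess
from typing import Dict, List

# Constructed policy (an assumption, not a Docker or Puppet standard):
# each required label and the pattern its value must match.
POLICY: Dict[str, str] = {
    "vendor": r".+",
    "com.acme.release-status": r"alpha|beta|stable",
    "com.acme.version": r"\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?",  # semver
    "com.acme.git.sha": r"[0-9a-f]{7,40}",                  # abbreviated or full sha
}

def check_labels(labels: Dict[str, str], policy: Dict[str, str] = POLICY) -> List[str]:
    """Return the policy violations for one image's labels ([] = compliant)."""
    problems = []
    for name, pattern in policy.items():
        value = labels.get(name)
        if value is None:
            problems.append(f"missing label {name}")
        elif not re.fullmatch(pattern, value):
            problems.append(f"label {name}={value!r} does not match /{pattern}/")
    return problems

def labels_of(inspect_json: str) -> Dict[str, str]:
    """Pull .Config.Labels out of `docker inspect <image>` output."""
    data = json.loads(inspect_json)
    if isinstance(data, list):
        data = data[0]
    return data.get("Config", {}).get("Labels") or {}

def check_image(image: str) -> List[str]:
    """Inspect a local image and return its policy violations."""
    out = subprocess.run(["docker", "inspect", image], check=True,
                         capture_output=True, text=True).stdout
    return check_labels(labels_of(out))

# Constructed sample in the shape of `docker inspect` output, carrying the
# labels shown on slide 44.
SAMPLE_INSPECT = json.dumps([{"Config": {"Labels": {
    "com.acme.git.sha": "f260653a",
    "com.acme.release-status": "beta",
    "com.acme.version": "0.1.0-beta",
    "vendor": "ACME Incorporated",
}}}])

if __name__ == "__main__":
    print(check_labels(labels_of(SAMPLE_INSPECT)))       # [] -> compliant
    print(check_labels({"vendor": "ACME Incorporated"}))  # three missing labels
```

Run as a registry or CI gate, a non-empty result from check_image is the point at which an image without a git sha or release status is refused instead of deployed.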
  • 47.
    $ docker inspect -f "{{json .Config.Labels}}" lutter/alpine | jq
    { "com.example.dockerfile": "/Dockerfile" }
  • 48.
    $ docker run -it lutter/alpine cat /Dockerfile
    FROM alpine
    RUN apk add --update bash && rm -rf /var/cache/apk/*
    COPY Dockerfile /
    LABEL com.example.dockerfile="/Dockerfile"
  • 51.
    $ docker run -it lutter/alpine apk info -vv
    musl-1.1.14-r12 - the musl c library (libc)
    busybox-1.24.2-r11 - Size optimized toolbox of ...
    alpine-baselayout-3.0.3-r0 - Alpine base dir ...
    alpine-keys-1.1-r0 - Public keys for Alpine Linux ...
    zlib-1.2.8-r2 - A compression/decompression Library
    bash-4.3.42-r3 - The GNU Bourne Again shell
    ...
  • 52. Suggestion: Make your images discoverable
  • 54.
    class { 'nginx': }

    nginx::resource::vhost { 'default':
      www_root => '/var/www/html',
    }

    file { '/var/www/html/index.html':
      ensure  => present,
      content => 'Hello Puppet and Docker',
    }

    exec { 'Disable Nginx daemon mode':
      path    => '/bin',
      command => 'echo "daemon off;" >> /etc/nginx/nginx.conf',
      unless  => 'grep "daemon off" /etc/nginx/nginx.conf',
    }
  • 55.
    # metadata.yaml
    cmd: nginx
    expose: 80
    image_name: puppet/nginx
  • 56.
    $ puppet docker build
    ...
    $ docker run -d -p 8080:80 acme/nginx-test
    83d5fbe370e84d424c71c1c038ad1f5892fec579d28b...
    $ curl http://127.0.0.1:8080
    Hello Puppet and Docker
  • 57. Who configures the scheduler ?
  • 58. Schedulers/orchestrators isolate you from
    ❏ where individual containers run
    ❏ balancing due to new resources
    ❏ respawning due to failed resources
  • 59. Schedulers operate on constraints
  • 60. Decisions depend on accurate resource information
  • 61.
    $ docker daemon --label environment=production --label storage=ssd
  • 62.
    $ docker run -d -P --label com.example.environment=production \
        -e constraint:storage==ssd --name db mysql
  • 63.
    template:
      metadata:
        labels:
          app: guestbook
          tier: frontend
      spec:
        containers:
        - name: php-redis
          image: gcr.io/google-samples/gb-frontend:v4
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
          env:
          - name: GET_HOSTS_FROM
            value: dns
            # If your cluster config does not include a dns service, then to
            # instead access environment variables to find service host
            # info, comment out the 'value: dns' line above, and uncomment the
            # line below.
            # value: env
          ports:
          - containerPort: 80
  • 64. How do you manage properties for all your hosts ?
  • 66.
    $ facter -y | head -n 20
    aio_agent_version: 1.7.0
    augeas:
      version: 1.4.0
    disks:
      sda:
        model: SanDisk SDSSDA24
        size: 223.57 GiB
        size_bytes: 240057409536
        vendor: ATA
    ...
    dmi:
      bios:
        ...
    memory:
      ...
  • 67.
    $ docker daemon --label os=$(facter os.family) \
        --label kernel=$(facter kernelversion) \
        --label memory=$(facter memory.system.total_bytes)
  • 69.
    class { 'docker':
      labels => [
        "os=${facts[os][family]}",
        "kernel=${facts[kernelversion]}",
        "memory=${facts[memory][system][total_bytes]}",
      ],
    }
  • 71. Docker networks
    Kubernetes services and replication controllers
    Chronos jobs
  • 72. Many interfaces imperative not declarative
  • 73.
    $ kubectl get pod mypod -o yaml \
        | sed -e 's/\(image: myimage\):.*$/\1:v4/' \
        | kubectl replace -f -
  • 74.
    $ docker network create bob
    ca7b185775966003d38ccbd9bba822fb570766e4bb
    $ docker network create bob
    Error response from daemon: network with name bob ...
  • 75.
    docker_network { 'bob':
      ensure   => present,
      driver   => 'overlay',
      subnet   => '192.168.1.0/24',
      gateway  => '192.168.1.1',
      ip_range => '192.168.1.4/32',
    }
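What the declarative form buys you, as an added example (not the deck's or Puppet's code): a Python sketch that reads `docker network inspect` output and decides whether to create the network from slide 75, do nothing, or report drift, so repeated runs are safe where the second `docker network create` on slide 74 fails. The sample inspect output is constructed; the spec keys mirror slide 75 and the inspect fields (Name, Driver, IPAM.Config) are the ones docker emits.

```python
import json
import subprocess
from typing import Dict, List, Optional

# Declared state, using the values from slide 75.
DESIRED = {"name": "bob", "driver": "overlay", "subnet": "192.168.1.0/24",
           "gateway": "192.168.1.1", "ip_range": "192.168.1.4/32"}

def observed_state(inspect_json: str) -> Optional[Dict[str, str]]:
    """Map `docker network inspect` JSON onto the declared keys; None if absent."""
    nets = json.loads(inspect_json)
    if not nets:
        return None
    net = nets[0]
    ipam = ((net.get("IPAM") or {}).get("Config") or [{}])[0]
    return {"name": net["Name"], "driver": net["Driver"],
            "subnet": ipam.get("Subnet", ""), "gateway": ipam.get("Gateway", ""),
            "ip_range": ipam.get("IPRange", "")}

def plan(desired: Dict[str, str], observed: Optional[Dict[str, str]]) -> List[str]:
    """Command that converges the network, or [] if it already matches.
    Driver and IPAM cannot be changed in place, so an existing network with
    other settings is reported as drift rather than silently re-created
    (which would detach its containers) or re-`create`d (which just fails)."""
    if observed is None:
        return ["docker", "network", "create", "--driver", desired["driver"],
                "--subnet", desired["subnet"], "--gateway", desired["gateway"],
                "--ip-range", desired["ip_range"], desired["name"]]
    drift = {k: (observed.get(k), v) for k, v in desired.items() if observed.get(k) != v}
    if drift:
        raise ValueError(f"network {desired['name']} exists with drift: {drift}")
    return []

def converge(desired: Dict[str, str] = DESIRED) -> List[str]:
    """Inspect the live daemon, run the plan, and return the command used."""
    res = subprocess.run(["docker", "network", "inspect", desired["name"]],
                         capture_output=True, text=True)
    cmd = plan(desired, observed_state(res.stdout) if res.returncode == 0 else None)
    if cmd:
        subprocess.run(cmd, check=True)
    return cmd

# Constructed sample of `docker network inspect bob` after the create on
# slide 74, restricted to the fields this example reads.
SAMPLE_INSPECT = json.dumps([{"Name": "bob", "Driver": "overlay", "IPAM": {"Config": [
    {"Subnet": "192.168.1.0/24", "Gateway": "192.168.1.1", "IPRange": "192.168.1.4/32"}]}}])
```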
  • 76. And everything is in YAML
  • 77. "The language to represent the data should be a simple, data-only format such as JSON or YAML, and programmatic modification of this data should be done in a real programming language, where there are well-understood semantics, as well as good tooling."
    Borg, Omega, and Kubernetes, ACM Queue, Volume 14 Issue 1 | http://queue.acm.org/detail.cfm?id=2898444
  • 78. Code plus data has advantages over data alone
  • 80.
    kubernetes_pod { 'sample-pod':
      ensure   => present,
      metadata => {
        namespace => 'default',
      },
      spec     => {
        containers => [{
          name  => 'container-name',
          image => 'nginx',
        }]
      },
    }
  • 81.
    controller_service_pair { 'redis-master':
      app  => 'redis',
      role => 'master',
      tier => 'backend',
      port => 6379,
    }
  • 83. The difference between how you think a system behaves and how it actually behaves risks hard-to-debug production issues
  • 84. Container use at scale and over time requires meaningful abstraction
  • 85. Configuration management as a discipline provides tools to build those abstractions and thereby minimize risk
  • 86. Project Blueshift booth, Exhibition Hall
    Docker, Mesos, Kubernetes and Puppet? Don't Panic ! Deepak Giridharagopal, Thur, 4:45pm
    Pulling the strings to containerize your life. Scott Coulton, Fri, 9:50am
    Running Puppet software in Docker containers. Gareth Rushgrove, Fri, 1:30pm