Introducing containers into your infrastructure brings new capabilities, but also new challenges, in particular around configuration. This talk will take a look under the hood at some of those operational challenges including:
* The difference between runtime and build-time configuration, and the importance of relating the two.
* Configuration drift, immutable mental models and mutable container file systems.
* Who configures the orchestrators?
* Emergent vs. model driven configuration.
In the process we will identify some common problems and talk about potential solutions.
Talk from PuppetConf 2016
6. Configuration is any input into infrastructure.
It needs to be managed over time and at scale.
7. Core configuration management features:
❏ describe system aspects in isolation
❏ combine aspects into a whole
❏ common format for querying
❏ bridge across the entire infrastructure
20. require 'rubygems'
require 'sinatra'
require 'haml'
# Handle GET-request (Show the upload form)
get "/upload" do
haml :upload
end
# Handle POST-request (Receive and save the uploaded file)
post "/upload" do
File.open('uploads/' + params['myfile'][:filename], "w") do |f|
f.write(params['myfile'][:tempfile].read)
end
return "The file was successfully uploaded!"
end
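The handler above writes whatever filename the client sent straight into uploads/, which in the containerised version is the one writable volume. The following is an added example, not code from the talk or from the lolcat app, of a helper that confines every write to that directory and rejects names that would resolve outside it; safe_upload_path, save_upload and settings.uploads_dir are hypothetical names.

```ruby
require 'pathname'
require 'stringio'
require 'tmpdir'

# Added example (not the talk's code): confine uploads to the one writable
# directory. uploads_dir is the volume mounted into the otherwise read-only
# container (/app/uploads in the talk's docker run); nothing else is writable.

# Map a client-supplied filename to a path inside uploads_dir, or nil if the
# name cannot be used safely.
def safe_upload_path(uploads_dir, filename)
  return nil if filename.nil? || filename.to_s.empty?
  base = Pathname.new(uploads_dir).expand_path
  # Keep only the last path component, so "../../etc/passwd" and
  # "/etc/passwd" both become "passwd".
  name = File.basename(filename.to_s)
  return nil if ['', '.', '..', '/'].include?(name)
  target = (base + name).expand_path
  # Belt and braces: the resolved path must still sit below uploads_dir.
  return nil unless target.to_s.start_with?(base.to_s + File::SEPARATOR)
  target.to_s
rescue ArgumentError # e.g. an embedded NUL byte in the name
  nil
end

# Stream an upload's tempfile (or any IO) into uploads_dir. Returns the path
# written, or nil when the filename was rejected.
def save_upload(uploads_dir, filename, io)
  path = safe_upload_path(uploads_dir, filename)
  return nil unless path
  File.open(path, 'wb') { |f| IO.copy_stream(io, f) }
  path
end

# How the Sinatra route would use the helper (kept as a comment so this file
# runs without sinatra installed; settings.uploads_dir is hypothetical):
#   post "/upload" do
#     upload = params['myfile']
#     path = save_upload(settings.uploads_dir, upload[:filename], upload[:tempfile])
#     halt 400, "bad filename" unless path
#     "The file was successfully uploaded!"
#   end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts save_upload(dir, '../../etc/passwd', StringIO.new('x')) # lands in dir as "passwd"
    p safe_upload_path(dir, '..')                                 # nil
  end
end
```

Because the container runs with --read-only, a write that slipped past this check would fail anyway; the check makes the intended write location explicit instead of relying on the runtime flag alone.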
22. (Same upload handler as slide 20.)
23. $ docker run -d --read-only \
    -v /srv/lolcat/uploads:/app/uploads \
    lutter/lolcat
24. (Same upload handler as slide 20.)
30. Given an image
❏ What machine built this image?
❏ How do you run this image?
❏ Who supports this image?
❏ Does the image contain malware?
31. Given a container
❏ Who built it?
❏ How was it built?
❏ What software does it contain?
❏ Is the software up-to-date?
32. FROM fedora:24
RUN dnf update -y && \
    dnf install -y ruby rubygem-bundler && \
    dnf clean all
COPY . /app
RUN cd /app && bundle install --path vendor/bundle
WORKDIR /app
VOLUME /app/uploads
EXPOSE 9292
CMD ["/usr/bin/bundle", "exec", "rackup"]
33. (Same Dockerfile as slide 32.)
Where did the base image come from?
34. (Same Dockerfile as slide 32.)
What repositories and what package versions?
35. (Same Dockerfile as slide 32.)
What was in this directory at build time?
51. $ docker run -it lutter/alpine apk info -vv
musl-1.1.14-r12 - the musl c library (libc)
busybox-1.24.2-r11 - Size optimized toolbox of ...
alpine-baselayout-3.0.3-r0 - Alpine base dir ...
alpine-keys-1.1-r0 - Public keys for Alpine Linux ...
zlib-1.2.8-r2 - A compression/decompression Library
bash-4.3.42-r3 - The GNU Bourne Again shell
...
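As an added example (not the talk's code), the following parses that apk info -vv listing, embedded below as constructed sample input copied from the slide, and checks installed versions against a baseline you maintain. That is one way to answer slide 31's "Is the software up-to-date?" for an image you did not build yourself; parse_apk_info, outdated_packages and BASELINE are hypothetical names, and the version comparison is a simplification, not apk's own.

```ruby
# Added example (not the talk's code): inventory an Alpine image from
# `apk info -vv` output and flag packages behind a known-good baseline.

# Constructed sample: the listing from the slide, as apk prints it.
SAMPLE_APK_INFO = <<~TXT
  musl-1.1.14-r12 - the musl c library (libc)
  busybox-1.24.2-r11 - Size optimized toolbox of ...
  alpine-baselayout-3.0.3-r0 - Alpine base dir ...
  alpine-keys-1.1-r0 - Public keys for Alpine Linux ...
  zlib-1.2.8-r2 - A compression/decompression Library
  bash-4.3.42-r3 - The GNU Bourne Again shell
  ...
TXT

# Constructed baseline: the lowest acceptable "version-rN" per package,
# as you would derive from your patch policy or a vulnerability feed.
BASELINE = {
  'musl'    => '1.1.15-r0',
  'busybox' => '1.24.2-r12',
  'bash'    => '4.3.42-r3',
  'openssl' => '1.0.2h-r1' # not installed in this image; simply ignored
}.freeze

# apk prints "name-version-rRELEASE - description". Package names may contain
# hyphens, so the version is the first hyphen-separated field that starts
# with a digit.
APK_LINE = /\A(?<name>.+?)-(?<ver>\d[^-\s]*)-r(?<rel>\d+) - (?<desc>.*)\z/

def parse_apk_info(text)
  text.each_line.map do |line|
    m = APK_LINE.match(line.strip)
    next unless m
    { name: m[:name], version: m[:ver], release: m[:rel].to_i, description: m[:desc] }
  end.compact
end

# Comparable key: numeric dotted components, then the -r release number.
# Suffixes such as "_p1" are dropped by to_i, which is good enough for a
# baseline check but is not a full apk version comparison.
def version_key(version, release)
  version.split('.').map(&:to_i) + [release]
end

# Names of installed packages older than their baseline entry, in listing order.
def outdated_packages(text, baseline)
  parse_apk_info(text).select do |pkg|
    want = baseline[pkg[:name]]
    next false unless want
    m = /\A(\d[^-\s]*)-r(\d+)\z/.match(want)
    raise ArgumentError, "baseline entry #{want.inspect} is not version-rN" unless m
    (version_key(pkg[:version], pkg[:release]) <=> version_key(m[1], m[2].to_i)) < 0
  end.map { |pkg| pkg[:name] }
end

if __FILE__ == $PROGRAM_NAME
  puts "installed: #{parse_apk_info(SAMPLE_APK_INFO).size} packages"
  puts "behind baseline: #{outdated_packages(SAMPLE_APK_INFO, BASELINE).join(', ')}"
end
```

Run against `docker run --rm <image> apk info -vv` output, the same inventory can be recorded at build time and compared later, which ties the build-time package set to what is actually running.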
58. Schedulers/orchestrators isolate you from
❏ where individual containers run
❏ balancing due to new resources
❏ respawning due to failed resources
62. $ docker run -d -P \
    --label com.example.environment=production \
    -e constraint:storage==ssd --name db mysql
63. template:
  metadata:
    labels:
      app: guestbook
      tier: frontend
  spec:
    containers:
    - name: php-redis
      image: gcr.io/google-samples/gb-frontend:v4
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
      env:
      - name: GET_HOSTS_FROM
        value: dns
        # If your cluster config does not include a dns service, then to
        # instead access environment variables to find service host
        # info, comment out the 'value: dns' line above, and uncomment the
        # line below.
        # value: env
      ports:
      - containerPort: 80
64. How do you manage properties for all your hosts?
73. $ kubectl get pod mypod -o yaml \
    | sed -e 's/\(image: myimage\):.*$/\1:v4/' \
    | kubectl replace -f -
74. $ docker network create bob
ca7b185775966003d38ccbd9bba822fb570766e4bb
$ docker network create bob
Error response from daemon: network with name bob ...
77. "The language to represent the data should be a simple, data-only
format such as JSON or YAML, and programmatic modification of
this data should be done in a real programming language, where
there are well-understood semantics, as well as good tooling."
(Borg, Omega, and Kubernetes, ACM Queue, Volume 14 Issue 1 | http://queue.acm.org/detail.cfm?id=2898444)
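Slide 73 retags an image with sed over the serialized manifest, which is the kind of text-level edit this quote argues against. As an added example (not the talk's code) of doing the same change as a data modification, the following Ruby loads a constructed pod manifest with the standard yaml library and retags only containers whose repository matches; bump_image_tag, split_image_ref and POD_MANIFEST are hypothetical names.

```ruby
require 'yaml'

# Constructed sample manifest, standing in for `kubectl get pod mypod -o yaml`.
POD_MANIFEST = <<~YAML
  apiVersion: v1
  kind: Pod
  metadata:
    name: mypod
    annotations:
      note: "image: myimage:v3 was the first release"
  spec:
    containers:
    - name: web
      image: myimage:v3
    - name: proxy
      image: registry.example.com:5000/myimage-proxy:v3
YAML

# Split "repo[:tag]" into [repo, tag]. A ":" followed by "/" is a registry
# port, not a tag. Digest references (@sha256:...) are out of scope here.
def split_image_ref(ref)
  m = /\A(?<repo>.*?)(?::(?<tag>[^:\/]+))?\z/.match(ref)
  [m[:repo], m[:tag]]
end

# Return [new_yaml, count], where count is the number of containers retagged.
# Only spec.containers[].image is touched; the annotation text above, which
# a line-oriented sed on "image: myimage:" would also hit, is left alone.
def bump_image_tag(manifest, repo, new_tag)
  doc = YAML.safe_load(manifest)
  changed = 0
  Array(doc.dig('spec', 'containers')).each do |c|
    current_repo, _tag = split_image_ref(c['image'].to_s)
    next unless current_repo == repo
    c['image'] = "#{repo}:#{new_tag}"
    changed += 1
  end
  [doc.to_yaml, changed]
end

if __FILE__ == $PROGRAM_NAME
  out, n = bump_image_tag(POD_MANIFEST, 'myimage', 'v4')
  puts out
  warn "retagged #{n} container(s)"
end
```

The output can be piped to `kubectl replace -f -` exactly as on slide 73; the difference is that the edit is made against the document structure, so a count of zero changes is a detectable error rather than a silent no-op.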
83. The difference between how you think a system behaves and how it actually behaves risks hard-to-debug production issues.
84. Container use at scale and over time requires meaningful abstraction.
85. Configuration management as a discipline provides tools to build those abstractions and thereby minimize risk.
86. Project Blueshift booth, Exhibition Hall
Docker, Mesos, Kubernetes and Puppet? Don't Panic! (Deepak Giridharagopal, Thu, 4:45pm)
Pulling the strings to containerize your life (Scott Coulton, Fri, 9:50am)
Running Puppet software in Docker containers (Gareth Rushgrove, Fri, 1:30pm)