What's New in Docker - February 2017

Post on 11-Apr-2017

Patrick Chanezon, Docker Inc. @chanezon

Container as a Service with Docker

February 2017

French

Polyglot

Platforms

Software Plumber

San Francisco

Developer Relations

@chanezon

1995 2015

Public Hybrid Private

Ops Devops Developers

Linux Container Ecosystem

flocker glusterfs

weave calico midokura cisco nuage

Cloud

OS

Plugins

Orchestration

Agility

Agile methodologies (circa 1999)

Low MTBIAMSH

MTBIAMSH (Mean Time Between Idea And Making Stuff Happen)

Agility == $$

Devops

Mainframe

Client-Server

Web

Cloud - Devops

Devops
• Cultural movement
• Inspired by agile methods
• People, Processes & Tools
• Continuous delivery
• Infrastructure as code
• Cross silo collaboration
• Small iterations
• Feedback loop, measurement

Image from Patrick Debois
http://www.slideshare.net/jedi4ever/devops-the-war-is-over-if-you-want-it
http://www.slideshare.net/jedi4ever/devopsdays-downundervfinal

Devops: singing Kumbaya?

http://highscalability.com/blog/2013/11/19/we-finally-cracked-the-10k-problem-this-time-for-managing-se.html

Server/Sysadmin

1999: 5 (Windows) - 50 (Linux)
2015: 10k-20k
x2000

https://blog.docker.com/2014/12/dockercon-europe-keynote-continuous-delivery-in-the-enterprise-by-henk-kolk-ing/
Henk Kolk, ING, DockerCon EU 2014

People, Processes, Products

deployment time: 9 months -> 15 min
1500 deployments/week

Docker

The world needs tools of mass innovation

A programmable Internet would be the ultimate tool of mass innovation

A commercial product,
built on a development platform,
built on infrastructure,
built on standards.

Docker is building a stack to program the Internet

Isolation using Linux kernel features

namespaces: pid mnt net uts ipc user

cgroups: memory cpu blkio devices

Image layers

Dockerfile

FROM java:8
MAINTAINER Patrick Chanezon <patrick@chanezon.com>
EXPOSE 8080
COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
WORKDIR /usr/src/spring-doge
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
HEALTHCHECK --interval=5m --timeout=3s --retries=3 \
  CMD curl -f http://localhost:8080/ || exit 1

Using Docker to compile your jar/war

https://registry.hub.docker.com/_/maven/

docker run -it --rm \
  -v $PWD:/usr/src/spring-doge \
  -v maven:/root/.m2 \
  -w /usr/src/spring-doge \
  maven:3.3-jdk-8 \
  mvn package

Build an image

docker build -t chanezon/spring-doge .

FROM java:8
MAINTAINER Patrick Chanezon <patrick@chanezon.com>
EXPOSE 8080
COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
WORKDIR /usr/src/spring-doge
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
HEALTHCHECK --interval=5m --timeout=3s --retries=3 \
  CMD curl -f http://localhost:8080/ || exit 1

Analyzing images

docker images java
docker history java:8

Run a container

docker run \
  --env MONGODB_URI=mongodb://mongo:27017/test \
  -p 8090:8080 \
  chanezon/spring-doge

docker-compose: running multiple containers

Run your stack with one command: docker-compose up

Describe your stack with one file: docker-compose.yml

version: '2'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8080:8080"
    links: ["mongo"]
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
  mongo:
    image: mongo

docker stack deploy

Deploy your stack with one command: docker stack deploy

Describe your stack with one file: docker-compose.yml

version: '3'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    environment:
      - MONGODB_URI=mongodb://mongo:27017/test
    depends_on:
      - mongo
    deploy:
      replicas: 2
      update_config:
        parallelism: 2
        delay: 10s
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo

Demo

• Spring Boot, Spring Data
• AngularJS front-end
• docker 1.12
• compose 1.8.1

Spring Boot App using MongoDB

https://github.com/joshlong/spring-doge

https://github.com/chanezon/docker-tips/
https://github.com/chanezon/spring-doge

Docker Java Labs

https://github.com/docker/labs/tree/master/developer-tools/

• Wildfly and Couchbase J2EE App
• Debugging a Java app in Docker using Eclipse

What’s New?

1. Developer experience

The best tools…

1. Get out of the way
2. Adapt to you
3. Make the powerful simple

Docker for Mac Docker for Windows

2. Orchestration

Introducing the best way to orchestrate Docker: Docker.

Docker 1.12: now with orchestration built-in.

Swarm mode

Service API

Cryptographic node identity

Built-in routing mesh

Using the beta? You already have 1.12 installed.

> docker swarm init
> docker service create

3. Ops experience

Deep integration with native load-balancers, templates, SSH keys, ACLs, scaling groups, firewall rules…

Docker & Microsoft

• Build
  • Docker Toolbox & Kitematic for Windows
  • Docker for Windows beta
  • Docker engine on Windows Server 2016 TP4
  • yo-docker to dockerize existing projects
  • Visual Studio Docker Tools
• Ship
  • VSTS extension for Docker beta
• Run
  • Azure Docker agent
  • ACS
  • Docker datacenter on Azure ARM template
  • Azure Container Service

Docker Store

What’s New in Docker 1.13

• Compose file support for Swarm mode service deployment
  • docker stack deploy --compose-file=docker-compose.yml my_stack
• System commands
  • docker system df
  • docker system prune
• Monitoring
  • docker service logs
  • Prometheus experiment endpoint
• Build
  • docker build --squash
• CPU management --cpus 2.5
• Docker for AWS & Azure GA

Docker CaaS

XaaS Pyramid

Platform As A Service

Infrastructure As A Service

Software As A Service

Goldilocks and the 3 XaaS

Just right Too high Too low

IaaS PaaS CaaS

Goldilocks and the 3 XaaS

Platform As A Service

Infrastructure As A Service

Software As A Service

Too high

Too low

Just right

Container As A Service

Example

“- When do you guys support FORTRAN?
- Sorry it’s not supported by Cloud Foundry yet”

Goals

Agility + Portability + Control

BUILD: Development Environments

SHIP: Registry: Secure Content & Collaboration

RUN: Control Plane: Deploy, Orchestrate, Manage, Scale

Networking Volumes Monitoring Logging Config Mgt CI/CD

IT Operations Developers IT Operations

Docker CaaS Workflow

Docker Universal Control Plane

Integrated Security

Docker Engine: Container runtime, orchestration, networking, volumes, plugins

Docker Trusted Registry

Operating Systems Config Mgt Monitoring Logging CI/CD ..more.. Images Networking Volumes

Virtualization Public Cloud Physical

Docker Datacenter

Docker Datacenter platform

Usable Security

Secure defaults with tooling that is native to both dev and ops

The Key Components of Container Security

Infrastructure Independent + Trusted Delivery + Safer Apps = Usable Security

Everything needed for a full functioning app is delivered safely and guaranteed to not be tampered with

All of these things in your system are in the app platform and can move across infrastructure without disrupting the app

Integrated Security with Docker Datacenter

Infrastructure Independent

Trusted Delivery

Safer Apps

Image Scanning

TLS Encryption

Encryption at Rest

App Secrets

Image Signing & Verification

Public Cloud Virtualization Physical

Users & RBAC

Dev/Ops Workflow

Secure by default runtime

Docker Universal Control Plane

UCP Permission Model

What’s New in Docker Datacenter

What’s New in Docker Datacenter on Docker 1.13

Application Services Content Trust and Distribution

Platform Enhancements

• Secrets Management

• HTTP Routing Mesh (GA)

• Docker Compose for Services

• Access control for Secrets and Volumes

• Image Content Cache

• On premises image security scanning and vulnerability monitoring

• Registry Webhooks

• DTR install command from UI

• UI Enhancements

• Additional LDAP configs

• Templates for AWS, Azure

Integrated Secrets Management

[Diagram: Manager and Worker nodes, Internal Distributed Store, Raft Consensus Group, External App, Web UI]

• Management
  – Admins can add/remove/list/update secrets in the cluster
  – Exposed to a container via a "/secrets" tmpfs volume
• Authorization
  – Tag secrets to a specific service
  – Admins can authorize secrets access to users/teams via RBAC
• Rotation
  – Use GUI to update a secret to all containers in a service
• Auditing
  – Each user request for secret access logged in cluster for auditing

Security Scanning: Get a full BOM for a Docker Image

Security Scanning: Vulnerabilities and Licensing for Each Component

Security Scanning: Set Automated Policy for Scanning

Security Scanning: Online and Offline Updates

Compose for Services

• Deploy stacks (services, volumes, networks, secrets) using new Compose file v3.1 format

• Manage and monitor stacks directly from UCP UI
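
The secrets workflow and the Compose file v3.1 format described above, combined into one stack file for the spring-doge service. This is an added example, not from the original slides; it assumes a secret named mongodb_uri was created beforehand and a credentialed MongoDB URI (placeholder shown), and it relies on Spring Boot mapping the SPRING_DATA_MONGODB_URI environment variable to spring.data.mongodb.uri. Swarm mode in Docker 1.13 mounts each secret as a file under /run/secrets/.

```yaml
# Added example, not from the slides. Assumed names: secret "mongodb_uri",
# stack "my_stack", MongoDB user "app"; <password> is a placeholder.
#
# Create the secret once on a manager node, then deploy:
#   printf 'mongodb://app:<password>@mongo:27017/test' | docker secret create mongodb_uri -
#   docker stack deploy --compose-file=docker-compose.yml my_stack
version: '3.1'
services:
  web:
    image: chanezon/spring-doge
    ports:
      - "8004:8080"
    # Weak setting, shown for contrast: a credentialed URI in "environment"
    # is stored in the service definition and shown by `docker service inspect`.
    # environment:
    #   - MONGODB_URI=mongodb://app:<password>@mongo:27017/test
    secrets:
      - source: mongodb_uri     # secret defined at the bottom of this file
        target: mongodb_uri     # mounted as /run/secrets/mongodb_uri (tmpfs)
        uid: '0'
        gid: '0'
        mode: 0400              # readable by root inside the container only
    # Read the secret file at start-up and hand it to Spring Boot.
    # "$$" is a literal "$": it stops Compose from interpolating the variable.
    command:
      - sh
      - -c
      - >-
        export SPRING_DATA_MONGODB_URI="$$(cat /run/secrets/mongodb_uri)";
        exec java -Dserver.port=8080 -jar spring-doge.jar
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
  mongo:
    image: mongo
secrets:
  mongodb_uri:
    external: true              # created with `docker secret create`, not by this file
```

The value still ends up in the Java process environment inside the container; what changes is that it no longer appears in the image, the Compose file or the service definition, and only services granted the secret receive it.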

Built in HTTP Routing Mesh (Now GA!)

• Extend TCP routing mesh to HTTP hostname routing for services

• HTTPS support via SNI protocol

• Support for multiple HRM networks for enhanced app isolation

• External LB routes hostnames to nodes

• Can add hostname routing via UI

• Non-service containers continue to use Interlock ref arch

[Diagram: three Workers (each marked R), External Load Balancer, Traffic via DNS (http to port 80 or other), Foo.com Bar.com Qux.com]

Docker Use Cases

Docker users already running in production

60%

Docker in Production

Docker Survey: State of ApplicationsQ1 2016

Cluster HQ: State of Container Usage June 2016

Companies running container technology in production

(500+ employees)

Across the Enterprise

Healthcare, Media, Financial Services, E-commerce / Consumer Services, Tech, Government

…And More

Docker Enabling Critical Transformations

80%: Docker is central to cloud strategy

Docker Survey: State of App development : Q1 - 2016

3 out of 4 top initiatives revolve around applications

44%: Looking to adopt DevOps

App Modernization

DevOps Cloud

The Data Shows Hybrid Infrastructure and Applications

2016 Docker Use Cases

Docker Survey: State of App development : Q1 - 2016

Docker Workloads

• Spring Boot, MongoDB, compose, swarm, networking
  • https://github.com/joshlong/spring-doge
  • https://github.com/chanezon/docker-tips/orchestration-networking
• Java EE 7 / Angular App with Docker Swarm by @mgreau
  Compose for build and deploy, Wildfly, Apache, Angular, Mysql, Redis, batch and API apps
  • https://github.com/mgreau/docker4dev-tennistour-app
• Java EE Docker & Kubernetes by @arun-gupta
  • https://github.com/javaee-samples/docker-java

Java Examples

THANK YOU