ADITYA HARITAKSHAY V. BHANDIWAD

SHWETA IYER

INTRODUCTION

CONTAINERS

● Standardized packaging for software and dependencies

● Isolate apps from each other

● Share the same OS kernel

● Decouple the applications from the environment that they run in

● Containerization is a type of virtualization but...

VIRTUAL MACHINES v/s CONTAINERS

VMs

● Emulation of a computer system -hardware level virtualization

● Each VM runs its own OS● Heavy weight● Limited performance

CONTAINERS

● OS alone is virtualized

● All containers share an OS● Lightweight● Native performance

● Docker Inc. was founded by Solomon Hykes and Sebastien Pahl during the Y Combinator Summer 2010

startup incubator group and launched in 2011

● Docker is a tool designed to make it easier to create, deploy, and run applications by using containers.

● Docker separates the application code from infrastructure requirements and needs. It does this by running each

application in an isolated environment i.e a container.

● Developers can concentrate on the actual code to run in the Docker container without worrying about the

system it will ultimately run on

● DevOps can focus on ensuring the right programs are installed in the Docker container, and reduce the number

of systems needed and complexity of maintaining said systems after deployment.

What is Docker?

ARCHITECTURE

Brief history of runtimes:● chroot was the original container. (chroot jail - blocks outside access

for files). Introduced in 1979! Added to BSD in 1982.● Solaris Zones circa 2004, Meiosys - MetaClusters with

Checkpoint/Restore 2004-05, Linux OpenVZ circa 2005 (not in mainstream Linux), AIX WPARs circa 2007

● Official support in Linux, chosen by Torvalds: LXC - chroot with complete isolation, not only file system based. (Uses POSIX file capabilities). Early versions of docker used this.

● Next generation: LXD. REST APIs over a local unix socket, and network if enabled. (uses LXC under the hood through liblxc and its Go binding to create and manage the containers)

● Even more containers, inspired by docker: AppC(Core OS), Containerd, OCI.

CONTAINER ARCHITECTURES (in linux kernels)

A container is not a physical entity in the kernel, but rather a combination of different elements. These are:● Namespaces: pid, net, mnt, ipcs● Control groups - limits and

metering: fs, dev, mem, cpu, i/o.

Main components of a container ecosystem include:

● Runtime● Image distribution● Tooling

Reference talks:https://containersummit.io/events/nyc-2016/videos/building-containers-in-pure-bash-and-chttps://www.youtube.com/watch?v=sK5i-N34im8

DOCKER ARCHITECTURE

● Written in golang● 3 components:

○ Docker’s Client○ Docker Host (Daemon)

■ Manages docker objects such as images, containers, networks, and volumes.

○ Docker Registry/Hub

Unlike LXC, docker now uses Copy-On-Write,which reduces space and time required to start a container.

Image from: https://docs.docker.com/get-started/overview/

DOCKER CLIENT

Client makes API calls to the daemon:● Common calls like start, run, stop, kill.● Library bindings for different

languages as well.● Version can differ.

API calls are in red boxes.

https://docs.docker.com/engine/api/v1.40 for API references.

Pause vs stop/kill:SIGSTOP vs SIGTERM/SIGKILL

DOCKER HOST

Host is the meat of docker:● Contains the actual daemon

which listens for API requests from client

● Also manages docker objects.

Docker objects:1. Images: Template for creating docker processes. Dockerfiles are used

to create images. Can also be built on top of pre-defined images(layering). Instruction in dockerfile -> Layer in image.

2. Container: (Not the generic container) Instance of image. Image -> recipe of cake, container -> actual cake. Containers can be started, paused, stopped, etc. (Don’t modify image when shut down).

3. Volumes: Store the persistent data generated by docker containers. Volume content exist outside the lifecycle of a container.

4. Network: Like volumes, attached to a container. Depending on the network driver, network isolation policies are defined. 5 main drivers:

a. Bridge: Default. Multiple containers talking with same docker host.

b. Host: No network isolation between host and container.c. Overlay: For swarm services.d. None: Disables all networking.e. Macvlan: Assigns mac id to containers. (For treating them like

physical devices).

DOCKER REGISTRY

Registries are where docker images are stored (kind of like git repositories for code). Can both download and upload images to registries. There are 3 main types:

1. Public, cloud hosted: (Analogous to github) The Docker Hub (https://hub.docker.com/) is the default registry. Others like Google Container Registry, and https://quay.io/ also exist.

2. On-premise registry: Docker Trusted Registry (DTR); enterprise solution. Provides advanced configuration options, image scanning, secure signing.

3. Self-hosted registry: Based on open source Docker Registry. Kind of like On-premise registry, but not with advanced features. Requires manual maintanence.

Docker and Middleware:DOCKER SWARM

Docker Swarm

● Docker swarm is a recent addition to Docker (from version 1.12).● Each member of a docker swarm is called a node.● It's designed to easily manage container scheduling over multiple hosts, using Docker

CLI.● It allows to connect multiple hosts running Docker, together. These hosts can be

physical machines or VMs● One or more nodes can run on each host machine.

Nodes in a Docker SwarmA node is an instance of the Docker engine participating in the swarm. There are two types of nodes:

1. Manager node● The manager node dispatches units of work called tasks to worker nodes.● Docker recommends a maximum of seven manager nodes for a swarm.● Manager nodes use the Raft Consensus Algorithm to internally manage the cluster state. This is to

ensure that all manager nodes that are scheduling and controlling tasks in the cluster maintain/store consistent state.

● The managers elect a single leader among them using the Raft algorithm1. Worker node

● They receive and execute tasks dispatched from manager nodes.● By default, manager nodes also run as worker nodes

Docker Swarm Features

High availability - If current leader fails, another manager will become leader. If worker host fails, all containers will be rescheduled to other nodes.

Desired state reconciliation: The swarm manager node constantly monitors the cluster state and reconciles any differences between the actual state and your expressed desired state. For example, if you set up a service to run 10 replicas of a container, and a worker machine hosting two of those replicas crashes, the manager creates two new replicas to replace the replicas that crashed. The swarm manager assigns the new replicas to workers that are running and available.

Rolling updates - At rollout time you can apply service updates to nodes incrementally. The swarm manager lets you control the delay between service deployment to different sets of nodes. If anything goes wrong, you can roll back to a previous version of the service.

Docker Swarm Features (contd)

Load balancing: There are basically two types of load balancing: internal and external. Internal is all about load balancing requests that are made from within the Swarm cluster (from other containers), whereas external load balancing targets ingress traffic that enters a cluster. Both of these functionalities are provided by the Docker Engine itself.

Docker Swarm Features (contd)

Service discovery: Swarm manager nodes assign each service in the swarm a unique DNS name and load balances running containers. You can query every container running in the swarm through a DNS server embedded in the swarm.

Secure by default: All the control plane traffic between nodes is secured through TLS. All managers and nodes have signed certificates in them, which are created automatically by Swarm. For data plane traffic, all traffic is encrypted using IPSec tunnels when leaving the source container, and it is decrypted once it arrives to the destination container.

THANK YOU !!

What docker users think will happen:

What actually happens:

Taken from http://commitstrip.com/