Era dockera#1 best practices & anti-patterns
Uploaded by piotr-kieszczynski. Category: Technology.
Transcript of Era dockera#1 best practices & anti-patterns
Page 1
Docker Era #1 - Best practices & anti-patterns
Page 2
1. Who is this guy?
Who got 2 thumbs and doesn't give a crap?
Page 3
Hello! I am Piotr Kieszczynski.
I am here because I love to give presentations. I am “The guy” who actually...
You can find me at @pkieszcz
Page 4
2. Docker? What’s that?
Page 5
Living under a rock
Page 6
“Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.”
Page 7
One thing at a time
1. Misconceptions
2. Dockerfile
3. SSHD in Docker
4. “Production” Docker issues
Page 8
Misconceptions
◇ You should have only one process per Docker container!
◇ If I use Docker, then I don't need a configuration management (CM) tool!
◇ I have to use Docker in order to get these speed and consistency advantages! (CM, cloud images, version pinning and version-controlled deploys give you the same advantages without Docker.)
◇ I should use Docker right now!
Page 9
I should use Docker right now!
Your current systems should already have:
◇ secured least-privilege access (key-based logins, firewalls, fail2ban, etc.)
◇ restorable, secure off-site database backups
◇ automated system setup (using Ansible, Puppet, etc.)
◇ automated deploys and automated provisioning
◇ monitoring of all critical services
◇ and more (documentation, etc.)
Page 10
Then what?
◇ You don't need to Dockerize everything
◇ Use role-based Docker images (name them by role, www/db, not by the software inside, nginx/mysql)
◇ Be explicit (avoid magic) as long as possible
◇ Don't store data in containers
◇ Use a private index (registry) provider
◇ Build on the expertise of others
Page 11
Dockerfile
1: Use the cache (keep the common, rarely changing instructions at the top of the Dockerfile so their layers are reused from the build cache)

```dockerfile
FROM ubuntu
# MAINTAINER is deprecated in current Docker; use LABEL maintainer="..." instead
MAINTAINER Piotr Kieszczynski <[email protected]>
RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list
RUN apt-get update
RUN apt-get upgrade -y
```
Page 12
Dockerfile
2: Use tags

```shell
docker build -t="pkieszcz/rpi-mumble" .
```

3: EXPOSE-ing ports

```dockerfile
# private and public mapping
EXPOSE 80:8080
# private only
EXPOSE 80
```

EXPOSE is metadata for the image (docker ps, docker inspect and -P read it); it publishes nothing by itself, and the documented form takes only the container port, EXPOSE <port>[/<protocol>]. The host port is the operator's decision and belongs at run time: docker run -p 8080:80 <image>.
Page 13
Dockerfile
4: CMD and ENTRYPOINT syntax (/bin/sh -c)

```dockerfile
# shell form: executed as /bin/sh -c "/bin/echo", so sh is PID 1 and your process is its child
CMD /bin/echo
# or the exec form: /bin/echo is started directly, becomes PID 1 and receives the SIGTERM from docker stop itself
CMD ["/bin/echo"]
```
Page 14
Dockerfile
5: CMD and ENTRYPOINT better together

```dockerfile
ENTRYPOINT ["/usr/bin/rethinkdb"]
CMD ["--help"]
```

```shell
# runs /usr/bin/rethinkdb --help: CMD supplies the default arguments
docker run crosbymichael/rethinkdb
# runs /usr/bin/rethinkdb --bind all: arguments after the image replace CMD, ENTRYPOINT stays
docker run crosbymichael/rethinkdb --bind all
```
Page 15
Dockerfile
6: Trusted builds (Docker Hub building the image from your published Dockerfile; since renamed automated builds)
7: Don't upgrade in builds (?)
8: Use small base images
9: Use specific tags

```dockerfile
# untagged: resolves to debian:latest, which changes under you between builds
FROM debian
```

```dockerfile
# pinned to a release
FROM debian:jessie
```

10: Group common operations

```dockerfile
# two layers: once the first is cached, the upgrade runs against a stale package index
RUN apt-get update
RUN apt-get upgrade -y
```

```dockerfile
# one layer: update and upgrade always run together, so the cache cannot split them
RUN apt-get update && apt-get upgrade -y
```
Page 16
SSHD in Docker
◇ What do you need SSH for?
◇ How will you manage keys and passwords?
◇ How will you manage security upgrades?
◇ Do you need to “just add the SSH server” to make it work?
◇ You are in charge of putting the app inside a container, but are you also in charge of access policies and security compliance?
Page 17
But how do I ...
◇ back up my data?
◇ check logs?
◇ restart my service?
◇ edit my configuration?
◇ debug my service?

◇ nsenter (or docker exec -it <id> /bin/bash)
Page 18
“Production” Docker issues
◇ Image building
◇ Garbage collection
◇ Iteration speed and state of core
◇ Logging
◇ Secrets
◇ Filesystems
◇ Reliance on edgy kernel features
◇ Security
◇ Image layers and transportation
◇ Storage (flocker), networking (SDN?), orchestration (Swarm vs “prod-6-months-ready”), service discovery
Page 19
“Production” Docker issues
◇ Out-of-band caching for particularly heavy-weight and application-specific dependencies
◇ Accessing secrets at build time without committing them to the image (copying a secret in and deleting it in a later RUN does not help: the file remains in the earlier layer)
◇ Full control over layers in the final image
◇ Parallelization of building layers
Page 20
“Production” Docker issues
◇ Garbage collection: https://github.com/spotify/docker-gc
◇ Clean up Registry/Distribution - GLHF (but I’ve made it!)
◇ Plumbing core features
◇ Logging: log into a mount -> fluentd
◇ Secrets: https://www.shopify.com/technology/26892292-secrets-at-shopify-introducing-ejson
◇ Filesystems: AUFS vs BTRFS vs OverlayFS
◇ Containers on VMs?
Page 21
Thanks! Any questions?
You can find me at @pkieszcz