Using Docker in Cloud Networks - QCon London 2020 · Docker provides a ‘shipping container’ for...
copyright 2014
Using Docker in Cloud Networks
Chris Swan, CTO
@cpswan
the original cloud networking company
Friday, 28 February 14
Agenda
Docker Overview
Dockerfile and DevOps
Docker in Cloud Networks
Some Trip Hazards
My Docker Wish List
Docker overview
Background
Open source project released in March 2013
Image Credit: Docker.io
Docker is a Container System for Code
A different granularity of virtualisation
Image Credit: Docker.io
Continuing the container analogy
Image Credit: Docker.io
What’s outside the box?
Linux containers (LXC)
  Similar to Solaris zones, FreeBSD jails, IBM LPAR etc.
  Stronger isolation than chroot, weaker than any hardware (VT) protected hypervisor: containers share the host kernel, so the kernel is the security boundary
A union file system (e.g. AUFS)
  Containers are made up out of layers
  May also use ZFS or BTRFS
Docker command line tool to manage the lifecycle of containers
  run, start, stop, ps, import, export etc.
Going inside the box - Hello World
Stacking containers
Image Credit: Docker.io
Containers and Images
Image Credit: Docker.io
Hello World from Dockerfile
A real example of Dockerfile
Dockerfile and DevOps
John Boyd’s OODA loop
Dockerfile makes mistakes very cheap
Docker and networking
When the Docker daemon starts
Creates a docker0 bridge if not present
  Other bridges can be manually configured
Searches for an IP address range which doesn’t overlap with an existing route
  Default is 172.17.0.0/16
  The check runs once, at daemon start: a route that appears later (e.g. an IPsec tunnel to a site that also uses 172.17.0.0/16) collides with the bridge silently
Picks an IP in the selected range and assigns it to the docker0 bridge
  Default is 172.17.42.1
Containers get a virtual interface (one end of a veth pair) attached to the docker0 bridge
  Starting with 172.17.0.2
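The range selection above, as an added model (not Docker's own code) that can be run against a captured `ip route` listing before the daemon starts, to see which range docker0 will land on and whether it collides with a VPN or data-centre route. The constructed sample routes, the fallback candidate list after 172.17.0.0/16, and the .42.1 gateway rule for ranges smaller than a /16 are assumptions for illustration; only the 172.17.0.0/16, 172.17.42.1 and 172.17.0.2 defaults come from the slides.

```python
import ipaddress

# Constructed sample of `ip route` output from a cloud VM that already has a
# tunnel route for 172.17.0.0/16, the very range docker0 would default to.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
172.17.0.0/16 via 10.0.0.1 dev tun0
"""

# Candidate bridge ranges, tried in order. Only the first (the default from the
# slides) is Docker's; the fallbacks are an assumption made for this model.
CANDIDATE_RANGES = ["172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16", "10.0.42.0/24"]


def parse_routes(ip_route_output):
    """Turn `ip route` lines into networks; the default route has no prefix and is skipped."""
    nets = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def pick_bridge_range(routes):
    """First candidate that overlaps none of the existing routes."""
    for cidr in CANDIDATE_RANGES:
        cand = ipaddress.ip_network(cidr)
        if not any(cand.overlaps(r) for r in routes):
            return cand
    raise RuntimeError("every candidate range collides with an existing route; configure the bridge by hand")


def bridge_gateway(net):
    """docker0's own address: .42.1 inside a /16 (172.17.42.1 by default).
    For smaller ranges (assumption) use the first usable address."""
    if net.prefixlen <= 16:
        return net.network_address + (42 * 256 + 1)
    return net.network_address + 1


def container_addresses(net, gateway, count):
    """Container addresses start at .0.2 and count upward, never handing out the gateway."""
    out, addr = [], net.network_address + 2
    while len(out) < count:
        if addr >= net.broadcast_address:
            raise RuntimeError("bridge range exhausted")
        if addr != gateway:
            out.append(addr)
        addr += 1
    return out


def plan(ip_route_output, containers=2):
    """What the daemon would pick for this host: bridge range, gateway, first container IPs."""
    routes = parse_routes(ip_route_output)
    net = pick_bridge_range(routes)
    gw = bridge_gateway(net)
    return {
        "bridge": str(net),
        "gateway": str(gw),
        "containers": [str(a) for a in container_addresses(net, gw, containers)],
    }
```

Run `plan(open("/proc/net/route").read())` is not enough (that file is not in `ip route` format); feed it the output of `ip route` instead. On the constructed sample the tunnel route pushes the bridge to 172.18.0.0/16; the interesting failure is the reverse order, where the tunnel comes up after the daemon has already taken 172.17.0.0/16.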
Port mapping
Map a random host port to a container port
  sudo docker run -d -p 1234 \
    cpswan/demoapp
Map a specific host port to a container port
  sudo docker run -d -p 1234:1234 \
    cpswan/demoapp
Both forms bind on every host interface (0.0.0.0), so the port is reachable from the whole cloud network and, if the security group allows it, the internet; the ip:hostPort:containerPort form binds to one address only (e.g. 127.0.0.1)
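An added check (not from the slides or from Docker) that walks a `docker run` argument list, parses each `-p` value in its three forms, and reports which container ports end up published on every host interface. The argument lists it is tried on are constructed from the two commands above plus a loopback-bound variant; the `/udp` suffix handling and the `-p=` spelling are assumptions about the CLI, not something the slides show.

```python
def parse_port_spec(spec):
    """Parse one `-p` value: "1234", "1234:1234" or "127.0.0.1:1234:1234" (optionally "/udp")."""
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.split("/", 1)
    parts = spec.split(":")
    if len(parts) == 1:            # container port only: random host port, all interfaces
        host_ip, host_port, cport = "", None, parts[0]
    elif len(parts) == 2:          # hostPort:containerPort, all interfaces
        host_ip, host_port, cport = "", parts[0], parts[1]
    elif len(parts) == 3:          # ip:hostPort:containerPort
        host_ip, host_port, cport = parts
    else:
        raise ValueError(f"bad -p spec: {spec!r}")
    return {
        "host_ip": host_ip or "0.0.0.0",
        "host_port": int(host_port) if host_port else None,  # None = Docker picks a random port
        "container_port": int(cport),
        "proto": proto,
    }


def port_flags(argv):
    """Every -p value in a docker run argument list (constructed lists below)."""
    specs, it = [], iter(argv)
    for tok in it:
        if tok == "-p":
            specs.append(next(it))
        elif tok.startswith("-p="):
            specs.append(tok[3:])
    return [parse_port_spec(s) for s in specs]


def exposed_everywhere(argv):
    """Container ports this command publishes on all host interfaces."""
    return [m["container_port"] for m in port_flags(argv) if m["host_ip"] == "0.0.0.0"]


# Constructed argument lists for the two commands on the slide and a loopback-only variant.
RANDOM_PORT = ["sudo", "docker", "run", "-d", "-p", "1234", "cpswan/demoapp"]
FIXED_PORT = ["sudo", "docker", "run", "-d", "-p", "1234:1234", "cpswan/demoapp"]
LOOPBACK_ONLY = ["sudo", "docker", "run", "-d", "-p", "127.0.0.1:1234:1234", "cpswan/demoapp"]
```

`exposed_everywhere(FIXED_PORT)` returns `[1234]`, `exposed_everywhere(LOOPBACK_ONLY)` returns `[]`; a port bound to 127.0.0.1 is only reachable from the host itself, which is what you want when something like a reverse proxy on the same machine is the intended front door.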
Container linking
Docker takes named links to other containers to populate env variables:
  # start the database
  sudo docker run -d -p 3306:3306 -name todomvc_db \
    -v /data/mysql:/var/lib/mysql cpswan/todomvc.mysql
  # start the app server
  sudo docker run -d -p 4567:4567 -name todomvc_app \
    -link todomvc_db:db cpswan/todomvc.sinatra
  # start the web server
  sudo docker run -d -p 443:443 -name todomvc_ssl \
    -link todomvc_app:app cpswan/todomvc.ssl
(-name and -link are the 0.8-era single-dash spellings; later releases use --name and --link)
Use the env variable in the app server:
  dburl = 'mysql://root:pa55Word@' + ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'
  DataMapper.setup(:default, dburl)
Two things to notice: -p 3306:3306 also publishes the database on the host, which the link alone does not need, and the root password is baked into the application source
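The same lookup as the Ruby line above, written as an added Python example (not the slides' code) that takes the password from the environment instead of the source and refuses to start without one, and that lists what the link exposes besides the address. The environment it reads is constructed to match what Docker injects for `-link todomvc_db:db` (the `DB_PORT_3306_TCP_*` family plus the linked container's own variables re-exported as `DB_ENV_*`); the `TODOMVC_DB_PASSWORD` variable and the `MYSQL_ROOT_PASSWORD` value in the database image are assumptions.

```python
import re

# Constructed environment of todomvc_app after `-link todomvc_db:db`: Docker fills in DB_*
# for the link and re-exports the database container's own environment as DB_ENV_*.
SAMPLE_ENV = {
    "DB_NAME": "/todomvc_app/db",
    "DB_PORT": "tcp://172.17.0.2:3306",
    "DB_PORT_3306_TCP": "tcp://172.17.0.2:3306",
    "DB_PORT_3306_TCP_ADDR": "172.17.0.2",
    "DB_PORT_3306_TCP_PORT": "3306",
    "DB_PORT_3306_TCP_PROTO": "tcp",
    "DB_ENV_MYSQL_ROOT_PASSWORD": "pa55Word",  # assumed ENV of the db image, leaked through the link
    "TODOMVC_DB_PASSWORD": "pa55Word",         # assumed: passed to the app container with -e
}


def link_endpoint(env, alias, port, proto="tcp"):
    """Resolve the address and port of a linked container from the variables Docker injected."""
    base = f"{alias.upper()}_PORT_{port}_{proto.upper()}"
    try:
        return env[base + "_ADDR"], int(env[base + "_PORT"])
    except KeyError as exc:
        raise RuntimeError(f"not linked as {alias!r}: {exc.args[0]} is missing") from exc


def db_url(env, alias="db", port=3306, user="root",
           password_var="TODOMVC_DB_PASSWORD", dbname="todomvc"):
    """Build the DataMapper-style URL; the password comes from the environment, never from source."""
    host, p = link_endpoint(env, alias, port)
    password = env.get(password_var)
    if not password:
        raise RuntimeError(f"{password_var} is unset; refusing to start with an empty or built-in password")
    return f"mysql://{user}:{password}@{host}:{p}/{dbname}"


SECRET_LIKE = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)


def secrets_leaked_by_link(env, alias="db"):
    """Names of the linked container's variables that look like secrets and are now visible here."""
    prefix = f"{alias.upper()}_ENV_"
    return sorted(k for k in env if k.startswith(prefix) and SECRET_LIKE.search(k[len(prefix):]))
```

`secrets_leaked_by_link(SAMPLE_ENV)` reports `DB_ENV_MYSQL_ROOT_PASSWORD`: whatever the database image sets with ENV, or is given with `-e`, is readable by every container that links to it, and anything passed to the app container with `-e` is in turn re-exported to `todomvc_ssl`, which links to the app. Taking the password out of the source fixes the page's hard-coding, not this wider exposure.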
Docker in cloud networks
Before Docker
VNS3 is a virtual appliance Swiss Army Knife for networking
VNS3: tool for building secure networks in virtual infrastructures, private & public cloud
  Firewall
  Dynamic & Scriptable SDN
  Protocol Redistributor
  IPsec/SSL VPN concentrator
  Router
  Switch
A typical customer use case
[Diagram: on-site hardware (firewall / VPN, data center servers) connected over an IPsec tunnel to VNS3 in the public cloud, in front of the web app]
That annoying extra VM
[Diagram: the same topology, with internet traffic to the web app needing an extra VM in the public cloud]
VNS3: Router, Switch, Firewall, IPsec/SSL VPN Concentrator, Protocol Redistributor, Dynamic & Scriptable SDN, Load Balancing, (Reverse) Proxy, SSL Termination, Content Caching, Intrusion Detection, More....
With Docker
VNS3 3.5 allows customers to embed features and functions provided by other vendors - or developed in house, safely and securely into their Cloud Network.
Customer controlled, & co-created, for best hybrid cloud experience
Getting rid of that annoying extra VM
[Diagram: VNS3 (firewall / VPN) in the public cloud now terminates both the IPsec tunnel from the on-site hardware / data center servers and the internet traffic to the web app, with no extra VM]
Seeding the ecosystem
and on github
as Dockerfile doesn’t stand alone
Some trip hazards
Inconsistent package repos
Beware apt-get upgrade
Not a problem in the official Docker.io images
But... if you’re using images from somewhere else then it’s not good when they try to build an initramfs
  An upgrade can pull in kernel packages whose post-install step tries to build an initramfs; that has no business happening inside a container (the kernel belongs to the host) and commonly fails the build
  It also makes the image depend on the day it was built; install and pin what you need rather than upgrading everything
Non deterministic actions
apt-get install whatever -y
You want this to be cached in the short term
You might not want it to be cached long term (I’m not going to wade into the security tar pit right now)
  The tar pit: a cached RUN layer freezes the package versions it installed, so every later build that hits the cache keeps shipping packages that have since had security updates; bust the cache deliberately (or pin versions and bump them) when you want fresh packages
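An added linter (not from the slides or from Docker) for the two trip hazards above: it joins each RUN instruction across `\` continuations and flags `apt-get upgrade`, an `apt-get install` that does not share its RUN with `apt-get update` (the cached layer then reuses stale package lists), and unpinned package names. The two Dockerfiles it runs on are constructed; the haproxy version string in the second one is made up for illustration, not a real package version to copy.

```python
import re

# Constructed Dockerfile with both hazards: a build-time upgrade, and an install
# in its own cached layer with no pinning.
BAD = """\
FROM ubuntu:12.04
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install haproxy -y
"""

# Constructed fix: update and install in one RUN, version pinned (illustrative
# version string), apt lists removed so they do not sit in the layer.
GOOD = """\
FROM ubuntu:12.04
RUN apt-get update && apt-get install -y haproxy=1.4.18-0ubuntu1 \\
    && rm -rf /var/lib/apt/lists/*
"""

UPGRADE = re.compile(r"apt-get\s+(dist-)?upgrade")
INSTALL = re.compile(r"apt-get\s+install\s+(.*)")
UPDATE = re.compile(r"apt-get\s+update")


def run_lines(dockerfile):
    """Yield (line number, command) for each RUN instruction, joining '\\' continuations."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if buf:
            buf.append(line.rstrip("\\").strip())
        elif line.upper().startswith("RUN "):
            start, buf = n, [line[4:].rstrip("\\").strip()]
        else:
            continue
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf = []
    if buf:
        yield start, " ".join(buf)


def lint(dockerfile):
    """Return (line number, message) findings for the apt hazards in a Dockerfile."""
    findings = []
    for n, cmd in run_lines(dockerfile):
        if UPGRADE.search(cmd):
            findings.append((n, "apt-get upgrade during a build: unreproducible, and kernel postinst "
                                "steps such as building an initramfs do not belong in a container"))
        m = INSTALL.search(cmd)
        if m:
            if not UPDATE.search(cmd):
                findings.append((n, "apt-get install without apt-get update in the same RUN: "
                                    "the cached layer keeps using stale package lists"))
            # Only the install's own arguments, not whatever follows && or ;
            args = re.split(r"&&|;|\|", m.group(1))[0].split()
            unpinned = [a for a in args if not a.startswith("-") and "=" not in a]
            if unpinned:
                findings.append((n, "unpinned packages (versions frozen by the cache, not by you): "
                                    + ", ".join(unpinned)))
    return findings
```

Pinning is a trade-off: it makes the cache honest (the version in the layer is the version you asked for) but moves the job of tracking security updates onto you, which is the part of the tar pit the slide declines to wade into.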
Local vs Global image namespace
sudo docker build -t cpswan/haproxy .
sudo docker run -d cpswan/haproxy
!=
sudo docker run -d cpswan/haproxy
The locally built image and the one pulled from the index share a tag but not necessarily content: on a host that has no local cpswan/haproxy the run pulls whatever is published, which may not be what was just built and tested here; compare image IDs (sudo docker images) rather than trusting the tag
Nothing there to make you pull before you push
Global namespace is managed, local namespace isn’t
Intermediate/private repositories for extra fun :-0
This can happen with ‘docker ps’:
and also this with ‘docker ps --all’:
  Stopped containers disappear from ‘docker ps’ but stay on disk with their writable layers until ‘docker rm’; when Dockerfile iterations are cheap they pile up fast
My Docker wish list
If only it would...
Docker CLI
Disk quotas
Route propagation
At least one of those wishes might be granted...
Summary
Docker provides a ‘shipping container’ for apps
Dockerfile tightens the DevOps OODA loop
Docker has given us a way to move from closed platform to open platform (and be part of an ecosystem)
It’s not perfect yet, but it’s not finished yet (and software rarely is anyway)
Paddington, London, UK
[email protected]
+44 20 8144 0156
@CohesiveFT
Questions?