A look at some of the configuration issues that containers introduce, and how to avoid or fix them. Discusses immutable infrastructure, the difference between build-time and runtime configuration, scheduler configuration and more.
32. (without introducing more risk)
Given an image
- What machine built this image?
- Are all the licenses compatible?
- Who supports this image?
- Does this image contain malware?
Gareth Rushgrove
33. Given a running container
- Who built it?
- How was it built?
- What software does it contain?
- Is the software up-to-date?
34.
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y python-pip python-dev build-essential && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
RUN pip install flask
COPY . /app
WORKDIR /app
ENTRYPOINT ["python"]
CMD ["app.py"]
35. Where did this base image come from?
36. What packages are installed? At what version?
Where are those packages from?
37. What version of flask is this?
38. What was in this folder at build time?
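As an added example (not part of the slides), a small Python audit that asks the four questions above of that Dockerfile and reports where the file itself does not record the answer. The Dockerfile text is embedded as a constructed sample; requirements files referenced with `-r` are not followed.

```python
import re

# Constructed sample: the Dockerfile from the slides.
DOCKERFILE = """\
FROM ubuntu:16.04
RUN apt-get update && \\
    apt-get install -y python-pip python-dev build-essential && \\
    apt-get clean && \\
    rm -rf /var/lib/apt/lists/*
RUN pip install flask
COPY . /app
WORKDIR /app
ENTRYPOINT ["python"]
CMD ["app.py"]
"""

# (tool name, regex capturing its package list, version marker it expects)
INSTALLERS = (
    ("apt-get", r"apt-get install\s+(?:-\S+\s+)*([^&|;]+)", "="),
    ("pip", r"\bpip install\s+([^&|;]+)", "=="),
)


def instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keyword, _, rest = line.partition(" ")
            yield keyword.upper(), rest.strip()


def unpinned(package_list, marker):
    """Packages in a shell word list that carry no version marker."""
    return [p for p in package_list.split()
            if not p.startswith("-") and marker not in p]


def audit(text):
    """Return one finding per question the Dockerfile cannot answer by itself."""
    findings = []
    for kw, arg in instructions(text):
        if kw == "FROM" and "@sha256:" not in arg:
            findings.append(f"FROM {arg}: base image resolved by tag, not digest")
        elif kw == "RUN":
            for tool, pattern, marker in INSTALLERS:
                m = re.search(pattern, arg)
                if m and unpinned(m.group(1), marker):
                    findings.append(f"{tool}: no version pinned for {unpinned(m.group(1), marker)}")
        elif kw == "COPY" and arg.split()[0] == ".":
            findings.append("COPY .: whole build context copied, its contents are not recorded")
    return findings
```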
53.
$ docker run -i -t garethr/alpine apk info -vv
musl-1.1.11-r2 - the musl c library (libc) implementation
busybox-1.23.2-r0 - Size optimized toolbox of many common UNIX
alpine-baselayout-2.3.2-r0 - Alpine base dir structure and init
openrc-0.15.1-r3 - OpenRC manages the services, startup and shu
alpine-conf-3.2.1-r6 - Alpine configuration management scripts
56. Schedulers/orchestrators abstract you from
- Where individual containers run
- Balancing due to new resources
- Balancing due to failed resources
60.
$ docker run -d -P \
    -e constraint:storage==ssd --name db mysql
61.
template:
  metadata:
    labels:
      app: guestbook
      tier: frontend
  spec:
    containers:
    - name: php-redis
      image: gcr.io/google_samples/gb-frontend:v4
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
      env:
      - name: GET_HOSTS_FROM
        value: dns
        # If your cluster config does not include a dns service, th
        # instead access environment variables to find service host
        # info, comment out the 'value: dns' line above, and uncomm
62. How do you manage properties for all of your hosts?
63.
$ docker daemon \
    --label com.example.environment="production" \
    --label com.example.storage="ssd"
Does this machine really have an SSD?
What if someone swaps the drive?
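Added example, not from the slides: instead of typing `com.example.storage="ssd"` by hand, derive that label from what the kernel reports in `/sys/block/<dev>/queue/rotational`, so a swapped drive changes the label the next time the daemon is started. The label names come from the slide; the `fake_sys_block` helper builds a constructed stand-in for `/sys/block` so the logic can be exercised off-host.

```python
from pathlib import Path
import tempfile

# Block devices that are not real disks and must not influence the label.
PSEUDO_DEVICES = ("loop", "ram", "dm-", "sr", "zram")


def storage_class(sys_block="/sys/block"):
    """Return 'ssd' only if every real disk reports itself non-rotational.

    Linux exposes queue/rotational as "0" for SSD/NVMe and "1" for spinning
    disks. A mixed or unreadable set of disks never yields 'ssd'.
    """
    root = Path(sys_block)
    if not root.is_dir():
        return "unknown"
    flags = []
    for dev in sorted(root.iterdir()):
        if dev.name.startswith(PSEUDO_DEVICES):
            continue
        rotational = dev / "queue" / "rotational"
        if rotational.is_file():
            flags.append(rotational.read_text().strip() == "0")
    if not flags:
        return "unknown"
    return "ssd" if all(flags) else "hdd"


def daemon_label_args(environment, sys_block="/sys/block"):
    """Build the --label arguments for `docker daemon` from observed facts."""
    return [
        "--label", f"com.example.environment={environment}",
        "--label", f"com.example.storage={storage_class(sys_block)}",
    ]


def fake_sys_block(rotational_by_device):
    """Construct a throw-away /sys/block look-alike (testing helper only)."""
    root = Path(tempfile.mkdtemp())
    for name, value in rotational_by_device.items():
        queue = root / name / "queue"
        queue.mkdir(parents=True)
        (queue / "rotational").write_text(value + "\n")
    return str(root)


if __name__ == "__main__":
    print("docker daemon " + " ".join(daemon_label_args("production")))
```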
71.
$ kubectl get pod mypod -o yaml \
    | sed 's/\(image: myimage\):.*$/\1:v4/' \
    | kubectl replace -f -
72.
$ docker network create bob
c0a0f4538d259515813b771264688d37aaedb41098379a0d73ec0ca08
$ docker network create bob
Error response from daemon: network with name bob already
74. Code plus data has advantages over data alone
75. “The language to represent the data should be a simple, data-only format such as JSON or YAML, and programmatic modification of this data should be done in a real programming language”
Borg, Omega, and Kubernetes, ACM Queue, Volume 14, issue 1, http://queue.acm.org/detail.cfm?id=2898444
86.
controller_service_pair { 'redis-master':
  app  => 'redis',
  role => 'master',
  tier => 'backend',
  port => 6379,
}
87.
apiVersion: v1
kind: Service
metadata:
  name: redis-master
  labels:
    app: redis
    tier: backend
    role: master
spec:
  ports:
  # the port that this service should serve on
  - port: 6379
    targetPort: 6379
  selector:
    app: redis
    tier: backend
    role: master
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: redis-master
  # these labels can be applied automatically
  # from the labels in the pod template if not set
  labels:
    app: redis
    role: master
    tier: backend
spec:
  # this replicas value is default
  # modify it according to your case
  replicas: 1
  # selector can be applied automatically
  # from the labels in the pod template if not set
  # selector:
  #   app: guestbook
  #   role: master
  #   tier: backend
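Added example, not the deck's own code: the "code plus data" idea of slides 74 to 87 in Python, expanding the four values of the `controller_service_pair` resource into the Service and ReplicationController they stand for. One labels dict feeds both selectors and the pod template, so they cannot drift apart the way the hand-written YAML above can; the `image` parameter is an assumption, since the Puppet type on the slide does not show one.

```python
import json


def controller_service_pair(name, app, role, tier, port, image, replicas=1):
    """Expand one resource into a Service plus ReplicationController."""
    labels = {"app": app, "role": role, "tier": tier}
    service = {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": name, "labels": dict(labels)},
        "spec": {"ports": [{"port": port, "targetPort": port}],
                 "selector": dict(labels)},
    }
    controller = {
        "apiVersion": "v1", "kind": "ReplicationController",
        "metadata": {"name": name, "labels": dict(labels)},
        "spec": {
            "replicas": replicas,
            "selector": dict(labels),
            "template": {
                "metadata": {"labels": dict(labels)},
                "spec": {"containers": [{"name": name, "image": image,
                                         "ports": [{"containerPort": port}]}]},
            },
        },
    }
    return service, controller


def selectors_match_pods(service, controller):
    """True if both selectors select the pods the controller creates.

    This is the property the comments in the hand-written YAML ask the
    reader to maintain; here it is checked rather than assumed.
    """
    pod_labels = controller["spec"]["template"]["metadata"]["labels"]
    selectors = (service["spec"]["selector"], controller["spec"]["selector"])
    return all(pod_labels.get(k) == v for sel in selectors for k, v in sel.items())


def render(*documents):
    """Serialise as a multi-document stream; kubectl reads JSON as well as YAML."""
    return "\n---\n".join(json.dumps(doc, indent=2) for doc in documents)


if __name__ == "__main__":
    # Constructed image reference; a real deployment would pin a digest.
    print(render(*controller_service_pair(
        "redis-master", "redis", "master", "backend", 6379, "redis:TAG-PLACEHOLDER")))
```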
90. The difference between how you think something works and how it actually works risks hard-to-debug production issues
91. Containers introduce new and old configuration problems
92. Configuration management is the discipline aimed at minimising those risks