ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
Slides from Borja Burgos' talk "Docker For the Developer" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#dockerdev
  1. DOCKER FOR DEVELOPERS. Borja Burgos-Galindo (@borja_burgos), Docker, Inc. ContainerDays Boston 2016
  2. OVERVIEW
 Current state of things (Docker Toolbox)
 Docker for Mac: Virtualization, Networking, Storage
 Docker Cloud: Docker Security Scanning; Automation (CI/CD): Build, Test, Deploy
  3. DOCKER TOOLBOX
 All the Linux tools collected in one installer:
 Bundle includes a full VirtualBox installation
 Boot2Docker virtual machine
 The Kitematic UI controlled these pieces
 A relatively loose collection of components:
 Installation and lack of integrated updates caused numerous user issues
 Performance not ideal due to the layering, especially for file sharing
 Yet most Docker users use a Mac or Windows host as their development environment.
  4. OVERVIEW (agenda slide, same as slide 2)
  5. DOCKER FOR MAC
 Easy drag and drop installation, and autoupdates to get the latest Docker.
 Secure, sandboxed virtualisation architecture without elevated privileges.
 Native networking support, with VPN and network sharing compatibility.
 File sharing between container and host: uid mapping, inotify events, etc.
 Aiming for a native OSX experience that works with existing developer workflows.
  6. OVERVIEW (agenda slide, same as slide 2)
  7. DOCKER FOR MAC > VIRTUALIZATION
 Uses the new HyperKit framework, which is in turn based on xHyve and FreeBSD's bHyve.
 Sandbox friendly: processes largely run as non-root, with privileges of the local user.
 [Architecture diagram: OSX kernel with hardware virt (VMX, nested paging); userspace user process and Hypervisor.framework process; Linux kernel with VirtIO IPC, VirtIO Block (QCow2) and VirtIO Net (VPNKit); Alpine Linux userspace with latest Docker preconfigured and logs redirected to the OSX host]
  8. DOCKER FOR MAC > VIRTUALIZATION
 Embeds Linux: includes an embedded lightweight Alpine Linux distribution optimised for fast boot and stateless operation for containers.
 Uses the new HyperKit framework, which is in turn based on xHyve and FreeBSD's bHyve.
 $ docker info
 Containers: 358
  Running: 13
  Paused: 0
  Stopped: 345
 Images: 485
 Server Version: 1.11.1
 Storage Driver: aufs
  Root Dir: /var/lib/docker/aufs
  Backing Filesystem: extfs
  Dirperm1 Supported: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge null host
 Kernel Version: 4.4.9-moby
 Operating System: Alpine Linux v3.3
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.858 GiB
  9. DOCKER FOR MAC > VIRTUALIZATION
 Sandbox friendly: processes largely run as non-root, with privileges of the local user.
 Embeds Linux: includes an embedded lightweight Alpine Linux distribution optimized for fast boot and stateless operation for containers.
 Drag 'n drop installation: Docker.app is self-contained, installs symlinks from the app bundle into /usr/local, and autoupdates.
 Uses the new HyperKit framework, which is in turn based on xHyve and FreeBSD's bHyve.
  10. DEMO: DOCKER FOR MAC > VIRTUALIZATION
  11. OVERVIEW (agenda slide, same as slide 2)
  12. DOCKER FOR MAC > NETWORKING
 Want to hide the gory details of virtualisation from the user. The Linux VM should be "invisible". Not solving this leads to many user complaints:
 VPN software and corporate installations do not like bridged virtual machines or custom routing. Result: container traffic cannot connect to the Internet.
 Services cannot be exposed on localhost or the external interface and are instead on the Linux VM IP address. Result: breaks common web OAuth workflows.
  13. DOCKER FOR MAC > NETWORKING
 Challenge #1: Deal with custom VPN software on the host that makes it difficult to bridge.
 Solution: VPNKit efficiently reconstructs container traffic into separate TCP/IP flows and translates them into native OSX/Windows sockets.
 [Diagram: container (RUN <...>) on the Linux host, attached to an Ethernet bridge with DHCPv4 and NTP; com.docker.hyperkit-net on the OSX host reconstructs the traffic into TCP flows and translates them to OSX socket calls]
  14. DOCKER FOR MAC > NETWORKING
 Challenge #1: Deal with custom VPN software on the host that makes it difficult to bridge.
 Benefit: All network traffic is generated from normal socket calls (e.g. gethostbyaddr) on the Mac, so it interacts well with firewalls, VPNs, and any local security policies.
 [Diagram: same as slide 13]
  15. DOCKER FOR MAC > NETWORKING
 Challenge #2: Services publishing ports should be exposed on localhost without needing VM info.
 Solution: VPNKit forwards container port requests to an OSX service which binds them natively on its external interface.
 [Diagram: container (RUN <...>, EXPOSE) on the Linux host, with a port service, VSock listener and userland proxy; a VSock binder and privileged port service on the OSX host]
  16. DOCKER FOR MAC > NETWORKING
 Challenge #2: Services publishing ports should be exposed on localhost without needing VM info.
 Benefits: docker run -P on the Mac now works without requiring any knowledge of the VM innards. External OAuth workflows operate with web apps.
 [Diagram: same as slide 15]
  17. DEMO: DOCKER FOR MAC > NETWORKING
  18. OVERVIEW (agenda slide, same as slide 2)
  19. DOCKER FOR MAC > STORAGE
 Challenge #1: Share an arbitrary OSX directory tree into a Linux container without requiring extensive modification of either side.
 Solution: Use a FUSE forwarding layer and translate Linux filesystem calls to OSX equivalents.
 [Diagram: container (VOLUME) on the Linux host, served through FUSE; com.docker.osxfs on the OSX host tracks extra metadata and translates to OSX filesystem calls]
  20. DOCKER FOR MAC > STORAGE
 Challenge #1: Need filesystem activation so events on the Mac wake up container servers and vice versa.
 Solution: osxfs uses the FSEvents API and injects inotify activation events into the container.
 [Diagram: container (VOLUME) on the Linux host, served through FUSE; com.docker.osxfs on the OSX host, with FSEvents watching open files; events from Linux cause OSX apps to wake up]
  21. DEMO: DOCKER FOR MAC > STORAGE
  22. DOCKER FOR MAC: MULTI-CPU ARCH
 $ docker run resin/armv7hf-debian uname -a
 Linux 7ed2fca7a3f0 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 armv7l GNU/Linux
 $ docker run justincormack/ppc64le-debian uname -a
 Linux edd13885f316 4.1.12 #1 SMP Tue Jan 12 10:51:00 UTC 2016 ppc64le GNU/Linux
  23. OVERVIEW (agenda slide, same as slide 2)
  24. DOCKER CLOUD: SECURITY SCANNING
  25. DOCKER CLOUD: SECURITY SCANNING
 Deep visibility into security profile
 Continuous monitoring and notifications
 Secure across the content lifecycle
  26. DEMO: DOCKER CLOUD: SECURITY SCANNING
  27. OVERVIEW (agenda slide, same as slide 2)
  28. DOCKER CLOUD: AUTOMATION
 [Pipeline diagram: stages Dev, Build, Deploy, Manage; CI and CD; code repo and image repo; monitoring, logging and scaling]
  29. DEMO: DOCKER CLOUD: AUTOMATION
  30. THANK YOU!
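Slide 8 shows `docker info` output from the Docker for Mac VM (Alpine Linux, a `4.4.9-moby` kernel, aufs storage). When checking what a development host's daemon actually reports, it helps to parse that plain-text output rather than read it by eye. The following is an added example, not code from the slides or from Docker's own tooling. It assumes the 1.11-era `docker info` layout in which sub-fields are nested under their parent with one extra space of indentation; the sample text is a constructed reproduction of the values on the slide, and the "Alpine Linux plus `-moby` kernel" check is a heuristic inferred from that output alone.

```python
"""Parse the plain-text output of `docker info` into a nested dict so that the
daemon's version, storage driver and the VM kernel it reports can be checked
programmatically instead of by eye.

Added example, not part of the original slides. The sample output below is a
constructed reproduction of the values shown on slide 8; the 1.11-era format
nests sub-fields under their parent with one extra space of indentation.
"""
from __future__ import annotations

# Constructed sample: values copied from the slide, laid out as `docker info` prints them.
SAMPLE_DOCKER_INFO = """\
Containers: 358
 Running: 13
 Paused: 0
 Stopped: 345
Images: 485
Server Version: 1.11.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host
Kernel Version: 4.4.9-moby
Operating System: Alpine Linux v3.3
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.858 GiB
"""


def _child_dict(parent: dict, key: str) -> dict:
    """Return parent[key] as a dict, promoting a plain value to {"_value": value}
    the first time a nested line appears under it (e.g. "Storage Driver: aufs"
    followed by " Root Dir: ...")."""
    node = parent.get(key)
    if isinstance(node, dict):
        return node
    node = {} if not node else {"_value": node}
    parent[key] = node
    return node


def parse_docker_info(text: str) -> dict:
    """Build a nested dict from `docker info` output using indentation depth."""
    root: dict = {}
    # Each entry is (indent, dict holding the line, key of the line in that dict).
    stack: list[tuple[int, dict, str]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        # Pop back to the nearest less-indented line: that line is our parent.
        while stack and indent <= stack[-1][0]:
            stack.pop()
        container = root if not stack else _child_dict(stack[-1][1], stack[-1][2])
        container[key] = value
        stack.append((indent, container, key))
    return root


def value(info: dict, *path: str) -> str:
    """Look up a (possibly nested) field and return the scalar value at that key."""
    node = info
    for key in path:
        node = node[key]
    return node["_value"] if isinstance(node, dict) else node


def is_moby_vm(info: dict) -> bool:
    """Heuristic inferred from the slide's output: the Docker for Mac VM reports
    an Alpine Linux OS and a kernel version tagged "-moby"."""
    return (value(info, "Kernel Version").endswith("-moby")
            and value(info, "Operating System").startswith("Alpine Linux"))


def container_counts_consistent(info: dict) -> bool:
    """Sanity check: Running + Paused + Stopped must equal the Containers total."""
    total = int(value(info, "Containers"))
    parts = sum(int(value(info, "Containers", k)) for k in ("Running", "Paused", "Stopped"))
    return total == parts


if __name__ == "__main__":
    info = parse_docker_info(SAMPLE_DOCKER_INFO)
    print("Server Version:", value(info, "Server Version"))
    print("Root Dir:", value(info, "Storage Driver", "Root Dir"))
    print("Docker for Mac VM kernel:", is_moby_vm(info))
    print("Container counts consistent:", container_counts_consistent(info))
```

Feeding the real output of `docker info` to `parse_docker_info` in place of the constructed sample gives the same nested structure; the indentation-based parser handles any depth, so extra fields newer daemons print are picked up without changes.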
