Shrinking the container_zurich_july_2018

My talk to the Zurich Docker meetup (25/07/18) on microcontainers, smith and crashcart

Published in: Technology

  1. Shrinking the Container @ewanslater
  2. Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  3. Take-aways
     • Make smaller things
     • Only pack what you need
     • Use the smallest container
  5. Software
  6. Responsibility
  8. When I wrote FORTRAN… £140
  9. When I wrote FORTRAN… £140 £40
  10. When I wrote FORTRAN… £140 £40 £100
  11. The less you care about, The Happier you are
  12. Enterprise Software
     • Multiple responsibilities
     • Difficult to deploy
     • Difficult to scale
  13. Lack of Agility
     • “too big to fail” → “too difficult to change”
       – Technical risk
       – Political risk
     • “it would take us two years to deploy hello world”
       – Public sector customer Finland
  16. All the Little Things
     • Want better apps?
     • Make smaller things
     • Have them know as little as possible about each other
     Talk by Sandi Metz: https://youtu.be/8bZh5LMaSmE
  17. Make smaller things*
     * Things == Objects || Services || Applications
  18. Small things* are easy to change
     * Things == Objects || Services || Applications
  19. Monoliths → Microservices
  20. Microservices
     • Do one thing well
     • Loosely coupled
     • Choreography > Orchestration
     • Business capabilities not tech layers
  21. Infrastructure
  23. Diminished Responsibility
     • Server
       – Hardware
       – OS
       – Multiple services and applications
     • VM
       – OS
       – Single service or application (typically)
     • Container
       – Single service or application
  24. A Case Study
  25. SaaS Startup
     • Monolithic Rails app
     • Running on VMs
     • Inflexible scaling (whole app only)
     • Measure inflexibility in $
     • Need to
       – Improve Scalability
       – Improve Utilisation
       – Lower Costs
  26. Splitting the Monolith
     • Refactor app
     • Set of Microservices
     • Image per Microservice
     • Choreography
  27. Result
     • Fine-grained scalability
     • Event-driven
     • Improved utilisation
     • Lower costs
  28. Houston, we have an opportunity…
  29. …and a challenge…
  30. “Docker makes building containers a breeze. Just put a standard Dockerfile into your folder, run the docker ‘build’ command, and shazam! Your container image is built! The downside of this simplicity is that it’s easy to build huge containers full of things you don’t need—including potential security holes.” - Sandeep Dinesh, Google Developer Advocate (see https://goo.gl/76GPcd)
  31. Containers @ Oracle
  32. Operational Differences
     • Immutability
     • Rebuild / Redeploy vs Patching
     • Build toolchain vs Config Management tools
  33. Worst Practices
     • Developers without operational awareness
     • Multiple applications per container
     • Container Bloat
     • Handling of security vulnerabilities
  34. Security Matters
     • Privilege escalation
       – Whole Linux user space → bigger attack surface
       – Compromise app → expose other vectors
     • Vulnerability management
       – Can’t patch a running container
       – What does the app really need to run?
       – What do I really need to patch?
  35. Size Matters
     • Large images
       – Often > 1GB in size
       – FROM Debian
       – Alpine can help, but brings its own problems
     • Bloat
       – "You wanted a banana but what you got was a gorilla holding the banana and the entire jungle" – Joe Armstrong
  36. Enter Microcontainers
  37. A Microcontainer
     • Contains only
       – Single executable
       – Dependencies (of the executable)
     • Runs with a read only root filesystem
     • Files are all owned and read by a single user
  38. Result
     • Small image
     • Fast, easy distribution
     • Smaller attack surface
     • Certainty over vulnerabilities
  40. containers lean
  41. Builder Pattern
     • Development Dockerfile
       – Creates “fat” development image
     • Production Dockerfile
       – Creates “lean” production image
     • Build script to extract and copy
     • Difficult to maintain
     • Messy
  42. Multi Stage Builds (since Docker 17.05)
     • Single Dockerfile
     • Create successive images
       – (can use different bases)
     • Copy from image n to image n+1
     • Single, final image
  43. If I had a hammer…
     • Single layer
     • Automatic Dependency Resolution
     • Enables best practice:
       – Single user
       – Idempotent builds
       – More secure images
     • No overlayfs
  44. Smith (http://github.com/oracle/smith)
     • Open Source
       – Apache License 2.0
       – Universal Permissive License
     • Command line tool for
       – Building Microcontainer images
         • yum repos
         • rpm files
       – Shrinking existing containers
         • Standard image in → Microcontainer image out
  45. Process
     • If shrinking
       – Download image in OCI format
       – Or point to URL
     • Define a smith.yaml file
     • Run smith
     • Upload in OCI format to Docker repo
  46. How it works:
     • Packages new OCI image
     • Creates single layer
     • Loads library search paths and recursively copies dependencies
     • Copies out files from paths in smith.yaml
     • Unpacks layers
  47. For best results
     • Build a Big Fat Image
     • Hammer it with Smith
     • Easier & quicker than Multi Stage Build
       – YMMV (unless you have a self contained binary)
  48. What if…?
  49. Don’t…
     • Run sshd
     • Login with ssh
     • Embed debug tools
     • Docker exec to get prompt
  50. Challenges
     • Can’t just mount a directory into the container on the fly
       – Restart - may be difficult to recreate conditions
     • Most tools expect to be in their own directory
     • Paths
     • Library conflicts
  51. Requirements
     • Debug tools happy with alternate location
     • Static library dependencies → avoid conflict with container libraries
     • Focus on solving problem, not hacking container.
  52. Crashcart (http://github.com/oracle/crashcart)
     • Open Source
       – Apache License 2.0
       – Universal Permissive License
     • Simple command line tool
     • “Sideloads” an image with Linux binaries (debug tools) into an existing container
  53. Crashcart
     • Attach to pid of container
     • Mounts crashcart image
     • Run binaries from crashcart image
     • Detach & unmount
  54. Whatever works best for you
  55. Get involved
     • Fork Smith and Crashcart on GitHub
     • Try the labs for Smith and Crashcart
     • Get in touch via Slack
     • Contribute
  56. Take-aways
     • Make smaller things
     • Only pack what you need
     • Use the smallest container
     • Benefits
       – Simplicity
       – Agility
       – Security
  57. ewan.slater@oracle.com @ewanslater https://plus.google.com/+EwanSlater
  58. Questions?
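
The microcontainer properties on slides 34, 37 and 49 (a single executable plus its dependencies, files owned by a single user, no embedded shells or debug tools) can be checked against an unpacked image root filesystem. The audit below is an added example, not part of the talk and not Smith's own code; the function names, the `.so` filename heuristic for shared libraries and the sample tree are assumptions.

```python
import os
import stat
import tempfile

def audit_rootfs(root, entrypoint):
    """Check an unpacked image root filesystem against the microcontainer
    properties from the slides. Returns a sorted list of (finding, detail)."""
    findings, owners = [], set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of root
            rel = "/" + os.path.relpath(full, root)
            owners.add(st.st_uid)
            if not stat.S_ISREG(st.st_mode):
                continue
            # setuid/setgid files are a privilege-escalation vector (slide 34)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-or-setgid", rel))
            # Assumption: shared objects are recognised by ".so" in the name
            is_lib = ".so" in os.path.basename(rel)
            if st.st_mode & 0o111 and rel != entrypoint and not is_lib:
                findings.append(("extra-executable", rel))
    if len(owners) > 1:  # slide 37: all files owned by a single user
        findings.append(("multiple-owners", ",".join(map(str, sorted(owners)))))
    if not os.path.isfile(os.path.join(root, entrypoint.lstrip("/"))):
        findings.append(("missing-entrypoint", entrypoint))
    return sorted(findings)

def build_sample_rootfs(root):
    """Constructed sample tree (not a real image): one app and one library,
    plus a leftover shell and a setuid helper a microcontainer would not ship."""
    files = {
        "/app/server": 0o755,
        "/lib64/libc.so.6": 0o755,
        "/etc/app.conf": 0o644,
        "/bin/sh": 0o755,
        "/usr/bin/helper": 0o4755,
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0")
        os.chmod(full, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_rootfs(build_sample_rootfs(tmp), "/app/server"):
            print(finding)
```

To audit a real image, export its filesystem to a directory first (for example with `docker export` piped into `tar -x`) and pass that directory as `root`.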
