Successfully reported this slideshow.
Your SlideShare is downloading. ×

Docker in the Oracle Universe / WebLogic 12c / OFM 12c

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad

Check these out next

1 of 70 Ad
Advertisement

More Related Content

Slideshows for you (20)

Advertisement
Advertisement

Docker in the Oracle Universe / WebLogic 12c / OFM 12c

  1. 1. munz & more Docker In the ORACLE Universe OTN Tour APAC / South America / 2016 Dr. Frank Munz
  2. 2. 2 •Frank Munz •Founded munz & more in 2007 •15 years Oracle Middleware, Cloud, and Distributed Computing •Consulting and High-End Training •Wrote two Oracle and one Cloud book
  3. 3. Docker
  4. 4. ... some basics
  5. 5. “Docker wasn’t on anyone’s agenda for 2014. It’s on every ones roadmap for 2015.” Adrian Cockroft Netflix
  6. 6. #OOW2014 ”... Docker?”
  7. 7. Docker • Open Source (evolving), written in Go • Container technology • Portable standard • Runs on Linux (Microsoft, MacOS, Solaris) Google starts 2.000.000.000 containers per week!
  8. 8. Virtualization vs. Isolation munz & more #8 Linux + Docker Hardware a.war Docker container in Linux with own FS, network stack / IP address, process space and resource limits -> Isolation Hardware OVM / VmWare ESX / Xen Application 1 Solaris Application 2 Linux Application 3 Win Server Virtualization type 1 hypervisor = on bare metal Hardware Mac OS / Win Desktop Virtualization: type 2 hypervisor = with host OS ejb.jar y.jar x.py JDK WebLogic tools Jython VirtualBox Application1 Linux Application2 Win
  9. 9. Docker munz & more #9 Linux + Docker Hardware a.war ejb.jar y.jar x.py JDK WebLogic tools Jython Docker is not a lightweight VirtualBox - it's about isolation. Containers run on Linux kernel of host -> Containers are visible on host
  10. 10. Docker Images • Package format • Layered incremental, copy on write file system • “Application with all dependencies” • Create image yourself or get it from Docker Hub docker images munz & more #10 Example Layers: - WLS Domain - WebLogic - Java - Base Image
  11. 11. Docker Container • Isolated runtime of Docker image • Starts up in milliseconds • Sandboxing uses Linux namespaces and cgroups (RAM, CPU, filesystem) -> isolated part of your Linux • Open Container Standard / Linux Foundation docker run -d –p 3333:9999 fmunz/micro munz & more #11
  12. 12. Solves the “Worked For Me!” issue munz & more #12 OS tools, JDK, patches, database driver, libs, appserver, domain, deployment, tools, scripts Docker OS utils, JDK, patches, database driver, libs, appserver, domain, deployment, tools, scripts Integration, Performance, Acceptance Testing Production dockerize it! You can pass environment variables for specific settings e.g. in prod Docker Registry
  13. 13. And Now Automate • Build Docker images for testing in continuous delivery pipeline • Use Jenkins / Hudson hooks or a maven plugin to create / start / stop /delete Docker containers munz & more #13
  14. 14. … automate, automate, automate Various maven plugins available, e.g. R. Huss (Jolokia REST-JMX bridge): https://github.com/rhuss/docker-maven-plugin munz & more #14
  15. 15. Dockerfile Manually create container with docker buildDockerfile Docker Image Automatic build +
  16. 16. Dockerfile munz & more #16 Manually create container: docker build –t name .
  17. 17. the registry
  18. 18. Registry Public Hosted registry: • Docker image is not found? pulled from registry • Push your image to registry docker push yourname/newimage • Free account includes 1 private registry Private On Premise Registry: containerized registry for download with fs and optional in-memory, S3, or Azure data store munz & more #18
  19. 19. what could be your biggest nightmare: unknown and unofficial images (>14000) Docker Registry
  20. 20. Automated Builds • Automatically build your images: GitHub account with Dockerfile • Registry uses GitHub directory structure as build context • Image is uploaded automatically to Docker hub -> Trust, up to date, and transparent
  21. 21. clouds
  22. 22. Docker in the Cloud? Supported by every major cloud provider: munz & more #22 On premise -> all clouds Docker Registry Docker Container Service EC2 Container Service Google Container Engine Azure Container Service Bluemix Containers
  23. 23. Oracle Cloud and Docker Oracle Container Cloud Service (announced) • You can run your Docker containers and orchestrate them • This will work with a public registry Application Container Cloud Service • Uses Docker containers to run your Java or JavaScript application Compute Cloud Service • Manually run your containers munz & more #23
  24. 24. munz & more #24
  25. 25. OCCS Preview @ OOW 2016 munz & more #25
  26. 26. OCCS @ OOW 2016 We run the first public Docker image (mine!) on OCCS at OOW 2016. munz & more #26
  27. 27. munz & more #27
  28. 28. demo?
  29. 29. Small Images / Microservices You can have a real service in ... Possible Options: busybox and static binary munz & more #29
  30. 30. Simple Life Inside Container munz & more #30 processes FS mounts
  31. 31. #3 Security
  32. 32. $ docker run -d –p 8080:9999 fmunz/micro
  33. 33. vs.
  34. 34. Mistery Box A stranger gives you a box at night and asks you to connect it to your company network. Would you do it?
  35. 35. Suggestions • Use trusted images / with known Dockerfile • Kernel features are well established – cgroups (2006, merged into 2.6.24 kernel) – namespaces (initial kernel patch 2.4.19) • Docker can use TLS (client to daemon) • Docker images can be signed • Think (twice) about pulling images from public repos / Docker hub munz & more #35
  36. 36. FUD "Docker is like chroot() on steroids." Yes: It's easy to escape chroot() environment No: Docker does not use chroot() -> it uses namespaces munz & more #36
  37. 37. Linux Capabilities • Privileged container: like having root on host • Capabilities -> Break down power of root • Examine PID 1 capabilities with getpcaps: munz & more #37
  38. 38. "Containers don't contain!" Quote by D. Walsh, Mr. SE Linux <- !! SELinux = what a process is able to do based on rules. Enforcement: containerProcessType can only read/exec /user files and only write to containerFilesType munz & more #38 A really bad idea: setenforce 0
  39. 39. … more Suggestions • Drop privileges as quickly as possible • Treat root in container as root outside (although it isn't) • No secrets in images • Combine Docker with SELinux, AppArmor and / or virtualization • Host can always access container Note: Public PaaS do not simply spin up Docker containers! munz & more #39
  40. 40. Cheat Sheet munz & more Source: Container-Solutions.com
  41. 41. Conclusion • You have to deal with Docker security depending on your use case • Note: Public PaaS are not just spinning up Docker containers they use SELinux, VMs,… • Docker is not a risk per se but new technology with different challenges. munz & more #41
  42. 42. Docker in Production?
  43. 43. WebLogic in a Docker Container!
  44. 44. Docker Style • Independent appserver in container • Microservices style architecture • Just add your favorite Docker cluster manager munz & more #44 OS tools, JDK, database driver, libs, appserver, single / selfcontained domain, deployment, tools, scripts
  45. 45. JDK, WLS, Domain createServer.sh: creates machine/NM, starts NM, creates manServ, starts manServ Links (OLD): WebLogic Example munz & more #45 $docker run -d --link wlsadmin:wlsadmin fmdom1 createServer.sh $docker run -d -p 8001:8001 --name=wlsadmin fmdom1 startWebLogic.sh JDK, WLS, Domain startWebLogic.sh starts AdminServer wlsadmin JDK, WLS, Domain createServer.sh: creates machine/NM, starts NM, creates manServ, starts manServ connect to admin due to --link: /etc/hosts 172.17.1.99 wlsadmin 31a1baaf OLD STYLE! Use Networks now…port 8001 IP:port 7001 Managed Servers --link
  46. 46. Docker in the Oracle Universe
  47. 47. Oracle Product in Docker Official Support? GlassFish MySQL yes NoSQL OpenJDK Oracle Linux yes OracleCoherence yes OracleDatabase Dockerfile avail OracleHTTPServer yes OracleJDK yes OracleTuxedo yes OracleWebLogic yes #47^ Oracle support does not require you to use the provided Docker files!
  48. 48. https://github.com/oracle/docker-images munz & more #48
  49. 49. WebLogic: What Do You Get? • NOT WebLogic from Docker registry • NO automatic build via github • Github repo with scripts to set up WebLogic on Oracle Linux in Docker • Generic distribution • Docker is a supported environment for WebLogic 12.1.3+ munz & more #49
  50. 50. Just Drop Server JRE and WLS Installer munz & more #50 $ cd java-8 $ docker build -t oracle/jdk:8 . Sending build context to Docker daemon 4.096 kB Step 1 : FROM oraclelinux:latest latest: Pulling from library/oraclelinux 10ec637c060c: Downloading 4.865 MB/97.84 MB ... $ sh buildDockerImage.sh -g -v 12.2.1.1 ...
  51. 51. Dockerfile $docker build -t wls:latest . Dockerfile and Scripts (from Oracle github) WebLogic Docker Image (no domain)
  52. 52. Extend the WLS-only image Sample script provided: • Dockerfile to extend WLS image • Run WLST script to create domain • Create boot.properties • Expose NM, Server ports munz & more #52 Linux Base Image JDK Image WebLogic Image WLS Domain Image
  53. 53. Docker Compose munz & more #53 docker-compose.yml With –f you can have multiple Docker Compose YAML files
  54. 54. Docker Networking
  55. 55. Networking: Facts to Know • Docker --link only works on single host -> regarded as deprecated now • Networking supported since Docker 1.9 • SDN network that spans hosts: Libnetwork implements Container Networking Model (CNM): Endpoint / Network / Sandbox munz & more #55
  56. 56. Overlay Network munz & more #56
  57. 57. munz & more #57 OracleWebLogic/samples/1221-multihost:
  58. 58. Orchestration / Cluster Manager
  59. 59. Setup Swarm and Machine 1. Create Swarm ID 2. Create Machine with Swarm master 3. Create Machine with Swarm agent01 / 02 4. Set Docker env for Swarm master munz & more #59
  60. 60. Docker Swarm • Native Docker cluster -> same API as a single engine • Fast provisioning, about 500 msec • Scheduling Algo: spread, binpack, rand • Features are optional, you can continue use Kubernetes etc. • There is NO insecure mode J munz & more #60
  61. 61. Docker Swarm Since Docker 1.12 • Swarm is merged with Docker engine: – Load balancer included – Service discovery – Cluster scheduler • Swarm has many features like Google's Kubernetes - easier to get started munz & more #61
  62. 62. Docker Machine • Provision Docker in VirtualBox, Vmware, GCE, AWS, DigitalOcean etc. docker-machine create -d=virtualbox default • Mac OS's boot2docker is replaced by Docker Machine, which again is replaced by native Docker on Mac now munz & more #62
  63. 63. Updates Images? You could use Docker copy command – yet it’s not hip in the cloud to update. Just rebuild the container. munz & more #63 “Servers are cattle. Not pets.” -> immutable server
  64. 64. My Predictions • Swarm will take its share from Kubernetes. • You will not dockerize 90% of your enterprise IT in the next 18 months. • Docker is the new Linux. Be ready to experience that feeling we had with Linux 13 years ago J munz & more #64
  65. 65. Conclusion • Docker is ready for prime time! • Docker itself, but more so cluster managers are still evolving • Docker is not a security risk, but make sure to tick off the security checklist • Oracle caught the trend early – good! • Many products supported, more to come? munz & more #65
  66. 66. http://www.oracle.com/us/pro ducts/middleware/cloud-app- foundation/weblogic/weblogic -server-on-docker-wp- 2742665.pdf Oracle Whitepaper WebLogic on Docker
  67. 67. munz & more #67 Good Docker book by J. Turnbull (covering Docker 1.12)
  68. 68. Thank You!
  69. 69. tweet to win! #otntour AND @soacommunity @frankmunz +picture?
  70. 70. www.munzandmore.com/blog facebook.com/cloudcomputingbook facebook.com/weblogicbook @frankmunz youtube.com/weblogicbook -> more than 50 web casts Don’t be shy J

×