
Docker Enterprise Workshop - Technical

Docker Enterprise Workshop, more technical presentation:
- Docker 101
- Kubernetes in Docker
- Windows containers



  1. Docker Enterprise Workshop. Patrick Chanezon, @chanezon, March 2018
  2. French, polyglot, platforms, software plumber, San Francisco, Developer Relations, @chanezon
  3. Docker 101
  4. Example: Spring Boot app using MongoDB (spring-doge.jar)
     https://github.com/chanezon/docker-tips/tree/master/java-in-container-dev/spring-doge-workspace
     Modules: spring-doge, spring-doge-web, spring-doge-photo. API: Spring Boot, Spring Data. UI: AngularJS. Business logic: java.awt.
     Run the jar directly:
       java -Dserver.port=8080 -Dspring.data.mongodb.uri=mongodb://mongo:27017/test -jar spring-doge.jar
  5. Dockerfile for development

       # java:8 is a deprecated official image (superseded by openjdk); it no longer receives updates
       FROM java:8
       # MAINTAINER is deprecated; use LABEL maintainer="..."
       MAINTAINER Patrick Chanezon <patrick@chanezon.com>
       EXPOSE 8080
       COPY spring-doge/target/*.jar /usr/src/spring-doge/spring-doge.jar
       WORKDIR /usr/src/spring-doge
       # shell form so that $MONGODB_URI is expanded at run time; note there is no USER, so the JVM runs as root
       CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar

  6. Using Docker to compile your jar/war
     https://registry.hub.docker.com/_/maven/

       # mounts the workspace and a named volume for the Maven cache; the build runs in a throwaway container
       docker run -it --rm \
         -v $PWD:/usr/src/spring-doge \
         -v maven:/root/.m2 \
         -w /usr/src/spring-doge \
         maven:3.3-jdk-8 mvn package

  7. Build an image (same Dockerfile as slide 5)

       docker build -t chanezon/spring-doge .

  8. Dockerfile with multi-stage build

       # stage 1: build with the full JDK and Maven
       FROM maven:3.5-jdk-8 as builder
       MAINTAINER Patrick Chanezon <patrick@chanezon.com>
       COPY . /usr/src
       WORKDIR /usr/src
       RUN mvn package
       # stage 2: ship only the JRE and the jar; Maven, sources and the build cache stay in the builder stage
       FROM openjdk:8u131-jre
       EXPOSE 8080
       COPY --from=builder /usr/src/spring-doge/target/*.jar /usr/app/spring-doge.jar
       WORKDIR /usr/app
       CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
       # HEALTHCHECK requires a "CMD <command>" after the options (or NONE); the command is cut off on the slide,
       # and without it the build fails
       HEALTHCHECK --interval=5m --timeout=3s --retries=3
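The Dockerfiles above pull base images by floating tag, use the deprecated MAINTAINER instruction, run the JVM as root (no USER), and on this slide end with a HEALTHCHECK that has no CMD. The checker below is an added example, not code from the workshop or from Docker: it scans a Dockerfile for those points and carries the slide's multi-stage Dockerfile plus a hardened variant as constructed sample input. In the hardened variant the digests are placeholders, and the numeric UID, the curl health command and the SPRING_DATA_MONGODB_URI environment binding are assumptions about the runtime image and the app.

```python
"""Static review of the Dockerfiles shown on the slides (added example)."""
import re

# Constructed sample 1: the multi-stage Dockerfile from the slide, with the
# HEALTHCHECK line as truncated there (no CMD).
SLIDE_DOCKERFILE = """\
FROM maven:3.5-jdk-8 as builder
MAINTAINER Patrick Chanezon <patrick@chanezon.com>
COPY . /usr/src
WORKDIR /usr/src
RUN mvn package
FROM openjdk:8u131-jre
EXPOSE 8080
COPY --from=builder /usr/src/spring-doge/target/*.jar /usr/app/spring-doge.jar
WORKDIR /usr/app
CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
HEALTHCHECK --interval=5m --timeout=3s --retries=3
"""

# Constructed sample 2: the same build, hardened. The digests are placeholders
# (64 zero hex digits); use the real ones from `docker inspect`. Spring Boot's
# relaxed binding reads SPRING_DATA_MONGODB_URI from the environment, so the
# exec-form CMD needs no shell expansion of $MONGODB_URI. The health command
# assumes curl is present in the runtime image.
HARDENED_DOCKERFILE = """\
FROM maven:3.5-jdk-8@sha256:{z} AS builder
COPY . /usr/src
WORKDIR /usr/src
RUN mvn package
FROM openjdk:8u131-jre@sha256:{z}
EXPOSE 8080
COPY --from=builder /usr/src/spring-doge/target/*.jar /usr/app/spring-doge.jar
WORKDIR /usr/app
USER 65534:65534
CMD ["java", "-Dserver.port=8080", "-jar", "spring-doge.jar"]
HEALTHCHECK --interval=30s --timeout=3s --retries=3 CMD curl -f http://localhost:8080/ || exit 1
""".format(z="0" * 64)


def parse_instructions(text):
    """Yield (INSTRUCTION, arguments) pairs. Joins backslash continuations and
    drops comments and blank lines; not a full BuildKit parser."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, args = line.partition(" ")
            yield instr.upper(), args.strip()


def check_dockerfile(text):
    """Return [(severity, message)] findings; an empty list means clean."""
    findings = []
    instrs = list(parse_instructions(text))
    from_idx = [i for i, (ins, _) in enumerate(instrs) if ins == "FROM"]
    if not from_idx:
        return [("error", "no FROM instruction")]
    stage_names = set()
    for ins, args in instrs:
        if ins == "FROM":
            words = args.split()
            ref = words[0]
            if len(words) == 3 and words[1].upper() == "AS":
                stage_names.add(words[2])
            if ref in stage_names or ref == "scratch":
                continue  # reference to an earlier stage, or the empty image
            if "@sha256:" not in ref:
                findings.append(("warn", f"base image not pinned by digest: {ref}"))
            tag_part = ref.split("@")[0].rsplit("/", 1)[-1]
            if ":" not in tag_part or tag_part.endswith(":latest"):
                findings.append(("warn", f"base image uses a floating tag: {ref}"))
        elif ins == "MAINTAINER":
            findings.append(("info", "MAINTAINER is deprecated; use LABEL maintainer=..."))
        elif ins in ("CMD", "ENTRYPOINT") and not args.startswith("["):
            findings.append(("info", f"{ins} in shell form: /bin/sh -c becomes PID 1 and SIGTERM "
                                     "may never reach the application; prefer exec form"))
        elif ins == "HEALTHCHECK" and args.upper() != "NONE" and " CMD " not in f" {args} ":
            findings.append(("error", "HEALTHCHECK has no CMD; the build fails"))
    # Only the final stage ships, so only its USER matters.
    if not any(ins == "USER" for ins, _ in instrs[from_idx[-1]:]):
        findings.append(("warn", "final stage has no USER instruction: container runs as root"))
    return findings


if __name__ == "__main__":
    for name, text in (("slide", SLIDE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(text) or "clean")
```

The checker is deliberately narrow: it does not inspect what the image contains, only what the Dockerfile declares, which is the part a code review sees before `docker build` runs.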
  9. Run a container

       docker run --env MONGODB_URI=mongodb://mongo:27017/test -p 8090:8080 chanezon/spring-doge

     The hostname mongo must resolve from inside the container, so run the MongoDB container on the same user-defined network (or use docker-compose, next slide).
  10. docker-compose: running multiple containers
      ● Run your stack with one command: docker-compose up
      ● Describe your stack with one file: docker-compose.yml

        version: '3.3'
        services:
          web:
            image: chanezon/spring-doge
            ports:
              - "8080:8080"
            environment:
              - MONGODB_URI=mongodb://mongo:27017/test
          mongo:
            image: mongo

      The mongo service publishes no port and is reachable only on the compose network, but it runs without authentication, so every container on that network can read and write the database.

  11. docker stack deploy
      ● Deploy your stack with one command: docker stack deploy -c docker-compose.yml <stack-name>
      ● Describe your stack with one file: docker-compose.yml

        version: '3'
        services:
          web:
            image: chanezon/spring-doge
            ports:
              - "8004:8080"
            environment:
              - MONGODB_URI=mongodb://mongo:27017/test
            depends_on:
              - mongo
            deploy:
              replicas: 2
              update_config:
                parallelism: 2
                delay: 10s
              restart_policy:
                condition: on-failure
          mongo:
            image: mongo

      The deploy: section is honoured only by docker stack deploy, and depends_on is ignored in swarm mode, so web must tolerate mongo not being up yet. The published port 8004 is opened in ingress mode on every node of the swarm, not only the node running the task.
  12. Docker Java labs
      https://github.com/docker/labs/tree/master/developer-tools/
      • Wildfly and Couchbase J2EE app
      • Debugging a Java app in Docker using Eclipse
  13. Docker and Microsoft
  14. Microsoft is an open source champion
  15. Docker & Microsoft: a great open source collaboration
  16. Docker for Windows, Docker for Azure
  17. Docker for Azure: making things simple for a great user experience. Azure building blocks used: Virtual Network, VMSS, Blob Storage, Azure LB, ARM, AAD
  18. Docker EE on Azure: free 30-day test drive from Docker Store
  19. Docker & Microsoft: collaboration on all fronts
      • Build: Docker for Windows; Docker EE for Windows Server; Visual Studio Tools for Docker; Visual Studio Code Docker extension
      • Ship: Visual Studio Team Services Docker integration; Azure Container Registry
      • Run: Docker EE in Azure Marketplace; Docker on Azure Stack
  20. Docker with Windows Server 1709
      • Docker Linux containers on Windows
      • Docker ingress-mode service publishing on Windows
      • Named pipes in Windows containers:

        > docker run -d -p 8080:8080 -v \\.\pipe\docker_engine:\\.\pipe\docker_engine friism/jenkins

        Mounting the engine's named pipe into a container hands that container full control of the Docker host (start privileged containers, mount host paths); treat it as host-administrator access and do it only for images you trust.
      • Smaller Windows base images: Nanoserver download 70MB
      https://blog.docker.com/2017/09/docker-windows-server-1709/
  21. .NET and ASP.NET Docker images & samples
      • Smaller Windows base images: Nanoserver download 70MB
      • Alpine images
      • Linux and Windows
      • Multi-stage build
      • Unit tests at build or run time
      https://github.com/dotnet/dotnet-docker/tree/master/samples
  22. Swarm Windows roadmap for Docker EE

      Version                   Release date   Highlights
      Docker EE 2.0.0 GA        Q1 2018        Only Windows Server 2016 (RS1) supported. Easy image compatibility: no. Ingress networking: no.
      Docker EE 2.0.x patches   Q2 2018        Adds Windows Server 1709 (RS3) support with partial features. Easy image compatibility: yes. Ingress networking: no.
      Docker EE 2.1             Q3 2018        Full support for Windows Server 1709. Easy image compatibility: yes. Ingress networking: yes. Tentative: Windows Server 1803 (RS4) support; possible new Windows LTSC version in Q3.

  23. Kube Windows known timelines (still assessing for EE roadmap)

      Q4 2017   Kube 1.9, beta support for Windows: Docker 17.06 engine; Windows Server 1709
      Q1 2018   Kube 1.10, beta support for Windows: Docker 17.06 engine; Windows Server 1709
      Q2 2018   Kube 1.11, GA support for Windows: Docker 17.06 engine; possibly containerd; Windows Server 1709 (RS3); Windows Server 1803 (RS4)
      H2 2018   Kube 1.x?, GA support for Windows: possibly containerd; Windows Server LTS release
  24. Kubernetes in Docker
  25. Lifecycle of a Kubernetes API request: client → Kubernetes API server → Authentication → Authorization → Admission Control → etcd
  26. Orchestrator: Docker Engine with swarm mode enabled
      ● github.com/docker/swarmkit
      ● Declarative state through the "Service" construct
      ● Built-in routing mesh and overlay networking
      ● In-memory Raft store for all state (persisted to disk)
      ● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints
  27. Orchestrator: Kubernetes
      ● github.com/kubernetes/kubernetes
      ● Scheduling unit: Pods
      ● Declarative state through "Controllers": Deployment, ReplicaSet, DaemonSet, ...
      ● Load balancing via Services and Ingresses
      ● Flat networking model delegated to plugins
  28. Kubernetes in Docker CE (Windows and Mac): a single Docker Engine inside a LinuxKit VM (hyperkit on Mac, Hyper-V on Windows) runs both swarm mode and Kubernetes (set up with kubeadm, state in etcd); the Docker CLI and Kubernetes CLI on the host talk to it, host filesystem mounts and vpnkit provide file sharing and networking, and a Compose CRD lets Compose files deploy to Kubernetes
  29. Kubernetes in Docker Desktop
  30. Docker EE now includes Kubernetes
      Docker Enterprise Edition: production ready; Windows and IBM P/Z support; Pods, batch jobs, blue-green deployments, horizontal pod auto-scaling
      Orchestrators: Docker Swarm (swarm mode), Kubernetes
      Platform services: private image registry; secure access and user management; app and cluster management; image security scanning; content trust and verification; policy management
  31. Kubernetes in Docker EE: GUI and Universal Control Plane; Trusted Registry; Kubernetes CLI and Docker CLI; Docker Engine (swarm mode) with Docker Swarm and Kubernetes running on it; etcd; CA; OIDC provider; node agent; reconciler
  32. Docker EE 2.0: a conformant Kubernetes distribution
  33. Docker EE architectural highlights
      ● Conformant Kubernetes components run as Docker containers
      ● Swarm managers are Kubernetes masters
      ● Swarmkit node inventory is the source of truth
      ● Cryptographic node identity and mTLS used throughout
  34. Uses of Kubernetes plugin interfaces
  35. Authentication
      ● X.509 client certificates
        ○ Used for authentication of kubectl and the docker CLI via the "client bundle" feature
      ● OpenID Connect identity provider
        ○ GUI sessions use a custom identity provider and a token exchange service to authenticate with the OIDC authentication plugin
  36. Authorization
      ● All requests authorized via the Authorization Webhook plugin
      ● Custom RBAC system shared between Swarm and Kubernetes:
        ○ Users, teams, organizations, service accounts
        ○ Custom roles
        ○ Hierarchical "grants"
      ● No support for the rbac.authorization.k8s.io API; future plans for API translation
  37. Admission control
      ● Allows plugins to inspect, mutate or reject API requests after authorization
      ● Used for:
        ○ Orchestrator selection
        ○ Linking nodes to namespaces
        ○ User impersonation for stacks
        ○ Image signing policy enforcement
  38. Orchestrator selection
      ● Each node runs both Kubernetes and swarm system components
      ● Administrators can toggle any given node between kubernetes, swarm or mixed
      ● When toggling orchestrators, workloads of the previous orchestrator are evicted
      ● An admission controller ensures that Kubernetes workloads can only be scheduled on nodes labelled as "kubernetes" nodes
      ● Workloads of multiple orchestrators on the same node can lead to resource contention
      Diagram: a manager node (K8s, Swarm) and worker nodes assigned to Swarm or to Kubernetes; every node runs both a kubelet and swarm agents.
  39. Linking nodes to namespaces
      ● Allows users to uniquely assign nodes to namespaces
      ● Variation of the PodNodeSelector admission controller integrated with UCP's RBAC system
  40. Image signing policy enforcement
      ● Enforces that all workloads deployed in the cluster have a fully qualified image reference
      ● Resolves image references to always include a digest
      ● Contacts the registry to ensure that the referenced image has been signed by an authorized user
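The three admission behaviours on slides 37 to 40 (keeping Kubernetes workloads on Kubernetes-labelled nodes, requiring fully qualified image references, and resolving each reference to a digest that an authorized signer has signed) fit in one validating and mutating webhook handler. The code below is an added example, not Docker EE or UCP code: it takes an AdmissionReview for a Pod CREATE, rejects images that are not fully qualified, unknown to the registry, or unsigned, and otherwise returns a JSON Patch that pins the image to its digest and adds the orchestrator nodeSelector. The registry contents, signers, image names (dtr.example.com/acme/...), and the node label name example.com/orchestrator are constructed for the example.

```python
"""Admission webhook logic for image policy and orchestrator selection (added example)."""
import base64
import json
import re

# Constructed registry stand-in: "host/repo" -> {tag: digest}
IMAGES = {
    "dtr.example.com/acme/spring-doge": {"1.4.2": "sha256:" + "a1" * 32},
    "dtr.example.com/acme/mongo": {"3.6": "sha256:" + "b2" * 32},
}
# Constructed trust data: digest -> set of signers (empty set = unsigned)
SIGNATURES = {"sha256:" + "a1" * 32: {"release-team"}, "sha256:" + "b2" * 32: set()}
AUTHORIZED_SIGNERS = {"release-team"}
ORCHESTRATOR_LABEL = "example.com/orchestrator"  # assumed node label name

# Fully qualified reference: explicit registry host, repository, and a tag
# and/or digest. A bare "spring-doge:latest" does not match.
IMAGE_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9-]+(?:\.[a-z0-9-]+)+|localhost)(?::\d+)?)/"
    r"(?P<repo>[a-z0-9._-]+(?:/[a-z0-9._-]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


def parse_image(ref):
    """Return host/repo/tag/digest for a fully qualified reference, else None."""
    m = IMAGE_RE.match(ref)
    if not m or not (m.group("tag") or m.group("digest")):
        return None
    return m.groupdict()


def resolve_digest(img):
    """Digest for the reference, or None if the registry does not know it."""
    if img["digest"]:
        return img["digest"] if img["digest"] in SIGNATURES else None
    return IMAGES.get(f"{img['host']}/{img['repo']}", {}).get(img["tag"])


def _review(response):
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def _deny(uid, message):
    return _review({"uid": uid, "allowed": False, "status": {"code": 403, "message": message}})


def admit(review):
    """Validate every container image, pin it to a digest, and force the
    nodeSelector that keeps the Pod on Kubernetes-orchestrated nodes."""
    req = review["request"]
    uid, spec = req["uid"], req["object"]["spec"]
    ops = []
    for i, c in enumerate(spec.get("containers", [])):  # initContainers omitted for brevity
        img = parse_image(c["image"])
        if img is None:
            return _deny(uid, f"image {c['image']!r} is not fully qualified (registry/repository:tag)")
        digest = resolve_digest(img)
        if digest is None:
            return _deny(uid, f"image {c['image']!r} is unknown to the registry")
        if not (SIGNATURES.get(digest, set()) & AUTHORIZED_SIGNERS):
            return _deny(uid, f"image {c['image']!r} ({digest}) is not signed by an authorized signer")
        if not img["digest"]:  # mutate: tag@digest keeps the tag readable but pins the content
            ops.append({"op": "replace", "path": f"/spec/containers/{i}/image",
                        "value": f"{img['host']}/{img['repo']}:{img['tag']}@{digest}"})
    selector = spec.get("nodeSelector")
    if selector is None:
        ops.append({"op": "add", "path": "/spec/nodeSelector", "value": {ORCHESTRATOR_LABEL: "kubernetes"}})
    elif selector.get(ORCHESTRATOR_LABEL) != "kubernetes":
        escaped = ORCHESTRATOR_LABEL.replace("~", "~0").replace("/", "~1")  # RFC 6901 escaping
        ops.append({"op": "add", "path": f"/spec/nodeSelector/{escaped}", "value": "kubernetes"})
    resp = {"uid": uid, "allowed": True}
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return _review(resp)


def decode_patch(review_response):
    """JSON Patch operations carried in an admission response ([] if none)."""
    patch = review_response["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


def make_review(images, node_selector=None):
    """Constructed AdmissionReview request for a Pod CREATE (minimal fields)."""
    spec = {"containers": [{"name": f"c{i}", "image": ref} for i, ref in enumerate(images)]}
    if node_selector is not None:
        spec["nodeSelector"] = dict(node_selector)
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "3f9c1c3e-0000-4000-8000-000000000001",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "operation": "CREATE", "namespace": "default",
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "metadata": {"name": "spring-doge"}, "spec": spec}}}


if __name__ == "__main__":
    for refs in (["dtr.example.com/acme/spring-doge:1.4.2"], ["dtr.example.com/acme/mongo:3.6"], ["spring-doge:latest"]):
        print(refs, json.dumps(admit(make_review(refs))["response"]))
```

In a real deployment the two tables are replaced by registry and trust (Notary) lookups, and the handler sits behind a TLS endpoint registered through a MutatingWebhookConfiguration; the decision logic, and in particular rejecting rather than silently rewriting unqualified or unsigned references, stays the same.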
  41. Docker Enterprise Workshop
  42. Hybrid app, v1 and v2
  43. Instructions
      • Signup: ask karen.bajza@docker.com to plan your workshop and provide you the URL
      • Instructions: https://github.com/dockersamples/ee-workshop
      • Code: https://github.com/dockersamples/hybrid-app
  44. Thank you! chanezon, @chanezon
