Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Containerize Everything!
@oscarrenalias github.com/oscarrenalias oscar.renalias@accenture.com oscar@renalias.net www.linkedin.com/oscarrenalias www...
This is going to be opinionated
Old-fashioned clients can run containers too!
Architecture nginx Tomcat TomcatTomcatTomcat PostgreSQL Solr
Architecture services Rundeck Yum repo & mirror Reverse proxy Docker Registry
Why containerize everything?
Simplified packaging, deployment and execution
Flexibly provision components on inflexible infrastructure
Better resource utilization
Anyone can have a production-like environment on their local workstation…
…or any other server
Our container principles
One single logical service per container
Containers are cattle, not pets
No SSH in containers
Try not to persist state in the container
Containers are independent (and unaware!) of where they’re running
Host port forwarding for network communication
How?
Container hierarchies base java tomcat service nginx postgres centos:6 frontend database Infra 1 Infra N
Building containers
Building containers automatically Publish artifacts Integration Test Build & unit test
Testing containers Container under test Test container: • Ruby • ServersSpec • ServerSpec Tests FROM …
Testing containers Container under test Test container
Storing containers Registry 2.0
Deploying and running containers Registry Container host Build & Publish Pull docker run
supervisor is your friend, if you need it
Application and container configuration Application container confd
Host Application and container configuration Application (container) Application configuration
Security
Run containers with their own user USER <user>
Keeping containers up-to- date base java tomcat service nginx postgres centos:6 frontend database Infra 1 Infra N OpenSSL ...
Be mindful of SELinux
Operating containers
Container state Real world: don’t keep it in the container if you can avoid it Ideal world: containers don’t have state vs
Logging • Write to host (and use external aggregator) • Log to standard output (< 1.6) • Standard output + syslog logging ...
Monitoring Container processes are just like any other process and service – use existing tools
The darker side of Docke
Immutable containers are fun… until there’s an urgent security update
Docker will keep evolving
Sooner or later you will be bitten by a weird interaction between Docker or kernel or PAM or SElinux/AppArmor, and a conta...
No version pinning in the registry: “centos:6, is that you? You looked different yesterday!”
Docker security needs attention from implementers https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=d...
Our lessons learned
Docker as a container engine *is* ready for production workloads
Docker works well as a convenient way of packaging, deploying and running applications
Containerizing everything does give you more flexibility…
…but be pragmatic
Dockerfiles are all you could possibly need to build containers
Start small – containerizing everything is a fair goal but takes time
Containerize everything - Wildcardconf 2015
Upcoming SlideShare
Loading in …5
×

Containerize everything - Wildcardconf 2015

1,138 views

Published on

Docker is definitely one of the hottest technologies at the moment and one that is already dramatically changing the way we build, package and deploy applications. In this session we’ll have a look at how a project got into a quest for containerizing most of their components and services while increasing the value delivered.

This presentation was delivered at Wildcard Conference 2015, on 16th of May 2015 in Riga

Published in: Technology
no profile picture user

  • Be the first to comment

Containerize everything - Wildcardconf 2015

  1. 1. Containerize Everything!
  2. 2. @oscarrenalias github.com/oscarrenalias oscar.renalias@accenture.com oscar@renalias.net www.linkedin.com/oscarrenalias www.slideshare.net/oscarrenalias
  3. 3. This is going to be opinionated
  4. 4. Old-fashioned clients can run containers too!
  5. 5. Architecture nginx Tomcat TomcatTomcatTomcat PostgreSQL Solr
  6. 6. Architecture services Rundeck Yum repo & mirror Reverse proxy Docker Registry
  7. 7. Why containerize everything?
  8. 8. Simplified packaging, deployment and execution
  9. 9. Flexibly provision components on inflexible infrastructure
  10. 10. Better resource utilization
  11. 11. Anyone can have a production-like environment on their local workstation…
  12. 12. …or any other server
  13. 13. Our container principles
  14. 14. One single logical service per container
  15. 15. Containers are cattle, not pets
  16. 16. No SSH in containers
  17. 17. Try not to persist state in the container
  18. 18. Containers are independent (and unaware!) of where they’re running
  19. 19. Host port forwarding for network communication
  20. 20. How?
  21. 21. Container hierarchies base java tomcat service nginx postgres centos:6 frontend database Infra 1 Infra N
  22. 22. Building containers
  23. 23. Building containers automatically Publish artifacts Integration Test Build & unit test
  24. 24. Testing containers Container under test Test container: • Ruby • ServersSpec • ServerSpec Tests FROM …
  25. 25. Testing containers Container under test Test container
  26. 26. Storing containers Registry 2.0
  27. 27. Deploying and running containers Registry Container host Build & Publish Pull docker run
  28. 28. supervisor is your friend, if you need it
  29. 29. Application and container configuration Application container confd
  30. 30. Host Application and container configuration Application (container) Application configuration
  31. 31. Security
  32. 32. Run containers with their own user USER <user>
  33. 33. Keeping containers up-to- date base java tomcat service nginx postgres centos:6 frontend database Infra 1 Infra N OpenSSL Bug! base java tomcat service nginx postgres frontend database Infra 1 Infra N
  34. 34. Be mindful of SELinux
  35. 35. Operating containers
  36. 36. Container state Real world: don’t keep it in the container if you can avoid it Ideal world: containers don’t have state vs
  37. 37. Logging • Write to host (and use external aggregator) • Log to standard output (< 1.6) • Standard output + syslog logging driver (>= 1.6)
  38. 38. Monitoring Container processes are just like any other process and service – use existing tools
  39. 39. The darker side of Docke
  40. 40. Immutable containers are fun… until there’s an urgent security update
  41. 41. Docker will keep evolving
  42. 42. Sooner or later you will be bitten by a weird interaction between Docker or kernel or PAM or SElinux/AppArmor, and a container
  43. 43. No version pinning in the registry: “centos:6, is that you? You looked different yesterday!”
  44. 44. Docker security needs attention from implementers https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.100
  45. 45. Our lessons learned
  46. 46. Docker as a container engine *is* ready for production workloads
  47. 47. Docker works well as a convenient way of packaging, deploying and running applications
  48. 48. Containerizing everything does give you more flexibility…
  49. 49. …but be pragmatic
  50. 50. Dockerfiles are all you could possibly need to build containers
  51. 51. Start small – containerizing everything is a fair goal but takes time

×