(without introducing more risk)
The Challenges of Container
Configuration
Puppet
Gareth Rushgrove
New capabilities and associated problems
@garethr
Configuration
What is it and why should I care
synonyms: design, grouping, marshalling
Marshalling your containers
- Immutability and containers
- Runtime vs build time
- Who configures the orchestrator?
Mainly Docker and Kubernetes
examples, but should be
generally applicable
Everything is
immutable now?
Assumptions vs reality
$ docker run -d ubuntu:16.04 /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"
$ docker exec a7a01beb14de touch /tmp/surprise
$ docker diff a7a01beb14de
C /tmp
A /tmp/surprise
Containers are not
immutable by default
$ docker run --read-only -d ubuntu:16.04 /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"
$ docker exec 379150b2cf05 touch /tmp/surprise
touch: cannot touch '/tmp/surprise': Read-only file system
Suggestion
Enable read-only where possible
Many applications won’t start with
a read-only filesystem
import logging
from logging.handlers import RotatingFileHandler

from flask import Flask

app = Flask(__name__)

@app.route('/')
def home():
    app.logger.info('log request')
    return "We'll never get to here"

if __name__ == '__main__':
    handler = RotatingFileHandler('app.log', maxBytes=10000, backupCount=1)  # opens app.log for writing at startup
    handler.setLevel(logging.INFO)
    app.logger.addHandler(handler)
    app.run(debug=True, host='0.0.0.0')
$ docker run --read-only -p 5000:5000 garethr/flaskapp
Traceback (most recent call last):
  File "app.py", line 14, in <module>
    handler = RotatingFileHandler('app.log', maxBytes=10000, backupCount=1)
  File "/usr/lib/python2.7/logging/handlers.py", line 117, in __init__
    BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/handlers.py", line 64, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/__init__.py", line 913, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib/python2.7/logging/__init__.py", line 943, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 30] Read-only file system: '/app/app.log'
tmpfs support added in
Docker 1.10
$ docker run --read-only --tmpfs /tmp \
    -d ubuntu:16.04 /bin/sh \
    -c "while true; do echo hello world; sleep 1; done"
$ docker exec 222331443d28 touch /tmp/surprise
$ docker diff 222331443d28
$ docker exec 222331443d28 ls /tmp
surprise
Suggestion
Use tmpfs only where needed
Remember
Without technical controls you
only have social guarantees
of immutability
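Added example (not from the original slides): one way to turn the read-only and tmpfs suggestions into a technical control, by auditing `docker inspect` records and `docker diff` output. The tmpfs allow-list and the function names are assumptions; the sample records are constructed around the container IDs shown above.

```python
import json

# Assumption: site policy listing where tmpfs is acceptable; not from the slides.
ALLOWED_TMPFS = {"/tmp", "/run"}

# Constructed sample: trimmed `docker inspect` records using the container IDs
# shown on the slides. Real output has full-length IDs and many more fields.
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "a7a01beb14de", "HostConfig": {"ReadonlyRootfs": false}},
  {"Id": "379150b2cf05", "HostConfig": {"ReadonlyRootfs": true, "Tmpfs": null}},
  {"Id": "222331443d28", "HostConfig": {"ReadonlyRootfs": true,
                                        "Tmpfs": {"/tmp": "", "/var/": ""}}}
]
""")

# `docker diff` output for the first container, as shown on the slides.
SAMPLE_DIFF = "C /tmp\nA /tmp/surprise\n"


def audit_container(info, allowed_tmpfs=ALLOWED_TMPFS):
    """Return policy findings for one `docker inspect` record."""
    host = info.get("HostConfig") or {}
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (started without --read-only)")
    # Writes to tmpfs never show up in `docker diff`, so every tmpfs mount is a
    # blind spot for drift detection and should be an explicit, reviewed choice.
    for path in sorted(host.get("Tmpfs") or {}):
        normalised = path.rstrip("/") or "/"
        if normalised not in allowed_tmpfs:
            findings.append(f"tmpfs mount {normalised} is outside the allow-list")
    return findings


def parse_diff(text):
    """Parse `docker diff` output into (kind, path) pairs; kind is A, C or D."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, path = line.strip().partition(" ")
        if kind not in ("A", "C", "D") or not path.startswith("/"):
            raise ValueError(f"unrecognised docker diff line: {line!r}")
        changes.append((kind, path))
    return changes


def drift(diff_text):
    """Return the changes that matter, dropping 'C <dir>' lines that only
    record that something underneath the directory changed."""
    changes = parse_diff(diff_text)
    paths = [path for _, path in changes]
    leaf = []
    for kind, path in changes:
        parent_only = kind == "C" and any(p.startswith(path + "/") for p in paths)
        if not parent_only:
            leaf.append((kind, path))
    return leaf


def audit_all(records, diffs):
    """Map container ID -> findings, for containers with at least one finding."""
    report = {}
    for info in records:
        cid = info["Id"]
        findings = audit_container(info)
        findings += [f"drift from image: {k} {p}" for k, p in drift(diffs.get(cid, ""))]
        if findings:
            report[cid] = findings
    return report


if __name__ == "__main__":
    for cid, findings in audit_all(SAMPLE_INSPECT, {"a7a01beb14de": SAMPLE_DIFF}).items():
        for finding in findings:
            print(cid, finding)
```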
Build vs Run
And the relationship between them
Given an image
- What machine built this image?
- Are all the licenses compatible?
- Who supports this image?
- Does this image contain malware?
Given a running container
- Who built it?
- How was it built?
- What software does it contain?
- Is the software up-to-date?
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y python-pip python-dev build-essential && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
RUN pip install flask
COPY . /app
WORKDIR /app
ENTRYPOINT ["python"]
CMD ["app.py"]
Where did this base image come from?
What packages are installed? At what version?
Where are those packages from?
What version of flask is this?
What was in this folder at build time?
The importance of time
How often are images rebuilt?
Rebuilding only on code change
ignores environmental factors
Versioning and metadata
LABEL vendor="ACME Incorporated" \
      com.example.is-beta="" \
      com.example.version="0.0.1-beta" \
      com.example.release-date="2015-02-12"
What time? What timezone?
$ docker inspect -f "{{json .Config.Labels }}" \
    4fa6e0f0c678 | jq
{
  "vendor": "ACME Incorporated",
  "com.example.is-beta": "",
  "com.example.version": "0.0.1-beta",
  "com.example.release-date": "2015-02-12"
}
Suggestion
Decide upon and enforce
metadata standards
LABEL com.example.git.repository="https://github.com/pupp
      com.example.git.sha="dc123cfb5ed4dca43a84be34a99d7c
      com.example.build.time="2016-04-24T15:43:05+00:00" \
      com.example.build.builder="jenkins1.example.com" \
      com.example.docs="https://github.com/puppetlabs/doc
      ...
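Added example (not from the original slides): a sketch of enforcing a label standard in CI against the JSON printed by `docker inspect -f "{{json .Config.Labels }}"`. The required keys follow the LABEL slide above; the rules themselves (namespaced keys, full commit id, https repository, timestamps with an explicit UTC offset) and the compliant sample values are assumptions.

```python
import json
import re
from datetime import datetime

NS = "com.example."  # namespace used on the slides
REQUIRED = ("git.repository", "git.sha", "build.time", "build.builder")
TIMESTAMP_KEYS = ("build.time", "release-date")
SHA_RE = re.compile(r"[0-9a-f]{40}")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})")

# Labels from the `docker inspect` output shown on the slides.
SLIDE_LABELS = {
    "vendor": "ACME Incorporated",
    "com.example.is-beta": "",
    "com.example.version": "0.0.1-beta",
    "com.example.release-date": "2015-02-12",
}

# Constructed compliant set; repository URL and commit id are placeholders.
GOOD_LABELS = {
    "com.example.git.repository": "https://example.com/acme/app",
    "com.example.git.sha": "0123456789abcdef0123456789abcdef01234567",
    "com.example.build.time": "2016-04-24T15:43:05+00:00",
    "com.example.build.builder": "jenkins1.example.com",
}


def timestamp_problem(value):
    """Return None for a full timestamp with an explicit UTC offset, else a reason."""
    if not TIME_RE.fullmatch(value):
        return "needs date, time and UTC offset (e.g. 2016-04-24T15:43:05+00:00)"
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return "is not a valid calendar date/time"
    return None


def validate_labels(labels):
    """Return a list of human-readable violations; an empty list means compliant."""
    problems = []
    for key in sorted(labels):
        if "." not in key:
            problems.append(f"{key}: key is not namespaced")
    for name in REQUIRED:
        if not labels.get(NS + name):
            problems.append(f"{NS}{name}: required label is missing or empty")
    sha = labels.get(NS + "git.sha")
    if sha and not SHA_RE.fullmatch(sha):
        problems.append(f"{NS}git.sha: not a full 40-character commit id")
    repo = labels.get(NS + "git.repository")
    if repo and not repo.startswith("https://"):
        problems.append(f"{NS}git.repository: not an https URL")
    for name in TIMESTAMP_KEYS:
        value = labels.get(NS + name)
        if value:
            reason = timestamp_problem(value)
            if reason:
                problems.append(f"{NS}{name}: {reason}")
    return problems


def validate_inspect_output(text):
    """Validate the raw JSON from docker inspect; an unlabelled image prints null."""
    return validate_labels(json.loads(text) or {})


if __name__ == "__main__":
    for problem in validate_labels(SLIDE_LABELS):
        print(problem)
```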
Suggestion
Embed Dockerfiles in images
$ docker inspect -f "{{json .Config.Labels }}" \
    garethr/alpine \
    | jq
{
  "net.morethanseven.dockerfile": "/Dockerfile",
}
$ docker run -i -t garethr/alpine cat /Dockerfile
FROM alpine
LABEL net.morethanseven.dockerfile="/Dockerfile"
RUN apk add --update bash && rm -rf /var/cache/apk/*
COPY Dockerfile /
Suggestion
Provide an API for your containers
$ docker inspect -f "{{json .Config.Labels }}" \
    garethr/alpine \
    | jq
{
  "com.example.api.packages": "apk info -vv"
}
$ docker run -i -t garethr/alpine apk info -vv
musl-1.1.11-r2 - the musl c library (libc) implementation
busybox-1.23.2-r0 - Size optimized toolbox of many common UNIX
alpine-baselayout-2.3.2-r0 - Alpine base dir structure and init
openrc-0.15.1-r3 - OpenRC manages the services, startup and shu
alpine-conf-3.2.1-r6 - Alpine configuration management scripts
DEMO
Who configures the
scheduler?
Higher level configuration
Schedulers/orchestrators abstract
you from
- Where individual containers run
- Balancing due to new resources
- Balancing due to failed resources
This results in a constraints
based system
Which means those constraints
need to be explicit and correct
$ docker daemon \
    --label com.example.environment="production" \
    --label com.example.storage="ssd"
$ docker run -d -P \
    -e constraint:storage==ssd --name db mysql
template:
  metadata:
    labels:
      app: guestbook
      tier: frontend
  spec:
    containers:
    - name: php-redis
      image: gcr.io/google_samples/gb-frontend:v4
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
      env:
      - name: GET_HOSTS_FROM
        value: dns
        # If your cluster config does not include a dns service, th
        # instead access environment variables to find service host
        # info, comment out the 'value: dns' line above, and uncomm
How do you manage properties
for all of your hosts?
Does this machine really have an SSD?
What if someone swaps the drive?
Suggestion
Use properties of hosts as labels
$ facter | head -n 20
architecture => x86_64
domain => local
facterversion => 2.4.6
fqdn => Pro.local
gid => staff
hardwareisa => i386
hardwaremodel => x86_64
hostname => Pro
id => garethr
interfaces => lo0,gif0,stf0,en0,p2p0,awdl0,en1,en2,bridge0,vboxnet0,vboxnet1,v
ipaddress => 192.168.0.5
ipaddress_en0 => 192.168.0.5
$ facter -j os | jq
{
  "os": {
    "name": "Darwin",
    "family": "Darwin",
    "release": {
      "major": "14",
      "minor": "5",
      "full": "14.5.0"
    }
  }
}
$ docker daemon \
    --label net.example.os=`facter operatingsystem` \
    --label net.example.virtual=`facter is_virtual` \
    --label net.example.kernel=`facter kernelversion` \
    ...
Orchestrators also tend to
introduce new higher-level
primitives
Docker Networks, Kubernetes
Services, ReplicationControllers,
Chronos Jobs
Many with imperative interfaces
$ kubectl get pod mypod -o yaml \
    | sed 's/\(image: myimage\):.*$/\1:v4/' \
    | kubectl replace -f -
$ docker network create bob
c0a0f4538d259515813b771264688d37aaedb41098379a0d73ec0ca08
$ docker network create bob
Error response from daemon: network with name bob already
And everything configured
in YAML
Code plus data has advantages
over data alone
"The language to represent the data should
be a simple, data-only format such as JSON
or YAML, and programmatic modification of
this data should be done in a real
programming language"
Borg, Omega, and Kubernetes, ACM Queue, Volume 14, issue 1, http://queue.acm.org/detail.cfm?id=2898444
- Avoid repetition
- Combine external inputs
- Correctness
- Abstractions
Suggestion
Use a higher level programming
tool for generating config data
jsonnet.org
$ cat test.jsonnet
// Example jsonnet file
{
  person1: {
    name: "Alice",
    welcome: "Hello " + self.name + "!",
  },
  person2: self.person1 { name: "Bob" },
}
$ jsonnet test.jsonnet | jq
{
  "person1": {
    "name": "Alice",
    "welcome": "Hello Alice!"
  },
  "person2": {
    "name": "Bob",
    "welcome": "Hello Bob!"
  }
}
$ jsonnet test.jsonnet | json2yaml
---
person1:
  name: "Alice"
  welcome: "Hello Alice!"
person2:
  name: "Bob"
  welcome: "Hello Bob!"
DEMO
garethr/kubernetes
kubernetes_pod { 'sample-pod':
  ensure   => present,
  metadata => {
    namespace => 'default',
  },
  spec     => {
    containers => [{
      name  => 'container-name',
      image => 'nginx',
    }]
  },
}
apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: sample-pod
spec:
  containers:
  - image: nginx
    name: container-name
controller_service_pair { 'redis-master':
  app  => 'redis',
  role => 'master',
  tier => 'backend',
  port => 6379,
}
apiVersion: v1
kind: Service
metadata:
  name: redis-master
  labels:
    app: redis
    tier: backend
    role: master
spec:
  ports:
    # the port that this service should serve on
  - port: 6379
    targetPort: 6379
  selector:
    app: redis
    tier: backend
    role: master
---
apiVersion: v1
kind: ReplicationController
metadata:
  name: redis-master
  # these labels can be applied automatically
  # from the labels in the pod template if not set
  labels:
    app: redis
    role: master
    tier: backend
spec:
  # this replicas value is default
  # modify it according to your case
  replicas: 1
  # selector can be applied automatically
  # from the labels in the pod template if not set
  # selector:
  #   app: guestbook
  #   role: master
  #   tier: backend
DEMO
Conclusions
New technology means old problems
The difference between how you
think something works and how
it actually works risks
hard-to-debug production issues
Containers introduce new and old
configuration problems
Configuration management
is the discipline aimed at
minimising those risks
Start with principles
- Identification
- Control
- Status accounting
- Verification
Military Handbook Configuration Management Guidance MIL-HDBK-61B
Apply them to your
container based
infrastructure today
Questions?
And thanks for listening
 
Swift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesSwift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift Microservices
 
Docker for Ruby Developers
Docker for Ruby DevelopersDocker for Ruby Developers
Docker for Ruby Developers
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Greach - The Groovy Ecosystem
Greach - The Groovy EcosystemGreach - The Groovy Ecosystem
Greach - The Groovy Ecosystem
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 
How to go the extra mile on monitoring
How to go the extra mile on monitoringHow to go the extra mile on monitoring
How to go the extra mile on monitoring
 
How to lock a Python in a cage? Managing Python environment inside an R project
How to lock a Python in a cage?  Managing Python environment inside an R projectHow to lock a Python in a cage?  Managing Python environment inside an R project
How to lock a Python in a cage? Managing Python environment inside an R project
 
Docker practice
Docker practiceDocker practice
Docker practice
 
Control your deployments with Capistrano
Control your deployments with CapistranoControl your deployments with Capistrano
Control your deployments with Capistrano
 
RichFaces - Testing on Mobile Devices
RichFaces - Testing on Mobile DevicesRichFaces - Testing on Mobile Devices
RichFaces - Testing on Mobile Devices
 
Guide to Node.js: Basic to Advanced
Guide to Node.js: Basic to AdvancedGuide to Node.js: Basic to Advanced
Guide to Node.js: Basic to Advanced
 
The 2016 Android Developer Toolbox [NANTES]
The 2016 Android Developer Toolbox [NANTES]The 2016 Android Developer Toolbox [NANTES]
The 2016 Android Developer Toolbox [NANTES]
 
Toolbox of a Ruby Team
Toolbox of a Ruby TeamToolbox of a Ruby Team
Toolbox of a Ruby Team
 

More from Gareth Rushgrove

Web operations
Web operationsWeb operations
Web operations
Gareth Rushgrove
 
Learnings from govuk
Learnings from govukLearnings from govuk
Learnings from govuk
Gareth Rushgrove
 
Varnish Caching
Varnish CachingVarnish Caching
Varnish Caching
Gareth Rushgrove
 
Vagrant and Configuration Management
Vagrant and Configuration ManagementVagrant and Configuration Management
Vagrant and Configuration Management
Gareth Rushgrove
 
Metrics with Ganglia
Metrics with GangliaMetrics with Ganglia
Metrics with Ganglia
Gareth Rushgrove
 
You're Going To Need A Bigger Toolbox
You're Going To Need A Bigger ToolboxYou're Going To Need A Bigger Toolbox
You're Going To Need A Bigger Toolbox
Gareth Rushgrove
 
Devops
DevopsDevops
Automating web site deployment
Automating web site deploymentAutomating web site deployment
Automating web site deployment
Gareth Rushgrove
 
Message Queues for Web Applications
Message Queues for Web ApplicationsMessage Queues for Web Applications
Message Queues for Web Applications
Gareth Rushgrove
 
Beyond basic web development
Beyond basic web developmentBeyond basic web development
Beyond basic web development
Gareth Rushgrove
 
Self Education for Web Professionals
Self Education for Web ProfessionalsSelf Education for Web Professionals
Self Education for Web Professionals
Gareth Rushgrove
 
App Engine for Python Developers
App Engine for Python DevelopersApp Engine for Python Developers
App Engine for Python Developers
Gareth Rushgrove
 
Testing Django Applications
Testing Django ApplicationsTesting Django Applications
Testing Django Applications
Gareth Rushgrove
 
Design Strategies for a Distributed Web
Design Strategies for a Distributed WebDesign Strategies for a Distributed Web
Design Strategies for a Distributed Web
Gareth Rushgrove
 
A First Class Web Citizen
A First Class Web CitizenA First Class Web Citizen
A First Class Web Citizen
Gareth Rushgrove
 
Parsing Microformats
Parsing MicroformatsParsing Microformats
Parsing Microformats
Gareth Rushgrove
 
Things you probably don't do (or tying to make project automation sexy)
Things you probably don't do (or tying to make project automation sexy)Things you probably don't do (or tying to make project automation sexy)
Things you probably don't do (or tying to make project automation sexy)
Gareth Rushgrove
 
Notes from (Web 2.0) Revolution
Notes from (Web 2.0) RevolutionNotes from (Web 2.0) Revolution
Notes from (Web 2.0) Revolution
Gareth Rushgrove
 
Rails flavoured OpenId
Rails flavoured OpenIdRails flavoured OpenId
Rails flavoured OpenId
Gareth Rushgrove
 
Shiny Content Management with Radiant
Shiny Content Management with RadiantShiny Content Management with Radiant
Shiny Content Management with Radiant
Gareth Rushgrove
 

More from Gareth Rushgrove (20)

Web operations
Web operationsWeb operations
Web operations
 
Learnings from govuk
Learnings from govukLearnings from govuk
Learnings from govuk
 
Varnish Caching
Varnish CachingVarnish Caching
Varnish Caching
 
Vagrant and Configuration Management
Vagrant and Configuration ManagementVagrant and Configuration Management
Vagrant and Configuration Management
 
Metrics with Ganglia
Metrics with GangliaMetrics with Ganglia
Metrics with Ganglia
 
You're Going To Need A Bigger Toolbox
You're Going To Need A Bigger ToolboxYou're Going To Need A Bigger Toolbox
You're Going To Need A Bigger Toolbox
 
Devops
DevopsDevops
Devops
 
Automating web site deployment
Automating web site deploymentAutomating web site deployment
Automating web site deployment
 
Message Queues for Web Applications
Message Queues for Web ApplicationsMessage Queues for Web Applications
Message Queues for Web Applications
 
Beyond basic web development
Beyond basic web developmentBeyond basic web development
Beyond basic web development
 
Self Education for Web Professionals
Self Education for Web ProfessionalsSelf Education for Web Professionals
Self Education for Web Professionals
 
App Engine for Python Developers
App Engine for Python DevelopersApp Engine for Python Developers
App Engine for Python Developers
 
Testing Django Applications
Testing Django ApplicationsTesting Django Applications
Testing Django Applications
 
Design Strategies for a Distributed Web
Design Strategies for a Distributed WebDesign Strategies for a Distributed Web
Design Strategies for a Distributed Web
 
A First Class Web Citizen
A First Class Web CitizenA First Class Web Citizen
A First Class Web Citizen
 
Parsing Microformats
Parsing MicroformatsParsing Microformats
Parsing Microformats
 
Things you probably don't do (or tying to make project automation sexy)
Things you probably don't do (or tying to make project automation sexy)Things you probably don't do (or tying to make project automation sexy)
Things you probably don't do (or tying to make project automation sexy)
 
Notes from (Web 2.0) Revolution
Notes from (Web 2.0) RevolutionNotes from (Web 2.0) Revolution
Notes from (Web 2.0) Revolution
 
Rails flavoured OpenId
Rails flavoured OpenIdRails flavoured OpenId
Rails flavoured OpenId
 
Shiny Content Management with Radiant
Shiny Content Management with RadiantShiny Content Management with Radiant
Shiny Content Management with Radiant
 

Recently uploaded

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 

Recently uploaded (20)

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

The Challenges of Container Configuration

  • 1. (without introducing more risk) The Challenges of Container Configuration Puppet Gareth Rushgrove New capabilities and associated problems
  • 2. Gareth Rushgrove @garethr
  • 4. Configuration: What is it and why should I care
  • 6. synonyms: design, grouping, marshalling
  • 7. Marshalling your containers
  • 8.
      - Immutability and containers
      - Runtime vs build time
      - Who configures the orchestrator?
  • 9. Mainly Docker and Kubernetes examples, but should be generally applicable
  • 10. Everything is immutable now? Assumptions vs reality
  • 12.
      $ docker run -d ubuntu:16.04 /bin/sh \
          -c "while true; do echo hello world; sleep 1; done"
  • 13.
      $ docker exec a7a01beb14de touch /tmp/surprise
  • 14.
      $ docker diff a7a01beb14de
      C /tmp
      A /tmp/surprise
  • 15. Containers are not immutable by default
  • 17.
      $ docker run --read-only -d ubuntu:16.04 /bin/sh \
          -c "while true; do echo hello world; sleep 1; done"
  • 18.
      $ docker exec 379150b2cf05 touch /tmp/surprise
      touch: cannot touch '/tmp/surprise': Read-only file system
  • 19. Suggestion: Enable read-only where possible
  • 20. Many applications won’t start with a read-only filesystem
  • 21.
      import logging
      from logging.handlers import RotatingFileHandler

      from flask import Flask

      app = Flask(__name__)

      @app.route('/')
      def home():
          app.logger.info('log request')
          return "We'll never get to here"

      if __name__ == '__main__':
          handler = RotatingFileHandler('app.log', maxBytes=10000, backupCount=1)  # opens app.log for writing at start-up
          handler.setLevel(logging.INFO)
          app.logger.addHandler(handler)
          app.run(debug=True, host='0.0.0.0')
  • 23.
      $ docker run --read-only -p 5000:5000 garethr/flaskapp
      Traceback (most recent call last):
        File "app.py", line 14, in <module>
          handler = RotatingFileHandler('app.log', maxBytes=10000, backupCount=1)
        File "/usr/lib/python2.7/logging/handlers.py", line 117, in __init__
          BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
        File "/usr/lib/python2.7/logging/handlers.py", line 64, in __init__
          logging.FileHandler.__init__(self, filename, mode, encoding, delay)
        File "/usr/lib/python2.7/logging/__init__.py", line 913, in __init__
          StreamHandler.__init__(self, self._open())
        File "/usr/lib/python2.7/logging/__init__.py", line 943, in _open
          stream = open(self.baseFilename, self.mode)
      IOError: [Errno 30] Read-only file system: '/app/app.log'
  • 24. tmpfs support added in Docker 1.10
  • 25.
      $ docker run --read-only --tmpfs /tmp -d ubuntu:16.04 /bin/sh \
          -c "while true; do echo hello world; sleep 1; done"
  • 26.
      $ docker exec 222331443d28 touch /tmp/surprise
  • 27.
      $ docker diff 222331443d28
  • 28.
      $ docker exec 222331443d28 ls /tmp
      surprise
  • 29. Suggestion: Use tmpfs only where needed
  • 30. Remember: Without technical controls you only have social guarantees of immutability
  • 31. Build vs Run: And the relationship between them
  • 32. Given an image
      - What machine built this image?
      - Are all the licenses compatible?
      - Who supports this image?
      - Does this image contain malware?
  • 33. Given a running container
      - Who built it?
      - How was it built?
      - What software does it contain?
      - Is the software up-to-date?
  • 34.
      FROM ubuntu:16.04
      RUN apt-get update && apt-get install -y python-pip python-dev build-essential && \
          apt-get clean && rm -rf /var/lib/apt/lists/*
      RUN pip install flask
      COPY . /app
      WORKDIR /app
      ENTRYPOINT ["python"]
      CMD ["app.py"]
  • 35. (Dockerfile from slide 34) Where did this base image come from?
  • 36. (Dockerfile from slide 34) What packages are installed? At what version? Where are those packages from?
  • 37. (Dockerfile from slide 34) What version of flask is this?
  • 38. (Dockerfile from slide 34) What was in this folder at build time?
  • 39. The importance of time
  • 40. How often are images rebuilt?
  • 41. Rebuilding only on code change ignores environmental factors
  • 42. Versioning and metadata
  • 43.
      LABEL vendor="ACME Incorporated" \
            com.example.is-beta="" \
            com.example.version="0.0.1-beta" \
            com.example.release-date="2015-02-12"
  • 44. (LABEL from slide 43) What time? What timezone?
  • 45.
      $ docker inspect -f "{{json .Config.Labels }}" 4fa6e0f0c678 | jq
      {
        "vendor": "ACME Incorporated",
        "com.example.is-beta": "",
        "com.example.version": "0.0.1-beta",
        "com.example.release-date": "2015-02-12"
      }
  • 46. Suggestion: Decide upon and enforce metadata standards
  • 47.
      LABEL com.example.git.repository="https://github.com/pupp
            com.example.git.sha="dc123cfb5ed4dca43a84be34a99d7c
            com.example.build.time="2016-04-24T15:43:05+00:00"
            com.example.build.builder="jenkins1.example.com"
            com.example.docs="https://github.com/puppetlabs/doc
            ...
  • 48. Suggestion: Embed Dockerfiles in images
  • 49.
      $ docker inspect -f "{{json .Config.Labels }}" garethr/alpine | jq
      {
        "net.morethanseven.dockerfile": "/Dockerfile",
      }
  • 50.
      $ docker run -i -t garethr/alpine cat /Dockerfile
      FROM alpine
      LABEL net.morethanseven.dockerfile="/Dockerfile"
      RUN apk add --update bash && rm -rf /var/cache/apk/*
      COPY Dockerfile /
  • 51. Suggestion: Provide an API for your containers
  • 52.
      $ docker inspect -f "{{json .Config.Labels }}" garethr/alpine | jq
      {
        "com.example.api.packages": "apk info -vv"
      }
  • 53.
      $ docker run -i -t garethr/alpine apk info -vv
      musl-1.1.11-r2 - the musl c library (libc) implementation
      busybox-1.23.2-r0 - Size optimized toolbox of many common UNIX
      alpine-baselayout-2.3.2-r0 - Alpine base dir structure and init
      openrc-0.15.1-r3 - OpenRC manages the services, startup and shu
      alpine-conf-3.2.1-r6 - Alpine configuration management scripts
  • 55. (without introducing more risk) Who configures the scheduler? Higher level configuration
  • 56. (without introducing more risk) Schedulers/orchestrators abstract you from - Where individual containers run - Balancing due to new resources - Balancing due to failed resources Gareth Rushgrove
  • 57. (without introducing more risk) This results in a constraints based system Gareth Rushgrove
  • 58. (without introducing more risk) Which means those constraints need to be explicit and correct Gareth Rushgrove
  • 59. (without introducing more risk) Gareth Rushgrove $ docker daemon --label com.example.environment="production" --label com.example.storage="ssd"
  • 60. (without introducing more risk) Gareth Rushgrove $ docker run -d -P -e constraint:storage==ssd --name db mysql
  • 61. (without introducing more risk) Gareth Rushgrove 1 template: 2 metadata: 3 labels: 4 app: guestbook 5 tier: frontend 6 spec: 7 containers: 8 - name: php-redis 9 image: gcr.io/google_samples/gb-frontend:v4 10 resources: 11 requests: 12 cpu: 100m 13 memory: 100Mi 14 env: 15 - name: GET_HOSTS_FROM 16 value: dns 17 # If your cluster config does not include a dns service, th 18 # instead access environment variables to find service host 19 # info, comment out the 'value: dns' line above, and uncomm
  • 62. (without introducing more risk) How do you manage properties for all of your hosts? Gareth Rushgrove
  • 63. (without introducing more risk) Gareth Rushgrove $ docker daemon --label com.example.environment="production" --label com.example.storage="ssd" Does this machine really have an SSD? What if someone swaps the drive?
  • 64. (without introducing more risk) Suggestion Use properties of hosts as labels Gareth Rushgrove
  • 65. (without introducing more risk) Gareth Rushgrove $ facter | head -n 20 architecture => x86_64 domain => local facterversion => 2.4.6 fqdn => Pro.local gid => staff hardwareisa => i386 hardwaremodel => x86_64 hostname => Pro id => garethr interfaces => lo0,gif0,stf0,en0,p2p0,awdl0,en1,en2,bridge0,vboxnet0,vboxnet1,v ipaddress => 192.168.0.5 ipaddress_en0 => 192.168.0.5
  • 66. (without introducing more risk) Gareth Rushgrove $ facter -j os | jq { "os": { "name": "Darwin", "family": "Darwin", "release": { "major": "14", "minor": "5", "full": "14.5.0" } } }
  • 67. (without introducing more risk) Gareth Rushgrove $ docker daemon --label net.example.os=`facter operatingsystem` --label net.example.virtual=`facter is_virtual` --label net.example.kernel=`facter kernelversion` ...
  • 68. Orchestrators also tend to introduce new higher-level primitives
  • 69. Docker Networks, Kubernetes Services, ReplicationControllers, Chronos Jobs
  • 70. Many with imperative interfaces
  • 71. $ kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -
  • 72. $ docker network create bob
        c0a0f4538d259515813b771264688d37aaedb41098379a0d73ec0ca08
        $ docker network create bob
        Error response from daemon: network with name bob already
  • 73. And everything configured in YAML
  • 74. Code plus data has advantages over data alone
  • 75. “The language to represent the data should be a simple, data-only format such as JSON or YAML, and programmatic modification of this data should be done in a real programming language”
        Borg, Omega, and Kubernetes, ACM Queue, Volume 14, issue 1, http://queue.acm.org/detail.cfm?id=2898444
  • 76.
        - Avoid repetition
        - Combine external inputs
        - Correctness
        - Abstractions
  • 77. Suggestion: Use a higher level programming tool for generating config data
  • 78. jsonnet.org
  • 79. $ cat test.jsonnet
        // Example jsonnet file
        {
          person1: {
            name: "Alice",
            welcome: "Hello " + self.name + "!",
          },
          person2: self.person1 { name: "Bob" },
        }
  • 80. $ jsonnet test.jsonnet | jq
        {
          "person1": {
            "name": "Alice",
            "welcome": "Hello Alice!"
          },
          "person2": {
            "name": "Bob",
            "welcome": "Hello Bob!"
          }
        }
  • 81. $ jsonnet test.jsonnet | json2yaml
        ---
        person1:
          name: "Alice"
          welcome: "Hello Alice!"
        person2:
          name: "Bob"
          welcome: "Hello Bob!"
  • 83. garethr/kubernetes
  • 84.
        kubernetes_pod { 'sample-pod':
          ensure   => present,
          metadata => {
            namespace => 'default',
          },
          spec     => {
            containers => [{
              name  => 'container-name',
              image => 'nginx',
            }]
          },
        }
  • 85.
        apiVersion: v1
        kind: Pod
        metadata:
          namespace: default
          name: sample-pod
        spec:
          containers:
          - image: nginx
            name: container-name
  • 86.
        controller_service_pair { 'redis-master':
          app  => 'redis',
          role => 'master',
          tier => 'backend',
          port => 6379,
        }
  • 87.
        apiVersion: v1
        kind: Service
        metadata:
          name: redis-master
          labels:
            app: redis
            tier: backend
            role: master
        spec:
          ports:
            # the port that this service should serve on
          - port: 6379
            targetPort: 6379
          selector:
            app: redis
            tier: backend
            role: master
        ---
        apiVersion: v1
        kind: ReplicationController
        metadata:
          name: redis-master
          # these labels can be applied automatically
          # from the labels in the pod template if not set
          labels:
            app: redis
            role: master
            tier: backend
        spec:
          # this replicas value is default
          # modify it according to your case
          replicas: 1
          # selector can be applied automatically
          # from the labels in the pod template if not set
          # selector:
          #   app: guestbook
          #   role: master
          #   tier: backend
  • 89. Conclusions: New technology means old problems
  • 90. The difference between how you think something works and how it actually works risks hard-to-debug production issues
  • 91. Containers introduce new and old configuration problems
  • 92. Configuration management is the discipline aimed at minimising those risks
  • 93. Start with principles
  • 94.
        - Identification
        - Control
        - Status accounting
        - Verification
        Military Handbook Configuration Management Guidance MIL-HDBK-61B
  • 95. Apply them to your container based infrastructure today
  • 96. Questions? And thanks for listening
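
The controller_service_pair idea from slides 86 and 87, and the suggestion on slide 77 to generate config data with a programming tool, sketched in Python as an added example (not code from the talk or from garethr/kubernetes): one set of inputs produces both objects, so the Service selector and the pod template labels cannot drift apart, and bad values are rejected before anything reaches the cluster. The image parameter, the constructed "redis" image value and the validation checks are assumptions that do not appear on the slides.

```python
import json
import re

# Object names are DNS-1123 labels; label values have their own syntax.
NAME_RE = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")
LABEL_RE = re.compile(r"([A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?)?")

def controller_service_pair(name, app, role, tier, port, image, replicas=1):
    """Build a Service and a ReplicationController from one set of inputs."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid object name: {name!r}")
    if type(port) is not int or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    labels = {"app": app, "role": role, "tier": tier}
    for key, value in labels.items():
        if not isinstance(value, str) or not LABEL_RE.fullmatch(value):
            raise ValueError(f"invalid value for label {key}: {value!r}")

    service = {
        "apiVersion": "v1", "kind": "Service",
        "metadata": {"name": name, "labels": dict(labels)},
        "spec": {"ports": [{"port": port, "targetPort": port}],
                 "selector": dict(labels)},
    }
    controller = {
        "apiVersion": "v1", "kind": "ReplicationController",
        "metadata": {"name": name, "labels": dict(labels)},
        "spec": {
            "replicas": replicas,
            "selector": dict(labels),
            "template": {
                "metadata": {"labels": dict(labels)},
                # image is an assumption: the slide's YAML is cut off before it.
                "spec": {"containers": [{"name": name, "image": image,
                                         "ports": [{"containerPort": port}]}]},
            },
        },
    }
    return [service, controller]

def render(objects):
    """Serialise as a v1 List in JSON, a data-only format kubectl accepts."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": objects},
                      indent=2, sort_keys=True)

if __name__ == "__main__":
    print(render(controller_service_pair(
        "redis-master", app="redis", role="master", tier="backend",
        port=6379, image="redis")))
```

Keeping the generator and its inputs in version control gives the identification and verification steps from slide 94 something concrete to check against.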