A brief explanation of Containers
An image is a lightweight, stand-alone, executable package that includes
everything needed to run a piece of software
• Contains the application executable and its dependencies
• Built with instructions from a Dockerfile
A container is a runtime instance of an image – what the image becomes
in memory when actually executed
• Runs apps natively on the host machine’s kernel
• Runs in a discrete process (isolated environment)
• Containers on the same machine share a single kernel
Container vs VM - Performance Benchmark
(Just for reference)
On a modest Intel server (16 GB RAM)
• 536 Linux Containers
• 37 KVM Virtual Machines
Reference: https://insights.ubuntu.com/2015/06/11/how-many-containers-can-you-run-on-your-machine/
Benefits of Containers
• More efficient in resource utilization
− The same computing resources can run more containers than VMs
− Containers organically consume the resources they need (bound by the
maximum value assigned); a VM takes up all the resources
assigned to it at startup
• Better for cloud deployment (Microservices and DevOps)
− It’s a general practice to have separate images for different components
of the same application (e.g. DB, App Server, Web Server)
− Easier to deploy/upgrade/scale an individual component without
impacting others
Multi-Stage Builds
Traditional Dockerfile that includes build tools:
➜ Target is to reduce the size of the Docker image
# Single-stage build: the compiler and build tools stay in the final image
FROM alpine
RUN apk add make g++
ADD . /src
RUN cd /src && make
EXPOSE 80
ENTRYPOINT /usr/local/bin/app
Multi-Stage Builds
A Dockerfile that uses a multi-stage build:
➮ Final image will not include the build tools and libraries
# Stage 1: build the binary with the toolchain installed
FROM alpine AS build-env
RUN apk add make g++
ADD . /src
RUN cd /src && make

# Stage 2: copy only the built binary into a minimal runtime image
FROM busybox
COPY --from=build-env /src/build/app /usr/local/bin/app
EXPOSE 80
ENTRYPOINT /usr/local/bin/app
Introduction to Service Orchestration
• Management
− Need a manager to maintain the cluster state, and serve requests for
container management (schedule/stop/scale up/scale down)
• Security
− All nodes within the cluster should be able to communicate securely
• Service Discovery
− Need to be able to identify and locate a container service by using DNS
• Load Balancing
− Need to be able to scale up/down containers with auto load balancing
• Networking
− Able to segregate the network for different scenarios
• Update/Rollback
− Support update and rollback of container services across the cluster
⌘ Container Services need Orchestration
Docker’s answer to Service Orchestration
Load Balancing - Service to Service Communication
Introduction to Service Orchestration
Service Discovery with DNS
• A DNS server is embedded in a Swarm cluster
• Swarm mode has an internal DNS component that
automatically assigns each service in the swarm a DNS
entry
• The swarm manager uses internal load balancing to
distribute requests among services within the cluster based
on the DNS name of the service
Service Rollback on Failure
swarm mode improvement
“rollback” action added to --update-failure-action
(in addition to “pause” and “continue”),
with all the associated flags:
--rollback-delay
--rollback-failure-action
--rollback-max-failure-ratio
--rollback-monitor
--rollback-parallelism
Securely Distributing Passwords
● Services often require sensitive information (like passwords, keys, etc.)
● Need a way to securely distribute such information across the cluster
Securely Distributing Passwords
The Old Way
Pass as an environment variable:
$ docker service create -e password=TOTALLYSECURE dockercon
Password is stored on the host and mounted into the container as a volume:
$ docker service create -v some/host/dir:/password dockercon
Securely Distributing Passwords
The Old Way > Pass as environment > Problem
A developer needs to debug the service, and the environment is dumped into a debug log file.
Securely Distributing Passwords
The Old Way > Save Secret in Volume > Problem
The volume must exist on every node that the service needs to run on.
When the service is rescheduled, the secret stays on the host!
Docker Secrets
Secrets are stored in the Raft store
The encryption key of the Raft log can itself be encrypted for added security:
$ docker swarm update --autolock=true
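The two "old way" problems above (a secret passed with -e ends up in any environment dump; a secret in a volume lives on the host's disk) and the Docker Secrets slide are illustrated by the following added example. It is not code from the slides or from Docker; it assumes the documented behaviour that a Swarm secret is mounted as a file at /run/secrets/<secret_name> inside the container, and it simulates that mount with a temporary directory so it runs offline. The function names (load_secret, redacted_environ, debug_dump, demo) and the sample environments are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Docker Swarm delivers each secret attached to a service as a file under
# /run/secrets/<secret_name> inside the container (an in-memory filesystem),
# so the value is never placed in the environment or on the host's disk.
DEFAULT_SECRETS_DIR = "/run/secrets"

# Environment keys whose values should never appear in a log dump
# (hypothetical pattern; extend it to match your own naming conventions).
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key|private", re.IGNORECASE)


def load_secret(name: str, secrets_dir: str = DEFAULT_SECRETS_DIR) -> str:
    """Read one Docker secret from its mounted file; fail loudly if it is missing."""
    path = Path(secrets_dir) / name
    if not path.is_file():
        raise FileNotFoundError(f"secret {name!r} is not mounted at {path}")
    return path.read_text(encoding="utf-8").rstrip("\r\n")


def redacted_environ(env: dict) -> dict:
    """Copy of an environment mapping with sensitive-looking values masked."""
    return {k: ("***REDACTED***" if SENSITIVE_KEY.search(k) else v) for k, v in env.items()}


def debug_dump(env: dict) -> str:
    """What a careless 'dump the environment to the debug log' produces."""
    return "\n".join(f"{k}={v}" for k, v in sorted(env.items()))


def demo() -> dict:
    """Constructed comparison: env-var secret vs. file-mounted secret."""
    # Constructed environment of a service started the old way:
    #   docker service create -e password=TOTALLYSECURE ...
    old_way_env = {"PATH": "/usr/local/bin:/usr/bin", "password": "TOTALLYSECURE"}
    # Constructed environment of a service that uses a Docker secret instead:
    # only the *path* to the secret file is in the environment, never the value.
    new_way_env = {"PATH": "/usr/local/bin:/usr/bin",
                   "DB_PASSWORD_FILE": "/run/secrets/db_password"}

    # Simulate the /run/secrets mount with a temporary directory (constructed).
    with tempfile.TemporaryDirectory() as fake_secrets_dir:
        (Path(fake_secrets_dir) / "db_password").write_text("TOTALLYSECURE\n")
        secret = load_secret("db_password", secrets_dir=fake_secrets_dir)

    return {
        "old_way_dump_leaks": "TOTALLYSECURE" in debug_dump(old_way_env),
        "old_way_redacted_leaks": "TOTALLYSECURE" in debug_dump(redacted_environ(old_way_env)),
        "new_way_dump_leaks": "TOTALLYSECURE" in debug_dump(new_way_env),
        "secret_read_from_file": secret,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The redaction helper is a safety net for logs, not a substitute for the secrets mechanism: with the file-mounted secret the environment contains nothing worth redacting, and the secret file disappears with the container when the service is rescheduled.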
Compose to Swarm
It is now possible to deploy services using Compose files directly from docker
➜ docker stack sub-command added
● docker stack deploy --compose-file docker-compose.yml <my_stack>
● docker stack list
● docker stack rm <my_stack>
Compose Format Version 3
docker-compose.yml improvements
Main differences from v2 are:
● Removed the non-portable options
○ build
○ volumes_from
○ …
● Added Swarm-specific options
○ replicas
○ mode
○ ...
Long Syntax for Ports
docker-compose.yml improvement
Old Format (for port publishing):
ports:
  - 3000
  - 3000-3005
  - 49100:22
  - 9090-9091:8080-8081
  - 127.0.0.1:8001:8001
  - 127.0.0.1:5005-5010:5005-5010
  - 6060:7060/udp
Long Syntax for Ports
docker-compose.yml improvement
New Format (for port publishing):
ports:
  - target: 6060
    published: 7060
    protocol: udp
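The following added example converts every short-syntax port entry from the "Old Format" slide into the long syntax of the "New Format" slide, which makes the implicit rules of the short form explicit: HOST:CONTAINER order, range expansion, an optional host IP prefix, a /protocol suffix, and an ephemeral host port when only the container port is given. It is not code from the slides or from Docker Compose; the function names (expand_short_port, expand_ports, published_on_all_interfaces) are constructed, and the host_ip field comes from the current Compose Specification rather than the version 3 long syntax shown on the slide.

```python
import re

PORT_RE = re.compile(r"^\d{1,5}$")


def _port_range(text: str) -> list:
    """'3000' -> [3000]; '3000-3005' -> [3000, ..., 3005]; validates 1-65535."""
    lo, _, hi = text.partition("-")
    if not PORT_RE.match(lo) or (hi and not PORT_RE.match(hi)):
        raise ValueError(f"bad port or range: {text!r}")
    first, last = int(lo), int(hi or lo)
    if not (1 <= first <= last <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return list(range(first, last + 1))


def expand_short_port(spec) -> list:
    """Convert one short-syntax port entry into a list of long-syntax mappings.

    Short syntax is [HOST_IP:][HOST_PORT[-RANGE]:]CONTAINER_PORT[-RANGE][/PROTOCOL].
    A range on both sides must have the same length and is expanded pairwise,
    because the long syntax describes exactly one port per entry.
    """
    spec = str(spec).strip()          # YAML may hand us a bare int such as 3000
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
        if protocol not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unknown protocol {protocol!r} in {spec!r}")
    parts = spec.split(":")
    host_ip = None
    if len(parts) == 1:
        published_text, target_text = None, parts[0]
    elif len(parts) == 2:
        published_text, target_text = parts
    elif len(parts) == 3:
        host_ip, published_text, target_text = parts
    else:
        raise ValueError(f"unsupported port syntax (IPv6 hosts not handled): {spec!r}")
    targets = _port_range(target_text)
    # No host port given: Docker assigns an ephemeral one, so 'published' is left unset.
    published = _port_range(published_text) if published_text else [None] * len(targets)
    if len(published) != len(targets):
        raise ValueError(f"host and container ranges differ in length: {spec!r}")
    entries = []
    for target, pub in zip(targets, published):
        entry = {"target": target}
        if pub is not None:
            entry["published"] = pub
        if host_ip:
            entry["host_ip"] = host_ip
        entry["protocol"] = protocol
        entry["mode"] = "ingress"     # swarm default: routed through the ingress mesh
        entries.append(entry)
    return entries


def expand_ports(short_entries: list) -> list:
    """Expand a whole short-syntax 'ports:' list."""
    out = []
    for spec in short_entries:
        out.extend(expand_short_port(spec))
    return out


def published_on_all_interfaces(entries: list) -> list:
    """Long-syntax entries that publish a port without pinning a host IP.

    Such ports listen on every interface of the host; reviewing this list is a
    quick way to spot services exposed more widely than intended.
    """
    return [e for e in entries if "published" in e and "host_ip" not in e]


if __name__ == "__main__":
    # The entries from the "Old Format" slide, constructed as the input list.
    slide_ports = ["3000", "3000-3005", "49100:22", "9090-9091:8080-8081",
                   "127.0.0.1:8001:8001", "127.0.0.1:5005-5010:5005-5010", "6060:7060/udp"]
    for entry in expand_ports(slide_ports):
        print(entry)
```

One practical reason to prefer the long syntax: a short entry such as 49100:22 must be quoted in YAML, because YAML 1.1 parsers can read NN:NN as a base-60 integer, while the long form has no such ambiguity.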
Long Syntax for Volumes
docker-compose.yml improvement
Old Format (for volume mounting):
volumes:
  - /var/lib/mysql
  - /opt/data:/var/lib/mysql
  - ./cache:/tmp/cache
  - datavolume:/var/lib/mysql
  - ~/configs:/etc/configs/:ro
Long Syntax for Volumes
docker-compose.yml improvement
New Format (for volume mounting):
volumes:
  - type: bind
    source: ~/configs
    target: /etc/configs
    read_only: true
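The following added example does for volumes what the short form hides: it classifies each entry from the "Old Format" slide as an anonymous volume, a named volume or a host bind mount and emits the long-syntax mapping from the "New Format" slide. It is not code from the slides or from Docker Compose; the function names (expand_short_volume, expand_volumes, writable_bind_mounts) are constructed, and it assumes Linux-style paths (a Windows drive letter would collide with the ':' separator).

```python
# Sources with these prefixes are host paths (bind mounts); anything else
# is the name of a Docker-managed volume.
BIND_PREFIXES = ("/", "./", "../", "~")


def expand_short_volume(spec: str) -> dict:
    """Convert one short-syntax volume entry into the long syntax.

    Short syntax is [SOURCE:]TARGET[:FLAGS] where FLAGS is a comma-separated
    list; only 'ro' and 'rw' are mapped here, other flags raise so nothing is
    silently dropped.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        # "/var/lib/mysql": anonymous volume created for this container path.
        source, target, flags = None, parts[0], []
    elif len(parts) in (2, 3):
        source, target = parts[0], parts[1]
        flags = parts[2].split(",") if len(parts) == 3 else []
    else:
        raise ValueError(f"unsupported volume syntax: {spec!r}")
    if not target.startswith("/"):
        raise ValueError(f"container path must be absolute: {target!r}")

    entry = {}
    if source is None:
        entry["type"] = "volume"
    elif source.startswith(BIND_PREFIXES):
        entry["type"] = "bind"        # host path mounted into the container
        entry["source"] = source
    else:
        entry["type"] = "volume"      # named volume managed by Docker
        entry["source"] = source
    entry["target"] = target

    for flag in flags:
        if flag == "ro":
            entry["read_only"] = True
        elif flag == "rw":
            entry["read_only"] = False
        else:
            raise ValueError(f"flag {flag!r} has no mapping in this example: {spec!r}")
    return entry


def expand_volumes(short_entries: list) -> list:
    """Expand a whole short-syntax 'volumes:' list."""
    return [expand_short_volume(spec) for spec in short_entries]


def writable_bind_mounts(entries: list) -> list:
    """Bind mounts the container can write to, i.e. host paths it can modify.

    Reviewing this list answers the question the short syntax obscures: which
    directories of the host does this service get write access to?
    """
    return [e for e in entries if e["type"] == "bind" and not e.get("read_only", False)]


if __name__ == "__main__":
    # The entries from the "Old Format" slide, constructed as the input list.
    slide_volumes = ["/var/lib/mysql", "/opt/data:/var/lib/mysql", "./cache:/tmp/cache",
                     "datavolume:/var/lib/mysql", "~/configs:/etc/configs/:ro"]
    expanded = expand_volumes(slide_volumes)
    for entry in expanded:
        print(entry)
    print("writable host paths:", [e["source"] for e in writable_bind_mounts(expanded)])
```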
Docker on Windows Server 2016
● Now 98% of enterprise workloads supported by Docker
● Proven benefits of Docker on Linux available to Windows Server
developers and IT Pros
● One Docker platform and one adoption journey for all enterprise
applications and infrastructure
● Docker CS Engine with Windows Server 2016 at no additional cost
Docker on Windows Server 2016
Docker EE is free and supported by Microsoft directly
Image2Docker - Linux
make prepare
make build
make builtin-prep
sudo bin/v2c-darwin64 build -n img.vmdk
https://github.com/docker/communitytools-image2docker-linux
Docker Cloud
• Manage Build and Images
− Provides a hosted registry service
− Link to your source code repository
• Swarm Mode (Beta)
− Provision swarms or register existing swarms to popular cloud providers
− Support multiple providers in a single user interface
− Use your Docker ID to authenticate and securely access personal or team
swarms
• Standard Mode
− Link to your hosts, upgrade the Docker Cloud agent, and manage
container distribution
− Deploy and manage nodes, services, and applications in Docker Cloud
• Pricing
− Contact Docker
Docker Cloud vs Enterprise Edition
Feature                         | Docker EE                                                 | Docker Cloud
Docker Engine Version           | Docker EE                                                 | Docker CE, Docker EE (Basic)
Private Image Registry          | Your own registry                                         | Hosted by Docker
User Interface                  | Docker UCP (Universal Control Plane)                      | Docker Cloud UI
Image Security Scan             | Supported                                                 | Supported
User Security                   | Create your own users/groups, role-based access control   | Docker ID
Docker Datacenter               | Included (Standard, Advanced)                             | Not included
Automated Development Pipelines | Included                                                  | Not included
Private Cloud                   | Full support                                              | Partial support (bring your own Swarm)
Pricing                         | Visit Docker site                                         | Contact Docker
✦ Contact Docker for latest information
Let’s Keep the Meetup Running
• Let’s work together to keep the meetup active
• Speakers WANTED
• Share with each other about your Docker journey
• Reach out for venues for deep dives
− Workshops
− The best way to learn is to do some real stuff
• Containerize your application
• Set up a Docker Swarm cluster
• Use Docker Compose to deploy your stack
Hey, I need HELP!!!