Docker Training 02
liangbo@trystack.cn
Docker Introduction & WORKSHOP
COURSE INTRODUCTION
DAY 01
• Docker Introduction
• Installation of Docker
• Working with Containers
• Working with Images
• Building images with Dockerfiles
• OpenStack Integration
  • OpenStack Introduction
  • Nova Driver (Docker as Compute Service)
  • Glance as Docker image registry
DAY 02
• Docker Cluster
• Kubernetes Introduction
• Docker Networking
• Docker Hub
• Docker Cases
• Docker Source Code
• Development Platform With Docker
• Hadoop on Docker
Docker Cluster
Docker Basic
Now that we have containers
• Isolation: Keep jobs from interfering with each other
• Scheduling: Where should my job be run?
• Lifecycle: Keep my job running
• Discovery: Where is my job now?
• Constituency: Who is part of my job?
• Scale-up: Making my jobs bigger or smaller
• Auth{n,z}: Who can do things to my job?
• Monitoring: What is happening with my job?
• Health: How is my job feeling?
Proposed implementation strategy
Cluster
• Management Layer
• Zookeeper
• etcd
• Storage
• Btrfs
• Ceph
• ZFS
• Networking
• Open vSwitch
• Live Migration
Kubernetes
Manage a cluster of Linux containers as a single system to accelerate Dev and simplify Ops
What is Kubernetes
Kubernetes is an open source orchestration system for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the user's declared intentions. Using the concepts of "labels" and "pods", it groups the containers which make up an application into logical units for easy management and discovery.
Enter Kubernetes
• Container orchestrator
• Runs Docker containers
• Supports multiple cloud and bare-metal environments
• Inspired and informed by Google’s experiences and internal systems
• Open Source, written in Go
• Manage applications, not machines.
Kubernetes Origins
• Runs hundreds of thousands of jobs
• For many thousands of different applications (YouTube, Search Index, Maps, etc.)…
• Across a number of clusters (hundreds)
• Borg manages many millions of physical servers.
• In production since 2004
Kubernetes Design principles
• Declarative > imperative: State your desired results, let the system actuate
• Control loops: Observe, rectify, repeat
• Simple > Complex: Try to do as little as possible.
• Modularity: Components, interfaces, & plugins.
• Network-centric: IP addresses are cheap
• No grouping: Labels are the only groups.
• Bulk > hand-crafted: cattle vs pets
• Open > Closed: Open Source, Standards, REST, JSON, etc.
Concept
• Container: A sealed application package (Docker)
• Pod: A small group of tightly coupled Containers
• Controller: A loop that drives current state towards desired state.
• Service: A set of running pods that work together.
• Labels: Identifying metadata attached to other objects.
• Selector: A query against labels.
99cloud Docker Training module 2
Pod
• Small group of containers & volumes
• Tightly coupled
  • same node
• The atom of cluster scheduling & placement
• Shared namespace
  • share IP address & localhost
• Ephemeral
  • can die and be replaced
• Example: data puller & web server
Pod Networking
• Pod IPs are routable
  • Docker default is private IP
• Pods can reach each other without NAT
  • even across nodes
• No brokering of port numbers
  • This is a fundamental requirement
  • several SDN solutions
Labels
• Arbitrary metadata
• Attached to any API object
• Generally represent identity
• Queryable by selectors
  • think SQL ‘select ... where ...’
• The only grouping mechanism
  • pods under a ReplicationController
  • pods in a Service
  • capabilities of a node (constraints)
• Example: “phase: canary”
Replication Controllers
[Figure: four successive views of one Replication Controller with Desired = 4, managing pods f0180 on node1, b3112 on node2, c1209 on node3 and a65321 on node4. Views 1 and 2: Current = 4. View 3: pod c1209 on node3 is gone, Current = 3. View 4: the controller has started a replacement c1209, Current = 4 again.]
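To make the label/selector and control-loop ideas concrete, here is an added Python simulation (not part of the original slides and not Kubernetes code): an equality-based selector of the kind the early API used, and a replication controller that reconciles its desired count against the pods its selector matches, replaying the node-loss scenario of the figure. Pod names, node names and labels are constructed for the example.

```python
"""Toy replication controller: labels, selectors and one control loop.

Added illustration; not Kubernetes code. Selector syntax follows the
equality-based form ("key=value", "key!=value", comma-separated)."""
import itertools
import re
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    node: str
    labels: dict


_TERM = re.compile(r"([\w./-]+)\s*(!=|=)\s*([\w./-]*)")


def parse_selector(text):
    """'app=web,phase!=canary' -> [('app','=','web'), ('phase','!=','canary')]"""
    terms = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = _TERM.fullmatch(part)
        if not m:
            raise ValueError(f"bad selector term: {part!r}")
        terms.append((m.group(1), m.group(2), m.group(3)))
    return terms


def matches(labels, terms):
    """True if a label set satisfies every term (like SQL 'select ... where')."""
    for key, op, value in terms:
        equal = labels.get(key) == value
        if op == "=" and not equal:
            return False
        if op == "!=" and equal:        # an absent key also satisfies '!='
            return False
    return True


class ReplicationController:
    """Observe the pods the selector matches, rectify towards `desired`, repeat."""

    def __init__(self, selector, desired, template_labels, nodes):
        self.terms = parse_selector(selector)
        self.desired = desired
        self.template_labels = template_labels
        self.nodes = list(nodes)           # nodes currently schedulable
        self._ids = itertools.count(1)

    def managed(self, cluster):
        return [p for p in cluster if matches(p.labels, self.terms)]

    def reconcile(self, cluster):
        """One control-loop pass. Returns (created_names, deleted_names)."""
        current = self.managed(cluster)
        created, deleted = [], []
        while len(current) < self.desired:
            # placement: least-loaded schedulable node (ties -> first listed)
            node = min(self.nodes,
                       key=lambda n: sum(1 for p in current if p.node == n))
            pod = Pod(f"pod-{next(self._ids):04x}", node, dict(self.template_labels))
            cluster.append(pod)
            current.append(pod)
            created.append(pod.name)
        while len(current) > self.desired:
            pod = current.pop()
            cluster.remove(pod)
            deleted.append(pod.name)
        return created, deleted


def run_scenario():
    """Replay the slide: four pods, node3 dies, the RC restores Current = 4."""
    nodes = ["node1", "node2", "node3", "node4"]
    rc = ReplicationController("app=web,phase!=canary", 4, {"app": "web"}, nodes)
    cluster = [                                   # constructed sample state
        Pod("f0180", "node1", {"app": "web"}),
        Pod("b3112", "node2", {"app": "web"}),
        Pod("c1209", "node3", {"app": "web"}),
        Pod("a65321", "node4", {"app": "web"}),
        Pod("canary1", "node1", {"app": "web", "phase": "canary"}),  # not ours
    ]
    log = [("steady", len(rc.managed(cluster)), rc.reconcile(cluster))]
    # node3 is lost: its pods vanish and it leaves the schedulable set
    cluster[:] = [p for p in cluster if p.node != "node3"]
    rc.nodes = [n for n in nodes if n != "node3"]
    log.append(("node3 lost", len(rc.managed(cluster)), rc.reconcile(cluster)))
    log.append(("repaired", len(rc.managed(cluster)), rc.reconcile(cluster)))
    return log, cluster


if __name__ == "__main__":
    for step, current, (created, deleted) in run_scenario()[0]:
        print(f"{step:10s} current={current} created={created} deleted={deleted}")
```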
Services
• A group of pods that act as one == Service
  • group == selector
• Defines access policy
  • only “load balanced” for now
• Gets a stable virtual IP and port
  • called the service portal
  • also a DNS name
• VIP is captured by kube-proxy
  • watches the service constituency
  • updates when backends change
• Hide complexity - ideal for non-native apps
How to deploy
• Prerequisites
  • The minion nodes have docker 1.2+ installed
  • All machines can communicate with each other
  • Dependencies: etcd-2.0.0, flannel-0.4.0, k8s-0.15.0
  • All the remote servers can be logged into via ssh
Main Steps
• Build kubernetes, etcd and flanneld
• First clone the kubernetes github repo:
  $ git clone https://github.com/GoogleCloudPlatform/kubernetes.git
  then $ cd kubernetes/cluster/ubuntu
• Then run $ ./build.sh; this will download all the needed binaries into ./binaries.
Configure Cluster
• export nodes="vcap@10.10.103.250 vcap@10.10.103.162 vcap@10.10.103.223"
• export roles=("ai" "i" "i")
• export NUM_MINIONS=${NUM_MINIONS:-3}
• export PORTAL_NET=11.1.1.0/24
• export FLANNEL_NET=172.16.0.0/16
• KUBERNETES_PROVIDER=ubuntu ./kube-up.sh
Trouble shooting
• Generally, what this approach does is quite simple:
  • Download and copy binaries and configuration files to the proper directories on every node
  • Configure etcd using IPs based on input from the user
  • Create and start the flannel network
• So, if you see a problem, check the etcd configuration first
Docker Networking
Key Takeaways
• Docker networking is at an early stage
• Applications must choose what networking is right for their needs. It is possible to use the same principles as VMs
• Open vSwitch brings powerful networking capabilities
• User space vs kernel space packet processing is an important design choice
High-level concepts
Namespace: Containerized networking at the process level, managed at /proc
Linux Bridge: L2/MAC learning switch built into the kernel, used for forwarding
Open vSwitch: Advanced bridge that is programmable and supports tunneling
NAT: Network address translators are intermediate entities that translate IP address + ports (types: SNAT, DNAT)
iptables: Policy engine in the kernel that is used for managing packet forwarding, firewall and NAT features
Unix domain sockets: File-descriptor-based communication that is restricted to a single host. Works like a FIFO pipe.
User-space vs kernel-space: Application domain that regulates access to resources and the performance possible.
• Container applications run in user space
• Typically network forwarding runs in kernel space
Docker Networking Options
• Bridge – docker0
• Open vSwitch
• Port Mapping
• Unix sockets/ pipe
Many ways
[Figure: one host running containers A to F, each attached through a different path: direct host network, Unix-domain sockets and other IPC, the docker0 Linux bridge, the Docker proxy (using iptables), Open vSwitch, and port mapping.]
Option: Docker0 bridge
• Default network, automatically created when no additional options (“--net” or “-P”) are specified
• Each container is addressed by a static IP address assigned by Docker
• Similar to what we have as default with KVM or VirtualBox
• Host can reach the container with its IP on the bridge
• But outside traffic cannot reach the container
[Figure: containers nginx1 (172.17.0.18), c1 (172.17.0.19) and c2 (172.17.0.20), each with an eth0 attached through veth002aa7a, veth6df8377 and veth7b0e4c6 to the docker0 bridge (172.17.42.1); the host's eth0 is 192.168.50.16.]
Docker0 bridge
Check Linux bridge ports and NAT rules under the hood
# iptables -L -t nat -n
...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        anywhere
# sudo brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.56847afe9799       no              veth002aa7a
                                                        veth6df8377
                                                        veth7b0e4c6
# docker inspect --format='{{.NetworkSettings}}' nginx1
(See for yourself)
Port mapping
• Provide access to the container from outside by allocating a DNAT port in the range 49153-65535
• Still uses the Linux bridge docker0, but adds iptables rules for the DNAT
• In our example, the nginx2 container is reachable by accessing 192.168.50.16:49155
# docker run -P -d -i --name=nginx2 -t nginx
# iptables -L -t nat -n
...
Chain DOCKER (2 references)
target prot opt source     destination
DNAT   tcp  --  anywhere   anywhere   tcp dpt:49155 to:172.17.0.19:80
DNAT   tcp  --  anywhere   anywhere   tcp dpt:49156 to:172.17.0.19:443
...
[Figure: containers nginx2 and c1 attached through veth79ed06d and veth6df8377 to the docker0 bridge (172.17.42.1); the host's eth0 is 192.168.50.16.]
Port mapping
For the new nginx2 container, we show the network settings below
# docker inspect nginx2
"NetworkSettings": {
    "Bridge": "docker0",
    "Gateway": "172.17.42.1",
    "IPAddress": "172.17.0.19",
    "IPPrefixLen": 16,
    "MacAddress": "02:42:ac:11:00:0f",
    "PortMapping": null,
    "Ports": {
        "443/tcp": [
            {
                "HostIp": "0.0.0.0",
                "HostPort": "49157"
            }],
        "80/tcp": [
            {
                "HostIp": "0.0.0.0",
                "HostPort": "49158"
            }]
    }}
Advanced:
• It is possible to restrict the port mapping to listen on a specific host IP address and/or a specific host port number
• Use the -p option as follows
# docker run -p host_IP:host_port:container_port -d -i -t nginx
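As an added example (not from the original slides and not Docker's own tooling), the Python script below audits what the port-mapping rules above expose: it parses the DOCKER chain of `iptables -t nat -L -n`, reports mappings that listen on every host interface rather than on a specific host IP, and cross-checks them against `docker inspect` so that leftover DNAT rules with no live container behind them stand out. The iptables and inspect outputs it works on are constructed samples in the shape shown on these slides.

```python
"""Audit Docker port mappings: which container ports are reachable from any
host interface, and whether the nat table agrees with what Docker reports.
Added illustration, not Docker's own code; the sample outputs are constructed."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortMap:
    proto: str
    host_ip: str        # "0.0.0.0" means every host interface
    host_port: int
    container_ip: str
    container_port: int


# One DNAT rule of `iptables -t nat -L DOCKER -n` (use -n so ports are numeric;
# without it iptables prints "anywhere" and service names such as dpt:http).
_DNAT = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P=proto)\s+dpt:(?P<dport>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)")
_ANY_DST = {"0.0.0.0/0", "anywhere"}


def parse_docker_chain(text):
    """DNAT rules -> PortMaps. Headers and non-DNAT rules are skipped.
    The 'destination' column is the host address the client connected to,
    so a specific IP there means the mapping was made with -p host_IP:..."""
    maps = []
    for line in text.splitlines():
        m = _DNAT.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        maps.append(PortMap(m.group("proto"),
                            "0.0.0.0" if dst in _ANY_DST else dst,
                            int(m.group("dport")), m.group("cip"),
                            int(m.group("cport"))))
    return maps


def ports_from_inspect(text):
    """NetworkSettings.Ports of `docker inspect <container>...` (a JSON list)."""
    found = set()
    for c in json.loads(text):
        ns = c["NetworkSettings"]
        for key, bindings in (ns.get("Ports") or {}).items():
            cport, proto = key.split("/")
            for b in bindings or []:
                found.add(PortMap(proto, b["HostIp"], int(b["HostPort"]),
                                  ns["IPAddress"], int(cport)))
    return found


def exposed_on_all_interfaces(maps):
    return [p for p in maps if p.host_ip == "0.0.0.0"]


def stale_rules(iptables_maps, inspect_maps):
    """DNAT rules no running container claims (leftovers are worth a look)."""
    return [p for p in iptables_maps if p not in inspect_maps]


# Constructed sample of `iptables -t nat -L DOCKER -n`
SAMPLE_NAT = """\
Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49155 to:172.17.0.19:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49156 to:172.17.0.19:443
DNAT       tcp  --  0.0.0.0/0            192.168.50.16        tcp dpt:8080 to:172.17.0.20:80
"""

# Constructed sample of `docker inspect nginx2` (only the fields used here)
SAMPLE_INSPECT = json.dumps([{
    "Name": "/nginx2",
    "NetworkSettings": {
        "Bridge": "docker0", "Gateway": "172.17.42.1", "IPAddress": "172.17.0.19",
        "Ports": {
            "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "49155"}],
            "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "49156"}],
        },
    },
}])


def audit(nat_text=SAMPLE_NAT, inspect_text=SAMPLE_INSPECT):
    maps = parse_docker_chain(nat_text)
    return {
        "all_interfaces": exposed_on_all_interfaces(maps),
        "stale": stale_rules(maps, ports_from_inspect(inspect_text)),
    }


if __name__ == "__main__":
    report = audit()
    for p in report["all_interfaces"]:
        print(f"open on every interface: :{p.host_port}/{p.proto} -> "
              f"{p.container_ip}:{p.container_port}")
    for p in report["stale"]:
        print(f"nat rule without a live container: {p.host_ip}:{p.host_port} -> "
              f"{p.container_ip}:{p.container_port}")
```

On a real host, feed it the output of the two commands instead of the samples; rules that survive a container's removal, or that no inspect output claims, are the ones to investigate.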
Option: Host network
Give full access of the host network to the container using the --net=host option
# docker run --net=host --name=c3 -i -d -t base /bin/bash
Check the network within the container using the ifconfig command through exec
# docker exec c3 ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:0d:3c:9f
          inet addr:192.168.50.16  Bcast:192.168.50.255
Host can talk to the container using the lo (localhost) interface
Containers can listen on privileged ports (i.e., port numbers < 1024) of the host
Option: Container network
Give full access to the network of a container XX to the new container YY using the --net=container:XX option
# docker run --net=container:nginx1 --name=c4 -i -d -t base /bin/bash
Check the network within the container using the ifconfig command through exec
# docker exec c4 ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 02:42:ac:11:00:12
          inet addr:172.17.0.18  Bcast:0.0.0.0
Container XX can talk to container YY using the lo (localhost) interface
Option: Open vSwitch
• Similar to Linux bridge, but different technology
• Today, this is not the default with Docker
• Allows programming with OVSDB and OpenFlow protocols
• Why? Open vSwitch has many useful features!
  • VxLAN, GRE, VLAN based encapsulation and L2 forwarding
  • Encapsulation allows containers to pick any MAC/IP they want
  • Also possible to do L3 routing, ARP proxy etc., load-balancing
  • Access control, traffic rate limiting and prioritization
  • 10G/s or more packet processing throughput possible
  • 1) kernel, or 2) userspace, optionally with DPDK acceleration
Open vSwitch
A software virtual switch
• Overlay Network
  • VxLAN, GRE
• OpenFlow
Dockerfile
What is a Dockerfile
• A definition of an image
• FROM – the base image to start from
• RUN – run a command while building the image (initialize something)
• CMD – the command run when the container is started
• EXPOSE – port
• MAINTAINER – author/contact email of the image
• ADD – copy files (e.g. start.sh) into the image
• VOLUME – path mapping
• WORKDIR – working directory for the following instructions
# example dockerfile - redis
FROM ubuntu
MAINTAINER ruifengyun "ruifengyun@qq.com"
ADD ./start.sh /root/start.sh
RUN apt-get update
RUN apt-get install -y redis-server
RUN apt-get install -y openssh-server
#CMD redis-server /etc/redis/redis.conf && /usr/sbin/sshd -D
CMD ["redis-server","/etc/redis/redis.conf"]
EXPOSE 6379
EXPOSE 22
# docker build -t trystack/redis .
Demo page1
FROM ubuntu:14.04
MAINTAINER yourname@youraddress.com
# Keep upstart from complaining
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN ln -sf /bin/true /sbin/initctl
# Let the container know that there is no tty
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update
RUN apt-get -y upgrade
# Basic Requirements
RUN apt-get -y install mysql-server mysql-client nginx php5-fpm php5-mysql php-apc pwgen python-setuptools curl git unzip
# Wordpress Requirements
RUN apt-get -y install php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl
# mysql config (listen on all interfaces inside the container)
RUN sed -i -e"s/^bind-address\s*=\s*127.0.0.1/bind-address = 0.0.0.0/" /etc/mysql/my.cnf
Demo page2
# nginx config
RUN sed -i -e"s/keepalive_timeout\s*65/keepalive_timeout 2/" /etc/nginx/nginx.conf
RUN sed -i -e"s/keepalive_timeout 2/keepalive_timeout 2;\n\tclient_max_body_size 100m/" /etc/nginx/nginx.conf
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
# php-fpm config
RUN sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php5/fpm/php.ini
RUN sed -i -e "s/upload_max_filesize\s*=\s*2M/upload_max_filesize = 100M/g" /etc/php5/fpm/php.ini
RUN sed -i -e "s/post_max_size\s*=\s*8M/post_max_size = 100M/g" /etc/php5/fpm/php.ini
RUN sed -i -e "s/;daemonize\s*=\s*yes/daemonize = no/g" /etc/php5/fpm/php-fpm.conf
RUN sed -i -e "s/;catch_workers_output\s*=\s*yes/catch_workers_output = yes/g" /etc/php5/fpm/pool.d/www.conf
RUN find /etc/php5/cli/conf.d/ -name "*.ini" -exec sed -i -re 's/^(\s*)#(.*)/\1;\2/g' {} \;
# nginx site conf
ADD ./nginx-site.conf /etc/nginx/sites-available/default
# Supervisor Config
RUN /usr/bin/easy_install supervisor
RUN /usr/bin/easy_install supervisor-stdout
ADD ./supervisord.conf /etc/supervisord.conf
Demo page3
# Install Wordpress
ADD http://wordpress.org/latest.tar.gz /usr/share/nginx/latest.tar.gz
RUN cd /usr/share/nginx/ && tar xvf latest.tar.gz && rm latest.tar.gz
RUN mv /usr/share/nginx/html/5* /usr/share/nginx/wordpress
RUN rm -rf /usr/share/nginx/www
RUN mv /usr/share/nginx/wordpress /usr/share/nginx/www
RUN chown -R www-data:www-data /usr/share/nginx/www
# Wordpress Initialization and Startup Script
ADD ./start.sh /start.sh
RUN chmod 755 /start.sh
# private expose
EXPOSE 3306
EXPOSE 80
CMD ["/bin/bash", "/start.sh"]
Docker Registry
Step 1 – Install Prerequisites
• Docker registry is a Python application
• Needs some Python libs
$ sudo apt-get update
$ sudo apt-get -y install build-essential python-dev libevent-dev python-pip liblzma-dev
Step 2 – Install and Configure Docker Registry
sudo pip install docker-registry
gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application
cd /usr/local/lib/python2.7/dist-packages/docker_registry/lib/../../config/
sudo cp config_sample.yml config.yml
sudo mkdir /var/docker-registry
Questions?
Useful Links:
http://blog.sequenceiq.com/blog/2014/06/17/ambari-cluster-on-docker/
http://blog.sequenceiq.com/blog/2014/06/19/multinode-hadoop-cluster-on-docker/
