Docker Enterprise Workshop - Technical
Download as PPTX, PDF1 like813 views
The document outlines a Docker Enterprise workshop led by Patrick Chanezon, covering the development of a Spring Boot application with MongoDB, Dockerfile examples, multi-stage builds, and using Docker Compose for orchestration. It also highlights Docker's collaboration with Microsoft for various tools and features, including support for Kubernetes and deployment strategies on Windows. Additional resources and instructions for conducting hybrid app workshops are provided at the end.
Docker Enterprise Workshop - Technical
- 1. Patrick Chanezon, @chanezon March 2018 Docker Enterprise Workshop
- 2. French Polyglot Platforms Software Plumber San Francisco Developer Relations @chanezon
- 3. Docker 101
- 4. spring-doge.jar Example: Spring Boot App using MongoDB https://github.com/chanezon/docker-tips/tree/master/java-in-container-dev/spring-doge-workspace spring-doge spring-doge-web spring-doge-photo API: Spring Boot, Spring Data UI: AngularJS Business Logic: java.awt java -Dserver.port=8080 -Dspring.data.mongodb.uri=mongodb://mongo:27017/test -jar spring-doge.jar
- 5. Dockerfile for development FROM java:8 MAINTAINER Patrick Chanezon <patrick@chanezon.com> EXPOSE 8080 COPY spring-doge/target/*.jar /usr/src/spring-doge/spring- doge.jar WORKDIR /usr/src/spring-doge CMD java -Dserver.port=8080 - Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
- 6. Using Docker to compile your jar/war https://registry.hub.docker.com/_/maven/ docker run -it --rm -v $PWD:/usr/src/spring-doge -v maven:/root/.m2 -w /usr/src/spring-doge maven:3.3-jdk-8 mvn package
- 7. Build an image docker build -t chanezon/spring-doge . FROM java:8 MAINTAINER Patrick Chanezon <patrick@chanezon.com> EXPOSE 8080 COPY spring-doge/target/*.jar /usr/src/spring-doge/spring- doge.jar WORKDIR /usr/src/spring-doge CMD java -Dserver.port=8080 - Dspring.data.mongodb.uri=$MONGODB_URI -jar spring-doge.jar
- 8. Dockerfile with multi stage build FROM maven:3.5-jdk-8 as builder MAINTAINER Patrick Chanezon <patrick@chanezon.com> COPY . /usr/src WORKDIR /usr/src RUN mvn package FROM openjdk:8u131-jre EXPOSE 8080 COPY --from=builder /usr/src/spring-doge/target/*.jar /usr/app/spring-doge.jar WORKDIR /usr/app CMD java -Dserver.port=8080 -Dspring.data.mongodb.uri=$MONGODB_URI - jar spring-doge.jar HEALTHCHECK --interval=5m --timeout=3s --retries=3
- 9. Run a container docker run —env MONGODB_URI=mongodb://mongo:27017/test -p 8090:8080 chanezon/spring-doge
- 10. docker-compose: running multiple containers ● Run your stack with one command: docker-compose up ● Describe your stack with one file: docker-compose.yml version: '3.3' services: web: image: chanezon/spring-doge ports: - "8080:8080" environment: - MONGODB_URI=mongodb://mongo:27017/test mongo: image: mongo
- 11. docker stack deploy ● Deploy your stack with one command: docker stack deploy ● Describe your stack with one file: docker-compose.yml version: '3' services: web: image: chanezon/spring-doge ports: - "8004:8080" environment: - MONGODB_URI=mongodb://mongo:27017/test depends_on: - mongo deploy: replicas: 2 update_config: parallelism: 2 delay: 10s restart_policy: condition: on-failure mongo: image: mongo
- 12. Docker Java Labs https://github.com/docker/labs/tree/master/developer-tools/ • Wildfly and Couchbase J2EE App • Debugging a Java app in Docker using Eclipse
- 14. Microsoft is an Open Source champion
- 15. Docker & Microsoft: a great Open Source collaboration
- 18. Docker for Windows Docker for Azure
- 19. Docker for Azure Making things simple for a great user experience Virtual Network VMSS Blob Storage Azure LB ARM AAD
- 20. Docker EE on Azure Free 30 Days Test Drive from Docker Store
- 21. Docker & Microsoft: collaboration on all fronts • Build • Docker for Windows • Docker EE for Windows Servers • Visual Studio Tools for Docker • Visual Studio Code Docker extension • Ship • Visual Studio Team Services Docker Integration • Azure Container Registry • Run • Docker EE in Azure MarketPlace • Docker on Azure Stack
- 22. Docker with Windows Server 1709 • Docker Linux Containers on Windows • Docker ingress mode service publishing on Windows • Named pipes in Windows containers > docker run -d -p 8080:8080 -v .pipedocker_engine:.pipedocker_engine friism/jenkins • Smaller Windows base images: Nanoserver download 70MB https://blog.docker.com/2017/09/docker-windows-server-1709/
- 23. .Net and ASP.NET Docker Images & Samples • Smaller Windows base images • Nanoserver download 70MB • Alpine images • Linux and Windows • Multi stage build • Unit tests at build or runtime https://github.com/dotnet/dotnet-docker/tree/master/samples
- 24. Swarm Windows Roadmap for Docker EE 24 Versions Release Date Highlights Docker EE 2.0.0 GA Q1 2018 ● Only Windows Server 2016 (RS1) Supported ○ Easy Image Compatibility: No ○ Ingress Networking: No Docker EE 2.0.x Patches Q2 2018 ● Add Windows Server 1709 (RS3) support with partial features: ○ Easy Image Compatibility: Yes ○ Ingress Networking: No Docker EE 2.1 Q3 2018 ● Full Support for Windows Server 1709 ○ Easy Image Compatibility: Yes ○ Ingress Networking: Yes ● Tentative Considerations: ○ Windows Server 1803 (RS4) support ○ Possible new Windows LTSC version in Q3
- 25. Kube Windows Known Timelines (Still assessing for EE Roadmap) 25 Q4’ 2017 Kube 1.9 Beta support for Windows ● Docker 17.06 engine ● Windows Server 1709 Q1’2018 Kube 1.10 Beta Support for Windows ● Docker 17.06 engine ● Windows Server 1709 Q2’2018 Kube 1.11 GA Support for Windows ● Docker 17.06 engine ● Possibly containerd ● Windows Server 1709 (RS3) ● Windows Server 1803 (RS4) H2’ 2018 Kube 1.x? GA Support for Windows ● Possibly containerd ● Windows Server LTS release
- 27. Lifecycle of a Kubernetes API Request Kubernetes API Server Authentication Authorization Admission Control etcd
- 28. Orchestrator: Docker Engine with Swarm-Mode Enabled ● github.com/docker/swarmkit ● Declarative State through the “Service” construct ● Built-in Routing Mesh & Overlay networking ● In-memory Raft Store for all state (persisted to disk) ● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints
- 29. Orchestrator: Kubernetes ● github.com/kubernetes/kubernetes ● Scheduling Unit: Pods ● Declarative State through “Controllers”: Deployment, ReplicaSet, DaemonSet … ● Load balancing via Services and Ingresses ● Flat Networking model delegated to plugins
- 30. Linuxkit VM Kubernetes CLI Swarm Mode Kubernetes etcd Docker CLI kubeadm Kubernetes in Docker CE (Windows and Mac) Compose CRD Single Docker Engine vpnkitHost fs mounts hyperkit / hyperv
- 31. Kubernetes in Docker Desktop
- 32. Docker EE now includes Kubernetes Docker Enterprise Edition Production Ready Windows and IBM P/Z Support Pods, batch jobs, blue-green deployments, horizontal pod auto-scaling Docker Swarm Swarm-Mode Kubernetes Private Image Registry Secure Access and User Management App and Cluster Management Image Security Scanning Content Trust and Verification Policy Management
- 33. GUI Universal Control Plane Trusted Registry Kubernetes CLI Docker Engine Swarm-Mode Docker Swarm Kubernetes etcd CA OIDC Provider Docker CLI Node Agent Reconciler Kubernetes in Docker EE
- 34. Docker EE 2.0: A conformant kubernetes distribution
- 35. Docker EE Architectural Highlights ● Conformant Kubernetes components ran as Docker containers ● Swarm Managers are Kubernetes Masters ● Swarmkit node inventory is source of truth ● Cryptographic Node Identity and mTLS used throughout
- 36. Uses of Kubernetes Plugin Interfaces
- 37. Authentication ● X509 Client Certificates ○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature ● OpenID Connect Identity Provider ○ GUI sessions use a custom identity provider and a token exchange service to authenticate with the OIDC authentication plugin
- 38. Authorization ● All requests authorized via the Authorization Webhook plugin ● Custom RBAC system shared between Swarm and Kubernetes: ○ Users, Teams, Organizations, Service Accounts ○ Custom Roles ○ Hierarchical “Grants” ● No support for the rbac.authorization.k8s.io API, future plans for API translation
- 39. Admission Control ● Allows plugins to inspect, mutate or reject API requests after authorization ● Used for: ○ Orchestrator Selection ○ Linking nodes to namespaces ○ User Impersonation for Stacks ○ Image Signing policy enforcement
- 40. Orchestrator Selection ● Each node is running both kubernetes and swarm system components ● Administrators can toggle between (kubernetes, swarm or mixed) for any given node ● When toggling orchestrators, workloads of the previous orchestrator will be evicted ● An admission controller ensures that kubernetes workloads can only be scheduled on nodes labelled as “kubernetes” nodes. ● Workloads of multiple orchestrators on the same node can lead to resource contention Manager Node (K8s, Swarm) Worker Node (Swarm) Worker Node (Kubernetes) Worker Node (Kubernetes) Kubelet Swarm Agents Kubelet Kubelet Kubelet Swarm Agents Swarm Agents Swarm Agents
- 41. Linking Nodes to Namespaces ● Allows users to uniquely assign nodes to namespaces. ● Variation of the PodNodeSelector admission controller integrated with UCP’s RBAC system
- 42. Image Signing Policy Enforcement ● Enforces that all workloads deployed in the cluster have a fully qualified image reference ● Resolves image references to always include a digest ● Contacts the registry to ensure that the referenced image has been signed by an authorized user.
- 44. Hybrid App v1 v2
- 45. Instructions • Signup: ask karen.bajza@docker.com to plan your workshop and provide you the url. • Instructions: https://github.com/dockersamples/ee-workshop • Code: https://github.com/dockersamples/hybrid-app
Editor's Notes
- #21: Build each point so the final slide has all 3 points. Safer apps mean that when you build and deploy your app in docker, it is intrinsicly more secure TD is everything is needed for the full fucntioning of your app is delivered in a secure and trusted manner All of these things in your system are in the app platform itself and move across = usable = people are not leaning in to security Secrets enable: secure API handshakes, encrypted communication what else? Assign secrets to services when they are ready to run and need to connect to other services (both internal and external)
- #32: Windows containers are different
- #35: Runs on Docker EE engine Swarm-mode Managers are Kubernetes Masters Swarm-modet node inventory is source of truth Cryptographic Node Identity and mTLS used throughout Unmodified Kubernetes components run as Docker containers UCP Agent/Reconciler manages component lifecycle Manager / Worker states Certificate validity Patching and upgrades Leverage Kubernetes extension model (webhooks, initializers, flexvolume, CNI, etc.) We will submit the product and aim to pass the Certified Kubernetes Conformance program
- #39: Requests arriving to the UCP controller against the kubernetes API will have their session token exchanged for a long-lived identity token. The request is then forwarded to the kubernetes API server which is configured to trust UCP’s identity tokens.
- #40: A Grant is either a RoleBinding or a ClusterRoleBinding
- #41: Grant creation is UCP-specific