![@bridgetkromhout
2014/10/30 21:35:31 Error getting container init rootfs
b528d54a0458a8cd8a798309930adb45cb5e1a7430e98
1e0f3108f86386aab67 from driver devicemapper: open
/dev/mapper/docker-9:127-14024705-
b528d54a0458a8cd8a798309930adb45cb5e1a7430e98
1e0f3108f86386aab67-init: no such file or directory
make: *** [build-django] Error 1
Build step 'Execute shell' marked build as failure
breaking builds](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-26-320.jpg)
![@bridgetkromhout
#!/bin/bash
cat <<EOF > /etc/init/django.conf
description "Run Django containers for www"
start on started docker-reg
stop on runlevel [!2345] or stopped docker
respawn limit 5 30
[...]
replacing 100s of lines of userdata...](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-36-320.jpg)
![@bridgetkromhout
...with a chef-client run & packer build.
#!/bin/bash
# upstart configs are now created by chef
rm /etc/chef/client.pem
mkdir -p /var/log/chef
chef-client -r 'role[rolename]' -E
'environment' -L /var/log/chef/chef-client.
log](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-37-320.jpg)
![@bridgetkromhout
using attributes
attribute :command, :kind_of => String, :required => true
attribute :env, :kind_of => Hash, :default => {}
attribute :port, :kind_of => Array, :default => []
attribute :volume, :kind_of => Array, :default =>
['/var/log/containers:/var/log']
attribute :rm, :kind_of => [TrueClass, FalseClass], :default => false
attribute :image, :kind_of => String, :required => true
attribute :tag, :kind_of => String, :required => true
attribute :type, :kind_of => String, :required => true
attribute :cron, :kind_of => [TrueClass, FalseClass], :default => false](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-41-320.jpg)
![@bridgetkromhout
recipe using LWRP
base_docker node['www']['django']['name'] do
command node['www']['django']['command']
env node['www'][service]['django'][env]['env']
image node['www']['django']['image']
port node['www'][service]['django'][env]['port']
tag node['www'][service]['django'][env]['tag']
type node['www']['django']['type']
end](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-42-320.jpg)
![@bridgetkromhout
packer for ami building
{
"type": "chef-client",
"server_url": "https://api.opscode.com/organizations/dramafever",
"run_list": [ "base::ami" ],
"validation_key_path": "{{user `chef_validation`}}",
"validation_client_name": "dramafever-validator",
"node_name": "packer-ami"
}](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-43-320.jpg)
![@bridgetkromhout
limiting packer IAM permissions
"Action":[
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:DeleteSnapshot",
"ec2:DetachVolume",
"ec2:DeleteVolume",
"ec2:ModifyImageAttribute"
],
"Effect":"Allow",
"Resource":"*",
"Condition":{
"StringEquals":{ "ec2:
ResourceTag/name":"Packer Builder"
}
}](https://image.slidesharecdn.com/oscon-docker-in-production-150722184320-lva1-app6892/85/Docker-in-production-reality-not-hype-OSCON-2015-45-320.jpg)
Docker in production: reality, not hype (OSCON 2015)
- 1. Reality, Not Hype Docker in Production
- 3. @bridgetkromhout DramaFever. com Streaming international content starting in 2009 Docker in production since October 2013
- 6. @bridgetkromhout 15K 70 15 20M Peak load: tens of thousands of requests per second Traffic variance: swings 10-20x throughout the week
- 7. @bridgetkromhout autoscaling in AWS streaming delivery via Akamai
- 8. @bridgetkromhout Architecture Python/Django Upstreams routed via nginx Go microservices state in RDS, DynamoDB, Elasticache API endpoints for native clients Celery/SQS for async tasks
- 9. @bridgetkromhout consistent development repeatable deployment Why Docker?
- 10. @bridgetkromhout one year ago... Vagrant for local development chef-solo provisioner 17 minutes to install everything
- 11. @bridgetkromhout images built on jenkins mysql image built with fixtures can run master or qa image (or even prod) can build new local images from Dockerfiles a year of boot2docker
- 12. @bridgetkromhout docker in production: in theory
- 13. @bridgetkromhout docker in production: in practice
- 14. @bridgetkromhout Distributed private S3-backed Docker registry: registry container on each ec2 instance more effective scaling Post by Tim Gross: http://0x74696d.com/posts/host- local-docker-registry/
- 15. @bridgetkromhout docker options # goes in /etc/default/docker to control docker's upstart DOCKER_OPTS="--graph=/mnt/docker --insecure- registry=localhost-alias.com:5000" localhost-alias.com in DNS with A record to 127.0.0.1 OS X /etc/hosts: use the boot2docker host-only network IP
- 16. @bridgetkromhout registry upstart docker pull public_registry_image docker run -p 5000:5000 --name registry -v /etc/docker-reg:/registry-conf -e DOCKER_REGISTRY_CONFIG=/registry-conf/config.yml public_registry_image
- 17. @bridgetkromhout config.yml s3_region: us-east-1 s3_access_key: <aws-accesskey> s3_secret_key: <aws-secretkey> s3_bucket: <bucketname> standalone: true storage: s3 storage_path: /registry
- 18. @bridgetkromhout docker run -d -p 5000:5000 --name docker-reg -v ${DFHOME}:${DFHOME} -e DOCKER_REGISTRY_CONFIG=${DFHOME}/config/registry/config.yml public_registry_image private registry for dev
- 19. @bridgetkromhout S3 requires clock sync $ docker pull local-repo-alias.com:5000/mysql Pulling repository local-repo-alias.com:5000/mysql 2014/11/24 19:44:31 HTTP code: 500 $ boot2docker ssh sudo date --set "$(env TZ=UTC date '+%F %H:%M:%S')"
- 21. @bridgetkromhout weekly base builds FROM local-repo-alias.com:5000/www-base ● include infrequently-changing dependencies ○ ubuntu packages ○ pip requirements ○ wheels ● other builds can start from these images (so they’re faster):
- 22. @bridgetkromhout www-master build sudo docker build -t="a12fbdc" . sudo docker run -i -t -w /var/www -e DJANGO_TEST=1 --name test.a12fbdc a12fbdc py.test -s sudo docker tag a12fbdc local-repo-alias.com:5000/www:'dev' sudo docker push local-repo-alias.com:5000/www:'dev'
- 23. @bridgetkromhout container-building containers easier with statically linked binaries Go microservices Android APK
- 24. @bridgetkromhout $ docker images REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE local-repo-alias.com:5000/mysql dev b0dc5885f767 2 days ago 905.9 MB local-repo-alias.com:5000/www dev 82cda604a4f1 2 days ago 1.092 GB local-repo-alias.com:5000/micro local bed20dc84ea1 4 days ago 10.08 MB google/golang 1.3 e3934c44b8e4 2 weeks ago 514.3 MB public_registry_image 0.6.9 11299d377a9e 6 months ago 454.5 MB scratch latest 511136ea3c5a 18 months ago 0 B $ ever-smaller images
- 25. @bridgetkromhout a cautionary word on storage drivers
- 26. @bridgetkromhout 2014/10/30 21:35:31 Error getting container init rootfs b528d54a0458a8cd8a798309930adb45cb5e1a7430e98 1e0f3108f86386aab67 from driver devicemapper: open /dev/mapper/docker-9:127-14024705- b528d54a0458a8cd8a798309930adb45cb5e1a7430e98 1e0f3108f86386aab67-init: no such file or directory make: *** [build-django] Error 1 Build step 'Execute shell' marked build as failure breaking builds
- 27. @bridgetkromhout
- 28. @bridgetkromhout useful for unattended base builds, but... ...seeing this in Slack got old
- 29. @bridgetkromhout DOCKER_OPTS="--graph=/mnt/docker --insecure-registry=local-repo- alias.com:5000 --storage- driver=aufs" replace storage driver for jenkins instance
- 30. @bridgetkromhout bash 'install kernel extras for aufs' do code <<-EOH apt-get -y install linux-image- extra-$(uname -r) EOH end ubuntu 14.04: aufs in kernel extras
- 31. @bridgetkromhout (yes, modulo what’s available for your kernel)
- 32. @bridgetkromhout for persistent instances # remove stopped containers @daily docker rm `docker ps -aq` # remove images tagged "none" @daily docker rmi `sudo docker images | grep none | awk -F' +' '{print $3}'`
- 33. @bridgetkromhout deploys using fabric tag for staging tag for prod out of ELB restart upstart back in ELB
- 34. @bridgetkromhout
- 36. @bridgetkromhout #!/bin/bash cat <<EOF > /etc/init/django.conf description "Run Django containers for www" start on started docker-reg stop on runlevel [!2345] or stopped docker respawn limit 5 30 [...] replacing 100s of lines of userdata...
- 37. @bridgetkromhout ...with a chef-client run & packer build. #!/bin/bash # upstart configs are now created by chef rm /etc/chef/client.pem mkdir -p /var/log/chef chef-client -r 'role[rolename]' -E 'environment' -L /var/log/chef/chef-client. log
- 38. @bridgetkromhout upstart config docker run -e DJANGO_ENVIRON=PROD -e HAPROXY=df/haproxy-prod.cfg -p 8000:8000 -v /var/log/containers:/var/log --name django localhost-alias.com:5000/www:prod /var/www/bin/start-django
- 39. @bridgetkromhout docker run <% if @docker_rm == true -%> --rm <% end %> <% @docker_env.each do |k, v| -%> -e <%= k %>=<%= v %> <% end %> <% @docker_port.each do |p| -%> -p <%= p %> <% end %> upstart template
- 40. @bridgetkromhout <% @docker_volume.each do |v| -%> -v <%= v %> <% end %> --name <%= @application_name %> localhost-alias.com:<%= @registry_port %>/<%= @docker_image %>:<%= @docker_tag %> <%= @docker_command %> upstart template (cont)
- 41. @bridgetkromhout using attributes attribute :command, :kind_of => String, :required => true attribute :env, :kind_of => Hash, :default => {} attribute :port, :kind_of => Array, :default => [] attribute :volume, :kind_of => Array, :default => ['/var/log/containers:/var/log'] attribute :rm, :kind_of => [TrueClass, FalseClass], :default => false attribute :image, :kind_of => String, :required => true attribute :tag, :kind_of => String, :required => true attribute :type, :kind_of => String, :required => true attribute :cron, :kind_of => [TrueClass, FalseClass], :default => false
- 42. @bridgetkromhout recipe using LWRP base_docker node['www']['django']['name'] do command node['www']['django']['command'] env node['www'][service]['django'][env]['env'] image node['www']['django']['image'] port node['www'][service]['django'][env]['port'] tag node['www'][service]['django'][env]['tag'] type node['www']['django']['type'] end
- 43. @bridgetkromhout packer for ami building { "type": "chef-client", "server_url": "https://api.opscode.com/organizations/dramafever", "run_list": [ "base::ami" ], "validation_key_path": "{{user `chef_validation`}}", "validation_client_name": "dramafever-validator", "node_name": "packer-ami" }
- 44. @bridgetkromhout packer run $HOME/packer/packer build -var "account_id=$AWS_ACCOUNT_ID" -var "aws_access_key_id=$AWS_ACCESS_KEY_ID" -var "aws_secret_key=$AWS_SECRET_ACCESS_KEY" -var "x509_cert_path=$AWS_X509_CERT_PATH" -var "x509_key_path=$AWS_X509_KEY_PATH" -var "s3_bucket=bucketname" -var "ami_name=$AMI_NAME" -var "source_ami=$SOURCE_AMI" -var "chef_validation=$CHEF_VAL" -var "chef_client=$HOME/packer/client.rb" -only=amazon-instance $HOME/packer/prod.json
- 45. @bridgetkromhout limiting packer IAM permissions "Action":[ "ec2:TerminateInstances", "ec2:StopInstances", "ec2:DeleteSnapshot", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:ModifyImageAttribute" ], "Effect":"Allow", "Resource":"*", "Condition":{ "StringEquals":{ "ec2: ResourceTag/name":"Packer Builder" } }
- 46. @bridgetkromhout and now you have a new problem...
- 47. @bridgetkromhout container clustering evaluating Mesos/Marathon +/- autoscaling +/- discovery
- 48. @bridgetkromhout obligatory container disaster protip: does not represent reality tl;dr: containers aren’t going to solve all your problems… ...but they aren’t actually all that hard to use, either.
- 49. @bridgetkromhout security (we focus on host-level security, not isolation… ...and we don’t run arbitrary images from the internets.)
- 50. @bridgetkromhout logs -v /var/log/containers:/var/log <Input containers_in> Module im_file Recursive False File '/var/log/containers/*.log' Exec $FileName = file_name(); Exec $raw_event = $FileName + ' ' + $raw_event ; Exec $Message = $raw_event ; </Input>
- 52. @bridgetkromhout Docker in production: honestly, it’s pretty awesome.
- 53. @bridgetkromhout Thank you! (and we’re hiring!) dramafever.com/company/careers.html