Introduction to Docker
Travis Cardwell, Tokyo Linux Users Group
2014-01-18 Technical Meeting
Presentation Motivation
- OS-level virtualization is becoming accessible
- Docker makes it very easy to experiment with the technology
- If you have not already started learning about OS-level virtualization, now is the time!
Travis Cardwell Introduction to Docker 2 / 37
Presentation Outline
1. The Big Picture
2. Underlying Technology
3. Docker
4. Use Cases
5. Demonstration
6. How To Get Started
The Big Picture
Virtualization
(Diagram: bare metal → Linux host → KVM; each VM runs its own Linux guest.)
- Each virtual machine (VM) runs a full OS
- VMs require significant resources
- VMs take time to provision and boot
Virtualization: history
- 1967 first demo @ IBM
- 1997 Virtual PC
- 1999 VMware
- 2003 Xen, QEMU
- 2007 KVM, VirtualBox
OS-Level Virtualization
(Diagram: bare metal → one Linux kernel → several containers sharing it.)
- Containers share the host kernel
- Filesystem, network, etc. are virtualized
- Requires fewer resources
- A guest OS does not have to boot → starts fast
OS-Level Virtualization: history
- 1982 chroot
- 1998 FreeBSD jails
- 2001 Linux-VServer, Virtuozzo
- 2005 OpenVZ, Solaris Containers
- 2007 AIX WPARs, HP-UX Containers
- 2008 LXC
chroot
Build a minimal Debian sid tree with debootstrap and switch into it (the # prompt means these commands run as root):

# export MY_CHROOT=/tmp/sid
# mkdir $MY_CHROOT
# debootstrap sid $MY_CHROOT \
    http://ftp.jp.debian.org/debian/
# mount proc $MY_CHROOT/proc -t proc
# mount sysfs $MY_CHROOT/sys -t sysfs
# chroot $MY_CHROOT /bin/bash

Caveat: chroot only changes a process's view of the root directory. It does not reduce privileges, and a root process inside can break out of it, so on its own it is not a security boundary (the mount namespace covered under Kernel Namespaces is the stronger mechanism).
Underlying Technology
Kernel Namespaces
Namespaces are used for isolation of:
- filesystem (mount namespace): like chroot but more secure
- UTS (host and domain names)
- IPC (interprocess communication resources)
- PIDs (process ID number space)
- network stack (devices, addresses, routing, ports, etc.)
- users (user and group IDs); Docker did not yet use user namespaces at the time of this talk, so UID 0 inside a container is UID 0 on the host (see the advice under Usage Status)
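As an added example (not from the slides or from Docker's own code), the following POSIX shell script shows how namespace membership can be inspected from userspace: the kernel exposes one symlink per namespace type under /proc/<pid>/ns, and two processes share a namespace exactly when those links match. The last function tries unshare(1) to enter fresh user, PID and mount namespaces without root and reports "unsupported" when the kernel or a sandbox refuses. The function and variable names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: inspect kernel namespace membership via /proc/<pid>/ns.
# One symlink per namespace type; its target reads "type:[inode]". Two
# processes are in the same namespace of a type exactly when those targets
# are identical. Docker, LXC and unshare(1) all build on these namespaces.

# ns_id <pid> <type>
# Print the namespace identifier of a process, e.g. "pid:[4026531836]".
# type is one of mnt uts ipc pid net user (the pid and user links need
# Linux 3.8+, which is related to the 3.8 requirement on the Usage Status slide).
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# same_ns <pid_a> <pid_b> <type>
# Exit 0 if both processes are in the same namespace, 1 if they differ,
# 2 if either link cannot be read (reading another user's links needs
# ptrace permission, so an unprivileged user may not be able to see PID 1).
same_ns() {
    a=$(ns_id "$1" "$3") || return 2
    b=$(ns_id "$2" "$3") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# ns_report <pid>
# Compare a process against PID 1 for every namespace type the kernel
# exposes. A process whose mnt, pid or net namespace differs from init's is
# running in a container (or was otherwise unshared) relative to this host,
# which makes this a quick triage check during incident response.
ns_report() {
    for link in /proc/"$1"/ns/*; do
        nstype=${link##*/}
        rc=0
        same_ns 1 "$1" "$nstype" || rc=$?
        case $rc in
            0) status=shared ;;
            1) status=separate ;;
            *) status="unknown (cannot read PID 1)" ;;
        esac
        printf '%-17s %-22s %s\n' "$nstype" "$(ns_id "$1" "$nstype")" "$status"
    done
}

# pid_in_new_ns
# Try to enter fresh user, PID and mount namespaces without root. With
# unprivileged user namespaces enabled, the shell inside sees itself as
# PID 1 and gets a private /proc, which is what makes "ps" inside a
# container show only the container's processes. Prints that PID, or
# "unsupported" when the kernel, a seccomp policy or a sandbox refuses.
pid_in_new_ns() {
    unshare -Urpf --mount-proc sh -c 'echo $$' 2>/dev/null || echo unsupported
}

ns_report $$
echo "PID seen from inside a fresh namespace: $(pid_in_new_ns)"
```

Run it once on the host and once inside a container: on the host every row reads "shared"; inside a container the mnt, pid and net rows read "separate" while the user row is still "shared" for a Docker of this era, which is the UID 0 caveat above made visible.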
Kernel Control Groups
cgroups partition sets of tasks into hierarchical groups
Allows control over system resources:
- resource limits (CPU, memory)
- bandwidth limits (block I/O)
- prioritization
- access control (devices): the devices controller decides which /dev nodes a container may use, e.g. the ALSA devices in the sandboxed Firefox demo
Provides accounting/metrics
Allows management of tasks:
- suspend/resume
LXC (LinuX Containers)
Userspace interface for kernel containment features (namespaces and cgroups)

lxc-create -t ubuntu -n p1    # create container p1 from the ubuntu template
lxc-start -n p1 -d            # start it detached
lxc-ls                        # list containers
lxc-stop -n p1                # stop it
aufs
- Implements a union mount
- Overlays filesystems, creating a unified hierarchy
- Smaller size (diffs) allow for faster deployment

# cd /tmp
# mkdir aufs-{orig,diff,mount}
# debootstrap sid aufs-orig \
    http://ftp.jp.debian.org/debian/
# mount -t aufs \
    -o br=/tmp/aufs-diff:/tmp/aufs-orig \
    none /tmp/aufs-mount

Branches are listed top-down: the first branch (aufs-diff) is writable and receives every change, while aufs-orig stays untouched underneath, so only the diff needs to be shipped.
Docker
Docker
- Created by dotCloud (now Docker, Inc.), a Platform-as-a-Service company
- Created to automate the deployment of any application
- Open source, on GitHub, active community
- License: Apache 2.0
Feature: Compiled
- Docker is written in Go
- The executable is statically compiled
Feature: Layers
- The filesystem is layered using aufs
- Changes are committed, similar to git commits
Feature: Dockerfiles
- Configuration files that define how to build a new image from a base image
- Use configuration tools, build tools, packages, etc.

FROM ubuntu
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y build-essential

Each RUN instruction is committed as its own layer on top of the base image (see Feature: Layers).
Feature: Registry
- A server that stores repositories
- Provides an API for uploading/downloading them
- There is a public registry called the index
- Open source, so you can host your own

# docker search ghc
# docker pull afriel/ghc-head

# docker login localhost:8080
# docker push tcard/gitit

Repositories on the public index are built and published by third parties; check who maintains one before running it.
Features Coming Soon
- Container wiring and service discovery
- Plugin API
- Broader kernel support
- Cross-architecture support
Development Status
- Development is moving quite quickly
- A production ready version is coming soon

Version  Released    Point releases  Days to next release
0.1.0    2013-03-23  8               31
0.2.0    2013-04-23  2               13
0.3.0    2013-05-06  4               28
0.4.0    2013-06-03  8               44
0.5.0    2013-07-17  3               36
0.6.0    2013-08-22  7+7             95
0.7.0    2013-11-25  (6)             (54)

(Values in parentheses for 0.7.0 are counted up to the date of this talk.)
Usage Status
- Currently requires x86_64
- Currently requires Linux 3.8 or higher
- Currently not production ready
- Containers are not considered secure: the kernel is shared, and root inside a container is root on the host

Advice: Avoid root access in containers; run services as an unprivileged user (USER in the Dockerfile, or -u on docker run)
Advice: Use SELinux if you need more security
Use Cases
Deployment
- The OS userland is included, so there are fewer parts to break
- Same way for development, staging, and production
- Can have fast transfer and boot times
- Scale applications and services
Examples:
- CoreOS is a distro for distributed platforms
- Flynn is an open source Platform-as-a-Service
- Dokku is a mini-Heroku in 100 lines of BASH
Test Automation
- Test across different distributions and library versions
- Perform fast unit and integration testing
Examples:
- DNT tests code against multiple versions of Node.js simultaneously
- NodeChecker is a website that tests all NPM modules
Isolation
- Run some services on battle-tested RHEL and others on bleeding-edge Arch (the userlands differ; all containers still run on the host kernel)
- Sandbox web applications; example: JiffyLab is a Python/Unix web-based teaching environment
- Sandbox local applications; example: run Mozilla Firefox in an ephemeral container
Lightweight Virtualization
- Launch virtualized environments quickly
- Reduce resource requirements
- Use Xpra ("screen for X") to manage sessions
Share Builds
- Provide quick access to difficult builds
- Provide easy access to new users
Examples:
- The ghc-head repository provides the latest builds of GHC
- The docker-selenium-firefox-chrome repository provides Selenium testing against specific browser builds
Demonstration
Containers
- Separate process space
- Separate filesystems
- Separate networking
Committing
- The service listens on virtual port 8888
- It can be mapped to any host port
- The service is run in detached mode
BusyBox
- The image is small: <5MB
- Run with the -rm option to automatically remove the container on exit (later Docker versions spell this --rm)
IPython Service
- The service listens on virtual port 8888
- It can be mapped to any host port
- Bind mount a directory for data
Sandboxed Firefox
- Bind mount /tmp/.X11-unix (X11 unix socket)
- Bind mount /dev/snd
- Give access to c 116:* (ALSA) via the devices cgroup
- Pass the $DISPLAY environment variable
- Choose what to do with data:
  - Ephemeral: delete on close
  - Data on host: bind mount a host directory
  - Data container: use a volume

Caveat: sharing the X11 socket gives the container the same access to the display as any other X client, including other windows' input, so this sandbox protects the host filesystem rather than the desktop session.
How To Get Started
Linux Beginners: Vagrant
1. Install VirtualBox
2. Install Vagrant
3. Install git
4. Deploy a Docker VM:

   git clone https://github.com/dotcloud/docker.git
   cd docker
   vagrant up

5. Connect to the VM: vagrant ssh
6. Run Docker in the VM: sudo docker
Linux Veterans: Debian
- Works painlessly on Jessie (testing)
- Dependencies are listed in hack/PACKAGERS.md in the Docker repository
- You will need to:
  - Add some parameters to /etc/default/grub
  - Add a cgroup mount to /etc/fstab
  - Enable forwarding in /etc/sysctl.conf
- All output of lxc-checkconfig should be green
- To install Docker:
  - wget the binary from the Docker website
  - wget the SysVinit script from the GitHub repo
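As an added example (not from the slides), here is a POSIX shell pre-flight check for the requirements the talk lists on the Usage Status and Debian slides: x86_64, Linux 3.8 or higher, a mounted cgroup hierarchy and IPv4 forwarding. The function names are this example's own; it reads only uname, /proc/mounts and /proc/sys, so it runs unprivileged on any Linux box before you start on the grub, fstab and sysctl edits.

```shell
#!/bin/sh
# Added example: pre-flight check for the requirements the talk lists,
# x86_64, Linux 3.8 or higher, a mounted cgroup hierarchy and IPv4
# forwarding (container traffic is NATed through the host).
# Reads only uname(1), /proc/mounts and /proc/sys; no root needed.

# kernel_at_least <required> <actual>
# Exit 0 when the numeric part of <actual> is >= <required>. A trailing
# "-suffix" as printed by uname -r ("3.12-1-amd64", "3.10.0-123.el7.x86_64")
# is stripped first; components are compared numerically, so "3.12" > "3.8".
kernel_at_least() {
    req=$1
    act=${2%%-*}
    i=1
    while :; do
        # A trailing dot guarantees cut sees a delimiter, so fields past the
        # end come back empty instead of echoing the whole string.
        r=$(printf '%s.\n' "$req" | cut -d. -f"$i")
        a=$(printf '%s.\n' "$act" | cut -d. -f"$i")
        [ -z "$r" ] && [ -z "$a" ] && return 0   # ran out of components: equal
        r=${r:-0}
        a=${a:-0}
        [ "$a" -gt "$r" ] && return 0
        [ "$a" -lt "$r" ] && return 1
        i=$((i + 1))
    done
}

# check_docker_prereqs
# Prints one ok/FAIL line per requirement, each FAIL naming the fix the
# Debian slide suggests, and returns the number of failures (0 means ready).
check_docker_prereqs() {
    fails=0

    arch=$(uname -m)
    if [ "$arch" = x86_64 ]; then
        echo "ok    architecture $arch"
    else
        echo "FAIL  architecture $arch (x86_64 required)"; fails=$((fails + 1))
    fi

    krel=$(uname -r)
    if kernel_at_least 3.8 "$krel"; then
        echo "ok    kernel $krel"
    else
        echo "FAIL  kernel $krel (3.8 or higher required)"; fails=$((fails + 1))
    fi

    # Field 3 of /proc/mounts is the filesystem type; accept v1 hierarchies
    # (what Docker 0.7 expects) and the newer unified cgroup2 mount.
    if grep -Eqs ' cgroup2? ' /proc/mounts; then
        echo "ok    cgroup hierarchy mounted"
    else
        echo "FAIL  no cgroup mount (add one to /etc/fstab)"; fails=$((fails + 1))
    fi

    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; then
        echo "ok    net.ipv4.ip_forward = 1"
    else
        echo "FAIL  net.ipv4.ip_forward != 1 (enable it in /etc/sysctl.conf)"; fails=$((fails + 1))
    fi

    return "$fails"
}

if check_docker_prereqs; then
    echo "host meets the Docker 0.7 requirements"
else
    echo "fix the FAIL lines above before installing"
fi
```

The version comparison is split out on purpose: a plain string test such as `[ "$krel" \> 3.8 ]` would accept 3.2 and reject 3.12, because "3.12" sorts before "3.8" lexically, and that is exactly the kernel range the 3.8 requirement is meant to exclude.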
Tokyo Docker Meetup
http://www.meetup.com/Docker-Tokyo/
First meeting has not been scheduled yet