Docker Introduction / Ansible

Upload: qnib-solutions

Post on 16-Jul-2015


TRANSCRIPT

Docker Introduction / Ansible

About Me

2

• Have worked

• Iteration through L1/2/3 SysOps

• Mostly German automotive sector

• 01/2013 -> 10/2014 R&D @Bull SAS

• Now

• independent R&D / Freelancing

• DevOps Eng. at Locafox (scale online)

• Hot topics

• Containerization

• Log / Performance Management

• GO-Lang

• HPC Cluster Software Stack / Interconnect

• (chroot)² != Virtual Machine

Docker in a (Coco-)Nutshell

3

Traditional vs. Lightweight Layers

4

[Diagram: Traditional Virtualisation vs. Docker Containerisation]

Traditional Virtualisation: SERVER -> HOST KERNEL -> HYPERVISOR -> per VM: KERNEL -> Userland (OS) -> InitSystem -> SERVICE

Docker Containerisation: SERVER -> HOST KERNEL -> Userland (OS) -> per container: Userland (OS) -> SERVICE

• (chroot)² != Virtual Machine

• Builds on top of LinuX Containers (LXC)

• Kernel namespaces (isolation)

Docker in a (Coco-)Nutshell

5

Process Namespace

6

$ docker run -ti --rm ubuntu:14.04 ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:24 ?        00:00:00 ps -ef
$

Containers are not able to see processes outside of their scope.

Network Namespace

7

$ docker run -ti --rm ubuntu:14.04 ip -4 -o addr
1: lo    inet 127.0.0.1/8 scope host lo
10: eth0    inet 172.17.0.4/16 scope global eth0
$

Each container gets its own network stack (by default; configurable).

Namespace

• Mount (do not mess with other file systems)

• User (users are only valid within one container)

• IPC (interprocess communication only within)

• UTS (hostname / domain name is unique)

8

Docker in a (Coco-)Nutshell

9

• (chroot)² != Virtual Machine

• Builds on top of LinuX Containers (LXC)

• Kernel namespaces (isolation)

• intuitive build system

• cgroups (resource mgmt)

Dockerfile

10

$ cat Dockerfile
# From which image to start from
FROM fedora:20
# Who is in charge
MAINTAINER "Christian Kniep <[email protected]>"
# Execute bash command
RUN yum install -y stress
# if no command is given, this command will be
# executed at runtime (within a bash).
CMD ["stress", "-c", "4"]

Build Dockerfile

11

$ docker build -q -t locafox/stress .
Step 0 : FROM fedora:20
 ---> 7d3f07f8de5f
Step 1 : RUN yum install -y stress
 ---> Running in 43fcf8d8393a
 ---> f1d0c1455565
Removing intermediate container 43fcf8d8393a
Step 2 : CMD stress -c 4
 ---> Running in bd6536dfabed
 ---> 24b99ee707fe
Removing intermediate container bd6536dfabed
Successfully built 24b99ee707fe
$

Cached Builds

12

$ docker build -q -t locafox/stress .
Step 0 : FROM fedora:20
 ---> 7d3f07f8de5f
Step 1 : RUN yum install -y stress
 ---> Using cache
 ---> f1d0c1455565
Step 2 : CMD stress -c 4
 ---> Using cache
 ---> 24b99ee707fe
Successfully built 24b99ee707fe
$

If a build step has already been executed with the same instruction, its resulting layer is taken from the cache instead of being rebuilt.
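The cache has a security consequence: a cached RUN yum install layer is never re-run, so later rebuilds keep the package versions from the first build. The following Python script is an added example, not part of the original slides; it parses docker build output in the format shown above (the Step lines and ---> markers) and flags package-installing RUN steps that were served from cache, using a sample log constructed from the slide's output.

```python
import re

# Constructed sample, modelled on the cached `docker build` output shown on the slide.
CACHED_BUILD_LOG = """\
Step 0 : FROM fedora:20
 ---> 7d3f07f8de5f
Step 1 : RUN yum install -y stress
 ---> Using cache
 ---> f1d0c1455565
Step 2 : CMD stress -c 4
 ---> Using cache
 ---> 24b99ee707fe
Successfully built 24b99ee707fe
"""

STEP_RE = re.compile(r"^Step (\d+) : (\S+) (.*)$")


def parse_build_log(log):
    """Return one dict per build step: number, instruction, args, cached flag, layer id."""
    steps = []
    for line in log.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append({"step": int(m.group(1)), "instruction": m.group(2),
                          "args": m.group(3), "cached": False, "image": None})
        elif steps and line.strip() == "---> Using cache":
            steps[-1]["cached"] = True
        elif steps and line.startswith(" ---> ") and "Running in" not in line:
            steps[-1]["image"] = line.split()[-1]  # the last id printed is the resulting layer
    return steps


# Package-manager invocations whose result goes stale when the layer is served from cache.
PKG_INSTALL = re.compile(r"\b(yum|apt-get|dnf|apk)\b.*\b(install|upgrade|update)\b")


def stale_package_layers(steps):
    """RUN steps that install packages but came from cache: their package set is frozen at the
    time the layer was first built, so later security updates are never picked up."""
    return [s["step"] for s in steps
            if s["instruction"] == "RUN" and s["cached"] and PKG_INSTALL.search(s["args"])]
```

A flagged step means the image should be rebuilt with docker build --no-cache (or the RUN line changed) to refresh the packages.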

• (chroot)² != Virtual Machine

• Builds on top of LinuX Containers (LXC)

• Kernel namespaces (isolation)

• intuitive build system

• cgroups (resource mgmt)

Docker in a (Coco-)Nutshell

13

cgroups

14

4 CPU stress processes are bound to Core 0

cgroups [cont]

15

4 CPU stress processes are bound to Core 0 & 3

• (chroot)² != Virtual Machine

• Builds on top of LinuX Containers (LXC)

• Kernel namespaces (isolation)

• cgroups (resource mgmt)

• intuitive build system

• repositories public/private/certified

• RedHat, Microsoft, Community backed

Docker in a (Coco-)Nutshell

16

• (chroot)² != Virtual Machine

Docker details

17

Docker != VM (srsly!)

http://en.wikipedia.org/wiki/Systemd

Virtual Machine

• Kicks off a complete Machine, hence the name!

• Everyone™ disables security

• Hard to strip down

18

Docker

• Only spawns one process (in theory, at least)

• Easy to understand (theory, old friend)

Single Purpose

19

Single Process

• Make SELinux usable?

• one process

• limited interactions

• just simpler

20

https://www.youtube.com/watch?v=zWGFqMuEHdw

• (chroot)² != Virtual Machine

• Images and CoW

Docker details

21

Images and CoW

• An image is an immutable layer

• A container is the RW layer, which is executed on-top

22

[Diagram: image tree built on Fedora with copy-on-write layers: qnib/fd20, qnib/supervisor, qnib/terminal, qnib/build, qnib/of_build, qnib/IB_build, qnib/slurm_build, qnib/master, qnib/gapi, qnib/carbon, qnib/elk, /slurm, qnib/slave]

FROM points to the parent image and this relationship sticks: if the parent is changed, the child has to be rebuilt.

• (chroot)² != Virtual Machine

• Images and CoW

• Ports

• docker exec (since 1.3)

Docker details

23

Network Port

24

The internal port 80 is exposed to the docker-host's port 8080

• (chroot)² != Virtual Machine

• Images and CoW

• Ports

• docker exec (since 1.3)

Docker details

25

docker exec

26

Inject a new process into an already running container.

Ansible + Docker

• Purpose of Config-Mgmt

• Provisioning

• Orchestration

• Validation

• Ansible

• docker module

• docker inventory

• docker facts

27

Config Mgmt

• Provisioning

• Bootstrap DOCKER_HOST

• Dockerfile vs. playbooks?

• Orchestration

• Multiple other projects in the woods (Docker Swarm, Kubernetes, Apache Mesos[?], …)

• Validation

• Is the configuration within still valid?

28

Ansible + Docker

• Purpose of Config-Mgmt

• Provisioning

• Orchestration

• Validation

• Ansible

• docker module

• docker inventory

• docker facts

29

Ansible

• docker module

• Start/Stop Container

• docker inventory

• provide dynamic inventory by fetching info about running containers

• docker facts

• Use information about containers within Ansible

30
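The "docker inventory" and "docker facts" points above, as an added example that is not part of the original slides or of Ansible's own inventory script: a minimal dynamic-inventory script in Python that turns docker inspect output into the JSON structure Ansible expects (groups with hosts plus _meta hostvars). The inspect data is a constructed sample with made-up ids and addresses, and the ansible_connection: docker hostvar assumes an Ansible version that ships the docker connection plugin (so tasks run via docker exec, since the containers carry no SSH daemon).

```python
import json

# Constructed sample shaped like `docker inspect $(docker ps -aq)` output, fields trimmed.
# Container ids, names, labels and addresses are made up for this example.
INSPECT_JSON = json.dumps([
    {"Id": "0a" * 32,
     "Name": "/stress1",
     "State": {"Running": True},
     "Config": {"Image": "locafox/stress", "Labels": {"role": "worker"}},
     "NetworkSettings": {"IPAddress": "172.17.0.4"}},
    {"Id": "0b" * 32,
     "Name": "/stress2",
     "State": {"Running": False},
     "Config": {"Image": "locafox/stress", "Labels": {}},
     "NetworkSettings": {"IPAddress": ""}},
])


def build_inventory(inspect_json):
    """Turn docker inspect output into Ansible's dynamic-inventory JSON structure."""
    inventory = {"_meta": {"hostvars": {}}}
    for c in json.loads(inspect_json):
        if not c["State"]["Running"]:
            continue  # a stopped container cannot run tasks, so it is left out
        name = c["Name"].lstrip("/")
        image = c["Config"]["Image"]
        # one group per image, e.g. image_locafox_stress
        group = "image_" + image.replace("/", "_").replace(":", "_")
        inventory.setdefault(group, {"hosts": []})["hosts"].append(name)
        # one group per label key/value pair, e.g. label_role_worker
        for key, val in (c["Config"].get("Labels") or {}).items():
            inventory.setdefault("label_%s_%s" % (key, val), {"hosts": []})["hosts"].append(name)
        inventory["_meta"]["hostvars"][name] = {
            "ansible_connection": "docker",  # no sshd inside: talk to the container via docker exec
            "docker_id": c["Id"],
            "docker_ip": c["NetworkSettings"]["IPAddress"],
        }
    return inventory


if __name__ == "__main__":
    # Ansible calls an inventory script with --list and reads the JSON from stdout.
    print(json.dumps(build_inventory(INSPECT_JSON), indent=2))
```

The hostvars are the "docker facts" a playbook can then use, for example to validate the configuration inside each running container.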

Thoughts

• Containers mostly do not provide an SSH daemon

• Connecting via docker exec <container> bash

• Docker is a nice way to check out playbooks

• Otherwise playbooks shouldn't be used inside of Dockerfiles [IMHO]

• Use Ansible to check configuration within container?

• Setup SELinux rules using Ansible

• Vagrant vs. Docker

31