scugbe_lowlands_unite_2017_managing windows containers with docker
TRANSCRIPT
Managing Windows Containers with Docker
Els Putzeys
Containers - Introduction
▪ Computing is based on a set of physical resources
  • Processor
  • Memory
  • Disk
  • Network
▪ Physical resources became more and more powerful
  • Applications will use only a fraction of the resources of a physical machine
▪ Virtual resources
  • Simulate underlying physical hardware
  • Allow multiple applications to run concurrently
Containers - Introduction
▪ Virtualization
  • Virtual machines
  • Virtual memory
  • Containers
▪ Containers
  • Perception of a fully isolated and independent OS
  • Local disk
    ▪ Clean copy of OS files
  • Memory
    ▪ Appears to hold only files and data from a fresh OS
Containers versus Virtual Machines
▪ Virtual Machines
  • For complete isolation, every VM has its own copies of
    ▪ OS files
    ▪ Libraries
    ▪ Application code
  • Full in-memory instance of the OS
  • Limits the number of application instances (VMs) that can run on a host
Containers versus Virtual Machines
▪ Containers
  • Share the host OS
    ▪ Kernel and libraries
  • No need to boot the OS, load libraries, or use memory for OS files
  • Only need memory and disk space for the application to run
    ▪ Feels like a dedicated OS
    ▪ App starts in seconds
    ▪ Many more instances can run on the same host
Container Benefits
▪ Namespace isolation
  • Host assigns a virtualized namespace to the container
    ▪ Restricted view
    ▪ Container can only access files in its namespace
    ▪ Container cannot see or interact with apps that are not part of the container
▪ OS files, directories, running services
  • Shared between containers
    ▪ Efficiency
  • Distinct copies are made
    ▪ When a container makes a change to a file or service
Container Benefits
▪ Resource governance
  • Control how much of the host resources a container can use
    ▪ CPU
    ▪ RAM
    ▪ Network bandwidth
  • Container gets the resources it expects
  • Container cannot impact the performance of other containers
Container Benefits
▪ Instant startup
  • OS virtualization
▪ Reliable execution
  • Namespace isolation
  • Resource governance
▪ Usage scenarios
  • Application development and testing
    ▪ Containerized apps will work the same on any system
  • Cloud scenarios
    ▪ Instant start
    ▪ Small footprint
    ▪ More applications on one machine compared to VMs
Container Types
▪ Windows Server Containers
▪ Hyper-V Containers
Windows Server Containers
▪ Share the OS with the host and with each other
  • May not provide enough isolation
    ▪ Dependency on host OS version and patch level
    ▪ OS must trust the applications hosted on it
    ▪ All applications must trust each other
Hyper-V Containers
▪ Have their own copy of the Windows kernel
▪ Have memory assigned directly to them
▪ Hyper-V is used for CPU, memory and IO isolation
  • Same level of isolation as for VMs
▪ Can be deployed with the same packages as Windows containers
▪ Use Windows containers running inside a VM
  • Kernel isolation
  • Separation of host patch/version level
  • Slower startup times
▪ Great for multi-tenancy scenarios
Windows versus Hyper-V Containers
▪ Application is containerized using Windows containers
▪ At deployment time, you pick the level of isolation by choosing a
  • Windows container
  • Hyper-V container
Container Fundamentals
▪ Container Host
  • Physical or virtual computer configured with the Windows Container feature
  • Can run one or more Windows containers
▪ Container OS Image
  • Containers are deployed from images
  • OS image is the first layer of the potentially many image layers that make up a container
  • Provides the OS environment
  • Is immutable
▪ Sandbox
  • All write actions to a container are captured in a 'sandbox' layer
    ▪ File system modifications
    ▪ Registry modifications
    ▪ Software installations
Container Fundamentals
▪ Container Image
  • Captures the container state
  • Converts the sandbox into a new container image
  • Layered on top of the container OS image
  • New containers can be created based on this image
▪ Container Repository
  • Local repository on the container host that stores all images and their dependencies
▪ Container Management Technology
  • Docker
  • PowerShell
    ▪ New module that can be used as an alternative to the docker command-line interface
    ▪ In development
Container Fundamentals
Windows Container OS Images
▪ Windows Server 2016 has 2 container OS images
  • Windows Server Core
  • Nano Server
Deploy Container Host
▪ Install Windows Server 2016
▪ Configure nested virtualization
  • Enable nested virtualization
    ▪ Set-VMProcessor -VMName ContainerHost -ExposeVirtualizationExtensions $true
  • Host must have at least 4 GB RAM and dynamic memory disabled
    ▪ Set-VMMemory -VMName ContainerHost -DynamicMemoryEnabled $false -StartupBytes 4GB
  • Configure MAC address spoofing
    ▪ Get-VMNetworkAdapter -VMName CHost | Set-VMNetworkAdapter -MacAddressSpoofing On
▪ Enable the Hyper-V role
  • Install-WindowsFeature Hyper-V
  • Restart-Computer
Deploy Container Host
▪ Install Docker
  • Docker daemon and CLI do not ship with Windows
  • Must be installed separately
▪ Install Docker with the OneGet PowerShell module
  • Installs the Containers feature
  • Installs Docker
  • Creates a virtual switch (NAT mode)
  • Starts the Docker service
Install Docker
▪ PowerShell
  • Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
  • Install-Package -Name docker -ProviderName DockerMsftProvider
  • Restart-Computer -Force
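The two host-preparation slides above, combined into one script as an added example (not part of the original talk). It assumes the container host is a Hyper-V VM named ContainerHost (a hypothetical name) and that the first part is run on the Hyper-V host while the VM is powered off; the second part is run inside the VM in an elevated PowerShell session, with the reboots the talk calls for.

```powershell
# Added example: prepare a Hyper-V VM as a Windows Server 2016 container host,
# then install Hyper-V and Docker inside it. 'ContainerHost' is a hypothetical
# VM name; nothing here comes from the original slides beyond the cmdlets they list.

# ---- Part 1: on the Hyper-V host, while the VM is powered off ----
$vmName = 'ContainerHost'   # hypothetical VM name
$vm = Get-VM -Name $vmName
if ($vm.State -ne 'Off') {
    throw "Stop VM '$vmName' before changing processor and memory settings."
}

# Nested virtualization is required to run Hyper-V (kernel-isolated) containers inside a VM.
Set-VMProcessor -VMName $vmName -ExposeVirtualizationExtensions $true

# Nested virtualization needs static memory; 4 GB is the minimum the talk uses.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false -StartupBytes 4GB

# Without MAC address spoofing the switch drops frames from the nested VMs' own MACs.
Get-VMNetworkAdapter -VMName $vmName | Set-VMNetworkAdapter -MacAddressSpoofing On

# Verify the three settings before starting the VM.
Get-VMProcessor -VMName $vmName | Select-Object VMName, ExposeVirtualizationExtensions
Get-VMMemory -VMName $vmName | Select-Object VMName, DynamicMemoryEnabled, Startup
Get-VMNetworkAdapter -VMName $vmName | Select-Object VMName, MacAddressSpoofing
Start-VM -Name $vmName

# ---- Part 2: inside the VM, elevated PowerShell (each reboot ends the script) ----
# The Hyper-V role is only needed if you want Hyper-V containers on this host.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
Restart-Computer -Force

# ...after the reboot: install Docker through the OneGet provider.
Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider -Force
Restart-Computer -Force

# ...after the second reboot: confirm the features are present and the daemon is running.
Get-WindowsFeature -Name Containers, Hyper-V | Select-Object Name, InstallState
Get-Service -Name docker
docker version
```

The checks after each stage are the useful part: `Get-VMProcessor` confirms the extensions are exposed before you troubleshoot a failing `--isolation=hyperv` run, and `Get-Service docker` plus `docker version` confirm both the service and the CLI-to-daemon connection work before any image is pulled.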
Container Images
▪ Install container OS images
  • Search for images in Docker Hub
    ▪ docker search
    ▪ docker search microsoft
  • Download and install a container image
    ▪ docker pull microsoft/windowsservercore
    ▪ docker pull microsoft/nanoserver
  • Verify that the images were installed
    ▪ docker images
Create and Start a Container
▪ Download the IIS image from Docker Hub
  • docker pull microsoft/iis
▪ Create and start a container based on the Server Core image in interactive mode, starting cmd
  • docker run --name iisbase -it microsoft/windowsservercore cmd
▪ Create and start a container based on the IIS image in the background, map port 80, and keep the container running
  • docker run -d -p 80:80 microsoft/iis ping -t localhost
▪ Get the list of running containers
  • docker ps
Stop or Remove a Container
▪ Docker
  • Stop a container / stop all running containers
    ▪ docker stop iisbase
    ▪ docker stop (docker ps -q)
  • Remove a container / remove all containers
    ▪ docker rm iisbase
    ▪ docker rm (docker ps -a -q)
Hyper-V Container
▪ Create a Hyper-V container
  • Docker
    ▪ docker run -it --isolation=hyperv microsoft/nanoserver cmd
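The create, verify, stop and remove steps of the last three slides as one added example (not from the original talk), run from PowerShell on the container host. The container names web1 and web1-hv and the host ports 8080/8081 are assumed values; the images are the ones the talk uses.

```powershell
# Added example: full lifecycle of an IIS container, once as a Windows Server
# container and once kernel-isolated, then cleanup. Names and ports are assumed.

$image = 'microsoft/iis'
$name  = 'web1'

docker pull $image

# Detached (-d), host port 8080 -> container port 80. 'ping -t localhost' is the
# talk's trick: a foreground process that never exits keeps the container running.
docker run -d --name $name -p 8080:80 $image ping -t localhost

# 'docker ps -q' filtered by name returns an ID only while the container is running.
$id = docker ps -q --filter "name=$name"
if (-not $id) { throw "Container $name is not running" }

# Reach the site through the container's NAT address. On Windows Server 2016 a
# mapped port is reachable from other machines via the host IP, but not through
# the host's own loopback address, so test from the host with the container IP.
$ip = docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $name
Invoke-WebRequest -UseBasicParsing -Uri "http://$ip/" | Select-Object StatusCode

# Same image, but with its own kernel. Use this for workloads the host should not
# have to trust: a shared-kernel container requires the OS and all containers to
# trust each other, as the talk notes, and --isolation=hyperv removes that requirement
# at the cost of slower startup.
docker run -d --name "$name-hv" --isolation=hyperv -p 8081:80 $image ping -t localhost
docker inspect -f '{{.HostConfig.Isolation}}' "$name-hv"

# Stop and remove. 'docker stop' and 'docker rm' fail when given an empty list,
# so guard the subexpression the slides use.
$running = docker ps -q
if ($running) { docker stop $running }
$all = docker ps -a -q
if ($all) { docker rm $all }
docker ps -a
```

Checking `HostConfig.Isolation` on the running container is the quick way to confirm, after the fact, which isolation level a container actually got; the image is the same either way, which is exactly the point of the "Windows versus Hyper-V Containers" slide.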
Container Images
▪ Used to deploy containers
▪ Can include
  • Operating system
  • Applications
  • All application dependencies
▪ Can be stored in a container registry for later use
▪ Can be deployed on any Windows container host
▪ Can be used as a base for new images
Container Images
▪ Docker
  • List images
    ▪ docker images
  • Install base OS images
    ▪ docker search
    ▪ docker pull microsoft/nanoserver
  • Create a new image
    ▪ docker commit <containername> <imagename>
    ▪ docker build -t user/dockerfile c:\Build
  • Remove an image
    ▪ docker rmi <imagename>
Container Images
▪ Docker Hub
  • Registry that contains pre-built images that can be downloaded to a container host
  • List of images available from Docker Hub
    ▪ docker search *
  • Download an image from Docker Hub
    ▪ docker pull microsoft/aspnet
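The two ways the slides give for creating an image, `docker build` and `docker commit`, side by side as an added example (not from the original talk). The build directory C:\Build matches the slide; the tag demo/iis-site, the container names and the HTML content are constructed for this example.

```powershell
# Added example: build a custom image from a Dockerfile, then contrast it with
# 'docker commit'. Paths, tags, names and page content are assumed values.

$buildDir = 'C:\Build'
New-Item -ItemType Directory -Path $buildDir -Force | Out-Null

# Constructed web content to copy into the image.
Set-Content -Path "$buildDir\index.html" -Value '<html><body><h1>Hello from a Windows container</h1></body></html>'

# The Dockerfile. Each instruction becomes one image layer on top of the OS image.
# Forward slashes avoid the Dockerfile's backslash escape character in Windows paths.
@'
FROM microsoft/windowsservercore
# Install IIS and drop the default start page so our own page is served
RUN powershell -Command "Install-WindowsFeature Web-Server; Remove-Item C:/inetpub/wwwroot/iisstart.htm"
COPY index.html C:/inetpub/wwwroot/index.html
EXPOSE 80
# Keep a foreground process alive so the container (and W3SVC with it) stays up
CMD ["ping", "-t", "localhost"]
'@ | Set-Content -Path "$buildDir\Dockerfile" -Encoding ascii

docker build -t demo/iis-site $buildDir

# Layers: the immutable OS image at the bottom, then the RUN and COPY layers.
docker history demo/iis-site

# Run it, fetch the page via the container's NAT address, clean up.
docker run -d --name sitecheck -p 8080:80 demo/iis-site
$ip = docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' sitecheck
(Invoke-WebRequest -UseBasicParsing -Uri "http://$ip/").Content
docker rm -f sitecheck

# 'docker commit' turns a container's sandbox (its writable layer) into an image.
# Handy for experiments, but the image carries no record of how it was produced,
# so anything you will ship or audit should come from a Dockerfile instead.
docker run -d --name scratchpad microsoft/windowsservercore ping -t localhost
docker exec scratchpad cmd /c "echo tuned > C:\marker.txt"
docker commit scratchpad demo/scratch-image
docker rm -f scratchpad

docker images --filter "reference=demo/*"
```

`docker history` makes the layering from the "Container Fundamentals" slides visible: the OS image is the bottom layer and never changes, and every `RUN` or `COPY` is a captured sandbox stacked on top of it.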
Container Networking
▪ Each container has a virtual network adapter
  • Connected to a virtual switch
  • Forwards inbound and outbound traffic for the container
▪ Types of network configuration
  • Network Address Translation (NAT) mode
  • Transparent mode
  • L2 Bridge mode
  • L2 Tunnel mode
NAT Networking Mode
▪ Network address translation
  • Internal network switch of type NAT
  • Container host has an external IP address
  • All containers get an internal IP address
  • External port of the host must be mapped to the internal port of the container
NAT Networking Mode
▪ Host configuration
  • NAT network is automatically created by the Docker daemon
  • List networks
    ▪ docker network ls
  • Create a NAT network
    ▪ docker network create -d nat mynatnet [--subnet=<string[]>] [--gateway=<string[]>]
▪ Container configuration
  • Create a container connected to the NAT switch
    ▪ docker run -it --net=mynatnet microsoft/windowsservercore cmd
NAT Networking Mode
▪ Port mapping
  • Mapping between port 80 of the host and port 80 of the container with IP address 172.16.0.2
    ▪ docker run -it --name=DemoNat -p 80:80 microsoft/windowsservercore cmd
  • Container application is accessible through the IP address of the container host and the external port
Transparent Networking Mode
▪ Transparent networking
  • External network switch
  • Each container receives an IP address from the DHCP server
  • Each container is directly accessible
  • No port mapping table required
Transparent Networking Mode
▪ Host configuration
  • Create a virtual switch connected to a physical or virtual network adapter
    ▪ docker network create -d transparent mytransparentnet
  • Enable MAC address spoofing (if the container host is a VM)
    ▪ Get-VMNetworkAdapter -VMName DemoVM | Set-VMNetworkAdapter -MacAddressSpoofing On
▪ Container configuration
  • Create a container connected to the external switch
    ▪ docker run -it --net=mytransparentnet microsoft/windowsservercore cmd
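NAT mode and transparent mode from the last five slides, run back to back as an added example (not from the original talk) so the difference in exposure is visible from the host. The container names, the host port 8080, the custom subnet 172.20.0.0/24 and the VM name ContainerHost are assumed values.

```powershell
# Added example: inspect what a NAT port mapping actually creates on the host,
# then contrast it with a transparent-mode container that gets a DHCP address.
# Names, ports, subnet and VM name are assumed values.

# ---- NAT mode ----
docker network ls
$natNet = 'nat'   # the NAT network the Docker daemon creates on install

# A different subnet needs its own NAT network. Windows Server 2016 supports a
# single NAT network per host, so the Docker-created one would have to be removed
# first; this example stays on the default network and only shows the syntax:
#   docker network create -d nat --subnet=172.20.0.0/24 --gateway=172.20.0.1 mynatnet
docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' $natNet

docker run -d --name natweb --net=$natNet -p 8080:80 microsoft/iis ping -t localhost

# The container's address is internal (from the NAT subnet)...
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' natweb
# ...and the only path in from outside is the mapping, which is visible both
# from Docker and from the Windows NAT it is implemented on.
docker port natweb
Get-NetNatStaticMapping | Select-Object ExternalPort, InternalIPAddress, InternalPort, Protocol

# ---- Transparent mode ----
# If the container host is itself a VM, allow MAC spoofing on its adapter first,
# otherwise the outer switch drops frames sent from the containers' own MACs.
# Run on the Hyper-V host, not inside the VM (VM name assumed):
#   Get-VMNetworkAdapter -VMName ContainerHost | Set-VMNetworkAdapter -MacAddressSpoofing On

docker network create -d transparent mytransparentnet
docker run -d --name dhcpweb --net=mytransparentnet microsoft/iis ping -t localhost

# The address comes from the external DHCP server and the container is reachable
# on it directly: every listening port is exposed, not just a mapped one.
docker exec dhcpweb ipconfig
docker port dhcpweb

# Cleanup
docker rm -f natweb, dhcpweb
docker network rm mytransparentnet
```

`docker port dhcpweb` prints nothing because nothing is mapped in transparent mode; that is the trade-off the slides describe: no port mapping table to maintain, but also no NAT boundary, so a transparent-mode container is exposed to the external network exactly like a host on it, and its host firewall rules and listening services need the same review.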
Thanks to our event sponsors