docker demo @ iuk seminar
![Page 1: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/1.jpg)
martin scharm
dept. for systems biology and bioinformatics
university of rostock
IuK Seminar
Rostock, 2016-05-24
![Page 2: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/2.jpg)
disclaimer
most of the stuff was not made by me. follow the links to find the actual creators.
paper: https://dx.doi.org/10.6084/m9.figshare.3397576.v1
![Page 3: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/3.jpg)
https://www.oreilly.com/learning/what-is-docker
![Page 4: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/4.jpg)
https://www.oreilly.com/learning/what-is-docker
https://www.docker.com/what-docker
![Page 5: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/5.jpg)
https://www.oreilly.com/learning/what-is-docker
https://en.wikipedia.org/wiki/Docker_(software)
https://www.docker.com/what-docker
![Page 6: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/6.jpg)
https://www.oreilly.com/learning/what-is-docker
https://en.wikipedia.org/wiki/Docker_(software)
https://www.docker.com/what-docker
some kind of virtualisation??
![Page 7: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/7.jpg)
https://www.oreilly.com/learning/what-is-docker
https://en.wikipedia.org/wiki/Docker_(software)
https://www.docker.com/what-docker
some kind of virtualisation??
for sure a booster for your applications, proposals, presentations… ;-)
![Page 8: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/8.jpg)
http://www.slideshare.net/dotCloud/why-docker
![Page 9: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/9.jpg)
http://www.slideshare.net/dotCloud/why-docker
![Page 10: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/10.jpg)
```dockerfile
FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl
```
images consist of read-only layers
changes result in new layers
When Docker mounts the rootfs, it starts read-only, as in a traditional Linux boot, but then, instead of changing the file system to read-write mode, it takes advantage of a union mount to add a read-write file system over the read-only file system. In fact there may be multiple read-only file systems stacked on top of each other. We think of each one of these file systems as a layer.
https://docs.docker.com/v1.6/terms/layer/
![Page 11: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/11.jpg)
```dockerfile
FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl
```
images consist of read-only layers
changes result in new layers
![Page 12: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/12.jpg)
```
FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl          RUN apt-get install -y nethack-console
```
Dockerfile:
```dockerfile
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl
```
docker build creates an image
a different image with similar “dependencies”
![Page 13: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/13.jpg)
anatomy of a dockerized app
● Dockerfile: recipe to build an image
● Image: runtime environment
● Container: instance of the app
● Volume: persistent data
● Networks: communication
![Page 14: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/14.jpg)
docker hub
● like github for docker images
● pull – push – share your stuff
https://hub.docker.com/
![Page 15: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/15.jpg)
demo time.
![Page 16: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/16.jpg)
get an image from the docker HUB
```
$ docker pull nginx:latest
latest: Pulling from library/nginx
3059b4820522: Pull complete
ff978d850939: Pull complete
9d1b4547bc10: Pull complete
7bb610d87cee: Pull complete
bbd672577eed: Pull complete
f4a3cc2c46e0: Pull complete
8f9345da4c7a: Pull complete
72cd8a7c892b: Pull complete
Digest: sha256:46a1b05e9ded54272e11b06e13727371a65e2ef8a87f9fb447c64e0607b90340
Status: Downloaded newer image for nginx:latest

$ docker images
REPOSITORY                               TAG      IMAGE ID       CREATED             VIRTUAL SIZE
binfalse/debian-with-curl-moonbuggy-sl   latest   125374f94e47   About an hour ago   149.2 MB
nginx                                    latest   72cd8a7c892b   2 weeks ago         182.7 MB
binfalse/skype                           latest   bec4e37e163d   5 weeks ago         565.1 MB
binfalse/deb-skype                       latest   bec4e37e163d   5 weeks ago         565.1 MB
debian                                   stable   82f85996fa28   6 weeks ago         125 MB
```
![Page 17: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/17.jpg)
run the image
```
$ docker run --name some-nginx -d -p 2222:80 -v /opt/docker/web:/usr/share/nginx/html:ro -d nginx
ec0771865e5f03a3f55df3611f15f97a88e6eee2c26802f5f95784ed28116222

$ docker ps
CONTAINER ID   IMAGE   COMMAND                 CREATED          STATUS          PORTS                           NAMES
ec0771865e5f   nginx   "nginx -g 'daemon off"  25 seconds ago   Up 25 seconds   443/tcp, 0.0.0.0:2222->80/tcp   some-nginx

$ curl localhost:2222
...

$ docker kill some-nginx
some-nginx

$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES

$ docker ps -a
CONTAINER ID   IMAGE   COMMAND                 CREATED         STATUS                       PORTS   NAMES
ec0771865e5f   nginx   "nginx -g 'daemon off"  8 minutes ago   Exited (137) 7 seconds ago           some-nginx

$ docker rm some-nginx
some-nginx
```
![Page 18: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/18.jpg)
create an image
```
$ cat Dockerfile
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl

$ docker build -t binfalse/debian-with-curl-moonbuggy-sl .
Sending build context to Docker daemon 2.048 kB
Step 0 : FROM debian:stable
 ---> 82f85996fa28
Step 1 : RUN apt-get update && apt-get install -y --no-install-recommends curl
 ---> Running in 16ce78bf2cfa
Ign http://httpredir.debian.org stable InRelease
Get:1 http://httpredir.debian.org stable-updates InRelease [142 kB]
....
Processing triggers for libc-bin (2.19-18+deb8u4) ...
 ---> c2566a69a8e2
Removing intermediate container 16ce78bf2cfa
Step 2 : RUN apt-get install -y --no-install-recommends moon-buggy
 ---> Running in e485857c3881
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  moon-buggy
...

$ docker run --rm -it binfalse/debian-with-curl-moonbuggy-sl /usr/games/sl
```
that’s just for showcase, not best practise!
![Page 19: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/19.jpg)
remove an image
```
$ docker images
REPOSITORY                               TAG      IMAGE ID       CREATED          VIRTUAL SIZE
binfalse/debian-with-curl-moonbuggy-sl   latest   711a58dd52d2   18 minutes ago   149.2 MB
nginx                                    latest   72cd8a7c892b   2 weeks ago      182.7 MB
binfalse/skype                           latest   bec4e37e163d   5 weeks ago      565.1 MB
binfalse/deb-skype                       latest   bec4e37e163d   5 weeks ago      565.1 MB
debian                                   stable   82f85996fa28   6 weeks ago      125 MB

$ docker rmi binfalse/debian-with-curl-moonbuggy-sl
Untagged: binfalse/debian-with-curl-moonbuggy-sl:latest
Deleted: 711a58dd52d207421124396061d0f505f1e223ae9803c0d6be601cd510a7c50c
Deleted: 95df58df3f4b320ecc2cff76746a9576658e26136f124992b8fa176b03678341
Deleted: c2566a69a8e2f3f351498cbe3ffe26780b100f3867ce9e2f262b33eed484b640

$ docker images
REPOSITORY           TAG      IMAGE ID       CREATED       VIRTUAL SIZE
nginx                latest   72cd8a7c892b   2 weeks ago   182.7 MB
binfalse/skype       latest   bec4e37e163d   5 weeks ago   565.1 MB
binfalse/deb-skype   latest   bec4e37e163d   5 weeks ago   565.1 MB
debian               stable   82f85996fa28   6 weeks ago   125 MB
```
![Page 20: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/20.jpg)
#app1: wordpress + mysql + some extra security
MySQL
```bash
docker pull mysql:latest
docker run -e MYSQL_ROOT_PASSWORD=yourpassword --name db -v /home/mysql/:/var/lib/mysql/ -d mysql

# optionally connect to configure the db
alias dockip="docker inspect --format '{{ .NetworkSettings.IPAddress }}'"
mysql -h$(dockip db) -uroot -pyourpassword
```
Wordpress
```bash
docker pull wordpress:latest
docker run --name my-wordpress --link db:mysql -v /home/wp/:/var/www/html/ -p 80:80 -d wordpress
```
benefit: isolation
● host is safe if hacker breaks into wordpress
● plugins won’t be able to see db files
● mysql cannot see wp config etc
![Page 21: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/21.jpg)
#app2: jail for skype
https://binfalse.de/2016/01/04/docker-jail-for-skype/
jail that “obfuscated malicious binary blob with network capabilities”
```
$ docker run -d -p 127.0.0.1:55555:22 --name skype_container binfalse/skype
$ ssh -X -p 55555 [email protected]

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 4 23:07:37 2016 from 172.17.42.1
$ skype
```
![Page 22: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/22.jpg)
#app3: teaching
● let’s assume students are asked to c++-code an std::out for
```
this is correct
```
● expected solution:
```cpp
#include <iostream>

int main()
{
    std::cout << "this is correct" << std::endl;
}
```
![Page 23: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/23.jpg)
#app3: teaching
● tiny bash script to compile && execute the students’ code: executer.sh
```bash
#!/bin/bash
# lets assume the submissions are always found in /job
EXECUTABLE=/job/program.out
SOURCE=/job/program.cpp

# compile it if it wasn’t compiled yet
[ -x $EXECUTABLE ] || g++ -o $EXECUTABLE $SOURCE

# go for it
$EXECUTABLE
```
![Page 24: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/24.jpg)
#app3: teaching
● create a Dockerfile
```dockerfile
# meta
FROM centos
MAINTAINER martin scharm

# install a c++ compiler
RUN yum install -y gcc-c++

# add the executer script
ADD executer.sh /executer.sh

# makes this a binary
ENTRYPOINT /executer.sh
```
● create a docker image
```
$ docker build -t binfalse/tutors-little-helper .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM centos
 ---> 60e65a8e4030
...
```
![Page 25: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/25.jpg)
#app3: teaching
● lets say students’ submissions are in
```
$ find /opt/docker/student-submissions/
/opt/docker/student-submissions/
/opt/docker/student-submissions/1
/opt/docker/student-submissions/1/program.cpp
/opt/docker/student-submissions/2
/opt/docker/student-submissions/2/program.cpp
/opt/docker/student-submissions/3
/opt/docker/student-submissions/3/program.cpp
```
● check submissions using the docker image
```
$ for i in /opt/docker/student-submissions/*
do
    echo "checking submission "${i/*\//}
    docker run --rm -v $i:/job binfalse/tutors-little-helper
done
checking submission 1
this is correct
checking submission 2
this is correct
checking submission 3
this is not correct
```
submissions 1 & 2 seem to be correct..!?
student #3 is definitely too stupid...
![Page 26: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/26.jpg)
#app3: teaching
● but what the hell is that:
```
$ cat /opt/docker/student-submissions/2/program.cpp
#include <iostream>
#include <fstream>

int main()
{
    // do something malicious that the tutors won’t recognize
    std::ifstream src("/etc/passwd");
    std::ofstream dst("/tmp/newpasswd");
    dst << src.rdbuf() <<
        "evil:x:1001:1001:Evil User,,,:/home/evil:/bin/bash" << std::endl;

    // pretend being harmless delivering correct result
    std::cout << "this is correct" << std::endl;
}
```
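A tightened variant of the grading loop above, as an added example that is not part of the original slides: the submission is mounted read-only, the container gets no network, no capabilities, a read-only root and an unprivileged uid, and the entrypoint is overridden so the code is always compiled from source (executer.sh runs an existing /job/program.out without compiling). It assumes the binfalse/tutors-little-helper image built above; the limits, uid 65534, the /work tmpfs and the 10 second timeout are assumed values.

```shell
#!/bin/sh
# Added example, not from the slides. Image name is the one built above;
# limits, uid and timeout are assumed values.
IMAGE=binfalse/tutors-little-helper
EXPECTED="this is correct"
DOCKER=${DOCKER:-docker}    # overridable, e.g. with a stub for a dry run

# Always compile from source into a throw-away tmpfs and run with a time
# limit; a program.out shipped inside the submission is never executed.
JOB='g++ -o /work/program.out /job/program.cpp && timeout 10 /work/program.out'

# $1: submission directory on the host; prints the program's stdout
run_submission() {
    "$DOCKER" run --rm \
        --network none \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --tmpfs /work:rw,exec,nosuid,size=16m,mode=1777 \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --user 65534:65534 \
        --memory 256m --pids-limit 64 \
        -v "$1:/job:ro" \
        --entrypoint /bin/sh \
        "$IMAGE" -c "$JOB" 2>/dev/null
}

# prints "pass" or "fail" for one submission directory
grade() {
    if [ "$(run_submission "$1")" = "$EXPECTED" ]; then
        echo pass
    else
        echo fail
    fi
}

# $1: directory holding one sub-directory per submission
grade_all() {
    for dir in "$1"/*/; do
        [ -f "${dir}program.cpp" ] || continue
        echo "submission $(basename "$dir"): $(grade "${dir%/}")"
    done
}

if [ "$#" -gt 0 ]; then grade_all "$1"; fi
```

Call it with the absolute path of the submissions directory, for example `/opt/docker/student-submissions`.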
![Page 27: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/27.jpg)
From http://www.slideshare.net/jpetazzo/introduction-docker-linux-containers-lxc
![Page 28: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/28.jpg)
http://www.slideshare.net/Alshaari/docker-saudi-hpc2016
![Page 29: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/29.jpg)
Passive Benchmarking with docker LXC, KVM & OpenStack
Hosted @ SoftLayer
Boden Russell ([email protected])
IBM Global Technology Services
Advanced Cloud Solutions & Innovation
V2.0
Supporting statistics from http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
![Page 30: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/30.jpg)
Cloudy Performance: Serial VM Reboot
[figure: bar chart "Average Server Reboot Time", time in seconds: docker 2.58, KVM 124.43]
http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
![Page 31: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/31.jpg)
Guest Performance: CPU
[figure: bar chart "Calculate Primes Up To 20000", seconds: Bare Metal 15.26, docker 15.22, KVM 15.13]
http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
![Page 32: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/32.jpg)
Cloudy Performance: Steady State Packing
[figure: "Docker: Compute Node Used Memory (full test duration)", memory used over time: Delta 734 MB, Per VM 49 MB]
[figure: "KVM: Compute Node Used Memory (full test duration)", memory used over time: Delta 4387 MB, Per VM 292 MB]
http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
![Page 33: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/33.jpg)
Guest Performance: Network
[figure: bar chart "Network Throughput", throughput in 10^6 bits/second: docker 940.26, KVM 940.56]
http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
![Page 34: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/34.jpg)
take home.
● smaller, more understandable apps – do one thing and do it well.
● no/weakened dependency hell
● smaller & faster deployment
● +reproducibility
● don’t ignore traditional controls such as high patch level
● docker is not enterprise virtualisation, no cloud platform, no configuration management, no deployment framework, no development environment
![Page 35: Docker Demo @ IuK Seminar](https://reader031.vdocuments.mx/reader031/viewer/2022021815/5876e9e31a28ab046d8b6dd9/html5/thumbnails/35.jpg)
that’s it.
feel free to come around for discussions
on and off docker and/or a beer.
@binfalsehttp://[email protected]
questions? doubts? comments?
room 413
ulmencampus
54.086325,12.107683