using docker in the real world
TRANSCRIPT
Using Docker in The Real WorldPHP Craft 2015
Tim Haak
[email protected] @tim_haakhttps://github.com/timhaak
Who I am
Tim Haak
What do I do:
Consulting as a developer across the stack Though focusing on php and web and linux side of the world.
[email protected] @tim_haakhttps://github.com/timhaak
So you heard docker was great
Though so many options
Why would you want dockerRepeatability Can allow simpler scaling No difference of libraries between dev and live Shrink wrapping Versioning Simple rollback of libraries programs Multiple version of programs on the same pc Isolation More lightweight that virtualization
What doesn't it solve
Replication/Resiliency Bad code Its a tool that help with specific problems Its not a magic bullet
Part of Dev/Ops
Why Dev/Ops/Automation
Remove the fear of breaking Simple Roll forward or back Free you time for more important things You can't manage what you can't see
But howThe following are tips and methods on how to bring it into your organisation.
Not an exact recipe. Take the bits that make sense for you.
Assumes you already have systems that tend to the monolithic application side.
Start with something simpleDon't start with your biggest critical app
You will fail
Take small steps that keep moving you to a better place
Start with a non critical piece of your architecture
ExamplesLog processing ?
Dashboard ?
Basically something that if its off while your working things out will not be a problem
Run your own registry
https://github.com/docker/distribution/blob/master/docs/deploying.md
Docker images are available
Don't forget to add a ssl cert
Docker Registry
docker run -d -p 443:5000 --restart=always --name registry \ -v `pwd`/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -v `pwd`/certs:/certs \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ registry:2
mkdir auth
docker run --entrypoint htpasswd registry:2 -Bbn timhaak \ securepass > auth/htpasswd
How to useDocker Registry URL: https://dr.haak.co
docker login dr.haak.co \ --email="[email protected]" \ --password="securepass" \ --username="timhaak"
Put one person on itWho Cares With The Need Skills Not the new intern/junior developer
WhyOnly one person will go through the wrong path pain
Faster iteration while learning
Can back out a wrong path quickly
Rest of the team only see the final simpler path
Store configs externallyWhile your starting mount the configs etc via a volume into the container
Easier debugging You don't have to rebuild the container to update Other members of your team can just edit the file Allows you to use something like Ansible to generate the configs
Known good stateWhen restarting the image. DELETE the previous container then restart.
This way your always starting from a know good state.
The only thing that can change is the config.
Make sure that docker cleans up previous containers and starts new ones on reboot.
That way rebooting always puts you into a good state
docker rm -f image_name docker start -d -v /config/config -p 321:321 timhaak/awesome1
Dev EnvironmentBefore working on your live servers. Start but using docker as you dev environment.
Its safer Faster testing Don't have to worry about testing You can make sure you have all the required packages.
Though we all know exactly whats installed on our servers :)
MongoThis is actually a good candidate for service bring into docker
Add a docker version into a replica set
Make sure it will only be a slave while testing
If you mess something up your can just remove it as the other servers will still have a copy of the data.
Don't for get to store the data in a volume
Add DNS Rest ApiSounds hard but isn't
Allow of adding and removing servers from DNS rotation
You can't get it wrong (Especially when your panicking)
Can eventually be automated
Please secure it
ie https://api.haak.co/dnsapi/mainweb/srv1/enable
Where many people are
Where we want to get to
DockerDocker
Docker Docker
Native Native
HaProxy / Load BalancerThis is actually one of the most important pieces of the system as it allows you to switch out or test underlying application servers.
You don't have to use HaProxy its just one of the more popular ones to use and actually gives very nice reporting. Also its been quiet battle tested.
There are good node and go alternatives.
I would look to setting up an api here to change config. Fairly easy agains haproxy.
SSL Off loader / Load balancerThis is a good place to start bringing docker into your live environment. (Assuming you have a monolithic app)
Fairly simple to test.
Makes your system more resilient.
Allows you to do things like fix cache headers etc.
Once in place can simplify your updates.
Starts you down the path of microservices
Initial testing
Just spin up a temporary server for initial testing.
If you can't do it with your infrastructure look at one of the cloud servers providers that charge for only the time you use.
Locally you can look at cloudafrica.net (R0.09 per hour.)
Setup server and install docker (I hope your using something like Ansible)
Initial testing
Set up your config
Run the docker container
If you change your host file it should all just work
Make it liveWith this you'll have to move the port that your application server listens on.
This is the most dangerous bit.
Especially if you have a single server.
Though once you've got the pieces all working together switching docker images in and out become quiet simple.
Wrap the codeOk so how do you now wrap the actual application server into docker.
You don't want to mess up the current server incase you get something wrong.
Also you want to make sure its using the same files as the current server.
Well you've got the image that you've been testing on your local pc while doing dev?
Wrap the code
Start it up on the live server mounting the current server's web directory as a volume into the docker container running on a new different port.
Don't you have to stop the old server?
No the only problem you may have is with things like cache files or if your using locks.
Wrap the codeTest the server on the new port is it all working. No client will see it as the load balancer not using it. But its on the same server should have access to everything it needs.
If everything is working tell your load balancer to switch to the new server's port.
Check the live site if its all working great. If not switch back. The only delay will be you as you never stopped the old server.
Going forwardYou can now start moving more services into docker.
As you feel secure in that its work start removing the unused programs and cruft from the old server.
This will reduce the chance of problems. Also you are now decreasing the things that need to updated and managed on the base pc.
Future things to look at
The follow are things you may want to start looking at Some are available now some are near future.
Though each does increase the complexity which you may not want to do
VPNSomething that seems to be over looked quiet often as people move to micro service and more servers. Is secure communication.
Main advantage is safe zones so you don't have to wrap everything.
As an example servers talking to a centralised redis cache
Link your servers
docker run -d \ --name tinc \ --net=host \ --device=/dev/net/tun \ --cap-add NET_ADMIN \ --volume /srv/tinc:/etc/tinc \ jenserat/tinc start -D
http://tinc-vpn.org/
Auto Discovery / ConfigEventually your going to want to have your containers auto configure them selves as they start up
There are a couple options here each will depend on your personal preference.
Alternatives
Tools On Top
SkyDNS2 - DNS Discoverycurl -XPUT \ http://etcd1/v2/keys/skydns/local/skydns/dns/ns/ns1 \ -d value='{"host":"192.168.0.1"}'
https://github.com/kelseyhightower/confd
confd - config generation/update
https://github.com/linkorb/etcd-php
$client = new Client($server); $client->set('/foo', 'fooValue'); // Set the ttl $client->set('/foo', 'fooValue', 10); // get key value echo $client->get('/foo');
// Update value with key $client->update('/foo', 'newFooValue');
// Delete key $client->rm('/foo');
// Create a directory $client->mkdir('/fooDir'); // Remove dir $client->rmdir('/fooDir');
Replication
Live migration
http://criu.org/Docker
https://www.youtube.com/watch?v=pwf0-_cs6U4https://runc.io/
https://www.youtube.com/watch?v=mL9AFkJJAq0&feature=youtu.be&t=1653
NetworkingLots of active work here but no clear winner as yet.
Though most only provide a single network.
Still waiting for one that can give you more SDN functionality. Basically single network and ability to move containers in and out easily.
Though if you know what your doing using Pipework and openvswitch you could build your own system.
Though very few people would have this requirement.
[email protected] @tim_haakhttps://github.com/timhaak
Thanks