Taking Docker to Production: What You Need to Know and Decide
7 likes1,064 views
This document provides advice on taking Docker to production. It recommends starting simply by focusing on Dockerfiles and containerizing existing applications before complex orchestration. It also warns against common anti-patterns like using the "latest" tag or trapping data in containers. The document outlines sample swarm architectures and tech stacks and notes that outsourcing non-critical components can simplify operations. It closes by suggesting that an orchestrator may not always be needed and that running one container per VM is a valid approach.
Taking Docker to Production: What You Need to Know and Decide
- 1. Taking Docker to Production Bret Fisher DevOps Consultant Docker Captain Author of Udemy Docker Mastery Add picture here
- 2. Why Are We Here? ● Want Docker in production ● Want to orchestrate containers ● Need to make educated project decisions ● Learn which requirements could be optional ● Learn 80's/90's video games ● Hear bad analogies relating retro games to Docker
- 3. A Bit About Me ●Geek since 5th Grade ●IT Sysadmin+Dev since 1994 ●Owned *REAL* Atari 2600, NES, SNES, Sega Genesis, Sinclair, TRS-80, Packard Bell 386 ●Like Geek Trivia. Lets Have Some!
- 7. Project Docker Super Project Advice Special Turbo Champion Edition
- 8. Limit Your Simultaneous Innovation ● Many initial container projects are too big in scope ● Solutions you maybe don't need day one: ○ Fully automatic CI/CD ○ Dynamic performance scaling ○ Containerizing all or nothing ○ Starting with persistent data
- 9. Legacy Apps Work In Containers Too ● Microservice conversion isn't required ● 12 Factor is a horizon we're always chasing ● Don't let these ideals delay containerization
- 11. What To Focus On First: Dockerfiles ●More important than fancy orchestration ●It's your new build and environment documentation ●Study Dockerfile/ENTRYPOINT of Hub Officials ●FROM Official distros that are most familiar
- 12. Dockerfile Maturity Model ●Make it start ●Make it log all things to stdout/stderr ●Make it documented in file ●Make it work for others ●Make it lean ●Make it scale
- 17. Dockerfile Anti-pattern: Trapping Data ● Problem: Storing unique data in container ● Solution: Define VOLUME for each location
- 18. Dockerfile Anti-pattern: Using Latest ● Latest = Image builds will be ¯_(ツ)_/¯ ● Problem: Image builds pull FROM latest ● Solution: Use specific FROM tags ● Problem: Image builds install latest packages ● Solution: Specify version for critical apt/yum/apk packages
- 19. Dockerfile Anti-pattern: Leaving Default Config ● Problem: Not changing app defaults, or blindly copying VM conf ○ e.g. php.ini, mysql.conf.d, java memory ● Solution: Update default configs via ENV, RUN, and ENTRYPOINT
- 20. Dockerfile Anti-pattern: Environment Specific ● Problem: Copy in environment config at image build ● Solution: Single Dockerfile with default ENV's, and overwrite per-environment with ENTRYPOINT script
- 24. Lets Slay Some Infrastructure Dragons The Big 3 Decisions
- 25. Containers-on-VM or Container-on-Bare-Metal ●Do either, or both. Lots of pros/cons to either ●Stick with what you know at first ●Do some basic performance testing. You will learn lots! ●2017 Docker Inc. and HPE whitepaper on MySQL benchmark ○(authored by yours truly, and others) ○bretfisher.com/dockercon17eu
- 26. OS Linux Distribution/Kernel Matters ● Docker is very kernel and storage driver dependent ● Innovations/fixes are still happening here ● "Minimum" version != "best" version ● No pre-existing opinion? Ubuntu 16.04 LTS ○ Popular, well-tested with Docker ○ 4.x Kernel and wide storage driver support ● Or InfraKit and LinuxKit! ● Get correct Docker for your distro from store.docker.com
- 27. Container Base Distribution: Which One? ● Which FROM image should you use? ● Don't make a decision based on image size (remember it's Single Instance Storage) ● At first: match your existing deployment process ● Consider changing to Alpine later, maybe much later
- 29. Build Your Empire Swarm
- 30. Good Defaults: Swarm Architectures ● Simple sizing guidelines based off: ○ Docker internal testing ○ Docker reference architectures ○ Real world deployments ○ Swarm3k lessons learned
- 31. Baby Swarm: 1-Node ●"docker swarm init" done! ●Solo VM's do it, so can Swarm ●Gives you more features then docker run
- 32. HA Swarm: 3-Node ●Minimum for HA ●All Managers ●One node can fail ●Use when very small budget ●Pet projects or Test/CI
- 33. Biz Swarm: 5-Node ●Better high-availability ●All Managers ●Two nodes can fail ●My minimum for uptime that affects $$$
- 34. Flexy Swarm: 10+ Nodes ●5 dedicated Managers ●Workers in DMZ ●Anything beyond 5 nodes, stick with 5 Managers and rest Workers ●Control container placement with labels + constraints
- 35. Swole Swarm: 100+ Nodes ●5 dedicated managers ●Resize Managers as you grow ●Multiple Worker subnets on Private/DMZ ●Control container placement with labels + constraints
- 36. Don't Turn Cattle into Pets ● Assume nodes will be replaced ● Assume containers will be recreated ● Docker for (AWS/Azure) does this ● LinuxKit and InfraKit expect it
- 37. Reasons for Multiple Swarms Bad Reasons ● Different hardware configurations (or OS!) ● Different subnets or security groups ● Different availability zones ●Security boundaries for compliance Good Reasons ● Learning: Run Stuff on Test Swarm ● Geographical boundaries ● Management boundaries using Docker API (or Docker EE RBAC, or other auth plugin)
- 38. What About Windows Server 2016 Swarm? ●Hard to be "Windows Only Swarm", mix with Linux nodes ●Much of those tools are Linux only ●Windows = Less choice, but easier path ●My recommendation: ○Managers on Linux ○Reserve Windows for Windows-exclusive workloads
- 42. Outsource Well-Defined Plumbing ● Beware the "not implemented here" syndrome ● If challenge to implement and maintain ● + SaaS/commercial market is mature ● = Opportunities for outsourcing
- 43. Outsourcing: For Your Consideration ●Image registry ●Logs ●Monitoring and alerting ● Tools/Projects: https://github.com/cncf/landscape
- 44. Tech Stacks Designs for a full-featured cluster
- 45. Pure Open Source Self-Hosted Tech Stack Swarm GUI Portainer Central Monitoring Prometheus + Grafana Central Logging ELK Layer 7 Proxy Flow-Proxy Traefik Registry Docker Distribution + Portus CI/CD Jenkins Storage REX-Ray Networking Docker Swarm Orchestration Docker Swarm Runtime Docker HW / OS InfraKit Terraform Also Functions As A Service: OpenFaaS
- 46. Docker for X: Cheap and Easy Tech Stack Swarm GUI Portainer Central Monitoring Librato Sysdig Central Logging Docker for AWS/Azure Layer 7 Proxy Flow-Proxy Traefik Registry Docker Hub Quay CI/CD Codeship TravisCI Storage Docker for AWS/Azure Networking Docker Swarm Orchestration Docker Swarm Runtime Docker HW / OS Docker for AWS/Azure
- 47. Docker Enterprise Edition + Docker for X Swarm GUI Docker EE (UCP) Central Monitoring Librato Sysdig Central Logging Docker for AWS/Azure Layer 7 Proxy Docker EE (UCP) Registry Docker EE (DTR) CI/CD Codeship TravisCI Storage Docker for AWS/Azure Networking Docker Swarm Orchestration Docker Swarm Runtime Docker EE HW / OS Docker for AWS/Azure Also Image Security Scanning Role-Based Access Cont Image Promotion Content Trust
- 52. 4 Can Co-Op, But 1 Plays Just Fine
- 53. Must We Have An Orchestrator? ● Let's accelerate your docker migration even more ● Already have good infrastructure automation? ● Maybe you have great VM autoscale? ● Like the security boundary of the VM OS?
- 54. One Container Per VM ● Why don't we talk about this more? ● Least amount of infrastructure change but also: ○ Run on Dockerfiles recipes rather then Puppet etc. ○ Improve your Docker management skills ○ Simplify your VM OS build
- 55. One Container Per VM: Not New ● Windows is doing it with Hyper-V Containers ● Linux is doing it with Intel Clear Containers ● LinuxKit will make this easier: Immutable OS ● Watch out for Windows "LCOW" using LinuxKit
- 59. Summary ●Trim the optional requirements at first ●First, focus on Dockerfile/docker-compose.yml ●Watch out for Dockerfile anti-patterns ●Stick with familiar OS and FROM images ●Grow Swarm as you grow ●Find ways to outsource plumbing ●Realize parts of your tech stack may change, stay flexible
- 60. Give Session Feedback in App! ● Help me come back next year 😬
- 61. Thank You! Slides: bretfisher.com/dockercon17eu ●My Bestselling Docker Mastery Video Course ○90% off for DockerCon ○bretfisher.com/dockermastery
- 62. Honorable Mentions ●Metroid ('83 NES) ●Mega Man ('87 NES) ●Wolfenstein 3D ('92 PC) ●Homeworld ('99 PC) ●Legend Of Zelda ('86 NES) ●Mortal Kombat ('92) ●Doom/Quake ('93 PC) ●Contra/Castlevania ('86 NES) ● Hitchhiker's GTTG ('84 TRS-80) ●Zenophobe ('87 Arcade) ●Battlezone ('80 Arcade)