Docker Learnings

dbrgn
January 06, 2016

This was a company-internal presentation at Webrepublic AG.

Transcript

  1. Slide 2: Agenda
      1. What is Docker?
      2. Why the hype?
      3. Docker Security
      4. Conclusions
      5. Questions
  2. Slide 4: «Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.» www.docker.com
  3. Slide 5: Layer Filesystem
      - Uses union file system
      - Multiple layers are unified into a single file system
      - Only the top layer is writeable
  4. Slide 6: Lightweight
      - Shared kernel
      - Instant start (in the range of milliseconds)
      - Layers make disk usage and image downloads more efficient
  5. Slide 8: Containers vs VMs
      - VMs contain the guest OS, containers don’t
      - VMs try to emulate hardware, containers don’t
      - Makes them faster, smaller, more portable
  6. Slide 9: Terminology
      - An image is a stack of filesystem layers that can be used to launch a container. This is like a class in OOP.
      - A container is an image instance. This is like an instance in OOP. A container can be started or stopped.
      - Both images and containers can be tagged.
      - A docker server runs the containers.
      - A docker client talks to the server to control containers.
      - A docker registry can be used to upload and download images. Publicly available registries include the DockerHub and Quay.io.
  7. Slide 10: Technologies
      - Linux namespaces for isolation
      - Linux cgroups for resource management
      - Union file systems: AUFS, btrfs, vfs, DeviceMapper
      - Container format: LXC, libcontainer
  8. Slide 11: Possible Uses
      - Isolate multiple services on the same server from each other
      - Keep code and configuration together
      - Accelerate developer onboarding
      - Eliminate environment inconsistencies
  9. Slide 14: Then why the hype?
      - Easy to get started
      - Nice docs
      - Great name & cute logo
      - Rise of cloud computing
      - Developed by a startup, not by a big enterprise company
      - Dockerhub
      - Great adoption, so a lot of hosting options
  10. Slide 16: Things To Note
      - Members of the docker group == root users
      - Don’t run your containers as root users!
      - Docker is safe in theory, but still young technology and not battle tested
      - Isolation through cgroups and namespaces. Shared kernel means that kernel exploits lead to bad consequences.
      - You should make yourself familiar with how namespaces and cgroups work.
  11. Slide 19: Learnings I
      - Code and Dockerfile belong together
      - Good for immutable applications
      - Good for simple deployments
      - Might be good for testing & integration
      - Might be good for development
  12. Slide 20: Learnings II
      - Right now configuration/secrets can be done through env variables. In the future through something like Vault.
      - Jenkins can build images after every successful test.
      - Jenkins can regularly rebuild images to include security updates in base layers.
      - We should regularly run the deployment script on moby to pull new images.
      - Read the docker book!
  13. Slide 21: Resources
      - “Getting Started” in Docker docs https://docs.docker.com/
      - “The Docker Book” http://books.linuxfocus.net/books/view/652
      - “Docker: Up & Running” by O’Reilly http://shop.oreilly.com/product/0636920036142.do
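
The first two points of the "Things To Note" slide (docker group membership equals root, and containers should not run as root) can be checked mechanically. The following is an added example, not part of the original deck: the function names and sample data are constructed, and it assumes `/etc/group`-format input and that a base image does not itself set a non-root `USER`.

```python
def docker_group_members(group_text):
    """Users listed in the 'docker' group of /etc/group-format text.

    Users whose *primary* group is docker are not listed there; check
    /etc/passwd for those as well.
    """
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def effective_user(dockerfile_text):
    """User the final build stage runs as, judged from the Dockerfile alone.

    Assumption: a stage without a USER instruction runs as root, i.e. the
    base image does not set a non-root user itself.
    """
    user, continued = "root", False
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines do not end a continuation
        in_continuation, continued = continued, line.endswith("\\")
        if in_continuation:
            continue  # still inside the previous instruction
        parts = line.split(None, 1)
        instruction = parts[0].upper()
        if instruction == "FROM":
            user = "root"  # every build stage starts over
        elif instruction == "USER" and len(parts) == 2:
            user = parts[1].split(":")[0].strip()  # drop optional :group
    return user


def runs_as_root(dockerfile_text):
    return effective_user(dockerfile_text) in ("root", "0")


# Constructed sample data, not taken from the deck.
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\ndocker:x:999:alice,ci\n"
DOCKERFILE_ROOT = "FROM debian:8\nRUN apt-get update && \\\n    apt-get install -y nginx\nCMD [\"nginx\"]\n"
DOCKERFILE_USER = "FROM debian:8\nRUN useradd -r app\nUSER app:app\nCMD [\"/srv/app\"]\n"

if __name__ == "__main__":
    print("effectively root via docker group:", docker_group_members(SAMPLE_GROUP))
    print("root image runs as root:", runs_as_root(DOCKERFILE_ROOT))
    print("hardened image runs as root:", runs_as_root(DOCKERFILE_USER))
```

Every account the first function returns should be treated as having root on the host, and any Dockerfile for which `runs_as_root` is true needs a `USER` instruction in its final stage.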