Remain the King in your Container Empire
Bernd Fischer
Intro
Passionate Java Developer (especially Spring)
Python, Go-Lang
Agile and Devops infected
Container enthusiast
[email protected]
@berndfischer63
JUG Saxony e.V., Docker Community Dresden
CTO MindApproach GmbH, [email protected]
Intro - Who’s that guy?
Disclaimer ….
Intro - Objectives
❏ it’s not an intro - you need some knowledge about (Docker) container and linux
❏ see: talk/slides JUG Saxony Day 2015
Intro - Experience ??? - Projects ???
(images: weather forecast, shipwreck, container shipping, abandoned ship - https://pixabay.com/en/cloud-weather-forecast-weather-sky-346710/, https://pixabay.com/en/ship-shipwreck-adventure-setting-1366926/, https://pixabay.com/en/container-shipping-freight-147973/, https://pixabay.com/en/shipwreck-ship-abandoned-carnage-575907/)
Intro - Objectives
❏ you need some knowledge about (Docker) container and linux - it’s not an intro
❏ see: talk/slides JUG Saxony Day 2015
❏ lessons learned since 2015 from and for production
❏ from and for daily business of a Java developer
❏ trouble shooting / debugging
First Lesson
Fix issues locally before they hit production
Continuous Environment
by myself
as identical as possible from dev to prd
Demo Application
(architecture diagram)
❏ Linux (Ubuntu 18.04-LTS/Alpine)
❏ JVM: java -jar ...
❏ Demo-Application: Spring Boot Web, embedded Tomcat
❏ Database (connected via url, username, password)
Second Lesson - Accessing Internal Services
(diagram: SSH-Server, SSH tunnel)
# demo-helloworld-web bf$
docker service create --name=sshd --replicas=1 \
  --publish="7777:22" \
  registry.gitlab.com/aemc/dockerims/sshd:20180927T130729
docker secret create id_rsa_user.pub.v1 $DMO_PUB_KEY
# care about formatting (no whitespace inside the --secret-add value)
docker service update \
  --secret-add source=id_rsa_user.pub.v1,target=/home/user/.ssh/authorized_keys,mode=0640,uid=1000,gid=1000 \
  sshd
# demo-helloworld-web bf$
# choose target
export DMO_SERVICE_NAME=hw_dmo_mysql
# choose network of service
DMO_NETWORK_ID=$(docker service inspect $DMO_SERVICE_NAME | \
  jq -r '.[0].Spec.TaskTemplate.Networks[0].Target')
# get name of network
docker network inspect $DMO_NETWORK_ID | jq -r '.[0].Name'
docker service update --network-add $DMO_NETWORK_ID sshd
# demo-helloworld-web bf$
...
entrypoint:
  - "java"
  - "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:7777"
  - "-jar"
  - "demo-helloworld-web.jar"
...
=> service re-creation necessary, no change of Docker images necessary
# demo-helloworld-web bf$
# check service start command
docker service inspect hw_dmo_app | jq '.[0].Spec.TaskTemplate.ContainerSpec.Command'
my-ssh -i $DMO_PRV_KEY [email protected] \
  -p 7777 -L 12345:app:7777
# stays open ...
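As an added example (not code from the talk or the demo project), here is a small Python audit over the JSON that `docker service inspect` prints. It finds JDWP agents like the one in the entrypoint above and reports where each debug port is reachable from: only inside the overlay network (the situation the SSH tunnel relies on), on loopback, or published through the swarm ingress, which is the case to catch before it reaches production. The service names, network ID and the `dbg-exposed` service in the embedded sample are constructed; the field paths are the ones the slides query with jq.

```python
"""Audit Swarm service specs for JDWP remote-debug agents (added example, not from the talk)."""
import json
import re

# JDWP agent switch as used in the entrypoint above, e.g.
#   -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:7777
JDWP_RE = re.compile(r"^-agentlib:jdwp=(.*)$")

# "" = no host part: on Java 8 that binds all interfaces (JDK 9+ defaults to localhost).
ALL_INTERFACES = {"", "*", "0.0.0.0", "::"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample standing in for the output of
#   docker service inspect hw_dmo_app hw_dmo_mysql dbg-exposed
# Only hw_dmo_app mirrors the talk; the other two services and all IDs are made up.
SAMPLE_INSPECT = json.dumps([
    {"Spec": {"Name": "hw_dmo_app",
              "TaskTemplate": {
                  "ContainerSpec": {"Command": [
                      "java",
                      "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:7777",
                      "-jar", "demo-helloworld-web.jar"]},
                  "Networks": [{"Target": "constructed-overlay-net-id"}]},
              "EndpointSpec": {"Ports": [{"PublishedPort": 8080, "TargetPort": 8080}]}}},
    {"Spec": {"Name": "hw_dmo_mysql",
              "TaskTemplate": {"ContainerSpec": {"Command": ["mysqld"]}}}},
    {"Spec": {"Name": "dbg-exposed",
              "TaskTemplate": {"ContainerSpec": {
                  "Command": ["java"],
                  "Args": ["-agentlib:jdwp=transport=dt_socket,server=y,address=0.0.0.0:5005",
                           "-jar", "other.jar"]}},
              "EndpointSpec": {"Ports": [{"PublishedPort": 5005, "TargetPort": 5005}]}}},
])


def parse_jdwp_options(arg):
    """Split '-agentlib:jdwp=k=v,k=v' into a dict; None if arg is not a JDWP switch."""
    m = JDWP_RE.match(arg)
    if m is None:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def debug_port_of(opts):
    """Return (host, port) from the JDWP 'address' option; host is '' when absent."""
    address = opts.get("address", "")
    host, sep, port = address.rpartition(":")
    return (host, port) if sep else ("", address)


def audit_service(service):
    """Findings for one service object as printed by `docker service inspect`."""
    spec = service.get("Spec", {})
    cspec = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
    argv = list(cspec.get("Command") or []) + list(cspec.get("Args") or [])
    ports = spec.get("EndpointSpec", {}).get("Ports") or []
    published = {str(p.get("TargetPort")) for p in ports}
    findings = []
    for arg in argv:
        opts = parse_jdwp_options(arg)
        if opts is None:
            continue
        host, port = debug_port_of(opts)
        findings.append({
            "service": spec.get("Name"),
            "port": port,
            "bind_host": host,
            "published": port in published,              # reachable through the swarm ingress
            "suspend": opts.get("suspend", "y") == "y",  # JDWP default is suspend=y
        })
    return findings


def audit_all(inspect_json):
    """Run audit_service over the JSON array `docker service inspect` prints."""
    findings = []
    for service in json.loads(inspect_json):
        findings.extend(audit_service(service))
    return findings


def classify(finding):
    """Where the debug port can be reached from; 'overlay-only' is the tunnel setup above."""
    if finding["published"]:
        return "published-to-ingress"
    if finding["bind_host"] in LOOPBACK:
        return "loopback-only"
    if finding["bind_host"] in ALL_INTERFACES:
        return "overlay-only"
    return "specific-interface"


if __name__ == "__main__":
    for f in audit_all(SAMPLE_INSPECT):
        print(f"{f['service']}: jdwp on {f['bind_host'] or '*'}:{f['port']} -> {classify(f)}")
```

Run against real output with `docker service inspect $(docker service ls -q) | python3 audit.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`; a finding classified `published-to-ingress` means the debug agent is reachable without the sshd service and its key at all.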
Third Lesson - Access Local Services
Not in this demo
poor man’s "ngrok"
# demo-helloworld-web bf$
# additional port to be reachable from "outside world"
docker service update sshd --publish-add 2345:2345
# start helloworld-web app in IDE
# listen on port 8080
my-ssh -i ~/.ssh/id_rsa_dmo -p 7777 \
  [email protected] \
  -R 2345:localhost:8080
# open browser
# http d4r-cluster01-m01.aemc.me:2345
Fourth Lesson - "From Scratch" Docker Images
❏ Docker Image best practice
  ❏ as small as possible to
    ❏ save bandwidth and storage
    ❏ reduce attack vectors
❏ Result: Docker images
  ❏ based on “small” linux distributions like Alpine and similar
  ❏ with static linked binaries and no base linux distro
❏ Consequences:
  ❏ missing tools for debugging ...
  ❏ may not work: docker container exec …
FROM golang:alpine AS builder
ADD ./whoami.go /go/src
ENV GOOS=linux
ENV GOARCH=386
RUN cd /go/src && go build -o /go/bin/whoami
RUN echo "Hallo from GoWebServer" > /go/bin/index.html

FROM scratch | FROM alpine      # two images: one built FROM scratch, one FROM alpine
WORKDIR /app
COPY --from=builder /go/bin/whoami /app/
COPY --from=builder /go/bin/index.html /app/src/
ENTRYPOINT [ "./whoami" ]
# demo-helloworld-web bf$
docker service create \
  --name=whoami-alpine \
  --replicas=1 \
  --publish="9876:8000" \
  --hostname=whoami_alpine \
  --constraint "node.role == worker" \
  aemc/whoami:alpine
http d4r-cluster01-m01.aemc.me:9876
http d4r-cluster01-m01.aemc.me:9876/ping
http d4r-cluster01-m01.aemc.me:9876/whoami
# demo-helloworld-web bf$
docker service create \
  --name=whoami-scratch \
  --replicas=1 \
  --publish="1234:8000" \
  --hostname=whoami_scratch \
  --constraint "node.role == worker" \
  aemc/whoami:scratch
http d4r-cluster01-m01.aemc.me:1234
http d4r-cluster01-m01.aemc.me:1234/ping
http d4r-cluster01-m01.aemc.me:1234/whoami
# demo-helloworld-web bf$
./get-containerids-of-service.sh whoami-alpine
# container runs on node ???
$(setDockerEnv.sh d4r <node>.aemc.me)
docker info | grep -i name
docker container exec -it <container> sh
/app # cat src/index.html
Hallo from GoWebServer
/app # exit
$(setDockerEnv.sh d4r d4r-cluster01-m01.aemc.me)
# demo-helloworld-web bf$
./get-containerids-of-service.sh whoami-scratch
# container runs on node ???
export CON_ID=<container>
$(setDockerEnv.sh d4r <node>.aemc.me)
docker info | grep -i name
docker container exec -it $CON_ID sh
# ... fails: a "from scratch" image contains no sh
# demo-helloworld-web bf$
# use a second "container" with necessary tools …
docker container run -it --rm \
  --net container:$CON_ID \
  --pid container:$CON_ID \
  alpine sh
/ # id
/ # ps auxww
/ # nc localhost 8000
GET / HTTP/1.1
host: localhost

# demo-helloworld-web bf$
# use a second "container" with necessary tools …
# continue ..
/ # ls -al /proc/1/root/
/ # cat /proc/1/root/app/src/index.html
/ # echo "Hallo from GoWebServer - Changed1" > \
      /proc/1/root/app/src/index.html
# use browser
/ # exit

❏ mission accomplished ;-)
❏ able to "enrich" "reduced" Docker images with additional functionality
❏ right now only for linux container ...
Fifth Lesson - Resource Limits and Container Awareness
❏ Focus for now: memory
❏ Java 8 u131
❏ Sources:
  ❏ docker-java-memory-limits (see links)
  ❏ => Demo
    ❏ MemoryInfo.java
    ❏ MemoryEater.java
❏ Prepared Docker image
  ❏ registry.gitlab.com/aemc/eval/docker-java-memory-limits
❏ Hint: using VM’s with 2 GB RAM ...
# demo-helloworld-web bf$
export IMG=registry.gitlab.com/aemc/eval/docker-java-memory-limits
docker container run --rm --name=test \
  $IMG MemoryTotal
docker container run --rm --name=test --memory 100MB \
  $IMG MemoryTotal
# demo-helloworld-web bf$
docker container run --name=test --memory 100MB \
  $IMG MemoryEater
docker container ls -a --filter="name=test"
# exited with 137 -> SIGKILL
docker container inspect test | jq '.[0].State'
# ExitCode: 137
# OOMKilled: true
docker container rm test
# demo-helloworld-web bf$
docker container run --rm -m 100MB --name=test \
  $IMG -Xmx100M MemoryTotal
# use helper/start script for computation
# https://github.com/fabric8io-images/java/blob/master/images/alpine/openjdk8/jre/run-java.sh
# demo-helloworld-web bf$
docker container run --rm --memory 1GB --name=test \
  $IMG \
  -XX:+UnlockExperimentalVMOptions \
  -XX:+UseCGroupMemoryLimitForHeap \
  MemoryTotal
Some more lessons ...
❏ Use container together with automation tools like Ansible, Puppet, Salt, … to
  ❏ fill gaps
    ❏ secret/config handling
    ❏ local volume handling
  ❏ guarantee reproducibility
  ❏ improve flexibility
  ❏ improve automation
❏ Security …
  ❏ using Docker/K8s/… CLI => root !!!
  ❏ use RBAC mechanism
    ❏ Docker Auth-Plugins
      ❏ Casbin (https://github.com/casbin/casbin)
      ❏ Authobot (https://github.com/ndeloof/authobot)
    ❏ UI
      ❏ Docker EE
      ❏ Portainer
      ❏ ...
Questions …?
Links
❏ Source Code
  ❏ https://gitlab.com/aemc
    ❏ demo/demo-helloworld-web
    ❏ demo/demo-multi-swarm-cluster
    ❏ demo/demo-swarm-cluster
    ❏ aemc/eval/docker-java-memory-limits
❏ Java Resource Limits
  ❏ https://bugs.openjdk.java.net/browse/JDK-8182070
  ❏ https://bugs.openjdk.java.net/browse/JDK-8146115
This is the last slide ...