ansible docker
Post on 16-Jul-2015
About Me
• Have worked through L1/2/3 SysOps iterations
• Mostly German automotive sector
• 01/2013 -> 10/2014 R&D @Bull SAS
• Now
  • independent R&D / Freelancing
  • DevOps Eng. at Locafox (scale online)
• Hot topics
  • Containerization
  • Log / Performance Management
  • GO-Lang
  • HPC Cluster Software Stack / Interconnect
Traditional vs. Lightweight Layers
[Figure: layer stack comparison. Traditional Virtualisation: SERVER > HOST KERNEL > HYPERVISOR > one KERNEL per VM > Userland (OS) > InitSystem > SERVICE. Docker Containerisation: SERVER > HOST KERNEL > host Userland (OS) and InitSystem > one Userland (OS) per container > SERVICE; no hypervisor, guest kernel or init system per container.]
Docker in a (Coco-)Nutshell
• (chroot)² != Virtual Machine
• Builds on-top LinuX Containers (LXC)
• Kernel namespaces (isolation)
Process Namespace
    $ docker run -ti --rm ubuntu:14.04 ps -ef
    UID        PID  PPID  C STIME TTY          TIME CMD
    root         1     0  0 10:24 ?        00:00:00 ps -ef
    $
Containers are not able to see processes outside of their scope.
Network Namespace
    $ docker run -ti --rm ubuntu:14.04 ip -4 -o addr
    1: lo    inet 127.0.0.1/8 scope host lo
    10: eth0    inet 172.17.0.4/16 scope global eth0
    $
Each container gets its own network stack (by default; configurable).
Namespaces
• Mount (do not mess with other file systems)
• User (users are only valid within one container)
• IPC (interprocess communication only within the container)
• UTS (hostname / domain name is unique)
Docker in a (Coco-)Nutshell
• (chroot)² != Virtual Machine
• Builds on-top LinuX Containers (LXC)
• Kernel namespaces (isolation)
• intuitive build system
• cgroups (resource mgmt)
Dockerfile
    $ cat Dockerfile
    # From which image to start from
    FROM fedora:20
    # Who is in charge
    MAINTAINER "Christian Kniep <christian@qnib.org>"
    # Execute bash command at build time
    RUN yum install -y stress
    # if no command is given, this command will be
    # executed at runtime (exec form: no shell is involved).
    CMD ["stress", "-c", "4"]
Build Dockerfile
    $ docker build -q -t locafox/stress .
    Step 0 : FROM fedora:20
     ---> 7d3f07f8de5f
    Step 1 : RUN yum install -y stress
     ---> Running in 43fcf8d8393a
     ---> f1d0c1455565
    Removing intermediate container 43fcf8d8393a
    Step 2 : CMD stress -c 4
     ---> Running in bd6536dfabed
     ---> 24b99ee707fe
    Removing intermediate container bd6536dfabed
    Successfully built 24b99ee707fe
    $
Cached Builds
    $ docker build -q -t locafox/stress .
    Step 0 : FROM fedora:20
     ---> 7d3f07f8de5f
    Step 1 : RUN yum install -y stress
     ---> Using cache
     ---> f1d0c1455565
    Step 2 : CMD stress -c 4
     ---> Using cache
     ---> 24b99ee707fe
    Successfully built 24b99ee707fe
    $
If a build step was already executed with the same instruction on the same parent layer, its result is taken from the cache instead of being re-run.
Docker in a (Coco-)Nutshell
• (chroot)² != Virtual Machine
• Builds on-top LinuX Containers (LXC)
• Kernel namespaces (isolation)
• cgroups (resource mgmt)
• intuitive build system
• repositories public/private/certified
• RedHat, Microsoft, Community backed
Docker != VM (srsly!)
http://en.wikipedia.org/wiki/Systemd
Virtual Machine
• Kicks off a complete machine, hence the name!
• Everyone™ disables security
• Hard to strip down
Docker
• Only spawns one process (in theory, at least)
• Easy to understand (theory, old friend)
Single Process
• Make SELinux usable?
• one process
• limited interactions
• just simpler
https://www.youtube.com/watch?v=zWGFqMuEHdw
Images and CoW
• An image is an immutable layer
• A container is the RW layer, which is executed on-top
[Figure: copy-on-write image tree rooted at Fedora, with the images qnib/fd20, qnib/supervisor, qnib/terminal, qnib/build, qnib/of_build, qnib/IB_build, qnib/slurm_build, qnib/master, qnib/gapi, qnib/carbon, qnib/elk, /slurm and qnib/slave as descendants.]
FROM points to the parent image and this relationship sticks: if the parent is changed, the child has to be rebuilt.
Ansible + Docker
• Purpose of Config-Mgmt
  • Provisioning
  • Orchestration
  • Validation
• Ansible
  • docker module
  • docker inventory
  • docker facts
Config Mgmt
• Provisioning
  • Bootstrap DOCKER_HOST
  • Dockerfile vs. playbooks?
• Orchestration
  • Multiple other projects in the woods (Docker Swarm, Kubernetes, Apache Mesos[?], …)
• Validation
  • Is the configuration within still valid?
Ansible
• docker module
  • Start/Stop Container
• docker inventory
  • provide dynamic inventory by fetching info about running containers
• docker facts
  • Use information about containers within Ansible
Thoughts
• Containers mostly do not provide an SSH daemon
  • Connecting via: docker exec <container> bash
• Docker is a nice way to check out playbooks
• Otherwise playbooks shouldn't be used inside of Dockerfiles [IMHO]
• Use Ansible to check configuration within container?
• Setup SELinux rules using Ansible
• Vagrant vs. Docker
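The provisioning and validation use of the docker module discussed above (start/stop a container, then check that the configuration inside it is still valid without an sshd), as an added example written for this page and not part of the talk. It assumes an Ansible 1.9-era `docker` module run on the DOCKER_HOST itself, the `locafox/stress` image built earlier in the deck, and a container name and memory limit chosen here.

```yaml
# Added example (not from the talk). Assumes: Ansible 1.9 docker module,
# running locally on the DOCKER_HOST, image locafox/stress already built.
# Container name "stress" and the 256MB limit are assumptions.
- name: Provision and validate a stress container
  hosts: localhost
  connection: local
  tasks:
    - name: Start the container (idempotent, no-op if already running)
      docker:
        name: stress
        image: locafox/stress
        state: started
        memory_limit: 256MB      # cgroup limit: "cgroups (resource mgmt)"
        privileged: false        # keep the kernel namespaces meaningful

    # Validation: there is no sshd inside, so look through docker exec.
    # changed_when: false keeps a read-only check from reporting a change.
    - name: Read the process table inside the container
      command: docker exec stress ps -ef
      register: ps_out
      changed_when: false

    - name: Fail if the image's CMD is not what is running inside
      fail:
        msg: "unexpected process tree in container: {{ ps_out.stdout }}"
      when: "'stress -c 4' not in ps_out.stdout"

    - name: Check the network namespace got its own address
      command: docker exec stress ip -4 -o addr
      register: ip_out
      changed_when: false
      failed_when: "'eth0' not in ip_out.stdout"

    - name: Stop and remove the container when done
      docker:
        name: stress
        image: locafox/stress
        state: absent
```

Run it with `ansible-playbook` on the Docker host; swapping `hosts: localhost` for the docker dynamic inventory lets the same validation tasks target every running container the inventory script reports.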