baking docker using chef
TRANSCRIPT
BAKING DOCKER USING CHEFMukta Aphale
ChefConf 2015
WHO AM I? Ruby, Java, C Developer turned into DevOps Architect
Contributed to Chef development Chef azure extension Knife plugins: knife-azure, knife-ec2, knife-openstack Knife WinRM, knife windows listener
Working with iHealth Technologies
Technology, innovation and the thirst to keep learning are what define me
Love to travel, read, write
Above all, I am a mother to two boys!
@muktaa
AGENDADockerChef + DockerCD pipeline that uses knife-sshPush JobsChef CookbookChef Containers Our Story
DOCKER
A Quick Introduction
WHAT IS DOCKER?Linux
Container
3 Components:Docker Engine
Docker HubDocker Images
Benefits:Speed
PortabilityDensity
Open Source
“Can create lightweight, self
sufficient containers from any application”
DOCKER IS NOT A VMVirtual Machine Docker
FROM ubuntu:14.04
RUN apt-get updateRUN apt-get install libfuse-dev
ADD dev.conf/etc/myapp-config/
DOCKERFILESCodify your configuration
Set of bash commandsExample:
HelloScalaDockerfiledev.conf
Docker build HelloScala
USE CASES OF DOCKER
Shared Hosting – PaaSMicroservicesLightweight Testing
CHEF AND DOCKER
Getting the best of both worlds!
THE CHALLENGE
Automate Make Whole Enchilada
Deliver!
CONFIG MANAGEMENT VS GOLDEN IMAGESControl the environment Vs System Image / Runtime image
Tradeoff between flexibility and manageability
CM is the vein of DevOpsShell scripts -> Chef
Immutable Infrastructure
Docker
Chef
Awesomeness
CHEF AND DOCKERReplaces Human Tasks,
Idempotence,Thick client - thin
servers,Order Matters,
Huge Community Support
An improved Robot,Fast,Easy,
Fresh fish in the market, ready to be
baked!
SIMPLE CD PIPELINE
Because simple things can bring the most happiness!
SIMPLE CI/CD PIPELINE
•git push•Triggers Build
Code
•Build tools have docker support
•Build tools generate a docker image
Build Process Save imageDocker
Image Unique tagDocker Registry
•docker pull •docker stop•docker run
Deploy using
knife-ssh or Push
Jobs
CI Server
THE SIMPLE STEPS git push to https://github.com/muktaa/HelloScala Triggers a build on your CI server
sbt docker docker push muktaa/hello-scala knife ssh 'role:test' 'deploy.sh' -x ssh-user -i ssh-key -c knife.rb
Build tools offer docker integration Eg: Maven has docker-maven-plugin
https://github.com/spotify/docker-maven-plugin mvn clean package docker:build -DpushImage
~/github/HelloScala > sbt docker
[info] Loading project definition from /Users/muktaaphale/github/HelloScala/project
[info] Set current project to hello-scala (in build file:/Users/muktaaphale/github/HelloScala/)
[info] Creating docker image with name: 'muktaa/hello-scala'
:
[info] Sending build context to Docker daemon
[info] Step 0 : FROM dockerfile/java
[info] ---> 1126c85d8a06
[info] Step 1 : ADD /app/hello-scala_2.11-1.4-one-jar.jar /app/hello-scala_2.11-1.4-one-jar.jar
[info] ---> Using cache
[info] ---> 61871958f108
[info] Step 2 : ENTRYPOINT java -jar /app/hello-scala_2.11-1.4-one-jar.jar
[info] ---> Using cache
[info] ---> a8005b32ddc4
[info] Successfully built a8005b32ddc4
[info] Successfully built Docker image: muktaa/hello-scala
[success] Total time: 1 s, completed Mar 3, 2015 2:10:04 PM
~/github/HelloScala > docker images | grep hello-scala
muktaa/hello-scala latest a8005b32ddc4 12 hours ago 715 MB
~/github/HelloScala > docker run muktaa/hello-scala
Hello, world! #1
Hello, world! #2
Hello, world! #3
DOCKER REGISTRY
Docker Hub
Link: https://registry.hub.docker.com/u/muktaa/hello-scala
Automated Build in Docker: https://registry.hub.docker.com/u/muktaa/helloscala-automated-build/
PUSH JOBS
Do you need to push harder?
PUSH JOBSKnife-ssh works like “push”. Almost. Journey from pull to push“Chef push jobs is an extension of the Chef server that allows jobs to be run against nodes independently of a chef-client run”
Job: set of commands to be run on node Docker pull Docker stop Docker run
HOW ARE PUSH JOBS DIFFERENT FROM KNIFE-SSH?Push Jobs
Use message bus (zeromq) Claims to attack the scalability issue
Deployment status is relayed back
New born baby Complex at the moment, ready with just the basic foundation
Knife SSH
Parallel ssh SSH Protocol is slow and CPU hungry at scale
Feedback on deployment status is not as easy
Been in the market for long Easy to use
CHEF PUSH JOBS SERVEREnterprise Chef 11 or Chef server 12Standalone or HARun the commands on Chef Server:
chef-server-ctl install opscode-push-jobs-server
opscode-push-jobs-server-ctl reconfigurechef-server-ctl reconfigure
SETUP WORKSTATION Install knife push plugin
Gem install knife-jobs
Knife cookbook site download push-jobs Extract and save to your cookbook path Edit the attributes file (push-jobs/attributes/default.rb)
default['push_jobs']['package_url'] = 'https://opscode-private-chef.s3.amazonaws.com/ubuntu/12.04/x86_64/opscode-push-jobs-client_1.1.5-1_amd64.deb'
default['push_jobs']['package_checksum'] = 'd659c06c72397ed2bc6cd88488349857f1958538‘
Upload the push-jobs cookbook to your ChefServer
CREATE GROUPS & SETUP NODECreate 2 groups
Pushy_job_writers Pushy_job_readers
Add user to the groups
Sudo chef-client –r “recipe[push-jobs]”From Workstation:
Knife node status Knife node status <node-name>
RUN knife job start ‘chef-client –r recipe[run-docker]’ <node-name>
knife job start ‘docker.sh’ my_nodeWhere docker.sh:
Docker pull muktaa/hello-scala docker ps | grep muktaa/hello-scala| awk -F" " '{print $1}‘ Docker run muktaa/hello-scala
RETROSPECT
WHEN REALITY STRIKES…
If only applications were Hello World programs!
DOCKER IMAGE
Application Configuration
Docker Image
WHAT IS CONFIGURATION?
Packages Custom SetupsCredential
s
Softwares
Database
FilesEnvironment Specific Configuration
Ports
ENVIRONMENTS
DEV
Docker Container
Docker Container
Docker Container
PRE PRO
D
Docker Container
Docker Container
Docker Container
PROD
Docker Container
Docker Container
Docker Container
SECURE CREDENTIAL MANAGEMENT
Unsolved problem with Docker today
Credentials inside docker containersHard codesSet environment variables
WORKAROUND?Create Base Image
Manually, with configuration embedded
Build Tool uses the custom Base Image
Deploy using knife-ssh
DOCKER CHEF COOKBOOK
To manage docker images and deployment
DOCKER COOKBOOK Available in Supermarket: https://supermarket.chef.io/cookbooks/docker
Install docker
Build docker image
Pull image and run container
Push docker image to registry
LWRPs Docker_container Docker_image Docker_registry
https://github.com/bflad/chef-docker/blob/master/README.md
CREDENTIAL MANAGEMENTsecret = Chef::EncryptedDataBagItem.load_secret
@docker_cred = Chef::EncryptedDataBagItem.load(
node['docker']['creds']['databag'],
node['docker']['user'],
secret
)
docker_registry ‘https://registry.hub.docker.com/u/muktaa/hello-scala/’ do
email docker_cred['email']
username docker_cred['username']
password docker_cred['password']
end
DOCKER_IMAGE
# Build a docker image using docker_image resource
docker_image node['docker']['image'] do
tag node['docker']['image']['tag']
source '/var/docker'
action :build
end
# Push the image to docker registery
docker_image node['docker']['image'] do
action :push
end
# Delete the image from the machine
docker_image node['docker']['image'] do
action :remove
end
DOCKER_CONTAINER# Run Container
docker_container ‘muktaa/hello-scala’
detach true
port ‘8081:8081’, ‘8085:8085’
env ‘ENVIRONMENT=pre-prod’
volume ‘/mnt/docker/docker-storage’
action :run
end
GENERATE DOCKERFILE# Generate a docker file using template.
template "#{node['docker']['directory']}/Dockerfile" do
source 'dockerfile.erb'
variables image: node['docker']['base']['image']['name'],
maintainer: @docker_cred['maintainer'],
email: docker_cred['email'],
build_cmd: node['docker']['build']['commands'],
entry_point: node['docker']['build']['entry_point']
action :create
end
WORKFLOW
Build Applicatio
n
• Save the Artifact to a Repository Manager
Build Docker Image
• Docker cookbook would build and save the docker image
Deploy• Docker cookbook runs
the container on the nodes
CHEF CONTAINERS
Contains Awesome.
WHAT IS A CHEF CONTAINER?
PackageProvides Configuration Management for containers
CHEF CONTAINER COMPONENTS
chef-client
runit
chef-init
WHY CHEF CONTAINERS?Bootstrap chef-client without SSH connection
Manage multiple services inside your container
Manage running state of your containerConsistency across ArchitecturesMixed Architecture Applications
BEST SUITED FORTransitioning traditional architecture to containers
Handling last mile configuration when container boots
Getting the best of two worlds without complexity
KNIFE CONTAINER DOCKER INITGem install knife-containerknife container docker init NAMESPACE/IMAGE_NAME [options] -f base docker image (default is ubuntu 12.04) - chef container should be already installed on it
-r runlist -z chef client local mode -b use berkshelf
EXAMPLE$ sudo knife container docker init muktaa/hello-scala-cc Compiling Cookbooks...Recipe: knife_container::docker_init * directory[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc] action create * template[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/Dockerfile] action create- update content in file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-
scala-cc/Dockerfile from none to 943017- * template[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-
cc/.dockerignore] action create - create new file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/.dockerignore - update content in file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/.dockerignore from none to e3b0c4 * directory[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef] action create - create new directory /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef * template[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/client.rb] action create - create new file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/client.rb - update content in file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/client.rb from none to 7de61f * file[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/first-boot.json] action create - create new file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-
cc/chef/first-boot.json - update content in file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/first-boot.json from none to 5269ef * template[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/.node_name] action create - create new file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/.node_name - update content in file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/.node_name from none to 4764d2 * template[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/Berksfile] action create (skipped due to only_if) * directory[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/secure] action create - create new directory /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/secure * file[/home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/secure/validation.pem] action create - create new file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/secure/validation.pem - update content in file /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc/chef/secure/validation.pem from none to ec1f3e- change mode from '' to '0600'Downloading base image: chef/ubuntu-12.04:latest. This process may take awhile...Tagging base image chef/ubuntu-12.04 as muktaa/hello-scala-cc
Context Created: /home/ubuntu/chef-repo/dockerfiles/muktaa/hello-scala-cc
KNIFE CONTAINER DOCKER BUILDrun command docker images
knife container docker buildresolve docker dependenciesbuild docker imagecleanup chef artifacts
EXAMPLE$ sudo knife container docker build muktaa/hello-scala-cc
Sending build context to Docker daemon 9.728 kB
Sending build context to Docker daemon
Step 0 : FROM muktaa/hello-scala-cc
---> 50d3c5c9e133
Step 1 : ADD chef/ /etc/chef/
---> 4933cc9e13e0
Removing intermediate container da0a08413a91
Step 2 : RUN chef-init --bootstrap
---> Running in add27db609cc
[2015-03-31T21:44:44+00:00] INFO: Starting Supervisor...
[2015-03-31T21:44:44+00:00] INFO: Supervisor pid: 9
[2015-03-31T21:44:49+00:00] INFO: Starting chef-client run...
[2015-03-31T21:44:50+00:00] INFO: Forking chef instance to converge...
[2015-03-31T21:44:50+00:00] INFO: *** Chef 11.16.2 ***
[2015-03-31T21:44:50+00:00] INFO: Chef-client pid: 16
[2015-03-31T21:44:53+00:00] INFO: Client key /etc/chef/secure/client.pem is not present - registering
[2015-03-31T21:44:53+00:00] INFO: HTTP Request Returned 404 Object Not Found: error
[2015-03-31T21:44:54+00:00] INFO: Setting the run_list to [] from CLI options
[2015-03-31T21:44:54+00:00] INFO: Run List is []
[2015-03-31T21:44:54+00:00] INFO: Run List expands to []
[2015-03-31T21:44:54+00:00] INFO: Starting Chef Run for muktaa-hello-scala-cc-build
[2015-03-31T21:44:54+00:00] INFO: Running start handlers
[2015-03-31T21:44:54+00:00] INFO: Start handlers complete.
[2015-03-31T21:44:55+00:00] INFO: Loading cookbooks []
[2015-03-31T21:44:55+00:00] WARN: Node muktaa-hello-scala-cc-build has an empty run list.
[2015-03-31T21:44:55+00:00] INFO: Chef Run complete in 1.121705004 seconds
[2015-03-31T21:44:55+00:00] INFO: Running report handlers
[2015-03-31T21:44:55+00:00] INFO: Report handlers complete
[2015-03-31T21:44:55+00:00] INFO: Sending resource update report (run-id: 6f637baf-18cc-4620-b3e2-9afc90e8cd6b)
---> 2c2ec6fab1ef
Removing intermediate container add27db609cc
Step 3 : RUN rm -rf /etc/chef/secure/*
---> Running in 30a3611b083f
---> cab28d6eed90
Removing intermediate container 30a3611b083f
Step 4 : ENTRYPOINT ["chef-init"]
---> Running in 0a9f4e96bbf7
---> a8577b66b103
Removing intermediate container 0a9f4e96bbf7
Step 5 : CMD ["--onboot"]
---> Running in f9a444817229
---> 21b3800bc9b3
Removing intermediate container f9a444817229
Successfully built 21b3800bc9b3
DOCKER IMAGES$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
muktaa/hello-scala-cc latest 21b3800bc9b3 2 hours ago 311.9 MB
<none> <none> b343c8301cc8 2 hours ago 311.9 MB
chef/ubuntu-12.04 latest 50d3c5c9e133 6 months ago 311.9 MB
$ sudo docker push muktaa/hello-scala-cc
$ sudo docker –d run muktaa/hello-scala-cc
OUR STORY
Product under Development. Super Cool DevOps Culture.
LESSONS LEARNTRunning apps in containers is easyDebugging apps in containers is difficultYou can very well run multiple services inside a docker container
Ah the woes of Docker networking!Sequential ProgressionBake carefully… Happy Baking!
THANK YOU!Questions?