docker demo @ iuk seminar

martin scharm dept. for systems biology and bioinformatics university of rostock IuK Seminar Rostock, 2016-05-24

Upload: martin-scharm

Posted on 15-Apr-2017


TRANSCRIPT

Page 1: Docker Demo @ IuK Seminar

martin scharm
dept. for systems biology and bioinformatics
university of rostock

IuK Seminar
Rostock, 2016-05-24

Page 2: Docker Demo @ IuK Seminar

disclaimer

most of the stuff was not made by me. follow the links to find the actual creators.

paper: https://dx.doi.org/10.6084/m9.figshare.3397576.v1

Page 3: Docker Demo @ IuK Seminar

https://www.oreilly.com/learning/what-is-docker

Page 4: Docker Demo @ IuK Seminar

https://www.oreilly.com/learning/what-is-docker

https://www.docker.com/what-docker

Page 5: Docker Demo @ IuK Seminar

https://www.oreilly.com/learning/what-is-docker

https://en.wikipedia.org/wiki/Docker_(software)

https://www.docker.com/what-docker

Page 6: Docker Demo @ IuK Seminar

https://www.oreilly.com/learning/what-is-docker

https://en.wikipedia.org/wiki/Docker_(software)

https://www.docker.com/what-docker

some kind of virtualisation??

Page 7: Docker Demo @ IuK Seminar

https://www.oreilly.com/learning/what-is-docker

https://en.wikipedia.org/wiki/Docker_(software)

https://www.docker.com/what-docker

some kind of virtualisation??

for sure a booster for your applications, proposals, presentations… ;-)

Page 8: Docker Demo @ IuK Seminar

http://www.slideshare.net/dotCloud/why-docker

Page 9: Docker Demo @ IuK Seminar

http://www.slideshare.net/dotCloud/why-docker

Page 10: Docker Demo @ IuK Seminar

FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl

images consist of read-only layers
changes result in new layers

When Docker mounts the rootfs, it starts read-only, as in a traditional Linux boot, but then, instead of changing the file system to read-write mode, it takes advantage of a union mount to add a read-write file system over the read-only file system. In fact there may be multiple read-only file systems stacked on top of each other. We think of each one of these file systems as a layer.

https://docs.docker.com/v1.6/terms/layer/

Page 11: Docker Demo @ IuK Seminar

FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl

images consist of read-only layers
changes result in new layers

Page 12: Docker Demo @ IuK Seminar

FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl
RUN apt-get install -y nethack-console

FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl

Dockerfile: docker build creates an image.

a different image with similar “dependencies”
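An added example (not from the slides) that checks the two Dockerfiles contrasted above for the pattern the slides promote: every RUN/ADD/COPY adds a layer, an `apt-get install` needs a fetched package index, and `--no-install-recommends` keeps the layer lean. The two sample Dockerfiles are constructed here from the slides' own text.

```shell
#!/bin/sh
# Added example, not from the slides: lint the apt-get usage of pages 10 and 12.
# Sample Dockerfiles are constructed below from the slides' text.

count_layers() {
  # Instructions that write to the filesystem, i.e. produce a new layer.
  grep -c -E '^(RUN|ADD|COPY)[[:space:]]' "$1"
}

lint_dockerfile() {
  # Prints one finding per problem; exit status 0 only when nothing is found.
  updated=0 findings=0
  while IFS= read -r line; do
    case $line in RUN*) ;; *) continue ;; esac
    case $line in *"apt-get update"*) updated=1 ;; esac   # index fetched in a layer
    case $line in *"apt-get install"*) ;; *) continue ;; esac
    if [ "$updated" -eq 0 ]; then
      echo "install without a prior apt-get update: $line"
      findings=$((findings + 1))
    fi
    case $line in *--no-install-recommends*) ;;
      *) echo "missing --no-install-recommends: $line"; findings=$((findings + 1)) ;;
    esac
  done < "$1"
  [ "$findings" -eq 0 ]
}

count_findings() { lint_dockerfile "$1" | wc -l | tr -d ' '; }

workdir=$(mktemp -d)
cat > "$workdir/Dockerfile.page10" <<'EOF'
FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl
EOF
cat > "$workdir/Dockerfile.page12" <<'EOF'
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl
EOF

for f in "$workdir"/Dockerfile.*; do
  echo "$f: $(count_layers "$f") layer-creating instructions"
  lint_dockerfile "$f" || echo "$f: needs work"
done
```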

Page 13: Docker Demo @ IuK Seminar

anatomy of a dockerized app

● Dockerfile: recipe to build an image
● Image: runtime environment
● Container: instance of the app
● Volume: persistent data
● Networks: communication

Page 14: Docker Demo @ IuK Seminar

docker hub

● like github for docker images
● pull – push – share your stuff

https://hub.docker.com/

Page 15: Docker Demo @ IuK Seminar

demo time.

Page 16: Docker Demo @ IuK Seminar

get an image from the docker HUB

$ docker pull nginx:latest
latest: Pulling from library/nginx
3059b4820522: Pull complete
ff978d850939: Pull complete
9d1b4547bc10: Pull complete
7bb610d87cee: Pull complete
bbd672577eed: Pull complete
f4a3cc2c46e0: Pull complete
8f9345da4c7a: Pull complete
72cd8a7c892b: Pull complete
Digest: sha256:46a1b05e9ded54272e11b06e13727371a65e2ef8a87f9fb447c64e0607b90340
Status: Downloaded newer image for nginx:latest

$ docker images
REPOSITORY                               TAG     IMAGE ID      CREATED            VIRTUAL SIZE
binfalse/debian-with-curl-moonbuggy-sl   latest  125374f94e47  About an hour ago  149.2 MB
nginx                                    latest  72cd8a7c892b  2 weeks ago        182.7 MB
binfalse/skype                           latest  bec4e37e163d  5 weeks ago        565.1 MB
binfalse/deb-skype                       latest  bec4e37e163d  5 weeks ago        565.1 MB
debian                                   stable  82f85996fa28  6 weeks ago        125 MB

Page 17: Docker Demo @ IuK Seminar

run the image

$ docker run --name some-nginx -d -p 2222:80 -v /opt/docker/web:/usr/share/nginx/html:ro -d nginx
ec0771865e5f03a3f55df3611f15f97a88e6eee2c26802f5f95784ed28116222

$ docker ps
CONTAINER ID  IMAGE  COMMAND                 CREATED         STATUS         PORTS                            NAMES
ec0771865e5f  nginx  "nginx -g 'daemon off"  25 seconds ago  Up 25 seconds  443/tcp, 0.0.0.0:2222->80/tcp  some-nginx

$ curl localhost:2222
...

$ docker kill some-nginx
some-nginx

$ docker ps
CONTAINER ID  IMAGE  COMMAND  CREATED  STATUS  PORTS  NAMES

$ docker ps -a
CONTAINER ID  IMAGE  COMMAND                 CREATED        STATUS                     PORTS  NAMES
ec0771865e5f  nginx  "nginx -g 'daemon off"  8 minutes ago  Exited (137) 7 seconds ago         some-nginx

$ docker rm some-nginx
some-nginx

Page 18: Docker Demo @ IuK Seminar

create an image

$ cat Dockerfile
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl

$ docker build -t binfalse/debian-with-curl-moonbuggy-sl .
Sending build context to Docker daemon 2.048 kB
Step 0 : FROM debian:stable
 ---> 82f85996fa28
Step 1 : RUN apt-get update && apt-get install -y --no-install-recommends curl
 ---> Running in 16ce78bf2cfa
Ign http://httpredir.debian.org stable InRelease
Get:1 http://httpredir.debian.org stable-updates InRelease [142 kB]
....
Processing triggers for libc-bin (2.19-18+deb8u4) ...
 ---> c2566a69a8e2
Removing intermediate container 16ce78bf2cfa
Step 2 : RUN apt-get install -y --no-install-recommends moon-buggy
 ---> Running in e485857c3881
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  moon-buggy
...

$ docker run --rm -it binfalse/debian-with-curl-moonbuggy-sl /usr/games/sl

that’s just for showcase, not best practise!

Page 19: Docker Demo @ IuK Seminar

remove an image

$ docker images
REPOSITORY                               TAG     IMAGE ID      CREATED         VIRTUAL SIZE
binfalse/debian-with-curl-moonbuggy-sl   latest  711a58dd52d2  18 minutes ago  149.2 MB
nginx                                    latest  72cd8a7c892b  2 weeks ago     182.7 MB
binfalse/skype                           latest  bec4e37e163d  5 weeks ago     565.1 MB
binfalse/deb-skype                       latest  bec4e37e163d  5 weeks ago     565.1 MB
debian                                   stable  82f85996fa28  6 weeks ago     125 MB

$ docker rmi binfalse/debian-with-curl-moonbuggy-sl
Untagged: binfalse/debian-with-curl-moonbuggy-sl:latest
Deleted: 711a58dd52d207421124396061d0f505f1e223ae9803c0d6be601cd510a7c50c
Deleted: 95df58df3f4b320ecc2cff76746a9576658e26136f124992b8fa176b03678341
Deleted: c2566a69a8e2f3f351498cbe3ffe26780b100f3867ce9e2f262b33eed484b640

$ docker images
REPOSITORY           TAG     IMAGE ID      CREATED      VIRTUAL SIZE
nginx                latest  72cd8a7c892b  2 weeks ago  182.7 MB
binfalse/skype       latest  bec4e37e163d  5 weeks ago  565.1 MB
binfalse/deb-skype   latest  bec4e37e163d  5 weeks ago  565.1 MB
debian               stable  82f85996fa28  6 weeks ago  125 MB

Page 20: Docker Demo @ IuK Seminar

#app1: wordpress + mysql + some extra security

MySQL

docker pull mysql:latest
docker run -e MYSQL_ROOT_PASSWORD=yourpassword --name db -v /home/mysql/:/var/lib/mysql/ -d mysql

# optionally connect to configure the db
alias dockip="docker inspect --format '{{ .NetworkSettings.IPAddress }}'"
mysql -h$(dockip db) -uroot -pyourpassword

Wordpress

docker pull wordpress:latest
docker run --name my-wordpress --link db:mysql -v /home/wp/:/var/www/html/ -p 80:80 -d wordpress

benefit: isolation
● host is safe if hacker breaks into wordpress
● plugins won’t be able to see db files
● mysql cannot see wp config etc

Page 21: Docker Demo @ IuK Seminar

#app2: jail for skype

https://binfalse.de/2016/01/04/docker-jail-for-skype/

jail that “obfuscated malicious binary blob with network capabilities”

$ docker run -d -p 127.0.0.1:55555:22 --name skype_container binfalse/skype

$ ssh -X -p 55555 [email protected]

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan 4 23:07:37 2016 from 172.17.42.1
$ skype

Page 22: Docker Demo @ IuK Seminar

#app3: teaching

● let’s assume students are asked to c++-code an std::out for "this is correct"

● expected solution:

#include <iostream>

int main(){
  std::cout << "this is correct" << std::endl;
}

Page 23: Docker Demo @ IuK Seminar

#app3: teaching

● tiny bash script to compile && execute the students’ code: executer.sh

#!/bin/bash
# lets assume the submissions are always found in /job
EXECUTABLE=/job/program.out
SOURCE=/job/program.cpp

# compile it if it wasn’t compiled yet
[ -x $EXECUTABLE ] || g++ -o $EXECUTABLE $SOURCE

# go for it
$EXECUTABLE

Page 24: Docker Demo @ IuK Seminar

#app3: teaching

● create a Dockerfile

● create a docker image

# meta
FROM centos
MAINTAINER martin scharm

# install a c++ compiler
RUN yum install -y gcc-c++

# add the executer script
ADD executer.sh /executer.sh

# makes this a binary
ENTRYPOINT /executer.sh

$ docker build -t binfalse/tutors-little-helper .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM centos
 ---> 60e65a8e4030
...

Page 25: Docker Demo @ IuK Seminar

#app3: teaching

● lets say students’ submissions are in

$ find /opt/docker/student-submissions/
/opt/docker/student-submissions/
/opt/docker/student-submissions/1
/opt/docker/student-submissions/1/program.cpp
/opt/docker/student-submissions/2
/opt/docker/student-submissions/2/program.cpp
/opt/docker/student-submissions/3
/opt/docker/student-submissions/3/program.cpp

● check submissions using the docker image

$ for i in /opt/docker/student-submissions/*
do
  echo "checking submission "${i/*\//}
  docker run --rm -v $i:/job binfalse/tutors-little-helper
done

checking submission 1
this is correct
checking submission 2
this is correct
checking submission 3
this is not correct

submissions 1 & 2 seem to be correct..!?

student #3 is definitely too stupid...

Page 26: Docker Demo @ IuK Seminar

#app3: teaching

● but what the hell is that:

$ cat /opt/docker/student-submissions/2/program.cpp
#include <iostream>
#include <fstream>

int main(){
  // do something malicious that the tutors won’t recognize
  std::ifstream src("/etc/passwd");
  std::ofstream dst("/tmp/newpasswd");
  dst << src.rdbuf() << "evil:x:1001:1001:Evil User,,,:/home/evil:/bin/bash" << std::endl;

  // pretend being harmless delivering correct results
  std::cout << "this is correct" << std::endl;
}

Page 27: Docker Demo @ IuK Seminar

From http://www.slideshare.net/jpetazzo/introduction-docker-linux-containers-lxc

Page 28: Docker Demo @ IuK Seminar

http://www.slideshare.net/Alshaari/docker-saudi-hpc2016

Page 29: Docker Demo @ IuK Seminar

Passive Benchmarking with docker LXC, KVM & OpenStack
Hosted @ SoftLayer

Boden Russell ([email protected])
IBM Global Technology Services
Advanced Cloud Solutions & Innovation

V2.0

Supporting statistics from http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/

Page 30: Docker Demo @ IuK Seminar

Cloudy Performance: Serial VM Reboot

[bar chart: Average Server Reboot Time, time in seconds: docker 2.58, KVM 124.43]

http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/

Page 31: Docker Demo @ IuK Seminar

Guest Performance: CPU

[bar chart: Calculate Primes Up To 20000, seconds: Bare Metal 15.26, docker 15.22, KVM 15.13]

http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/

Page 32: Docker Demo @ IuK Seminar

Cloudy Performance: Steady State Packing

[chart: Docker: Compute Node Used Memory (full test duration), memory over time; Delta 734 MB, Per VM 49 MB]

[chart: KVM: Compute Node Used Memory (full test duration), memory over time; Delta 4387 MB, Per VM 292 MB]

http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/

Page 33: Docker Demo @ IuK Seminar

Guest Performance: Network

[bar chart: Network Throughput, throughput in 10^6 bits/second: docker 940.26, KVM 940.56]

http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/

Page 34: Docker Demo @ IuK Seminar

take home.

● smaller, more understandable apps – do one thing and do it well.
● no/weakened dependency hell
● smaller & faster deployment
● +reproducibility
● don’t ignore traditional controls such as high patch level
● docker is not enterprise virtualisation, no cloud platform, no configuration management, no deployment framework, no development environment

Page 35: Docker Demo @ IuK Seminar

that’s it.

feel free to come around for discussions

on and off docker and/or a beer.

@binfalse
http://[email protected]

questions? doubts? comments?

room 413, Ulmencampus, 54.086325,12.107683