docker demo @ iuk seminar
TRANSCRIPT
martin scharm
dept. for systems biology and bioinformatics
university of rostock
IuK Seminar, Rostock, 2016-05-24
disclaimer
most of the stuff was not made by me. follow the links to find the actual creators.
paper: https://dx.doi.org/10.6084/m9.figshare.3397576.v1
https://www.oreilly.com/learning/what-is-docker
https://www.docker.com/what-docker
https://en.wikipedia.org/wiki/Docker_(software)
some kind of virtualisation??
for sure a booster for your applications, proposals, presentations… ;-)
http://www.slideshare.net/dotCloud/why-docker
FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl

images consist of read-only layers; changes result in new layers

When Docker mounts the rootfs, it starts read-only, as in a traditional Linux boot, but then, instead of changing the file system to read-write mode, it takes advantage of a union mount to add a read-write file system over the read-only file system. In fact there may be multiple read-only file systems stacked on top of each other. We think of each one of these file systems as a layer.
https://docs.docker.com/v1.6/terms/layer/

FROM debian:stable
RUN apt-get install -y curl
RUN apt-get install -y moon-buggy
RUN apt-get install -y sl
RUN apt-get install -y nethack-console
● one more instruction, one more layer on top; the four layers below it are unchanged (and come from the build cache)

FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl
● a different image with similar "dependencies": every RUN line differs, so none of its layers are shared with the image above
● note: keep apt-get update in the same RUN as each apt-get install; an update cached in its own layer means later installs work from stale package lists and miss security fixes

Dockerfile: docker build creates an image
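A consequence of "changes result in new layers" that is easy to miss: a file removed in a later RUN is only hidden by a whiteout entry in the new layer, the bytes stay in the read-only layer below and anyone who pulls the image can read them. The shell script below is an added example (not from the talk) that checks a sequence of layer tarballs for exactly that. It builds two constructed layers in a temp dir, one adding app/secret.key and one deleting it, and reports every path that a later layer whites out while an earlier one still carries it. Assumptions: layers are passed bottom-to-top, the order of "Layers" in the manifest.json of a `docker save` tarball, and only per-file `.wh.<name>` whiteouts are handled (opaque-directory whiteouts are ignored).

```shell
#!/bin/sh
# Added example, not part of the talk: find files that a later image layer
# deletes (whiteout) while an earlier read-only layer still contains them.
# Layer tars must be given bottom-to-top, the order of "Layers" in the
# manifest.json of a `docker save` tarball. Only ".wh.<name>" whiteouts are
# handled; opaque-directory whiteouts (".wh..wh..opq") are ignored.

# list_leaks LAYER1.tar LAYER2.tar ... -> one leaked path per line
list_leaks() {
    seen=""                       # paths present in the layers read so far
    for layer in "$@"; do
        members=$(tar -tf "$layer")
        printf '%s\n' "$members" | while IFS= read -r m; do
            base=${m##*/}
            dir=${m%"$base"}
            case "$base" in
                .wh.*)
                    target="$dir${base#.wh.}"
                    # a whiteout only matters if the path exists below it
                    if printf '%s\n' "$seen" | grep -qxF -- "$target"; then
                        printf '%s\n' "$target"
                    fi
                    ;;
            esac
        done
        seen=$(printf '%s\n%s' "$seen" "$members")
    done
}

# make_demo_layers DIR: build two constructed layers in DIR and print their
# paths in order. Layer 1 ships app/secret.key; layer 2 is what
# "RUN rm /app/secret.key" produces: a whiteout, the secret itself stays.
make_demo_layers() {
    d=$1
    mkdir -p "$d/l1/app" "$d/l2/app"
    printf 'hunter2\n' > "$d/l1/app/secret.key"
    : > "$d/l2/app/.wh.secret.key"
    printf 'v2\n' > "$d/l2/app/version"
    tar -cf "$d/layer1.tar" -C "$d/l1" app
    tar -cf "$d/layer2.tar" -C "$d/l2" app
    printf '%s\n' "$d/layer1.tar" "$d/layer2.tar"
}

# usage: sh layers.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_demo_layers "$tmp" > /dev/null
    echo "deleted in a later layer but still present below:"
    list_leaks "$tmp/layer1.tar" "$tmp/layer2.tar"
    rm -rf "$tmp"
fi
```

The fix on the Dockerfile side is not a later `rm` but never writing the secret into a layer at all (fetch and delete within one RUN, or use a build-time secret mount); the check above is how you verify an image you did not build yourself.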
anatomy of a dockerized app
● Dockerfile: recipe to build an image
● Image: runtime environment
● Container: instance of the app
● Volume: persistent data
● Networks: communication
docker hub
● like github for docker images
● pull – push – share your stuff
https://hub.docker.com/
demo time.
get an image from the docker HUB
$ docker pull nginx:latest
latest: Pulling from library/nginx
3059b4820522: Pull complete
ff978d850939: Pull complete
9d1b4547bc10: Pull complete
7bb610d87cee: Pull complete
bbd672577eed: Pull complete
f4a3cc2c46e0: Pull complete
8f9345da4c7a: Pull complete
72cd8a7c892b: Pull complete
Digest: sha256:46a1b05e9ded54272e11b06e13727371a65e2ef8a87f9fb447c64e0607b90340
Status: Downloaded newer image for nginx:latest
● note: a tag like :latest is mutable and may point to something else tomorrow; the Digest line identifies the exact content, and docker pull nginx@sha256:46a1b05e9ded54272e11b06e13727371a65e2ef8a87f9fb447c64e0607b90340 pins it
$ docker images
REPOSITORY                               TAG      IMAGE ID       CREATED             VIRTUAL SIZE
binfalse/debian-with-curl-moonbuggy-sl   latest   125374f94e47   About an hour ago   149.2 MB
nginx                                    latest   72cd8a7c892b   2 weeks ago         182.7 MB
binfalse/skype                           latest   bec4e37e163d   5 weeks ago         565.1 MB
binfalse/deb-skype                       latest   bec4e37e163d   5 weeks ago         565.1 MB
debian                                   stable   82f85996fa28   6 weeks ago         125 MB
run the image
$ docker run --name some-nginx -d -p 2222:80 -v /opt/docker/web:/usr/share/nginx/html:ro nginx
ec0771865e5f03a3f55df3611f15f97a88e6eee2c26802f5f95784ed28116222

$ docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED          STATUS          PORTS                           NAMES
ec0771865e5f   nginx   "nginx -g 'daemon off"   25 seconds ago   Up 25 seconds   443/tcp, 0.0.0.0:2222->80/tcp   some-nginx
● note: 0.0.0.0:2222 means the port is published on every interface of the host; -p 127.0.0.1:2222:80 keeps it on loopback

$ curl localhost:2222
...

$ docker kill some-nginx
some-nginx

$ docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES

$ docker ps -a
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS                      PORTS   NAMES
ec0771865e5f   nginx   "nginx -g 'daemon off"   8 minutes ago   Exited (137) 7 seconds ago           some-nginx

$ docker rm some-nginx
some-nginx
create an image
$ cat Dockerfile
FROM debian:stable
RUN apt-get update && apt-get install -y --no-install-recommends curl
RUN apt-get install -y --no-install-recommends moon-buggy
RUN apt-get install -y --no-install-recommends sl

$ docker build -t binfalse/debian-with-curl-moonbuggy-sl .
Sending build context to Docker daemon 2.048 kB
Step 0 : FROM debian:stable
 ---> 82f85996fa28
Step 1 : RUN apt-get update && apt-get install -y --no-install-recommends curl
 ---> Running in 16ce78bf2cfa
Ign http://httpredir.debian.org stable InRelease
Get:1 http://httpredir.debian.org stable-updates InRelease [142 kB]
....
Processing triggers for libc-bin (2.19-18+deb8u4) ...
 ---> c2566a69a8e2
Removing intermediate container 16ce78bf2cfa
Step 2 : RUN apt-get install -y --no-install-recommends moon-buggy
 ---> Running in e485857c3881
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  moon-buggy
...

$ docker run --rm -it binfalse/debian-with-curl-moonbuggy-sl /usr/games/sl
that’s just for showcase,not best practise!
remove an image
$ docker images
REPOSITORY                               TAG      IMAGE ID       CREATED          VIRTUAL SIZE
binfalse/debian-with-curl-moonbuggy-sl   latest   711a58dd52d2   18 minutes ago   149.2 MB
nginx                                    latest   72cd8a7c892b   2 weeks ago      182.7 MB
binfalse/skype                           latest   bec4e37e163d   5 weeks ago      565.1 MB
binfalse/deb-skype                       latest   bec4e37e163d   5 weeks ago      565.1 MB
debian                                   stable   82f85996fa28   6 weeks ago      125 MB

$ docker rmi binfalse/debian-with-curl-moonbuggy-sl
Untagged: binfalse/debian-with-curl-moonbuggy-sl:latest
Deleted: 711a58dd52d207421124396061d0f505f1e223ae9803c0d6be601cd510a7c50c
Deleted: 95df58df3f4b320ecc2cff76746a9576658e26136f124992b8fa176b03678341
Deleted: c2566a69a8e2f3f351498cbe3ffe26780b100f3867ce9e2f262b33eed484b640

$ docker images
REPOSITORY           TAG      IMAGE ID       CREATED       VIRTUAL SIZE
nginx                latest   72cd8a7c892b   2 weeks ago   182.7 MB
binfalse/skype       latest   bec4e37e163d   5 weeks ago   565.1 MB
binfalse/deb-skype   latest   bec4e37e163d   5 weeks ago   565.1 MB
debian               stable   82f85996fa28   6 weeks ago   125 MB
#app1: wordpress + mysql + some extra security
MySQL
docker pull mysql:latest
docker run -e MYSQL_ROOT_PASSWORD=yourpassword --name db -v /home/mysql/:/var/lib/mysql/ -d mysql

# optionally connect to configure the db
alias dockip="docker inspect --format '{{ .NetworkSettings.IPAddress }}'"
mysql -h$(dockip db) -uroot -pyourpassword
Wordpress
docker pull wordpress:latest
docker run --name my-wordpress --link db:mysql -v /home/wp/:/var/www/html/ -p 80:80 -d wordpress
benefit: isolation
● a hacker who breaks into wordpress lands in the container, not on the host (containers share the host kernel, so this is a weaker boundary than a VM; keep the host patched)
● plugins won't be able to see db files
● mysql cannot see wp config etc
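The same two-container setup with the knobs a practitioner would turn today, as an added example (not from the talk): the legacy --link is replaced by a user-defined network on which containers find each other by name, the database publishes no port at all, wordpress gets its own low-privilege database user instead of root, the site is published on loopback only, and passwords are handed over as files rather than -e variables (which `docker inspect` and /proc would otherwise reveal). The *_FILE variables are the ones the official mysql and wordpress images read; the data directory /srv/wp, the network name wpnet, the port 8080 and the secret file names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the talk: the wordpress + mysql pair of app1 with
# the (deprecated) --link replaced by a user-defined network, no published
# port on the database, a dedicated low-privilege db user for wordpress and
# passwords passed as files instead of environment variables.
# Assumptions: /srv/wp, the network name wpnet, port 8080 and the secret
# file names are made up; MYSQL_*_FILE / WORDPRESS_*_FILE are the variables
# the official mysql and wordpress images read.
DOCKER=${DOCKER:-docker}     # DOCKER=echo prints the commands (dry run)
NET=${NET:-wpnet}
DATA=${DATA:-/srv/wp}

create_net() {
    # containers on a user-defined bridge reach each other by name ("db");
    # nothing outside the network can talk to the database
    "$DOCKER" network create "$NET"
}

start_db() {
    # no -p at all: mysql listens only on $NET. The passwords live in files
    # mounted read-only, so `docker inspect db` does not reveal them.
    "$DOCKER" run -d --name db --network "$NET" \
        -v "$DATA/mysql:/var/lib/mysql" \
        -v "$DATA/secrets:/run/secrets:ro" \
        -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root \
        -e MYSQL_DATABASE=wordpress \
        -e MYSQL_USER=wp \
        -e MYSQL_PASSWORD_FILE=/run/secrets/db_wp \
        mysql
}

start_wp() {
    # wordpress only ever sees the "wp" user, never root, and the site is
    # published on loopback only (put a reverse proxy with TLS in front)
    "$DOCKER" run -d --name my-wordpress --network "$NET" \
        -p 127.0.0.1:8080:80 \
        -v "$DATA/html:/var/www/html" \
        -v "$DATA/secrets/db_wp:/run/secrets/db_wp:ro" \
        -e WORDPRESS_DB_HOST=db \
        -e WORDPRESS_DB_NAME=wordpress \
        -e WORDPRESS_DB_USER=wp \
        -e WORDPRESS_DB_PASSWORD_FILE=/run/secrets/db_wp \
        wordpress
}

db_shell() {
    # replaces the dockip alias from the slides: connect by name from a
    # throw-away client container on the same network
    "$DOCKER" run --rm -it --network "$NET" mysql mysql -hdb -uroot -p
}

# usage: sh app1.sh up   (create $DATA/secrets/db_root and db_wp first,
#                          mode 0400, one password per file)
if [ "${1:-}" = up ]; then
    create_net && start_db && start_wp
fi
```

Run it with DOCKER=echo first to see the exact docker invocations; the point of the split into two secrets is that a compromised wordpress plugin can read at most the "wp" credentials, which are limited to the wordpress database.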
#app2: jail for skype
https://binfalse.de/2016/01/04/docker-jail-for-skype/
jail that "obfuscated malicious binary blob with network capabilities"
$ docker run -d -p 127.0.0.1:55555:22 --name skype_container binfalse/skype
$ ssh -X -p 55555 [email protected]
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan  4 23:07:37 2016 from 172.17.42.1
$ skype
● note: the ssh port is published on 127.0.0.1 only, good. ssh -X, however, hands the jailed process a connection to the host's X server (Debian's ssh_config sets ForwardX11Trusted, so -X behaves like -Y); the jail isolates file system, processes and network, not the desktop
#app3: teaching
● let's assume students are asked to write a C++ program that prints "this is correct" to std::cout
● expected solution:
#include <iostream>
int main() {
    std::cout << "this is correct" << std::endl;
}
#app3: teaching
● tiny bash script to compile && execute the students' code: executer.sh
#!/bin/bash
# let's assume the submissions are always found in /job
EXECUTABLE=/job/program.out
SOURCE=/job/program.cpp

# compile it if it wasn't compiled yet
[ -x $EXECUTABLE ] || g++ -o $EXECUTABLE $SOURCE

# go for it
$EXECUTABLE
#app3: teaching
● create a Dockerfile
● create a docker image
# meta
FROM centos
MAINTAINER martin scharm

# install a c++ compiler
RUN yum install -y gcc-c++

# add the executer script
ADD executer.sh /executer.sh

# run the script as the container's entrypoint: the container behaves like a binary
ENTRYPOINT /executer.sh

$ docker build -t binfalse/tutors-little-helper .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM centos
 ---> 60e65a8e4030
...
#app3: teaching
● let's say students' submissions are in /opt/docker/student-submissions/
● check submissions using the docker image
$ find /opt/docker/student-submissions/
/opt/docker/student-submissions/1
/opt/docker/student-submissions/1/program.cpp
/opt/docker/student-submissions/2
/opt/docker/student-submissions/2/program.cpp
/opt/docker/student-submissions/3
/opt/docker/student-submissions/3/program.cpp

$ for i in /opt/docker/student-submissions/*
do
    echo "checking submission "${i/*\//}
    docker run --rm -v $i:/job binfalse/tutors-little-helper
done
checking submission 1
this is correct
checking submission 2
this is correct
checking submission 3
this is not correct

submissions 1 & 2 seem to be correct..!?
student #3 is definitely too stupid...
#app3: teaching
● but what the hell is that:
$ cat /opt/docker/student-submissions/2/program.cpp
#include <iostream>
#include <fstream>

int main() {
    // do something malicious that the tutors won't recognize
    std::ifstream src("/etc/passwd");
    std::ofstream dst("/tmp/newpasswd");
    dst << src.rdbuf()
        << "evil:x:1001:1001:Evil User,,,:/home/evil:/bin/bash" << std::endl;

    // pretend being harmless delivering correct results
    std::cout << "this is correct" << std::endl;
}
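The container does stop the program above from touching the host's /etc/passwd, but the sandbox on the slides still runs every submission as root, with network access, without any resource limit and with the submission directory mounted read-write, so a student program can write into /opt/docker/student-submissions/2 on the host, ship its own prebuilt program.out (the script skips compilation if one is executable), or simply loop forever. As an added example (not from the talk), the host-side loop below reruns each submission with the knobs a practitioner would want: read-only root filesystem and submission mount, no network, all capabilities dropped, an unprivileged uid, pids/memory/cpu limits and a wall-clock limit enforced by coreutils `timeout` inside the container (which overrides the image's ENTRYPOINT). Because /job is read-only, the compiler output has to go to a tmpfs, so the block also writes the adjusted executer.sh to ADD into the image. Assumptions: the image name and submission path are the ones from the slides; the limits and the DOCKER=echo dry-run switch are mine; --cpus needs Docker 1.13 or newer.

```shell
#!/bin/sh
# Added example, not from the talk: run untrusted student submissions with
# the isolation the plain `docker run -v $i:/job` on the slides lacks.
# Image name and submission path are the ones from the slides; the limits
# and the DOCKER=echo dry-run switch are assumptions for this example.
DOCKER=${DOCKER:-docker}
IMAGE=${IMAGE:-binfalse/tutors-little-helper}
SUBMISSIONS=${SUBMISSIONS:-/opt/docker/student-submissions}
TIME_LIMIT=${TIME_LIMIT:-10}     # seconds of wall clock per submission

# write_executer FILE: the in-container script (ADD it into the image).
# /job is mounted read-only below, so the binary must go to the tmpfs on
# /tmp, which is why that tmpfs is mounted without "noexec".
write_executer() {
    cat > "$1" <<'EOF'
#!/bin/sh
SOURCE=/job/program.cpp
EXECUTABLE=/tmp/program.out
# always compile from source: never run a program.out shipped by a student
g++ -o "$EXECUTABLE" "$SOURCE" || { echo "compile error"; exit 1; }
exec "$EXECUTABLE"
EOF
    chmod 755 "$1"
}

# check_submission DIR: run DIR/program.cpp in the sandbox; exit code 124
# (from timeout) means the wall-clock limit was hit.
check_submission() {
    "$DOCKER" run --rm \
        --network none \
        --read-only --tmpfs /tmp:rw,nosuid,size=64m \
        --cap-drop ALL --security-opt no-new-privileges \
        --user 65534:65534 \
        --pids-limit 64 --memory 256m --cpus 1 \
        -v "$1:/job:ro" \
        --entrypoint timeout "$IMAGE" "$TIME_LIMIT" /executer.sh
}

# check_all: the loop from the slides, one sandboxed run per submission dir
check_all() {
    for i in "$SUBMISSIONS"/*/; do
        i=${i%/}
        echo "checking submission ${i##*/}"
        check_submission "$i" && rc=0 || rc=$?
        if [ "$rc" -eq 124 ]; then
            echo "submission ${i##*/}: time limit exceeded"
        fi
    done
}

# usage: sh check.sh run    (DOCKER=echo sh check.sh run for a dry run)
if [ "${1:-}" = run ]; then
    check_all
fi
```

With these flags the program from submission 2 still writes its fake passwd file, but only into a 64 MB tmpfs that disappears with the container, as uid 65534, with no way to reach the network or the host directory; a fork bomb or endless loop is stopped by --pids-limit and timeout instead of by the tutor.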
From http://www.slideshare.net/jpetazzo/introduction-docker-linux-containers-lxc
http://www.slideshare.net/Alshaari/docker-saudi-hpc2016

Passive Benchmarking with docker, LXC, KVM & OpenStack, hosted @ SoftLayer
Boden Russell ([email protected]), IBM Global Technology Services, Advanced Cloud Solutions & Innovation, V2.0
Supporting statistics from http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
Cloudy Performance: Serial VM Reboot (average server reboot time, seconds): docker 2.58, KVM 124.43
Guest Performance: CPU (calculate primes up to 20000, seconds): bare metal 15.26, docker 15.22, KVM 15.13
Cloudy Performance: Steady State Packing (compute node used memory over the full test duration): docker delta 734 MB, 49 MB per VM; KVM delta 4387 MB, 292 MB per VM
Guest Performance: Network (throughput, 10^6 bits/second): docker 940.26, KVM 940.56
http://www.slideshare.net/BodenRussell/kvm-and-docker-lxc-benchmarking-with-openstack/
take home.
● smaller, more understandable apps: do one thing and do it well.
● no/weakened dependency hell
● smaller & faster deployment
● +reproducibility
● don't ignore traditional controls such as a high patch level
● docker is not enterprise virtualisation, no cloud platform, no configuration management, no deployment framework, no development environment
that’s it.
feel free to come around for discussions
on and off docker and/or a beer.
@binfalse
http://binfalse.de
[email protected]
questions? doubts? comments?
room 413, Ulmencampus, 54.086325,12.107683