
Understanding Docker

If you have never had to support other people's applications, or even your own once they grew too large to fit in one head, then relax, sit back and take what follows as an instructive tale with contrived problems, a funny storyline and an obvious happy end. Otherwise, if you have real combat experience, welcome to hell, but with IDDQD and IDKFA.


For your information! In this article we look at the phenomenon of docker containers itself, rather than compiling a list of the microservices that nest inside them. That we will do in the next installment, in the name of justice!


UPDATE: I had to replace “docker” with “docker”, otherwise the article doesn't show up in search. I apologize in advance for all the “dockers” in the text. C'est la vie.


What do we have today



Surprisingly, the root of all these problems is a single thing: bringing up a server is expensive, and so is tearing it down. The time spent on artistic weaving of configs can be expensive, or the hardware simply takes a long time to start, or the servers need to be backed up cleverly and then restored, or it is all simple and fast but works only on some uniquely expensive platform from which you cannot escape.


Of course, this introduction is Captain Obvious material. And that is exactly its point: to show that these problems are already so trivial that even a simple enumeration of them is painful in places.


If we imagine that a cold start of the application on a new machine takes a minute, and all the data is safe, then it immediately becomes easier to breathe, and there is time to write useful code instead of fussing with the server.


If your ears understand English, please first listen to the enthusiastic Introduction to docker from its founder.


Back to basics


As often happens, at some point the state of a system becomes unmanageable and demands new technology. In programming, though, it often goes the other way: you need to remember old technology. So it is with docker; nothing new happened: they took the principles of functional programming (others see OOP) and microkernels, applied them to the infrastructure layer (servers, networks and so on) and got stateless, immutable, isolated microservices. All of docker's charms grow from this. As you know, the functional world is not as simple as Rich Hickey would like. To use the wisdom of your ancestors every day, you need good tools. Docker is exactly such a tool.


Here are the basic ways a docker container (not a microservice, see above) differs from a plain server.


Stateless


The configuration of a container cannot and should not change after launch. All preparatory work is done at the stage of building the image or starting the container: configs, ports, shared folders, environment variables, all of this must be known by the time the container starts. Of course, docker lets the process running inside the container do whatever it pleases with its memory and file system, but touching something that could have been settled before launch is considered bad form.


Pure


The container knows nothing about the host system and cannot interfere with other containers: it can neither get into someone else's file system, nor send a signal to someone else's process, nor even knock on a random port. That is what makes it a container. Docker itself lets containers communicate, but only in strictly declared ways. You can also run containers endowed with some kind of superpower, for example access to a real network or a physical device.


Lazy


When launched, the container does not copy the file system of the image it was created from. The container just creates an empty file system on top of the image. In docker this is called a layer. Images are arranged the same way: an image consists of a list of (geological) layers stacked on top of each other. Hence the high speed at which a new container starts: less than a second.
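As an added illustration of the layer model (not code from the original article or from docker itself), here is a small Python model of an image as a stack of read-only layers with one writable layer on top. The `.wh.<name>` whiteout convention is borrowed from docker's aufs storage driver; the `Layer`, `Image` and `Container` classes and the sample three-layer image are assumptions made for this example. Besides showing why start-up copies nothing, it demonstrates a consequence worth knowing: a file deleted in a later layer is only hidden, and still sits in the lower layer of the image.

```python
"""Toy model of docker's layered, copy-on-write file system (added example).

An image is an ordered list of read-only layers; a container adds one empty
writable layer on top.  Nothing is copied at start: a read falls through to the
highest layer that has the path, a write lands in the top layer, and a delete is
recorded as a "whiteout" marker in the top layer.  The ".wh.<name>" marker
convention is borrowed from docker's aufs storage driver; the rest is an
assumption made for illustration, not docker's real code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WHITEOUT_PREFIX = ".wh."


def whiteout_for(path: str) -> str:
    """Whiteout marker for `path`: 'app/secret.key' -> 'app/.wh.secret.key'."""
    head, _, name = path.rpartition("/")
    return f"{head}/{WHITEOUT_PREFIX}{name}" if head else WHITEOUT_PREFIX + name


@dataclass
class Layer:
    name: str
    files: Dict[str, bytes] = field(default_factory=dict)


def lookup(stack: List[Layer], path: str) -> Optional[bytes]:
    """Resolve `path` through `stack` (top-most layer first).

    A whiteout in a higher layer hides the file in every layer below it, just
    as a later `RUN rm` hides a file baked in by an earlier Dockerfile step.
    """
    marker = whiteout_for(path)
    for layer in stack:
        if marker in layer.files:
            return None
        if path in layer.files:
            return layer.files[path]
    return None


@dataclass
class Image:
    layers: List[Layer]  # bottom layer first; read-only once built

    def read(self, path: str) -> Optional[bytes]:
        return lookup(list(reversed(self.layers)), path)

    def layers_containing(self, path: str) -> List[str]:
        """Names of the layers that physically hold `path`, whiteouts ignored."""
        return [layer.name for layer in self.layers if path in layer.files]


@dataclass
class Container:
    image: Image
    upper: Layer = field(default_factory=lambda: Layer("container-rw"))

    def read(self, path: str) -> Optional[bytes]:
        return lookup([self.upper] + list(reversed(self.image.layers)), path)

    def write(self, path: str, data: bytes) -> None:
        """Copy-on-write: only the container's own layer ever changes."""
        self.upper.files.pop(whiteout_for(path), None)  # undo an earlier delete
        self.upper.files[path] = data

    def delete(self, path: str) -> None:
        self.upper.files.pop(path, None)
        self.upper.files[whiteout_for(path)] = b""


def build_sample_image() -> Image:
    """Constructed three-layer image, as three Dockerfile steps would produce."""
    base = Layer("base", {"etc/os-release": b"ID=ubuntu\n",
                          "app/config.yml": b"debug: true\n"})
    add = Layer("add-app", {"app/config.yml": b"debug: false\n",
                            "app/secret.key": b"SAMPLE-KEY-NOT-REAL"})
    cleanup = Layer("rm-secret", {whiteout_for("app/secret.key"): b""})
    return Image([base, add, cleanup])


def demo() -> dict:
    image = build_sample_image()
    c = Container(image)
    before = c.read("app/config.yml")             # top-most copy wins
    c.write("app/config.yml", b"debug: true\n")   # lands in the rw layer only
    c.delete("etc/os-release")                    # whiteout in the rw layer only
    return {
        "config_from_image": before,
        "config_in_container": c.read("app/config.yml"),
        "config_in_image_after_write": image.read("app/config.yml"),
        "os_release_in_container": c.read("etc/os-release"),
        "os_release_in_image": image.read("etc/os-release"),
        "secret_visible_in_image": image.read("app/secret.key"),
        "secret_physically_in_layers": image.layers_containing("app/secret.key"),
        "bytes_copied_at_container_start": len(Container(image).upper.files),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `secret_physically_in_layers` result is the point defenders care about: the `rm-secret` layer makes `app/secret.key` invisible to a running container, but the bytes remain in the `add-app` layer and ship with the image.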


Declarative


All container properties are stored in declarative form. The stages of building an image are also described as strictly separated steps. Network settings, file system contents, memory size, published ports and so on and so forth are set in the Dockerfile or by static flags at startup. All of this fits on a couple of text screens and is easy to read, even for a very complex system.


Functional


A container does only one thing, but does it well. It is assumed that only one process (possibly with its children) will live in the container, performing only one function in the application. Because the container has no kernel of its own, no boot partition, no init process and, more often than not, only one user (a pseudo-root), that is, no full-fledged operating system at all, the container starts as fast as your service would start if the operating system were already fully loaded. This narrow specialization makes the function implemented by the container predictable and scalable. Since there is only one process, overflowing logs, swapping and the like cannot come from anywhere but outside.


Strict


By default, docker denies the container everything except network access (which can also be denied). However, when it is more logical to break a rule, any of them can be broken. Interestingly, allowing access is as easy as denying it. Connecting and disconnecting containers gets easier and simpler with each docker version, and the networking that spans data centers is especially pleasing.
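To make the stateless, declarative and strict properties concrete, here is an added Python example (not from the article or from docker itself) that keeps a container's whole description in one structure, renders it into a `docker run` command built from real flags, and audits it against a deny-by-default baseline before anything is launched. The `ContainerSpec` format, the `audit` rules and the two sample specs (one hardened, one careless) are assumptions made for this example; the placeholder digest is not a real image.

```python
"""A declarative container description turned into `docker run`, with a
deny-by-default policy check run before anything starts (added example).

Everything docker needs to know about a container is known before launch, so
it fits in one small structure.  `to_docker_run` renders that structure as a
command line and `audit` checks it against a strict baseline.  The flags used
are real `docker run` options; the spec format, the audit rules and the sample
specs are assumptions made for this example, not docker's own tooling.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DOCKER_SOCKET = "/var/run/docker.sock"


@dataclass
class ContainerSpec:
    name: str
    image: str                                   # "name@sha256:..." pins the exact image
    env: Dict[str, str] = field(default_factory=dict)
    ports: List[Tuple[str, int, int]] = field(default_factory=list)    # (host_ip, host_port, container_port)
    volumes: List[Tuple[str, str, str]] = field(default_factory=list)  # (host_path, container_path, "ro"|"rw")
    network: str = "bridge"
    user: str = "65534:65534"                    # unprivileged uid:gid (nobody)
    cap_add: List[str] = field(default_factory=list)
    read_only: bool = True                       # root fs read-only; state lives in volumes
    memory: str = "256m"
    pids_limit: int = 128
    privileged: bool = False


def to_docker_run(spec: ContainerSpec) -> List[str]:
    """Render the spec as argv: restrictions first, the image last."""
    cmd = ["docker", "run", "--detach", "--name", spec.name, "--user", spec.user,
           "--cap-drop=ALL", "--security-opt=no-new-privileges",
           f"--network={spec.network}", f"--memory={spec.memory}",
           f"--pids-limit={spec.pids_limit}"]
    if spec.read_only:
        cmd.append("--read-only")
    if spec.privileged:
        cmd.append("--privileged")
    for cap in spec.cap_add:                     # capabilities explicitly re-granted
        cmd += ["--cap-add", cap]
    for key, value in sorted(spec.env.items()):
        cmd += ["-e", f"{key}={value}"]
    for host_ip, host_port, container_port in spec.ports:
        cmd += ["-p", f"{host_ip}:{host_port}:{container_port}"]
    for host_path, container_path, mode in spec.volumes:
        cmd += ["-v", f"{host_path}:{container_path}:{mode}"]
    cmd.append(spec.image)
    return cmd


def audit(spec: ContainerSpec) -> List[str]:
    """Findings for anything that pokes a hole in the container's isolation."""
    findings = []
    if spec.privileged:
        findings.append("privileged: all capabilities and host devices are exposed")
    if spec.network == "host":
        findings.append("host network: container shares the host's interfaces and ports")
    if spec.user in ("root", "0", "0:0"):
        findings.append("runs as root inside the container")
    if "@sha256:" not in spec.image:
        findings.append("image is not pinned by digest, so the deployment is not reproducible")
    if not spec.read_only:
        findings.append("writable root file system: state can accumulate inside the container")
    for cap in spec.cap_add:
        if cap.upper() in ("ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"):
            findings.append(f"capability {cap}: broad control over the kernel or host network")
    for host_path, container_path, mode in spec.volumes:
        if host_path == DOCKER_SOCKET:
            findings.append("docker socket mounted: full control of the host's docker daemon")
        elif host_path in ("/", "/etc", "/root") and mode != "ro":
            findings.append(f"host path {host_path} mounted read-write")
    return findings


def sample_specs() -> Tuple[ContainerSpec, ContainerSpec]:
    """Two constructed specs: a hardened web service and a careless tooling box."""
    hardened = ContainerSpec(
        name="web",
        image="registry.example/web@sha256:" + "0" * 64,   # placeholder digest, not real
        env={"APP_ENV": "production", "PORT": "8080"},
        ports=[("127.0.0.1", 8080, 8080)],
        volumes=[("/srv/web/data", "/data", "rw")],
    )
    careless = ContainerSpec(
        name="tools",
        image="ubuntu",
        user="root",
        read_only=False,
        privileged=True,
        volumes=[(DOCKER_SOCKET, DOCKER_SOCKET, "rw")],
    )
    return hardened, careless


if __name__ == "__main__":
    for spec in sample_specs():
        print(" ".join(to_docker_run(spec)))
        for finding in audit(spec) or ["no findings"]:
            print("  -", finding)
```

Because the spec is the single source of truth, the same structure can be rendered, diffed in version control and audited; the audit runs on the declaration, not on a live container, which is exactly what the declarative property buys you.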


What docker is not


Docker is often confused with Vagrant or OpenVZ, or even VirtualBox. Docker is just a user-space daemon written in Go that skillfully juggles already existing Linux kernel technologies. I think this is worth explaining in more detail, since I myself began to get acquainted with the topic with the query “docker vs. vagrant”.


Non-vagrant


Vagrant is dedicated to managing virtual machines (or, closer to the topic of hosting, virtual servers). Just like docker, Vagrant has a whole library of virtual machine images, and like docker it can fetch, download and upload, configure and run them. But again, Vagrant manages full-fledged heavy virtual machines running in, for example, VirtualBox, VMWare, DigitalOcean, AWS, and wherever else it can start them. A gorgeous thing, this Vagrant, if you need a full-fledged virtual machine with state inside.


Non virtual machine


, docker (), KVM/Qemu, VirtualBox/VMWare/Parallels, XEN, etc. Docker- ( docker) ( ) . , , , . OpenVZ Linux Containers , , .


docker?


Docker :


  1. docker daemon — docker'. - , , , ( 0.8 ). , , docker-client.


  2. docker docker- HTTP. . , docker' , . docker : tar.gz docker-daemon, . - .


  3. Docker Hub . docker run ruby docker . , .

docker


, docker'. , ( , , SSH Git ?).


Chef / Puppet / Ansible


— stateful . Dockerfile. docker , , , . . docker' Chef stateless , docker, -, FreeBSD 4.11.


Upstart / SystemD / Supervisor / launchd / God.rb / SysVinit,


, . docker daemon, init- , , , , , , «».


Ubuntu_14.04.iso / AMI-W7FIS1T / apt-get update


, docker , , DVD- ( Dell ), , . , , Docker Hub. apt-get update — .


RUBY_ENV, database.dev.yml, testing vs. staging vs. backup


docker -- , , . , , , . — docker-compose up . docker' 1.10 SHA256 .


Xcode, brew, port install, ./configure && make && sudo make install, mysql --version


, , , . , , … Docker , , . .


SSH (sic!), VPN, Capistrano, Jenkins-slave


root , . docker' , , . docker run docker TLS . : docker exec -it %containername% bash . rsync docker' : rsync -e 'docker exec -i' --blocking-io -rv CONTAINER_NAME:/data ., --blocking-io.


Git (!!!)


Git ? ! Docker Git, . git push ( Github’) docker push. , docker-compose up. . , zero-downtime , . , MAINTENANCE.HTML . , , ( ) , .


Datacenter lock-in


, . , — . , , , .


bundler, rvm, dotenv, /opt


— docker . — bundle exec.


*.log, *.pid


, docker. (kudos ➞ Fesor) . .


useradd www


, - - , . , . , ( , , ) .


chroot, CGroups, LXC


Docker libcontainer, runC, libnetwork. LXC, docker. , docker'.


docker'


Dockerfile


, Dockerfile Chef-, . : — . — . , API , . . , . .



docker , copy-on-write . readonly , , , readonly, . , .



Fesor:


, … … .

, . , , « ».


docker-daemon — HTTP-


, , Single Actor , nginx. docker Go, , docker'.


docker in docker


. , , docker'. :


# Share the host daemon's UNIX socket with the container: anything inside the
# container can then drive the host's docker daemon, which is equivalent to
# root on the host, so only do this for trusted tooling containers.
# The second mount reuses the host's docker client binary inside the container.
docker run -v /var/run/docker.sock:/var/run/docker.sock \
       -v $(which docker):/bin/docker \
       -ti ubuntu

docker-in-docker, .


VXLAN


docker' . , . docker' , . , , . docker VXLAN, docker' IP . . , , . NAS , .


?


, docker , docker-in-docker-in-docker. , , docker , .


Swarm? Machine! Compose!!!


docker', docker', : Machine, Compose Swarm. — .



. , , .


VasilioRuzanni:


Phusion baseimage-docker ?

, :


  1. Ubuntu .


    docker' init dpkg. , . OpenVZ , , .


  2. init — .


    , . fork-, 10 - docker' SSH: can't fork. docker', docker ps , docker kill .


    , , - , - . , , . , ? by design, , , , tini.


  3. Syslog?


    docker , STDOUT STDERR, syslog . Docker , . , , -, , -, .


  4. Cron?


    ? ? 2016 ? , - , , , docker . .


  5. SSH?


    , docker SSH. , , . scp.


  6. , docker !


    , !


  7. docker' OpenVZ.


    .



powerman:


…

.


-, , , « », , , , . — .


-, « », - , . docker' — - — .


, , : hardened gcc ( PIE SSP) shellshock - « », 100500 ?


. . . , docker', , . , CQRS . , .


grossws:


vxlan, , — . . . --link , . , --link, ? , , tinc (p2p vpn), .

--link, , . , , .


@:


Docker , « ». , « ».

« » . , , , .


Scf:


, , (, ), , - , …
, , , , , json-, .

, . , , . , , ;)


Fesor:


… (shared memory )

Shared memory . , docker', ( inode ), . docker' : mmap volume' .


, docker , .


JPEG:


, : --theirs. :)

, , . , , . , .


')

Source: https://habr.com/ru/post/277699/

