00:00:11.650
hey we're about to begin it's good to see that the room is not
00:00:17.689
you know overbooked so no one's getting dragged out of it welcome to the Engine Yard sponsored talk
00:00:25.880
Deep Dive into Docker Containers for Rails Developers so that's a mouthful so
00:00:32.419
let's take a look at the title deep
00:00:37.730
dive it is me and my wife scuba diving in the Philippines we're advanced open
00:00:45.440
water certified and it's beautiful underwater and when you go deeper it's
00:00:52.130
actually even more beautiful so we're going to talk about Docker containers
00:00:57.829
who among you have used Docker before it's good it's more than half but who
00:01:06.289
among us uses a container but not Docker
00:01:11.290
okay we got one two okay so this is not an introduction to Docker talk but
00:01:18.409
we will look into Docker I'm sorry container internals basically
00:01:25.010
well what are containers made of so and then I have to be specific that
00:01:33.080
it's for Rails developers because when they announced
00:01:39.189
that RailsConf will be in Phoenix I was just thinking oh no a lot of Phoenix
00:01:44.420
jokes right so you've probably heard a lot of those jokes already right like there's Evan Phoenix one of the
00:01:50.540
organizers and you know the Phoenix framework some people have moved on to other languages or frameworks that's
00:01:57.140
fine you know but we're here you know to say that we use
00:02:02.420
Rails and a lot of people still do this is sponsored by Engine Yard where I work
00:02:08.299
and we're celebrating our 10 years this year so please join us tonight
00:02:15.499
there will be a party tonight at 7:00 p.m. so please and we also have a booth tomorrow and on
00:02:23.240
Thursday so Engine Yard is a great way to run your Rails applications where you
00:02:29.240
can easily scale from one to hundreds of servers right we have ten years of
00:02:34.250
Ruby on Rails optimizations on top of AWS and you know we have top-notch 24/7
00:02:40.820
support so but let's get into the talk these are the topics that we're going to
00:02:48.650
talk about the reasons for using containers what containers are made of and how do
00:02:53.930
you run containers in production so
00:02:59.960
there are a lot of uses for containers but here we're going to focus specifically on deploying your
00:03:07.550
Rails apps in a container I remember when I started Ruby around 2006 or a
00:03:14.420
few years after one of the most popular deployment tools back then was Capistrano
00:03:19.460
and it probably still is in some shape or form we still use that the Capistrano
00:03:27.110
way of doing things at Engine Yard we have deployed a lot of Rails applications
00:03:32.390
using Capistrano you know big customers big applications and it works and it
00:03:38.180
even still works until now but here I'm going to try to discuss why you
00:03:44.480
should you know put your Rails app in a container so with Capistrano you
00:03:49.730
SSH into a server if you're using git you're going to do a git clone or git pull
00:03:55.700
install the gems precompile your assets and maybe run migrations and it's fine
00:04:00.800
it works you know we have big apps using that approach and it works so but sometimes
00:04:06.160
when GitHub goes down then no one would be able to deploy right this is not a
00:04:12.170
knock on GitHub we use them it's a great service but when they go down a lot of
00:04:17.810
people notice right because a lot of people use them so we get a lot of tickets actually when you know it
00:04:25.010
goes down nothing wrong with the Engine Yard platform but when GitHub goes down a lot of our customers can't deploy
00:04:31.690
that's only a small small reason though why
00:04:37.500
you should use a container but let's take a look at what's involved in using a container here you will see that you
00:04:44.790
still need to install Ruby install the packages copy your code install the gems
00:04:51.180
precompile your assets it's very similar to Capistrano right so it's not a
00:04:57.060
silver bullet that would remove all these steps right you're still
00:05:04.170
doing it but now you're putting it in a container and once you have that container your server needs only to know
00:05:12.480
how to run that container right it doesn't even know what's inside it just runs that container and you
00:05:19.290
could run it with other containers it could be another Rails app if you have
00:05:24.420
another one you could run it on the same server or it could even be something like Redis or a database although you
00:05:33.240
know our DBA is here and he wouldn't like that you shouldn't run your database in a container but it is possible
00:05:39.330
all right whatever you put inside it and your host knows how to run it then it
00:05:46.050
should work then you could also have multiple servers there's no real world
00:05:52.050
analogy to this but you could duplicate a container easily you could run it on multiple servers so now when you try to
00:05:59.610
scale and you know Rails can scale right you just run a lot of different
00:06:05.610
servers and then on those servers you run your containers so containers start
00:06:11.310
faster and you'll be able to easily run
00:06:16.320
any code that you could put in a container which makes the whole process faster like your developers will
00:06:22.740
be able to release faster in staging or in production and you know
00:06:27.990
you get to focus on your business problem but what are containers there
00:06:36.300
are a few descriptions that I keep on hearing when people discuss containers
00:06:41.780
the first is the lightweight VM
00:06:46.830
and a lot of people don't like this description because technically a container is not a virtual
00:06:54.630
machine when you have a virtual machine you could have a host for
00:07:01.860
example that's running Linux and you could have a virtual machine that's a Windows box right you could
00:07:09.510
have a guest that is different from your host but with containers you
00:07:16.080
have a limit so you could only have Linux containers there are Windows containers but we're not going to
00:07:22.710
discuss them that's outside the scope of the talk so we're specifically looking at Linux
00:07:28.680
containers but I like this description that it's the lightweight VM because of what I described earlier in a
00:07:37.230
container you could put everything in it in fact you need to put Ruby you need to
00:07:42.750
put your packages like if you have MySQL client libraries you need to put
00:07:48.840
those inside your container so for me it's a good description so lightweight VM
00:07:57.110
next is chroot on steroids so chroot
00:08:02.510
if you have a directory for example you could make that your new root you
00:08:09.750
would still be using the same Linux kernel so that means it's technically
00:08:14.760
one OS but if you have different subdirectories and you change your root to that you know you could do a
00:08:21.510
lot of interesting things like let's take a look at this so here I
00:08:30.240
have a little Ubuntu server in a subdirectory let me just pause that and you
00:08:39.210
could see that the directories in that Ubuntu 17.04 directory you know they're
00:08:45.720
similar to what you can see in your Linux box right but here they're
00:08:51.360
just subdirectories and you could run chroot
00:08:58.550
you could run chroot so let's just run it again so you
00:09:04.800
have a bunch of directories you could chroot into that and now you're
00:09:10.290
inside a different OS right you think you're inside 17.04 so
00:09:17.850
I'll check whether /railsconf exists it exists on the host but not on the new
00:09:23.910
root so here I also have a CentOS 7 subdirectory and I could chroot into that
00:09:32.040
and now you would see that it's in its own you could see the version of the OS
00:09:38.339
but since it's a CentOS root I now have yum inside it so I have an Ubuntu box
00:09:46.800
but I have yum running so it all shares the same Linux kernel but you
00:09:54.000
could see that you could run whatever distro you want so here at the end I
00:10:00.060
just have another directory and you could see its version so now I
00:10:07.320
have one two I think it's the 16.04 LTS version but I've shown you other
00:10:13.339
distros that I could run but using chroot and chroot is one of the
00:10:20.010
things that the container uses you have file system isolation where
00:10:26.910
inside it you can't see anything outside of it however it's not
00:10:32.970
built for isolation so you could not see different files outside
00:10:38.579
but you know you could see other processes as I will show you later on but this is a very old
00:10:45.300
technology originally released in 1982 and it was used mainly for testing or for
00:10:52.920
building software where you don't want to use any dependencies so it's like having your pristine OS inside your
00:11:00.870
existing OS so the third description is namespaces and cgroups and it is
00:11:09.240
the meat of the topic and what containers really are are namespaces and cgroups these are kernel
00:11:16.350
features so if you've heard about namespaces and cgroups namespaces when your processes run inside a
00:11:23.010
namespace they think they're on their own system right they don't think that there's another system you know they
00:11:31.650
don't see the host they see their own system so the container you could look at it as a
00:11:37.770
different root a namespace and a cgroup right so there are tools to create
00:11:44.580
namespaces but we'll look first at higher level tools that
00:11:51.210
create namespaces and these are the things that people are familiar with
00:11:56.600
calling the container runtimes LXC for example you know it has been popular and
00:12:04.530
it has existed before Docker Docker at the beginning was using LXC to create a container so it was just a
00:12:13.020
wrapper for sure it provides a lot of different advantages but at the
00:12:18.480
beginning it was using LXC then you also have rkt systemd-nspawn but
00:12:24.480
in the end you're just creating namespaces and cgroups so none of the tools
00:12:30.860
added new features to the kernel they are using namespaces and cgroups so when
00:12:40.020
you're in a container there's an illusion to the user that you are on a
00:12:45.690
different OS as I showed you earlier you know you think the process is in
00:12:52.500
its own OS so then that is the goal for the containers right so
00:13:00.570
here we'll see the chroot again I'm using Ubuntu 17.04 and you would see that
00:13:11.190
inside it I could see all the different processes that are running I just cleared the screen very quickly but I
00:13:17.730
could grep for top I could see that process inside that root and I could
00:13:23.790
kill it right so if someone on the host was running top and I'm inside the new root and I
00:13:29.430
killed it then well I'm sorry to that person running top so what namespaces do right what namespaces
00:13:39.180
do is provide you that isolation so first let's look at the PID namespace so I'm going to
00:13:47.430
introduce a tool called unshare or a program called unshare that would
00:13:53.010
create the namespace so I'm going to combine that with chroot so I'm
00:13:59.010
going to type unshare make a new namespace a PID namespace chroot
00:14:07.170
Ubuntu 17.04 the same thing going to mount the proc file system and after I
00:14:13.500
run ps you would see that I only see the bash process and the ps
00:14:20.519
process so now inside it well it thinks it's PID number one but in fact it's
00:14:28.019
not you know process number one in the host system it's something else
00:14:33.450
so it's just mapped to something else but inside that namespace which we created using unshare it thinks it is
00:14:41.360
number one so now you've created a namespace that can't kill the
00:14:48.270
processes that are running on the host and why it's important when people run containers that were created by
00:14:55.890
someone else you don't want that container to be able to go to the host and just kill any process right so next
00:15:04.529
is the mount namespace so when you create a mount namespace you inherit all the
00:15:11.820
mount points of the server of the host but then when you make changes to it the
00:15:18.329
host won't be affected so why is that important so when you create a new container or a new namespace Docker for
00:15:26.399
example changes the mount points for /proc /sys and /dev and so the
00:15:31.740
containers won't have access to the host for example here the
00:15:38.850
container won't have access to the disk why is that important well if you have access to the disk then you could
00:15:44.700
corrupt it and everyone running that container or every container running on
00:15:50.010
that host would have a problem so you don't want your containers to be able to access certain mount points and that's
00:15:56.250
where the mount namespace would help another namespace that we'll look at is
00:16:01.830
the user namespace and this is actually relatively new and even Docker only added
00:16:11.700
this maybe a few years ago so but this
00:16:17.070
is like UID mapping wherein when you're running as a user in a
00:16:26.100
container you are actually a different user on the host so it's like UID mapping so a lot of containers run
00:16:32.010
as root inside you know you're running as the root user inside a container and
00:16:37.020
that could be a problem because when you're running as root without user namespaces
00:16:42.060
you're also running as root under the hood and you know why that's not
00:16:48.570
good right because if you have privileges on the host then you could do a lot of different things so when you
00:16:54.270
enable user namespaces you'll have root inside the containers but you won't be root outside so you won't be
00:17:02.460
root on the host next is the network namespace and inside
00:17:09.030
the container you will have your own network interfaces so it won't have any connection but what Docker does
00:17:16.920
for example is create these veth pairs and use a bridge on the host so now you have
00:17:23.189
one end in the container one end on the host and so
00:17:28.430
you'll be able to have your network connection and we will show later on
00:17:35.730
how that works and there are seven namespaces right now so we started with
00:17:41.160
mount and the latest is the cgroup namespace and this is actually more than
00:17:47.130
ten years in the making right so mount was added in kernel 2.4
00:17:54.780
and user for example that is in 3.8 and cgroup recently was added in the
00:18:00.120
4.6 kernel so there wasn't just one time
00:18:08.910
wherein okay we're releasing containers they're really namespaces and they released it incrementally so let's take a
00:18:16.860
look at how you're going to use everything how you're going to combine everything to create your own container
00:18:22.020
and run Rails inside it so we're going back to our same example you know
00:18:31.260
unshare but now I'm just showing here that you have a typical Rails app
00:18:38.610
in /usr/src/app so we're going to create namespaces using
00:18:44.700
unshare but now we're going to pass UTS IPC net PID and run chroot so
00:18:53.010
that's what we've been running this whole talk and you're going to mount the
00:18:58.800
proc and then next I'm going to add a lot of environment variables but these
00:19:03.930
are just needed by my Rails app like database URL and secret key base
00:19:09.560
I'm going to create it just so it's easier to see and now I'm going to run
00:19:16.920
bundle exec rails server to run my Rails app so I'm now inside a container
00:19:25.320
and running a Rails app right so I'm going to try to curl and see if I could
00:19:31.380
access that and you would see that it would fail because I haven't set up the
00:19:37.170
network veth pairs that I mentioned you would see here there's only one loopback interface so now I have to create
00:19:44.310
those veth pairs right so I'm on the second tab on the host and I'm going to create the veth pairs using the ip
00:19:50.730
command I just use h for the host h followed by the PID
00:19:56.310
and then c for the other end so now I have two ends I take the c one and put
00:20:06.600
it on the process ID so that's the container part then I put the h5140
00:20:12.570
on the docker bridge that is running on the host so now you would see that there are two network
00:20:18.210
interfaces right so now I'm going to bring up those interfaces so bring
00:20:25.230
up the loopback interface going to bring up the other one the pair one end of the
00:20:33.210
pair is named eth0 inside the container here I'm just going to add
00:20:40.830
an IP address of course you want to be able to connect to your container using an IP from the bridge that I just
00:20:50.009
chose randomly and I'm going to add a route to be able to have connection
00:20:56.970
routing in through the bridge and after that I would be able to curl the Rails
00:21:04.350
app inside the container but note that I'm not using localhost or 127.0.0.1
00:21:26.869
that's the default I'm using the 5.1 address and you would see that it's PID 9 inside
00:21:34.919
the container but it's a different PID on the host so this is the PID
00:21:40.139
namespace at work so next is
00:21:46.200
cgroups so cgroups are used to limit resources like you could have
00:21:52.619
you could set a limit a memory limit a CPU limit or even access to devices you
00:21:58.999
could also set a limit to the number of processes you can fork because you don't want to exhaust all the you know
00:22:06.269
the number of processes you could run and you know
00:22:12.779
cgroups were added in the 2.6 kernel so let's take a look at how
00:22:19.919
you're going to set a memory limit so at the beginning it's just
00:22:28.200
the same you know we just create the
00:22:33.539
namespaces so we're doing the same thing at the beginning creating the
00:22:39.750
mount and other namespaces and then I'm
00:22:45.210
going to mount the proc and then the environment variables that we'll need
00:22:52.669
but before running Puma we're going to use
00:23:00.720
cgroups to set up a memory limit so here
00:23:05.760
I'm using cgroups and so here I'm using
00:23:14.340
/sys/fs/cgroup/memory which is the cgroup file system it's already mounted
00:23:21.600
on my box I think it was done by systemd so unlike namespaces wherein you
00:23:27.990
used unshare as the program for creating namespaces with cgroups you actually just
00:23:33.900
interface with a file system with the cgroup file system so I create
00:23:40.080
a directory create the rails directory and you would see that you know I
00:23:47.850
just created a directory but after creating it it creates all these files for me and those are the limits that I
00:23:55.620
could use you would see memory limit there and other things so what I
00:24:03.330
need to do now is get the process ID of my container so I'll get the process ID
00:24:14.070
of bash so that's 10458 there and I'm going to put it inside
00:24:20.450
rails/tasks and tasks on
00:24:28.169
cgroups are the processes right so I'm saying process 10458
00:24:33.360
should be under the rails cgroup so there's nothing special with it I created the rails cgroup right and I'm
00:24:41.580
going to put 40 megabytes into
00:24:47.280
rails/memory.limit_in_bytes right so who
00:24:53.250
wants to guess if that's enough for a Rails application it's a very basic Rails
00:24:58.560
application so now I'm back to my container and I'm going to run Puma so
00:25:04.230
I'm going to run bundle exec rails server and it says it's killed right so
00:25:10.950
I mean with a limit of 40 megabytes the Puma process can't start so
00:25:18.690
now I'm going to increase that to 80 megabytes and let's see if it works so
00:25:24.480
this is a demo Rails app so I think this would work right so now
00:25:31.650
you could run that process and you would see here that Puma is running so that's how you
00:25:40.200
use cgroups with your Rails app so
00:25:48.540
next description and the last one and this is the most accurate description is containers are processes
00:25:56.040
so you might have guessed they're not VMs they are processes and this is you know
00:26:01.200
the correct description and if you take away nothing else from this talk it's you
00:26:09.630
know you could run a lot of processes as you know but containers make it easier to run those processes
00:26:16.470
together on the same host so let's take a look at this next video you can see
00:26:24.960
that I have a lot of Puma processes right so and then I'm just showing you
00:26:30.390
the PID I'm not sure if that's easy to read but the PID namespaces so you could check the namespaces on the
00:26:38.220
proc file system they're all different so I'm just showing you that these processes are all in different namespaces right
00:26:47.040
but they are namespaces and what's interesting is I have a lot of Puma processes running I don't even have Ruby
00:26:54.660
installed on the host right so the host doesn't need to have anything in
00:27:01.140
fact there's an OS CoreOS or I think they've renamed it to Container Linux
00:27:06.840
that even doesn't have a package manager because they want you to
00:27:12.510
run everything in containers so here I'm trying to okay run all the Puma processes
00:27:18.030
you want I think I'm using the same version so this is the same container but you could run whatever Ruby version you
00:27:25.410
want whatever app server you want you could you know mix and match Puma
00:27:30.570
Unicorn and containers make it all easier to do all that so you know
00:27:40.440
containers are processes but containers being a new root having
00:27:48.960
namespaces and cgroups they're not actually enough whenever you
00:27:54.030
create containers you have to make sure you know how to secure them so let's
00:27:59.940
talk about container security the
00:28:05.940
way security works with containers is you apply layers of them there's just no one setting that would make all your
00:28:13.170
containers secure like you have to run a number of different things to make sure they are secure for example we have AppArmor
00:28:21.480
the Linux security module or if your host doesn't support it SELinux
00:28:28.429
and it limits the actions that a given program can take so it provides a lot of
00:28:34.410
limitations on the container but
00:28:39.480
actually if you start using user namespaces some of
00:28:44.910
these restrictions from AppArmor are not needed anymore but
00:28:50.760
you know you still keep them so you just have another layer of security so next
00:28:59.760
is capabilities in the beginning there was root and non-root so if you're a regular
00:29:06.300
user you don't have access or you don't have privileges to do a
00:29:12.690
lot of things and later they introduced capabilities so a regular user would be
00:29:19.380
able to do something if it has some privileges some
00:29:25.260
capabilities but not you know but not a full-fledged root user
00:29:31.800
so containers need some capabilities but
00:29:36.960
you don't want to give them all the capabilities so that's why you also
00:29:42.180
shouldn't run your containers as root and when limiting capabilities for
00:29:49.500
some containers then you'll limit what those containers can do however how
00:29:56.220
do you know which capabilities to restrict for containers and which capabilities not to restrict in fact
00:30:03.540
when you search GitHub for example on Docker you know there's a lot of discussion on what capabilities to
00:30:12.110
allow or to deny so there's no one answer like when you
00:30:18.990
use LXC they give you some set of capabilities and when you use Docker they give you another set so it's you know
00:30:25.830
it's different and the other is seccomp
00:30:31.950
so this is a Linux kernel feature and it filters system calls and Docker
00:30:38.670
for example disables forty-four system calls out of three hundred plus like one
00:30:44.310
example of a system call it blocks is open_by_handle_at because when you use
00:30:49.860
that you could escape the container so then the you know the solution is just to disable that system call but again
00:30:57.660
which setting you know should you block or should you disable so those forty-four
00:31:03.420
system calls how did they arrive at that list it you know it comes from
00:31:09.300
years of running you know the Docker project figuring out which you know which
00:31:15.570
system calls like at the beginning if there's a vulnerability you know something some
00:31:23.400
calls will have to be disabled so the
00:31:31.590
last part is running containers in production so I've shown you you know
00:31:37.890
namespaces and cgroups so I hope I've convinced you to look at namespaces and
00:31:43.860
cgroups or containers to run your Rails app but I hope you don't go
00:31:50.100
you know from this talk you know creating namespaces and cgroups on your own like running unshare because
00:31:56.880
more likely that would be not secure
00:32:01.940
and will have a lot of bugs for example I've shown you chroot but
00:32:07.679
that's not even actually what Docker is using they're using pivot_root which is more secure than chroot because as I
00:32:14.760
said chroot wasn't meant for isolation right so you don't write your own it's
00:32:21.240
like I think it's like cryptography right you don't write your own just let the pros do it
00:32:27.770
so use a container runtime I've shown you
00:32:34.289
Docker and rkt and that's actually good if you're going to start running containers in production that's a
00:32:41.490
first step because they would create the namespaces cgroups and they would
00:32:47.610
have default security for you but then you'll also have other problems
00:32:52.770
right what if the Docker daemon dies and you know I've had to restart Docker a
00:32:59.610
lot of times and you know all your containers are gone like what do you do with that your site would be
00:33:05.669
down you know it'll be bad so you use something on top of it you know an
00:33:11.220
orchestration system and here you would have Kubernetes Mesos Docker Swarm you
00:33:19.620
could choose I like Kubernetes when you run your containers this system
00:33:25.710
would choose the host with resources right so if you have ten servers and say I want to run this Rails app
00:33:33.340
or this container with a Rails app and then Kubernetes would choose okay you run it on this one because it has
00:33:40.210
memory then when a host dies when a server reboots or you know it
00:33:46.450
becomes unreachable then all the containers that are running
00:33:51.519
on that host it's going to move them to another host so with just
00:33:57.190
Docker with just a container runtime you'd have to manage that yourself right
00:34:03.130
so that's why even Docker has Swarm because they know just running Docker on its own on one server is
00:34:10.810
not enough then Kubernetes also provides zero downtime deploy you know if you
00:34:16.450
have containers then you want to be able to create new containers with
00:36:22.270
newer versions but all of this still needs an image right which I didn't talk about
00:36:30.550
or give the technical details you still have to create that image right I
00:36:35.849
told you install Ruby install the packages copy your code install the gems
00:36:41.679
but you know how do you do that and some people they just don't want to do that of course you could automate this right
00:36:47.770
you know a lot of you are using or about half are using Docker or containers with your app so you know you could use
00:36:53.919
Dockerfiles and there's a lot of automation that you could use you could
00:36:59.740
tie them up with your CI for example and you could have an image but
00:37:06.490
what if you don't want to you know think about all this right that's like
00:37:11.589
when you're a developer you don't want to think about containers cgroups namespaces then you could actually use a
00:37:20.230
platform right there are a lot of open source projects for this these days OpenShift
00:37:25.510
where you don't need an image you just push right you run a command
00:37:30.550
like git push or the Cloud Foundry cf
00:37:37.150
push and your app will be sent to the platform and it would run containers for
00:37:43.300
you but in that case the containers are just implementation details right like
00:37:49.480
you don't care that they're running containers I just care that it works and I just care that if I push my app I
00:37:55.870
would you know see the new version and scale automatically and yeah that is
00:38:01.150
the way to go so you now know about namespaces and cgroups but you don't even have to
00:38:07.350
use them and in fact Engine Yard shameless plug Engine Yard has a platform
00:38:16.930
that does this or will have a platform that does this and there would be an announcement we have a
00:38:23.650
keynote on Thursday where you will hear more about it so we work on that
00:38:30.880
level actually we had a workshop on Kubernetes so we could actually also work at the orchestration level but you
00:38:38.110
know most people would just like to push their app and be done with it so yeah in closing deploy your Rails
00:36:48.190
app in a container looking at the technologies I mean it's mature
00:36:55.060
enough a lot of people are using containers it also has a long way
00:37:01.840
to go like databases I think you should not run your databases yet in
00:37:09.220
containers it is possible but it's still you know early and that's it