Book Review: Docker Containers: Build and Deploy with Kubernetes, Flannel, Cockpit, and Atomic

April 11th, 2016

I’m slowly working my way through the list of Docker publications that I stacked my tablet with when IBM restarted its subscription to Safari Books Online. One of these was Docker Containers: Build and Deploy with Kubernetes, Flannel, Cockpit, and Atomic by Christopher Negus. The last two projects in the title are a clue to the underlying theme of the book. Cockpit and Atomic being Red Hat projects, this is really a guide to doing containers the Red Hat way. This I was expecting – they do employ the author after all. What really disappointed me was that the four technologies cited in the title occupied so little of the book’s content. Of the 18 chapters, there was one on Super Privileged Containers (an Atomic concept), one on Cockpit, two on Kubernetes, and one paragraph on Flannel. Hardly comprehensive coverage!

The first part of the book covers the basic concepts, setting up an OS and a private registry. This reminded me of one key fact that I’d forgotten: that Red Hat ships its own Docker distribution. One of the Red Hat specific features is the ability to specify multiple default registries (with Red Hat placing their own registry ahead of Docker Hub in the default search order). This is at odds with Docker’s view that the image name (including registry host) should be a unique identifier. Personally, I would side with Red Hat on this one. I suspect many customers will be using their own private registries and would prefer to be able to specify ‘myimage’ and have it resolve against the correct image in the local registry for the environment.

The bulk of the content is in the second part that covers building, running and working with individual containers. There were a few errors that crept into this section. For example, the author suggests that setting the environment variable HOST on a container somehow magically mounts the host filesystem (it’s actually used to tell Atomic where the host filesystem is mounted). He also states incorrectly more than once that removing files introduced in one layer in a subsequent layer will reduce the size of the image. In general though, it provides good coverage of working with containers. I picked up a few interesting command options that I wasn’t aware of. For example, ‘-a’ on a ‘pull’ to retrieve all of the images for a repository, the fact that you can use ‘inspect’ on images as well as containers, and a couple of commands that had previously escaped me completely: ‘rename’ and ‘wait’. There was also some useful information on the use of Docker with SELinux.
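Why deleting a file in a later layer does not shrink the image, as an added example that is not from the book or the original post: layers are modelled as in-memory tar archives and the deletion as a ‘.wh.’ whiteout entry. The file names and sizes are constructed for illustration.

```python
import io
import tarfile

WHITEOUT = ".wh."  # prefix used in image layer tarballs to mark a deleted path


def make_layer(files):
    """Build one layer as an uncompressed tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def flatten(layers):
    """Apply layers in order, honouring whiteouts, to get the container's view."""
    fs = {}
    for layer in layers:
        with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
            for member in tar.getmembers():
                directory, _, base = member.name.rpartition("/")
                if base.startswith(WHITEOUT):
                    prefix = directory + "/" if directory else ""
                    fs.pop(prefix + base[len(WHITEOUT):], None)
                else:
                    fs[member.name] = tar.extractfile(member).read()
    return fs


def image_report(layers):
    """Return (bytes shipped in all layers, bytes visible in the container)."""
    shipped = sum(len(layer) for layer in layers)
    visible = sum(len(data) for data in flatten(layers).values())
    return shipped, visible


def recover(layers, path):
    """Read a file straight out of whichever layer still carries it."""
    for layer in layers:
        with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
            if path in tar.getnames():
                return tar.extractfile(path).read()
    return None


# Constructed sample: layer 1 adds a large build artefact, layer 2 "removes" it.
LAYERS = [
    make_layer({"opt/build/cache.bin": b"x" * 1_000_000, "app/run.sh": b"#!/bin/sh\n"}),
    make_layer({"opt/build/.wh.cache.bin": b""}),
]
```

The second layer only adds a marker, so the image still ships the original bytes and anyone holding the image can read the "removed" file out of the first layer. The same applies to credentials or keys added and deleted in separate build steps.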

The third part covers Super Privileged Containers in Atomic (the way in which Atomic extends the basic capability of the OS via containerized tools) and management of Docker hosts and containers through the Cockpit browser based administration tool. The fourth part then covers the basic concepts of Kubernetes and the steps for setting up an ‘all-in-one’ environment and a cluster. These steps seem destined to be out-of-date before the ink is dried and the space would have been better spent covering the concepts in more depth and talking about usage scenarios.

The final part seems a little out of place. One chapter covers best practices for developing containers. The cynic in me suspects this may have just been an opportunity to introduce some OpenShift content. It certainly glosses over the entirety of Machine, Compose and Swarm in just a single section. Then there is a closing chapter looking at some example Dockerfiles.

All-in-all, the book offers a good introduction to the topic of Docker, particularly if you are looking to deploy on Fedora, RHEL or CentOS. Look elsewhere though if you really want to get to grips with Kubernetes.

Docker for Mac Beta

April 10th, 2016

I was excited to see Docker announce a beta for ‘native’ support for Docker on Windows and Mac where ‘native’ means that Docker appears as a native application utilising built-in virtualisation technology (Hyper-V on Windows and a project called xhyve on Mac) rather than requiring VirtualBox. Sadly this isn’t much use to me at work where I run the corporate standard Windows 7 on my laptop and Linux on my desktop. (The Register had an article indicating that, although Windows 7 is declining in the enterprise, its market share is still 45%+ so I hope Docker don’t do anything rash like ceasing to develop Docker Toolbox.) I do have a Mac at home though so I signed up for an invite.

The install went very smoothly although the promised migration of images and containers from my existing default Docker Toolbox image failed to happen. My best guess was that this was because the VM was back-level from the version of the client that the native app had installed although I’m only guessing. Docker Machine and the native app sit happily alongside one another although obviously I then needed to upgrade the VM to match the newer client version.

Needless to say, the first thing I tried to run was the websphere-liberty image. This started flawlessly and, having mapped port 9080 to 9080, I was then able to access the Liberty welcome page at docker.local:9080. So far so good.

WebSphere Liberty under Docker for Mac Beta

Having been out on vacation at the time, I went back and listened to the online meetup covering the beta. Given that we have websphere-liberty images for PPC and z/Linux, I was particularly intrigued to see that it promised the ability to run images for multiple architectures. The example given in the meetup worked like a charm:

Unfortunately trying to run anything against other images such as ppc64le/ubuntu resulted in a ‘command not found’ from Docker so I need to do some more digging to see what’s going on here.

Whilst browsing the beta forums, a common complaint was the speed of the file system mounts which has also been a problem with the VirtualBox approach. I decided to test this out by trying to use the maven image to compile our DayTrader sample. To keep things ‘fair’, my maven cache was pre-populated and, when running the image, I mounted the cache.

Natively on the host a ‘mvn compile’ takes around 12 seconds. With Docker running in a Docker Machine VM using the following command, the time was surprisingly close, typically of the order of 14 seconds.

Running the same command against the beta unfortunately took over 30 seconds. Whether that’s down to the file system driver I can’t say. It’s certainly an appreciable difference but, hey, this is a beta so there’s still plenty of hope for the future!

One tip that I picked up on the way: ‘docker-machine env’ has an ‘--unset’ option which means that, if you want to switch back to the native Docker install after using Machine, then you can use the following command:

Start of Summer Series

April 9th, 2016

Today was the start of SOC’s Summer Series of events at Fleming Park. Christine cycled down early to spectate the parkrun (her calf is currently knackered) and then the rest of us joined her.

Duncan declined to start so Emma went round the yellow with Christine in tow. She was really pleased with her second place so will hopefully be a bit more enthusiastic before the next event. I enjoyed my subsequent run round the light green although could have done without the cold showers (it was a lovely sunny day when we arrived). I was in first place when I finished although, to be fair, both Rob and Roger had done the parkrun beforehand. Most importantly, there was a great turnout. Let’s hope it continues for the rest of the series.

It’s a Hard life

April 7th, 2016

I was on child minding duty today. We had to pick up a parcel from the UPS depot in Southampton so decided to carry on to Buckler’s Hard, the maritime museum and old ship-building hamlet on the Beaulieu estuary; somewhere I haven’t previously been in my 17+ years in Southampton.

We started out in the museum which the children quite enjoyed despite (or maybe because of) missing out on the children’s quiz (the cashier was on the phone when we arrived). The contents are fairly eclectic, covering life in Buckler’s Hard over the centuries including naval ship building and the involvement of the area in preparation for Operation Overlord in WWII, Sir Francis Chichester’s circumnavigation in Gipsy Moth and the sinking of the SS Persia. We then wandered down the ‘street’ to the river where the ship-building would have once taken place. There was, unfortunately, a cold breeze blowing in off the water and we quickly repaired to the tearoom for lunch.

After lunch I attempted to persuade the children to do the woodland walk but instead we returned to the museum to let the rain pass. When I eventually succeeded in getting them to the woods it took us less than five minutes to get round!

My recommendation would be to make sure it’s a warm, sunny day if you’re planning a trip so you can enjoy the wide open spaces and the vista. The latter you can, however, get from the public footpath that runs along the foreshore so, having ticked it off the list, I’m not sure we’ll be rushing back.

Back to the Brecons

April 3rd, 2016

For the first week of the Easter holidays we returned to the same cottage that we stayed at two years ago for the JK (having decided not to go up to the JK in Yorkshire this year). It was an action packed week with walking, running, cycling, swimming, canoeing and climbing, with a fair amount of dodging showers thrown in for good measure!

Here’s a quick run down of the week:
Friday: Arrived early evening having spent rather too much of a beautifully sunny day sat on the M4!
Saturday: Managed a quick walk down to the canal before the rain arrived. Headed to Brecon to stock up on supplies.
Sunday: Made the most of all the rain by going to visit the waterfalls above the Talybont Reservoir. Made it back from our walk just as the hail descended. I managed to time my run in the evening for the return of the sunshine.
Monday: We returned to the scene of the JK relays (Pwll Du) for the Rogue Runs ‘Gilwern Grunt’ race. The children were marshalling with their grandparents which meant both Christine and I could run. The hail ceased just in time for the start. Running through the mine workings was fun although my progress on the ascents/descents was pretty poor. Christine bagged a prize for third lady. We headed to Big Pit afterwards although sadly they weren’t running underground tours that day.
Tuesday: Gerry and Sue took the children climbing at Llangorse and Christine and I headed out on our bikes. We took the Taff Trail up to the top of Talybont Forest and then had a quick walk up Craig y Fan Ddu before heading for the tea shop. It began to snow heavily whilst we were sat there which wasn’t so much of a problem as the freezing cold rain it became as we dropped altitude on our way back to the cottage.
Wednesday: The weather finally took a turn for the better and we spent a fun few hours paddling along the canal from Brecon (trying to catch the electric hire boats!).
Thursday: With a clear day forecast we finally took to the hills, climbing Pen y Fan and Cribyn via the Corn Du ridge. The snow on the way up certainly added to the excitement for the children. Most memorable for the adults was the orderly queue to take your photo at the summit of Pen y Fan!
Friday: Time to pack our bags and make our way back to Southampton via a night in Monmouth.

Docker London December

December 4th, 2015

Last night I headed up to London for the December meetup of Docker London. The evening didn’t get off to a great start as I managed to cycle over a screw on the way to the station. Despite this, and the subsequent efforts of the Jubilee Line, I did just make the start in time.

The evening kicked off with Chad Metcalf from Docker demoing Tutum. It was just a slight variant of one of the demos from DockerCon so nothing really new for me here although he did talk a little about the extensions to the Compose syntax that Tutum uses, the HIGH_AVAILABILITY strategy being something that’s obviously missing from Compose/Swarm today.

Next up was Alois Mayr, a Developer Advocate at Ruxit, who did a nice job of not explicitly pushing his company’s offering but instead talked more generally about some issues experienced by a Brazilian customer of theirs that has a large deployment of Docker running on Mesos. The underlying theme was undoubtedly that, in a large microservices based architecture, you need to have a good understanding of the relationships between your services and their dependencies in order to be able to track problems back to the root cause.

Last up was an entertaining pitch by Chris Urwin, an engineering lead at HSCIC (part of the NHS) and consultant Ed Marshall. They talked about a project to move from a Microsoft VMM (and Excel spreadsheet) based setup to one using Docker and Rancher for container management. They were undoubtedly pleased with the outcomes in terms of developer productivity and the manageability of the deployed environment, not to mention reduction in cost and complexity. Although the system is not live in production yet, it is live in an environment that they share with partners that is subject to SLAs etc. Particularly striking for me was the reduction in the amount of disk space and memory that the new solution entailed.

DockerCon Europe 2015: Day 2

November 26th, 2015

It was another early start on Day 2 of the conference. It’s not often I leave the hotel before breakfast starts, but fortunately breakfast was being served in the expo hall so I could refuel whilst on duty.

The morning’s general session focussed on the solutions part of the stack that Solomon had introduced the previous day. VP for Engineering, Marianna Tessel, introduced Project Nautilus which, as with the vulnerability scanner in IBM’s Bluemix offering, aims to identify issues with image content held in the registry. This was of interest to me as they have been scanning the official repository images for several months now, presumably including the websphere-liberty image for which I am a maintainer. There was also a demo of the enhancements to auto-builds in Docker Hub and the use of Tutum, Docker’s recent Docker hosting acquisition.

Particularly interesting was Docker’s announcement of the beta of Docker Universal Control Plane. This product offers on-premise management of local and/or cloud-based Docker deployments with enterprise features such as secret management and LDAP support for authentication. Although Docker were at pains to point out that there will still be integrations for monitoring vendors and plugins for alternative volume and network drivers, this announcement, combined with the acquisition of Tutum, puts Docker in competition with a significant portion of its ecosystem.

After lunch I went to sessions on Docker monitoring (didn’t learn much) and on Official Repos. In the latter, Krish Garimella expanded on Project Nautilus and described how the hope is that this will allow them to dramatically scale-out the number of official repositories whilst still ensuring the quality of the content. We also handed out the Raspberry Pis to our Code Rally winners. I was pleased that they all went to attendees who’d spent significant time perfecting their cars.

The closing session was also well worth staying for. Of particular note was the hack to manage unikernels using the Docker APIs. If Docker can do for unikernels what it did for containers, this is certainly a project to watch!

DockerCon Europe 2015: Day 1

November 25th, 2015

I was lucky enough to be a part of the IBM contingent attending last week’s DockerCon Europe in Barcelona. I had to earn my keep by manning the Code Rally game on the IBM booth (not to mention lugging a suitcase full of laptops to the event and porting the server-side of the game to run on IBM Containers). I did get to attend the sessions though and soak up the atmosphere.

The conference opened with a moving remembrance for those who had died in the Paris attacks the preceding week led by Docker CTO and former Parisian Hykes. He chose to play Carl Sagan reading from Pale Blue Dot which is a thought-provoking listen in its own right.

After a somewhat flat opening demo, Solomon returned to the stage to introduce the Docker stack: Standards, Infrastructure, Dev Tools and Solutions. He then went on to talk about the themes of quality, usability and security. The last of these was accompanied by a great demo of the Yubikey 4 for creating (and revoking) certificates for Docker Content Trust. This was given by Aanand Prasad acting as hapless developer, with Diogo Monica in the role of ops. In a nice touch, everyone in the audience found a Yubikey taped to the side of their seat (although perhaps less interesting for my children than the Lego Moby Dock!). There was also a tip of the hat to the work that my colleague Phil Estes has been leading in the community around user namespace support. The session concluded with a powerful demo of using Docker Swarm to provision 50,000 containers to 10,000 nodes running in AWS.

After racing back to the expo hall to cover the next break, I went to an “Introduction to the Docker Project” which covered how to get involved with contributing (I submitted my first PR the week before, if only to the docs). It finished early so I could also catch a glimpse of the inimitable Jessie Frazelle doing what she does best: running random stuff under Docker (a Tor relay this time). After lunch Jessie was on again, this time with Arnaud Porterie, to provide a round-up of the latest updates to the Docker engine.

I spent the remainder of the day watching the lightning talk sessions before heading back to the booth for Happy Hour followed by the IBM sponsored conference party at the impressive maritime museum.