docker orchestration beyond the basics
play

Docker Orchestration: Beyond the Basics Aaron Lehmann Software - PowerPoint PPT Presentation

Apr 02, 2023 •653 likes •1.29k views

Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker About me Software engineer at Docker Maintainer on SwarmKit and Docker Engine open source projects Focusing on distributed state, task scheduling,

  1. Docker Orchestration: Beyond the Basics Aaron Lehmann Software Engineer, Docker

  2. About me • Software engineer at Docker • Maintainer on SwarmKit and Docker Engine open source projects • Focusing on distributed state, task scheduling, and rolling updates 2

  3. Swarm mode

  4. Swarm mode is Docker’s built in orchestration • Docker can orchestrate containers over multiple machines without extra software • Example: running a instances of a web service on several machines 4

  5. Getting started with swarm mode • Initialize a new swarm: mgr-1$ docker swarm init • Join an existing swarm: worker-1$ docker swarm join --token <token> 
 192.168.65.2:2377 5

  6. Swarm mode: Services • Swarm mode deals with services , not individual containers • Each service creates one or more replica tasks , which are run as containers • On manager, create a new service for a search microservice application: mgr-1$ docker service create -p 8080:8080 --name search \ --replicas 4 searchsvc:v1.0 mgr-1$ docker service ls ID NAME REPLICAS IMAGE COMMAND 2xtw9qipmbe9 search 4/4 searchsvc:v1.0 6

  7. Swarm mode: Nodes • Worker nodes just run service tasks • Manager nodes manage the swarm mgr-1$ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS drwxwi4h2fb0tcrwgmpmma2x0 * mgr-1 Ready Active Leader 1mhtdwhvsgr3c26xxbnzdc3yp mgr-2 Ready Active Reachable 516pacagkqp2xc3fk9t1dhjor mgr-3 Ready Active Reachable 9j68exjopxe7wfl6yuxml7a7j worker-1 Ready Active 03g1y59jwfg7cf99w4lt0f662 worker-2 Ready Active dxn1zf6l61qsb1josjja83ngz worker-3 Ready Active 7

  8. Swarm mode topology Manager Manager Manager Worker Worker Worker Worker Worker Worker Search Billing Search Search Search Billing service service service service service service container container container container container container 8

  9. Swarm mode topology Manager Manager Manager Worker Worker Worker Worker Worker Worker Search Billing Search Search Search Billing service service service service service service container container container container container container 9

  10. Swarm mode topology Manager Manager Manager Worker Worker Worker Worker Worker Search Billing Search Search Search Billing service service service service service service container container container container container container 10

  11. High availability

  12. High availability • Survive failures of some portion of workers and managers • If a worker fails, its assigned tasks are rescheduled elsewhere 12

  13. High availability • What about manager failures? • Managers are part of a Raft cluster that replicates the state of the swarm 13

  14. Raft • Raft is a protocol for maintaining a strongly consistent distributed log • Way to avoid a single point of failure 14

  15. Raft concepts • Quorum : A majority of managers • Leader : Randomly chosen manager that can add information to the distributed log • Election : The process of choosing a new leader 15

  16. High availability • The leader is the manager that: • Makes the scheduling decisions • Keeps track of node health • Handles API calls 16

  17. High availability • If the leader fails, another manager is elected in its place • For Raft to function, more than half the managers (a quorum ) must be reachable 17

  18. How many managers for a swarm? • A single manager is fine in some scenarios • Any swarm meant to survive a manager failure should have 3 or 5 managers • No scaling benefit to adding additional managers • Each one replicates a full copy of the swarm's state 18

  19. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 19

  20. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 20

  21. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 3 2 1 4 3 1 21

  22. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 3 2 1 4 3 1 22

  23. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 3 2 1 4 3 1 5 3 2 6 4 2 23

  24. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 3 2 1 4 3 1 5 3 2 6 4 2 24

  25. Manager fault tolerance Number of managers Majority Tolerated Failures 1 1 0 2 2 0 3 2 1 4 3 1 5 3 2 6 4 2 7 4 3 8 5 3 9 5 4 25

  26. Where to deploy the managers • Managers must have static IP addresses • Managers should have very reliable connectivity to each other • Swarms that span a big geographic area aren't recommended • Looking at federation as an eventual solution for multi- region • Spreading managers across a cloud provider's "availability zones" in one region may make sense 26

  27. Advertised IP addresses • All managers must be reachable by all other managers • Managers need to know their own IP addresses so they can tell other managers how to reach them • The address is autodetected if there is only one network device, or in the process of joining an existing swarm 27

  28. Advertised IP addresses • If the address can't be autodetected, provide 
 --advertise-addr when running 
 docker swarm init • Many swarm instability issues are actually caused by managers not being able to communicate 28

  29. What to do if quorum is lost • Suppose two out of three managers fail • The swarm won't be able to schedule tasks or perform administrative functions • You will see timeouts from commands like 
 docker node ls if this happens 29

  30. What to do if quorum is lost • What if these managers are gone forever? • docker swarm init --force-new-cluster on the surviving manager recovers from this state • This modifies the swarm so that it only has a single manager • From that point, new managers can be added 30

  31. Protecting managers from accidental overloading • By default, managers will be assigned tasks just like workers • This makes sense on a laptop-scale deployment • Best practice for serious deployments: avoid running container workloads on managers 31

  32. Protecting managers from accidental overloading • Drain the managers to prevent them from running service tasks: mgr-1$ docker node update --availability=drain <manager id> • Alternatively, set the node.role == worker constraint on all services 32

  33. Rolling updates • Important to avoid downtime during updates • docker service update is a rolling update by default • Parameters: • Update delay ( --update-delay ) • Update failure action: pause or continue 
 ( --update-failure-action ) • Parallelism ( --update-parallelism ) 33

  34. Rolling updates { Prepare Health Update Prepare Start new new checks delay new Stop old Stop old parallelism Update Prepare Start Health Update Prepare new new checks delay new Stop old Stop old Time 34

  35. Security

  36. Security model • All swarm connections are encrypted and authenticated with mutual TLS • Each node is identified by its certificate (CN = node ID) • The certificate authorizes the node to act as either a worker or manager (OU = swarm-manager or OU = swarm-worker ) • By default, each manager operates as a certificate authority with the same CA key 36

  37. Security around adding nodes • How does a new node authenticate itself before having a certificate? • It presents a join token which is provided to 
 docker swarm join 37

  38. Security around adding nodes • The join token contains a secret that authorizes the new node to receive either a worker or manager certificate • It also contains a digest of the root CA certificate, for protection against man-in-the-middle attacks • The node does not use or store the join token after joining 38

  39. Node joining example: adding a new worker • On a manager, retrieve the join token: mgr-1$ docker swarm join-token worker To add a worker to this swarm, run the following command: docker swarm join \ 
 --token SWMTKN-1-5f7umqonkff6je2l1kqpxdsok3bwipn73hlr5dxtvx4lusy809 -5yn6jy5zqqq3tnummvq365y7m \ 
 172.17.0.2:2377 39

  40. Node joining example: adding a new worker • Run the command on the new worker: worker-1$ docker swarm join --token \ SWMTKN-1-5f7umqonkff6je2l1kqpxdsok3bwipn73hlr5dxtvx4lusy809 -5yn6jy5zqqq3tnummvq365y7m \ 
 172.17.0.2:2377 This node joined a swarm as a worker. 40

  41. Node joining flow Join token, certificate request Signed certificate Joining node Manager Node registration Task assignments = TLS with no client certificate = Mutually authenticated TLS 41

  42. Rotating join tokens • The join tokens remain valid until they are rotated • It is good practice to periodically rotate them • docker swarm join-token --rotate worker generates a new worker token to replace the old one • docker swarm join-token --rotate manager generates a new manager token to replace the old one 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The age of orchestration From Docker basics to cluster management NICOLA PAOLUCCI DEVELOPER

The age of orchestration From Docker basics to cluster management NICOLA PAOLUCCI DEVELOPER

The age of orchestration From Docker basics to cluster management NICOLA PAOLUCCI DEVELOPER INSTIGATOR ATLASSIAN @DURDN Three minute Docker intro? Time me and ring a bell if I am over it. Just kidding Ill be over by a bit

504 views • 38 slides
Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike

Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer &amp; Victor Vieux Docker Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer Orchestration in Docker Orchestration

599 views • 39 slides
CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I?

CONTAINER ORCHESTRATION WITH SWARM MODE, MESOS/MARATHON AND KUBERNETES ADRIAN MOUAT WHO AM I? Chief Scientist at Container Solutions Wrote &quot;Using Docker&quot; for O'Reilly 40% discount with code AUTHD Docker Captain @adrianmouat WHAT

1.4k views • 59 slides
Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y

Setup docker rm $(docker ps -aq) docker network rm my_net Demo - Install and activate yum -y install docker s ystemctl start docker systemctl enable docker docker images - Launch pre-canned container: hello-world (busybox is another good

480 views • 4 slides
docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer /

docker service is the new docker run Getting Started with Docker Clustering Mike Goelzer / mgoelzer@docker.com / @mgoelzer Docker Inc. docker service is the new docker run docker run nginx 2013-14 docker run -p 3375:2375 swarm ; 2014-15

688 views • 34 slides
DOING BIG DATA FOR REAL WITH DOCKER MESOSPHERE DCOS Elizabeth Lingg elizabeth@mesosphere.io

DOING BIG DATA FOR REAL WITH DOCKER MESOSPHERE DCOS Elizabeth Lingg elizabeth@mesosphere.io

DOING BIG DATA FOR REAL WITH DOCKER MESOSPHERE DCOS Elizabeth Lingg elizabeth@mesosphere.io AGENDA 1. Intro 2. Mesosphere, Docker, and DCOS Overview 3. Big Data Container Orchestration using DCOS and Docker 4. Demo 5. Q &amp; A INTRO

535 views • 30 slides
INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both

INTRODUCTION TO DOCKER ADRIAN MOUAT SO WHAT IS DOCKER? SIMILAR TO A LIGHTWEIGHT VM Both provide isolated environments Docker is much more efficient 64-bit Linux only (currently) CONTAINERIZATION A Docker container is a portable store for a

674 views • 29 slides
Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses

Docker Provider The Docker provider is used to interact with Docker containers and images. It uses the Docker API to manage the lifecycle of Docker containers. Because the Docker provider uses the Docker API, it is immediately compatible not only

553 views • 34 slides
Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing

Eric Holm Skyler Manzanares Yuxin (Kelly) Wang http://gerardable.com/wp-content/uploads/2014/12/docker-whale-home-logo.png Docker: Testing the Waters LA-UR 15-25901 1 LA-UR 15-25901 Docker: Theres No Containing this Whale! Free,

997 views • 28 slides
Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker

Docker Review Basic Commands docker image ls # list images currently present locally docker container ls # list running containers docker run &lt;image_name&gt; # run an image as a container docker exec &lt;container&gt; &lt;command&gt; # run a

1.1k views • 6 slides
AI Driven Orchestration, Challenges &amp; Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.)

AI Driven Orchestration, Challenges &amp; Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.)

AI Driven Orchestration, Challenges &amp; Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.) TELUS Communication Agenda Service Orchestration Journey Service Orchestration Operational Challenges Closed Loop Orchestration and Dynamic

222 views • 19 slides
Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno

Docker in the EGI Docker in the EGI Federated Cloud Federated Cloud Carlos Gimeno cgimeno@bifi.es Instituto de Biocomputacin y Fsica de Sistemas Complejos info@bifi.es http://bifi.es 0. Index Introduction What is Docker? A

401 views • 14 slides
Deploying to the cloud with golden images, Heat and Docker Steve Baker / sbaker@redhat.com

Deploying to the cloud with golden images, Heat and Docker Steve Baker / sbaker@redhat.com

Deploying to the cloud with golden images, Heat and Docker Steve Baker / sbaker@redhat.com @stevebake / Declarative vs Procedural Orchestration Procedural/Imperative describes a list of instructions to execute Declarative describes the

687 views • 27 slides
Docker for fun and profit Solomon Hykes* about Docker: &quot;It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: &quot;It uses Linux containers and the

Docker for fun and profit Solomon Hykes* about Docker: &quot;It uses Linux containers and the Internet won't shut up about it.&quot; (LinuxCon 2014 keynote) *Founder of dotcloud and creator of the Docker project What are Linux containers or

206 views • 19 slides
Smart Space Orchestration Orchestration The Internet of Things Cyber-Physical Systems Pervasive

Smart Space Orchestration Orchestration The Internet of Things Cyber-Physical Systems Pervasive

System Smart Space Orchestration Orchestration The Internet of Things Cyber-Physical Systems Pervasive Computing 2pace Marc-Oliver Pahl Distributed Smart ds2os.org/ System Overview Orchestration Part I: Flavours of Computing 2pace

380 views • 20 slides
A distributed architecture to support infomobility services Claudia Canali Riccardo Lancellotti

A distributed architecture to support infomobility services Claudia Canali Riccardo Lancellotti

A distributed architecture to support infomobility services Claudia Canali Riccardo Lancellotti University of Modena and Reggio Emilia Motivation Web 2.0 Web 1.0 Dynamic Web-based Static Web pages services Information

409 views • 24 slides
The Dictionary ADT The dictionary ADT models a searchable collection findElement(k): if the

The Dictionary ADT The dictionary ADT models a searchable collection findElement(k): if the

Dictionary ADT methods: The Dictionary ADT The dictionary ADT models a searchable collection findElement(k): if the dictionary has an item with key k, of key-element items returns its element, else, returns the special element The main

594 views • 10 slides
( , , , ) 7 5 = , =

( , , , ) 7 5 = , =

2 2 0 , , 1 9 1 9 6 5 6 10 8 5 1 7 9 4 4 2 9 1 9 6 = , 8 6 10 = , 5 +1 , ,

662 views • 43 slides
Relativistic Red-Black Trees Philip Howard 4/28/2010 pwh@cecs.pdx.edu 4/27/2010 1 Red-Black

Relativistic Red-Black Trees Philip Howard 4/28/2010 pwh@cecs.pdx.edu 4/27/2010 1 Red-Black

Relativistic Red-Black Trees Philip Howard 4/28/2010 pwh@cecs.pdx.edu 4/27/2010 1 Red-Black Trees Root Property : The root is black External Property : Every external node is black Internal Property : The children of red nodes

734 views • 38 slides
3137 Data Structures and Algorithms in C++ Lecture 4 July 17 2006 Shlomo Hershkop 1

3137 Data Structures and Algorithms in C++ Lecture 4 July 17 2006 Shlomo Hershkop 1

3137 Data Structures and Algorithms in C++ Lecture 4 July 17 2006 Shlomo Hershkop 1 Announcements please make sure to keep up with the course, it is sometimes fast paced for extra office hours, please drop us an email etc make

560 views • 23 slides
Data Structures Balanced Binary Search Tree Virendra Singh Associate Professor Computer

Data Structures Balanced Binary Search Tree Virendra Singh Associate Professor Computer

Data Structures Balanced Binary Search Tree Virendra Singh Associate Professor Computer Architecture and Dependable Systems Lab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

911 views • 48 slides
Combinatorial Aspects of Key Distribution for Sensor Networks Douglas R. Stinson David R.

Combinatorial Aspects of Key Distribution for Sensor Networks Douglas R. Stinson David R.

Combinatorial Aspects of Key Distribution for Sensor Networks Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo CanaDAM 2013 Monday, June 10, 2013 This talk is based on joint work with Kevin Henry,

300 views • 26 slides
Grammar-Based Graph Compression Fabian Peternek October 25, 2016 Use of Grammar-Based

Grammar-Based Graph Compression Fabian Peternek October 25, 2016 Use of Grammar-Based

Grammar-Based Graph Compression Fabian Peternek October 25, 2016 Use of Grammar-Based Compression: Speed-up Algorithms Some queries can be answered in polynomial time on a grammar, e.g., Strings ( O ( n 2 log n ) , see also [Lohrey, 2012])

1.14k views • 99 slides

More recommend