
  • Docker on OpenStack

    August 2014

    Author: Nitin Agarwal nitinagarwal3006@gmail.com

    Supervisor(s): Belmiro Moreira

    CERN openlab Summer Student Report 2014

    Project Specification

    CERN is establishing a large-scale private cloud based on OpenStack as part of the expansion of the computing infrastructure for storing the data coming out of the Large Hadron Collider (LHC) experiments. The data coming out of the detectors that needs to be stored in the data center is increasing continuously, so we need more physical resources (more money), and virtual machines take a lot of CPU and memory overhead and minutes for creating images, booting up and snapshotting. The solution is to use Docker containers. Docker is an open platform to build, ship and run distributed applications. Docker, being a container-based virtualisation framework, makes use of LXC. Docker containers are lightweight and fast, and Docker makes use of a union file system, which makes it unique. Docker comes with the Docker Index/Hub, where you can store and share Docker images. This project involves understanding Docker and Docker containers in detail, deploying a private Docker Registry, and integrating Docker with OpenStack to enable the Nova compute service to use the Docker API as compute driver instead of the libvirt API.

    Abstract

    At CERN, with the ever-increasing amount of data coming out of the detectors that needs to be stored in the data center, new ways are sought to help analyze and store this data as well as help researchers perform their own experiments. To help offer solutions to such problems, CERN has employed the use of cloud computing and in particular OpenStack, an open source and scalable platform for building public and private clouds. OpenStack is used to view, create, and manage resources in a cloud and automate the tasks. Compute nodes form the resource core of the OpenStack Compute cloud, providing the processing, memory, network and storage resources to run instances. As the data is increasing continuously, around 50 PB/sec, and about 5 PB/day of data needs to be stored, CERN is looking for new ways to utilise the hardware resources of the data center more efficiently. In this project we outline and document the integration of Docker with the Nova compute service of OpenStack (Devstack, Packstack) and the deployment of a private Docker Registry at CERN for pushing and pulling Docker images. To allow the Nova compute service to use the Docker API as compute driver instead of the libvirt driver, and to allow Nova to boot Docker images, we need to store the Docker images in Glance, which acts as an independent Docker registry after configuration. In this report, we describe Docker, its basics and the importance of Docker containers in comparison to virtual machines, the steps for deploying and configuring the private Docker Registry at CERN, and the steps for configuring Nova to use the Docker driver in Devstack on an Ubuntu cloud image and in Packstack on RHEL 7.

    Table of Contents

    1. Introduction
    2. OpenStack
        2.1. Overview
        2.2. Installing and Running OpenStack
        2.3. Working with Nova CLI
        2.4. Working with Glance CLI
    3. Docker
        3.1. Overview
        3.2. Basics of the Docker System
        3.3. Advantages of using Docker
        3.4. How are Docker Containers lightweight
        3.5. Docker Containers vs VMs
        3.6. Installing Docker on RHEL 7
    4. Docker Containers and Images
        4.1. Running Docker Containers
        4.2. Working with Docker Images
        4.3. Unique Advantages of Docker over other container technologies
    5. Docker Registry
        5.1. Overview
        5.2. Deploying your own private Docker Registry
        5.3. Pushing and Pulling Images from Registry
    6. Docker on OpenStack
        6.1. Overview
        6.2. Nova Docker Architecture
        6.3. Configuring OpenStack to enable Docker
            6.3.1. Installing Docker for OpenStack
            6.3.2. Nova Configuration
            6.3.3. Glance Configuration
        6.4. Deployment with Devstack
        6.5. Uploading Docker Images to Glance
        6.6. Booting Instances using Nova
    7. Docker on Packstack
        7.1. Overview
        7.2. Installing Packstack on RHEL 7
        7.3. Configuring Packstack to enable Docker
            7.3.1. Installing Docker for Packstack
            7.3.2. Nova Configuration
            7.3.3. Glance Configuration
        7.4. Uploading Docker Images to Glance
        7.5. Booting Instances using Nova
    8. Containers on Google Cloud Platform
        8.1. Overview
        8.2. Container VMs
        8.3. Kubernetes
    9. Conclusion
    10. Bibliography

    1 Introduction

    Let's consider the deployment of a relatively simple application, Wordpress. A typical Wordpress installation requires Apache2, PHP5, MySQL, the Wordpress source code, a MySQL database with Wordpress configured to use this database, an Apache configuration to load the PHP module and enable support for URL rewriting and .htaccess files, and a DocumentRoot pointing to the Wordpress sources. While deploying and running a system like this on our server, we may run into problems and challenges, namely isolation, security, upgrades and downgrades, snapshotting and backing up, reproducibility, constraining resources, ease of installation and ease of removal. At CERN, we have around 50 PB/sec of data coming out of the detectors and about 5 PB/day to be stored in the servers deployed at the data center. We make use of OpenStack to view, create, and manage resources in a cloud and automate the tasks. Compute nodes form the resource core of the OpenStack Compute cloud, providing the processing, memory, network and storage resources to run instances. When we decide to run each individual application on a separate virtual machine, most of our problems go away, but we come across other issues:

    Money: can we actually afford booting up an instance for every application we need? Also, can we predict the instance size we will need? If we need more resources later, we need to stop the VM to upgrade it, or overpay for resources we don't end up using.

    Time: many operations related to virtual machines are typically slow. Booting takes minutes, snapshotting takes minutes too, and creating an image takes minutes. The world keeps turning and we don't have that much time!

    So using Docker, a container-based virtualisation framework and an open platform to build, ship and run distributed applications, is the solution. Docker containers are lightweight and fast. Booting up a VM is a big deal, as it takes a few minutes to get started and a significant amount of memory, whereas booting up a Docker container is fast and uses very little CPU and memory overhead, almost comparable to starting a regular process. Not only is running a container fast, building an image and snapshotting the file system is fast as well. Docker containers are portable to any operating system that runs Docker, whether it's Ubuntu or CentOS.

    Isolation: Docker isolates applications at the file system and networking level. It feels a lot like running "real" virtual machines in that sense.

    Reproducibility: We can build the system just the way we like (either by logging in and installing all software with apt-get, or by using a Dockerfile), then commit the changes to an image. We can now instantiate as many instances of it as we want, or transfer the image to another machine to reproduce exactly the same setup.

    Security: Docker containers are more secure than regular process isolation. Link: http://blog.docker.com/2013/08/containers-docker-how-secure-are-they/

    Constrain resources: Docker currently supports limiting CPU usage to a certain share of CPU cycles; memory usage can also be limited. Restricting disk usage is not directly supported as of yet.

    Ease of installation: Docker has Docker Hub/Registry, a repository with off-the-shelf Docker images we can instantiate with a single command.

    Ease of removal: If we don't need an application anymore, we just destroy the container.

    Upgrades, downgrades: Boot up the new version of an application first, then switch over the load balancer from the old port to the new one.

    Snapshotting, backing up: Docker supports committing and tagging of images, which incidentally, unlike snapshotting a VM, is instant.

    2 OpenStack

    OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a data center.

    2.1 Overview

    The OpenStack project contains various components that individually provide compute, storage, networking and the dashboard, but together create a functioning cloud operating system (OS).

    The components of OpenStack are:

    Compute (Nova): the Infrastructure as a Service (IaaS) system providing virtual machines to hosts with nova-compute installed.

    Identity Service (Keystone): provides the authentication and authorization for all OpenStack components.

    Image Service (Glance): an image repository for all virtual disk images. Glance can also be configured to store these images on a remote cluster, such as Ceph.

    Dashboard (Horizon): the user interface to easily control most aspects of the OpenStack components. As an alternative, the OpenStack API can be used.

    Networking (Neutron): provides networking as a service by allowing users to create their own networks and interfaces as well as manage IPs.

    Object Storage (Swift): a highly available and distributed object/blob store.

    Block Storage (Cinder): provides block storage as a service.

    2.2 Installing and Running OpenStack

    We have installed Devstack on the Ubuntu 14.04 image in a dedicated VM. DevStack is a set of scripts and utilities to quickly deploy an OpenStack cloud. Clone the GitHub repository of devstack by executing the command:

    >>> git clone https://github.com/openstack-dev/devstack

    To start a dev cloud, run the following NOT AS ROOT (see DevStack Execution Environment below for more on user accounts):

    >>> ./stack.sh

    When the script finishes executing, you should be able to access OpenStack endpoints, like so:

    Horizon: http://myhost/
    Keystone: http://myhost:5000/v2.0/

    We also provide an environment file that you can use to interact with your cloud via CLI:

    # source the openrc file to load your environment with OpenStack CLI creds
    >>> . openrc
    OR
    >>> source openrc
    # list instances
    >>> nova list

    2.3 Working with Nova CLI

    Nova is a computing project for OpenStack. The list of all the commands that can be executed with nova can be seen here: http://docs.openstack.org/user-guide/content/novaclient_commands.html. Some of the most common nova client commands to get familiar with when working on Docker with OpenStack are mentioned below:

    nova boot: Boot a new server.
    nova delete: Immediately shut down and delete specified server(s).
    nova flavor-list: Print a list of available 'flavors' (sizes of servers).
    nova image-create: Create a new image by taking a snapshot of a running server.
    nova image-delete: Delete specified image(s).
    nova image-list: Print a list of available images to boot from.
    nova list: List active servers.
    nova service-list: Show a list of all running services. Filter by host & binary.
    nova show: Show details about the given server.

    2.4 Working with Glance CLI

    Glance is the image service for OpenStack. It serves as an image repository for all virtual disk images. The list of all the commands that can be executed with glance can be seen here: http://docs.openstack.org/user-guide/content/glanceclient_commands.html. Some of the most common glance client commands to get familiar with when working on Docker with OpenStack are mentioned below:

    glance image-list: List images you can access.
    glance image-show: Describe a specific image.
    glance image-create: Create a new image.
    glance image-delete: Delete specified image(s).

    3 Docker

    3.1 Overview

    Docker is an open platform to build, ship and run distributed applications. Docker consists of:

    Docker Engine, a lightweight and powerful open source container virtualization technology combined with a workflow for building and containerizing your applications.

    Docker Hub/Registry, a SaaS service for sharing and managing your application stacks and automating workflows.

    Docker lets you quickly assemble applications from components and eliminates the friction that can come when shipping code. As a result, IT can ship faster and run the same app, unchanged, on laptops, data center VMs and on any cloud infrastructure. Docker lets you get your code tested and deployed into production as fast as possible. The next wave of virtualization, and one that has the potential to displace hypervisor-based virtualization on Linux platforms, is upon us now with Docker, the software container and application packaging system.

    3.2 Basics of the Docker System

    Docker makes packaging all of the parts of an application (the tools, configuration files, libraries, and more) into a much simpler task. It's a bit like a virtual machine, conceptually, allowing for the segmentation of a single powerful machine to be shared with many applications with their own individual specific configuration requirements, and without allowing those applications to interfere with one another. Except unlike a virtual machine, applications run natively on the underlying Linux kernel, and each is just very carefully segmented from one another and from the underlying operating system. Docker currently uses Linux Containers, which run in the same operating system as the host and provide system-level virtualisation. This allows it to share a lot of the host operating system resources. It uses aufs as the file system. Docker uses Linux cgroups and namespaces to isolate processes from each other so they appear to run on their own system.

    Docker consists of three parts: the Docker Daemon, Docker Images, and the Docker Repositories, which together make Linux Containers easy and fun to use. The Docker Daemon runs as root and orchestrates all running containers. Just as virtual machines are based on images, Docker containers are based on Docker images. These images are tiny compared to virtual machine images and are stackable.

    AuFS is a layered file system, so you can have a read-only part and a write part, and merge those together. So you could have the common parts of the operating system as read-only, which are shared amongst all of your containers, and then give each container its own mount for writing.

    Namespaces: Docker uses namespaces to provide the isolated workspace for containers. When we run a container, Docker creates a set of namespaces for that container. This provides a layer of isolation: each aspect of a container runs in its own namespace and does not have access outside it. Some of the namespaces that Docker uses are:

    The pid namespace: Used for process isolation (PID: Process ID).
    The net namespace: Used for managing network interfaces (NET: Networking).
    The ipc namespace: Used for managing access to IPC resources (IPC: InterProcess Communication).
    The mnt namespace: Used for managing mount points (MNT: Mount).
    The uts namespace: Used for isolating kernel and version identifiers (UTS: Unix Timesharing System).

    Control groups: Docker also makes use of another technology called cgroups or control groups. A key to running applications in isolation is to have them only use the resources you want. This ensures containers are good multi-tenant citizens on a host. Control groups allow Docker to share available hardware resources to containers and, if required, set up limits and constraints, for example limiting the memory available to a specific container.

    Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker uses union file systems to provide the building blocks for containers. Docker can make use of several union file system variants including AUFS, btrfs, vfs, and DeviceMapper.

    Container Format: Docker combines these components into a wrapper we call a container format. The default container format is called libcontainer. Docker also supports traditional Linux containers using LXC.

    So let's say you have a container image that is 1 GB in size. If you wanted to use a full VM, you would need to have 1 GB times the number of VMs you want. With LXC and AuFS you can share the bulk of the 1 GB, and if you have 1000 containers you still might only have a little over 1 GB of space for the containers' OS, assuming they are all running the same OS image.
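The namespace isolation described above can be checked from the host by comparing the namespace identifiers that Linux exposes under /proc/<pid>/ns. The following is an added example, not part of the original report; the function names are hypothetical and the sample identifiers are constructed.

```python
import os

# The five namespace kinds listed in the text above.
NAMESPACES = ("pid", "net", "ipc", "mnt", "uts")


def read_namespaces(pid, proc_root="/proc"):
    """Return {kind: identifier} for one process, read from /proc/<pid>/ns/.

    Each entry is a symlink whose target looks like 'net:[4026531956]'.
    Two processes are in the same namespace exactly when the targets match.
    """
    found = {}
    for kind in NAMESPACES:
        try:
            found[kind] = os.readlink(os.path.join(proc_root, str(pid), "ns", kind))
        except OSError:
            found[kind] = None  # no such process, no permission, or not Linux
    return found


def compare_namespaces(host, container):
    """Classify every namespace kind as 'isolated', 'shared' or 'unknown'."""
    report = {}
    for kind in NAMESPACES:
        h, c = host.get(kind), container.get(kind)
        if h is None or c is None:
            report[kind] = "unknown"      # could not be read: do not assume isolation
        elif h == c:
            report[kind] = "shared"       # container process sees the host's namespace
        else:
            report[kind] = "isolated"
    return report


def shared_with_host(report):
    """Namespace kinds in which the container is NOT separated from the host."""
    return sorted(kind for kind, state in report.items() if state == "shared")


# Constructed sample data: a host init process and a container process that
# was started sharing the host's network namespace; its uts entry was unreadable.
SAMPLE_HOST = {
    "pid": "pid:[4026531836]", "net": "net:[4026531956]",
    "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]",
    "uts": "uts:[4026531838]",
}
SAMPLE_CONTAINER = {
    "pid": "pid:[4026532201]", "net": "net:[4026531956]",
    "ipc": "ipc:[4026532200]", "mnt": "mnt:[4026532198]",
    "uts": None,
}

if __name__ == "__main__":
    # Constructed sample first, then the live comparison of PID 1 and this process.
    print(compare_namespaces(SAMPLE_HOST, SAMPLE_CONTAINER))
    live = compare_namespaces(read_namespaces(1), read_namespaces(os.getpid()))
    print(live, "shared with PID 1:", shared_with_host(live))
```

Reading /proc/1/ns usually requires root; an unreadable entry is reported as "unknown" rather than counted as isolated.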

    A full virtualized system gets its own set of resources allocated to it, and does minimal sharing. You get more isolation, but it is much heavier (requires more resources). With LXC you get less isolation, but containers are more lightweight and require fewer resources. So you could easily run thousands on a host, and it doesn't even blink. Try doing that with Xen or KVM, and unless you have a really big host, I don't think it is possible. A full virtualized system usually takes minutes to start; LXC containers take seconds, and sometimes even less than a second.

    3.3 Advantages of using Docker

    Docker allows faster delivery of your applications. Docker containers are lightweight and fast. Containers have sub-second launch times, which helps in reducing the cycle time of development, testing and deployment.

    Docker containers run almost everywhere. You can deploy containers on desktops, physical servers, virtual machines, into data centers, and up to public and private clouds. You can easily move an application from a testing environment into the cloud and back whenever you need.

    Docker's lightweight containers also make scaling up and down fast and easy. You can quickly launch more containers when needed and then shut them down easily when they're no longer needed.

    Docker containers don't need a hypervisor, so you can pack more of them onto your hosts to get higher density and run more workloads. This means you get more value out of every server and can potentially reduce what you spend on equipment and licenses.

    As Docker speeds up your workflow, it is easy for sysadmins to make lots of small changes instead of huge, big-bang updates. Smaller changes mean reduced risk and more uptime.

    3.4 How are Docker Containers lightweight?

    In VMs, every app, every copy of the app and every slight modification of the app requires a new virtual server, whereas in containers:

    Original App: No OS to take up space, resources or require restart.
    Copy of the App: No OS, can share binaries/libraries.
    Modified App: Union file system allows us to only save the diffs among the containers.

    Containers are isolated, but share the OS and, where appropriate, bins/libraries.

    3.5 Docker Containers vs VMs

    If you want full isolation with guaranteed resources, a full VM is the way to go, whereas if you just want to isolate processes from each other and want to run a ton of them on a reasonably sized host, then LXC is the way to go. Deploying a consistent production environment is easier, as even if you use tools like chef and puppet, there are always OS updates and other things that change between hosts and environments. What Docker does is give you the ability to snapshot the OS into a common image, and it makes it easy to deploy on other Docker hosts.

    This is great for unit testing. Let's say you have 1000 tests and they need to connect to a database, and in order to not break anything you need to run them serially so that the tests don't step on each other (run each test in a transaction and roll back). With Docker you could create an image of your database, and then run all the tests in parallel, since you know they will all be running against the same snapshot of the database. Since they are running in parallel and in LXC containers, they could all run on the same box at the same time, and your tests will finish much faster. Docker allows you to bundle artifacts and configurations in an image. These images run as lightweight system-level virtual machines.

    3.6 Installing Docker on RHEL 7

    Firstly, you need to put the repos file in the /etc/yum.repos.d/ directory after creating the new file named rhel7.repo. The repos file is available at http://linux.web.cern.ch/linux/rhel/rhel7/rhel7.repo. Then update the repos file by running the command:

    >>> sudo yum update all

    Please note that all the docker commands are executed as root user. You can now install docker using the below command:

    >>> sudo yum install docker

    The default version of docker, v0.11.1-dev, gets installed. You need to start the docker service by running the below command as root user:

    >>> systemctl start docker.service

    Then you can also check the status of the docker service by running the command:

    >>> systemctl status docker.service

    You can also stop or restart the docker service. You can also check the version of docker installed by running the command:

    >>> sudo docker -v

    4 Docker Containers and Images

    4.1 Running Docker Containers

    Docker containers are similar to a directory. A Docker container holds everything that is needed for an application to run. Each container is created from a Docker image. Docker containers can be run, started, stopped, moved, and deleted. Each container is an isolated and secure application platform. Docker containers are the run component of Docker.

    A container consists of an operating system, user-added files, and metadata. Each container is built from an image, and that image tells Docker what the container holds, what process to run when the container is launched, and a variety of other configuration data. The Docker image is read-only. When Docker runs a container from an image, it adds a read-write layer on top of the image (using a union file system) in which your application can then run.

    The Docker daemon is the persistent process that manages containers. Docker uses the same binary for both the daemon and the client. To run the daemon you provide the -d flag.

    >>> sudo docker -d

    By using either the docker binary or the API, the Docker client tells the Docker daemon to run a container.

    >>> docker run -i -t ubuntu /bin/bash

    The Docker client is launched using the docker binary with the run option telling it to launch a new container. The bare minimum the Docker client needs to tell the Docker daemon to run the container is:

    What Docker image to build the container from, here ubuntu, a base Ubuntu image.
    The command you want to run inside the container when it is launched, here /bin/bash, to start the Bash shell inside the new container.

    In more detail, Docker does the following:

    Pulls the ubuntu image: Docker checks for the presence of the ubuntu image and, if it doesn't exist locally on the host, Docker downloads it from the Docker Hub. If the image already exists, Docker uses it for the new container.

    Creates a new container: Once Docker has the image, it uses it to create a container.

    Allocates a file system and mounts a read-write layer: The container is created in the file system and a read-write layer is added to the image.

    Allocates a network/bridge interface: Creates a network interface that allows the Docker container to talk to the local host.

    Sets up an IP address: Finds and attaches an available IP address from a pool.

    Executes a process that you specify: Runs the application.

    Captures and provides application output: Connects and logs standard input, outputs and errors for you to see how your application is running.

    We now have a running container. From here, we can manage the container, interact with the application and then, when finished, stop and delete the container.

    The various commands available with the Docker client are:

    docker ps: Lists containers.

    docker logs: Shows us the standard output of a container.

    docker stop: Stops running containers.

    docker build: Build Docker images from a Dockerfile and a context.

    docker commit: Commit an existing container.

    docker cp: Copy files/folders from a container's file system to the host path. Paths are relative to the root of the file system.

    docker diff: List the changed files and directories in a container's file system.

    To view all the commands that can be run using the docker client, execute the command:

    >>> sudo docker

    4.2 Working with Docker Images

    A Docker image is a read-only template. For example, an image could contain an Ubuntu operating system with Apache and your web application installed. Images are used to create Docker containers. Docker provides a simple way to build new images or update existing images, or you can download Docker images that other people have already created. Docker images are the build component of Docker.

    Docker images are read-only templates from which Docker containers are launched. Each image consists of a series of layers. Docker makes use of union file systems to combine these layers into a single image. Union file systems allow files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system.

    One of the reasons Docker is so lightweight is because of these layers. When you change a Docker image, for example to update an application to a new version, a new layer gets built. Thus, rather than replacing the whole image or entirely rebuilding, as you may do with a virtual machine, only that layer is added or updated. Now you don't need to distribute a whole new image, just the update, making distributing Docker images faster and simpler.

    Every image starts from a base image, for example ubuntu, a base Ubuntu image, or fedora, a base Fedora image. You can also use images of your own as the basis for a new image; for example, if you have a base Apache image you could use this as the base of all your web application images. Docker images are then built from these base images using a simple, descriptive set of steps we call instructions. Each instruction creates a new layer in our image. Instructions include actions like:

    Run a command.
    Add a file or directory.
    Create an environment variable.
    What process to run when launching a container from this image.

    These instructions are stored in a file called a Dockerfile. Docker reads this Dockerfile when you request a build of an image, executes the instructions, and returns a final image. To list all the images on the host, execute the command:

    >>> sudo docker images

    Here, we can see three crucial pieces of information about our images in the listing:

    What repository they came from.
    The tags for each image.
    The image ID of each image.

    Docker will automatically download any image we use that isn't already present on the Docker host, but this can potentially add some time to the launch of a container. If we want to preload an image, we can download it using the docker pull command. Let's say we'd like to download the centos image.

    >>> sudo docker pull centos

    We can also search for images on the command line using the docker search command. For example, we can find all the images that contain the term ubuntu:

    >>> sudo docker search ubuntu

    4.3 Unique Advantages of Docker over other container technologies

    Docker takes advantage of container and file system technologies at a high level, in ways which are not generic enough to be managed by libvirt.

    Process-level API: Docker can collect the standard outputs and inputs of the process running in each container for logging or direct interaction. It allows blocking on a container until it exits, setting its environment, and other process-oriented primitives which don't fit well in libvirt's abstraction.

    Advanced change control at the file system level: Every change made on the file system is managed through a set of layers which can be snapshotted, rolled back, diffed, etc.

    Image portability: The state of any Docker container can be optionally committed as an image and shared through a central image Registry. Docker images are designed to be portable across infrastructures, so they are a great building block for hybrid cloud scenarios.

    Build facility: Docker can automate the assembly of a container from an application's source code. This gives developers an easy way to deploy payloads to an OpenStack cluster as part of their development workflow.

    5 Docker Registry

    5.1 Overview

    A Docker Registry is a SaaS service for sharing and managing your application stacks. It allows you to push Docker images for storage and sharing, and pull the images whenever needed. In general, a repository is a collection of images which are hosted in a registry. When you use the public Docker.io repository, also known as Docker Index, your repository is /. At CenterDevice, private Docker registries allow Docker images to be shared safely within an organization. One can maintain all the backend services as well as the app images in a private registry. In this way, a developer only needs to pull changed images to update his development environment.

    Docker registries hold images. These are public or private stores from which you upload or download images. The public Docker registry is called Docker Hub. It provides a huge collection of existing images for your use. These can be images you create yourself, or you can use images that others have previously created. Once you build a Docker image, you can push it to the public registry, Docker Hub, or to your own deployed private registry. Using the Docker client, you can search for already published images and then pull them down to your Docker host to build containers from them. Docker Hub provides both public and private storage for images. Public storage is searchable and can be downloaded by anyone. Private storage is excluded from search results, and only you and your users can pull down images and use them to build containers.

    5.2 Deploying your own private Docker Registry

    To deploy the private Docker image repository, also termed the Docker registry, you need to follow the steps below in order.

    1. Install git and wget on RHEL 7 by running the commands:

    >>> sudo yum install git
    >>> sudo yum install wget

    2. Install the required dependencies by running the command:

    >>> sudo yum install python-devel libevent-devel python-pip gcc xz-devel

    Note: python-pip does not get installed, while the other packages are installed successfully.

    3. To install python-pip, first install the EPEL repositories by running the below commands:

    >>> cd /tmp
    >>> wget http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
    >>> ls *.rpm
    >>> sudo yum install epel-release-7-0.2.noarch.rpm

    4. Now you can install python-pip by running the command:

    >>> sudo yum install python-pip

    5. There exist two ways to install docker-registry.

    Install docker-registry from the GitHub repository by running the commands (assuming we are in the /var directory while cloning the docker-registry code from GitHub):

    >>> sudo git clone https://github.com/dotcloud/docker-registry
    >>> cd docker-registry
    >>> pip install .

    OR

    Install docker-registry directly by running the command:

    >>> sudo python-pip install docker-registry

    The package which gets installed is https://pypi.python.org/pypi/docker-registry/0.7.0

    6. The Docker Registry comes with a sample configuration file, config_sample.yml. Copy this to config.yml to provide a basic configuration.

    If you have installed docker-registry using the first method, run the below commands:

    >>> cd /var/docker-registry
    >>> cp config/config_sample.yml config/config.yml

    Else run the below commands:

    >>> cd /usr/lib/python2.7/site-packages/
    >>> cp config/config_sample.yml config/config.yml

    7. Make a directory where you wish to store your images and repositories for the docker registry. Here, I'm making a directory named docker_registry in the /var directory:

    >>> cd /var
    >>> mkdir docker_registry

    8. Docker Registry can run in several flavors. This enables you to run it in development mode, production mode or your own predefined mode. In the config_sample.yml file, you'll see several sample flavors:

    common: used by all other flavors as base settings
    local: stores data on the local file system
    s3: stores data in an AWS S3 bucket
    dev: basic configuration using the local flavor
    test: used by unit tests
    prod: production configuration (basically a synonym for the s3 flavor)
    gcs: stores data in Google cloud storage
    swift: stores data in OpenStack Swift
    glance: stores data in OpenStack Glance, with a fallback to local storage
    glance-swift: stores data in OpenStack Glance, with a fallback to Swift
    elliptics: stores data in Elliptics key/value storage

    You can define your own flavors by adding a new top-level yaml key. You can specify which flavor to run by setting SETTINGS_FLAVOR in your environment:

    >>> export SETTINGS_FLAVOR=dev

    The default flavor is dev.

    NOTE: The configuration flavour used is local, to store data on the file system. You need to specify the storage type and storage path under the dev configuration flavour in the config.yml file.

    storage: local
    storage_path: /var/docker_registry


    Example configuration

    common:
        loglevel: info
        search_backend: "_env:SEARCH_BACKEND:"
        sqlalchemy_index_database:
            "_env:SQLALCHEMY_INDEX_DATABASE:sqlite:////tmp/docker-registry.db"

    prod:
        loglevel: warn
        storage: s3
        s3_access_key: _env:AWS_S3_ACCESS_KEY
        s3_secret_key: _env:AWS_S3_SECRET_KEY
        s3_bucket: _env:AWS_S3_BUCKET
        boto_bucket: _env:AWS_S3_BUCKET
        storage_path: /srv/docker
        smtp_host: localhost
        from_addr: docker@meSPAMNOT.com
        to_addr: contact@meSPAMNOT.com

    dev:
        loglevel: debug
        storage: local
        storage_path: /var/docker_registry

    test:
        storage: local
        storage_path: /tmp/tmpdockertmp

    9. Specify the config file to be used by setting DOCKER_REGISTRY_CONFIG in your environment:

    >>> export DOCKER_REGISTRY_CONFIG=config.yml

    The default location of the config file is config.yml, located in the config subdirectory. If DOCKER_REGISTRY_CONFIG is a relative path, that path is expanded relative to the config subdirectory.

    10. You can run the docker registry by running the command:

    >>> gunicorn --access-logfile - --debug -k gevent -b 0.0.0.0:5000 -w 1 docker_registry.wsgi:application

    The recommended setting to run the Registry in a prod environment is gunicorn behind a nginx server which supports chunked transfer-encoding (nginx >= 1.3.9).


    Gunicorn is a Python WSGI HTTP Server for UNIX. It's a pre-fork worker model ported from Ruby's Unicorn project. It is broadly compatible with various web frameworks, simply implemented, light on server resources, and fairly speedy.

    5.3 Pushing and Pulling Images from Registry

    To push an image to the docker registry, first you need to tag the image and then push to the docker registry:

    >>> sudo docker tag hostname.cern.ch:5000/slc6
    >>> sudo docker push hostname.cern.ch:5000/slc6

    The image gets pushed to your docker registry. You can pull the image from the docker registry by running the command:

    >>> sudo docker pull hostname.cern.ch:5000/slc6

    6 Docker on OpenStack

    6.1 Overview

    The Docker driver is a hypervisor driver for OpenStack Nova Compute. Docker is an open source engine which automates the deployment of applications as highly portable, self-sufficient containers which are independent of hardware, language, framework, packaging system and hosting provider. Docker provides management of Linux containers with a high-level API providing a lightweight solution that runs processes in isolation. It provides a way to automate software deployment in a secure and repeatable environment. A Docker container includes a software component along with all of its dependencies - binaries, libraries, configuration files, scripts, virtualenvs, jars, gems, tarballs, etc. Docker can be run on any x64 Linux kernel supporting cgroups and aufs.

    Docker is a way of managing multiple containers on a single machine. However, using it behind Nova makes it much more powerful, since it's then possible to manage several hosts, which in turn manage hundreds of containers. The current Docker project aims for full OpenStack compatibility. Containers don't aim to be a replacement for VMs; they are complementary in the sense that they are better for specific use cases.


    6.2 Nova-Docker Architecture

    The Nova driver embeds a tiny HTTP client which talks with the Docker internal REST API through a unix socket. It uses the HTTP API to control containers and fetch information about them. The driver will fetch images from the OpenStack Image Service (Glance) and load them into the Docker filesystem. Images may be placed in Glance by exporting them from Docker using the 'docker save' command.


    Docker registry is an image proxy.
    Users can upload through docker registry or to glance directly.
    Docker pulls images through the docker registry proxy.
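The transport described in section 6.2 can be tried out in a few lines. The following added example (not nova-docker's own client code) sends GET /version to the daemon over its unix socket and compares the reported API version with the 1.13 that section 7.3.2 says the driver is pinned to. The socket path, the function names and the rule that a daemon reporting 1.13 or newer is acceptable are assumptions, and the two response bodies are constructed samples.

```python
import http.client
import json
import socket

# Section 7.3.2 of the report: nova-docker is pinned to Docker API 1.13.
REQUIRED_API = "1.13"


class UnixHTTPConnection(http.client.HTTPConnection):
    """Plain HTTP carried over a unix domain socket instead of TCP."""

    def __init__(self, socket_path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        sock.connect(self.socket_path)
        self.sock = sock


def fetch_version(socket_path="/var/run/docker.sock"):
    """Return the JSON body of GET /version (path is an assumed default)."""
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError("daemon answered HTTP %d" % resp.status)
        return body
    finally:
        conn.close()


def version_tuple(text):
    """'1.13' -> (1, 13). Numeric, so 1.9 sorts below 1.13."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % (text,))
    return tuple(int(p) for p in parts)


def driver_can_talk(version_body, required=REQUIRED_API):
    """Return (ok, reported) for a /version body.

    Assumption: a daemon reporting `required` or newer serves that version.
    """
    info = json.loads(version_body)
    reported = info.get("ApiVersion")
    if not reported:
        return False, None
    return version_tuple(reported) >= version_tuple(required), reported


# Constructed /version bodies modelled on the two hosts in section 7.3.2.
STOCK_RHEL7 = b'{"ApiVersion": "1.12", "Version": "0.11.1-dev"}'
UPGRADED = b'{"ApiVersion": "1.13", "Version": "1.1.2"}'

if __name__ == "__main__":
    for label, body in (("stock", STOCK_RHEL7), ("upgraded", UPGRADED)):
        ok, api = driver_can_talk(body)
        print("%-9s API %s -> %s" % (label, api, "ok" if ok else "too old"))
    # On a compute node: driver_can_talk(fetch_version())
```

Run as the nova user, a PermissionError from fetch_version() means the docker group membership has not taken effect yet.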

    6.3 Configuring OpenStack to enable Docker

    6.3.1 Installing Docker for OpenStack

    In order for Nova to communicate with Docker over its local socket, add nova to the docker group and restart the compute service to pick up the change:

    >>> usermod -aG docker nova
    >>> service openstack-nova-compute restart

    You will also need to install the nova-docker driver by executing the commands:

    >>> git clone https://git.openstack.org/stackforge/nova-docker
    >>> cd nova-docker
    >>> python setup.py install


    6.3.2 Nova Configuration

    Nova needs to be configured to use the Docker virt driver. Edit the configuration file /etc/nova/nova.conf according to the following options:

    [DEFAULT]
    compute_driver = novadocker.virt.docker.DockerDriver

    Restart the Nova compute service to pick up the change:

    >>> systemctl restart openstack-nova-compute.service

    You can check the status of the nova compute service by executing the command:

    >>> systemctl status openstack-nova-compute.service

    6.3.3 Glance Configuration

    Glance needs to be configured to support the docker container format. It's important to leave the default ones in order to not break an existing glance install. Edit the glance-api.conf file located in /etc/glance and restart the glance-api service to pick up the change.

    >>> vi /etc/glance/glance-api.conf

    container_formats = ami,ari,aki,bare,ovf,docker

    >>> systemctl restart openstack-glance-api.service

    You can check the status of the glance-api service by executing the command:

    >>> systemctl status openstack-glance-api.service

    6.4 Deployment with Devstack

    Using Docker hypervisor through DevStack replaces all manual configuration needed above. To install the nova-docker on Devstack, run the following commands:

    >>> git clone https://git.openstack.org/stackforge/nova-docker /opt/stack/nova-docker
    >>> git clone https://git.openstack.org/openstack-dev/devstack /opt/stack/devstack

    Note: only needed until we can make use of configure_nova_hypervisor_rootwrap

    >>> git clone https://git.openstack.org/openstack/nova /opt/stack/nova

    >>> cd /opt/stack/nova-docker
    >>> ./contrib/devstack/prepare_devstack.sh

    Now, run devstack by running the commands:

    >>> cd /opt/stack/devstack
    >>> ./stack.sh

    6.5 Uploading Docker Images to Glance

    Images can now be saved directly to Glance:

    >>> docker pull ubuntu
    >>> docker save ubuntu | glance image-create --container-format=docker --disk-format=raw --name ubuntu

    The name of the image in Glance should be explicitly set to the same name as the image as it is known to Docker. In the example above, an image has been tagged in Docker as 'ubuntu'. Matching this is the '--name ubuntu' argument to glance image-create. If these names do not align, the image will not be bootable.

    NOTES:

    Earlier releases of this driver required the deployment of a private docker registry which is no longer required. Images are now saved and loaded from Glance, which serves as an independent docker registry to store images.

    Images loaded from Glance may do bad things. Only allow administrators to add images.

    Users may create snapshots of their containers, generating images in Glance; these images are managed and thus safe.
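Because the name passed to glance image-create has to match the name Docker knows the image by, it is worth checking the archive before an administrator uploads it. The following added example (not part of the report or of nova-docker) reads the top-level repositories index from a 'docker save' archive, compares it with the intended Glance name and returns the archive's SHA-256 for the upload record. The function names are hypothetical, the layout with a top-level repositories file is assumed, and the archive is a constructed stand-in.

```python
import hashlib
import io
import json
import tarfile


def repositories_in_archive(archive_bytes):
    """Return {repository: {tag: image_id}} from a 'docker save' tarball."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # The index sits at the top level; some tar writers prefix "./".
            name = member.name
            if name.startswith("./"):
                name = name[2:]
            if name == "repositories" and member.isfile():
                raw = tar.extractfile(member).read()
                return json.loads(raw.decode("utf-8"))
    raise ValueError("archive has no top-level 'repositories' index")


def check_glance_name(archive_bytes, glance_name):
    """Check that glance_name is a repository the archive really carries.

    Returns the verdict, the repository names found, the tags stored under
    glance_name and the SHA-256 of the exact bytes that would be uploaded.
    """
    repos = repositories_in_archive(archive_bytes)
    return {
        "ok": glance_name in repos,
        "found": sorted(repos),
        "tags": sorted(repos.get(glance_name, {})),
        "sha256": hashlib.sha256(archive_bytes).hexdigest(),
    }


def constructed_archive(repos):
    """Build a minimal stand-in for 'docker save' output (constructed)."""
    payload = json.dumps(repos).encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("repositories")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one repository named 'ubuntu', placeholder image id.
    sample = constructed_archive({"ubuntu": {"latest": "0" * 64}})
    for name in ("ubuntu", "Ubuntu-14.04"):
        verdict = check_glance_name(sample, name)
        if verdict["ok"]:
            print("%s: matches, sha256=%s" % (name, verdict["sha256"]))
        else:
            print("%s: MISMATCH, archive holds %s" % (name, verdict["found"]))
```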

    6.6 Booting Instances using Nova

    You can now boot instances with docker images using nova by executing the command:

    >>> nova boot --flavor --image

    The different flavor types available are m1.tiny, m1.small, m1.medium and m1.large. You can specify any of these flavor types. You can check the instance id and the status of the instance booted by executing the command:

    >>> nova list

    OR

    >>> nova show

    7 Docker on Packstack

    7.1 Overview

    Packstack is a utility that uses Puppet modules to deploy various components of OpenStack on multiple pre-installed servers over SSH automatically. Currently only Fedora, Red Hat Enterprise Linux (RHEL) and compatible derivatives of both are supported.

    Docker is an open source engine which automates the deployment of applications as highly portable, self-sufficient containers which are independent of hardware, language, framework, packaging system and hosting provider. Docker provides management of Linux containers with a high-level API providing a lightweight solution that runs processes in isolation. It provides a way to automate software deployment in a secure and repeatable environment. A Docker container includes a software component along with all of its dependencies - binaries, libraries, configuration files, scripts, virtualenvs, jars, gems, tarballs, etc.

    The Docker driver is a hypervisor driver for OpenStack Nova Compute. It was introduced with the Havana release, but lives out-of-tree for Icehouse. Being out-of-tree has allowed the driver to reach maturity and feature-parity faster than would be possible should it have remained in-tree.

    7.2 Installing Packstack on RHEL7

    1. Firstly, you need to put the repos file in the /etc/yum.repos.d/ directory after creating the new file named rhel7.repo. The repos file is available at http://linux.web.cern.ch/linux/rhel/rhel7/rhel7.repo. Then update the repos file by running the command:

    >>> sudo yum update all

    2. You can now install docker using the below command:

    >>> sudo yum install docker


    The default version of docker v0.11.1-dev gets installed. Please note that all the docker commands are executed as root user.

    3. Install Icehouse RDO by executing the command:

    >>> sudo yum install -y http://rdo.fedorapeople.org/openstack-icehouse/rdo-release-icehouse.rpm

    On the controller node run:

    >>> sudo yum install openstack-packstack

    4. Run packstack by executing the command:

    >>> packstack --gen-answer-file=config.txt

    Edit config.txt for your environment and then execute:

    >>> packstack --answer-file=config.txt

    5. Source the keystonerc_admin file and verify services are up by executing the below commands:

    >>> source keystonerc_admin
    >>> openstack-status

    6. Download and source the OpenStack RC file from the OpenStack dashboard. Log in with the username and password provided in the keystone_admin file.

    >>> source admin-openrc.sh

    7.3 Configuring Packstack to enable Docker

    7.3.1 Installing Docker for Packstack

    Install nova-docker by executing the commands:

    >>> git clone https://git.openstack.org/stackforge/nova-docker
    >>> cd nova-docker
    >>> python setup.py install

    7.3.2 Nova Configuration


    Enable the driver in the nova configuration file nova.conf located in /etc/nova.

    >>> vi /etc/nova/nova.conf

    compute_driver = novadocker.virt.docker.DockerDriver

    In order for Nova to communicate with Docker over its local socket, add nova to the docker group and restart the compute service to pick up the change:

    >>> usermod -aG docker nova
    >>> systemctl restart openstack-nova-compute.service

    You can check the status of the nova compute service by executing the command:

    >>> systemctl status openstack-nova-compute.service

    ERROR: The Nova compute service failed to restart and became inactive, as nova-docker has been allowed to use only the docker client API version 1.13, which does not come by default in RHEL7. Check this: https://github.com/stackforge/nova-docker/blob/master/novadocker/virt/docker/client.py#L98 In RHEL7, the default docker client API version is 1.12.

    STEPS to resolve the above ERROR:

    1. Remove the default version of docker by executing the command:

    >>> sudo yum remove docker

    2. Get the RPM to install the docker version 1.1.2 that has the client API version 1.13.

    >>> wget https://kojipkgs.fedoraproject.org//packages/docker-io/1.1.2/2.fc22/x86_64/docker-io-1.1.2-2.fc22.x86_64.rpm

    3. Install the RPM by executing the command:

    >>> sudo yum install docker-io-1.1.2-2.fc22.x86_64.rpm

    4. Check the version of docker installed by executing the command:

    >>> sudo docker version

    Output:
    Client version: 1.1.2
    Client API version: 1.13
    Go version (client): go1.2.2
    Git commit (client): d84a070/1.1.2


    Server version: 1.1.2
    Server API version: 1.13
    Go version (server): go1.2.2
    Git commit (server): d84a070/1.1.2

    5. Make sure the docker daemon is running by executing the command:

    >>> ps auwx | grep docker

    If docker is not running currently, execute the command:

    >>> sudo docker -d

    6. In order for Nova to communicate with Docker over its local socket, add nova to the docker group and restart the compute service to pick up the change:

    >>> usermod -aG docker nova
    >>> systemctl restart openstack-nova-compute.service

    7. Check the status of the nova compute service by executing the command:

    >>> systemctl status openstack-nova-compute.service

    OR

    To check the status only of the nova services, execute the command:

    >>> nova-manage service list

    7.3.3 Glance Configuration

    Glance needs to be configured to support the docker container format. It's important to leave the default ones in order to not break an existing glance install. Edit the glance-api.conf file located in /etc/glance and restart the glance-api service to pick up the change.

    >>> vi /etc/glance/glance-api.conf

    container_formats = ami,ari,aki,bare,ovf,docker

    >>> systemctl restart openstack-glance-api.service

    You can check the status of the glance-api service by executing the command:

    >>> systemctl status openstack-glance-api.service

    7.4 Uploading Docker Images to Glance


    Images can now be saved directly to glance by executing the commands:

    >>> docker pull ubuntu
    >>> docker save ubuntu | glance image-create --container-format=docker --disk-format=raw --name ubuntu

    The name of the image in Glance should be explicitly set to the same name as the image as it is known to Docker. In the example above, an image has been tagged in Docker as 'ubuntu'. Matching this is the '--name ubuntu' argument to glance image-create. If these names do not align, the image will not be bootable.

    7.5 Booting Instances using Nova

    You can now boot instances with docker images using nova by executing the command:

    >>> nova boot --flavor --image

    The different flavor types available are m1.tiny, m1.small, m1.medium and m1.large. You can specify any of these flavor types. You can check the instance id and the status of the instance booted by executing the command:

    >>> nova list

    OR

    >>> nova show

    ERROR: The instance booted resulted in error. The fault message displayed was "No valid host was found". For more information, you can check the nova compute logs in the /var/log/nova/nova-compute.log file and the nova scheduler logs in the /var/log/nova/nova-scheduler.log file.

    STEPS to resolve the above ERROR:

    1. Edit the /etc/nova/nova.conf file to change the scheduler default filters to return all hosts so the scheduler will return some instance.

    scheduler_default_filters = ComputeFilter


    Reference: https://answers.launchpad.net/nova/+question/192511

    Restart the scheduler service to pick up the change by executing the command:

    >>> systemctl restart openstack-nova-scheduler.service

    Check the status of the nova scheduler service by executing the command:

    >>> systemctl status openstack-nova-scheduler.service

    The same ERROR still persists while booting an instance with docker image.

    NOTE: The same error also persists while booting any image other than docker images.

    2. Relaunched the Instance with the RHEL7 image. Now, installed Packstack following the same steps but disabled the nova neutron service for networking and configured the nova network on a single host eth0.

    CONFIG_NEUTRON_INSTALL=n
    CONFIG_NOVA_COMPUTE_PRIVIF=eth0
    CONFIG_NOVA_NETWORK_PRIVIF=eth0

    You can disable the Cinder, Swift and Ceilometer services for quick installation of Packstack as they are not needed.

    CONFIG_CINDER_INSTALL=n
    CONFIG_SWIFT_INSTALL=n
    CONFIG_CEILOMETER_INSTALL=n

    NOTE: The same ERROR [No Valid Host was found] still persists while booting an instance with docker image.

    8 Containers on Google Cloud Platform

    8.1 Overview

    Everything at Google, from Search to Gmail, is packaged and run in a Linux container. Every week, Google launches more than 2 billion container instances across their global data centers, and the power of containers has enabled both more reliable services and higher, more efficient scalability.


    The Kubernetes and container-optimized VM releases make it simple to run Docker containers on Google Cloud Platform. The container-optimized VM provides a way to statically and declaratively run multiple Docker containers on a Google Compute Engine instance. Kubernetes enables dynamic container scheduling across multiple VM instances, including over container-optimized VMs.

    8.2 Container VMs

    Container-optimized Google Compute Engine images are Debian images with a few additions:

    The Docker runtime is pre-installed, so you are ready to create containers as soon as your instance is up.

    The image includes an agent that handles container manifest files, to create and monitor containers automatically.

    8.3 Kubernetes

    Kubernetes is an open source container cluster manager. It schedules any number of container replicas across a group of node instances. A master instance exposes the Kubernetes API, through which tasks are defined. Kubernetes spawns containers on nodes to handle the defined tasks. The number and type of containers can be dynamically modified according to need. An agent (a kubelet) on each node instance monitors containers and restarts them if necessary. Kubernetes is optimized for Google Cloud Platform, but can run on any physical or virtual machine.


    9 Conclusion

    In conclusion, Docker is inarguably a huge plus and must be released in production at CERN to solve the issues of money and time and to use the hardware resources more efficiently.

    Fast Boot: Docker provides the ability to create / delete a clean environment quickly, which is great for unit testing. Using Docker makes a big difference when developing Chef recipes, in which a clean environment must be started for every failure.

    Small Container Sizes and ability to diff containers: While it's nearly impossible to share a VM with a remote teammate, it's entirely possible to share a container due to the Docker registry, because of its ability to pull only incremental changes. The ability to diff two containers is indeed a big point of observation.

    Ability to run a container in AWS as well as on Cross Cloud: We cannot run VMware in AWS, but Docker offers the ability to use the same container in AWS. Furthermore, Docker can use the same container cross cloud, which is indeed a win.
