Orchestration in Docker Swarm mode, Docker services and declarative application deployment Mike Goelzer & Victor Vieux Docker
Orchestration Overview Mike Goelzer / mgoelzer@docker.com / gh: mgoelzer
Orchestration in Docker
● Orchestration
  ○ Swarm Mode
  ○ Docker Services
  ○ Security
  ○ Routing mesh
● Container Healthcheck
Swarm Mode
$ docker swarm init
$ docker swarm join <IP of manager>:2377
(Diagram: one Engine runs swarm init and becomes the manager; further Engines join it.)
Services
$ docker service create --replicas 3 --name frontend --network mynet --publish 80:80/tcp frontend_image:latest
$ docker service create --name redis --network mynet redis:latest
(Diagram: the Engines share the overlay network mynet; frontend and redis tasks are placed across them.)
Node Failure
(Diagram: the same frontend and redis services as above; one Engine in the swarm fails.)

Desired State ≠ Actual State
(Diagram: with the failed Engine gone, fewer frontend replicas are running than the 3 that were requested.)

Converge Back to Desired State
(Diagram: the orchestrator reschedules the missing replica onto a remaining Engine, so actual state matches desired state again.)
Scaling
$ docker service scale frontend=6
$ docker service scale frontend=10
Global Services
$ docker service create --mode=global --name prometheus prom/prometheus
(Diagram: one prometheus task runs on every Engine in the swarm.)
Constraints
(Diagram: two of the Engines were started with a node label.)
docker daemon --label com.example.storage="ssd"

$ docker service create --replicas 3 --name frontend --network mynet --publish 80:80/tcp --constraint engine.labels.com.example.storage==ssd frontend_image:latest
$ docker service scale frontend=10
(Tasks of the constrained service are only placed on the Engines that carry the matching label.)
Services
Services are grouped into stacks
Swarm mode orchestration is optional
● You don’t have to use it
● 1.12 is fully backwards compatible
● Will not break existing deployments and scripts
Routing Mesh: Published Ports
● Operator reserves a swarm-wide ingress port (8080) for myapp
● Every node listens on 8080
● Container-aware routing mesh can transparently reroute traffic from Worker 3 to a node that is running the container
● Built-in load balancing in the Engine
● DNS-based service discovery
(Diagram: the user accesses myapp.com:8080; the Manager and Worker 1, Worker 2, Worker 3 all listen on :8080, while the frontend containers run on the workers.)
$ docker service create --replicas 3 --name frontend --network mynet -p 8080:80 frontend_image:latest
Security out of the box
● Cryptographic Node Identity
  ○ Workload segregation (think PCI)
● There is no “insecure mode”:
  ○ TLS mutual auth
  ○ TLS encryption
  ○ Certificate rotation
Container Health Check in Dockerfile
HEALTHCHECK --interval=5m --timeout=3s --retries=3 \
  CMD curl -f http://localhost/ || exit 1
Checks every 5 minutes that the web server can return the index page within 3 seconds. Three consecutive failures put the container in an unhealthy state.
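The services the deck creates by hand (frontend, redis, the global prometheus service, the ssd placement constraint and the Dockerfile health check above) can be declared together as one stack. This is an added example, not a file from the deck; it assumes Docker 1.13 or later (compose file format 3, `docker stack deploy -c stack.yml myapp`) and that frontend_image serves HTTP on port 80.

```yaml
# Added example, not from the original slides. Deploy with:
#   docker stack deploy -c stack.yml myapp
# Assumes Docker 1.13+ (compose file format 3) and that frontend_image
# answers HTTP on port 80.
version: "3"

networks:
  mynet:
    driver: overlay          # same mynet overlay network as the slides

services:
  frontend:
    image: frontend_image:latest
    networks: [mynet]
    ports:
      - "8080:80"            # swarm-wide ingress port; every node listens on 8080
    healthcheck:             # same check as the Dockerfile HEALTHCHECK slide
      test: ["CMD-SHELL", "curl -f http://localhost/ || exit 1"]
      interval: 5m
      timeout: 3s
      retries: 3             # three consecutive failures => unhealthy
    deploy:
      replicas: 3            # desired state; equivalent to --replicas 3
      placement:
        constraints:
          - engine.labels.com.example.storage == ssd
      restart_policy:
        condition: on-failure

  redis:
    image: redis:latest
    networks: [mynet]        # reachable from frontend by DNS name "redis"

  prometheus:
    image: prom/prometheus
    networks: [mynet]
    deploy:
      mode: global           # one task on every node, as with --mode=global
```

`docker service scale myapp_frontend=10` changes the running replica count, but the next `docker stack deploy` converges the service back to the desired state declared in the file.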
Orchestration Deep Dive + demo at the end Victor Vieux / vieux@docker.com / gh: vieux
Swarm Topology
● Each Node has a role
● Roles are dynamic
● Programmable Topology
(Diagram: a set of Nodes, each labelled either Manager or Worker.)
Docker swarm mode communication internals
(Diagram: the Managers form a Raft consensus group holding the Internal Distributed State Store; Workers talk to the Managers over gRPC and to each other over the Gossip network.)
Quorum Layer (Raft consensus group, Internal Distributed State Store across the Managers)
● Strongly consistent: holds desired state
● Simple to operate
● Blazing fast (in-memory reads, domain specific indexing, ...)
● Secure
Worker-to-Worker Gossip (Gossip network between the Workers)
● Eventually consistent: routing mesh, load balancing rules, ...
● High volume, p2p network between workers
● Secure: symmetric encryption with key rotation in Raft
Node Breakdown
Manager Node
● API: accepts the command from the client (e.g. docker service create) and creates the service object
● Orchestrator: reconciliation loop for service objects; creates tasks
● Allocator: allocates IP addresses to tasks
● Scheduler: assigns nodes to tasks
● Dispatcher: checks in on workers
Worker Node
● Worker: connects to the dispatcher to check on assigned tasks
● Executor: executes the tasks assigned to the worker node
(Diagram: the manager components are stacked on top of the Raft store.)
Internal Load Balancer
Ingress Load Balancer
Secure by default with end-to-end encryption
• Cryptographic node identity
• Automatic encryption and mutual auth (TLS)
• Automatic cert rotation
• External CA integration
(Diagram: each Manager Node runs a Certificate Authority; Manager Nodes and Worker Nodes connect over TLS.)
DEMO
Questions? Victor Vieux Mike Goelzer vieux@docker.com / @vieux mgoelzer@docker.com / @mgoelzer