A presentation at Continuous Lifecycle in Mannheim, Germany by Philipp Krenn
Official Docker Images: a field report. Philipp Krenn @xeraa
Infrastructure | Developer
Who uses Docker?
Who uses Docker in production?
Who uses stateful Docker images?
Who uses our images?
Who uses our stack with other images?
Docker: the world's most heavily funded college project Internal quote from Slack
Content: "Official", Base Images, Release Policy, Security & Stability, Customization, Orchestration
Docker Hub "official"
What do you get? docker pull elasticsearch:X (same for Kibana and Logstash)
It's complicated: Docker Inc., deprecated, replicated
Custom Registry docker.elastic.co
I’m surprised more people don’t just host their own container registries since doing that is faster than every cloud offering and docker hub https://twitter.com/jessfraz/status/978449365261082625
Our motivation: download statistics, speed & reliability
https://www.docker.elastic.co
Problems: some broken tooling (automated builds, Kitematic, ...), China, IPv6
https://hub.docker.com/r/elastic/ followed by elasticsearch/, kibana/, *beat/, logstash/, apm-server/
Base Images
Elasticsearch: Alpine
Kibana, Beats, Logstash: Ubuntu
Common base image in 5.4+: CentOS 7
https://github.com/elastic/elasticsearch-docker/blob/master/templates/Dockerfile.j2

```dockerfile
FROM centos:7 AS prep_es_files
ENV PATH /usr/share/elasticsearch/bin:$PATH
# the trailing "-" tells tar to read the archive from stdin (the curl pipe)
RUN curl -s https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz | \
    tar -C /opt -zxf -
ENV JAVA_HOME /opt/jdk-11.0.1
RUN groupadd -g 1000 elasticsearch && \
    adduser -u 1000 -g 1000 -d /usr/share/elasticsearch elasticsearch
```
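The curl | tar pipeline above extracts whatever the download server returns; nothing checks the integrity of the JDK archive before it lands in /opt. The following is an added example, not code from the talk or from the elastic/elasticsearch-docker repository: a small POSIX shell helper that downloads to a file, verifies its SHA-256 against a pinned value and only then extracts, so a tampered or truncated archive never reaches the image. The URL and checksum in the usage comment are placeholders to be filled from the vendor's published checksums; the archive the test builds is constructed locally.

```sh
#!/bin/sh
# Added example (not from the talk): download, verify, then extract.
# Usage pattern for a Dockerfile RUN step (JDK_URL and JDK_SHA256 are placeholders):
#   RUN curl -fsSL -o /tmp/jdk.tgz "$JDK_URL" && \
#       verify_sha256 /tmp/jdk.tgz "$JDK_SHA256" && \
#       tar -C /opt -zxf /tmp/jdk.tgz && rm /tmp/jdk.tgz
set -u

# Print the hex SHA-256 of a file; works with coreutils sha256sum or BSD/perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when the file's digest equals the pinned value (case-insensitive).
# A mismatch is reported on stderr and returns 1, so an "&&"-chained tar never runs.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  return 0
}

# verified_extract ARCHIVE EXPECTED_HEX DESTDIR
# Order matters: verify first, extract second. "curl | tar" cannot do this,
# because tar has already written files by the time the download completes.
verified_extract() {
  verify_sha256 "$1" "$2" || return 1
  mkdir -p "$3" && tar -C "$3" -zxf "$1"
}
```

Pinning the checksum in the Dockerfile (or passing it as a build ARG next to the version) also makes a silent change of the upstream archive fail the build instead of producing a different image under the same tag.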
Upside: similar setup, shared layers, the JVM is large anyway
Downside: size
```
$ docker images
REPOSITORY                                      TAG      IMAGE ID       SIZE
docker.elastic.co/kibana/kibana                 6.5.0    fcc1f039f61c   727MB
docker.elastic.co/elasticsearch/elasticsearch   6.5.0    ff171d17e77c   774MB
docker.elastic.co/beats/filebeat                6.5.0    aee067f4a241   299MB
docker.elastic.co/kibana/kibana                 6.2.4    327c6538ba4c   933MB
docker.elastic.co/elasticsearch/elasticsearch   6.2.4    7cb69da7148d   515MB
docker.elastic.co/beats/filebeat                6.2.4    26a00abcde82   319MB
docker.elastic.co/kibana/kibana                 5.6.13   59fcc69d2cc6   653MB
docker.elastic.co/elasticsearch/elasticsearch   5.6.13   21673573a265   525MB
docker.elastic.co/beats/filebeat                5.6.13   2aec30f6b3fc   284MB
docker.elastic.co/kibana/kibana                 5.3.3    ffe778f7e489   679MB
docker.elastic.co/elasticsearch/elasticsearch   5.3.3    5857f98b5920   165MB
docker.elastic.co/beats/filebeat                5.3.3    c01be8a8f630   232MB
```

Image size by release:

```
            5.3      5.6      6.2      6.5
ES          165MB    525MB    515MB    774MB
Kibana      679MB    653MB    933MB    727MB
Filebeat    232MB    284MB    319MB    299MB
```
Does it matter? stateful vs stateless
What to include?
Single image for 5.x: Platinum trial
Three flavors for 6.0 to 6.2: Basic (default), OSS, Platinum trial
Two flavors for 6.3+: Basic / Platinum trial (default), OSS
Future
Multiple base images?
Windows?!
Release Policy
No :latest
Zombies: ideas that should have been killed by evidence, but keep shambling along
What about floating tags like 6 and 6.4?
What's in a tag?

```
REPOSITORY                                      TAG     IMAGE ID       CREATED
docker.elastic.co/elasticsearch/elasticsearch   5.3.3   5857f98b5920   4 months ago
docker.elastic.co/beats/filebeat                5.3.3   c01be8a8f630   5 months ago
docker.elastic.co/kibana/kibana                 5.3.3   ffe778f7e489   5 months ago
```

Currently: the tag is overwritten, so the same 5.3.3 tag can point to a rebuilt image (same Elasticsearch, newer base image or JVM). For an immutable reference, pull by digest (image@sha256:<digest>) instead of by tag.
Label Schema:

```dockerfile
LABEL org.label-schema.schema-version="1.0" \
      org.label-schema.vendor="Elastic" \
      org.label-schema.name="elasticsearch" \
      org.label-schema.version="{{ elastic_version }}" \
      org.label-schema.url="https://www.elastic.co/products/elasticsearch" \
      org.label-schema.vcs-url="https://github.com/elastic/elasticsearch-docker" \
{% if image_flavor == 'oss' -%}
      license="Apache-2.0"
{% else -%}
      license="Elastic License"
{% endif -%}
```

Base image & JVM are direct dependencies that change underneath the same Elasticsearch version.
Future: add an image version, separate from the Elasticsearch version?
Security & Stability
"Run Elasticsearch as root"
Cockroaches: claims that disappear for a while when proved wrong, but just keep on coming back
Mode: Production (clusterable) vs. Development (local network only)
"Docker" mode: discovery.type=single-node
Bootstrap checks are here to stay
6.0+ no more default credentials
6.x: Security on a non-trial license requires certificates (TLS between nodes)
"The container runs Elasticsearch as user elasticsearch using uid:gid 1000:1000." https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html
Don't mutate the bind mounted local directory
Those who do not understand Unix are condemned to reinvent it, poorly. — Henry Spencer
Docker's default values for LimitNOFILE & LimitNPROC?
infinity, since https://github.com/moby/moby/commit/8db61095a3d0bcb0733580734ba5d54bc27a614d (July 2016)
Test:

```
$ docker run --rm centos:7 /bin/bash -c \
    'ulimit -Hn && ulimit -Sn && ulimit -Hu && ulimit -Su'
1048576
1048576
unlimited
unlimited
```

Limit for virtual memory? vm.max_map_count
Test:

```
$ docker run --rm centos:7 /bin/bash -c \
    'sysctl vm.max_map_count'
vm.max_map_count = 262144
```

Must be set on the host
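The two tests on the slides above, turned into a check, as an added example that is not part of the talk: a POSIX shell helper that parses the output of the ulimit and sysctl commands a container reports and compares it with the minimums Elasticsearch's bootstrap checks enforce. The thresholds (65535 file descriptors, 4096 threads, vm.max_map_count 262144) are the documented 6.x bootstrap-check values as I know them and are an assumption of the example; the sample outputs at the bottom are constructed, one from a freshly installed Docker host and one where vm.max_map_count was never raised on the host.

```sh
#!/bin/sh
# Added example (not from the talk): compare what a container sees with what
# Elasticsearch's bootstrap checks demand. Thresholds assumed from the 6.x docs.
ES_MIN_NOFILE=65535       # bootstrap check: max file descriptors
ES_MIN_NPROC=4096         # bootstrap check: max number of threads
ES_MIN_MAP_COUNT=262144   # bootstrap check: vm.max_map_count (a host kernel setting)

# at_least VALUE MIN: true when VALUE is "unlimited"/"infinity" or numerically >= MIN.
# Anything non-numeric fails closed.
at_least() {
  case "$1" in
    unlimited|infinity) return 0 ;;
    *[!0-9]*|'') return 1 ;;
  esac
  [ "$1" -ge "$2" ]
}

# sysctl_value "vm.max_map_count = 262144" -> 262144
sysctl_value() {
  printf '%s\n' "$1" | sed -n 's/^[^=]*= *//p'
}

# check_es_limits HARD_NOFILE SOFT_NOFILE HARD_NPROC SOFT_NPROC MAP_COUNT
# Same order as the slide's ulimit command. Returns 0 when every value passes,
# 1 otherwise, naming each failing value.
check_es_limits() {
  rc=0
  at_least "$1" "$ES_MIN_NOFILE" || { echo "hard nofile $1 < $ES_MIN_NOFILE"; rc=1; }
  at_least "$2" "$ES_MIN_NOFILE" || { echo "soft nofile $2 < $ES_MIN_NOFILE"; rc=1; }
  at_least "$3" "$ES_MIN_NPROC"  || { echo "hard nproc $3 < $ES_MIN_NPROC"; rc=1; }
  at_least "$4" "$ES_MIN_NPROC"  || { echo "soft nproc $4 < $ES_MIN_NPROC"; rc=1; }
  at_least "$5" "$ES_MIN_MAP_COUNT" || {
    # /proc/sys is read-only inside an unprivileged container: fix this on the host.
    echo "vm.max_map_count $5 < $ES_MIN_MAP_COUNT (on the HOST: sysctl -w vm.max_map_count=$ES_MIN_MAP_COUNT)"
    rc=1
  }
  return $rc
}

# check_container_output ULIMIT_OUTPUT SYSCTL_OUTPUT
# Feed it the raw output of the two commands from the slides:
#   docker run --rm centos:7 /bin/bash -c 'ulimit -Hn && ulimit -Sn && ulimit -Hu && ulimit -Su'
#   docker run --rm centos:7 /bin/bash -c 'sysctl vm.max_map_count'
check_container_output() {
  set -- $(printf '%s\n' "$1") "$(sysctl_value "$2")"
  check_es_limits "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ULIMIT_OK="1048576
1048576
unlimited
unlimited"
SAMPLE_SYSCTL_OK="vm.max_map_count = 262144"
SAMPLE_SYSCTL_DEFAULT="vm.max_map_count = 65530"   # a typical untouched kernel default

check_container_output "$SAMPLE_ULIMIT_OK" "$SAMPLE_SYSCTL_OK" && echo "OK: bootstrap checks will pass"
check_container_output "$SAMPLE_ULIMIT_OK" "$SAMPLE_SYSCTL_DEFAULT" || echo "FAIL: fix the host first"
```

The ulimit values are inherited from the daemon (hence the infinity defaults above), while vm.max_map_count is a kernel namespace-wide value; that is why the second case cannot be fixed from inside the container and is the one that usually bites on a new host.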
Combine two new systems to get chaos & despair
Docker is a leaky abstraction
Customization
Feature request:

```sh
if [ -f /custom/user_init.sh ]
then
  . /custom/user_init.sh
fi
```

Or customization through environment variables
No Runtime Mutation
Dockerfile:

```dockerfile
ARG ELASTIC_VERSION
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
RUN bin/elasticsearch-plugin install analysis-phonetic --batch
# an ARG declared before FROM is out of scope after it; redeclare it to use it below
ARG ELASTIC_VERSION
RUN bin/elasticsearch-plugin install \
    https://github.com/spinscale/elasticsearch-ingest-langdetect/releases/download/${ELASTIC_VERSION}.1/ingest-langdetect-${ELASTIC_VERSION}.1.zip --batch
```
Generate keystore:

```
$ docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" \
    -v /Users/philipp/Desktop/demo/config/:/usr/share/elasticsearch/config/ \
    -it docker.elastic.co/elasticsearch/elasticsearch:6.4.3 /bin/bash
[root@1006ed50b646 elasticsearch]# ./bin/elasticsearch-keystore create
Created elasticsearch keystore in /usr/share/elasticsearch/config
[root@1006ed50b646 elasticsearch]# ./bin/elasticsearch-keystore add test
Enter value for test:
[root@1006ed50b646 elasticsearch]# exit
exit
$ cat config/elasticsearch.keystore
<binary keystore contents, not printable>
```

The bind mount leaves the generated elasticsearch.keystore on the host. The 6.x keystore obfuscates its contents but is not password-protected, so the file itself is the secret: distribute it through the orchestrator's secrets mechanism, not as an image layer or a world-readable config directory.

Mount keystore (Docker Compose):

```yaml
elasticsearch:
  image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
  secrets:
    - source: elasticsearch.keystore
      target: /usr/share/elasticsearch/config/elasticsearch.keystore
```
Orchestration
Who uses Kubernetes?
Who uses Swarm?
Who uses Mesos?
Who uses Nomad?
No orchestration yet
Kubernetes 1.8 allows dots in env vars https://github.com/kubernetes/kubernetes/issues/2707
Kubernetes has made huge improvements in the ability to run stateful workloads including databases and message queues, but I still prefer not to run them on Kubernetes. https://twitter.com/kelseyhightower/status/963413508300812295
Conclusion
"Docker is disrupting the industry"
"Can I run Elasticsearch on Docker?"
"Should I run Elasticsearch on Docker?"
Even when stateful services do the right things managing state is still hard. Mixing stateful and stateless applications on the same cluster elevates the complexity of the entire cluster. Cluster security and upgrades become much harder. https://twitter.com/kelseyhightower/status/963417215608369153
Quick Quiz What do you get?
docker pull elastic/elasticsearch
```
$ docker pull elastic/elasticsearch
Using default tag: latest
Error response from daemon: manifest for elastic/elasticsearch:latest not found
```
docker pull logstash:alpine
docker pull metricbeat:6.4.3
```
$ docker pull metricbeat:6.4.3
Error response from daemon: pull access denied for metricbeat, repository does not exist or may require 'docker login'
```
docker pull elastic/metricbeat:6.4.3
docker pull docker.elastic.co/apm/apm-server:6.4.3
"Aggregierte Logging-Patterns" (Aggregated Logging Patterns), tomorrow 15:45 @ Gustav Mahler II
Questions & Discussion Philipp Krenn @xeraa
Users of software projects expect containers to be provided for them. Simple enough: upload to Docker Hub and everything just works. Unfortunately, in reality nothing is ever as easy as it first sounds.
This talk gives an overview of the development behind Elastic's official Docker containers. It covers in particular the considerations and problems around registries, what to watch out for with the chosen base image, what goes into a release (tag), and how to deal with orchestration.
Here’s what was said about this presentation on social media.
@xeraa sheds light on the jungle of #docker images #ConConf18 #ConLi18
— Matthias Parbel (@mparbel) November 14, 2018