Dec
20

Docker Swarm with Nutanix Calm

Review -> What is Nutanix CALM?

Nutanix Calm provides a set of pre-seeded application blueprints that are available to you for consumption.

Docker Swarm is a clustering and scheduling tool for Docker containers. There is lots of hype around Kubernetes right now, and rightly so, but Swarm is a great tool and is still getting better. One of the blueprints available with Calm is Docker Swarm. With Swarm, IT administrators and developers can establish and manage a cluster of Docker nodes as a single virtual system. Swarm mode also exists natively in Docker Engine, the layer between the OS and container images; it integrates the orchestration capabilities of Docker Swarm directly into the engine.

For AHV, by default the blueprint creates 3 master VMs, each with 2 cores, 4 GB RAM, a 10 GB root disk, and 3x10 GB data disks. For AWS, by default the blueprint creates 3 slave VMs of type t2.medium, each with 3x10 GB data disks.
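
Under the hood, the blueprint is automating the standard swarm mode bootstrapping you would otherwise do by hand. A minimal sketch of the equivalent manual commands (the address and token values are placeholders):

# on the first master node: initialize swarm mode
docker swarm init --advertise-addr <MASTER_IP>

# on each additional master or slave node: join using the token printed by "swarm init"
docker swarm join --token <JOIN_TOKEN> <MASTER_IP>:2377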


Installed version: Docker 17.09.0.ce

Variables

DOCKER_VERSION - (Mandatory) Docker version to install (a default is provided).
INSTANCE_PUBLIC_KEY - (Mandatory) Instance public key (only for AHV).
Click the Marketplace tab.
Click the Docker Swarm blueprint application.
Click Launch.
The blueprint application launch page is displayed.

Enter a name for the application in the Name of the Application field. For the application blueprint naming conventions, see Launching an Application Blueprint.
Select the Application profile.
If the application profile is Nutanix then do the following.
(Optional) Change the VM name.
(Optional) Change the number of vCPUs and RAM.
Select the NIC from the drop-down menu.
Download the CentOS 7 image from the repository.
Enter the private key.
If the application profile is AWS then do the following.
(Optional) Change the VM name.
Select the instance type.
Select a CentOS 7 image as per the region and AZ.
Select the VPC and subnet.
Ensure that the security groups allow ICMP so that the master and slave nodes can ping each other.

Select the SSH keys.
Repeat the above steps for the Docker slave services.
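
Once the application launch completes, a quick way to sanity-check the cluster is to SSH to one of the master VMs and list the nodes; something like:

# list swarm members and their roles/status
docker node ls

# confirm services can be scheduled across the cluster
docker service create --name ping-test --replicas 3 alpine ping docker.com
docker service ls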

    Dec
    12

    Running IT: Docker and Cilium for Enterprise Network Security for Micro-Services

Well, I think 40 minutes is about as long as I can last watching an IT-related video while running; after that I need music! This time I watched another video from DockerCon, Cilium – Kernel Native Security & DDoS Mitigation for Microservices with BPF.

Skip to 7:23: The quick overview of the presentation is that managing iptables to lock down micro-services isn't going to scale and will be almost impossible to manage. Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services, as well as Layer 7 to protect and secure the use of modern application protocols such as HTTP, gRPC and Kafka. BPF is used by a lot of the big web-scale properties like Facebook and Netflix to secure their environments and to help with troubleshooting. Like anything with a lot of options, there are a lot of ways to shoot yourself in the foot, so Cilium provides the wrapper to get it deployed and configured easily.

The presentation uses the example of locking down a Kafka cluster at layer 7 instead of leaving the whole API wide open, which is what would happen if you were only using iptables. Kafka is used for building real-time pipelines and streaming apps. Kafka is horizontally scalable and fault-tolerant, so it's a good fit for running in Docker. Kafka is used by a third of Fortune 500 companies.
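
To give a feel for what that layer-7 lockdown looks like, here is a rough sketch of a Cilium rule (shown in the Kubernetes CiliumNetworkPolicy form; the labels, topic, and role values are made up for illustration) that only lets one app produce to a single Kafka topic instead of exposing the whole broker API:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: allow-kafka-produce
spec:
  endpointSelector:
    matchLabels:
      app: kafka
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: order-service
    toPorts:
    - ports:
      - port: "9092"
        protocol: TCP
      rules:
        kafka:
        - role: "produce"
          topic: "orders"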

    Cilium Architecture

    Cilium Integrates with:

    Docker
    Kubernetes
    Mesos

Cilium runs as an agent on every host.
Cilium can provide policy from the host to a Docker micro-service, and even between two containers on the same host.

The demo didn't pan out, but the second half of the presentation talks about Cilium using BPF with XDP. XDP is a further step in the evolution: it enables running a specific flavor of BPF program from the network driver, with direct access to the packet's DMA buffer. This is, by definition, the earliest possible point in the software stack where programs can be attached, allowing for a programmable, high-performance packet processor in the Linux kernel networking data path.

Since XDP runs earlier, at the NIC, compared to iptables with ipset, CPU is saved, rules load faster, and latency under load is a lot better with XDP.
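
As a rough illustration of how early XDP sits, attaching a compiled BPF object (a hypothetical xdp_filter.o here) happens at the interface itself rather than in an iptables chain:

# attach a BPF/XDP program directly at the driver for eth0
ip link set dev eth0 xdp obj xdp_filter.o

# detach it again
ip link set dev eth0 xdp off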

    Nov
    27

    Running IT: Using Docker to Scale Operational Intelligence at Splunk

I am trying to get back into running and would like to complete a marathon at some point, but I am taking it slow. Last time I tried, I got up to 36 km, but my knees and feet didn't fare so well. With that being said, I am going to have some time on the treadmill and elliptical, and one way I can be of service is to tell you the important parts of the videos I watch and hopefully give you back some time as well. The first video I picked was Using Docker to Scale Operational Intelligence at Splunk from DockerCon 17 Europe.

I was kinda hoping for Splunk and Docker integration, but it was more about how Splunk is using Docker. Interestingly, Splunk does have a good use case for needing both Windows and Linux nodes for testing. When I first heard that Docker could have both Linux and Windows hosts in the same Swarm cluster, I thought that was cool but didn't really know how much it would be used.

Skip to 21:33 – the first half is mainly a review of Docker EE and why Splunk picked Docker. I am sure most have heard similar stories. There is a mention of RBAC for nodes, which allows secure multi-tenancy across multiple teams through node-based isolation and segregation. At the time of the video Splunk wasn't using it, but it would have made life easier.

    Interesting Notes for the Session

    Started with a Bare-metal test lab of 150 nodes using UCP. Now running over 600 servers.

Splunk 7 added a new feature, Metrics. Metrics is a capability for system administrators and IT tools engineers that focuses on collecting, investigating, monitoring, and sharing metrics from your technology infrastructure, security systems, and business applications in real time. Splunk is using collectd to get the data into Splunk, and it also grabs the logs so you can search both from the same interface.

Splunk is using 1 container per server for performance testing.

For test/dev testing, Splunk uses 20-30 containers per server.

Splunk runs a complicated system to make sure performance and test/dev containers don't intermix. It is hoping to use the new RBAC for nodes and CPU/memory reservations to clean up the CI workflow.

Splunk is moving away from Jenkins for CI, using UCP instead of agents to run over 2,000 concurrent jobs.

    Oct
    17

    My Thoughts On The Kubernetes Support For Docker EE

    Sep
    25

    Maximize Your ROI and Agility with Big Data #Nutanix #Docker #BlueData

    Separate out your data from your compute for more agility.

The DataNode is what is used to build out HDFS. Typically the DataNode and the NodeManager are co-located on the same host, whether it's physical or virtual. The NodeManager is responsible for launching and managing containers that are scheduled by the ResourceManager. On Nutanix, if you virtualize the DataNode and the NodeManager on separate virtual machines, you have the opportunity to increase your agility. The agility comes from the ability to use your resources to the max of your capacity at all times. When the cluster isn't in use, or isn't as busy, other systems have the opportunity to use the resources. You can shut down the NodeManagers, since they're not responsible for persisting data, and make the CPU and memory available for another project like Spark or maybe a new machine-learning program someone wants to test out.
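
As a sketch of what "shutting down the NodeManager" means in practice on the compute-only VMs (using the standard Hadoop 2.x daemon scripts; exact paths depend on your distro):

# stop the YARN NodeManager on a compute-only VM to free its CPU and memory
$HADOOP_HOME/sbin/yarn-daemon.sh stop nodemanager

# bring it back when the batch window starts again
$HADOOP_HOME/sbin/yarn-daemon.sh start nodemanager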

Hold the phone! What about data locality? You are correct, performance is going to take a hit. Performance may drop by up to 15% compared to the standard way, but if your system is only busy 30% of the time it might be more than worth it. Let's say a job takes 60 minutes to complete. Using this new model of separating out compute and storage, the job may now take 70 minutes to complete. Is the extra 10 minutes worth the agility to use your hardware for other projects? I think so, but that is going to depend on your business requirements, of course.

On the data locality side, the DataNode still gets to benefit from reading locally. Its data path on the network isn't going to cause more stress, so that's a plus. Also, the NodeManager is busy writing all of the temporary and shuffle data locally, so that is not going to cause any additional stress compared to having the NodeManager write to a remote shared storage device. And in some cases the NodeManager will still talk to the local DataNode over the local hypervisor switch.

If you're after some real flexibility, you could look at using BlueData to run Docker containers alongside the DataNodes. BlueData essentially takes over for the NodeManager. Install some CentOS VMs that fit inside the host's NUMA node and install BlueData. BlueData can help with QoS for different tenants and allow you to run different versions of Hadoop distros, Spark, Kafka and so on without blowing out your data requirements. BlueData also helps to maximize the remote connection between the containers and the HDFS distro of choice.

If you're after more agility, avoiding separate hardware for projects, getting better ROI from systems that run only weekly, monthly, or quarterly, or better testing methodologies, this may be the right architecture for you to try out.

    Sep
    07

Windows Gets Some Love with #Docker EE 17.06

With the new release of Docker EE 17.06, Windows containers get lots of added features. First up is the ability to run Windows and Linux worker nodes in the same cluster. This is great because you get centralized security and logging across your whole environment. Your .NET and Java teams can live in peace and consolidate your infrastructure instead of spinning up separate environments.

Continuous vulnerability scanning for Windows images was added if you have an Advanced EE license. Not only does it scan images, it will also alert when new vulnerabilities are found in existing images.

Bringing everything together, you can use the same overlay networks to connect your application, for example SQL Server on Windows and web servers running on Linux. Your developers can create a single compose file covering both the SQL and web servers, as sketched below.
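
A rough sketch of what such a mixed-OS stack file could look like (image names, passwords, and labels here are illustrative, not a tested configuration), using placement constraints to pin each service to the right OS:

version: "3.2"
services:
  db:
    image: microsoft/mssql-server-windows-developer
    environment:
      ACCEPT_EULA: "Y"
      sa_password: "ChangeMe123!"
    deploy:
      placement:
        constraints:
          - node.platform.os == windows
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    deploy:
      placement:
        constraints:
          - node.platform.os == linux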

    Other New Windows related features in Docker 17.06:

    Windows Server 2016 support
    Windows 10586 is marked as deprecated; it will not be supported going forward in stable releases
    Integration with Docker Cloud, with the ability to control remote Swarms from the local command line interface (CLI) and view your repositories
    Unified login between the Docker CLI and Docker Hub, Docker Cloud.
    Sharing a drive can be done on demand, the first time a mount is requested
    Add an experimental DNS name for the host: docker.for.win.localhost
    Support for client (i.e. “login”) certificates for authenticating registry access (fixes docker/for-win#569)
    New installer experience

    Sep
    04

    Multi-stage build support in #Docker EE 17.06

New in Docker EE 17.06 is the ability to have multi-stage builds. This is important because you can now grab just the files (artifacts) you need for the next stage of your build and keep your builds small, which leads to faster build times. This change allows you to have multiple FROM instructions in your Dockerfile.

Devs can optionally give the build stage a name. Afterward, this name can be used in COPY --from=name src dest and FROM name. If a build stage is defined with that name, it takes precedence in these commands; if it is not found, an image with that name is used instead.

    FROM node AS test-env
    ADD ./ /app
    WORKDIR /app
    RUN npm install
    RUN npm run build

    FROM nginx AS prod
    COPY --from=test-env /app /var/www/html

You can run subsets of the Dockerfile to get more use out of your work. If you want to only run the test-env stage, you can add a target to the docker build command with --target test-env.
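
For example, CI could build and tag each stage separately; a quick sketch:

# build only up to the end of the test-env stage (useful for running tests)
docker build --target test-env -t myapp:test .

# a full build runs every stage and produces the small nginx-based image
docker build -t myapp:prod .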

    Aug
    29

    VMworld attendees get to the Docker booth to save money & time like Visa.

The Docker booth is right beside the Nutanix booth at VMworld this year, so I have seen lots of people there, but not 23,000, and there should be. Docker has been a part of all the announcements, whether you realized it or not. There is lots of talk about Google with Kubernetes, but Kubernetes still requires Docker as the container engine, so whether it's Swarm or Kubernetes you're going to be using Docker. If you want enterprise support, Docker is the booth you want to be visiting, to learn what they can do to help you develop better end-to-end software while saving you money.

Docker EE has been in production at Visa for over 6 months, and Visa is seeing improvements in a number of ways:

    Provisioning time: Visa can now provision in seconds rather than days even while more application teams join the effort. They can also deliver just-in-time infrastructure across multiple datacenters around the world with a standardized format that works across their diverse set of applications.
    Patching & maintenance: With Docker, Visa can simply redeploy an application with a new image. This also allows Visa to respond quickly to new threats as they can deploy patches across their entire environment at one time.
    Tech Refresh: Once applications are containerized with Docker, developers do not have to worry about the underlying infrastructure; the infrastructure is invisible.
Multi-tenancy: Docker containers provide both space and time division multiplexing by allowing Visa to provision and deprovision microservices quickly as needed. This allows them to strategically place new services into the available infrastructure, which has allowed the team to support 10x the scale they could previously.

Visa moved a VM-based environment to containers running on bare metal and cut the time to provision and decommission its first containerized app by 50%. By saving time and money on the existing infrastructure and applications, organizations can reinvest the savings, both the time and the money, in transforming the business.

BTW, Nutanix can do bare metal or run AHV to provide a great experience for containers with our own Docker volume plugin.

    Aug
    18

    Nutanix Docker volume plugin updated

Last week Nutanix published an update to the Nutanix Docker volume plugin with Ubuntu support, Docker Datacenter compatibility, and improved logging, among other improvements.

Supported scopes for the plugin are global and local. Any other value in Scope will be ignored and local is used. Scope allows cluster managers to handle the volume in different ways. For instance, a scope of global signals to the cluster manager that it only needs to create the volume once instead of on each Docker host.
    https://docs.docker.com/engine/extend/plugins_volume/#volumedrivercapabilities
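
Per the Docker docs linked above, a plugin reports its scope through the VolumeDriver.Capabilities call, which returns a small JSON payload like:

{
  "Capabilities": {
    "Scope": "global"
  }
}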

    Apr
    23

    Operations Getting Down With DJ RunC & ContainerD


runC and containerd do sound like some rappers from the '80s. While in the land of hip hop Run-D.M.C. was legendary in creating new school rap, Docker has thrown its inertia behind runC and containerd to pave the way for future success. runC is an implementation of the Open Container Initiative (OCI) spec, to which Docker has donated a huge chunk of their own work. runC is a standalone binary that allows you to run a single OCI container. This is big because now everyone has a standard way to run a container, which creates better portability and good code hygiene.
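
To see what "standalone" means, you can run an OCI bundle with runC and no Docker daemon at all; a minimal sketch using a busybox root filesystem:

# build an OCI bundle: a rootfs plus a config.json
mkdir -p mycontainer/rootfs
docker export $(docker create busybox) | tar -C mycontainer/rootfs -xf -
cd mycontainer
runc spec           # generates a default config.json
sudo runc run demo  # starts the container directly via runC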

containerd is a new piece of infrastructure plumbing that allows you to run multiple containers using runC. It's kinda like a simple init system. containerd takes care of the simple CRUD operations against containers, but image management still lives with the Docker Engine. containerd is also event driven, so you can build on top of it.


With the release of Docker 1.11, runC and containerd are fully integrated. I think this is important because if you're going to pick a horse in the container race, you have a company in Docker that is leading with committers for OCI, which is essentially helping to set the direction for containers. On the operations side of the house, if I have to upgrade the Docker Engine, there is now a roadmap to upgrade without affecting your running containers. It's great that containers can run and die, but it's even better if they never fail 🙂

Docker 1.11 also added DNS round-robin load balancing. While it may seem crude to the likes of an F5 or NetScaler engineer, I always find simple wins and see it used in lots of places. If you give multiple containers the same alias, Docker's service discovery will return the addresses of all of the containers for round-robin DNS.
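
A quick sketch of the round-robin alias in action (container and network names here are arbitrary):

docker network create webnet
docker run -d --name web1 --net webnet --net-alias web nginx
docker run -d --name web2 --net webnet --net-alias web nginx

# lookups for "web" from another container on the same network return both IPs
docker run --rm --net webnet busybox nslookup web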

I think the 1.11 release of Docker will continue to build great things. Let's just hope it doesn't lead to overplayed Run-D.M.C. spoof shirts.