Thank you. Okay, and I'm on the loudspeaker as well. So welcome to the last... no, there's one more after me, right? There's a keynote coming. So it's 4 p.m. Probably your heads are exploding with all the information today, so I will not help you with that, or I will help with exploding your heads.

My name is Marek. I work at Red Hat in the OpenShift team and I will tell you something about Docker, about containers, about OpenShift, Kubernetes, and we will do some walkthrough of what you may want to do and what you may not want to do with containers and other technologies.

So I just need some information. That's why I asked to lower the lights. I will move a bit here. Who is an engineer, like developers? That's the guys who build cool stuff. Okay, nice. How many operations? That's the guys who run the cool stuff. And how many managers? Those are the guys who slow down the other two groups. Okay, almost no one. Good. So I have some basic idea. So I'm speaking mostly to engineers and developers, so that's cool, because it's mostly about developer experience and how you have to work with that.

So first I will define a small problem that I found out recently. I have been speaking to some of our customers and I found out that they have a problem with very basic and very trivial stuff that has been here for years. First, inconsistent environments. That means it worked on my machine, it should work in production as well, right? Everybody knows that problem, and even though we are in the year 2017, right, 2017, there are still companies struggling with this problem. So that's one of the things that we could tackle with containers. The other one is deployments done over SFTPS, depends on what you're trying to use, or just directly git pulling and checking out stuff.
That is better than SFTPS, but still it's a lot of manual work that is error-prone and could be problematic. And manual interactions are required to do deployments, like I have to SSH into the machine, do git pull, do checkout of some specific commit or something like that. So this is some of the problems that I have seen in the wild, like people are struggling with those, and in my talk I would love to somehow tackle these problems and show you that there might be a solution that could help with those.

So as you might expect based on the name of the talk and what was on the slides, we are going to speak about containers, and containers pretty much are the biggest buzzword of today. Everybody speaks about them. Who heard about containers already? Who heard about containers two years ago? Yeah, almost no one. It's like a technology that just came and it took the IT world like a bomb, and everybody now wants to do containers, even though pretty much no one knows what they want to do and it's quite a mess, but everybody likes them.

So what is a container? Just basic information to get us started. On the left side, I have a container image and on the right side there is a virtual machine. So if you check the layers that are on the picture, the virtual machine has more layers. That means there is more stuff that has to run to actually make something run, something usable. So if you want to use containers, it's much more lightweight because you don't have to virtualize the whole operating system. When you are in the virtualization land you are making a virtual hardware and running the operating system on it in a virtual machine, right?
If you are in a container you are virtualizing parts of the operating system and then you are running the application in that small part of the operating system. So it's much more lightweight, but there is one downside to that: you have only one kernel. So you cannot run Windows applications on Linux and you cannot run Linux applications on Windows, because there is one kernel shared between all these containers. So that's just basic information to get us started.

So what do containers do, or what are they supposed to do? Containers ship software, so they allow you to package something. It's a unit of packaging, and you can take it, you can send it to somebody, somebody can download it and spin up the application that's in that container. That container should be self-contained, so it's pretty much the whole userland that the application needs for running, except the kernel, because the kernel is shared. And containers are supposed to be universal, which has not been super true until recently. There is the Open Container Initiative and some other standardization processes, so there is work being done to actually make containers built with one technology runnable using some other technology.

And when we understand what containers are supposed to do for us we can speak about Docker. Who has heard about Docker? Yeah, most of you. So that is pretty much the most famous technology for containers right now, and when somebody says "I want to run containers", they usually think about running the containers. There are some other implementations like Rocket. There are FreeBSD jails, Sun zones. chroot is actually a container technology. It didn't allow proper security constraints, it didn't allow resource isolation, but it was a container technology by itself. Very simple, but it was. So Docker is the container technology of today. Most people like it. Well, people want to work with it.
So what Docker does is, on one side, it defines a packaging format. So it says: okay, if you want to package a container, it will be this kind of tar.gz, it will be this meta information saved somewhere in this specific format, and this is described as a Docker container. This description is actually being standardized as the Open Container Initiative. So the standard is not something artificial created just to somehow describe any container. It is actually getting Docker and their specification and making it a standard so that other tools can use it as well.

Docker is also a tool that allows you to build containers, share them and get them. So that's something that we are going to use today. One of the demos that I have is actually building the container and then running the application that's in the container. But also Docker Hub is a marketplace. That's a place where you can share containers. So if you build a container, you can take the container, push it into Docker Hub, and somebody can discover it and pull it to his machine and spin it up. So it's a way to distribute software as well.

Yeah, okay. So I'm already at my demo site. So I will move over to Atom. I have some source code prepared here. I have a really complex PHP application prepared for you. It's one file.
I'll make it bigger so we can read it actually. Because it's so complex, it has to be big so you can understand all the code that's there. But it actually makes everything simpler, because the way you package a complex application is very much similar to how you would package this small application. So if you try to package something bigger it may take more time to actually make it happen, but with this modification it will be quick and easy and the process is going to be very much the same.

So if you want to package an application with a Docker container, what you have to do is write a Dockerfile. And I apologize for the weird moving of my mouse, because my trackpad and my keyboard died on the laptop. So I bought myself a wireless keyboard yesterday, so I'm using a keyboard and a mouse because the laptop is not really functioning. So if you see weird movements, it's okay.

So what this does is: okay, let's build a container. That means the FROM php, because what Docker has designed is a hierarchy with different layers of containers, and you can say FROM php and then there is a version, and it says take the PHP container that's already on Docker Hub, and this Docker container will be the base, and then all the other commands that will be below it will take this base image and somehow extend it. Right, so somebody had done all the hard work for us to already build the... like install Apache, configure Apache, install PHP, link these things together. This has already been done. So FROM php just gives me PHP 7.1 and Apache running in the container. All I have to do is take my source code and copy it into that /var/www/html directory, and then when the container is committed, I will get something that I can distribute. I can run it, my application is there, runnable. So how do I build a container?
It's a very simple command. So docker build, the -t says name the container PHP UK, and take the Dockerfile in the current directory as the source, right? So I'm going to copy paste this into my console and we are going to build a container. So first, what we are doing is... let me make it slightly bigger. Can you read it? Hands up. Can you read it? No, not in the back. Now? Yeah, cool.

So what we said: docker build the container using this Dockerfile. So FROM php, it used the container with each shovels this this number. Because I already did the time-consuming part of downloading all the layers on my machine, it is using the layers from my cache on my machine. So it was pretty fast. And the next step, which was the second and last, was take the source code in the src directory and put it into the container. So my container was built, and the only thing that I now got to do is to start something, right?

So when I want to run a container, I do docker run, -t -i, so I want to have STDIN connected with the container and my shell, and I want a TTY for that container, and the -p says that port 8080 on my machine will be mapped to an 8080 port in the container, and PHP UK is the name of the container which we named in the previous step. Taking this in here, spinning up a container. You see that Apache has been started. There is some problem with host names as usual, and Apache is running in the foreground, which is okay. Let's go back here. Right, and I have the phpinfo page on my screen.

So what I did is I took my simple PHP application, I put it into the container, I can run it now. If I have something more complex like WordPress, Drupal, whatever, I will package the application exactly the same way. The only thing is I will need to link it with some database, with something else that's running next to it, but that's a configuration problem.
That's not like how you package the application. That's more like how you start the application later. So our application was running, so that's how you do this kind of stuff with Docker.

But there are still some problems with that, right? So for every application I need to write a Dockerfile, because the Dockerfile defines how I put my source code into the container. So even though in the most simple cases I would just copy paste that file that I had before, the Dockerfile, into all my projects, I still have to have the Dockerfiles there. And the other thing is engineers have to understand how Docker works and need to write the Dockerfile. What I don't like about it also is that if I want to do something more complex I would need to put RUN commands and do some shell scripting in the Dockerfile, which is not very convenient.

And the last and biggest problem is that the builds of the containers are being done on the local machine, on my machine right here. This is problematic, mostly not if you are a startup. If there is a small startup where the engineers and the operations have a fluid set of functions and they just move from one role to the other, that's quite fine. But once you get a bigger company and you find out that there is a specific division between "I am supposed to develop stuff" and "I'm supposed to run stuff".
So I'm a developer or an operations person. Building containers on local machines of the engineers or developers is quite problematic, because what happens if the operations person takes the Docker container, it's in production, the container is running, everything's fine, and three days into that the container starts failing, and there is a problem that is only fixable by changing the Dockerfile or rebuilding the container? So the operations person has to go back to the engineer and say "Hey, there is a problem, I need you to fix it", and he says "Sorry, I have a deadline, I cannot do it right now. Next week." "But my production is failing." "Yeah, not my problem." And this can be problematic. So it is beneficial, yes, it's cool if engineers write the Dockerfiles, but it's not really cool if they build the Dockerfiles and the operations people only rely on the binary blobs that are produced by the engineers. This can be problematic.

So there is a tool called source-to-image that is trying to mitigate some of those problems. Not all of them, but some of those. So first, it understands the technology that they're trying to build. The basic idea is: let's create a container that is capable of building other containers. Somebody who understands how to build stuff, how to do operations, will create a container with all the dependencies, with everything, and the developer only needs to point this Docker container at some specific source code and it will build a container reconfigured by the operations, and it will take the source code in and will create a new container that's runnable. Pretty much what we did in the previous one, but without doing the Dockerfile stuff. And yeah, that's pretty much what I have in my bullet points. So let's move to a small demo. Back here.
So, S2I. Now my application is still very complex, still an extremely complex application, and I go to build. There is one command that I can do, so source-to-image build using the source code in the directory src, and using the image that uses PHP 7.0 on CentOS 7, and create a new container named PHP UK. Well, let's do something first: docker rmi PHP UK. So I have cleaned the container that we created in the first step, so you will trust me that I actually built a new container.

So we are in the S2I. I already have the PHP 7.0 CentOS 7 image cached, so there was nothing to download, it was quite fast. So the only thing I need to do is install the application source, because I have no composer file, I am not pulling any dependencies or anything like that. It's just putting the source code there exactly as we did in the previous example. So when I move back to start, I will spin it up.

Do you see the difference between this command and the one that we had in the previous example? The port, yeah. So that's also one of the problems that some of the Docker containers have, mostly those that are in Docker Hub. When we built the previous one, the effective user running in the container was root, and I will ask those operations people who I have in the audience: who would run your application as root on your machine in production? Okay, no hands. So what we do is, whenever we package a container using the S2I tool, we don't run the container as root.
You don't have to be root to actually run the container. So you cannot bind to port 80 as was possible in the previous container, but it's bound to 8080 because it is running as some specific user. So that's one of the security implications that S2I also brings to you.

Okay, spin it up. Pretty much the same will put it in the previous case. Refresh the page and there are more things, there are more dependencies in the 40 any file, and there is a different version. So we have built a new container, but this time no Dockerfile was involved, and somebody who was willing, who was knowledgeable to build the container, he built the container for me and I just used his container with all his knowledge to put my source code in there and build the application.

So let's go back to my presentation and a small recap. So with Docker, it's a packaging format, it's a nice tool to manage containers on a single machine, and you can use it to go to a registry or like a marketplace. S2I builds on top of Docker. It allows you to build containers from source code, and your source code doesn't have to be aware of Docker. There's no need for a Dockerfile.

So with these things we might have fixed some of the problems, right? So for the inconsistent environments, even though my development is still happening on my machine, I can package the application in the container, so the environment the application is running in can be the same as in production, because if it's built from the same image, or if it's built using the same image in the S2I example, I have the same environment for my application. And I don't have to do deployments over SFTPS or Git, because I can push my container and the container can be deployed.
There is still the problem that the containers are built on my machine, so the operations people don't have access to my Dockerfiles, and the manual interactions are still required, because I have to SSH into my machine, docker pull the container or get it there somehow, and then spin it up.

So once you try solving the problem of the manual interactions, you will actually find out that it is solved by most of the tools that allow running containers at scale, not on a single machine. And do you remember the shortcut PaaS? Who does? Okay. So it was very popular a few years back. The poor it is slightly going down. So on one side you had an engineer, there is some black box, and then you had a running application. So usually it was like that: you do git commit, git push, the tool does some work for me and then I have my application running.

So we had a tool like that called OpenShift, which we extended and we completely rewrote, and we came up with what we call OpenShift v3. It's a platform for running and building containers. It leverages Docker and Kubernetes. Do you know Kubernetes? Hey. Kubernetes is a project started by Google. Google has been using containers since like 2004. Everything that runs in Google infrastructure has to be in a container. And how big is Google infrastructure? Big. Nobody knows really, but probably it's very big. So we have been running containers on this Google scale, and then they started the project called Kubernetes, where they are open sourcing the know-how of running containers for 10 years on this Google scale. So we are basing on that, and we are also using many other open source projects. We are also copied the open source. So you can go to github.com/openshift/origin.
You can get the source code. So Origin is the open source project. We have OpenShift Container Platform, which is a product that we sell support for, and then we have Online, which is a service that you can run on. And we are leveraging the S2I tool, so it's possible to use the platform to build containers and then deploy them, as well as deploying containers from Docker Hub.

We try to make the platform much more versatile than it was with the PaaS concept, so we call it actually a container orchestration platform, which is very important for the microservices way of doing stuff, because it doesn't matter if it's HTTP or... So PaaS was mostly developed for running PHP, HTTP applications, but container platforms are usually okay to run whatever is TCP based or UDP based. We put a lot of security constraints around the stuff, so if your container is compromised and the attacker gets out of the container, we have SELinux policies around those containers, so even though he gets out of the container he is still isolated by SELinux. And you can specify quota and how much resources users can use.

So how difficult is it to use the platform? So again, oc is the client tool, so we can do oc new-app, then I say what technology I want to use as the S2I, so PHP, and then I point at some GitHub repository. So it will create all the stuff in the background that needs to be there to make the application running. It will pull the code, it will build the code, build a container, deploy the container. I can also do it like MySQL, so it will just look into Docker Hub and it will pull the container and deploy MySQL using the container pulled from Docker Hub, or you can pull from whatever repository or registry you want to. If you have something already internal you can use that as well. If you want to try some, I will do something most, but if you want to do something like that on your own machine or do it at home.
We have a project called Minishift, which allows you to spin up OpenShift locally. So you do minishift start, it will download the boot2docker ISO, it will download the oc client tool in there, and then it will run oc cluster up, which spins up the cluster in the VM. So you have... okay, spins up OpenShift in the VM. So everything's contained in this virtual machine and you can access it and do whatever you want, and it's extremely simple.

So let's do some demos. I'm going to close this page and I will start with my web console. So when you spin up OpenShift, it looks something like that. You can add something to the project. A project is like a namespace where things are located. So I can choose PHP. I have a very old version right here, 5.6, but that's quite fine for the example. So let's select it. I can name my application, so demo, demo in web console or something like that. I take my source code from HTTPS, from GitHub. It's still the same complex application as we had before. Let's click it. The Wi-Fi is not working, is it? Is it loading? Yeah, but it's very slow. Well, let's hope it will work here. So create, back to overview.

So what happened is there is no deployment yet. It's not very readable on the screen. Is it better now? Yeah. I don't have internet. Now I have internet. So, okay, my build failed. So there was a build, it was trying to clone my repository, and the build failed. So that can happen. So I can just start the build again. So a new build is running, and see the log. So, yeah, right now I have pulled the source code, I was installing the application source into the container, so that was the same step as I did before, and then I am pushing into the local registry. So when I get back to my overview page, you can see that I have one container running already.
My application is available on this DNS. Yeah, so it's an older PHP, but pretty much the same workflow would be for 7.1, 7.0 or whatever. And I can check my container running somewhere here. So I can see the logs, so this is the same log as I saw before, and I can go to the terminal. I can see that my application is running, right?

So I didn't have to do anything on my laptop. What I would have to do with this workflow is work on my things, and when I'm ready, git commit, git push to some GitHub repo or GitLab repo or whatever you are using in your company, and you can configure webhooks to actually trigger the build in the platform. So whenever you git push, the container is going to be built and is going to be deployed. So the engineer who is working on something, he doesn't have to understand at all how Docker works, how the container works. For him, it's like: add to project, select the PHP version, this is my source code, configure my GitHub with the webhooks, and whenever I git push I will see the current version of my application running in the platform.

So that's one of the ways. So that's okay, but not everybody wants to push into Git repos, not everybody wants to use GitHub or GitLab, so you can also do pretty much the same thing using source code in your command line. So again, I have some scripts prepared over here. So when I am in here, I have the source code again, the same, my extremely complex application. So this time I will do similar things as I did before in the web console, but I will do it from the command line and I will use the source code that's in the source directory. So first, I will create a new application using the source code and name it PHP UK. So that's this, and when I switch back to my web console to see it very nicely, you see that my build failed right now. That's expected, but I created all the things required around it to actually make it happen.
I can also create... it didn't create the DNS this time, so I can create it manually. So, okay, I want to expose my application using some DNS. Let's go back. So now I have a DNS. Nothing's running there yet, but what I have to do is I need to start a build and stream my source code from the source directory into the build container. So I will start a new build and I will use the source directory to actually make it happen. So it's packaging my source, streaming it into the platform, then extracting it into the container, and the build will do pretty much the same thing as it did before, but instead of cloning from some Git repo, I just streamed in my source code and then I committed a new container. So when I refresh my page I can see that I have my application running already.

So when I switch back to my presentation. So they managed to solve something during my talk. So the inconsistent environments, I would say it's pretty much solved, because whenever you take your source code and you put it into the Docker container, this Docker container can be moved from one stage to the other. So whatever tool or whatever workflow you are going to use, you can solve this inconsistent environments problem using Docker containers. So that's okay. So deployments are done over SFTP or Git. This can be solved because I can docker push my containers or I can build from source code somewhere else. So that's okay. Manual interactions are required. So it's solved, because if I have a tool like OpenShift I can trigger the builds and deployments using webhooks or something, whenever I git push, whenever I have new source code. So that's pretty much solved.

High availability of containers, that's pretty much easy and I can show you that. So if I go down to my console, oc get pods. These are the containers I am running at this moment.
So there is one that should be running, this one. Go back to the console, make over here, get me over you, come on. So PHP, okay, it's this container. So what I can do: oc delete. So I'm going to kill the container. This is like the container failed, I'm simulating a container failure. So what's going to happen is the platform will detect that the container failed and it will automatically create a new container that is going to be deployed, because I already have the image of the application in the platform. It's just a matter of pulling the image, if it's not already cached on the node, and then just spinning up the container. So it's very fast and you have pretty much high availability for your application. The same goes for scaling. You can scale up and scale down the containers. That's a nice benefit of using something like OpenShift.

Who... I lost my... Okay. So the only problem that I haven't solved is development on local machines, which I don't consider a problem. Even though some people would love to code in the web interface or using some web IDE, I still consider developing on my own machine much more productive, so I am not trying to solve this problem right now.

So thank you for being here, and if you have any questions I am super happy to answer them, and I will just move out of this light so I see the person who is going to ask. No questions?

Okay. Hi. Thank you for the talk. One question: that application you just showed, where you run all this, where you had the problem with GitHub, is that running locally or is that available online, or where's that running?

What do you mean? Can you repeat the question? My application, the source code, you mean?

No, not the source code. You showed, you ran the commands on your command line to get the PHP UK container built in your web front end.

Yes.

Where's that application, that web front end, running? Because that looked to me like a local installation, or is that...?

Yes. Yes.
So what I did before I came here, because I wanted to have the things ready, I used this Minishift. I did minishift start, so I spun up OpenShift running on my machine. So it was running in a VirtualBox on that laptop, and I was using xip.io, if you have seen it, so I can translate the IP address of the container into DNS. So it was running everything on my laptop, and when I clean it up it will be gone, of course. And the problem was that if I run it here on my laptop I have to rely on the Wi-Fi of the connection. That was the problem.

Thank you.

Hi, great talk. Thank you. I've never seen S2I before, it looks really interesting. How can you handle parameterization or configuration through S2I? Because we saw you loading source code for an application into the container with that tool. What about loading configuration for your application or for your environment, stuff like that?

You mean build time configuration or run time configuration?

Either, both.

So S2I is only trying to solve the build time problem, right? So S2I itself can take environment variables, can take some properties file that defines some information that's then being pushed into the container. You can also map a specific directory from your machine into the container so you can read something from a well-known path or something like that. Or I would probably say that the easiest one is to set some environment variables and change the build based on that. The container that is doing the build is essentially simple, because it is a container that you install all the dependencies in, and you create generally two scripts: assemble, which is the build process, and run, which is how to start the application. And this is going to be the entry point of the container that's being committed after the build, right?
So for the build process, this is that. For the runtime configuration, it depends on where you're going to run. If you're going to run in something like OpenShift, you can use environment variables. We have config maps, which allow you to mount a file into the container. You can have secrets, which is encrypted information. There are several ways. If you're going to run just Docker: environment variables, and in the latest release they have some kind of secrets or something like that. So it depends on what technology you want to use, but for source-to-image, generally either environment variables or mounting some configuration directory into the container.

Hi. Sorry. Really good talk. My question may be based in complete ignorance, so I apologize before I ask it. But one thing I didn't really understand was: if you're deploying an application like, say, WordPress to Docker, I don't know whether people would bother, but if they are, you would have a file permissions issue, as in not all your directories, not all your files require the same user permissions and user ownership. How do you deal with that issue in Docker? Or how do you config that to say, for instance, the uploads folder needs read-write versus everything else that doesn't?

Well, it depends. In our case, when you spin up a container in the platform, it always runs as some randomly generated user ID, because that mitigates some of the known attack vectors on the containers, and the group is root. So what we do is we set read-write to group on the files that are generated by the container. So there is a command called fix-permissions, which does that. It's part of the tooling.
So whenever you commit the container, it will allow the root group to actually write into those files that are part of the application itself, not to the whole image, and that helps you with the file permissions. But there is more. Well, it depends on what you want to do. If you're running WordPress or Drupal, those tools usually like to write to the file system. So if you are in a container, if you are trying to do something that's more scalable, you need a scalable file system as well. So that's again one of the features that we have: it allows you to dynamically mount either some distributed file system or a normal file system into the container, so when your container restarts the data is still there. Because by default containers are ephemeral: when you go into the running container, you change something, and then you stop the container, all this data is lost. Generally, that's how you should approach containers.

That time I was just gonna suggest, and... Does it support... UID mapping? Sorry, UID mapping.

What do you mean?

So mapping UIDs from inside the container: it can run as zero, root, and then you can map that to a normal user ID outside, and there are some parameters in Docker to do that.

You could do that, but the problem is, if you run the container as root, which is by default, you're allowing somebody to get out of the container. If it gets out of the container, you can get into the... but because user namespaces are not yet there in Docker. That's something that's being worked on. So once we get user namespaces, yes, it will be much, much, much easier. But we are getting into technical details, which are probably too weird, so let's discuss this after the talk, so I can still handle a few more questions. It'd be okay? Yeah, but I saw like five hands.
So, are there any platforms as a service where we can throw a couple of, you know, two, three containers up there and see it running live? I understand that Minishift is, you know, good for your machine, but I want to be able to test stuff with a live machine, with a live web server and live services, Redis, MySQL, so that other people can bang on it as well.

Yeah, so I have here an account on the developer preview of OpenShift as a service for general use cases. So I am running two simple applications over here, but essentially what I can do exactly the same way is deploy... select PHP. Do I have it already here? No. Take this. Yes, please. Go, go, create. Continue to overview. So right now I am... What did I do? Why is my build not happening? Builds, builds, PHP. There are no builds. Interesting. Start build. Build's happening. Okay, so right now I am using OpenShift as a service. That's all. If you go to openshift.com you can sign up for the service. It's a developer preview, so the account right now lasts for one month, but we will be extending it, hopefully very soon. And you can do there pretty much exactly the same as what I did on my machine. OpenShift itself can run on any infrastructure, so if you spin it up on GCE, on AWS, your own bare metal, you can do it. It's open source, so if you are okay with running it yourself, you can do it yourself. If you want us to help you with that, there is a product that we have where we help you with support. So there are different ways how to do it.

Yes, I didn't try to do a cluster on DigitalOcean. I am using a single-VM cluster on Linode. Linode is similar to DigitalOcean but has double the memory for the same price, but technically it is the same. So the small problem is that I am not sure about their network configuration, because for every single project we create a virtual network that isolates the communication inside that project.
So different projects cannot see each other's communication, which is one of the security aspects, and I'm not sure what's gonna happen if you put this on the DigitalOcean private networks. It may not work. I'm not sure. But definitely what will work, and one of my colleagues is doing it on DigitalOcean and I am doing it on Linode, is to spin up a one-node cluster. That works just fine. It works fine on GCE as a cluster, on AWS and Azure. That's tested as a multi-machine cluster. I couldn't hear right now. So can you repeat that?

That doesn't get you half a dozen, you know, containers across a... Do you need to run across more than one machine?

Yeah, if you want to get high availability, you need to have it on multiple machines.

Yeah, and not just high availability, but, you know, more than one machine could handle.

Yeah, so, yeah, but you still can scale up. If you cannot scale horizontally, you can scale vertically on DigitalOcean, right? It's not the best approach, but it still solves the problem if you don't have resources to run something like GCE or AWS. Yeah. Just, if you have follow-up questions, don't worry, come here and you can discuss that.

Okay, so the build finished and the application should be running, if my internet is going to work this time. It's "resolving host", so DNS seems to be failing. Stuck on "resolving host". Okay, any more questions? No more questions. So again, I will switch back to my slides and say thank you, you were a great audience. And I have books here. So this is the OpenShift for Developers book. It walks you through deploying applications, spinning up OpenShift on your own machine as well, this time not using Minishift, but using Vagrant. If you are interested, they are here. If I run out of them, I still have a box down. So there are still more books. So come here and take one if you want.