Saturday, 3 December 2016

Dhahran-Docker November 2016 meetup

On Wednesday, 16th November, Dhahran Docker meetup participated in the global #learndocker event "Global Mentor Week." two useful resources that were used to some extent were PWD: Play With Docker and Katacoda.

There were lots of questions asked during and after the meetup. So here I am trying to capture to the best of my knowledge Docker and containers questions and some of the answers for the future meetup mentors as a taste of things to come, I will  try to update and answer more questions, however I encourage joining the Docker community Slack channel and Forum for any further questions.



Technical:

Q: I am still confused what is the difference between image, and containers, aren't container and image both the same thing?

A: Think of the image is the golden template, and when Docker run it, it creates an instance of it in memory with the required customization "port exposed, environment variables set to configure an aspect, volumes bound, network connected,.., etc";  when the process/container is done, it still exists but now in disk, in case you need to create a  template from it, otherwise one needs to clean them up periodically. Although that question seems easy to answer, it was the most asked question from everyone at some time;

from Stackoverflow.com docker-image-vs-container

Docker Images vs. Containers

In Dockerland, there are images, and there are containers. The two are closely related, but distinct. For me, grasping this dichotomy has clarified Docker immensely.

What's an Image?

An image is an inert, immutable, file that's essentially a snapshot of a container. Images are created with the build command, and they'll produce a container when started with a run. Images are stored in a Docker registry such as registry.hub.docker.com. Because they can become quite large, images are designed to be composed of layers of other images, allowing a minimal amount of data to be sent when transferring images over the network.
Local images can be listed by running docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
ubuntu                    13.10               5e019ab7bf6d        2 months ago        180 MB
ubuntu                    14.04               99ec81b80c55        2 months ago        266 MB
ubuntu                    latest              99ec81b80c55        2 months ago        266 MB
ubuntu                    trusty              99ec81b80c55        2 months ago        266 MB
<none>                    <none>              4ab0d9120985        3 months ago        486.5 MB
Some things to note:
  1. IMAGE ID is the first 12 characters of the true identifier for an image. You can create many tags of a given image, but their IDs will all be the same (as above).
  2. VIRTUAL SIZE is virtual because its adding up the sizes of all the distinct underlying layers. This means that the sum of all the values in that column is probably much larger than the disk space used by all of those images.
  3. The value in the REPOSITORY column comes from the -t flag of the docker buildcommand, or from docker tag-ing an existing image. You're free to tag images using a nomenclature that makes sense to you, but know that Docker will use the tag as the registry location in a docker push or docker pull.
  4. The full form of a tag is [REGISTRYHOST/][USERNAME/]NAME[:TAG]. For aboveubuntu, REGISTRYHOST is inferred to be registry.hub.docker.com. So if you plan on storing your image called my-application in a registry at docker.example.com, you should tag that image docker.example.com/my-application.
  5. The TAG column is just the [:TAG] part of the full tag. This is unfortunate terminology.
  6. The latest tag is not magical, it's simply the default tag when you don't specify a tag.
  7. You can have untagged images only identifiable by their IMAGE IDs. These will get the <none> TAG and REPOSITORY. It's easy to forget about them.
More info on images is available from the Docker docs and glossary.

What's a container?

To use a programming metaphor, if an image is a class, then a container is an instance of a class—a runtime object. Containers are hopefully why you're using Docker; they're lightweight and portable encapsulations of an environment in which to run applications.
View local running containers with docker ps:
CONTAINER ID        IMAGE                               COMMAND                CREATED             STATUS              PORTS                    NAMES
f2ff1af05450        samalba/docker-registry:latest      /bin/sh -c 'exec doc   4 months ago        Up 12 weeks         0.0.0.0:5000->5000/tcp   docker-registry
Here I'm running a dockerized version of the docker registry, so that I have a private place to store my images. Again, some things to note:
  1. Like IMAGE ID, CONTAINER ID is the true identifier for the container. It has the same form, but it identifies a different kind of object.
  2. docker ps only outputs running containers. You can view stopped containers with docker ps -a.
  3. NAMES can be used to identify a started container via the --name flag.

How to avoid image and container buildup?

One of my early frustrations with Docker was the seemingly constant buildup of untagged images and stopped containers. On a handful of occassions this buildup resulted in maxed out hard drives slowing down my laptop or halting my automated build pipeline. Talk about "containers everywhere"!
We can remove all untagged images by combining docker rmi with the recent dangling=truequery:
docker images -q --filter "dangling=true" | xargs docker rmi
Docker won't be able to remove images that are behind existing containers, so you may have to remove stopped containers with docker rm first:
docker rm `docker ps --no-trunc -aq`
These are known pain points with Docker, and may be addressed in future releases. However, with a clear understanding of images and containers, these situations can be avoided with a couple of practices:
  1. Always remove a useless, stopped container with docker rm [CONTAINER_ID].
  2. Always remove the image behind a useless, stopped container with docker rmi [IMAGE_ID]
more from Stackoverflow "whats-the-difference-between-a-container-and-an-image"

Images are frozen immutable snapshots of live containers. Containers are running (or stopped) instances of some image.
Start with the base image called 'ubuntu'. Let's run bash interactively within the ubuntu image and create a file. We'll use the -i and -t flags to give us an interactive bash shell.
$ docker run -i -t ubuntu  /bin/bash
root@48cff2e9be75:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@48cff2e9be75:/# cat > foo
This is a really important file!!!!
root@48cff2e9be75:/# exit
Don't expect that file to stick around when you exit and restart the image. You're restarting from exactly the same defined state as you started in before, not where you left off.
$ docker run -i -t ubuntu  /bin/bash
root@abf181be4379:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@abf181be4379:/# exit
But, the container, now no longer running, has state and can be saved (committed) to an image.
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED              STATUS                          PORTS                      NAMES
abf181be4379        ubuntu:14.04        /bin/bash              17 seconds ago       Exited (0) 12 seconds ago                                  elegant_ardinghelli    
48cff2e9be75        ubuntu:14.04        /bin/bash              About a minute ago   Exited (0) 50 seconds ago                                  determined_pare        
...
Let's create an image from container ID 48cff2e9be75 where we created our file:
$ docker commit 48cff2e9be75 ubuntu-foo
d0e4ae9a911d0243e95556e229c8e0873b623eeed4c7816268db090dfdd149c2
Now, we have a new image with our really important file:
$ docker run ubuntu-foo /bin/cat foo
This is a really important file!!!!
Try the command docker images. You should see your new image ubuntu-foo listed along with the ubuntu standard image we started with.


Q: the "FROM" directive in Dockerfile, Shouldn't the best practice pin the image with a tag?


A: Yes, I think it would be a good practice to pin the base image in the FROM directive line in Dockerfile. The reasoning is the default is latest, that could mean if someone rebuilds the image again, he is not guaranteed original functionality as things might have changed in future base images that might affect the other layers, not guaranteed security also if it will be pulled from non-trusted repository/hub.

Q: What if my image was compiled with optimisation in mind, would that work with another platform that does not have the instruction set?

No, it would not work,  if one is targeting portability, he will build the image for the lowest denominator with no special platform specific compiler flags. There could be internal Enterprise use cases where different builds of the containers for particular platform, tags could be used to distinguish such images.

Q: How would containers help us startups? Do you have use cases?

Docker history has some good lessons to learn from, Docker by itself is a good use case. When Solomon Hykes the Docker founder started up dotcloud in Y Combinator and how the dotcloud team was supporting other Y Combinator startups build, deploy and ship their apps into AWS, and the 20 startups from YC that adopted Docker early. Check out the origin story of dotcloud and how it transformed to Docker.

Also, the rich Docker Hub app repository, regarding application subsystems, and ready components. If one have an idea how to help a customer, it can be fast and easy to prototype into a fully working application or build an appliance. The entire Docker Ecosystem to create a full working operational and development workflow for the prototype and help the application scale.

In most cases, containers are an alternative to virtual machines. So it's easier to talk to people that already have virtual machines in use as they can relate. Containers could prove faster, more performant, and easy to manage.

One case I had seen recently with Zenoss when they moved their architecture to Docker containers, it helped them ship a standalone version of a complex distributed application in a scalable, manageable approach. That customers can install Zenoss behind their firewall. The Zenoss distributed architecture is very complicated, it uses a mix of many solutions, but still user's the whole installation, upgrade, and management experience have been inspiring. 

How does Docker differ or relate to vagrant? How about docker-machine vs. vagrant?

The essence of Docker is the a-z of the software application lifecycle regarding build, ship, and run; that could be in any environment, development, production, QA, and could be multiple of environments mixed. Vagrant, on the other hand, is meant to be mainly for development, the Vagrant file is more or less like  the Docker compose YAML file describes the environment setup but doesn't describe how  the application instances or images are created, in Docker the images can be described using Dockerfile if not pulled from a registry/repository/Docker hub.

How can swarm allocate a container that might later overuse memory resources of the host?

How does Docker hub ensure images pushed to are lawfully licensed?

Some questions related to differences between images and containers
some questions when to use virtualizations vs. container or can one use both? 
Will it be possible to run Windows containers on Linux platform, or the opposite without docker-machine?
Can one enforce network usage limits,? Bandwidth on a container?
Not yet in current Docker versions at the time of this blog writing. There are several closed/open Github issues related to throttling/limiting network bandwidth for a container.  For example, Github shivacherukuri Docker-Network-Bandwidth solution is one way to go about it.

One questions about build Docker images for a legacy app that its container size reached 10G in size have asked him to follow up with me with details?

What is the size limit or expectations of container size?

it depends on the storage driver, Docker version used, and file system limits. for example for Docker 1.10+ and devicemapper it can be increased over 10G: Docker 1.10 daemon option to increase the basedevice size


Questioning the numbers of 7B+ downloads, the percentage of Docker in production? Having access to the application survey would have helped.?


As for the downloads number these were from Docker Hub, and most of it is the community images, a quick search today in the newly store, shows around 439,440 community images, and as one can see captured image below, some of these images had already been downloaded over 10M+ times

Docker Store showing community images with 10M+ downloads

there are several surveys done that report different statics regarding the adoption of Docker in production and in the Enterprise, however, all of them almost agree on the rate of growth of using Docker in production. one good resource discussing some of these statistics earlier this year is
Coscale Docker usage statistics increased adoption by enterprises and for production use

Some other example surveys:
  • https://clusterhq.com/assets/pdfs/state-of-container-usage-june-2016.pdf
  • https://redmonk.com/fryan/2016/12/01/containers-in-production-is-security-a-barrier-a-dataset-from-anchore/
  • https://www.datadoghq.com/docker-adoption/
  • https://www.cloudfoundry.org/wp-content/uploads/2016/06/Cloud-Foundry-2016-Container-Report.pdf
All these numbers are obsolete by now due to the rapid growth Docker and containers, in general, are seeing.

Non-technical  questions:

I did register for the Docker community, I do not see the general/ Global-Mentor-Week channel?


After you sign up for the Docker community group, you will get in your email a Slack invite, this is a manual process and could take some from few hours to a couple of days. Also double check your spam folder for any Docker/Slack related emails. 

 Can I download the training instructions offline?


I have raised the question in Docker community slack.  However, all training is now accessible free online; you should note that the practice is based on Docker community GitHub repos for the development course check it out at  Docker Github Labs, as for the operations, you can find it here Docker Orchestration Workshop


Some business related questions to local support, and resellers/partnerships in Saudi?


check  https://www.docker.com/docker-support-services#/faq and email sales@docker.com

Other questions:

Why the voter app breaks build breaks in Linux platform but does not on Windows? And using proposed solution makes the app not function right?

What is the percentage of serious critical/stateful business enterprise applications compared to web/cloud apps? Is Docker mostly for web/cloud apps?

Will there be professional certifications and exams on Docker ECO system?

As far as I know, Red Hat have some courses and exams:


Doing an ldd/pmap inside a container, how can the view from inside the container relate to the outside view from the host system, and what is static vs. dynamic in here?

Friday, 2 December 2016

Devops and traditional HPC

Last April, I have co-presented in Saudi HPC 2016 a short talk titled "What HPC can learn from DevOps." It was meant to bring awareness to DevOps culture and mindset to HPC practitioners. Following day, the talk was complemented by an Introductory tutorial to containers. This talk and tutorial were my second contribution promoting DevOps locally. The first attempt was In Saudi HPC 2013 with the DevOps afternoon; in which we had speakers from Puppet and Ansible with good examples back then of how automation "Infrastructure as code" frameworks encourage communications, visibility and feedback loops within the organisation.

Talk Abstract: 

Cloud, Web, Big Data operations and DevOps mindsets are changing the Internet, IT and Enterprise services and applications scene rapidly. What can HPC community learn from these technologies, processes, and culture? From the IT unicorns "Google, Facebook, Twitter, Linkedin, and Etsy" that are in the lead? What could be applied to tackle HPC operations challenges? The problem of efficiency, better use of resources? A use case of automation and version control system in HPC enterprise data centre, as well a proposal for utilising containers and new schedulers to drive better utilizations and diversify the data centre workloads, not just HPC but big data, interactive, batch, short and long-lived scientific jobs.

Here are some of my personal talk notes at that time. Apparently, they did not fit the 15 minutes window I was given.



Talk reflections and thought points:


Definitions: Presenting the different possible HPC workloads: HTC, HPC, HSC, and the recent trend in Data Centre convergence by considering BigData “Analytics” and more recently MLDM “Machine learning, Data mining.” Highlighting the diversity and variability of HPC workload, then moving to what DevOps means to HPC, Why it did not pick up as much? What HPC can learn from Enabling, cloud, and Big Data operations?

The disconnect: Traditional HPC software changes are infrequent; HPC does not need to be agile handling frequent continuous deployments. Each HPC cluster deployment is a snowflake unique in its way, making it hard for group users to port their work to other clusters, a process that takes days, weeks, often months.  The concept of application instrumentation and performance monitoring is not the norm, nor the plumbing and CI/CD pipelines.

The motivation: However, HPC infrastructures inevitably have to grow, innovations in HPC hardware requires a new look into HPC software deployments and development, HPC data centres will need them few highly skilled operational engineers to scale operations with fewer resources efficiently. The defragmented use of system resources needs to be optimised. The scientific and business applications might be rearranged, refactored, reworked to consider better workflows. Analysing application and data processing stages and dependencies looking at them as a whole and connected parts while avoiding compartmentalization and infrastructure silos.

The scalability Challenge: What could be the primary HPC driver to introduce DevOps culture and tooling?  Can't stress enough on scalability (the imminent growth due to initiative like national grids, and International Exascale computing, the workload, number of nodes, number of personalities or roles an HPC node might take)

DevOps tools: Emphasise richness of the tool set and culture that have driven tools evolution. Pointing out it is not about the tools, more than the concepts that tools enable. Not just automation, building, shipping and delivery workflows, but the ever engaging feedback loops, the collaboration, ease because of integration, highlight that communication and feedback are not just the human face-to-face but also the meaningful dashboards and actionable metrics,  the importance of code reviews, the rich API, the natural UX.  Such comprehensive set of tools and unlike the current HPC defragmented alternatives or in some cases Enterprise tools used wrongly for HPC.

Use case of differences:  The case of Provisioning; and how the terminology differs between the HPC and web/cloud communities. Taking this example further to pivot to the false assumptions of HPC can be just bare-metal provisioning.

Validation: Validation of the hypothesis of serious HPC workload in the cloud, and recent use cases for containers deployment in HPC from surveys and production ready vendor solution trending the last couple of years may be present some of the related HPC cloud news.

2nd Generation Data Centre provisioning tools: Alternatives, offer open source alternatives to traditional HPC provisioning tools and highlight their diversity in handling bare-metal, virtual images instances, and containers. As well the possibilities for combining this with diskless and thing OS hosts.

The current state of the HPC Data Centre:  Highlight the problem of static partitioning (silos), and the various workload needed to either support or complement the bigger business/scientific application and discuss valid reasons of partitioning.

Resource Abstraction:  What if we abstract the data centre resources, and break down the silos? How should that be done?  What core components need to be addressed? Why? Present an example proposal of such tooling with the reasoning behind it.

Unit of change:  Containers technology is a useful enabling technology for such problems. Does not have the performance overhead issues that HPC shied away from in virtualisation related solutions, and will enable portability for the various HPC workload deployments. Not to mentions the richness of its ecosystem to enhance the current status quo of scheduling, resources, and workload management to greater levels of efficiency and better utilisation of Data Centre resources.

The software-defined data Centre:  Everything so far can be either code or managed and monitored by code. How flexible is that? And what new opportunities it brings?  How can everything be broken down into components? How parts integrate and fit together? enabling a “Lego style” Compose-able infrastructure driven and managed by code, policies, and desired state models. How has code opened new possibilities to stakeholders?


Some Docker evaluation use cases:

Challenges ahead: The road ahead expectations? The unique differences and requirements?  Which underlying container technologies need to be in place and for what?  The right amount of namespace isolation vs. cgroups control, how about LXC, LXD, Singularity, Docker? What would we see coming next?


The importance of having the right mindset to evaluate, experiment new paradigms and technologies, eventually deploy and utilise them in production; introduce new workflows, enable better communication between the different teams (developers, users, security, operations, business stakeholders). The concept of indirection and abstraction to solve computer problems, in this case, the 2-level indirection scheduling for granular resource management. The container unit concept for the workload is not just for applications; it could also be for data.

to be continued ...

References:

https://blog.ajdecon.org/the-hpc-cluster-software-stack/
http://sebgoa.blogspot.com/2012/11/i-was-asked-other-day-what-was.html
http://qnib.org/data/isc2016/2_docker_drivers.pdf