[Fossetcon] Chef Container

Post on 02-Jul-2015


description

A talk given at Fossetcon 2014 describing the new Chef Container functionality.

transcript

Chef for Containers
Using config management in your container workflow

Tom Duffield
Software Development Engineer at Chef
Twitter: @tomduffield

Fossetcon 2014

Agenda
• Introduction to Docker
• Chef Container
• Knife Container Workflow
• More Information
• Questions

Introduction to Docker

What are Linux containers?
• Lightweight virtualization provided by libraries inside the Linux Kernel.
  • cgroups
  • namespaces
  • capabilities
  • selinux
  • apparmor
  • netlink
  • netfilter

What is Docker?
• Utility that improves the usability of Linux Containers by providing:
  • a layered file system (Docker Images)
  • a cross-platform execution engine (Docker Engine)
  • a social space to share common libraries (Docker Hub)

Hypervisor Virtualization
[Diagram: Server, Host OS, Hypervisor, then four virtual machines, each with its own Guest OS, bins/libs and one app (a, b, c, d).]

Docker Containers
[Diagram: Server, Host OS, Docker Engine, then containers holding app a, app b, app c and app d on top of two bins/libs blocks, with no Guest OS layer.]

Benefits & Gaps of Containers

Benefits
• Speed
• Portability
• Density

Gaps
• Security
• Persistent State
• Credentials

Simple Docker Workflow
• Pull (Download)
• Run (Launch)
• Commit (Snapshot)

docker pull ubuntu:12.04
[Layers: ubuntu 12.04]

docker run ubuntu:12.04 apt-get update
[Layers: ubuntu 12.04, then apt-get update (container 012345678)]

docker commit 012345678
[Layers: ubuntu 12.04, then apt-get update (012345678)]

docker run 012345678 apt-get upgrade
[Layers: ubuntu:12.04, then apt-get update (012345678), then apt-get upgrade (container ABCDEFG)]

docker commit ABCDEFG
[Layers: ubuntu:12.04, then apt-get update, then apt-get upgrade (ABCDEFG)]

The Dockerfile

FROM ubuntu:12.04
RUN apt-get update
RUN apt-get upgrade -y

Dockerfile Workflow
[Diagram: Pull, Build, Run, with the Build step made up of repeated Run and Commit steps.]

docker build mycontext

Dockerfile:

FROM ubuntu:12.04
RUN apt-get update
RUN apt-get install -y apache2
ADD myconf.conf \
    /etc/apache2/sites-enabled/mysite
ADD mysite /var/www/mysite

Build context:

mycontext/
  Dockerfile
  myconf.conf
  mysite/
    index.html

Chef Container

Chef Container is a package that provides configuration management for your containers.

Chef Container allows you to:
• define your container configuration using Chef recipes.
• idempotently manage the running state of your container.
• safely manage multiple services inside your container.

Chef Container is great for handling:
• installation and configuration of complex applications.
• transitioning traditional architecture to containers.
• handling last-mile configuration when container boots.

Consistency Across Architectures

Physical Virtual Cloud Container

Mixed Architecture Applications

Development Test QA Prod

Understanding the PID1 Problem

$ docker run busybox ps -ef
PID USER COMMAND
1   root ps -ef

• The command you specify via docker run replaces init and becomes the root process (PID1).

Addressing the PID1 Problem
• The root process (PID1) is responsible for:
  • telling the container what processes it should run.
  • ensuring all child processes are properly managed.

Chef Container Components

chef-client

runit

chef-init

runit is a lightweight, cross-platform init scheme you can use to ensure all child processes are properly managed.

http://smarden.org/runit/

chef-init is a root process which can launch and manage multiple processes inside a container.

https://github.com/opscode/chef-init

[Diagram: on Debian, Red Hat and CentOS systems the root process is init. In Docker containers built on those platforms, chef-init takes the root process position, with runit beneath it.]

Knife Container Workflow

knife container TOOL SUBCOMMAND

chef gem install knife-container

knife container docker init
• Generate Docker Context
  • Docker Components
  • Chef Components
• Download Base Docker Image

$ knife container docker init NAMESPACE/IMAGE_NAME [options]

Frequently Used Options

Flag  Description
-f    The base Docker image to use. The default is chef/ubuntu-12.04.
-r    Your Chef run list.
-z    Use chef-client local mode.
-b    Use Berkshelf to manage cookbook dependencies.

[Diagram: knife container docker init produces the myorg/myapp context from the ubuntu-12.04 base image (v0).]

knife container docker build
• Resolve Chef Dependencies
• Build Docker Image
• Cleanup Chef Artifacts

$ knife container docker build NAMESPACE/IMAGE_NAME [options]

Frequently Used Options

Flag     Description
--force  Force the resolution of Chef dependencies.

[Diagram: the first knife container docker build of myorg/myapp adds image v1 on top of v0 (ubuntu-12.04); a second build adds v2 on top of v1.]

Long Term Speed Benefits
[Diagram: items A, B, C, D correspond to Dockerfile layers L1, L2, L3, L4 and Chef recipes R1, R2, R3, R4.
Image v1: Dockerfile build = ubuntu:12.04 + L1, L2, L3, L4; Chef Container build = ubuntu-12.04 + CCR1 (R1-4).
Image v2: Dockerfile build = ubuntu:12.04 + L1, L2, L3, L4; Chef Container build = ubuntu-12.04 + CCR1 (R1-4) + CCR2 (R2).]

Why use Chef Container?
1) Fast and easy transition from existing architecture.
2) Consistent configuration model across containerization solutions and types of architectures.
3) Mixed infrastructure environments.
4) Idempotency in your image build process and in your running containers.
5) Decreased overhead for configuration changes.

More Information

Documentation
• Documentation: http://docs.getchef.com/containers.html
• Docker Images: https://hub.docker.com/u/chef

Feedback
• http://github.com/opscode/chef-init
• http://github.com/opscode/knife-container

Roadmap
• Rebuild images from a fresh base image.
• Add multiple, custom tags to your Docker images.
• Improved management of secure credentials.

What would you like to see? Submit input and feedback!
• http://github.com/opscode/knife-container/issues
• http://github.com/opscode/chef-init/issues

Questions?

Tom Duffield | @tomduffield