How Docker and containers changed the way we manage technology - Docker Orlando meetup

All right, welcome everybody. My name is Shelley Benhoff and this is the Docker Orlando online event. We are here today to talk about how Docker has changed the way we manage IT, featuring my friend David Clinton. He is a solutions architect and Pluralsight author, or, if you would like, you can call him "your majesty", which I love, because I always have on a tiara; that's my personal brand. So without further ado, here is David.

Thank you, Shelley. I think it's going to be a lot of fun to be here. I might be a little less focused on Docker than some of you; day to day I don't do a lot of Docker work in my regular activities, but I go back a long way with container technologies and with Docker. I'm going to focus here not so much on the how: how stuff gets done, how you make sure your networks are opening up what's supposed to be open and closing what's supposed to be closed, and how you know you can access your storage volumes. That's very important, of course, and it's something anybody working with Docker has to spend time on. But I'm going to focus more on the why: that is, what can containers do for us, and what could they do for us that we haven't thought about yet?

Creativity, I've always found, is an ephemeral thing. You can try to think creatively and come up with new ideas for new applications, and you can think for hours, and for me anyway I just run around in circles most of the time. My real creativity usually comes in five-minute bursts, and it usually comes by stepping back and taking a look at the big picture of a technology or of a problem. The container world has a very big picture, and it's maybe worth it, I hope it'll be worth it for you, but it's certainly worth it for me, to take a step or two back and look at the history of container technologies and virtualization as a whole. Then at the end maybe we'll come up with something newer; we'll certainly talk about the kinds of things we might want to think about to come up with something really new and useful. So yes, we're talking about Docker and containers, but from a historical perspective.

The topics we're going to focus on are, well, a little bit of history. I'm not going to tell you what virtualization is and does, I'm sure that's not necessary in this crowd, but a little bit of the history, how it evolved. We'll talk about chroot and jails and LTSP, and for those of you who don't know what LTSP was and is, I'll introduce you a little bit to that; and LXC. Here I just recently discovered, even though I've been working with LXC (Linux Containers is what it stands for) for many years, that LXC is pronounced "LXC" but LXD is actually pronounced "Lex D". For some reason the official pronunciation for the technology is "Lex D". Then the primary illustration of creative applications for containers is going to be admin environments. In my particular case I'm primarily a sysadmin; I worry about administration environments, where applications live and where administration gets done, so that's what I think about a lot. I'm going to use a very specific illustration of an environment which was completely turned upside down by Docker containers. I'm going to keep an eye on the chat, by the way, if anybody has any questions or observations or insults or good jokes; anything is just fine in chat.

So we'll start a little bit, even though this is not going to be groundbreaking for anybody here, with the difference between virtual machines and containers. A virtual machine, as you can see, requires two extra layers of resources: a hypervisor, which interfaces between the host operating system and any VMs running within the hypervisor, and there's a resource overhead for that; the hypervisor takes a certain amount of system memory and system storage. And then there's each guest OS, each VM running within the hypervisor. An example, by the way, of a hypervisor which we probably all use is Oracle's VirtualBox. It's a very handy, very versatile, very flexible tool; it allows you to run operating systems that have nothing to do with your host operating system: Linux on Windows, Windows on Linux, anything on macOS. macOS on nothing; you can't run macOS anywhere else, as far as I know. But the flexibility comes with a cost: it takes system resources to run a hypervisor, as I said, and it takes system resources to replicate a complete guest operating system for each virtual machine you're running. So it takes up resources.

Containers, on the other hand: each container shares the kernel of the host, so you lose two layers of resources that are overhead, and as a result you have fast and lightweight, easy to share, easy to script and automate containers. Little operating systems, as you all know, running happily with a very light footprint. And of course Docker is a container. Docker was not the first species of container that the world ever saw, but it was for a while the most popular, and it's still rolling along at full speed, with tremendous innovation happening within its ecosystem.

But as I said, it wasn't the first type of virtualization that could be loosely described as a container. If you want to get really loose in your description or your definition of a container, then you go all the way back, I believe, to the late 1970s, on timeshare machines that predate just about everything. Obviously this was Unix, and the technology was called chroot, which stands for "change root". Again, I think it's useful to think about how this worked and what it was used for, to give us this big picture of how virtualization can be useful in new and innovative ways.

So with chroot, effectively you're working within a Unix system; it still exists today in Linux, and I guess it's in macOS also. These are just two commands that are illustrated; you can actually run a whole chroot with two commands. You would create a location in the file system, in this case mount /dev into /tmp/dev, and you mount various resources to that directory using bind. So you would mount the system resources that would allow you to run commands within that directory independent of the host operating system. When you've mounted all the necessary resources in the directory, then you create a new shell in the directory using the chroot command, and you'll find yourself in the chroot. The shell looks the same. I'm not going to replicate it now, it's a little complicated and it's just not worth it, but you're in a shell where all the commands you run exist only in the shell and have no impact on the host operating system.

The advantage, of course, is isolation. You're not risking making a mess of your host system, you're not changing any configuration files, you're not loading up directories that shouldn't be loaded up with extraneous data. You're running something specific to that directory, that shell, and what happens there stays there. We have a fairly robust level of isolation; nothing like what you can get today in Linux systems using cgroups or similar isolation tools, but it was pretty good for the 1970s.

Where are you going to use chroot even today? If you're running a Linux system and you lose your admin password, and you're the only admin on that system, you don't have a whole lot of options. The system is pretty impenetrable unless you happen to get lucky and the password wasn't that complicated and you managed to hack it. But under most circumstances, and of course you're not the type of people who would use a weak password, you're in a lot of trouble, unless you want to unmount the drive. I'm not going to go through the whole process now; some of you have probably seen it. You can mount the drive on a different Linux system and create a chroot in the drive, in which case you'll be able to run commands within the chroot environment, and the command you'll run will be passwd, to update your password. Then you simply unmount the drive and run the system again normally, and you'll have a fully accessible Linux system with a password. That's convenient, fun, and a little bit magical, and it's a lot of fun to watch people who were desperate, feeling they had no choice but to burn their machine, somehow have life again.

Another place where you're going to use chroot in a modern context is Linux kernel compiling. When you edit the kernel directory in the file system because you want to create your own distro, a flavor of Linux that does specific and customized things, things that you might be the only one who needs, you need that environment, and the best way to do that in many cases is by compiling your own kernel. You take the kernel file system itself, make any edits you want, and then what? Well, this little snippet of code, which features the fakeroot command, is similar to chroot; it's just called fakeroot. What it does is build a little isolated environment within your Linux system where you can import the kernel file system itself, which includes any changes you've made, and compile your own new kernel. It's completely independent and isolated from the host environment, so you're not making a mess of your host. Again, you're creating a clean and new environment for a complex process which otherwise would have been really complicated and messy to do. It's another place where you're going to use a chroot-like technology for a very modern application.

But again, this isn't a container. In which way is it not a container? Well, a container, as you know, is its own standalone operating system that we can save, share, and move somewhere else, and then you'll have the exact same environment anywhere. This isn't standalone. What we're doing with fakeroot and chroot is not standalone; you may have some of the comparable isolation features that a container might have, but it's not a container in and of itself.

We came a little closer to the container paradigm, a lot closer actually, with FreeBSD jails. The first commercial, or the first enterprise, servers I actually worked on, a bunch of years ago, I'm going to say how many, were actually still running FreeBSD jails. That was kind of towards the end of FreeBSD's popularity, I suppose. It's still around; from this screenshot of their website you can see the project is definitely still alive and kicking, but it's not dominant in the way that it once was. FreeBSD, by the way, is an operating system that was built on a licensed fork of Unix, I believe, and it was built long before Linux, I think, some time before Linux. BSD stands for, well, the first two letters are Berkeley Software; Berkeley is the university in California which was a great home of open source software development, and still is, I believe. Berkeley Software something; I'm not sure what the D stands for. FreeBSD is the operating system that came out of that lab.

So a jail is pretty much like a container. It gets its own IP address; unlike chroot, which is still living really in the shadow of its host, a jail gets its own IP address. It has greater isolation than a chroot would have, and I believe it's simply based on a file system that's saved to disk, so it can be copied and moved somewhere else. So you're getting a lot closer to the kind of environment that we became familiar with through Docker.

A bit of a step to the side, I guess. I came into virtualization originally about 15 years ago through the LTSP project. Back then, if my memory serves me, LTSP stood for Linux Thin Client Server Project. It kind of petered out when it wasn't necessary anymore; I'll explain why in a minute. Now someone has brought it back to life with a different twist, and it's now called the Linux Terminal Server Project; it's something a little different. Back then, though, the Linux Thin Client Server Project: if you're of a certain age, you'll be familiar with a thin client. That is, in a time when hard drives were very expensive and RAM was really expensive, and you had a school or a bank or a large company where a lot of the functions that each user sitting in front of a computer screen would have to do were repeated, identical to what the next person over or the next classroom was doing. Since there was so much overlap and repetition, and since hard drives and memory were so expensive, what a lot of companies used was thin clients. They would basically have a screen, a keyboard, sometimes a mouse if you were really lucky, and a network card that would access the network. You'd have to have a CPU, of course, and some memory. Every time you turned the box on, it would head out into the network and look for a network host using a technology called PXE, I believe; it's been a long time, but yes, PXE. The host, wherever it was, would provide an operating system image, the client would load the image, and it would become a working operating system entirely running in local RAM. Nothing was necessarily saved to any local hard drive; there didn't actually have to be a hard drive.

I did this. I created, yeah, it was a lot of fun too, I'll tell you. I was teaching in a high school, again this is 15 years ago, a small private not-for-profit high school, and it definitely was not for profit. We didn't have enough funds for a decent computer lab that would serve all the students properly, so I created, I think the first one I created, six thin clients. None of them had a hard drive, and there was a seventh machine, I believe, that was the server, and it had the only hard drive in the system. The other six, whenever they booted, would look for the network host, which was the seventh computer, and they would boot the image using LTSP, and each of them had a perfectly functioning Linux desktop with access to shared storage space, but each one according to the login account. So you'd log into your account and you would have automatic and invisible access to specifically your files. It was easy to manage, it was loads of fun, and I could actually do nasty things to the students: if I didn't think they were behaving quite right I would reduce access to certain resources or rights or whatever. Loads of fun, but it's also really cheap.

So the thing is, basically, the little bit of RAM on the thin clients was enough to load a chroot environment on the server, so really everything was running on the server; it just didn't look that way. The thing is that by around 2010, I suppose, hard drives were cheap enough and coming down in price weekly, so this wasn't really necessary anymore. There was no reason to have 30 computers in a classroom without hard drives, all sharing the resources of the server; it was just overkill and entirely unnecessary. So the LTSP program kind of fell apart and fell into disuse. Now, as you can see from the screenshot of their current website, they are the Terminal Server Project, which still uses chroot, not necessarily to use the resources of the server, but to access the desktop settings and desktop configurations, and everybody is getting a perfectly updated and synchronized experience on their desktops, even if they're of course using their own resources to get there. In the day we would have called those fat clients, but somehow that's not quite as popular a description anymore.

In any case, that was LTSP. It's important because it was a very creative application of the chroot technology, and I don't know if there were tens of thousands of people using it, but it was an important step towards containers. Now how do I know that? Because one of the main developers of LTSP at the time was a fellow named Stéphane Graber, and when LTSP originally disappeared and sort of fell out of use, he moved over to Canonical's LXC project. LXC containers, those are the first, I guess you could say, true modern containers, and that's the model that was used by Docker when they developed their own system. So LTSP is like a grandparent, you might say, of Docker.

So let me show you, since I have a computer I might as well use it, what LXC is. Again, LXC stands for Linux Containers, the Linux Containers project, and this is the LXD version of it I'm running, so it's a modern version. Let's see if I can type; the answer probably is not. So I'm going to launch a brand new container. It's going to run Ubuntu 22.04, but it could be any flavor of Linux pretty much, and any version of any flavor of Linux, so I can run really anything natively on this kernel. It happens to be an Ubuntu system I'm using. I'll call the new container "test". It's creating it from scratch; if necessary it'll pull the image itself. I don't think it's necessary to pull the image right now. And it's done. I can go in and log into test with a shell, and there I am. I'm in a working, living Linux machine as a container, a very lightweight container.

Now of course you're all Docker people, right, so you're saying, yeah, big deal, we can do that with docker exec also. That's true, you can do this with docker exec also, but you shouldn't. Docker's not really meant to be a system you log into and mess around with; as you all probably know, Docker is meant to be scripted, with a Dockerfile or whatever orchestration tool you use. It's meant to be scripted until it's time to replace it, and then you kill it and replace it. LXC containers can be scripted and can be brought up and then destroyed when no longer necessary, but they actually have a different focus. You can use them as fantastic test beds to build a container on any Linux distribution you like, to do anything: you can build it as a web server, as a proxy server, as really an application server, anything, and you keep it alive until it's not necessary and then you kill it. But you can run it as a real server. So one is not better than the other; Docker is not better than LXC and LXC is not better than Docker, but they have different focuses, and Docker really is something that is orchestrated by scripting. So that's the end of that demo.

As you can see from this screenshot of the LXC image library, you see two things. Number one, its host is Canonical. Canonical, as you probably know, is the supporter and developer of Ubuntu; they also have many other businesses that are all adjacent to open source software of one sort or another. They're a great patron of the open source world and have been for a long, long time, and they are the developers and supporters of the LXD and LXC projects. So they have in this particular library maybe 150 or more Linux distributions, and various releases of them, and various architectures, like amd64 and arm, as you can see, that are all available as LXC images to pull and run within the LXC environment. It's a fantastic tool and it's a fantastic community, and Stéphane Graber is still very much involved with it, and very much in charge.

By the way, I should add that in the trade-off, when you're thinking about a new project, should this be a VM, a virtual machine using let's say VirtualBox, or should it be a container? It used to be you were constrained, and sometimes the answer was obvious. For instance, if I wanted to build a VM or a container within which I can launch Docker containers to experiment, then the answer always was, well, it's going to have to be VirtualBox, because you can't launch Docker containers within an LXC container. That's not true anymore. You can actually now, I've done it, run nested Docker containers in LXC within LXC within LXC. I don't know how many layers you can go down, but it's mind-blowing how much you can actually do with an LXC container. And yes, 100%, without a doubt, you can run Docker within LXC; you can also run LXC within LXC, I don't know why you'd want to. Another use case that VirtualBox was usually necessary for, at least we thought it was necessary for, is if you need to do a desktop, if whatever application you want to run is a desktop application. Well, that's not going to work within LXC containers. Well, that was then; now you can actually run GUI desktops within LXC containers. So they're lighter, faster, and just mind-blowing. I can't get over what you can do. So that's some of the wonder of LXC.

Now what I really wanted to talk about, what inspired me to talk about this whole thing from the beginning: this screenshot is from the website of a company called Greenbone. They produce some software; one version of the software, the open source version, is called OpenVAS, and VAS stands for vulnerability assessment. OpenVAS is vulnerability assessment and vulnerability scanning software; it's a cybersecurity software package. I have created a number of versions of a course teaching the use of OpenVAS for Pluralsight. The first two versions of the course, one I think was from 2017, another was in 2020, I believe. In the first two versions of the course, thirty percent of the course time was spent on installing the software, and that was because, if I remember correctly, I would install the software from the Ubuntu or Red Hat software repositories, I'm not sure which I was using at the time, and then, when the software was installed, I'd try to start it and it wouldn't start, because there were some background requirements that the system wasn't meeting. So I would go online and try to figure out what am I missing, what do I have to install, what do I have to change, and, preparing the course, I would spend a few days tracking down and beating all the bugs, and then I'd teach the installation process that I had experienced that week.

The problem is, by the time I finished teaching that and published the course on Pluralsight and people started to use it, there was a completely new set of bugs facing somebody who was installing. So really it was a waste of time; whatever it was, it might have been a half-hour video describing how to get around all the bugs, and it was mostly useless for the students who were actually watching the course a month later. When I did the same thing in 2020, the second version of the course, I had a new set of problems but the same general idea, which were also outdated by the time the course was published. When I had to do a third version of the course, about six months ago, I think, I discovered, and I don't know exactly when the change happened, that Greenbone, if you look through the text on this page, that's why I have it here, under the "Important" section there are all these caveats: it may not work the way you expect, the contents of the package coming from your repository may not be exactly the way we expected it to be, things may go wrong. So I discovered then that they also provide, for self-preservation purposes, on GitHub and on Docker Hub also, a Docker container for OpenVAS, which eliminates 98% of the problems, because Docker containers of course are self-contained. All the system configurations and settings are already there; every package and every module that's necessary is there in the container. All you have to do is come to their GitHub page and copy the script, which is above the screenshot you see right here. Look through the script before you run it, because of course, as you know, you should never copy and paste stuff off the internet and then actually run it, because you don't know what's in there. But in my experience the script is fantastic. Run the curl command, that'll actually download the script, and then run the setup-and-start-greenbone-community-edition.sh script, and you're basically there. What was a two-day process trying to troubleshoot all the bugs turned into a five-minute process, and very relaxing too.

So this is an example of a fairly innovative but absolutely fantastic application of the container system, the container mindset I guess: that you can use a tool like Docker to build an environment that's completely portable and solve real administration problems. It's really what I wanted to draw out more than anything else with this little meeting we're having, the meetup we're having: that there are a lot of problems in administration. Forget about application production, application deployments, which are an important area also, but forget about that. In administration, tools that admins use, tools that a company will use internally, can be complicated and can get in their own way, step on their own feet, simply because of the layers and layers of resource stack that are necessary, which can be avoided with an intelligent container. And it's not just Greenbone; they do it, as I said, for self-preservation, because they were overwhelmed with bug reports and a constant stream of requests for help from users who were trying to get installed.

I should back up a little bit. Greenbone itself has a commercial product, and that is, as far as I understand, actual physical servers. If you deploy OpenVAS or Greenbone the way they ideally want you to, you will buy one of their physical servers and they'll ship it to your server room and you'll deploy it there. The advantages of that include that if you're going to start doing the scanning operations at scale; OpenVAS is generally not used by just one person on his own household devices, usually it's used by security professionals who are monitoring the security status of hundreds or thousands of servers. So if you're going to do scanning at that kind of scale, it's helpful to have standalone hardware. So Greenbone sells the standalone hardware, and when they send the hardware out it's going to work, it's guaranteed to work; it's their environment, they built it themselves. However, when we want to use the OpenVAS open source version, as we've seen, that gets complicated, and they were probably getting close to jumping out the window under the blizzard of help requests they were receiving, and Docker was simply a fantastic alternative to that kind of customer support.

Okay. As I said, this whole discussion is really about trying to open up new possibilities, to get ourselves thinking in new directions: what other problems can Docker solve for us, what other containers or images can we build that are going to make life a lot easier for a lot of people? So that's actually what I had to present, and I really want to hear if anybody out there has some other ideas, things that you've already done or things that you're planning to do, or things that the last half hour has made you imagine might be possible. So now I'm going to throw it at you: does anybody have their own input on this kind of topic?

Awesome, thank you so much.
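The talk's closing advice on the Greenbone install script (download it, read it, and only then run it, never pipe something off the internet straight into a shell) as an added example. This is editor-written example code, not code from the talk or from Greenbone; the URL and digest in the commented-out invocation are placeholders, and the pinned SHA-256 is something you compute and record yourself after reviewing a copy of the script.

```shell
#!/bin/sh
# Added example (not from the talk or from Greenbone): download an install
# script to a file, show it for review, and run it only if its SHA-256
# matches a pinned value. The URL and hash below are placeholders.

sha256_of() {
    # Print the hex SHA-256 digest of the file in $1 (coreutils or macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_script() {
    # Return 0 if file $1 hashes to the expected digest $2, 1 otherwise.
    # Digests are compared case-insensitively so a pasted uppercase hash works.
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

fetch_review_run() {
    # $1 = URL of the install script, $2 = pinned SHA-256 (hex).
    # Downloads to a temp file instead of piping curl straight into sh,
    # so the script can be inspected and verified before it executes.
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_script "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $url; refusing to run" >&2
        echo "got:      $(sha256_of "$tmp")" >&2
        echo "expected: $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    ${PAGER:-less} "$tmp"          # read it before running it
    printf 'Run %s? [y/N] ' "$tmp"
    read -r answer
    case $answer in
        y|Y) sh "$tmp"; status=$? ;;
        *)   echo "not run"; status=1 ;;
    esac
    rm -f "$tmp"
    return $status
}

# Example invocation (placeholder URL and digest; replace with the real
# script URL from the Greenbone docs and a digest you computed yourself):
# fetch_review_run https://example.invalid/setup.sh \
#     0000000000000000000000000000000000000000000000000000000000000000
```

The pinned digest only helps if it came from somewhere other than the page you are downloading from (a copy you reviewed earlier, or a hash published out of band); a hash shown next to the download link proves nothing about a compromised server. A mismatch means the script changed since you reviewed it, which is exactly the moment to read it again rather than run it.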

2022-12-24 08:18
