Docker on Docker

Docker on Docker

Add picture here

Brett InmanInfrastructure Engineer

Marcus MartinsSenior Manager - Orchestration

Docker Inc Docker Inc

Docker on Docker● Where we were

● How we moved to Docker EE

● What we learned

● How we’re making Docker EE better

SaaS at Docker● Docker Hub● Docker Store● Docker Cloud

> 1B pulls a month

> 500K builds a month

> 5000 requests / sec

Philosophy● High Availability

● Self-healing

● Self-service

● Build it - own it

Where we were

Previous InfrastructureInfra provides:

● Group of Docker Hosts per team● Docker TLS Certs● Centralized logging● Centralized metrics● Service discovery / routing

How dev used the old setup

Dogfooding Docker since 2013

How dev used the old setupThe good parts:

● Fully containerized● Docker as the only interface● No SSH access

How dev used the old setupThe bad parts:

● Multiple deployments tools● Imperative deployments

How dev used the old setupThe bad parts:

● Hosts as pets● Manual resource management

What was missing

Docker EEAdd picture here

● Docker Swarm● User

Management● Resource

Access Control

How we did it

Didn’t Change Anything*

FocusChanged:

● Orchestration

Did not change:

● Code● Containers● Logs● Metrics● Service Discovery● Routing

Enabling the transition

Self-service transition● Goal: give service teams control● Use both deployments at will● Swarmkit mesh networking - magic, but:

○ Hard cutover transition for us○ Can’t pull metrics from individual containers

Our Routing● Registrator● Consul● Consul-template● Haproxy

Host Port Publishing

--publish mode=host

Enables classic engine behavior of exposing container port on host for Swarm services

Automation

● Bootstrap lock

● Discovery - Load balancer or tags

Quorum failure without intervention

Resources Constraints

Human is no longer the scheduler

Reservation=

Limit

docker service create

--reserve-memory 640m --limit-memory 640m

SystemReservation

docker service create \--name system-reservation \ --reserve-memory 1G \ --limit-memory 1G \--mode global \--init \ubuntu sleep infinity

Cloud Permissions● IAM is at host level - not container● Each team gets an autoscaling group● Leverage UCP Collections

New deployment model

Declarative version: '3.3'services: api: image: example/api:2.1.2 ports: - mode: host protocol: tcp target: 80 environment: DEBUG: False ENVIRONMENT: product ...

● Compose file● Deploy with `docker

stack deploy`● All stacks defined in

source control

Updates version: '3.2'services: api: image: example/api:2.1.2 deploy: replicas: 20 … update_config: delay: 10s parallelism: 2 order: stop-first max_failure_ratio: 0 failure_action: rollback

…

● Rolling updates

● Automated rollback

Access Control version: '3.2'services: api: image: example/api:2.1.2 deploy: replicas: 2 … labels: com.docker.ucp.access.label:/Api …

● Using Docker EE

Collections

What’s better?Decouple host from application

● Host replacement● Host failures● Build it own it - developers don’t own hosts

Host Replacement

Three touches:

● Ops● Dev● Ops

Host Replacement

One touch:

● Ops

What else?● Easy to scale application

● Standardization

● Docker-native

Where we are now

Now● All of Docker SaaS is running on

Docker EE● 80 worker nodes● 60 swarm services● 1000 tasks● Multiple deployments a day

Improving Docker EE

Best PracticesTopics including:

● Managing Resources● Provisioning and Automation● Logging and Monitoring

Coming soon to success.docker.com

Product guidance● In-house customer at scale in production● Architecture● 35+ feature requests ● Host port publishing● More soon!

Canary● Running every Docker EE Release Candidate

● 50+ bugs filed

● Customer Zero

Docker EE

with Kubernetes

in production

Thank you

● Questions?

Docker EE Hosted Demo

Add picture here

docker.com/trial

● Free 4 Hour Demo● No Servers Required● Full Docker EE

Cluster Access