Pluggable Infrastructure with CI/CD and Docker.
Bob Killen
Systems Programmer/Analyst Senior
Department of Pathology
University of Michigan Health System
Jeffrey Sica
Business Systems Analyst Lead
Department of Pathology
University of Michigan Health System
Disclaimer
All opinions spoken by Bob or Jeff are their own and not that of the
University of Michigan or its affiliates.
A bit of background
Central IT vs Pathology Informatics
HIPAA Concerns
Our original infrastructure
● Before Docker, there were VMs
● Started on Kubernetes
● Migrated to Individual Hosts
Challenges we faced
● Managing multiple instances of the same infrastructure
○ Public applications must be firewalled from Internal applications (HIPAA)
● Rapid prototyping and demoing of applications
○ Victims of our own success
● Large infrastructure, small staff
○ 40+ independent in-house developed applications or services
○ 1 Designer, 1.5 Developers, 1.5 Sysadmins
Workflow - Outside of Host Cluster
● Commit and code push.
● Source control server notifies the build server of the new commit.
● Build server schedules a build at the new commit.
● If the build is successful, tag the image and push it to the registry. Otherwise notify the group.
● After the successful build is pushed to the registry, trigger a cluster update. Notify if a problem arises during the update.
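The build-server side of this workflow, as an added example that is not code from the slides or the authors' pipeline. It assumes a Jenkins-style job that exposes GIT_BRANCH and GIT_COMMIT, a REGISTRY variable naming the on-premise registry (placeholder value below), DOCKER pointing at the docker CLI and DEPLOY_HOOK naming whatever triggers the cluster update; DOCKER and DEPLOY_HOOK are overridable so the control flow can be exercised without a daemon. The tag is derived from the commit rather than "latest", so every image in the registry names the exact source it was built from.

```shell
#!/bin/sh
# Added example (not code from the slides): build, tag, push, then trigger the
# cluster update; notify the group and fail the job on any error.
# Assumed inputs: GIT_BRANCH, GIT_COMMIT (Jenkins job variables), REGISTRY,
# DOCKER and DEPLOY_HOOK (names chosen for this example).
set -eu

: "${DOCKER:=docker}"
: "${REGISTRY:=dtr.example.internal}"   # placeholder registry hostname
: "${DEPLOY_HOOK:=:}"                    # no-op by default; a real value would talk to the cluster

# Immutable tag = branch + first 12 hex characters of the commit. A tag that names the
# exact commit makes rollbacks and incident timelines unambiguous.
image_tag() {
  branch=$(printf '%s' "$1" | tr '/' '-')   # "/" is not valid inside a docker tag
  printf '%s-%.12s' "$branch" "$2"
}

# Where "notify group" goes in a real pipeline (chat, e-mail); here it only logs.
notify_group() {
  printf 'NOTIFY: %s\n' "$1" >&2
}

# Returns the pushed image reference on success; non-zero status on any failure.
build_and_push() {
  name=$1; branch=$2; commit=$3
  ref="$REGISTRY/$name:$(image_tag "$branch" "$commit")"
  if ! "$DOCKER" build -t "$ref" . >/dev/null; then
    notify_group "build failed: $ref"; return 1
  fi
  if ! "$DOCKER" push "$ref" >/dev/null; then
    notify_group "push failed: $ref"; return 1
  fi
  if ! "$DEPLOY_HOOK" "$ref"; then
    notify_group "cluster update failed: $ref"; return 1
  fi
  printf '%s\n' "$ref"
}

# When run directly as a build step: build_and_push.sh <image-name>
if [ $# -eq 1 ]; then
  build_and_push "$1" "${GIT_BRANCH:-master}" "${GIT_COMMIT:?GIT_COMMIT is required}"
fi
```

Because the deploy hook only ever receives the immutable reference, the cluster side never has to guess which build "latest" currently means.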
Workflow - In Cluster
● Cluster is notified of the new task.
● Cluster determines hosts with appropriate resource offerings.
● Hosts pull the containers associated with the task.
● Once containers pass the healthcheck, the front end is notified of host:port.
● Front end updates its configuration and reloads with the new services.
● Service is now accessible to the public network.
The Pillars of a Container Centric Infrastructure
The path we have chosen.
● Gitlab
● Jenkins
● DTR
● Mesos
● Docker
Gitlab
● Open source
● Close-enough mirror to the familiar (GitHub)
● Low barrier to entry for non-developers
● Existing integration into other “pillars” (Jenkins)
● Now comes in a handy dandy container
○ “docker pull gitlab/gitlab-ce”
○ https://hub.docker.com/r/gitlab/gitlab-ce/
Jenkins
● Open Source
● Time tested solution
● Plug-ins galore
○ Docker
○ Mesos Cluster
○ Gitlab Webhooks
● No real constraints on architecture
○ No plugin? Use Bash!
● Blank slate for any project
● Windows Support
Docker Trusted Registry
● Security Requirements
○ 100% on premise.
○ LDAP backed.
○ RBAC - v0 api available, use and integration capability growing.
■ https://docs.docker.com/docker-trusted-registry/api/
○ One-click upgrade.
○ User friendly UI.
● Support Offerings
○ 24/7 support REQUIRED for use in a clinical care setting.
○ Guided install with staff on-site where needed
Mesos
● Generic abstraction of resources. Useful to combine varied host systems (both
physical and virtual).
● Caters well to an on prem solution.
● Slightly more mature in the cluster solution ecosystem.
○ Powered by Mesos Users - http://mesos.apache.org/documentation/latest/powered-by-mesos/
● Large framework ecosystem; with lots of active development.
Mesos (Cont.)
● https://open.mesosphere.com/frameworks/
Just to name a few…
Mesos (Cont…future)
Mesos Windows Epic: https://issues.apache.org/jira/browse/MESOS-3094
Docker + Windows + Mesos = Match made in the clouds
Screencast Demo: https://www.youtube.com/watch?v=dC2vitIh84M
Docker (CE)
● Support Offerings
○ Touching on this again...24/7 support is REQUIRED when used in a clinical setting.
● Certified stable releases suitable for production use.
● Predictable release schedule for upgrade planning.
● Orchestration components are swappable...docker engine is not, and is the base
requirement for everything.
Final Form: Pluggable Infrastructure Pt. 1
● Application container function should be independent of infrastructure design.
○ Container init script + environment or cluster seed script.
■ container init script variables are static
■ seed script populates container init script with cluster specific information.
■ Build server can inject seed script for environment (local dev vs cluster deployment)
Example Init Script
$VAR1 and $VAR2 can be set at container creation or ‘seeded’ via a script sourced as $ENVIRONMENT_INIT. The supplied script could hit a variety of endpoints for configuration information (consul, etcd, registrator, etc). If nothing is provided, it assumes the default value. This allows the init script to remain static, with only the sourced seed script changing per environment.
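An init script built on this pattern, as an added example rather than the script shown on the slide. The precedence it applies (a value set at container creation wins over a seeded value, which wins over the default) is this example's assumption; the slide does not specify it. VAR1 and VAR2 are the slide's names; here VAR1 is treated as an upstream host and VAR2 as a listen port so that validation has something concrete to check.

```shell
#!/bin/sh
# Added example, not the slide's script: a static container init script whose values
# come from explicit environment variables, a seed script sourced via $ENVIRONMENT_INIT,
# or built-in defaults (precedence assumed by this example, highest first).
set -eu

VAR1_DEFAULT=localhost   # assumed meaning: upstream host
VAR2_DEFAULT=8080        # assumed meaning: listen port

# Source the seed script if one is named. It is the environment's hook for pulling
# values from consul/etcd/registrator. A dangling ENVIRONMENT_INIT is an error, not a
# silent fall-through to defaults: that would deploy with the wrong settings quietly.
load_seed() {
  seed=${ENVIRONMENT_INIT:-}
  [ -n "$seed" ] || return 0
  if [ ! -f "$seed" ]; then
    echo "init: ENVIRONMENT_INIT=$seed does not exist" >&2
    return 1
  fi
  # shellcheck disable=SC1090
  . "$seed"
}

# Resolve VAR1/VAR2 (explicit > seeded > default), then validate before use.
resolve_config() {
  explicit_var1=${VAR1:-}
  explicit_var2=${VAR2:-}
  load_seed || return 1
  VAR1=${explicit_var1:-${VAR1:-$VAR1_DEFAULT}}
  VAR2=${explicit_var2:-${VAR2:-$VAR2_DEFAULT}}
  case "$VAR2" in
    ''|*[!0-9]*) echo "init: VAR2 must be a numeric port, got '$VAR2'" >&2; return 1 ;;
  esac
  export VAR1 VAR2
}

# Hand off to the service only when executed with a command (not when sourced).
if [ $# -gt 0 ]; then
  resolve_config
  exec "$@"   # e.g. /usr/local/bin/app --upstream "$VAR1" --port "$VAR2"
fi
```

The same image then runs unchanged on a developer laptop (no seed, defaults), in the cluster (seed script injected by the build server) or with a one-off override at `docker run -e VAR2=9443`.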
Final Form: Pluggable Infrastructure Pt. 2
● Infrastructure components in source control; and if at all possible built as
containers themselves.
○ Apply standard ‘infrastructure as code’ methods.
■ Version Everything
■ Design tests and integrate with CI/CD
Final Form: Pluggable Infrastructure Pt. 2 (Cont.)
● Components that may modify host configuration require some level of clean-up, e.g. anything that may require iptables.
○ trap SIGINT, SIGKILL etc., then perform the clean-up action.
○ Does require some form of ‘init’ or process management: supervisord, tini, monit etc.
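An entrypoint wrapper that does this clean-up, as an added example that is not code from the slides. It assumes the container runs with host networking and CAP_NET_ADMIN, that IPTABLES names the iptables binary (overridable so the logic can be tested without touching a real firewall), and that the service is passed as the command line. Two caveats the slide's bullet does not spell out: no process can trap SIGKILL, so the clean-up depends on `docker stop` delivering SIGTERM first and the grace period being long enough; and a shell trap only fires once the shell regains control, so the service is run in the background and waited on rather than exec'd. Each host change is recorded together with its inverse, and clean-up replays the inverses in reverse order.

```shell
#!/bin/sh
# Added example (not from the slides): entrypoint for a container that changes host
# configuration (here an iptables rule) and must undo it when stopped.
# Assumptions: host networking + CAP_NET_ADMIN; IPTABLES and UNDO_LOG are this
# example's own names.
set -eu

: "${IPTABLES:=iptables}"
: "${UNDO_LOG:=/tmp/entrypoint-undo.$$}"

# Apply a host change and record its inverse so clean-up can replay it later.
apply_with_undo() {
  do_cmd=$1; undo_cmd=$2
  $IPTABLES $do_cmd
  printf '%s\n' "$undo_cmd" >> "$UNDO_LOG"
}

# Replay recorded inverses last-in-first-out; keep going if one of them fails.
cleanup() {
  [ -f "$UNDO_LOG" ] || return 0
  sed -n '1!G;h;$p' "$UNDO_LOG" | while IFS= read -r undo; do   # reverse lines (tac is not POSIX)
    $IPTABLES $undo || true
  done
  rm -f "$UNDO_LOG"
}

# docker stop sends SIGTERM to PID 1 (this script), then SIGKILL after the grace
# period. SIGKILL cannot be trapped, so everything must finish within that window.
on_signal() {
  if [ -n "${child:-}" ]; then
    kill -TERM "$child" 2>/dev/null || true   # forward the stop to the service
    wait "$child" || true
  fi
  cleanup
  exit 0
}

install_traps() {
  trap on_signal TERM INT
  trap cleanup EXIT   # also covers the service exiting on its own
}

main() {
  install_traps
  apply_with_undo "-A INPUT -p tcp --dport 8080 -j ACCEPT" \
                  "-D INPUT -p tcp --dport 8080 -j ACCEPT"
  "$@" &            # background + wait so traps can run; exec would replace the shell
  child=$!
  wait "$child"
}

# Only start the service when a command was given (not when sourced for tests).
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The undo log also doubles as a record for the on-call engineer: if the container is killed before clean-up completes, the file lists exactly which host changes are still in place.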
● Use of VRRP / Keepalived and deploying in pairs when services may be bound to
a single point of failure (no DNS load balancing etc).
○ Provides incredibly simple IP failover.
○ Prerequisites for use:
■ sysctl - net.ipv4.ip_nonlocal_bind=1
■ container run with host networking and cap NET_ADMIN
○ Added bonus of making it EXTREMELY easy to upgrade and switch services.
■ If upgrading: push new version to backup, then push to master.
Keepalived + HAproxy Demo
Example Keepalived Configuration
Columns on the slide: Master | Backup | Description
● state - MASTER or BACKUP - Defines server role in the group.
● interface - The interface that keepalived will use for VRRP traffic and
monitor by default.
● vrrp_unicast_bind - The ip in which vrrp should bind to.
● vrrp_unicast_peer - The bind ip of the other node in the group.
● virtual_router_id - Unique number between 1-255 that identifies the vrrp
group. Multiple instances of vrrp can run at the same time on the same servers.
● priority - In scenarios with more than 2 nodes, priority will dictate the
failover order with highest priority becoming the master.
● advert_int - Healthcheck interval (seconds)
● authentication - PASS (cleartext password) or AH (IPSEC
Authorization Header). Password and method used by the nodes
to validate each other.
● virtual_ipaddress - Virtual IP Address to be generated and interface it
should be bound to. IPs in this block WILL be tracked by keepalived. Used for
private network interface tracking.
● virtual_ipaddress_excluded - Virtual IP Address to be generated and
interface it should be bound to. IPs in this block will NOT be tracked, but
automatically failed over if an event would trigger a failure of IP(s) in the
virtual_ipaddress block. Used for public facing IPs.
● track_interface - Interface adapters that should have their link state
monitored for failover trigger.
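A renderer that produces the master or backup keepalived.conf from environment variables, as an added example rather than the configuration pictured on the slide. It applies the seed-script idea from the earlier slides to keepalived, so one container image can be started as either role of the pair. The keys are the ones described above (newer keepalived releases spell the unicast keys `unicast_src_ip` / `unicast_peer` instead of `vrrp_unicast_bind` / `vrrp_unicast_peer`); the input names ROLE, IFACE, BIND_IP, PEER_IP, ROUTER_ID, AUTH_PASS, VIP, PUBLIC_VIP and PUBLIC_IFACE are this example's own. It validates the inputs before rendering, because a virtual_router_id outside 1-255 or a mistyped state is cheaper to catch here than in keepalived's log on a node that is already live. On the authentication block: AH is the IPsec Authentication Header, PASS is cleartext, and RFC 3768 removed authentication from VRRP altogether, so unicast peers on a dedicated, non-routable interface are the control that actually matters.

```shell
#!/bin/sh
# Added example (not a configuration from the slides): render keepalived.conf for one
# node of a master/backup pair. All input variable names are this example's own.
set -eu

# Fail before rendering rather than after keepalived has started.
validate() {
  for v in IFACE BIND_IP PEER_IP VIP PUBLIC_VIP PUBLIC_IFACE AUTH_PASS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "keepalived-render: $v is required" >&2; return 1; }
  done
  case "${ROLE:-}" in
    MASTER|BACKUP) ;;
    *) echo "keepalived-render: ROLE must be MASTER or BACKUP" >&2; return 1 ;;
  esac
  case "${ROUTER_ID:-}" in
    ''|*[!0-9]*) echo "keepalived-render: ROUTER_ID must be numeric" >&2; return 1 ;;
  esac
  if [ "$ROUTER_ID" -lt 1 ] || [ "$ROUTER_ID" -gt 255 ]; then
    echo "keepalived-render: ROUTER_ID must be between 1 and 255" >&2; return 1
  fi
  # keepalived only uses the first 8 characters of auth_pass; a longer value gives a
  # false sense of strength because peers match on the prefix alone.
  if [ ${#AUTH_PASS} -gt 8 ]; then
    echo "keepalived-render: warning, AUTH_PASS is truncated to 8 characters by keepalived" >&2
  fi
}

# Master gets the higher priority; a third node would simply take a lower value.
priority_for() {
  if [ "$1" = MASTER ]; then echo 150; else echo 100; fi
}

# Emits the configuration on stdout; non-zero status if validation fails.
render() {
  validate || return 1
  cat <<EOF
vrrp_instance VI_${ROUTER_ID} {
    state ${ROLE}
    interface ${IFACE}
    vrrp_unicast_bind ${BIND_IP}
    vrrp_unicast_peer ${PEER_IP}
    virtual_router_id ${ROUTER_ID}
    priority $(priority_for "$ROLE")
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass ${AUTH_PASS}
    }
    virtual_ipaddress {
        ${VIP} dev ${IFACE}
    }
    virtual_ipaddress_excluded {
        ${PUBLIC_VIP} dev ${PUBLIC_IFACE}
    }
    track_interface {
        ${IFACE}
        ${PUBLIC_IFACE}
    }
}
EOF
}

# Typical use from the container entrypoint:
#   render > /etc/keepalived/keepalived.conf && exec keepalived -n -l
if [ "${1:-}" = render ]; then
  render
fi
```

Starting the backup with the new image first and the master second, as the slide's upgrade bullet describes, then amounts to running this renderer twice with a different ROLE.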
Future State Challenges
● Better Secret Management
○ Consul / Vault injection at runtime and seeded via ENVIRONMENT_INIT.
○ Mount secure volume
● Profiling containers for lxc capabilities + apparmor profiles
○ https://github.com/jfrazelle/bane
● Improve logging with logstash framework
○ https://github.com/mesos/logstash
● Notary integration into build pipeline.
Questions?
Bob Killen
rkillen@med.umich.edu
@mrbobbytables
github.com/mrbobbytables
Jeffrey Sica
jsica@med.umich.edu
@jeefy
github.com/jeefy
