Friday, July 31, 2015

OSCON 2015 Day 1 - Kubernetes Training

The Kubernetes (k8s) training was built on top of the Docker session: an understanding of Docker, running a simple web app (NodeJS) in a container, and accessing it from outside through the firewall rules.

This is the second post in a series about Docker and Kubernetes training. The first post covers Docker containers and a tutorial on how to set things up in Google Compute Engine. Check it out here (Docker Training)

Key Concepts

One of the things I quickly learned was that managing a single container in Docker is very easy, but I can see how managing several instances of the same container can be difficult, and managing hundreds of heterogeneous containers would be impossible.
This is where k8s comes in. It basically lets me manage clusters of containers running on different machines in my cloud. To start, k8s has a whole new nomenclature (a minimal manifest illustrating these pieces follows the list):
  • Master - maintains the state of the k8s server runtime; the control entry point for nodes, pods, and services.
  • Node - represents a resource (machine) that pods are provisioned on. It runs the docker, kubelet, and kube-proxy daemons.
  • Pod - a collection of containers that run together on a node. A way to group containers, and a good way to share storage volumes across multiple containers in the same pod.
  • Service and Labels - defines a logical set of pods that make up a service or application. Policies are set up so the containers in the pods can communicate with each other. Sets up IP/port configurations for inter-service communication. kube-proxy front-ends the Service for external access.
  • Volume - a storage element made available to the containers in a pod. Can connect to AWS EBS, GCE Persistent Disk, iSCSI volumes, etc...
  • Container - a Docker container.
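
To make the nomenclature concrete, here is a minimal sketch of a pod manifest. The names and image are illustrative placeholders, not the tutorial's actual files:

    # hello-pod.yaml - a Pod groups containers that share a network namespace and volumes
    cat <<'EOF' > hello-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-node                 # illustrative name
      labels:
        app: hello                     # labels are what Services select on
    spec:
      containers:
      - name: web
        image: example/hello-node:v1   # illustrative image
        ports:
        - containerPort: 8080
        volumeMounts:
        - name: scratch
          mountPath: /data
      volumes:
      - name: scratch
        emptyDir: {}                   # simplest volume type; EBS/GCE PD/iSCSI plug in here too
    EOF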

Hands On Tutorial

After the session went over the concepts we dove right into getting everything up and running. This is when things began to get hard, mostly because I was on a Windows box and "kubectl" (the command used to control the k8s master) did not run on it. So I created another VM in the Google Cloud to run through the tutorial. That ran into problems with ssh keys and security, so it took much longer than it should have. I was not the only one having problems at this point. So we threw together a quick diagram to see how the k8s installation worked with the docker installation I had set up in the previous session (Docker Training). The diagram on the right shows how this all fits together.

Kubernetes introduces another command-line tool, "kubectl", which is available after loading components via the gcloud components command. The problem mentioned before is that it is not supported on Windows without jumping through some hoops, so I had to create a Linux VM instance to run the commands. But I had a hard time getting the right ssh keys on the VM to talk to my Google Compute Engine instance. The presenter and his helpers were having a hard time getting everyone up and running on this step as well. After over an hour of trying to get this set up, about 70% of the people were able to create a k8s pod with "kubectl create".
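
For reference, the rough shape of that setup from the Linux VM looked something like this. The component and flag names are from the 2015-era gcloud SDK and have shifted since, so treat this as a sketch:

    # Pull down the kubectl client via the Google Cloud SDK
    gcloud components update kubectl

    # Create a small cluster on Google Container Engine (name and size illustrative)
    gcloud container clusters create oscon-demo --num-nodes 2

    # Create a pod from a manifest and check that it is running
    kubectl create -f hello-pod.yaml
    kubectl get pods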

One thing that k8s gives developers is the ability to define higher-level services with a simple script. They have chosen YAML as the description language for this. Since YAML is quickly becoming a de facto standard for service description, this was the logical choice. My first task was to create a multi-tiered web application. The tutorial walked me through a wordpress installation consisting of a mysql database and the wordpress web application.

There are 4 YAML files that need to be created (the first two are sketched below):
  1. mysql pod file - Describes the mysql pod: the docker container image, ports to expose, volumes to mount, and the database user names and passwords.
  2. mysql-service file - Describes the mysql service: the stable port and the label selector that routes traffic to the mysql pod.
  3. wordpress pod file - Describes the wordpress pod: the container image, ports, volumes, and configuration information.
  4. wordpress-service file - Describes the wordpress service: the externally visible port and the label selector for the wordpress pod.
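
Here is a sketch of what the first two files look like, using the stock mysql image. The disk name and password are placeholders, and the manifests follow the v1 API shape from around the time of the training:

    # mysql pod: the container image, port, clear-text credentials, and volume
    cat <<'EOF' > mysql-pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: mysql
      labels:
        name: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:5.6
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: yourpassword          # sits in clear text (see the caveats below)
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mysql-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-storage
        gcePersistentDisk:
          pdName: mysql-disk           # placeholder for a pre-created GCE persistent disk
          fsType: ext4
    EOF

    # mysql service: a stable endpoint that selects the pod by its label
    cat <<'EOF' > mysql-service.yaml
    apiVersion: v1
    kind: Service
    metadata:
      name: mysql
    spec:
      ports:
      - port: 3306
      selector:
        name: mysql
    EOF

    kubectl create -f mysql-pod.yaml
    kubectl create -f mysql-service.yaml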

Some of the things to watch out for when using k8s to define services:
  • There is no way to reference secure passwords/usernames for authenticated services. These are stored as clear text in the YAML descriptions (as in the mysql pod sketch above).
  • Don't even try this with Windows boxes or images. It just is not there yet.
  • There is no federated k8s master. So if your master goes down, you have lost control of your containers and volumes. They will still be running and consuming resources, but with no way to control or monitor them.
  • k8s really requires a higher-level scheduler to set up kubelet nodes. Mesos is a good option for this.
  • SSH key management is not as easy as it was with just a simple docker setup.

Darren

OSCON 2015 Day 1 - Docker Training

I had the opportunity to attend a couple of days of OSCON this year. Basically it was full of Open Source developers learning about the latest and greatest Open Source projects. As my wife said, I got to "get my geek on" during the two days I spent at OSCON.
The first day I spent in a Kubernetes (K8s) and Docker hands-on training from the guys at Mesos and Google. The room was packed, and they actually increased the size of the room about an hour and a half into the training to allow more people to come in.

There were four sessions in the training: Container overview, Docker overview and setup, K8s overview, and K8s hands-on.

Training Environment - Google Cloud

To decrease the amount of setup, the tutorial started with a running cloud where it would be easy to install and deploy Docker and Kubernetes. The obvious choice was Google Cloud, so that is what we did. Everyone downloaded the Google Cloud command-line tools to their laptop. I was at a disadvantage because I had a Windows laptop and most of these guys had Linux or MacOS boxes, but with a couple of tweaks I got everything working fine. The setup of the tutorial was easy to get going because they had a GitHub repo that we just had to clone to our boxes. Everything was in there, including the slides for the lecture. Very simple, and it made the start of the training fast.
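
The setup boiled down to a few commands. The project ID and repository URL below are placeholders (the real ones were handed out in the session):

    # Authenticate the SDK and point it at the training project
    gcloud auth login
    gcloud config set project my-oscon-project

    # Clone the training material, slides and all
    git clone https://github.com/example/oscon-training.git
    cd oscon-training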

Container Session

This was a great overview of how containers work, why docker came about, and why using docker makes life so much easier. Containers use old technology that has been in Unix OSes for about 20 years. They are based primarily on chroot, namespaces, and cgroups (a rough demo of these primitives follows the list). There were a couple of BKMs and warnings from the trainers:
  • Containers are not as secure as VMs or bare metal.
  • Having multiple tenants on the same VM with multiple containers is not advised. It can be done, but it is not advised.
  • Use Docker images to spin up containers faster.
  • There are public repositories with images that groups can share.
  • Create your own private repositories for secure images.
  • Do not use Docker images from the public domain unless you know they are secure. Because Docker containers can run as root on your OS, you have to be careful what you are downloading.
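
To see how old this technology really is, you can poke at the same kernel primitives by hand on any modern Linux box. A rough sketch, assuming root plus the cgroup-tools and stress packages (neither is part of Docker):

    # namespaces: give a shell its own PID and mount namespaces
    sudo unshare --pid --fork --mount-proc /bin/bash
    ps aux      # inside, this shell is PID 1 and the host's processes are invisible
    exit

    # chroot: confine a process to a subtree of the filesystem
    sudo chroot /srv/minimal-rootfs /bin/sh   # path to a prepared rootfs is a placeholder

    # cgroups: cap a process group's resource usage, e.g. half a CPU
    sudo cgcreate -g cpu:/demo
    echo 50000 | sudo tee /sys/fs/cgroup/cpu/demo/cpu.cfs_quota_us
    sudo cgexec -g cpu:demo stress --cpu 1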

Docker Session

Because they had a git repo with all of the scripts and command-line setup for us, the tutorial was easy and it worked right out of the box. I created a docker container that had a little nodejs web app and made sure that I could access it remotely. I used the command line to accomplish all of the Google Cloud commands. There were a couple of problems with copying files from my laptop to the instance because of the Windows laptop and ssh keys, but I worked around that by downloading the files from the GitHub repository. Here are the steps we took in the tutorial:
  1. Create a VM instance to run my docker container on
  2. Create a Docker image
  3. Inspect a running Docker container
  4. Find Docker images
  5. Launch pre-defined Docker image
I used the command line for most of the work and it was very easy to set up a VM and get my own docker container working on it.
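
Roughly, the five steps map to commands like these. Instance names, zones, and image tags are placeholders, and the gcloud flags are from the 2015-era SDK:

    # 1. Create a VM instance and ssh into it
    gcloud compute instances create docker-host --zone us-central1-a
    gcloud compute ssh docker-host

    # 2. Build a Docker image from the Dockerfile in the current directory
    docker build -t my-node-app .

    # 3. Inspect a running container
    docker ps                       # find the container ID
    docker inspect <container-id>

    # 4. Find images, locally and in the public registry
    docker images
    docker search nodejs

    # 5. Launch a pre-defined image
    docker run -d --name web my-node-app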
There were a couple of gotchas I took note of:
  • Much of the docker work needed to be done on the VM and could not be done remotely from my laptop.
  • Windows is not a "first class" citizen with Docker containers. You really need to be running the command-line tools on Linux.
  • You need to install the Google Cloud command-line tools on the VM as well as your laptop.
  • Store your Docker images in your own repository, or make sure you have a globally unique name in the Google repo. We stepped on each other several times.
  • Make sure you expose the ports on the VM that you need to reach the web app running in the Docker container instance (see the sketch after this list).
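
Concretely, that last point took two pieces: a port mapping on the container and a firewall rule on the VM. The rule name and ports are placeholders:

    # Map port 80 on the VM to the app's port 8080 inside the container
    docker run -d -p 80:8080 my-node-app

    # Open the VM port in the Compute Engine firewall so the app is reachable
    gcloud compute firewall-rules create allow-http --allow tcp:80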

Running through the tutorial gave me a better understanding of terminology that is thrown around and confusing at times. The following is the list of terms we covered that finally made some sense:
  • Image - This is a description of the container to run, similar to a VM image. Images are built and stored in a registry.
  • Container - This is an instance of an image running on a VM in its own namespace and cgroup.
  • VM Instance - This is a virtual machine running in a cloud; in this example it is a Compute Engine instance.
  • Docker Daemon - This manages the containers on a specific VM or bare-metal machine. The docker command communicates with the Docker Daemon.
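
The image/container split is easiest to see in the build-then-run cycle. A minimal sketch for a node app like the tutorial's (file contents and tags are illustrative):

    # Dockerfile - the recipe an Image is built from
    cat <<'EOF' > Dockerfile
    FROM node:0.12
    COPY server.js /app/server.js
    EXPOSE 8080
    CMD ["node", "/app/server.js"]
    EOF

    docker build -t my-node-app .   # builds an Image and stores it locally
    docker run -d my-node-app       # starts a Container, an instance of that image
    docker ps                       # the docker CLI asks the Docker Daemon what is running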

Overall the tutorial took about 30 minutes. I would say about 90% of the people made it through without any problems. I got some terminology cleared up and found out how easy it is to get containers up and running in Google Compute Engine. The one thing that was very clear was that docker manages containers on one machine, not across multiple machines.

Darren