by 
Here is my post on kloia blog:
https://blog.kloia.com/kubernetes-on-rancher-with-weave-db5319361b78
CategoryDevOps
by Routing Mesh is not magic, it just uses ha-proxy inside to route the traffic to the related container.
What is the use-case of Routing Mesh?
You have plenty of services/apps working on HTTP/HTTPS and you do not want to deal with ports. Routing Mesh simply, manages the "Virtual Hosting"
1. In case you have Docker Datacenter UCP:
Step1: Enable Routing Mesh
UCP –> Admin Settings –> Routing Mesh –> Enable HTTP Routing Mesh –> Update (I used port 8090 just for test, normally it should be 80)
Step2: Create a service
UCP –> Resources –> Services –> Create a Service
Service Name: meshtest
Image Name: nginx:latest
Next –> Rosources –> Networks
Choose the network "ucp-hrm"
Next –> Environment
Create a Service Label "com.docker.ucp.mesh.http.80" with label "external_route=http://meshtest,internal_port=80"
2. In case you just have Docker 1.12+:
Add the following to you docker-compose YAML under the necessary service:
# labels:
# com.docker.ucp.mesh.http.80=external_route=http://meshtest,internal_port=80
Save Settings and it works!
by During the installation of Docker Engine and UCP(Universal Control Plane), there is a risk that the networks it chooses by default like 172.17.0.0/16, 172.18.0.0/16, 172.19.0.0/16, 172.20.0.0/16 may overlap with your existing LANs in your organization. Although there are some related posts:
https://forums.docker.com/t/dtr-network-overlaps-corporate-lan/22193/2
https://blog.docker.com/2016/03/docker-networking-design-philosophy/
IMHO they do not provide a practical solution for that particular case…
Beside, there are the following open issues under github:
https://github.com/docker/docker/issues/21776
https://github.com/docker/docker/pull/29376
Here is a workaround we have founded and applied and working:
- Before the installtion of Docker Engine/UCP, create a virtual interface or extend the netmask of the current interface covering all corporate networks:
ifconfig eth0:0 <yourinternalcorporateIPAddress> netmask <netmask> up
- After you finalize the Docker Engine, swarm or UCP, you will notice that it uses A Class(10.x.x.x/x) or C Class(192.168.x.x/x) rather than 172.x.x.x !!!! Docker installation is smart that it jumps to other network classes.
- Revert back your network interface you the initial state ad that's all!!
by You need to install 1.21.1 CS(Commercial Support) version of the Docker Engine specific commercial version, in case Ubuntu, here is the way to do that:
sudo rpm –import "https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e"
curl -s 'https://sks-keyservers.net/pks/lookup?op=get&search=0xee6d536cf7dc86e2d7d56f59a178ac6c6238f52e' | sudo apt-key add –import
sudo apt-get update && sudo apt-get install apt-transport-https
sudo apt-get install -y linux-image-extra-$(uname -r) linux-image-extra-virtual
echo "deb https://packages.docker.com/1.12/apt/repo ubuntu-trusty main" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update && sudo apt-get install docker-engine=1.12.1~cs1-0~trusty
docker info
service docker restart
by You can use the following for Ansible, Docker, ebextensions or any automated provisioning you need. The first command especially saves time otherwise you have to click on "Accept license" on browser in order to download from Oracle…
# wget –no-check-certificate –no-cookies –header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u102-b14/jdk-8u102-linux-x64.rpm
# rpm -Uvh jdk-8u102-linux-x64.rpm
# alternatives –install /usr/bin/java java /usr/java/latest/bin/java 200000
# alternatives –install /usr/bin/javac javac /usr/java/latest/bin/javac 200000
# alternatives –install /usr/bin/jar jar /usr/java/latest/bin/jar 200000
# export JAVA_HOME="/usr/java/latest/"
# wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
# rpm –import https://jenkins-ci.org/redhat/jenkins-ci.org.key
# yum update -y
# yum install jenkins -y
# systemctl enable jenkins.service
# systemctl restart jenkins.service
by Another typical error happened during i tried to install a new Python module:
Deryas-MacBook-Pro:etugra dsezen$ sudo pip install zeep The directory '/Users/dsezen/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. You are using pip version 7.1.0, however version 8.1.2 is available. You should consider upgrading via the 'pip install --upgrade pip' command. The directory '/Users/dsezen/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. Collecting zeep Downloading zeep-0.14.0-py2.py3-none-any.whl (65kB) 100% |████████████████████████████████| 65kB 245kB/s Requirement already satisfied (use --upgrade to upgrade): lxml>=3.0.0 in /Library/Python/2.7/site-packages (from zeep) Requirement already satisfied (use --upgrade to upgrade): pytz in /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python (from zeep) Requirement already satisfied (use --upgrade to upgrade): appdirs>=1.4.0 in /Library/Python/2.7/site-packages (from zeep) Requirement already satisfied (use --upgrade to upgrade): cached-property>=1.0.0 in /Library/Python/2.7/site-packages (from zeep) Requirement already satisfied (use --upgrade to upgrade): defusedxml>=0.4.1 in /Library/Python/2.7/site-packages (from zeep) Collecting six>=1.9.0 (from zeep) Downloading six-1.10.0-py2.py3-none-any.whl Collecting isodate>=0.5.4 (from zeep) Collecting requests>=2.7.0 (from zeep) Downloading requests-2.11.1-py2.py3-none-any.whl (514kB) 100% |████████████████████████████████| 516kB 283kB/s Installing collected packages: six, isodate, requests, zeep Found existing installation: six 1.4.1 DEPRECATION: Uninstalling a distutils installed project (six) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project. Uninstalling six-1.4.1: Exception: . . . OSError: [Errno 1] Operation not permitted: '/tmp/pip-zeJjMk-uninstall/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/six-1.4.1-py2.7.egg-info'
Just i didn't want to digout whatever the hell reason regarding with access rights, Python 2.7 vs 3.x awesomeness and directly injected a Dockerfile a solved the problem right away!
FROM python:3-onbuild MAINTAINER funkydorian RUN mkdir /etugra VOLUME /etugra WORKDIR /etugra CMD python -m pip install zeep ENV PYTHONPATH .:/usr/local/lib/python3.5 CMD ["python","./etugra.py","secinitd.log"]
Build the image with:
docker build -t etugra .
Run the code whenever i make a change simply by:
docker run -it --rm --name etugra -v $PWD:/etugra etugra
by I had many unused images appeared because of my fault:
Deryas-MacBook-Pro:etugra dsezen$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
etugra latest 0e0485e9abbf 5 minutes ago 704.1 MB
<none> <none> 8a2ffaa937f3 8 minutes ago 704.1 MB
<none> <none> d13dd077234c 9 minutes ago 704.1 MB
<none> <none> 017cb8b846b7 17 minutes ago 704.1 MB
<none> <none> f671aaefbeb8 18 minutes ago 704.1 MB
<none> <none> 280ea3ac4ae5 44 minutes ago 704.1 MB
<none> <none> 97dcf929d414 45 minutes ago 704.1 MB
<none> <none> 019bcd4d779e 53 minutes ago 704.1 MB
<none> <none> 053a969a5a22 55 minutes ago 704.1 MB
<none> <none> 94be3db991db 58 minutes ago 704.1 MB
<none> <none> cd284b979277 59 minutes ago 704.1 MB
<none> <none> 56181d2f6edf 59 minutes ago 704.1 MB
<none> <none> a55ec92c3137 About an hour ago 704.1 MB
<none> <none> 7e9afad720aa About an hour ago 704.1 MB
<none> <none> 907bbba168bf About an hour ago 704.1 MB
<none> <none> f42d87e744f6 About an hour ago 704.1 MB
<none> <none> 804aa0feedf2 About an hour ago 704.1 MB
<none> <none> 1036b6db0f20 About an hour ago 704.1 MB
<none> <none> 4868a31676cb About an hour ago 704.1 MB
<none> <none> 7ade30482774 About an hour ago 704.1 MB
<none> <none> 353b07a482be About an hour ago 704.1 MB
<none> <none> d827f90112d1 About an hour ago 704.1 MB
<none> <none> efb1e94f2c4f About an hour ago 704.1 MB
<none> <none> 9e1210fd7d8f 2 hours ago 684.3 MB
<none> <none> 63eaa30ce706 2 hours ago 684.3 MB
<none> <none> b89d5acf03e5 2 hours ago 684.3 MB
<none> <none> c9905abf50b8 2 hours ago 709.6 MB
<none> <none> af6393bc4b96 2 hours ago 696.2 MB
<none> <none> 4bb0534b3bd0 21 hours ago 675.1 MB
python 3-onbuild 61bd1f884054 11 days ago 684.3 MB
Seems docker rmi does not accept standard input, so here is the way i found so that you can overcome this:
docker images|grep none|awk {'print $3'} > /tmp/dockertmp
for i in `cat /tmp/dockertmp`; do docker rmi $i; done
by If you also need to trigger Visual Studio Code for creating a new file into the codebase, in my case Dockerfile, he is the way to do that:
1. Open Visual Studio Code
2. Type ⇧⌘P
3. Type 'Shell command' and choose 'Install code command in PATH'
This simply adds 'code' binary link to the PATH
4. Type the following to initiate a new file:
Deryas-MacBook-Pro:DIGOUT dsezen$ code Dockerfile
by Meetup happened at Google Fremont.
Although there were other presentations, i could only participate the following:
1. Aqua: As there are ongoing security concerns regarding with Docker/MicroServices approaches, as a response, i see various solutions to that. After my initial bias that Aqua is YADSC(Yet-another Docker Security Scanning), i realized it has other capabilities as well. Beside the CVE scan, it has also
- Container Inspection which actively checks suspicious behaviour
- Fingerprint the image from dev to production, preventing spoofing
- Multiregistry support like ECR, GCR, Quay, JFrog…
- Anomality Detection on containers
- Prevent malicious behaviours
Demo regarding to malicious behaviour was fork-bomb
which is also known-as
:(){ :|:& };:
If you enter this command on your bash, you will see the effect, no responsibility is accepted:)
@chernymi demonstraited the effect of fork-bomb and container freezed, after we saw that Aqua can handle this anomality.
2. rktnetes: @wobscale beginned with explaining what is rkt and differentiation with docker, going deeper with Stage1-2-3 approach of rkt.
He continued pointing out the SPOF of dockerd for <1.11 and continerd for >=1.11
Finally, he started to explain rkynetes, which basically use rkt as the container runtime.
Some of the benefits can be summarized as
- There is no daemon running the containers
- Works with systemd
- runc is supported:)
- features/speed competes with kubernetes:
Official release seems to be coming with Kubernetes 1.3
As a summary, Kubernetes is creating its own ecosystem as well. Especially for the ones using GCP, as Google Container Engine is kubernetes, it makes sense to go with.
Strava
Sharing
© 2024 Derya (Dorian) Sezen
Theme by Anders Norén — Up ↑
