Automate Drupal deployments with Linux containers, Docker and Vagrant
- 2. Free/open-source software lover
Senior Cloud Engineer @Acquia
Drupal.org infrastructure/devops
Drupalist & Linux enthusiast
Father, artist, community facilitator
@ricardoamaro
About me
- 4. 1. The sad Virtual Machine story
2. Containers and non-containers
3. Drupal on LXC
4. How to Puppetize a container
5. Docker & LXC
6. Shipping containers with Drupal
Today’s agenda
- 5. Hardware virtualization or platform
virtualization refers to the creation of a
virtual machine that acts like a real
computer with an operating system.
Software executed on these virtual
machines is separated from the underlying
hardware resources.
What is virtualization?
- 6. Cloud infrastructure providers like Amazon Web Services sell virtual
machines. EC2 is expected to surpass $1B in revenue this year.
That's a lot of VMs…
Why should I care?
Increase
+ efficiency
+ availability
+ security
Reduce
- costs
- hardware
- energy
- 8. ➢ We are also paying for a lot of
avoidable overhead.
➢ The Virtual Machine is a full-blown
operating system image.
➢ This is a heavyweight solution to
run applications in the cloud.
The sad Virtual Machine story...
- 10. Containers used to be terrible, but not anymore
A new concept, a new hope
- 15. The time to provision
Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud
- 16. mount /dev/sda /target
chroot /target
but that offered none of the resource and security isolation
that multi-tenant designs need...
From the simple concept of “chroot”
source: http://openvz.org
- 18. OpenVZ & LXC
Need control over specific host resources: cgroups
Control Groups provide a mechanism for aggregating/partitioning sets
of tasks, and all their future children, into hierarchical groups with
specialized behaviour.
~$ ls /sys/fs/cgroup
blkio
cpu
cpuacct
cpuset
devices
freezer
hugetlb
memory
perf_event
example:
lxc-cgroup -n foo cpuset.cpus "0,3"
Containers & Cgroups
https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
- 19. ricardo@ricardo-box:~$ sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.8.0-26-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
LXC on Ubuntu
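The checker output above is produced by grepping the running kernel's config for the options LXC depends on. The script below is an added example, not part of the slides or the lxc package: it re-implements that check in POSIX sh over a constructed kernel config text (labelled as such) that mirrors the slide, with everything built in except user namespaces.

```shell
#!/bin/sh
# Added example, not from the slides: a small re-implementation of what
# lxc-checkconfig does. It reads a kernel config (normally /boot/config-$(uname -r)
# or /proc/config.gz) and reports whether each feature LXC depends on is built in.
# The config text below is constructed to match the slide's output: everything is
# enabled except user namespaces.

SAMPLE_CONFIG="\
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_PID_NS=y
# CONFIG_USER_NS is not set
CONFIG_NET_NS=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_CPUSETS=y
CONFIG_VETH=y
CONFIG_MACVLAN=y
CONFIG_VLAN_8021Q=y"

# Label/option pairs in the order lxc-checkconfig reports them. CONFIG_MEMCG was
# called CONFIG_CGROUP_MEM_RES_CTLR before kernel 3.6.
LXC_FEATURES="\
Namespaces:CONFIG_NAMESPACES
Utsname namespace:CONFIG_UTS_NS
Ipc namespace:CONFIG_IPC_NS
Pid namespace:CONFIG_PID_NS
User namespace:CONFIG_USER_NS
Network namespace:CONFIG_NET_NS
Multiple /dev/pts instances:CONFIG_DEVPTS_MULTIPLE_INSTANCES
Cgroup:CONFIG_CGROUPS
Cgroup device:CONFIG_CGROUP_DEVICE
Cgroup sched:CONFIG_CGROUP_SCHED
Cgroup cpu account:CONFIG_CGROUP_CPUACCT
Cgroup memory controller:CONFIG_MEMCG
Cgroup cpuset:CONFIG_CPUSETS
Veth pair device:CONFIG_VETH
Macvlan:CONFIG_MACVLAN
Vlan:CONFIG_VLAN_8021Q"

# option_state OPTION "$config_text" -> prints "enabled" (=y or =m) or "missing"
option_state() {
    if printf '%s\n' "$2" | grep -q "^$1=[ym]\$"; then
        echo enabled
    else
        echo missing
    fi
}

# check_config "$config_text" -> one "Label: enabled|missing" line per feature
check_config() {
    printf '%s\n' "$LXC_FEATURES" | while IFS=: read -r label option; do
        printf '%s: %s\n' "$label" "$(option_state "$option" "$1")"
    done
}

# count_missing "$config_text" -> number of required features not built in
count_missing() {
    check_config "$1" | grep -c ': missing$' || true
}

# Stand-alone run: print the report for the constructed config.
check_config "$SAMPLE_CONFIG"
```

To run it against a real host, pass the kernel's config: `check_config "$(cat /boot/config-$(uname -r))"`. The line to watch is `User namespace: missing`, the state the slide shows on 3.8: without CONFIG_USER_NS every container is a privileged one, so uid 0 inside it is uid 0 on the host and is confined only by the AppArmor profile and capability drops described on the next slide.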
- 20. Since Ubuntu 12.04, containers are constrained by AppArmor by default
- /usr/bin/lxc-start is automatically transitioned to its own profile, where it is only allowed to mount into the
container’s tree.
- The default policy attempts to protect the host from accidental container abuses, such as writing to /proc/sysrq-trigger and /proc/mem.
- Each container configuration can specify a custom profile.
On Ubuntu 13.04
- We are able to make use of user namespaces and support stacked AppArmor profiles
- Apport hooks for better debug support,
- Greater scriptability by providing a liblxc API.
By 14.04
User namespaces should support container use by unprivileged users.
Other resources:
http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html
https://wiki.ubuntu.com/LxcSecurity
http://wiki.ubuntu.com/UserNamespace
LXC Security with Apparmor
- 21. Wait…
I don’t have to use
heavy virtualboxes?
Let’s start with Vagrant
and puppetize it!
You just need that guy
- 22. You will get:
1. Drupal (latest version)
2. Nginx
3. PHP + php-fpm
4. MySQL
5. phpMyAdmin
6. xhprof
7. xdebug
8. Composer
https://github.com/ricardoamaro/drupal-lxc-vagrant-docker
My contribution to Drupal Containers
- 23. Install latest Vagrant from: http://downloads.vagrantup.com/tags/v1.2.7 or later.
Install lxc + redir.
sudo dpkg -i vagrant_1.2.7_x86_64.deb
sudo apt-get install lxc redir
Vagrant LXC (demo) - Install
- 24. Get the code from:
https://github.com/ricardoamaro/drupal-lxc-vagrant-docker
git clone git@github.com:ricardoamaro/drupal-lxc-vagrant-docker.git
cd ~/drupal-lxc-vagrant-docker
1 - Clone the code
- 25. vagrant plugin install vagrant-lxc
vagrant up --provider=lxc
sudo lxc-ls --fancy
# redirect port 80 to the host
sudo redir --lport=80 --cport=80 --caddr={container ip} &
# and/or edit the /etc/hosts file with:
${IP} drupal phpmyadmin xhprof
2 - Get the plugin & deploy
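The `{container ip}` placeholder in the redir command has to be filled from `lxc-ls --fancy`. The helpers below are an added example, not part of the slides or the drupal-lxc-vagrant-docker repository: they read the container's IPv4 address out of constructed `lxc-ls --fancy` output (labelled as such), build the redir command and the hosts entry from the slide, and add the hosts entry idempotently, so repeated `vagrant up` runs do not stack duplicates. A scratch file stands in for /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the slides: after "vagrant up --provider=lxc" you need
# the container's address to fill in the {container ip} placeholder. These helpers
# pull it out of "lxc-ls --fancy" output and build the redir command and the
# /etc/hosts line the slide uses. The lxc-ls output below is constructed.

SAMPLE_LXC_LS="\
NAME     STATE    IPV4       IPV6  AUTOSTART
---------------------------------------------
drupal   RUNNING  10.0.3.45  -     NO
scratch  STOPPED  -          -     NO"

# container_ip NAME "$lxc_ls_output" -> IPv4 of NAME if it is RUNNING, else status 1
container_ip() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && $2 == "RUNNING" && $3 ~ /^[0-9.]+$/ { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# hosts_line NAME "$lxc_ls_output" -> the "${IP} drupal phpmyadmin xhprof" entry
hosts_line() {
    ip=$(container_ip "$1" "$2") || return 1
    printf '%s drupal phpmyadmin xhprof\n' "$ip"
}

# redir_command NAME "$lxc_ls_output" -> the host-port-80 forward from the slide
redir_command() {
    ip=$(container_ip "$1" "$2") || return 1
    printf 'sudo redir --lport=80 --cport=80 --caddr=%s &\n' "$ip"
}

# add_hosts_entry HOSTSFILE LINE -> append LINE only if that exact line is absent,
# so re-running the deploy does not keep stacking duplicate entries
add_hosts_entry() {
    if ! grep -qxF "$2" "$1" 2>/dev/null; then
        printf '%s\n' "$2" >> "$1"
    fi
}

# Stand-alone run against a scratch hosts file (not the real /etc/hosts).
DEMO_HOSTS="${TMPDIR:-/tmp}/demo-hosts.$$"
: > "$DEMO_HOSTS"
add_hosts_entry "$DEMO_HOSTS" "$(hosts_line drupal "$SAMPLE_LXC_LS")"
add_hosts_entry "$DEMO_HOSTS" "$(hosts_line drupal "$SAMPLE_LXC_LS")"
redir_command drupal "$SAMPLE_LXC_LS"
cat "$DEMO_HOSTS"
```

On a real host, replace `"$SAMPLE_LXC_LS"` with `"$(sudo lxc-ls --fancy)"` and point `add_hosts_entry` at /etc/hosts. `container_ip` deliberately fails for a container that is not RUNNING, so nothing gets written for a box that has not come up.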
- 32. Install docker:
sudo apt-get -y install docker
curl get.docker.io | sudo sh -x
Import container to docker:
sudo tar -C /var/lib/lxc/{container name}/rootfs/ -c . | sudo docker import - dev/drupal
Start docker:
sudo docker run -i -t -p :80 dev/drupal /bin/bash
The image is already pushed to https://index.docker.io, and can be pulled using:
sudo docker pull ricardoamaro/drupal
You can ship your image into a Docker container
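The tar-and-import step ships the container's whole filesystem as-is, and a development container collects files that should not end up in a public image. The script below is an added example, not from the slides or the ricardoamaro/drupal image: it builds the same archive from a constructed stand-in rootfs (labelled as such) and flags shell history, SSH host and user keys and the MySQL data directory before anything is imported or pushed.

```shell
#!/bin/sh
# Added example, not from the slides: the slide turns an LXC rootfs into a Docker
# image with "tar -C .../rootfs -c . | docker import - dev/drupal". Before pushing
# such an image to the public index, list what the tarball carries and flag files a
# dev container accumulates that must not ship (shell history, SSH host and user
# keys, the MySQL data directory). The rootfs below is a constructed stand-in for
# /var/lib/lxc/{container name}/rootfs.

DEMO_ROOTFS="${TMPDIR:-/tmp}/demo-rootfs.$$"
mkdir -p "$DEMO_ROOTFS/etc/ssh" "$DEMO_ROOTFS/root/.ssh" \
         "$DEMO_ROOTFS/var/www/drupal" "$DEMO_ROOTFS/var/lib/mysql"
echo 'placeholder' > "$DEMO_ROOTFS/etc/ssh/ssh_host_rsa_key"
echo 'placeholder' > "$DEMO_ROOTFS/root/.bash_history"
echo 'placeholder' > "$DEMO_ROOTFS/root/.ssh/id_rsa"
echo 'placeholder' > "$DEMO_ROOTFS/var/www/drupal/index.php"
echo 'placeholder' > "$DEMO_ROOTFS/var/lib/mysql/ibdata1"

# rootfs_tar ROOTFS TARFILE -> the archive the slide streams into "docker import"
rootfs_tar() {
    tar -C "$1" -cf "$2" .
}

# flagged_paths TARFILE -> members that should be removed before the image is built
flagged_paths() {
    tar -tf "$1" | grep -E \
        -e '^\./etc/ssh/ssh_host_[a-z0-9]+_key$' \
        -e '^\./root/\.bash_history$' \
        -e '^\./root/\.ssh/.+' \
        -e '^\./var/lib/mysql/.+' \
        | sort || true
}

# audit_rootfs ROOTFS -> prints flagged paths; returns 1 if anything was flagged
audit_rootfs() {
    tarball="${TMPDIR:-/tmp}/rootfs-audit.$$.tar"
    rootfs_tar "$1" "$tarball"
    flagged=$(flagged_paths "$tarball")
    rm -f "$tarball"
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# flagged_count ROOTFS -> number of flagged members
flagged_count() {
    audit_rootfs "$1" | grep -c . || true
}

# Stand-alone run: list what would leak from the constructed rootfs.
audit_rootfs "$DEMO_ROOTFS" || echo "rootfs not clean; remove the files above before docker import"
```

Run `audit_rootfs /var/lib/lxc/{container name}/rootfs` with sudo before the slide's import pipeline; a non-zero return means the listed files should be deleted (or the directory excluded from the tar) first. The pattern list is a starting point, not an exhaustive one: a real audit also covers application secrets such as Drupal's settings.php database credentials.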
- 35. The commands:
attach Attach to a running container
commit Create a new image from a container's changes
diff Inspect changes on a container's filesystem
export Stream the contents of a container as a tar archive
history Show the history of an image
images List images
import Create a new filesystem image from the contents of a tarball
info Display system-wide information
inspect Return low-level information on a container
kill Kill a running container
login Register or Login to the docker registry server
logs Fetch the logs of a container
port Lookup the public-facing port which is NAT-ed to PRIVATE_PORT
ps List containers
pull Pull an image or a repository from the docker registry server
push Push an image or a repository to the docker registry server
restart Restart a running container
rm Remove a container
rmi Remove an image
run Run a command in a new container
start Start a stopped container
stop Stop a running container
tag Tag an image into a repository
version Show the docker version information
wait Block until a container stops, then print its exit code
The docker is awesome!
The API
http://docs.docker.io/en/latest/api/registry_index_spec/
The Registry
http://docs.docker.io/en/latest/api/index_api/
- 38. Changes to the container can be committed
to the central index or rolled back
Just commit the good apples
- 39. Openstack and Docker...
The future has a bonus extra:
http://blog.docker.io/2013/06/openstack-docker-manage-linux-containers-with-nova/
https://wiki.openstack.org/wiki/Docker
- 40. “Nova is intended to be modular and easy to extend and adapt. It supports many
different hypervisors (KVM and Xen to name a few), different database backends
(SQLite, MySQL, and PostgreSQL, for instance), different types of user
databases (LDAP or SQL), etc.”
And it supports Docker containers!
This project is open-source and available at:
https://github.com/dotcloud/openstack-docker.
...with the Nova driver
- 41. Develop the box in layers
Use only one Linux Kernel
Deploy quickly
Build Once, Run Anywhere
Awesomeness!