title: Containers Patterns
name: inverse
layout: true
class: center, middle, inverse
.bottom-bar[ .left[@mariolet github.com/l0rd] ]
layout: false
template: inverse
class: center, middle
layout: false
.tc-left-column[
- Copy Sources
- Mount Sources
- Dockerize Your Tools
- ONBUILD Image
- Dependencies First Dockerfile
- Source 2 Image
] .tc-center-column[
- Build From Scratch
- Containers Launcher
] .tc-right-column[
- Mount Sources
- Docker Socket Mount
- Containers Launcher
- Build From Scratch
- Host Spoofing
- ENTRYPOINT and CMD combined
- Exec Form ENTRYPOINT
- Source 2 Image
- Sidecar Container
- Ambassador Container
]
template: inverse
.left-column[
] .right-column[
Docker Image
httpd
Source code
https://github.com/gabrielecirulli/2048
Run command
```bash
docker run -p 8080:80 \
  -v $(pwd):/usr/local/apache2/htdocs/ \
  httpd
```
]
.left-column[
] .right-column[
- Development and Runtime Pattern
- Source folder is bind mounted when running the container
- Pattern particularly suited for dynamic languages
- Not recommended for production
- No need to rebuild or restart container when sources are updated
- Build tools are included in the image
- The same image can be used to compile and run the application ]
template: inverse
.left-column[
] .right-column[
Docker Image
maven:3.3.3-jdk-8
Source code
https://github.com/l0rd/containerspatterns/tree/master/DYT
Run command
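```bash
# Make the alias of the dockerized tool.
# Single quotes defer $(pwd) until the alias is used, so the current
# directory (not the one where the alias was defined) is mounted.
alias mvn='docker run \
  -w /usr/src \
  -v "$(pwd)":/usr/src \
  -v ~/.m2:/root/.m2 \
  maven:3.3.3-jdk-8 \
  mvn'
# Run the tool
mvn -version
```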
]
.left-column[
] .right-column[
- Development pattern
- A tool is packaged and distributed as a Docker image
- Allows running multiple versions of the same tool
- The tool version and installation is described in a Dockerfile
- Files can be shared between the container and the host with volumes
- The `alias` command can be used to make the tool easier to run ]
template: inverse
.left-column[
] .right-column[
Docker Image
containerspatterns/rust-launcher
Source code
https://github.com/l0rd/containerspatterns/tree/master/CL
Run command
```bash
docker run -v $(pwd):/src/ \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containerspatterns/rust-launcher
```
]
.left-column[
] .right-column[
.center[![cp-CL-1](images/cp-CL1.svg)] ]
.left-column[
] .right-column[
.center[![cp-CL-2](images/cp-CL2.svg)] ]
.left-column[
] .right-column[
.center[![cp-CL-3](images/cp-CL3.svg)] ]
.left-column[
] .right-column[
.center[![cp-CL-4](images/cp-CL4.svg)] ]
.left-column[
] .right-column[
.center[![cp-CL-5](images/cp-CL5.svg)] ]
.left-column[
] .right-column[
.center[![cp-CL-6](images/cp-CL6.svg)] ]
.left-column[
] .right-column[
- Runtime Pattern
- The Docker socket is bind mounted when the container is started
- Used to compose multiple containers without Docker Compose or similar ]
template: inverse
.left-column[
] .right-column[
Docker Image
alpine
Source code
https://github.com/l0rd/containerspatterns/tree/master/HS
Run command
```bash
docker run --net=host \
  -v /:/hostfs/ \
  --pid=host \
  --uts=host \
  --ipc=host \
  -v $(pwd):/src/ \
  alpine sh -c ". /src/print_host_info.sh"
```
]
.left-column[
] .right-column[
- Runtime Pattern
- Run commands inside a container to inspect or alter the Docker host
- Access to host network, filesystem, processes, users, etc.
- Breaks container isolation
- Won't work on a security-hardened Docker installation ]
template: inverse
.left-column[
] .right-column[
Docker Images
- maven:3.5-jdk-8 (build)
- openjdk:8-jre (run)
Source code
https://github.com/l0rd/containerspatterns/tree/master/S2I
Build command
```bash
docker build -t s2i .
```
Run command
```bash
docker run -t --rm s2i
```
]
.left-column[
] .right-column[
- One unique Dockerfile for build and run
- Build tools are not in the final image
- Has existed for a long time in OpenShift, recently integrated in Docker (17.05)
- Combines 2 patterns (Copy Source and Copy Executable)
- Suited for static programming languages
- Allows using Docker Hub as a CI platform ]
template: inverse
.left-column[
] .right-column[
Docker Images httpd and ubuntu
Source code
https://github.com/l0rd/containerspatterns/tree/master/SC
Run command
```bash
# Run apache httpd in the background
cid=$(docker run -dit -p 8080:80 \
  -v /usr/local/apache2/htdocs/ httpd:2.4)
# Run a sidecar container that updates index.html
docker run --volumes-from ${cid} -ti --rm ubuntu \
  sh -c "echo I am the sidecar >> /usr/local/apache2/htdocs/index.html"
# Run a sidecar container that shares the same PID namespace
docker run --pid=container:${cid} -ti --rm ubuntu \
  bash -c "echo -n pid 1 is \$(ps -p 1 -o comm=), killing it...;
           kill 1;
           echo done."
```
]
.left-column[
] .right-column[
- Provides extra functionality to a running container
- Popular for the Service Mesh model
- Not all namespaces are shareable (e.g. userns/uts/filesystem) ]
template: inverse
layout: false
.center[
## [l0rd.github.io/containerspatterns](https://l0rd.github.io/containerspatterns)
]
template: inverse
A development pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Development pattern
- Sources are copied inside the image
- Simplest development pattern
- A new image should be built for every code change
- Build tools are included in the image
- Usually a different image is used to run the application ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image
2048
Source code
https://github.com/l0rd/containerspatterns/tree/master/CS/
Build and run commands
```bash
docker build -t 2048 .
docker run -d -p 8080:80 2048
```
]
???
In this pattern it's particularly important to separate two distinct steps:
- fetching the dependencies
- build of the application
template: inverse
A runtime pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Runtime Pattern
- The Docker socket is bind mounted when the container is started
- Allows managing containers from another container
- Usages:
- Container monitoring tools
- CI/CD tools
- Containers launchers ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image
containerslanguages/golang
Source code
https://github.com/l0rd/containerspatterns/tree/master/DSM
Run command
```bash
docker run -v /var/run/docker.sock:/var/run/docker.sock \
  containerslanguages/golang
```
]
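The Host Spoofing and Docker Socket Mount commands in this deck both hand the container access to the host on purpose. As an added example (not part of the original slides), this shell function flags those options in the arguments of a `docker run` command so they can be caught in review; the function name, finding labels and sample host path are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. audit_docker_run and its finding labels
# are hypothetical names. Pass it the arguments that follow `docker run`.
audit_docker_run() {
    findings=""
    prev=""
    for arg in "$@"; do
        # Join "--opt VALUE" into "--opt=VALUE" so both spellings are checked.
        case "$prev" in
            -v|--volume|--net|--network|--pid|--ipc|--uts) arg="$prev=$arg" ;;
        esac
        prev="$arg"
        case "$arg" in
            --net=host|--network=host) findings="$findings host-network" ;;
            --pid=host) findings="$findings host-pid" ;;
            --ipc=host) findings="$findings host-ipc" ;;
            --uts=host) findings="$findings host-uts" ;;
            -v=*|--volume=*)
                src=${arg#*=}      # drop the option name
                src=${src%%:*}     # keep only the host side of SRC:DST
                case "$src" in
                    /) findings="$findings host-rootfs-mount" ;;
                    */docker.sock) findings="$findings docker-socket-mount" ;;
                esac ;;
        esac
    done
    # Limitation: the scan does not stop at the image name and does not parse
    # --mount, so treat the result as a first-pass check.
    echo "${findings# }"
}

# Constructed sample: the Host Spoofing command (host path is made up).
audit_docker_run --net=host -v /:/hostfs/ --pid=host --uts=host --ipc=host \
    -v /home/dev/hs:/src/ alpine sh -c ". /src/print_host_info.sh"
```

An empty result means none of the listed options were found.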
template: inverse
A Distribution and runtime pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Distribution and Runtime Pattern
- The base image is the smallest possible: `scratch`
- Used to make ridiculously small images
- Works well with statically linked applications (Go, Rust, C, etc.) ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image
emilevauge/tictac
Source code
https://github.com/emilevauge/tictac/
Run command
```bash
docker build -t tictac .
# Compare tictac binary size with tictac docker image size
```
]
template: inverse
A runtime pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Runtime Pattern
- Instructions ENTRYPOINT and CMD are used together
- ENTRYPOINT is the fixed part of the command
- CMD is the variable part (usually the parameters) ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image
ecc
Source code
https://github.com/l0rd/containerspatterns/tree/master/ECC
Run command
```bash
docker run -ti --rm ecc
docker run -ti --rm ecc -f lean docker
```
]
template: inverse
A runtime pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Runtime Pattern
- JSON is used to define the command and its parameters
- It's the alternative to the Shell Form (`/bin/sh -c` on Linux or `cmd /S /C` on Windows)
- No variable substitution and the command is PID 1
- Unix signals are delivered directly to the program (not the shell) ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image
httpd
Source code
https://github.com/l0rd/containerspatterns/tree/master/EFE/
Build and Run commands
```bash
docker build -t httpd-exec -f Dockerfile.exec .
docker build -t httpd-shell -f Dockerfile.shell .
docker run -i -P --rm httpd-exec
# Stop it using ^C
docker run -i -P --rm httpd-shell
# (Try to) stop it using ^C
```
]
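Because a shell-form ENTRYPOINT puts `/bin/sh -c` between Docker and the program, it is worth checking Dockerfiles for it before the signal problem shows up at runtime. The following lint is an added example, not code from the deck or its repository; the function name and the sample Dockerfile lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. find_shell_form is a hypothetical name.
# Reads a Dockerfile on stdin and prints "<line>:<INSTRUCTION>" for every
# ENTRYPOINT or CMD that is not written as a JSON array (exec form).
find_shell_form() {
    awk '
    {
        if (!cont) { buf = ""; start = NR }
        line = $0
        # A trailing backslash continues the instruction on the next line.
        cont = (line ~ /\\[ \t]*$/)
        if (cont) sub(/\\[ \t]*$/, "", line)
        buf = buf line
        if (cont) next
        if (match(toupper(buf), /^[ \t]*(ENTRYPOINT|CMD)[ \t]+/)) {
            rest = substr(buf, RLENGTH + 1)
            name = toupper(buf)
            sub(/^[ \t]*/, "", name)
            sub(/[ \t].*$/, "", name)
            # Heuristic: exec form starts with "[" and ends with "]".
            if (rest !~ /^\[.*\][ \t]*$/) print start ":" name
        }
    }'
}

# Constructed sample input (not the Dockerfiles from the EFE folder).
printf 'FROM httpd:2.4\nENTRYPOINT httpd-foreground\n' | find_shell_form
```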
template: inverse
A development pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Development pattern
- Build behaviour inherited from base image
- Avoid duplicate code in Dockerfiles
- Can make Dockerfile difficult to read ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image
obi-java
Source code
https://github.com/l0rd/containerspatterns/tree/master/OBI
Build/Run commands
```bash
docker build -t obi-java .
docker run --rm obi-java
```
]
template: inverse
A development pattern
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
- Development pattern
- Dependencies should not be fetched at every change in source code
- In the Dockerfile, the dependency list should be copied before the source code ]
.left-column[ .footnote[@hguemar, @mariolet, @mjbright ]
] .right-column[
Docker Image dfd
Source code
https://github.com/l0rd/containerspatterns/tree/master/dfd
https://github.com/polyfunc/flask-todolist
Build command
```bash
docker build -t dfd .
docker build -t dfd-orig -f Dockerfile.orig .
touch onefile
docker build -t dfd .
docker build -t dfd-orig -f Dockerfile.orig .
```
]