A presentation at OSDC in Berlin, Germany by Philipp Krenn
Providing and Supporting Docker Images Philipp Krenn @xeraa
Infrastructure | Developer !
Who uses Docker?
Who uses Docker in production?
Who uses stateful Docker images?
Who uses our images?
Who uses our stack with other images?
Docker: the world's most heavily funded college project Internal quote from Slack
Content "Official" Base images Release policy Security Support Orchestration
Docker Hub "official"
What do you get? docker pull elasticsearch
Custom registry docker.elastic.co
I’m surprised more people don’t just host their own container registries since doing that is faster than every cloud offering and docker hub https://twitter.com/jessfraz/status/978449365261082625
Our Motivation Download statistics Speed & reliability
https://www.docker.elastic.co
Problems Some broken tooling like automated builds, Kitematic,... China IPv6
https://hub.docker.com/r/elastic/ elasticsearch/ kibana/ *beat/ logstash/ apm-server/
Quick Quiz Our image or not?
docker pull logstash:alpine
docker pull elastic/elasticsearch
docker pull kibana
docker pull docker.elastic.co/beats/filebeat:6.2.3
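The quiz turns on how a short reference expands into registry, namespace and tag. The sketch below is an added example, not code from the talk or from Elastic: it applies the usual Docker expansion rules to the four quiz references and labels where each one resolves. The source labels and the lookalike host used in the test are this example's own; the registry and Hub organisation names are the ones on the slides.

```python
ELASTIC_REGISTRY = "docker.elastic.co"   # custom registry named on the slides
HUB = "docker.io"                        # registry implied when none is given


def parse_reference(ref):
    """Expand a short image reference the way `docker pull` resolves it."""
    name, _, digest = ref.partition("@")
    tag = None
    # A ':' in the last path component is a tag; earlier it is a registry port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, sep, rest = name.partition("/")
    # The first component is a registry host only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = HUB, name
    if registry == HUB and "/" not in repo:
        repo = "library/" + repo         # Docker Hub "official" images
    implicit_latest = tag is None and not digest
    if implicit_latest:
        tag = "latest"
    return registry, repo, tag, digest or None, implicit_latest


def classify(ref):
    """Return (canonical reference, source label, implicit-latest flag)."""
    registry, repo, tag, digest, implicit_latest = parse_reference(ref)
    if registry == ELASTIC_REGISTRY:     # exact host match, never a prefix test
        source = "elastic-registry"
    elif registry == HUB and repo.startswith("elastic/"):
        source = "hub-elastic-org"
    elif registry == HUB and repo.startswith("library/"):
        source = "hub-library"
    else:
        source = "other"
    canonical = f"{registry}/{repo}"
    if tag:
        canonical += f":{tag}"
    if digest:
        canonical += f"@{digest}"
    return canonical, source, implicit_latest


QUIZ = ["logstash:alpine", "elastic/elasticsearch", "kibana",
        "docker.elastic.co/beats/filebeat:6.2.3"]

if __name__ == "__main__":
    for ref in QUIZ:
        print(ref, "->", classify(ref))
```

The implicit-latest flag marks references that carry neither tag nor digest, which is the case the release policy later in the deck rules out for these images.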
Base Images
Elasticsearch Alpine
Kibana, Beats, Logstash Ubuntu
Common base image in 5.4+ CentOS 7
https://github.com/elastic/elasticsearch-docker/blob/master/templates/Dockerfile.j2
FROM centos:7
LABEL maintainer "Elastic Docker Team docker@elastic.co"
ENV ELASTIC_CONTAINER true
ENV PATH /usr/share/elasticsearch/bin:$PATH
ENV JAVA_HOME /usr/lib/jvm/jre-1.8.0-openjdk
RUN yum update -y && \
    yum install -y nc java-1.8.0-openjdk-headless unzip wget which && \
    yum clean all
Upside Similar setup Shared layers JVM images largish anyway
Downside Size
$ docker images
REPOSITORY                                      TAG     IMAGE ID       SIZE
docker.elastic.co/kibana/kibana                 6.3.0   128b6bfb9645   729MB
docker.elastic.co/elasticsearch/elasticsearch   6.3.0   7e188ef97fe0   783MB
docker.elastic.co/beats/filebeat                6.3.0   f90fd7f32529   318MB
docker.elastic.co/kibana/kibana                 6.2.4   327c6538ba4c   933MB
docker.elastic.co/elasticsearch/elasticsearch   6.2.4   7cb69da7148d   515MB
docker.elastic.co/beats/filebeat                6.2.4   26a00abcde82   319MB
docker.elastic.co/kibana/kibana                 5.6.7   0f8347a118b3   697MB
docker.elastic.co/elasticsearch/elasticsearch   5.6.7   f9bc1b5416b9   574MB
docker.elastic.co/beats/filebeat                5.6.7   02648e71cced   334MB
docker.elastic.co/kibana/kibana                 5.3.3   ffe778f7e489   679MB
docker.elastic.co/elasticsearch/elasticsearch   5.3.3   5857f98b5920   165MB
docker.elastic.co/beats/filebeat                5.3.3   c01be8a8f630   232MB
           5.3     5.6     6.2     6.3
ES         165MB   574MB   515MB   783MB
Kibana     679MB   697MB   933MB   729MB
Filebeat   232MB   334MB   319MB   318MB
Does it matter? stateful vs stateless
What to include?
Single image for 5.x Platinum trial
Three flavors 6.0 to 6.2 Basic*, OSS, Platinum trial (* default)
Two flavors 6.3+ Basic / Platinum trial*, OSS 783MB vs 673MB (* default)
Future
Multiple JDK versions? 6.2: OpenJDK 8 6.3 BC: OpenJDK 10.0.1
Multiple base images?
Windows?!
Release Policy
No :latest
Zombies ideas that should have been killed by evidence, but keep shambling along
5 and 5.6 ?
What's in a tag?
docker.elastic.co/elasticsearch/elasticsearch   5.3.3   5857f98b5920   4 months ago
docker.elastic.co/beats/filebeat                5.3.3   c01be8a8f630   5 months ago
docker.elastic.co/kibana/kibana                 5.3.3   ffe778f7e489   5 months ago
Currently Overwrite tag
Label Schema
LABEL org.label-schema.schema-version="1.0" \
  org.label-schema.vendor="Elastic" \
  org.label-schema.name="elasticsearch" \
  org.label-schema.version="{{ elastic_version }}" \
  org.label-schema.url="https://www.elastic.co/products/elasticsearch" \
  org.label-schema.vcs-url="https://github.com/elastic/elasticsearch-docker" \
{% if image_flavor == 'oss' -%}
  license="Apache-2.0"
{% else -%}
  license="Elastic License"
{% endif -%}
Base image & JVM direct dependencies
Future Add image version?
Security
Run Elasticsearch as root
Cockroaches claims that disappear for a while when proved wrong, but just keep on coming back
Mode Production: Clusterable Development: Local network
"Docker" mode discovery.type=single-node
Bootstrap checks are here to stay
6.0+ no more default credentials
6.0+ X-Pack non-trial requires certificates
Support
The container runs Elasticsearch as user elasticsearch using uid:gid 1000:1000. https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html
Don't mutate the bind mounted local directory
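A preflight check for the situation on these two slides, as an added example that is not part of the talk or of Elastic's images: given a host directory that will be bind mounted, it reports whether uid:gid 1000:1000 can use it as it stands. It assumes no user-namespace remapping, so container uid 1000 is host uid 1000, and it ignores ACLs and supplementary groups; the function names are this example's own.

```python
import os
import stat

ES_UID, ES_GID = 1000, 1000      # uid:gid quoted from the Elasticsearch docs


def effective_bits(st, uid, gid):
    """rwx bits (0-7) that apply to uid:gid for this inode.

    Classic owner/group/other selection; ignores ACLs, supplementary
    groups and root's override (assumptions of this example).
    """
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid == gid:
        return (mode >> 3) & 7
    return mode & 7


def preflight(path, uid=ES_UID, gid=ES_GID, check_ancestors=True):
    """Return a list of findings; an empty list means the mount is usable."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    if effective_bits(st, uid, gid) != 7:
        findings.append(f"{path}: {uid}:{gid} lacks rwx "
                        f"(owner {st.st_uid}:{st.st_gid}, "
                        f"mode {stat.S_IMODE(st.st_mode):04o})")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable; grant access to "
                        f"{uid}:{gid} through owner or group instead")
    # Every ancestor must be searchable (x) or the directory is unreachable.
    parent = os.path.dirname(os.path.abspath(path))
    while check_ancestors:
        if not effective_bits(os.stat(parent), uid, gid) & 1:
            findings.append(f"{parent}: {uid}:{gid} lacks search permission")
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return findings


if __name__ == "__main__":
    import sys
    for finding in preflight(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```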
Zombies ideas that should have been killed by evidence, but keep shambling along
Those who do not understand Unix are condemned to reinvent it, poorly. — Henry Spencer
Docker default value? LimitNOFILE & LimitNPROC
infinity https://github.com/moby/moby/commit/8db61095a3d0bcb0733580734ba5d54bc27a614d (July 2016)
Test
$ docker run --rm centos:7 /bin/bash -c \
    'ulimit -Hn && ulimit -Sn && ulimit -Hu && ulimit -Su'
1048576
1048576
unlimited
unlimited
Combine two new systems to get chaos & despair
Docker is a leaky abstraction
Orchestration
Who uses Kubernetes?
Who uses Swarm?
Who uses Mesos?
Who uses Nomad?
No orchestration yet
Testing images for orchestration
Kubernetes 1.8 allows dots in env vars https://github.com/kubernetes/kubernetes/issues/2707
Kubernetes has made huge improvements in the ability to run stateful workloads including databases and message queues, but I still prefer not to run them on Kubernetes. https://twitter.com/kelseyhightower/status/963413508300812295
Kubernetes makes it easier to deploy stateful services not manage them. Stateful services must meet Kubernetes half way and manage their own cluster membership, failover, and replication. CockroachDB and Consul are two great examples, but far from perfect. https://twitter.com/kelseyhightower/status/963415653930553345
Conclusion
"Docker is disrupting the industry"
"Can I run Elasticsearch on Docker?"
"Should I run Elasticsearch on Docker?"
Even when stateful services do the right things managing state is still hard. Mixing stateful and stateless applications on the same cluster elevates the complexity of the entire cluster. Cluster security and upgrades become much harder. https://twitter.com/kelseyhightower/status/963417215608369153
https://www.meetup.com/Elasticsearch-Berlin/ Thursday June 14, 19:00 Springer Nature
Questions & Discussion Philipp Krenn @xeraa
Docker is eating the world. If you want to be taken seriously, you need to provide containers to your users. It's easy — everybody is uploading containers to Docker Hub, right? Unfortunately, reality is never as easy as it sounds at first. This talk gives an overview of Elastic's ongoing journey to providing official Docker containers:
Here’s what was said about this presentation on social media.
Now is the time for @xeraa from @elastic talk on “Providing and Supporting #Docker images” #osdc /kk pic.twitter.com/dB7gGtSxWl
— netways (@netways) June 13, 2018
.@xeraa on #docker 😂 #osdc pic.twitter.com/0jgbHo2QSJ
— Michael Friedrich (@dnsmichi) June 13, 2018
Great to see @xeraa talking. Now on stage at #osdc pic.twitter.com/fsBYJOfpX7
— xtruthx (@Xtruth_be_toldX) June 13, 2018
.@xeraa quotes @jessfraz on #container registries at #osdc 😎 pic.twitter.com/Jm4xH5HIxL
— Michael Friedrich (@dnsmichi) June 13, 2018
Which images do you use ?? #baseimages #alpine #docker #osdc /kk pic.twitter.com/gUAtqCfkCt
— netways (@netways) June 13, 2018
Multiple #jdk versions for #elastic #docker images #osdc /mif pic.twitter.com/V9TugPqfJ2
— netways (@netways) June 13, 2018
Elasticsearch has problems serving Docker images over IPv6 because their cloud vendor doesn't offer v6 everywhere. "They should stick to selling books" #osdc
— Devdas Bhagat (@f3ew) June 13, 2018
"No :latest" — wise decision for #elastic #docker images. #osdc pic.twitter.com/a3rpRqhCbx
— Michael Friedrich (@dnsmichi) June 13, 2018
"With #docker the idea comes back to run everything as root." #osdc pic.twitter.com/hvvDK6BP7D
— Michael Friedrich (@dnsmichi) June 13, 2018
"A lot of people want us to magically fix their shit." — @xeraa at #osdc
— Michael Friedrich (@dnsmichi) June 13, 2018
Combine two new complex systems to get chaos and despair #osdc
— Devdas Bhagat (@f3ew) June 13, 2018
Docker - Those who do not know Unix are forced to reinvent it poorly. #osdc
— Devdas Bhagat (@f3ew) June 13, 2018
Starting with 5.4 @elastic #docker images switched from #alpine to #centos as base image #osdc pic.twitter.com/SyeE8rpUy0
— Michael Friedrich (@dnsmichi) June 13, 2018
philipp krenn from @elastic is now talking about providing and supporting docker images at #OSDC pic.twitter.com/DCDskqAzcJ
— bastelfreak (@BastelsBlog) June 13, 2018