
Blog

Metahub: Dynamic Registry Proxy

I won't say "Long time, no post" - but...

As I had some time on my hands over the last couple of months, I kept iterating on my idea of hardware optimization using manifest lists from the previous post, Match Node-Specific Needs Using Manifest Lists.

Recap

The gist is that hardware optimization with containers is a bit of a step back, as kernel virtualization (aka containers) promises to provide isolation on top of a Linux (or Windows) kernel without caring too much about the underlying host configuration.

Optimized Container Images for AI/ML and HPC

Containers are gaining more and more of a foothold as a lightweight way of isolating different applications, relying on kernel features instead of spinning up emulated hardware, i.e. (rather) heavy virtual machines. That has worked great so far, as resource isolation was only focused on what the kernel can provide:

  • CPU cycles
  • Memory
  • Input/output to resources controlled by the kernel (e.g. network and filesystems)

Docker Datacenter in a Box

I've been working for Docker for a month now and it is already a fun ride. I joined just before the DockerConEU announcement two weeks back that Docker Enterprise Edition as well as the Docker Community Edition for desktops (Docker4Mac/Docker4Win) will support Kubernetes in the future.

Doxy: A Docker Socket Proxy

Talking to security engineers, I was asked how to secure a Docker socket so that applications like a metrics collector are only able to access a subset of the API endpoints.

Looking into it, I examined the authorisation plugins already out there, but as far as I understood them, they only work on TCP sockets and rely on an SSL certificate providing information about who is accessing them. Recently I tried to create a plugin using the newest plugin system, but that failed to some extent. The plugin system is currently in transition to be used within the plugin framework rather than being started directly at startup.

To work around this and get something usable, I created a little Go tool that sets up an httputil.ReverseProxy: it provides a proxy socket, checks each request against a set of regular expressions, and forwards permitted requests to the Docker socket on behalf of the user.

Meet doxy:

Byfahrer: Terminate SSL for Docker SWARM

I like the idea and prospect of having only the plain Docker stack running, as it provides a nice experience from development to operations (I am talking about you, DevOps!). I can start with a single container, create a set of (unreplicated) services and try to make them work in a distributed setup, all on my little laptop, and stay confident that it will work on a cluster as well.