Docker Deployment: A View From the Trenches
Deploying Linux containers in production and at scale remains problematic, particularly given ongoing security concerns. Docker container engineers demonstrated a new security feature dubbed Docker Content Trust during this week's LinuxCon in Seattle that makes it possible to verify the publisher of Docker images.
Those efforts are aimed at addressing lingering concerns about packaging critical enterprise applications in de facto standard Docker containers.
Meanwhile, Mesosphere, developer of the Datacenter Operating System (DCOS), is emphasizing a different aspect of the problem of deploying and scaling containers: an orchestration system built around Apache Mesos and a cluster-wide initialization and control system called Marathon, which supports Docker containers and is also promoted as a way to scale and update applications.
For starters, DCOS provides native support for Docker containers. Marathon is among a list of DCOS services that also includes Kubernetes, the open source container manager designed to work across multiple hosts. Along with native support for Docker containers, Sunil Shah, a Mesosphere distributed applications engineer, also emphasized the need to manage resources.
For example, the Marathon tool is designed to automate running multiple tasks on clusters by determining available processing and memory resources. Meanwhile, a "cluster resource negotiator" that allocates resources for container workloads can scale to tens of thousands of nodes, Shah asserted.
"Containers need to be sized appropriately," Shah argued. Hence, developers need to "think harder about how much of various [IT] resources your application really needs."
Moreover, he urged container adopters to "leave some slack in your resource limits when deploying an application to account for performance differences between servers."
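The sizing advice above, as an added example that is not part of the article or of Mesosphere's own tooling: it takes constructed usage measurements from several servers, keeps the highest observed value (so the slower server sets the floor), adds a headroom factor as the "slack", and emits a Marathon-style application definition. The field names (`id`, `cpus`, `mem`, `instances`, `container.docker.image`) follow Marathon's app definition format as the author of this example understands it; the server names and numbers are constructed.

```python
import json
import math

# Constructed sample: peak (cpus, memory MB) of one container measured on
# three different servers. The spread illustrates the "performance
# differences between servers" the article warns about.
OBSERVED_PEAKS = {
    "web-1": (0.42, 310),
    "web-2": (0.55, 340),
    "web-3": (0.48, 325),
}


def size_with_slack(peaks, headroom=0.25):
    """Return (cpus, mem_mb) sized from the worst observed peak plus headroom.

    cpus is rounded *up* to hundredths (Marathon accepts fractional CPUs),
    mem is rounded up to whole megabytes, so the result never under-provisions.
    """
    if headroom < 0:
        raise ValueError("headroom must be non-negative")
    if not peaks:
        raise ValueError("need at least one measurement")
    worst_cpus = max(c for c, _ in peaks.values())
    worst_mem = max(m for _, m in peaks.values())
    if worst_cpus <= 0 or worst_mem <= 0:
        raise ValueError("measurements must be positive")
    cpus = math.ceil(worst_cpus * (1 + headroom) * 100) / 100
    mem = math.ceil(worst_mem * (1 + headroom))
    return cpus, mem


def marathon_app(app_id, image, peaks, instances=1, headroom=0.25):
    """Build a Marathon-style app definition (field names are an assumption)."""
    cpus, mem = size_with_slack(peaks, headroom)
    return {
        "id": app_id,
        "cpus": cpus,
        "mem": mem,
        "instances": instances,
        "container": {
            "type": "DOCKER",
            "docker": {"image": image, "network": "BRIDGE"},
        },
    }


def instances_per_node(app, node_cpus, node_mem_mb):
    """How many copies of `app` fit on one node, given its resources.

    Useful for sanity-checking that an app with generous slack still packs
    acceptably onto the cluster's smallest node type.
    """
    by_cpu = node_cpus // app["cpus"]
    by_mem = node_mem_mb // app["mem"]
    return int(min(by_cpu, by_mem))


if __name__ == "__main__":
    # Hypothetical app id and image name; replace with your own.
    app = marathon_app("/example/web", "example/web:1.0", OBSERVED_PEAKS, instances=3)
    print(json.dumps(app, indent=2))
    print("instances per 8-core/16 GB node:", instances_per_node(app, 8, 16384))
```

The headroom is applied to the worst server's measurement rather than the average: a limit that fits the fastest server will be hit first on the slowest one, which is exactly the failure the advice is meant to prevent.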
The Mesosphere approach also relies on a configuration management system to build the underlying machines used to scale container deployments.
Once configuration processes are standardized, "Docker with a container orchestration system makes it easier to treat machines like 'cattle'—they are all the same," Shah said, adding: "Treat your servers like cattle, not like pets."
Indeed, Mesosphere has been gaining traction with its cluster manager billed as a datacenter operating system. Apple recently rebuilt backend services for its Siri digital assistant using Apache Mesos.
Mesosphere also disclosed that Yelp selected Apache Mesos to help manage its aggressive Docker container deployment. The online local business review web site opted for Docker containers over virtual machines "because it gave developers the ability to manage their own containers, and to deal with packaging and dependency issues rapidly without waiting for golden images to build," Mesosphere's Derrick Harris noted in a recent blog post.
Harris said Yelp opted to go beyond basic Apache Mesos in favor of a full-blown Marathon platform-as-a-service framework that runs alongside Mesos. Yelp uses the framework to schedule and orchestrate compute jobs. It also has built a Docker-based micro-services architecture on top of Mesosphere that allows container-size jobs to run regardless of the computing platform, Harris said.
As of early June, Mesosphere said Yelp is launching more than 1 million Docker containers a day using its framework. Shah said this week about 20 percent of Yelp web sites are running on DCOS.
As more hyper-scalers like Yelp adopt new orchestration tools and continue to work out the kinks in Docker deployment, the shift of deployment and production workloads will likely gain momentum.