
Automate Drupal deployments with Linux Containers, Vagrant and Docker

An overview of deployment strategies @ricardoamaro

About me
Free/Opensource software lover
Senior Cloud Engineer @Acquia
Drupal.org infrastructure/devops
Drupalist & Linux enthusiast
Father, artist, community facilitator

@ricardoamaro

About us

Vicente e Dlia

Today's agenda
1. The sad VirtualMachine story
2. Containers and non-containers
3. Drupal on LXC
4. How to Puppetize a container
5. Docker & LXC
6. Shipping containers with Drupal

What is virtualization?
Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system.
Software executed on these virtual machines is separated from the underlying hardware resources.

Why should I care?


Increase
+ efficiency
+ availability
+ security

Reduce
- costs
- hardware
- energy

Cloud infrastructure providers like Amazon Web Services sell virtual machines. EC2 revenue is expected to surpass $1B this year. That's a lot of VMs.

Virtual Machine platforms

The sad Virtual Machine story...


We are also paying for a lot of avoidable overhead. The Virtual Machine is a full-blown operating system image. This is a heavyweight solution to run applications in the cloud.

What is the solution?

A new concept, a new hope


Containers used to be terrible, but not anymore

Because LXC is ready to roll!

On any recent Linux Kernel near you!

Virtual Machines vs Containers


Virtualization and paravirtualization require a full operating system image for each instance.

Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

Virtual Machines vs Containers


Containers can share a single Linux Kernel and, optionally, other binary and library resources.

Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

The time to provision

Source : http://www.linuxjournal.com/content/containers%E2%80%94not-virtual-machines%E2%80%94are-future-cloud

From the simple concept of chroot

mount /dev/sda /target
chroot /target

source: http://openvz.org

but that had no resource and security isolation goals for multi-tenant designs...

What if you could control...

- CPU
- Devices
- Processes
- Memory
- Disk space
- Network

Containers & Cgroups


OpenVZ & LXC need control over specific host resources: cgroups
Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.

~$ ls /sys/fs/cgroup
blkio cpu cpuacct cpuset devices freezer hugetlb memory perf_event

example:
lxc-cgroup -n foo cpuset.cpus "0,3"

https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
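
To confirm that a container task really sits in the groups created for it, the following added example (not part of the original slides) reads the cgroup v1 membership file /proc/<pid>/cgroup and lists the controllers for which the task is still in the root group. The helper names and the sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: read cgroup v1 membership from
# /proc/<pid>/cgroup. Helper names and the sample are constructed.

# cgroup_of CONTROLLER: print the group path for one controller.
# Input lines look like "hierarchy-id:controller[,controller]:path".
cgroup_of() {
    awk -F: -v want="$1" '{
        path = $0; sub(/^[^:]*:[^:]*:/, "", path)   # path may contain ":"
        n = split($2, ctl, ",")
        for (i = 1; i <= n; i++) if (ctl[i] == want) { print path; exit }
    }'
}

# root_group_controllers: print controllers for which the task sits in "/",
# the root group, where no per-container limit applies.
root_group_controllers() {
    awk -F: '{
        path = $0; sub(/^[^:]*:[^:]*:/, "", path)
        if (path != "/") next
        n = split($2, ctl, ",")
        for (i = 1; i <= n; i++) print ctl[i]
    }' | sort
}

# Constructed /proc/<pid>/cgroup content for a task in container "foo"
# whose blkio and devices controllers were left in the root group.
sample_proc_cgroup() {
    cat <<'EOF'
8:perf_event:/lxc/foo
7:memory:/lxc/foo
6:freezer:/lxc/foo
5:devices:/
4:cpuset:/lxc/foo
3:cpu,cpuacct:/lxc/foo
2:blkio:/
EOF
}

echo "cpuset group: $(sample_proc_cgroup | cgroup_of cpuset)"
echo "controllers without a container group:"
sample_proc_cgroup | root_group_controllers
```

On a live host, feed it the real file, for example `root_group_controllers < /proc/$PID/cgroup`, and read the matching limit under /sys/fs/cgroup/<controller>/<path>/.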

LXC on Ubuntu
ricardo@ricardo-box:~$ sudo lxc-checkconfig
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.8.0-26-generic
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
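
The one line in that output that is not "enabled" is the user namespace, which is the isolation feature the next slides come back to. As an added example (not part of the original slides), this shell check turns the lxc-checkconfig report into a pass/fail result for provisioning scripts; the helper names are hypothetical and the sample is an abridged copy of the output above.

```shell
#!/bin/sh
# Added example, not from the slides: flag lxc-checkconfig features that
# are not reported as "enabled". Helper names are hypothetical.

# Reads lxc-checkconfig output on stdin and prints "feature=state" for
# every feature whose one-word state is not "enabled".
missing_lxc_features() {
    esc=$(printf '\033')
    # Real output can carry ANSI colour codes, so strip them first, then
    # drop trailing whitespace so the state compares cleanly.
    sed -e "s/${esc}\[[0-9;]*m//g" -e 's/[[:space:]]*$//' |
        awk -F': *' 'NF == 2 && $2 ~ /^[a-z]+$/ && $2 != "enabled" {
            print $1 "=" $2
        }'
}

# Exit status 0 only when every feature is enabled; findings go to stdout.
check_lxc_host() {
    findings=$(missing_lxc_features)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Abridged copy of the output shown on the slide above.
sample_checkconfig() {
    cat <<'EOF'
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
--- Control groups ---
Cgroup: enabled
Cgroup device: enabled
Cgroup memory controller: enabled
--- Misc ---
File capabilities: enabled
Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig
EOF
}

sample_checkconfig | check_lxc_host || echo "host lacks the features listed above"
```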

LXC Security with Apparmor


Since Ubuntu 12.04, containers are constrained by apparmor by default
- /usr/bin/lxc-start is automatically transitioned to its own profile, where it is only allowed to mount into the container's tree.
- The default policy attempts to protect the host from accidental container abuses such as writing to /proc/sysrq-trigger and /proc/mem.
- Each container configuration can specify a custom profile.

On Ubuntu 13.04
- We are able to exploit user namespaces and support stacked apparmor profiles.
- Apport hooks for better debug support.
- Greater scriptability by providing a liblxc API.

By 14.04
User namespace should support container use by unprivileged users.
Other resources:
http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html
https://wiki.ubuntu.com/LxcSecurity
http://wiki.ubuntu.com/UserNamespace
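
Because each container configuration can name its own profile, a config can also turn confinement off. The following added example (not part of the original slides) reports which LXC configs select the "unconfined" profile; the helper names and sample configs are constructed, and it assumes the last assignment of lxc.aa_profile (lxc.apparmor.profile on newer LXC) is the effective one.

```shell
#!/bin/sh
# Added example, not from the slides: find LXC container configs that
# switch AppArmor confinement off. Helper names are hypothetical.

# aa_profile_of CONFIG: print the profile the config selects, or "default"
# when the key is absent. Assumes the last assignment is the effective one.
aa_profile_of() {
    awk -F= '
        /^[ \t]*#/ { next }                      # commented-out settings
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "lxc.aa_profile" || key == "lxc.apparmor.profile") {
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                profile = val
            }
        }
        END { print (profile == "" ? "default" : profile) }
    ' "$1"
}

# audit_lxc_configs CONFIG...: print "path: unconfined" for each config
# that disables confinement; exit status 1 if any was found.
audit_lxc_configs() {
    rc=0
    for cfg in "$@"; do
        [ -r "$cfg" ] || continue
        if [ "$(aa_profile_of "$cfg")" = "unconfined" ]; then
            printf '%s: unconfined\n' "$cfg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs; real ones live in /var/lib/lxc/<name>/config.
make_sample_configs() {
    printf '%s\n' 'lxc.utsname = web' '# lxc.aa_profile = unconfined' \
        'lxc.network.type = veth' > "$1/web.conf"
    printf '%s\n' 'lxc.utsname = legacy' \
        'lxc.aa_profile = lxc-container-default' \
        'lxc.aa_profile = unconfined' > "$1/legacy.conf"
}

tmp=$(mktemp -d) && make_sample_configs "$tmp"
audit_lxc_configs "$tmp"/*.conf || echo "confinement is off in the configs above"
rm -rf "$tmp"
```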

Let's start with Vagrant and puppetize it!


Wait, I don't have to use heavy VirtualBoxes?

You just need that guy

My contribution to Drupal Containers


You will get:
1. Drupal (latest version)
2. Nginx
3. PHP + php-fpm
4. MySQL
5. phpMyAdmin
6. xhprof
7. xdebug
8. composer

https://github.com/ricardoamaro/drupal-lxc-vagrant-docker

Vagrant LXC (demo) - Install


Install latest Vagrant from: http://downloads.vagrantup.com/tags/v1.2.7 or later. Install lxc + redir.

sudo dpkg -i vagrant_1.2.7_x86_64.deb
sudo apt-get install lxc redir

1 - Clone the code


Get the code from: https://github.com/ricardoamaro/drupal-lxc-vagrant-docker

git clone git@github.com:ricardoamaro/drupal-lxc-vagrant-docker.git
cd ~/drupal-lxc-vagrant-docker

2 - Get the plugin & deploy


vagrant plugin install vagrant-lxc
vagrant up --provider=lxc
sudo lxc-ls --fancy

# redirect port 80 to the host
sudo redir --lport=80 --cport=80 --caddr={container ip} &
# and/or edit the /etc/hosts file with:
${IP} drupal phpmyadmin xhprof

Now I have to build this every time?

use Docker

Docker Who??

this Docker

and ship them as containers

Ship containers? Build Once, Run Anywhere

You can ship your image into a Docker container


Install docker:
sudo apt-get -y install docker
curl get.docker.io | sudo sh -x

Import container to docker:
sudo tar -C /var/lib/lxc/{container name}/rootfs/ -c . | sudo docker import - dev/drupal

Start docker:
sudo docker run -i -t -p :80 dev/drupal /bin/bash

The image is already pushed to https://index.docker.io, and can be pulled using:
sudo docker pull ricardoamaro/drupal

Or... build it the Docker way:


https://github.com/ricardoamaro/docker-drupal
https://github.com/ricardoamaro/docker-drupal-nginx

The docker is awesome!


the Commands:
attach    Attach to a running container
commit    Create a new image from a container's changes
diff      Inspect changes on a container's filesystem
export    Stream the contents of a container as a tar archive
history   Show the history of an image
images    List images
import    Create a new filesystem image from the contents of a tarball
info      Display system-wide information
inspect   Return low-level information on a container
kill      Kill a running container
login     Register or Login to the docker registry server
logs      Fetch the logs of a container
port      Lookup the public-facing port which is NAT-ed to PRIVATE_PORT
ps        List containers
pull      Pull an image or a repository to the docker registry server
push      Push an image or a repository to the docker registry server
restart   Restart a running container
rm        Remove a container
rmi       Remove an image
run       Run a command in a new container
start     Start a stopped container
stop      Stop a running container
tag       Tag an image into a repository
version   Show the docker version information
wait      Block until a container stops, then print its exit code

the Api
http://docs.docker.io/en/latest/api/registry_index_spec/

the Registry
http://docs.docker.io/en/latest/api/index_api/

Docker on Docker

(v0.6)

Continuous Deployments & Development

Container layers to be used for hosting applications

Just commit the good apples

Changes to the container can be committed to the central index or rolled back

Openstack and Docker...

The future has a bonus extra:
http://blog.docker.io/2013/06/openstack-docker-manage-linux-containers-with-nova/
https://wiki.openstack.org/wiki/Docker

...with the Nova driver


Nova is intended to be modular and easy to extend and adapt. It supports many different hypervisors (KVM and Xen to name a few), different database backends (SQLite, MySQL, and PostgreSQL, for instance), different types of user databases (LDAP or SQL), etc.
And it supports Docker containers!

This project is open-source and available at: https://github.com/dotcloud/openstack-docker.

Awesomeness!
- Develop the box in layers
- Use only one Linux Kernel
- Deploy quickly
- Build Once, Run Anywhere

Questions?
Locate this session at the DrupalCon Prague website: https://prague2013.drupal.org/node/388

Click the Take the survey link

@ricardoamaro


THANK YOU!
