[one-dev] Docker - OpenNebula - Megam

Megam Systems gomegam at megam.co.in
Thu Jun 19 08:09:12 PDT 2014


Dear Javier,

I am going to push the second proposal with answers added. The reason
being "Docker shouldn't be treated as a hypervisor".
I drew a picture for my proposal which will suit all the container
virtualization folks (I hope so :)).

https://docs.google.com/drawings/d/1DUYv1NoYunor5KZT4ckKpVVIe7tIRb5tfQd35v8OGEU/edit?usp=sharing

*Terminology*:
Docker VM: A VM (Ubuntu, Debian/CentOS) with the Docker daemon in it.
Docker container: A Docker image that is running inside the "Docker VM".

Docker daemon can be interfaced via an API.

*Assumptions*:
We are going to use an instance "Docker VM" with docker installed. Hence
Docker can be an appliance in the OpenNebula Marketplace.

We need a layer on the "Docker VM" which acts as a translator to talk to
all the stood-up containers. Let us call the layer an agent. The *agent*
will be native and can be connected to using messaging or an API.

*SSH*
https://docs.docker.com/articles/security/
The *agent* will act as a proxy for ssh authentication for the user and will
allow access to the user's container. The container needs to run as the
user.

The sshconfig can be tweaked in the Docker VM to say that we'll use a
binary to verify the authentication. The ssh keys should be stored as
before (authorized_keys) etc.

The sshconfig of the Docker VM:

*AuthorizedKeysCommand*: will use our native binary and perform per
container authentication and will let the user into that container by
executing "docker run container id /bin/sh"
*AuthorizedKeysUser*: nobody (default)

*Logs*
The Docker containers will be spun off by "upstart" or systemd and each
runs as a process. We'll use "Docker's log API", and the logs of the
"upstart/systemd" process for that container.

*Metrics/Monitoring*
https://docs.docker.com/articles/runmetrics/
We should be able to pull the correct "cgroup of our container id" and
pull the mem.stat, cpu.stat, network.stat. Using OneGate the data can be
sent out periodically.

    grep cgroup /proc/mounts

The stuff needs to happen at the PaaS level and operated external to the
Docker container. I am anxious to hear the team's feedback.

-- 
Cheers,
Megam Systems; http://www.gomegam.com
email : gomegam at megam.co.in; twitter: @megamsystems
web   : http://www.gomegam.com  | try   : https://www.megam.co
blog  : http://blog.megam.co    | github: https://github.com/megamsys

On Wednesday 18 June 2014 09:20 PM, Javier Fontan wrote:
> Hi,
>
> I'm happy to find this email as I've been tinkering with Docker and
> LXC recently.
>
> There are a lot of discussions these days about Docker. I see it as a
> nice way to package and deploy apps but I'm not really sure it fits
> into OpenNebula. I really want to be wrong on this.
>
> The second proposal (starting up VMs with docker prepared) is
> straightforward. It requires an image with the software prepared and maybe
> some context scripts that do some kind of configuration so an external
> user can call its docker daemon and start new containers.
>
> The first one is a bit more problematic. Even if creating the drivers
> to manage docker instances is relatively easy (but time consuming)
> there is a problem I couldn't find a solution to. VMs usually can be
> reached using ssh or VNC. Containers don't have a VNC server and with
> the Docker philosophy of one app per container you also lose ssh. In
> OpenNebula there is no other way of reaching those containers. The
> containers will run and do their duty but when something does not work
> as expected you cannot attach to it to change something and features
> like getting the logs from the app are gone.
>
> It may be possible to add some sort of layer to do this. Maybe an ssh
> in some host configured like a git server [1] that starts some docker
> command instead of a shell. Anyway, this seemed too far-fetched for a
> pet project and I moved to LXC, which is more similar to a VM.
>
> Maybe with a bit more heads on the problem we can find an architecture
> that makes Docker right at home in OpenNebula.
>
> Cheers
>
> [1] http://gitolite.com/gitolite/glssh.html#restricting-shell-accessdistinguishing-one-user-from-another
>
> On Wed, Jun 18, 2014 at 3:56 PM, Megam Systems <gomegam at megam.co.in> wrote:
>> Dear All,
>>
>> Docker 1.0 was released recently. Megam is a cloud automation engine,
>> and would like to support this feature.  With the latest release Docker
>> uses libcontainer.
>>
>> Our *vision* is to enable and simplify running Docker container images
>> using Megam on OpenNebula.
>>
>> *Terminology:*
>>
>>   * Docker container image: A tiny image which can be unwrapped and
>>     run by "Docker"
>>   * Docker container: An instance that is created as a result of
>>     running the Docker container image.
>>   * Docker service: A regular Ubuntu or Wheezy VM spun off by
>>     OpenNebula having the "docker" executable installed.
>>
>>
>> Docker helps to run container images very quickly. A Docker container
>> image is built by a user. So a user builds the Docker container image
>> and stores it in a docker registry (this can be public or private).
>>
>> An example Docker container image can hold  "apache2" or "postgresql".
>> Recommendation by Docker is to run just one process.
>>
>> There are 2 ways of integrating it into OpenNebula.
>>
>>  1. Docker as a hypervisor which would spin off the user's container
>>     image in the OpenNebula host.
>>  2. A Docker service which is stood-up and shared by a user. Multiple
>>     Docker containers can run inside the stood-up Docker service. The
>>     Docker service will be owned by the user and the user can stand-up
>>     multiple Docker containers in it.
>>
>>
>> We would like to hear the community's feedback and thoughts on taking it
>> forward.
>>
>> Also, how are you using Docker today? How would you like to see it being
>> used in OpenNebula or using an orchestrator on top of OpenNebula like Megam?
>>
>> If you haven't started using Docker, what are the use cases for which you
>> are exploring its use? What is your wish list for the above integration?
>>
>>
>>
>> --
>> Cheers,
>> Megam Systems; http://www.gomegam.com
>> email : gomegam at megam.co.in; twitter: @megamsystems
>> web   : http://www.gomegam.com  | try   : https://www.megam.co
>> blog  : http://blog.megam.co    | github: https://github.com/megamsys
>>
>>
>> _______________________________________________
>> Dev mailing list
>> Dev at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
>>
>
>
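
As an added example (not code from the message, from Megam or from OpenNebula), a POSIX sh sketch of the AuthorizedKeysCommand helper the proposal describes: it maps a login name to a container id, refuses any id that is not plain hex so nothing else can be spliced into the command, and emits a forced-command authorized_keys line; sshd wires it in with the AuthorizedKeysCommand and AuthorizedKeysCommandUser directives. The mapping file layout, the sample keys, and the use of `docker exec` (which postdates Docker 1.0) instead of the message's `docker run` are assumptions.

```shell
#!/bin/sh
# Added example, not Megam's or OpenNebula's code: a sketch of the native
# helper the message proposes for sshd's AuthorizedKeysCommand. sshd runs
# it as `keycmd <user>`; it prints authorized_keys lines for that user,
# each with a forced command that lands the user in his own container and
# the usual restrictions. Mapping file format (user:container_id:pubkey)
# is an assumption; `docker exec` is assumed instead of the message's
# `docker run` so the user attaches to the already running container.

# Constructed sample mapping, standing in for a real mapping file. The
# third entry is deliberately malformed to show the id check refusing it.
SAMPLE_MAP='alice:3f9c2a1b7d4e:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYalice alice@host
bob:deadbeef1234:ssh-rsa AAAAB3NzaC1yc2EFAKEKEYbob bob@host
mallory:../../etc:ssh-ed25519 AAAAFAKE mallory@host'

# Accept only lowercase hex container ids, so nothing else can ever be
# spliced into the forced command string.
valid_container_id() {
    case "$1" in
        '' | *[!0-9a-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One authorized_keys line: forced command, restrictions, then the key.
forced_key_line() {
    printf 'command="docker exec -it %s /bin/sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# Print the lines for one user from the mapping read on stdin.
# Returns 1 (printing nothing) when the user has no valid entry, so sshd
# falls back to its normal key lookup or denies the login.
keys_for_user() {
    user=$1
    found=1
    while IFS=: read -r u cid key; do
        [ "$u" = "$user" ] || continue
        valid_container_id "$cid" || continue
        forced_key_line "$cid" "$key"
        found=0
    done
    return $found
}

# Stand-alone use: ./keycmd.sh alice < /path/to/mapping
if [ -n "${1:-}" ]; then
    keys_for_user "$1"
fi
```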
