Java Containers Unpacked @ Pittsburgh Java User Group

nscript

0:00
thanks for joining us everyone as always we always appreciate everyone joining and participating
0:06
um welcome to the pittsburgh jug um like always you can follow us on twitter
0:11
everyone here already knows about the meetup but if you don’t go there but you kind of had to go there to join anyway
0:18
we have a few announcements uh first of all we do have a youtube channel we have all of our 2021 presentations up there
0:26
and we’re uploading all the presentations from this year as they happen so today’s uh presentation will
0:32
be uploaded either this weekend or the upcoming week and they’ll always be there and if you search for pittsburgh
0:38
jug on youtube it should be the first result and we have two uh upcoming
0:43
presentations that we want to talk about um on may 12th we’re going to have a presentation from dawn and then in june
0:50
from anna maria and we actually have some exciting news to share um
0:56
we want to thank jfrog for being our first official sponsor um it’s been a long time coming but
1:02
we’re very happy and yeah thank you jfrog
1:08
and on that note um we’re gonna turn it over to melissa um i’ll let you
1:14
introduce yourself because it’s always better from the person but yeah feel free to share and get started
1:21
hi everyone really really glad to see you all there in pittsburgh
1:27
yes so one of the positive things about doing these virtual things is i get to go anywhere now and i get to meet all
1:32
kinds of new people in different places and didn’t have that opportunity as much before so this is really cool
1:39
anyway um yeah i’m melissa mckay i do work for jfrog um i’m a developer advocate
1:45
and uh i’ve been there about two years now and
1:51
in fact i’m gonna go ahead and start sharing my slides here with you
1:56
and go ahead and get into introductions
2:03
okay cool should be able to see that now i’m going to be talking to you today about containers crash course in
2:09
virtualized container technology and before i go any further and get into
2:17
more about my background and stuff ari waller he is jfrog’s meetup manager
2:23
he always likes to put these on for any of the talks that we do for any of the meetup groups we have a raffle so if you
2:29
go to this link here um you will be able to not only see the slides that i’m presenting today they’ll
2:36
all be there but you can also enter a raffle for the amazon echo show eight now um you will have a high chance of
2:43
getting this so go ahead and enter that and um
2:49
you’ll the uh you’ll be notified in the next three business days are you’ll we’ll let you know and then post it in
2:55
the meetup group as well so yeah don’t miss out on that okay so yes um as i said i am a
3:02
developer advocate prior to that however i was a developer all the way from an intern to a principal engineer for about
3:10
in the about 20 years of doing that i remember the very first project i worked on as an
3:15
intern was a ruby on rails project by the end of my career i was mostly in
3:22
java server-side applications a lot of web applications as well
3:27
um at toward the end there i started speaking publicly that came about just
3:34
by man interesting circumstances and opportunities that just happened to
3:40
coincide at the same time i ended up meeting some amazing people at an unconference if you’ve never had a
3:47
chance to visit or participate in an unconference it is an informal
3:52
conference very different than the formal conferences where you have a speaker standing up and you have your all of your audience listening
4:00
anyway uh this particular unconference uh met some pretty incredible people who really shepherded me and
4:08
helped me get you know my career moving as far as a speaker and sharing
4:13
knowledge and teaching that kind of stuff really exciting started doing that decided i needed to
4:18
find an actual position that um where that’s my job so that’s how jfrog came
4:24
in that’s how becoming a developer advocate happened um i did become a java champion at
4:29
jfocus last year was it two years ago now time kind of blurs together the last
4:35
two years uh it was a virtual conference i’ll be heading to j focus again in
4:40
person this time next week actually and i’ll be able to see the people that gave
4:46
me the award pretty exciting very excited about that i did also become a doctor captain so i
4:52
am very much involved in docker what they’re doing these days the new features that they’re putting
4:57
out um they’re putting out one they’ll announce the release and stuff it’s called docker
5:03
extensions it’s kind of fun to play with and and see how that works um i’ve also learned a lot about
5:10
wrapping java in a container and i’ll talk to you about that journey a little bit too during this talk
5:16
um here is my twitter handle that’s probably the best way to reach out to me is my twitter handle so feel free to do
5:22
that my dms are open if you have any questions or just want to reach out to me about this talk or any other that you
5:28
see around that would be welcome [Music] all right today we’re just going to
5:34
start uh with a brief history to give you some background context
5:39
hopefully it’s not too boring but there’s definitely certain milestones in there that are good to know to get a
5:45
better understanding of how we got here today with images and containers and how we work with them now
5:51
we’ll also take a look at the container market i found that really interesting just to see how much it has grown over
5:57
the past few years then we’ll move into getting a real understanding of what docker is
6:03
i am a docker captain but i don’t you know and i’ll be talking a lot about docker but um i do want you to
6:10
understand there are other other things out there besides docker and we will touch on that a little bit
6:16
um docker is not synonymous with containers you can have
6:21
images and containers that are not based on docker all right then we’ll talk more about
6:26
what a container actually is take a little uh tour of what it looks like on on a mac for example
6:33
and then we’ll view we’ll review a few container gotchas and then last but not
6:38
least i’ll talk to you about managing your images and what you might want to consider
6:43
when you start creating your own images and where you know the decisions you need to make on where to put them
6:52
okay uh two reasons i’m showing you this slide i’d just love to know how you are using containers today uh for those of
6:59
you that are here just take a moment and throw in the slack how you’re using containers or if you’re using them at
7:05
all it’s okay to say no we aren’t there yet we’re not doing that or if you haven’t considered it before
7:11
there are good reasons for using containers other than for production maybe you’re just using them locally or
7:17
maybe you’re just using them in your test environments you know maybe not so much in production yet
7:23
just curious how that is so um yeah vernat said she’s using them
7:31
locally uh test qa and prod environment so you’ve got it through the whole shebang there you’ve got
7:37
using containers cool um the top two listed here definitely
7:43
you know helps provide consistent development environments in testing and
7:49
qa environments where you can still gauge the quality of your applications with significantly less resources than a
7:55
full-on production environment so they’re helpful in those areas
8:01
all right we helped we have some oh we have a student awesome i love students i
8:07
recently did a doctorate class at a college it was my my daughter’s college so i had it in
8:14
and that was a lot of fun teaching kids about docker and how to build them so
8:22
yes you have quite a future ahead of you all right and and vj also local test and prod environment cool
8:29
good to know okay let’s jump in and just start talking about containers um sure that
8:34
that is not the graphic that you are expecting i’ve given this talk a few times and i just enjoy this one it’s one
8:40
of my favorites you will not see a container talk from me that uses shipping containers i’m
8:45
just really bored with those so i try to come up with some other theme or idea to work around and this one you get bananas
8:53
so hope you enjoy that okay uh let’s talk about um
9:01
what this all how this all started um way back you know 50s and 60s took a
9:08
long time to get anything done on a computer you had to share resources
9:14
it was just a lot more difficult to do that without causing problems for anyone else using the same machine
9:19
and obviously limits on time and resources created some bottlenecks and inefficiency that
9:26
we started to work on and just being able to share was not enough there needed to be a method of sharing without
9:33
getting in each other’s way or having one person inadvertently cause an entire system to crash for everyone
9:40
this need for better strategies and sharing compute resources actually started
9:45
a path of innovation that we see massive benefits from today and i um it’s really interesting what’s happening
9:52
today there are some key points in time that helped bring us here
9:57
today with containers and we’re going to start with talking about charoot [Music]
10:03
charut was born in 1979 during the development of the seventh edition of
10:08
unix and it was added to bsd the berkeley software distribution in 1982
10:14
and being able to change the apparent root directory for our process and its children that’s what true gives you uh
10:21
results in a bit of isolation in order to provide an environment for testing a
10:26
different distribution for example in fact that’s how it even made it in it was a utility that was used to test
10:33
different distributions and and be isolated from the rest of the machine
10:40
true was definitely a great idea a good start in the right direction but
10:45
more was needed and in 2000 the jail command was in introduced by freebsd
10:52
jail is a little bit more sophisticated than charuet in that its additional features help to further
10:58
isolate file systems users and networks and also the ability to assign an ip address
11:05
to each jail that became important in 2004
11:11
solaris zones brought us ahead even further by giving an application full user process and file system space and
11:18
access to system hardware and solaris zones also made popular this idea of being able to snapshot a file system
11:29
in 2006 google jumped in with their process containers and these were later
11:34
renamed c groups which you may have heard of that centered around isolating and limiting the resource usage of a process
11:42
moving right along in 2008 c groups were merged into the linux kernel which along with linux namespaces
11:49
that led to ibm’s development of linux containers
11:54
2013 was a big year docker came on the scene bringing their ability to package containers and move
12:01
them from one environment to another and the same year google open sourced their let me container that for you project
12:08
which provided applications the ability to create and manage their own sub-containers
12:13
and from here we saw the use of containers and docker specifically explode
12:20
in 2014 docker chose to swap out their use of the lxc toolset for launching
12:26
containers with lib container in order to utilize a native golang solution now
12:32
you can actually go to github and you can find libcontainer that is there you can see you know
12:38
what’s happening in there and um i’m almost done with this history
12:44
lesson this is a lot to throw at you um i’m skipping over you know some details
12:49
um there’s a lot of different projects and organizations and specs that came out during this period of time too but
12:56
something happened in june of 2015 that i really want to get to
13:01
this event is important to know about because it will give you some more
13:06
insight into some of the activity and motivations behind shifts in the market
13:12
the open container initiative was established this is an organization that is under
13:17
the linux foundation very act it’s active still it includes members from many major
13:23
stakeholders including docker with the goal of creating open standards for container run times and image
13:29
specification um even more stuff happened uh still
13:37
happening um but there are a couple of other dates that are also going to be important
13:43
specifically to java does and for us to know about specifically one is that java 7 was released in july
13:50
of 2011 and work was started on java 8 which was released in march of 2014.
13:58
keep that in mind because when you start containerizing your java applications this little bit of history will be
14:03
important to know and i’ll bring it up again later and that’s it for our history lesson i
14:09
know that was a lot what i really want to do to get out of this is the the information about the oci uh how
14:17
the java development has interleaved with docker development and just the fact that this is not new containers and
14:24
images have been around for a long time [Music]
14:29
okay let’s jump into the market and see what’s happened there over the last few years this is more interesting
14:35
information i did a little bit of hunting just to find you know some consistent data to look at and i did
14:41
find a report by systig some viewer might already be familiar with this company they provide a really
14:47
powerful monitoring and troubleshooting tool for linux they put out this container report based
14:52
on analysis of their own users and part of that report includes data on container runtimes that are used so that
14:59
means people that are actually running containers in production
15:05
what what runtime did they choose for their applications and in 2017 they analyzed data from 45
15:13
000 containers there’s no graph available for that one because 99 of those were docker so they
15:20
didn’t bother splitting up those results in 2018 they analyzed data from 90 000
15:26
containers now we’re getting a little more useful data double the sample size 83 percent were darker and then you can
15:33
see there’s a smattering of core os mesos and lxe so it doesn’t look like some other
15:40
container runtimes are starting to encroach a little bit on docker
15:46
moving on to 2019 the systig container report included
15:51
stats from over 2 million containers so you can see just how popular this movement is um
15:58
i yeah there are reasons for that and we’ll talk about those in a minute docker is still holding relatively
16:04
strong at 79 percent but take a look at that eighteen percent of container d
16:10
uh note that container d is actually a runtime that docker builds on top of now
16:16
um they they contributed that project so they’re kind of one in the same
16:22
and then that last four percent is cryo um notice that uh the disappearance of
16:29
rocket containers that was kind of a sad story core os was was acquired by red hat at
16:36
the beginning of 2018 and prior to that rocket was opened or was accepted to the cncf the cloud
16:43
native computing foundation as an incubating project and it looked like a really promising competitor to docker’s
16:50
container d however since that acquisition happened the development of the project went
16:56
dormant i imagine they just didn’t have the resources that they wanted to commit to
17:01
developing that project any further or maintaining it and in mid 2019 rocket was archived by
17:07
the cncf in february 2020 that project was ended now it doesn’t mean that you
17:12
can’t use a rocket container if you wanted to it’s still available in the github repo you can still build one you
17:18
can still deploy them it’s just that no one is actively maintaining that project anymore
17:26
in january of 2021
17:33
system came out with their 2021 container security and usage report it’s hard to know if we’re comparing
17:40
apples to apples here considering that little qualifier there of a subset of customer containers starting to mess
17:47
with their sources of data a little bit but this report includes a ton of detailed information about their
17:53
demographics and data sources as well as other interesting information about what services customers are running as
18:00
well as what they’re using for their orchestration in a nutshell what i pulled from this report was this uh notice that increase
18:07
in the usage of container d from 18 to 33 and it’ll be interesting to see if that
18:14
trend continues which i assume it will um especially since uh kubernetes
18:19
announced a while ago now that they are have deprecated support for docker as a
18:25
runtime later this year that sounded terrifying to a lot of people at first when they heard that
18:31
it just means that docker as the huge tech stack and all of the you know
18:36
extras that had to be put in in order to be able to run it in kubernetes um docker you know broke apart their
18:43
monolith basically and now their runtime container d you can use that instead so
18:49
that makes sense right container d is rising docker is falling
18:55
all right now that i’ve introduced some of these other container runtimes that exist out there besides docker um we can
19:03
take a look at what a container actually is i do have one more report to show you though this one is the most recent
19:11
uh this is also from systig of course this was an analysis of 3 million
19:17
containers and we can see that we don’t see a lot of change here
19:22
for any of these reports all of the links are here on the slides if you wanted to go check them out like i said there is a lot more interesting
19:29
information in there to look at um i did find the information on orchestration
19:34
interesting too like how many are using kubernetes versus other what else is there besides kubernetes
19:41
[Music] all right what exactly is docker um i
19:46
did infer you know in the beginning docker is more of a term that has been generalized kind of like kleenex
19:54
um so just you know it’s used more often for containers and images that aren’t
20:00
really docker container and images so uh nice to know what the difference is and
20:05
what docker actually is docker as a company had over
20:11
other players in this container game they had a focus on commoditizing a complete solution that made it easy for
20:18
developers to package and deploy their applications and once containers became
20:24
easy to use we all witnessed that explosion of tools and resources around
20:29
containers and consequently you know the increase in usage in production
20:35
the docker image format rose to became a de facto standard in the market
20:40
and the stats that i showed from systig are specific to container run times
20:46
that terminology is important to understand we’ll get into the pieces and parts
20:51
involved in working with containers you’ll understand why docker sucked up this market so fast
21:01
okay so we always need to go back to the problem we’re trying to solve and let’s think about what we actually need to get
21:07
our apps out there and running um as far as containers go we just needed a way to be able to lift and
21:13
shift our applications without a whole lot of effort so in order to get that to
21:18
happen we need um tools that allow us to perform those functions so here’s a list
21:24
of needs that are broken up into discrete features and first and foremost we need that container itself
21:31
some of you might be asking about virtual machines right now
21:36
discussing vms is out of the scope of this session but one thing i will say is virtual machine is
21:43
not the same thing as a container the biggest difference being that a vm includes an entire os all to itself and
21:50
containers share the system’s os the point of the container is to be
21:55
lightweight and have the ability to move from one environment to another seamlessly and quickly
22:01
and that said i know that there are some developments in the vm space but that’s a topic for another time
22:09
all right so on top of the container we also need a way to define the container that’s where we get the image format
22:16
we need a way to build an image of a container we need a way to manage those images
22:25
we need a way to distribute and share those images with our colleagues and others
22:30
we need a way to create launch and run a container environment and then we also
22:35
need a way to manage the lifecycle of those running containers and this doesn’t even get into orchestration like
22:42
that like kubernetes those environments but this is plenty to prove my point about docker and why they became so
22:49
popular so in the context of those developer
22:55
needs that we just went through docker was ready with an answer for everything you want to start using containers
23:02
they provided docker engine you need an image format they had a docker image
23:07
format which was actually contributed to the oci you need a way to build an image use a
23:14
docker file called docker build you want to manage images
23:19
you can call docker images docker rm for remove you want to share your images or use an
23:27
image from someone else you can call dr push or docker pull and there’s docker hub where you can
23:33
store and share your images you need a way to launch run and manage
23:38
your containers in their life cycle call docker run docker stop or docker ps
23:45
docker quickly met the needs of a container hungry market especially for developers they made it easy
23:52
this was just a full package and gave them a tremendous part of the
23:57
market share out of the gate so i hope you appreciate this banana graphic here i was trying to find
24:04
something relevant and all i could find was bananas and wedding rings so there you go hope you enjoy that
24:12
all right remember when i talked a little bit about the open container initiative the oci out of all of those
24:18
features that we just listed that was discussed that docker offers there are two of them that were taken up
24:25
for the cause right away by the oci that was the image format and the container runtime
24:31
since then they’ve also contributed distribution which is the push and pull of images and how that works
24:37
so they have standards for that too docker did quite a bit of reorganizing
24:42
their code base and they developed abstractions pulled out discrete functionality they are a heavy
24:48
contributor to the oci they gave the docker v2 image spec as a basis for the
24:53
oci image spec and they also gave run c which that is a reference implementation of
25:01
the oci container runtime spec um there are quite a few other container
25:07
runtimes you might see out there including container d uh cryo and kata which is more vm like all which all have
25:14
various levels of features for specific use cases uh run c just to
25:19
just to clarify there’s a low level and high level container run times run c is actually a
25:26
low level container runtime that container d uses
25:31
um container d actually was contributed by docker to the cloud native computing foundation it
25:38
internally runs run c it was integrated into docker and has been in use in
25:43
docker since version 1.11. that came out way back in 2016 so it’s been a while
25:48
now the next few years are going to be interesting to observe what happens uh with the specs and how the oci moves
25:56
forward there was quite a bit of period of time between the original image specs and then the
26:01
distribution spec that came out it turns out that there is it’s difficult to come
26:06
up with standards and i’ve been on a few like special interest groups now where you know we might spend
26:13
quite a while deciding you know whether our verbiage is correct or whether we’re using the right terminology so it takes
26:19
a while um not only in that respect but there’s quite a range of differing opinions about what should and should
26:26
not be in the standard for a container runtime and we’re in a situation right now where just having the runtime that
26:34
just meets the requirements of the oci it doesn’t seem to be enough to drive
26:40
adoption i’ve added a couple of links here they’re excellent starting places to
26:45
learn more about container run times and dive in deeper if you’re curious
26:50
that second one is the beginning of a blog series by ian lewis it’s it’s aged
26:56
now but it’s still relevant still a very good explanation uh he’s a google dev advocate and the first subtitle in that
27:04
blog is titled why are container runtimes so confusing and so he he takes
27:10
that and really tries to explain succinctly
27:16
why that is and how they actually work
27:22
all right now that we understand what docker entails and what’s you know going on in
27:28
the market let’s focus just on the container itself and what it looks like on your system
27:34
i’ll show you how it’s being stored on my mac because that’s what i’m
27:39
working on but you’ll discover pretty quickly that images and containers aren’t really all that magical
27:48
okay my first experience with containers it was several years ago i was a developer on a new project
27:53
there was a tight deadline of course and i could argue that’s a good description of most projects everyone always has a
28:01
tight deadline but uh the best course of action for me was just to jump in and start getting
28:06
something up and running on my local machine now it was really good to start with this particular project because it
28:12
was a it was from a third party they had originally developed to this project and now it was bringing in you know brought
28:18
in internally to the company and now it was our responsibility to add features to it and maintain it so it wasn’t like
28:24
i needed to start from scratch i could just look and see what was there and start learning that way which was
28:30
good um the docker documentation too is actually really good so if you find yourself in a
28:37
similar position i recommend go directly to their getting started docs i’ve linked to those here they have some
28:45
pretty good ones about java too but i really encourage you to question
28:50
everything that you see about java and just about building images in general
28:56
a lot of examples are meant to be just that just examples they are not always production worthy and by the end of this
29:02
talk you’ll you’ll understand why that is um the first thing to note is that
29:08
docker a docker image itself is really just a tarball of the complete file system and an image just to be clear an
29:15
image is like a blueprint um equivalent to like a class file
29:20
in java and then a container is an implementation of that it’s a it’s an object uh created from that blueprint
29:28
so you could have multiple containers that come from the same image so uh the image is where you need to
29:33
start learn how that image is built uh when an image is unpacked like when it’s about to be launched into a
29:40
container it’s actually just thrown into its own directory and that becomes the root file system of that container
29:48
the second thing to note is that processes that are involved in running the containers are just regular linux
29:55
processes in fact in the docker documentation itself you’ll find a really cool video
30:00
about creating an a container from scratch using go and it really makes it plain
30:07
that these are not magic they’re just you know linux processes
30:12
there’s just a few linux features that are used together in a way to achieve the isolation that we want from
30:19
containers namespaces are just they’re an important ingredient
30:25
they are used to provide virtual separation between containers ones that are running on the same host for example
30:32
this is how processes inside one container don’t interfere with the host
30:37
itself or processes inside another container and here you can see an example of just some name spaces that
30:44
were set up when i launched a postgres container on my box
30:49
c groups functionality is essential to constraining how much a container can
30:55
use things like cpu memory network bandwidth etc i can set up these constraints by
31:01
including options on the docker run command when i’m launching an image here you can see that i’ve constrained
31:08
my memory usage limit on one of my containers
31:15
i’m going to quickly gloss over some file system details where containers and images are actually
31:22
stored on your file system first off after you’ve installed docker
31:27
running the docker command
31:45
running the docker command info will spit out a bunch of information about your installation including the
31:51
docker root directory and this is where you’re going to um care about the most this is where
31:57
everything regarding your doctor images and containers is going to be stored
32:03
if you’re on a mac like me your containers are going to actually
32:14
excuse me trying to take it i’m going to see my voice yeah yeah yeah we can see that
32:21
we can see that i can fill up the silence for a while take it
32:28
um feeling good now okay
32:36
just when we were about to say yes this is it um
32:42
yeah but anyway if if though all those who joined in the last few minutes i’ve pasted a
32:48
link in the chat you can go there and you can find all the slides and also a chance to win
32:54
amazon echo so and the chances of one of you winning is pretty high so go take yeah
33:01
go try your luck out today for sure um but yeah that’s j frog sponsored so
33:08
that’s pretty cool awesome all right let’s see if i can keep going here okay
33:14
cover my little voice box oh yeah all right so we were talking about the root directory uh where everything you’re
33:20
going to care about uh regarding your docker images and containers is going to be stored now
33:26
like i said on the mac you run in a tiny vm so you’re going to use need to use some type of utility to get in there and
33:33
get to that docker root directory to look around i posted a couple commands in here one
33:39
is uh to use a container itself and uh launch it in such a way that you can actually navigate to that directory to
33:46
take a look at it and i did it for windows too i i feel bad because i’m always coming from a mac
33:52
and i don’t disregard windows users quite often so i apologize for that um i stole my son’s machine it’s a windows
33:59
machine and i installed docker on it played around with it for a while to see how how it looked um this was the
34:05
directory that i found the docker images in on the windows machine by the way i
34:11
really like the new windows you know that has the linux included
34:16
so that you can actually run ubuntu for example on your windows box pretty cool how that how that works almost almost
34:24
convinced me to buy a windows machine just to check it out
34:29
[Music] all right this slide shows how you can get information about the images that
34:35
you have stored on your system uh first i listed my available images using the
34:40
docker images command and i actually have several installed but i’m just listing the first couple
34:47
using the docker inspect command you can inspect any image you like using its image id
34:54
this will spit out a ton of interesting information i just want to highlight here the graph driver section which
35:00
contains the paths to the directories where all of the layers that belong to this image live
35:06
docker images are composed of layers i’m sure you’ve heard that before that represents instructions in the
35:12
docker file that was used to build the image originally the layers themselves the commands
35:20
actually translate into individual directories and these layers can be shared across images in order to save
35:27
space on your machine each layer um subsequent layers are just they are
35:33
consisting of the differences between the previous layer and the new stuff that has been added
35:41
the lower mergeder and upper sections here
35:48
those are also important uh to take a look at the lower dirt directory and you can navigate to all these by the way
35:55
if you’re in that root directory you can navigate there and check them out um the lower dirt directory contains all
36:01
of the directories or layers that were used to build the original image and
36:06
these are read only the upper dir directory contains all of the content that has been modified while
36:13
your container is running so if modifications are needed for a read only layer in lower dir then that
36:20
layer is copied into the upper dir where it can be written to and this is called
36:25
a copy on write operation it’s important to remember that the data in upper dir is ephemeral
36:32
data it only lives as long as the container lives in fact if you have data that you want to keep that your
36:39
application generates for example that includes you know logs things like that or database you know stuff like that you
36:47
should utilize the volume feature of docker mount a location that will stick around even after that container dies
36:54
ship your logs out from your container because they are intended to be short-lived
37:01
and this is how most containers you know running a database as well will operate
37:07
lastly the merged dir is kind of like a virtual directory that combines
37:12
everything from the lower dir and the upper dir and that’s the way the union file system works the edited layers that
37:19
were copied into upper der will overlay the layers in the lower dare if you were
37:24
to actually exec into the container and so that you’re inside of it and look around that is the layer that you’re
37:31
looking at the merged dir
37:37
okay this slide it shows i had a few running containers on my system
37:43
two of them were a local jfrog container registry installation i was playing with
37:49
it included a container for artifactory and a container for a postgres database
37:54
the other was just a simple test container i was playing around with just to see how it worked
38:00
note that the container ids of the running containers actually match
38:06
up with the container subdirectory names something to remember here is if you
38:11
stop a container that corresponding directory doesn’t automatically go away until the
38:17
container is actually removed with the docker rm command so if you have stopped containers lying
38:25
around that never get cleaned up you might see your available space to start to dwindle
38:31
docker volumes is another one those will also accumulate on your system um
38:37
that happened to me almost right away when i started working with containers i didn’t realize that
38:43
you can’t just keep launching containers and uh without dealing with them and cleaning them up and they get pretty big
38:49
pretty fast there is a docker system prune command that you can run
38:56
every now and then to help clean things up it will not clean up volumes by default
39:01
there’s a flag that you have to include if you want to clean up volumes as well
39:07
or you can launch a container with a flag to indicate that it should be removed when it’s finished running a
39:14
lot of orchestration will take care of this for you as well so if if you have a you know
39:20
if you’re using kubernetes or something you can indicate that you want your containers to be removed when they’re
39:25
done so the tool sets around building and
39:31
running images and containers have made things so easy now that it’s also easy to shoot
39:36
yourself in the foot and i’m going to go over some of the most common gotchas the ones that i ran into right away
39:42
including some jvm specific gotchas that java developers will care about those i
39:48
also ran into almost immediately when i started working with them
39:53
the docker file uh hard to work with docker without looking at seeing
39:59
manipulating um getting angry with the docker file
40:05
with that docker file you have all the building blocks you could possibly need to get your application out the door and
40:11
into production this is a fairly exhaustive list of the commands that are available to you in a docker file with
40:17
these you can pretty much do anything your heart desires you can do all the right things and you
40:22
can also do all the wrong things and everything in between it’s deceptively simple
40:30
the first is running a containerized application as the root user and i’ll be honest here
40:36
when i was initially getting containers up and running i was just so happy that it was working it was a while before i took this one
40:43
seriously and it um once once you understand that the process is inside a running container or
40:49
just like any other process on the system albeit a few constraints it’s scary now to run as root inside a
40:56
container doing that opens up the possibility of a process escaping the intended confines of the container and
41:03
gaining access to host resources what that means is if anyone were to
41:08
find access to your container be able to exec inside your container and they immediately have root privileges they
41:15
can really mess with your host not just the container so reduce the attack surface of your
41:21
container by following the principle of least privilege and although containers are designed not to affect other running
41:27
containers if someone gains access to it obviously they can immediately cost you some
41:33
problems how do you mitigate obviously don’t run as root
41:39
best thing to do is create a user and you can use the user command inside a
41:45
docker file when the container is built in order to run processes as that user if you look at docker files from a lot
41:52
of um you know official docker images um you’ll find that that
41:59
is exactly what’s what’s happening for example i think the last time i looked at the postgres one
42:04
you could open it up and you can see that they’re setting up a user and running it as a you know postgres user
42:11
um there is also a way to specify a user when you’re using the docker run command
42:17
like when you’re just launching the image from docker run but that leaves open the possibility of
42:22
forgetting to do that so i like it better to have it inside the docker file
42:28
so you don’t forget also um i just mentioned the postgres official image
42:33
from docker hub but pay attention to any official image that you pull from docker hub any image at all actually uh whether
42:40
or not they run as root by default and they could be letting you you know figure that out when you’re building on
42:47
top of the base image so pay attention to what’s going on there and docker official images i mentioned
42:54
those those are a curated set of images
42:59
a dedicated team at docker is responsible for reviewing and publishing those it’s done in a very transparent manner
43:06
and it’s very easy to take all that for granted but of course if you use any of those official images
43:13
you know stop and take a look at their original docker files if you remind me after this talk and you’re interested i
43:20
can show you where to find those as well the link here that i have here well
43:27
that’s that’s it that’s how you find them but i’ll i can show you some more details of where to go in there um that
43:33
is the official repository that docker uses uh for all of the uh official
43:39
images that they have the files in there they contain a path to the corresponding github repo for
43:45
that image and that’s where you can find the docker file
43:55
all right no constraints um even though docker provides you with the
44:01
ability to set resource limits on your container it doesn’t automatically do that for you in fact
44:07
the settings are pretty much a free-for-all with no limits anywhere so make sure you understand the resource
44:12
needs of your application uh just because you can now wrap your in your application inside of an image it
44:18
doesn’t mean that you can be lazy and not understand the resource needs of your application
44:24
um you can use um you’re going to want to monitor this over time so setting up monitoring on
44:31
your containers you’re running containers is important and adjust resources as needed that is a
44:38
very good way to determine if something’s going wrong like if or if load on your system has suddenly changed
44:44
it’s very valuable information and a must do you can also use that information to
44:51
determine if your application should be split up further that actually happened with us uh we
44:56
it wasn’t a huge monolith but there were a couple pieces that we needed to scale differently so we were able to break it
45:02
apart and make a lot of progress that way
45:08
all right never updating this is a very big security issue it’s very easy to get complacent and not pay
45:15
attention to what’s actually getting pulled in when you build images not only do you need to be aware of
45:21
outdated versions that you specify in your docker file but you need to pay attention to what’s in the base image
45:27
that it’s coming from now images can be built in a hierarchical fashion
45:33
so you can have a parent image and when you look at that parent images doctor file it could also have a parent
45:40
image and that can go all the way to the very beginning until you find a doctor file where the first line in the
45:45
docker file says scratch that is your base image
45:52
so um not updating packages and libraries too inside those images those can cause you
45:59
some some issues um and ensuring that you’re running containers with a
46:04
non-privileged user als even that has risk if there’s known vulnerabilities that exist within your container or even
46:12
the kernel of the host so from time to time exploits are found that enable
46:17
attackers to potentially escape the container definitely keep up with those security
46:22
updates i’ve definitely also been on teams where that is not a priority and um usually it’s because of
46:30
the fear of breaking something that is working that’s just a symptom of different
46:35
issues it’s much worse to let those vulnerabilities sit there
46:41
i remember a team that did have some problems with bit mining and stuff and they just
46:47
luckily they had everything monitored so they could tell immediately when resource usage started going through the
46:54
roof they were able to figure out what was going on pretty quickly and fix it
47:01
image bloat like i said images can get pretty big pretty fast especially if you have you know images upon images upon
47:08
images sometimes it’s not all obvious what all’s in there when you’re looking at a docker file
47:14
that’s down at the bottom right but when it’s finally up to you to start adding your own packages
47:20
so uh one thing to do right away is start making sure that you’re using the dot
47:26
docker ignore file it works very much the same as git ignore
47:32
prevents you from adding things like unit tests or secrets even that you really shouldn’t
47:38
be adding extra resources and stuff other than what you absolutely need to run your application
47:45
only move into that image what you need nothing more than that
47:51
um one thing that i hadn’t thought about until much later is you need to you know don’t move in your whole git
47:58
directory into your image um if you’re doing one of these docker files that just does a
48:04
full on copy of everything think about what all that means what you’re actually copying in
48:12
this isn’t limited to doc to java projects either any project
48:18
you should pay attention to that uh another another mitigation is to use the docker’s multi-stage docker build i can
48:26
show an example of that in a moment um that way you can actually do your build and everything pull in in all of
48:32
your third-party dependencies or other dependencies during your build and then
48:38
only copy in the artifacts that were produced from that build into a second stage
48:46
that’ll help limit the size quite a bit okay this one is java specific
48:53
specific to containerizing job applications and very related to being aware of what your application requires
49:00
to successfully um run with the memory it’s been allocated the jvm is pretty
49:05
clever at determining settings for your swap and heap and your garbage collection behavior based on things like
49:11
the memory and the number of cores available on the host remember our history lesson that
49:16
interleaving with java 7 and java 8 and along with docker development
49:22
um considering that timeline uh java 7 and i don’t know anyone on java 7
49:29
still but i do know a lot of people still on java 8. they’re not fully container aware this
49:35
means that your java application won’t necessarily obey memory and cpu constraints that you put on your
49:40
container and you might end up with some out of memory killer activity the reason for that is because the
49:47
mechanisms that the jvm used in these older versions to retrieve the resources available come from the actual host
49:53
machine and not the c groups limit that you would expect there were some improvements around
50:00
container awareness that were introduced in java 8 later updates i think 131 and then
50:08
further improvements in later versions but to really get all of the benefits of container awareness you really should
50:13
try to get to 11 but that’s the earliest lts release that is container aware
50:23
[Music] all right distro list this is another option for you to choose
50:29
um distro-less images there’s some that are available by uh google i believe they
50:37
have 11 and 17 now these are images that really really
50:42
slim down what you absolutely need to run in your image
50:47
in fact they don’t even include a shell which means you can’t even exec into the image when it’s running or when it’s
50:53
running as a container that definitely helps with your security makes troubleshooting a little more
50:59
difficult but you really shouldn’t be exacting into production running containers anyway so it encourages you
51:04
to use best practices like shipping your logs out things like that to do your
51:10
troubleshooting for running containers this also shows you an example of multi-stage build so you can do all of
51:16
your build like in this example at the top and then the second section starting in line seven you get a
51:22
second from statement that’s the distroless image and then only the items that you need are copied in
51:31
there’s a link here lots of more information on digitalis containers if you’re interested
51:38
other methods you can make your own custom image
51:43
this will really slim down java projects and java images you can use jlink that is
51:49
packaged with open jdk 11. what that allows you to do in combination with jdeps is figure out
51:56
exactly what dependencies you need to run your application and only include
52:01
those in the image in the base image you might find this will help a spring
52:08
boot project out quite a bit because that you know particular framework brings in a ton of stuff so you might
52:15
find some benefits there regarding the size of your containers reason we care about size of containers is think about
52:22
you know every time you um need that container to launch and run you’ve got to pull it from a registry
52:29
and get it started so i’m not really talking about the start time but more about
52:35
transfer time getting that thing where it needs to be in order to get launched
52:40
there’s a maven and gradle spring boot plug-in this allows you to avoid having to worry
52:46
about the internals of docker or building docker files but think of all the things we just
52:52
learned about docker files and how you can help yourself so if you choose to use one of these
52:58
methods i would encourage you to pay attention to what’s actually being produced uh one thing about the maven and gradle
53:06
um spring boot plug-in for example is it actually uses build packs and when i used it it uses pocketo build
53:13
packs that means it’s pulling an image and which
53:18
um determines how to build your your application and it does it
53:24
does things like look at the format you know figures out oh this is a maven project i’ll we’ll build an image this
53:30
particular way um but just note that that’s what it’s doing behind the scenes is pulling an image from somewhere else
53:35
so once again you’re relying on an external resource you might want to pull those down
53:41
store those somewhere and then set up your maven or gradle plugin to use your
53:46
bill packs that you have stored so they don’t get changed out from under you
53:52
um we talked about build packs a little bit you can find out more about those from these links
53:58
and then there’s jib jib the pro there it’s simple you just add the plugin
54:03
it but it also builds and pushes your image supposedly that’s good because it
54:10
reduces the number of steps but i find that kind of weird to do as a developer to be pushing images anywhere you really
54:17
should only be checking code in to github and then your ci process would be
54:22
building images and taking care of that so i don’t don’t particularly like that
54:28
idea of pushing images also some defaults might not be what you want um jib
54:36
distrolus base image is often assumed and then of course since it’s pushing
54:42
images um you might have to troubleshoot off is
54:48
off issues with those private repositories
54:53
if you don’t want to use docker at all if you’re on a linux box you’ve got some other options you can go check out
54:59
podman and builda they are not as easy to use on windows
55:05
and mac development machines but if you’re in linux or if you’re more involved in operations this might be the
55:10
preferred method as opposed to using docker
55:17
and the rest of this i’ll go through pretty quickly i do have a link here for
55:23
just information on what to think about what to consider when you’re managing your images where to put them
55:30
think about you know how you want to store them how you want to protect them
55:36
whether you should be using a public repository or registry or private
55:41
um jfrog obviously has a free version that you can try if you wanted to see what that’s like um also when you’re
55:49
just note that when you’re pulling in base images when you already know that your application is relying on a base image pull those in and own them pull
55:56
them in tag them put them in your private reposit private registry so that you know that
56:03
it’s not being changed out from under you for you know future builds
56:10
and that’s it that is all that i had to share with you i didn’t leave you any time for
56:16
questions but i can stick around a little longer if any of you want to chat a little bit more or take a look at a
56:21
couple of different things awesome sounds good yeah
56:26
you guys can leave your questions in the chat or if you want to you can also unmute and ask them
56:32
i actually had a question about the container market slides i think between 2018 and 2019 it went from like
56:41
90 000 to 2 million i just wanted to see if you know if that was an actual huge increase or was the scope
56:47
of what they were looking at also increasing or a little bit of both yeah it could be a little bit of both i
56:54
mean because like i said it systig was only looking at their clients too so it could be that they had
57:00
an explosion of usage you know using systig as well um i do like to look at
57:06
the dates of like when docker came out and what they were doing um i mean the moment that it became you
57:13
know really easy for developers to start building their own images it seems like we went pretty quickly
57:19
from that to images starting to show up in production yeah that makes sense
57:30
i have something interesting okay actually i i forgot about it and i just remembered
57:36
um my friend ben evans he’s another java champion he um
57:41
just doing some research on running java and single core containers this is an article here
57:48
i’m gonna i’m gonna grab the link and just put it in the chat he discovered something interesting
57:55
that uh you know when we’re building these containers we tend to make them small we want to make
58:01
them small and so a lot of these containers are being you know put out there and using one core
58:06
and the consequence of that is you get a default usage of how garbage collection works that may not actually be
58:12
appropriate for your project so i thought this was a really interesting article i i need to read it
58:19
more and get more down into the details but i promised i would share it with the group because it’s interesting information um
58:26
on the deployment side you do have one question melissa
58:33
words of wisdom for someone like myself transitioning into the field of computer science as a student
58:40
you know you are doing the right thing today coming to a meetup group i think
58:45
meetup groups are awesome they really give you a sense of community they give you the connections that you need to ask
58:51
questions and to find mentors that is going to be huge for you
58:56
a lot of this is going to seem overwhelming at first because there is so much to know this industry is huge so
59:04
never be afraid to ask questions and keep your focus on one thing at a time
59:10
so whatever you’re studying in at school figure out how you can just implement that piece
59:16
trying to spread yourself too thin to learn all these all the things uh
59:21
you’re gonna burn yourself out pretty quick so just take it one step at a time um i know i felt discouraged i for a
59:29
long time i just felt like i was dumb everybody knew more than me but it’s not like that it’s everyone
59:36
knows different things and that’s why these communities are so great yeah and i guess to add on to that a
59:42
little bit yeah definitely take it one step at a time even it might take
59:47
years to figure out certain things that others just intuitively know so don’t give up at some point it will click and
59:53
definitely never lose your sense of curiosity yes that’s really good advice
59:59
yeah and and take advantage of pittsburgh java user group for sure i mean if java is something that you are
1:00:06
focusing on come join our sessions i actually just learned some of these things or at least
1:00:12
even hear the terms even if i don’t actively use it or don’t use it at least i’m hearing stuff
1:00:18
and then something sticks something connects at a later point i don’t have to do a phd degree in this but
1:00:24
i learned a little bit more about docker and you know it’s definitely more than what i knew
1:00:29
an hour ago and that’s that’s good enough too right so take advantage of these meetup groups
1:00:37
especially pittsburgh zm groups are better than others
1:00:43
but we don’t play favorites [Laughter] um we also have a youtube channel i
1:00:49
think you should all i mean you can all uh see our sessions from 2021 and 2022 which also covers contents from like
1:00:57
open source futures future of java we did like a bunch of things like um
1:01:02
i think microservices all these things they all connect some in some form or shape
1:01:07
hear it and see like what sticks and then you can take it from there and we have a lot of um
1:01:13
like other talks from 2021 that were about java with java 17 coming out so there’s a lot of stuff to learn there
1:01:22
i do have one more question it’s going to be about container market again because i found that section really interesting um but although whenever the
1:01:29
graphs break down docker versus container d so is the docker portion that monolithic full stack version that you
1:01:36
were talking about that kubernetes will stop supporting soon exactly yes that’s exactly what it is it’s a full-on docker
1:01:44
even though it now includes container d itself there was some
1:01:49
basically some abstractions that were there uh that were only there for docker
1:01:56
um and kubernetes the group got pretty tired of just you know having
1:02:01
having a different set of connections for docker specifically than for everyone else that was all following you
1:02:07
know the oci specs and standards so um once once uh they moved away from that
1:02:14
they pulled out container d container d meets all of those specs and standards and that’s what you would use instead
1:02:21
awesome so yeah we’ll probably continue to see container d growing and growing in use over the next year or two
1:02:28
yep of course i don’t see any more questions on the chat
1:02:34
but i guess or not this youtube video will be available in the next
1:02:40
few days in a few days yeah and i think sirisha already pasted the link to the channel so
1:02:46
subscribe to it so you’ll get notified i can’t believe i’m that person now who says subscribe to youtube channels but
1:02:51
yes subscribe to youtube to this channel so you get notified
1:02:57
oh and don’t forget to enter into the sweepstakes right so let me paste that
1:03:03
link again yeah yeah
1:03:10
do you always choose bananas for this presentation or do you change the fruit for this one yes um and then there’s
1:03:18
another one that i do like different banana pictures that are a lot more fun but um yeah i use bananas quite a bit can
1:03:25
you think of another food no i was i actually got distracted for a second then because what else can it be
1:03:32
a container yeah yeah i did a talk at open source summit
1:03:38
and um someone interrupted me because it was another is a different talk but i also used bananas and he just said i
1:03:44
just want to say bananas is an excellent choice because that’s what we would use when we weren’t sure if like the fruit
1:03:50
was clean you could feel it yeah it was somewhat protected
1:03:56
i know the bananas was an awesome choice it was awesome yeah and it fit it fit almost every slide and i was trying to
1:04:02
like figure out what you might say looking at the mixer it was fun it was fun the entire time i was like
1:04:08
giggling away but it was a lot of fun trying to find the like specific banana related photos or pictures for certain
1:04:14
slides you know i stayed up very late i can imagine there was one night yeah i was just
1:04:21
going through banana pictures yeah yeah pretty funny yeah thank you so much
1:04:27
that was entertaining and you know we learned so much more about good so thank you thank you thanks a lot thank you
1:04:33
very much thanks for having me thank you so much and thank you everyone for joining as
1:04:39
well we will see you all on may 12th that’s going to be our next session so this was our
1:04:45
this is not our usual schedule like we typically do them on second thursdays of each month but this one because devnex
1:04:51
has happened last week we had to push this one out to this week but so our next session will be on may 12th
1:04:57
um yeah you will get notified on meetup so yep that’s
1:05:03
june 9th after that so yeah a couple sessions coming up yep yep yep cool but yeah thank you so much for everyone
1:05:09
coming and thank you jfrog for sponsoring us yep thank you
1:05:15
[Laughter] cool see you all in the next session yeah bye bye bye they