Java Containers Unpacked @ Pittsburgh Java User Group

April 21, 2022

2 min read

Details
ABOUT THE SESSION

JFrog is a proud 2022 Sponsor for the Pittsburgh Java User Group: https://www.meetup.com/The-Pittsburgh-Java-Meetup-Group/events/285024772/

A Crash Course in Virtualized Container Technology
Containers have become integral to every phase in the lifecycle of application development. Production grade orchestration tools such as Kubernetes have been built to manage them and container platforms like Docker are becoming commonplace in both testing and development. Web tutorials on how to build and manage simple Docker images abound!
But what are containers exactly and why have they become so essential to the DevOps ecosystem? This session is for those curious minds who want to look below the surface and really understand the mechanics of a technique that has actually been around longer than you may think.
– Where did Docker come from?
– What about other projects in the container ecosystem – are there alternatives?
– What does a Docker image actually look like on the filesystem?
– How do Docker image layers work?
– What are cgroups?
– How are system resources allocated and managed?
– Are there any gotchas that you should be aware of as a Java developer?
– What about security?
– How do I manage my Docker images?

After this talk, you will have a solid understanding of the what, how & why of virtualized container technology.

ABOUT THE SPEAKER

Melissa’s career as a developer and software engineer spans over 20 years. Given her passion for Java and DevOps, she chose to pursue a developer advocacy role and is currently a Developer Advocate with the JFrog Developer Relations team. Her experience spans a slew of technologies and tools used in the development and operation of enterprise products and services. She is a mom, Java Champion, Docker Captain, and co-author of the upcoming book DevOps Tools for Java Developers. She is active in the developer community, has spoken at numerous software conferences including Kubecon and DockerCon, and is part of the JCrete and JAlba UNconference teams.

View Slides Here

Speakers

    Melissa McKay

    Melissa is a long-time developer/software engineer turned international speaker and is currently a Developer Advocate on the JFrog Developer relations team, sharing in the mission to improve the developer experience with DevOps methodologies. Her background and experience as a software engineer span a slew of languages, technologies, and tools used in the development and operation of enterprise products and services. She is a mom, Java Champion, Docker Captain, co-author of the upcoming book DevOps Tools for Java Developers, a huge fan of UNconferences, and is always on the lookout for ways to grow and learn. She has spoken at Kubecon, DockerCon, CodeOne, JFokus, Java Dev Day Mexico, the Great International Developer Summit, and is part of the JCrete and JAlba UNconference teams. Given her passion for teaching, sharing, and inspiring fellow practitioners, you are likely to cross paths with her in the conference circuit — both online and off!

    Video Transcript

    nscript

    0:00
    thanks for joining us everyone as always we always appreciate everyone joining and participating
    0:06
    um welcome to the pittsburgh jug um like always you can follow us on twitter
    0:11
    everyone here already knows about the meetup but if you don’t go there but you kind of had to go there to join anyway
    0:18
    we have a few announcements uh first of all we do have a youtube channel we have all of our 2021 presentations up there
    0:26
    and we’re uploading all the presentations from this year as they happen so today’s uh presentation will
    0:32
    be uploaded either this weekend or the upcoming week and they’ll always be there and if you search for pittsburgh
    0:38
    jug on youtube it should be the first result and we have two uh upcoming
    0:43
    presentations that we want to talk about um on may 12th we’re going to have a presentation from dawn and then in june
    0:50
    from anna maria and we actually have some exciting news to share um
    0:56
    we want to thank jfrog for being our first official sponsor um it’s been a long time coming but
    1:02
    we’re very happy and yeah thank you jfrog
    1:08
    and on that note um we’re gonna turn it over to melissa um i’ll let you
    1:14
    introduce yourself because it’s always better from the person but yeah feel free to share and get started
    1:21
    hi everyone really really glad to see you all there in pittsburgh
    1:27
    yes so one of the positive things about doing these virtual things is i get to go anywhere now and i get to meet all
    1:32
    kinds of new people in different places and didn’t have that opportunity as much before so this is really cool
    1:39
    anyway um yeah i’m melissa mckay i do work for jfrog um i’m a developer advocate
    1:45
    and uh i’ve been there about two years now and
    1:51
    in fact i’m gonna go ahead and start sharing my slides here with you
    1:56
    and go ahead and get into introductions
    2:03
    okay cool should be able to see that now i’m going to be talking to you today about containers crash course in
    2:09
    virtualized container technology and before i go any further and get into
    2:17
    more about my background and stuff ari waller he is jfrog’s meetup manager
    2:23
    he always likes to put these on for any of the talks that we do for any of the meetup groups we have a raffle so if you
    2:29
    go to this link here um you will be able to not only see the slides that i’m presenting today they’ll
    2:36
    all be there but you can also enter a raffle for the amazon echo show eight now um you will have a high chance of
    2:43
    getting this so go ahead and enter that and um
    2:49
    you’ll the uh you’ll be notified in the next three business days are you’ll we’ll let you know and then post it in
    2:55
    the meetup group as well so yeah don’t miss out on that okay so yes um as i said i am a
    3:02
    developer advocate prior to that however i was a developer all the way from an intern to a principal engineer for about
    3:10
    in the about 20 years of doing that i remember the very first project i worked on as an
    3:15
    intern was a ruby on rails project by the end of my career i was mostly in
    3:22
    java server-side applications a lot of web applications as well
    3:27
    um at toward the end there i started speaking publicly that came about just
    3:34
    by man interesting circumstances and opportunities that just happened to
    3:40
    coincide at the same time i ended up meeting some amazing people at an unconference if you’ve never had a
    3:47
    chance to visit or participate in an unconference it is an informal
    3:52
    conference very different than the formal conferences where you have a speaker standing up and you have your all of your audience listening
    4:00
    anyway uh this particular unconference uh met some pretty incredible people who really shepherded me and
    4:08
    helped me get you know my career moving as far as a speaker and sharing
    4:13
    knowledge and teaching that kind of stuff really exciting started doing that decided i needed to
    4:18
    find an actual position that um where that’s my job so that’s how jfrog came
    4:24
    in that’s how becoming a developer advocate happened um i did become a java champion at
    4:29
    jfocus last year was it two years ago now time kind of blurs together the last
    4:35
    two years uh it was a virtual conference i’ll be heading to j focus again in
    4:40
    person this time next week actually and i’ll be able to see the people that gave
    4:46
    me the award pretty exciting very excited about that i did also become a doctor captain so i
    4:52
    am very much involved in docker what they’re doing these days the new features that they’re putting
    4:57
    out um they’re putting out one they’ll announce the release and stuff it’s called docker
    5:03
    extensions it’s kind of fun to play with and and see how that works um i’ve also learned a lot about
    5:10
    wrapping java in a container and i’ll talk to you about that journey a little bit too during this talk
    5:16
    um here is my twitter handle that’s probably the best way to reach out to me is my twitter handle so feel free to do
    5:22
    that my dms are open if you have any questions or just want to reach out to me about this talk or any other that you
    5:28
    see around that would be welcome [Music] all right today we’re just going to
    5:34
    start uh with a brief history to give you some background context
    5:39
    hopefully it’s not too boring but there’s definitely certain milestones in there that are good to know to get a
    5:45
    better understanding of how we got here today with images and containers and how we work with them now
    5:51
    we’ll also take a look at the container market i found that really interesting just to see how much it has grown over
    5:57
    the past few years then we’ll move into getting a real understanding of what docker is
    6:03
    i am a docker captain but i don’t you know and i’ll be talking a lot about docker but um i do want you to
    6:10
    understand there are other other things out there besides docker and we will touch on that a little bit
    6:16
    um docker is not synonymous with containers you can have
    6:21
    images and containers that are not based on docker all right then we’ll talk more about
    6:26
    what a container actually is take a little uh tour of what it looks like on on a mac for example
    6:33
    and then we’ll view we’ll review a few container gotchas and then last but not
    6:38
    least i’ll talk to you about managing your images and what you might want to consider
    6:43
    when you start creating your own images and where you know the decisions you need to make on where to put them
    6:52
    okay uh two reasons i’m showing you this slide i’d just love to know how you are using containers today uh for those of
    6:59
    you that are here just take a moment and throw in the slack how you’re using containers or if you’re using them at
    7:05
    all it’s okay to say no we aren’t there yet we’re not doing that or if you haven’t considered it before
    7:11
    there are good reasons for using containers other than for production maybe you’re just using them locally or
    7:17
    maybe you’re just using them in your test environments you know maybe not so much in production yet
    7:23
    just curious how that is so um yeah vernat said she’s using them
    7:31
    locally uh test qa and prod environment so you’ve got it through the whole shebang there you’ve got
    7:37
    using containers cool um the top two listed here definitely
    7:43
    you know helps provide consistent development environments in testing and
    7:49
    qa environments where you can still gauge the quality of your applications with significantly less resources than a
    7:55
    full-on production environment so they’re helpful in those areas
    8:01
    all right we helped we have some oh we have a student awesome i love students i
    8:07
    recently did a doctorate class at a college it was my my daughter’s college so i had it in
    8:14
    and that was a lot of fun teaching kids about docker and how to build them so
    8:22
    yes you have quite a future ahead of you all right and and vj also local test and prod environment cool
    8:29
    good to know okay let’s jump in and just start talking about containers um sure that
    8:34
    that is not the graphic that you are expecting i’ve given this talk a few times and i just enjoy this one it’s one
    8:40
    of my favorites you will not see a container talk from me that uses shipping containers i’m
    8:45
    just really bored with those so i try to come up with some other theme or idea to work around and this one you get bananas
    8:53
    so hope you enjoy that okay uh let’s talk about um
    9:01
    what this all how this all started um way back you know 50s and 60s took a
    9:08
    long time to get anything done on a computer you had to share resources
    9:14
    it was just a lot more difficult to do that without causing problems for anyone else using the same machine
    9:19
    and obviously limits on time and resources created some bottlenecks and inefficiency that
    9:26
    we started to work on and just being able to share was not enough there needed to be a method of sharing without
    9:33
    getting in each other’s way or having one person inadvertently cause an entire system to crash for everyone
    9:40
    this need for better strategies and sharing compute resources actually started
    9:45
    a path of innovation that we see massive benefits from today and i um it’s really interesting what’s happening
    9:52
    today there are some key points in time that helped bring us here
    9:57
    today with containers and we’re going to start with talking about charoot [Music]
    10:03
    charut was born in 1979 during the development of the seventh edition of
    10:08
    unix and it was added to bsd the berkeley software distribution in 1982
    10:14
    and being able to change the apparent root directory for our process and its children that’s what true gives you uh
    10:21
    results in a bit of isolation in order to provide an environment for testing a
    10:26
    different distribution for example in fact that’s how it even made it in it was a utility that was used to test
    10:33
    different distributions and and be isolated from the rest of the machine
    10:40
    true was definitely a great idea a good start in the right direction but
    10:45
    more was needed and in 2000 the jail command was in introduced by freebsd
    10:52
    jail is a little bit more sophisticated than charuet in that its additional features help to further
    10:58
    isolate file systems users and networks and also the ability to assign an ip address
    11:05
    to each jail that became important in 2004
    11:11
    solaris zones brought us ahead even further by giving an application full user process and file system space and
    11:18
    access to system hardware and solaris zones also made popular this idea of being able to snapshot a file system
    11:29
    in 2006 google jumped in with their process containers and these were later
    11:34
    renamed c groups which you may have heard of that centered around isolating and limiting the resource usage of a process
    11:42
    moving right along in 2008 c groups were merged into the linux kernel which along with linux namespaces
    11:49
    that led to ibm’s development of linux containers
    11:54
    2013 was a big year docker came on the scene bringing their ability to package containers and move
    12:01
    them from one environment to another and the same year google open sourced their let me container that for you project
    12:08
    which provided applications the ability to create and manage their own sub-containers
    12:13
    and from here we saw the use of containers and docker specifically explode
    12:20
    in 2014 docker chose to swap out their use of the lxc toolset for launching
    12:26
    containers with lib container in order to utilize a native golang solution now
    12:32
    you can actually go to github and you can find libcontainer that is there you can see you know
    12:38
    what’s happening in there and um i’m almost done with this history
    12:44
    lesson this is a lot to throw at you um i’m skipping over you know some details
    12:49
    um there’s a lot of different projects and organizations and specs that came out during this period of time too but
    12:56
    something happened in june of 2015 that i really want to get to
    13:01
    this event is important to know about because it will give you some more
    13:06
    insight into some of the activity and motivations behind shifts in the market
    13:12
    the open container initiative was established this is an organization that is under
    13:17
    the linux foundation very act it’s active still it includes members from many major
    13:23
    stakeholders including docker with the goal of creating open standards for container run times and image
    13:29
    specification um even more stuff happened uh still
    13:37
    happening um but there are a couple of other dates that are also going to be important
    13:43
    specifically to java does and for us to know about specifically one is that java 7 was released in july
    13:50
    of 2011 and work was started on java 8 which was released in march of 2014.
    13:58
    keep that in mind because when you start containerizing your java applications this little bit of history will be
    14:03
    important to know and i’ll bring it up again later and that’s it for our history lesson i
    14:09
    know that was a lot what i really want to do to get out of this is the the information about the oci uh how
    14:17
    the java development has interleaved with docker development and just the fact that this is not new containers and
    14:24
    images have been around for a long time [Music]
    14:29
    okay let’s jump into the market and see what’s happened there over the last few years this is more interesting
    14:35
    information i did a little bit of hunting just to find you know some consistent data to look at and i did
    14:41
    find a report by systig some viewer might already be familiar with this company they provide a really
    14:47
    powerful monitoring and troubleshooting tool for linux they put out this container report based
    14:52
    on analysis of their own users and part of that report includes data on container runtimes that are used so that
    14:59
    means people that are actually running containers in production
    15:05
    what what runtime did they choose for their applications and in 2017 they analyzed data from 45
    15:13
    000 containers there’s no graph available for that one because 99 of those were docker so they
    15:20
    didn’t bother splitting up those results in 2018 they analyzed data from 90 000
    15:26
    containers now we’re getting a little more useful data double the sample size 83 percent were darker and then you can
    15:33
    see there’s a smattering of core os mesos and lxe so it doesn’t look like some other
    15:40
    container runtimes are starting to encroach a little bit on docker
    15:46
    moving on to 2019 the systig container report included
    15:51
    stats from over 2 million containers so you can see just how popular this movement is um
    15:58
    i yeah there are reasons for that and we’ll talk about those in a minute docker is still holding relatively
    16:04
    strong at 79 percent but take a look at that eighteen percent of container d
    16:10
    uh note that container d is actually a runtime that docker builds on top of now
    16:16
    um they they contributed that project so they’re kind of one in the same
    16:22
    and then that last four percent is cryo um notice that uh the disappearance of
    16:29
    rocket containers that was kind of a sad story core os was was acquired by red hat at
    16:36
    the beginning of 2018 and prior to that rocket was opened or was accepted to the cncf the cloud
    16:43
    native computing foundation as an incubating project and it looked like a really promising competitor to docker’s
    16:50
    container d however since that acquisition happened the development of the project went
    16:56
    dormant i imagine they just didn’t have the resources that they wanted to commit to
    17:01
    developing that project any further or maintaining it and in mid 2019 rocket was archived by
    17:07
    the cncf in february 2020 that project was ended now it doesn’t mean that you
    17:12
    can’t use a rocket container if you wanted to it’s still available in the github repo you can still build one you
    17:18
    can still deploy them it’s just that no one is actively maintaining that project anymore
    17:26
    in january of 2021
    17:33
    system came out with their 2021 container security and usage report it’s hard to know if we’re comparing
    17:40
    apples to apples here considering that little qualifier there of a subset of customer containers starting to mess
    17:47
    with their sources of data a little bit but this report includes a ton of detailed information about their
    17:53
    demographics and data sources as well as other interesting information about what services customers are running as
    18:00
    well as what they’re using for their orchestration in a nutshell what i pulled from this report was this uh notice that increase
    18:07
    in the usage of container d from 18 to 33 and it’ll be interesting to see if that
    18:14
    trend continues which i assume it will um especially since uh kubernetes
    18:19
    announced a while ago now that they are have deprecated support for docker as a
    18:25
    runtime later this year that sounded terrifying to a lot of people at first when they heard that
    18:31
    it just means that docker as the huge tech stack and all of the you know
    18:36
    extras that had to be put in in order to be able to run it in kubernetes um docker you know broke apart their
    18:43
    monolith basically and now their runtime container d you can use that instead so
    18:49
    that makes sense right container d is rising docker is falling
    18:55
    all right now that i’ve introduced some of these other container runtimes that exist out there besides docker um we can
    19:03
    take a look at what a container actually is i do have one more report to show you though this one is the most recent
    19:11
    uh this is also from systig of course this was an analysis of 3 million
    19:17
    containers and we can see that we don’t see a lot of change here
    19:22
    for any of these reports all of the links are here on the slides if you wanted to go check them out like i said there is a lot more interesting
    19:29
    information in there to look at um i did find the information on orchestration
    19:34
    interesting too like how many are using kubernetes versus other what else is there besides kubernetes
    19:41
    [Music] all right what exactly is docker um i
    19:46
    did infer you know in the beginning docker is more of a term that has been generalized kind of like kleenex
    19:54
    um so just you know it’s used more often for containers and images that aren’t
    20:00
    really docker container and images so uh nice to know what the difference is and
    20:05
    what docker actually is docker as a company had over
    20:11
    other players in this container game they had a focus on commoditizing a complete solution that made it easy for
    20:18
    developers to package and deploy their applications and once containers became
    20:24
    easy to use we all witnessed that explosion of tools and resources around
    20:29
    containers and consequently you know the increase in usage in production
    20:35
    the docker image format rose to became a de facto standard in the market
    20:40
    and the stats that i showed from systig are specific to container run times
    20:46
    that terminology is important to understand we’ll get into the pieces and parts
    20:51
    involved in working with containers you’ll understand why docker sucked up this market so fast
    21:01
    okay so we always need to go back to the problem we’re trying to solve and let’s think about what we actually need to get
    21:07
    our apps out there and running um as far as containers go we just needed a way to be able to lift and
    21:13
    shift our applications without a whole lot of effort so in order to get that to
    21:18
    happen we need um tools that allow us to perform those functions so here’s a list
    21:24
    of needs that are broken up into discrete features and first and foremost we need that container itself
    21:31
    some of you might be asking about virtual machines right now
    21:36
    discussing vms is out of the scope of this session but one thing i will say is virtual machine is
    21:43
    not the same thing as a container the biggest difference being that a vm includes an entire os all to itself and
    21:50
    containers share the system’s os the point of the container is to be
    21:55
    lightweight and have the ability to move from one environment to another seamlessly and quickly
    22:01
    and that said i know that there are some developments in the vm space but that’s a topic for another time
    22:09
    all right so on top of the container we also need a way to define the container that’s where we get the image format
    22:16
    we need a way to build an image of a container we need a way to manage those images
    22:25
    we need a way to distribute and share those images with our colleagues and others
    22:30
    we need a way to create launch and run a container environment and then we also
    22:35
    need a way to manage the lifecycle of those running containers and this doesn’t even get into orchestration like
    22:42
    that like kubernetes those environments but this is plenty to prove my point about docker and why they became so
    22:49
    popular so in the context of those developer
    22:55
    needs that we just went through docker was ready with an answer for everything you want to start using containers
    23:02
    they provided docker engine you need an image format they had a docker image
    23:07
    format which was actually contributed to the oci you need a way to build an image use a
    23:14
    docker file called docker build you want to manage images
    23:19
    you can call docker images docker rm for remove you want to share your images or use an
    23:27
    image from someone else you can call dr push or docker pull and there’s docker hub where you can
    23:33
    store and share your images you need a way to launch run and manage
    23:38
    your containers in their life cycle call docker run docker stop or docker ps
    23:45
    docker quickly met the needs of a container hungry market especially for developers they made it easy
    23:52
    this was just a full package and gave them a tremendous part of the
    23:57
    market share out of the gate so i hope you appreciate this banana graphic here i was trying to find
    24:04
    something relevant and all i could find was bananas and wedding rings so there you go hope you enjoy that
    24:12
    all right remember when i talked a little bit about the open container initiative the oci out of all of those
    24:18
    features that we just listed that was discussed that docker offers there are two of them that were taken up
    24:25
    for the cause right away by the oci that was the image format and the container runtime
    24:31
    since then they’ve also contributed distribution which is the push and pull of images and how that works
    24:37
    so they have standards for that too docker did quite a bit of reorganizing
    24:42
    their code base and they developed abstractions pulled out discrete functionality they are a heavy
    24:48
    contributor to the oci they gave the docker v2 image spec as a basis for the
    24:53
    oci image spec and they also gave run c which that is a reference implementation of
    25:01
    the oci container runtime spec um there are quite a few other container
    25:07
    runtimes you might see out there including container d uh cryo and kata which is more vm like all which all have
    25:14
    various levels of features for specific use cases uh run c just to
    25:19
    just to clarify there’s a low level and high level container run times run c is actually a
    25:26
    low level container runtime that container d uses
    25:31
    um container d actually was contributed by docker to the cloud native computing foundation it
    25:38
    internally runs run c it was integrated into docker and has been in use in
    25:43
    docker since version 1.11. that came out way back in 2016 so it’s been a while
    25:48
    now the next few years are going to be interesting to observe what happens uh with the specs and how the oci moves
    25:56
    forward there was quite a bit of period of time between the original image specs and then the
    26:01
    distribution spec that came out it turns out that there is it’s difficult to come
    26:06
    up with standards and i’ve been on a few like special interest groups now where you know we might spend
    26:13
    quite a while deciding you know whether our verbiage is correct or whether we’re using the right terminology so it takes
    26:19
    a while um not only in that respect but there’s quite a range of differing opinions about what should and should
    26:26
    not be in the standard for a container runtime and we’re in a situation right now where just having the runtime that
    26:34
    just meets the requirements of the oci it doesn’t seem to be enough to drive
    26:40
    adoption i’ve added a couple of links here they’re excellent starting places to
    26:45
    learn more about container run times and dive in deeper if you’re curious
    26:50
    that second one is the beginning of a blog series by ian lewis it’s it’s aged
    26:56
    now but it’s still relevant still a very good explanation uh he’s a google dev advocate and the first subtitle in that
    27:04
    blog is titled why are container runtimes so confusing and so he he takes
    27:10
    that and really tries to explain succinctly
    27:16
    why that is and how they actually work
    27:22
    all right now that we understand what docker entails and what’s you know going on in
    27:28
    the market let’s focus just on the container itself and what it looks like on your system
    27:34
    i’ll show you how it’s being stored on my mac because that’s what i’m
    27:39
    working on but you’ll discover pretty quickly that images and containers aren’t really all that magical
    27:48
    okay my first experience with containers it was several years ago i was a developer on a new project
    27:53
    there was a tight deadline of course and i could argue that’s a good description of most projects everyone always has a
    28:01
    tight deadline but uh the best course of action for me was just to jump in and start getting
    28:06
    something up and running on my local machine now it was really good to start with this particular project because it
    28:12
    was a it was from a third party they had originally developed to this project and now it was bringing in you know brought
    28:18
    in internally to the company and now it was our responsibility to add features to it and maintain it so it wasn’t like
    28:24
    i needed to start from scratch i could just look and see what was there and start learning that way which was
    28:30
    good um the docker documentation too is actually really good so if you find yourself in a
    28:37
    similar position i recommend go directly to their getting started docs i’ve linked to those here they have some
    28:45
    pretty good ones about java too but i really encourage you to question
    28:50
    everything that you see about java and just about building images in general
    28:56
    a lot of examples are meant to be just that just examples they are not always production worthy and by the end of this
    29:02
    talk you’ll you’ll understand why that is um the first thing to note is that
    29:08
    docker a docker image itself is really just a tarball of the complete file system and an image just to be clear an
    29:15
    image is like a blueprint um equivalent to like a class file
    29:20
    in java and then a container is an implementation of that it’s a it’s an object uh created from that blueprint
    29:28
    so you could have multiple containers that come from the same image so uh the image is where you need to
    29:33
    start learn how that image is built uh when an image is unpacked like when it’s about to be launched into a
    29:40
    container it’s actually just thrown into its own directory and that becomes the root file system of that container
    29:48
    the second thing to note is that processes that are involved in running the containers are just regular linux
    29:55
    processes in fact in the docker documentation itself you’ll find a really cool video
    30:00
    about creating an a container from scratch using go and it really makes it plain
    30:07
    that these are not magic they’re just you know linux processes
    30:12
    there’s just a few linux features that are used together in a way to achieve the isolation that we want from
    30:19
    containers namespaces are just they’re an important ingredient
    30:25
    they are used to provide virtual separation between containers ones that are running on the same host for example
    30:32
    this is how processes inside one container don’t interfere with the host
    30:37
    itself or processes inside another container and here you can see an example of just some name spaces that
    30:44
    were set up when i launched a postgres container on my box
    30:49
    c groups functionality is essential to constraining how much a container can
    30:55
    use things like cpu memory network bandwidth etc i can set up these constraints by
    31:01
    including options on the docker run command when i’m launching an image here you can see that i’ve constrained
    31:08
    my memory usage limit on one of my containers
    31:15
    i’m going to quickly gloss over some file system details where containers and images are actually
    31:22
    stored on your file system first off after you’ve installed docker
    31:27
    running the docker command
    31:45
    running the docker command info will spit out a bunch of information about your installation including the
    31:51
    docker root directory and this is where you’re going to um care about the most this is where
    31:57
    everything regarding your doctor images and containers is going to be stored
    32:03
    if you’re on a mac like me your containers are going to actually
    32:14
    excuse me trying to take it i’m going to see my voice yeah yeah yeah we can see that
    32:21
    we can see that i can fill up the silence for a while take it
    32:28
    um feeling good now okay
    32:36
    just when we were about to say yes this is it um
    32:42
    yeah but anyway if if though all those who joined in the last few minutes i’ve pasted a
    32:48
    link in the chat you can go there and you can find all the slides and also a chance to win
    32:54
    amazon echo so and the chances of one of you winning is pretty high so go take yeah
    33:01
    go try your luck out today for sure um but yeah that’s j frog sponsored so
    33:08
    that’s pretty cool awesome all right let’s see if i can keep going here okay
    33:14
    cover my little voice box oh yeah all right so we were talking about the root directory uh where everything you’re
    33:20
    going to care about uh regarding your docker images and containers is going to be stored now
    33:26
    like i said on the mac you run in a tiny vm so you’re going to use need to use some type of utility to get in there and
    33:33
    get to that docker root directory to look around i posted a couple commands in here one
    33:39
    is uh to use a container itself and uh launch it in such a way that you can actually navigate to that directory to
    33:46
    take a look at it and i did it for windows too i i feel bad because i’m always coming from a mac
    33:52
    and i don’t disregard windows users quite often so i apologize for that um i stole my son’s machine it’s a windows
    33:59
    machine and i installed docker on it played around with it for a while to see how how it looked um this was the
    34:05
    directory that i found the docker images in on the windows machine by the way i
    34:11
    really like the new windows you know that has the linux included
    34:16
    so that you can actually run ubuntu for example on your windows box pretty cool how that how that works almost almost
    34:24
    convinced me to buy a windows machine just to check it out
    34:29
    [Music] all right this slide shows how you can get information about the images that
    34:35
    you have stored on your system uh first i listed my available images using the
    34:40
    docker images command and i actually have several installed but i’m just listing the first couple
    34:47
    using the docker inspect command you can inspect any image you like using its image id
    34:54
    this will spit out a ton of interesting information i just want to highlight here the graph driver section which
    35:00
    contains the paths to the directories where all of the layers that belong to this image live
    35:06
    docker images are composed of layers i’m sure you’ve heard that before that represents instructions in the
    35:12
    docker file that was used to build the image originally the layers themselves the commands
    35:20
    actually translate into individual directories and these layers can be shared across images in order to save
    35:27
    space on your machine each layer um subsequent layers are just they are
    35:33
    consisting of the differences between the previous layer and the new stuff that has been added
    35:41
    the lower mergeder and upper sections here
    35:48
    those are also important uh to take a look at the lower dirt directory and you can navigate to all these by the way
    35:55
    if you’re in that root directory you can navigate there and check them out um the lower dirt directory contains all
    36:01
    of the directories or layers that were used to build the original image and
    36:06
    these are read only the upper dir directory contains all of the content that has been modified while
    36:13
    your container is running so if modifications are needed for a read only layer in lower dir then that
    36:20
    layer is copied into the upper dir where it can be written to and this is called
    36:25
    a copy on write operation it’s important to remember that the data in upper dir is ephemeral
    36:32
    data it only lives as long as the container lives in fact if you have data that you want to keep that your
    36:39
    application generates for example that includes you know logs things like that or database you know stuff like that you
    36:47
    should utilize the volume feature of docker mount a location that will stick around even after that container dies
    36:54
    ship your logs out from your container because they are intended to be short-lived
    37:01
    and this is how most containers you know running a database as well will operate
    37:07
    lastly the merged dir is kind of like a virtual directory that combines
    37:12
    everything from the lower dir and the upper dir and that’s the way the union file system works the edited layers that
    37:19
    were copied into upper der will overlay the layers in the lower dare if you were
    37:24
    to actually exec into the container and so that you’re inside of it and look around that is the layer that you’re
    37:31
    looking at the merged dir
    37:37
    okay this slide it shows i had a few running containers on my system
    37:43
    two of them were a local jfrog container registry installation i was playing with
    37:49
    it included a container for artifactory and a container for a postgres database
    37:54
    the other was just a simple test container i was playing around with just to see how it worked
    38:00
    note that the container ids of the running containers actually match
    38:06
    up with the container subdirectory names something to remember here is if you
    38:11
    stop a container that corresponding directory doesn’t automatically go away until the
    38:17
    container is actually removed with the docker rm command so if you have stopped containers lying
    38:25
    around that never get cleaned up you might see your available space to start to dwindle
    38:31
    docker volumes is another one those will also accumulate on your system um
    38:37
    that happened to me almost right away when i started working with containers i didn’t realize that
    38:43
    you can’t just keep launching containers and uh without dealing with them and cleaning them up and they get pretty big
    38:49
    pretty fast there is a docker system prune command that you can run
    38:56
    every now and then to help clean things up it will not clean up volumes by default
    39:01
    there’s a flag that you have to include if you want to clean up volumes as well
    39:07
    or you can launch a container with a flag to indicate that it should be removed when it’s finished running a
    39:14
    lot of orchestration will take care of this for you as well so if if you have a you know
    39:20
    if you’re using kubernetes or something you can indicate that you want your containers to be removed when they’re
    39:25
    done so the tool sets around building and
    39:31
    running images and containers have made things so easy now that it’s also easy to shoot
    39:36
    yourself in the foot and i’m going to go over some of the most common gotchas the ones that i ran into right away
    39:42
    including some jvm specific gotchas that java developers will care about those i
    39:48
    also ran into almost immediately when i started working with them
    39:53
    the docker file uh hard to work with docker without looking at seeing
    39:59
    manipulating um getting angry with the docker file
    40:05
    with that docker file you have all the building blocks you could possibly need to get your application out the door and
    40:11
    into production this is a fairly exhaustive list of the commands that are available to you in a docker file with
    40:17
    these you can pretty much do anything your heart desires you can do all the right things and you
    40:22
    can also do all the wrong things and everything in between it’s deceptively simple
    40:30
    the first is running a containerized application as the root user and i’ll be honest here
    40:36
    when i was initially getting containers up and running i was just so happy that it was working it was a while before i took this one
    40:43
    seriously and it um once once you understand that the process is inside a running container or
    40:49
    just like any other process on the system albeit a few constraints it’s scary now to run as root inside a
    40:56
    container doing that opens up the possibility of a process escaping the intended confines of the container and
    41:03
    gaining access to host resources what that means is if anyone were to
    41:08
    find access to your container be able to exec inside your container and they immediately have root privileges they
    41:15
    can really mess with your host not just the container so reduce the attack surface of your
    41:21
    container by following the principle of least privilege and although containers are designed not to affect other running
    41:27
    containers if someone gains access to it obviously they can immediately cost you some
    41:33
    problems how do you mitigate obviously don’t run as root
    41:39
    best thing to do is create a user and you can use the user command inside a
    41:45
    docker file when the container is built in order to run processes as that user if you look at docker files from a lot
    41:52
    of um you know official docker images um you’ll find that that
    41:59
    is exactly what’s what’s happening for example i think the last time i looked at the postgres one
    42:04
    you could open it up and you can see that they’re setting up a user and running it as a you know postgres user
    42:11
    um there is also a way to specify a user when you’re using the docker run command
    42:17
    like when you’re just launching the image from docker run but that leaves open the possibility of
    42:22
    forgetting to do that so i like it better to have it inside the docker file
    42:28
    so you don’t forget also um i just mentioned the postgres official image
    42:33
    from docker hub but pay attention to any official image that you pull from docker hub any image at all actually uh whether
    42:40
    or not they run as root by default and they could be letting you you know figure that out when you’re building on
    42:47
    top of the base image so pay attention to what’s going on there and docker official images i mentioned
    42:54
    those those are a curated set of images
    42:59
    a dedicated team at docker is responsible for reviewing and publishing those it’s done in a very transparent manner
    43:06
    and it’s very easy to take all that for granted but of course if you use any of those official images
    43:13
    you know stop and take a look at their original docker files if you remind me after this talk and you’re interested i
    43:20
    can show you where to find those as well the link here that i have here well
    43:27
    that’s that’s it that’s how you find them but i’ll i can show you some more details of where to go in there um that
    43:33
    is the official repository that docker uses uh for all of the uh official
    43:39
    images that they have the files in there they contain a path to the corresponding github repo for
    43:45
    that image and that’s where you can find the docker file
    43:55
    all right no constraints um even though docker provides you with the
    44:01
    ability to set resource limits on your container it doesn’t automatically do that for you in fact
    44:07
    the settings are pretty much a free-for-all with no limits anywhere so make sure you understand the resource
    44:12
    needs of your application uh just because you can now wrap your in your application inside of an image it
    44:18
    doesn’t mean that you can be lazy and not understand the resource needs of your application
    44:24
    um you can use um you’re going to want to monitor this over time so setting up monitoring on
    44:31
    your containers you’re running containers is important and adjust resources as needed that is a
    44:38
    very good way to determine if something’s going wrong like if or if load on your system has suddenly changed
    44:44
    it’s very valuable information and a must do you can also use that information to
    44:51
    determine if your application should be split up further that actually happened with us uh we
    44:56
    it wasn’t a huge monolith but there were a couple pieces that we needed to scale differently so we were able to break it
    45:02
    apart and make a lot of progress that way
    45:08
    all right never updating this is a very big security issue it’s very easy to get complacent and not pay
    45:15
    attention to what’s actually getting pulled in when you build images not only do you need to be aware of
    45:21
    outdated versions that you specify in your docker file but you need to pay attention to what’s in the base image
    45:27
    that it’s coming from now images can be built in a hierarchical fashion
    45:33
    so you can have a parent image and when you look at that parent images doctor file it could also have a parent
    45:40
    image and that can go all the way to the very beginning until you find a doctor file where the first line in the
    45:45
    docker file says scratch that is your base image
    45:52
    so um not updating packages and libraries too inside those images those can cause you
    45:59
    some some issues um and ensuring that you’re running containers with a
    46:04
    non-privileged user als even that has risk if there’s known vulnerabilities that exist within your container or even
    46:12
    the kernel of the host so from time to time exploits are found that enable
    46:17
    attackers to potentially escape the container definitely keep up with those security
    46:22
    updates i’ve definitely also been on teams where that is not a priority and um usually it’s because of
    46:30
    the fear of breaking something that is working that’s just a symptom of different
    46:35
    issues it’s much worse to let those vulnerabilities sit there
    46:41
    i remember a team that did have some problems with bit mining and stuff and they just
    46:47
    luckily they had everything monitored so they could tell immediately when resource usage started going through the
    46:54
    roof they were able to figure out what was going on pretty quickly and fix it
    47:01
    image bloat like i said images can get pretty big pretty fast especially if you have you know images upon images upon
    47:08
    images sometimes it’s not all obvious what all’s in there when you’re looking at a docker file
    47:14
    that’s down at the bottom right but when it’s finally up to you to start adding your own packages
    47:20
    so uh one thing to do right away is start making sure that you’re using the dot
    47:26
    docker ignore file it works very much the same as git ignore
    47:32
    prevents you from adding things like unit tests or secrets even that you really shouldn’t
    47:38
    be adding extra resources and stuff other than what you absolutely need to run your application
    47:45
    only move into that image what you need nothing more than that
    47:51
    um one thing that i hadn’t thought about until much later is you need to you know don’t move in your whole git
    47:58
    directory into your image um if you’re doing one of these docker files that just does a
    48:04
    full on copy of everything think about what all that means what you’re actually copying in
    48:12
    this isn’t limited to doc to java projects either any project
    48:18
    you should pay attention to that uh another another mitigation is to use the docker’s multi-stage docker build i can
    48:26
    show an example of that in a moment um that way you can actually do your build and everything pull in in all of
    48:32
    your third-party dependencies or other dependencies during your build and then
    48:38
    only copy in the artifacts that were produced from that build into a second stage
    48:46
    that’ll help limit the size quite a bit okay this one is java specific
    48:53
    specific to containerizing job applications and very related to being aware of what your application requires
    49:00
    to successfully um run with the memory it’s been allocated the jvm is pretty
    49:05
    clever at determining settings for your swap and heap and your garbage collection behavior based on things like
    49:11
    the memory and the number of cores available on the host remember our history lesson that
    49:16
    interleaving with java 7 and java 8 and along with docker development
    49:22
    um considering that timeline uh java 7 and i don’t know anyone on java 7
    49:29
    still but i do know a lot of people still on java 8. they’re not fully container aware this
    49:35
    means that your java application won’t necessarily obey memory and cpu constraints that you put on your
    49:40
    container and you might end up with some out of memory killer activity the reason for that is because the
    49:47
    mechanisms that the jvm used in these older versions to retrieve the resources available come from the actual host
    49:53
    machine and not the c groups limit that you would expect there were some improvements around
    50:00
    container awareness that were introduced in java 8 later updates i think 131 and then
    50:08
    further improvements in later versions but to really get all of the benefits of container awareness you really should
    50:13
    try to get to 11 but that’s the earliest lts release that is container aware
    50:23
    [Music] all right distro list this is another option for you to choose
    50:29
    um distro-less images there’s some that are available by uh google i believe they
    50:37
    have 11 and 17 now these are images that really really
    50:42
    slim down what you absolutely need to run in your image
    50:47
    in fact they don’t even include a shell which means you can’t even exec into the image when it’s running or when it’s
    50:53
    running as a container that definitely helps with your security makes troubleshooting a little more
    50:59
    difficult but you really shouldn’t be exacting into production running containers anyway so it encourages you
    51:04
    to use best practices like shipping your logs out things like that to do your
    51:10
    troubleshooting for running containers this also shows you an example of multi-stage build so you can do all of
    51:16
    your build like in this example at the top and then the second section starting in line seven you get a
    51:22
    second from statement that’s the distroless image and then only the items that you need are copied in
    51:31
    there’s a link here lots of more information on digitalis containers if you’re interested
    51:38
    other methods you can make your own custom image
    51:43
    this will really slim down java projects and java images you can use jlink that is
    51:49
    packaged with open jdk 11. what that allows you to do in combination with jdeps is figure out
    51:56
    exactly what dependencies you need to run your application and only include
    52:01
    those in the image in the base image you might find this will help a spring
    52:08
    boot project out quite a bit because that you know particular framework brings in a ton of stuff so you might
    52:15
    find some benefits there regarding the size of your containers reason we care about size of containers is think about
    52:22
    you know every time you um need that container to launch and run you’ve got to pull it from a registry
    52:29
    and get it started so i’m not really talking about the start time but more about
    52:35
    transfer time getting that thing where it needs to be in order to get launched
    52:40
    there’s a maven and gradle spring boot plug-in this allows you to avoid having to worry
    52:46
    about the internals of docker or building docker files but think of all the things we just
    52:52
    learned about docker files and how you can help yourself so if you choose to use one of these
    52:58
    methods i would encourage you to pay attention to what’s actually being produced uh one thing about the maven and gradle
    53:06
    um spring boot plug-in for example is it actually uses build packs and when i used it it uses pocketo build
    53:13
    packs that means it’s pulling an image and which
    53:18
    um determines how to build your your application and it does it
    53:24
    does things like look at the format you know figures out oh this is a maven project i’ll we’ll build an image this
    53:30
    particular way um but just note that that’s what it’s doing behind the scenes is pulling an image from somewhere else
    53:35
    so once again you’re relying on an external resource you might want to pull those down
    53:41
    store those somewhere and then set up your maven or gradle plugin to use your
    53:46
    bill packs that you have stored so they don’t get changed out from under you
    53:52
    um we talked about build packs a little bit you can find out more about those from these links
    53:58
    and then there’s jib jib the pro there it’s simple you just add the plugin
    54:03
    it but it also builds and pushes your image supposedly that’s good because it
    54:10
    reduces the number of steps but i find that kind of weird to do as a developer to be pushing images anywhere you really
    54:17
    should only be checking code in to github and then your ci process would be
    54:22
    building images and taking care of that so i don’t don’t particularly like that
    54:28
    idea of pushing images also some defaults might not be what you want um jib
    54:36
    distrolus base image is often assumed and then of course since it’s pushing
    54:42
    images um you might have to troubleshoot off is
    54:48
    off issues with those private repositories
    54:53
    if you don’t want to use docker at all if you’re on a linux box you’ve got some other options you can go check out
    54:59
    podman and builda they are not as easy to use on windows
    55:05
    and mac development machines but if you’re in linux or if you’re more involved in operations this might be the
    55:10
    preferred method as opposed to using docker
    55:17
    and the rest of this i’ll go through pretty quickly i do have a link here for
    55:23
    just information on what to think about what to consider when you’re managing your images where to put them
    55:30
    think about you know how you want to store them how you want to protect them
    55:36
    whether you should be using a public repository or registry or private
    55:41
    um jfrog obviously has a free version that you can try if you wanted to see what that’s like um also when you’re
    55:49
    just note that when you’re pulling in base images when you already know that your application is relying on a base image pull those in and own them pull
    55:56
    them in tag them put them in your private reposit private registry so that you know that
    56:03
    it’s not being changed out from under you for you know future builds
    56:10
    and that’s it that is all that i had to share with you i didn’t leave you any time for
    56:16
    questions but i can stick around a little longer if any of you want to chat a little bit more or take a look at a
    56:21
    couple of different things awesome sounds good yeah
    56:26
    you guys can leave your questions in the chat or if you want to you can also unmute and ask them
    56:32
    i actually had a question about the container market slides i think between 2018 and 2019 it went from like
    56:41
    90 000 to 2 million i just wanted to see if you know if that was an actual huge increase or was the scope
    56:47
    of what they were looking at also increasing or a little bit of both yeah it could be a little bit of both i
    56:54
    mean because like i said it systig was only looking at their clients too so it could be that they had
    57:00
    an explosion of usage you know using systig as well um i do like to look at
    57:06
    the dates of like when docker came out and what they were doing um i mean the moment that it became you
    57:13
    know really easy for developers to start building their own images it seems like we went pretty quickly
    57:19
    from that to images starting to show up in production yeah that makes sense
    57:30
    i have something interesting okay actually i i forgot about it and i just remembered
    57:36
    um my friend ben evans he’s another java champion he um
    57:41
    just doing some research on running java and single core containers this is an article here
    57:48
    i’m gonna i’m gonna grab the link and just put it in the chat he discovered something interesting
    57:55
    that uh you know when we’re building these containers we tend to make them small we want to make
    58:01
    them small and so a lot of these containers are being you know put out there and using one core
    58:06
    and the consequence of that is you get a default usage of how garbage collection works that may not actually be
    58:12
    appropriate for your project so i thought this was a really interesting article i i need to read it
    58:19
    more and get more down into the details but i promised i would share it with the group because it’s interesting information um
    58:26
    on the deployment side you do have one question melissa
    58:33
    words of wisdom for someone like myself transitioning into the field of computer science as a student
    58:40
    you know you are doing the right thing today coming to a meetup group i think
    58:45
    meetup groups are awesome they really give you a sense of community they give you the connections that you need to ask
    58:51
    questions and to find mentors that is going to be huge for you
    58:56
    a lot of this is going to seem overwhelming at first because there is so much to know this industry is huge so
    59:04
    never be afraid to ask questions and keep your focus on one thing at a time
    59:10
    so whatever you’re studying in at school figure out how you can just implement that piece
    59:16
    trying to spread yourself too thin to learn all these all the things uh
    59:21
    you’re gonna burn yourself out pretty quick so just take it one step at a time um i know i felt discouraged i for a
    59:29
    long time i just felt like i was dumb everybody knew more than me but it’s not like that it’s everyone
    59:36
    knows different things and that’s why these communities are so great yeah and i guess to add on to that a
    59:42
    little bit yeah definitely take it one step at a time even it might take
    59:47
    years to figure out certain things that others just intuitively know so don’t give up at some point it will click and
    59:53
    definitely never lose your sense of curiosity yes that’s really good advice
    59:59
    yeah and and take advantage of pittsburgh java user group for sure i mean if java is something that you are
    1:00:06
    focusing on come join our sessions i actually just learned some of these things or at least
    1:00:12
    even hear the terms even if i don’t actively use it or don’t use it at least i’m hearing stuff
    1:00:18
    and then something sticks something connects at a later point i don’t have to do a phd degree in this but
    1:00:24
    i learned a little bit more about docker and you know it’s definitely more than what i knew
    1:00:29
    an hour ago and that’s that’s good enough too right so take advantage of these meetup groups
    1:00:37
    especially pittsburgh zm groups are better than others
    1:00:43
    but we don’t play favorites [Laughter] um we also have a youtube channel i
    1:00:49
    think you should all i mean you can all uh see our sessions from 2021 and 2022 which also covers contents from like
    1:00:57
    open source futures future of java we did like a bunch of things like um
    1:01:02
    i think microservices all these things they all connect some in some form or shape
    1:01:07
    hear it and see like what sticks and then you can take it from there and we have a lot of um
    1:01:13
    like other talks from 2021 that were about java with java 17 coming out so there’s a lot of stuff to learn there
    1:01:22
    i do have one more question it’s going to be about container market again because i found that section really interesting um but although whenever the
    1:01:29
    graphs break down docker versus container d so is the docker portion that monolithic full stack version that you
    1:01:36
    were talking about that kubernetes will stop supporting soon exactly yes that’s exactly what it is it’s a full-on docker
    1:01:44
    even though it now includes container d itself there was some
    1:01:49
    basically some abstractions that were there uh that were only there for docker
    1:01:56
    um and kubernetes the group got pretty tired of just you know having
    1:02:01
    having a different set of connections for docker specifically than for everyone else that was all following you
    1:02:07
    know the oci specs and standards so um once once uh they moved away from that
    1:02:14
    they pulled out container d container d meets all of those specs and standards and that’s what you would use instead
    1:02:21
    awesome so yeah we’ll probably continue to see container d growing and growing in use over the next year or two
    1:02:28
    yep of course i don’t see any more questions on the chat
    1:02:34
    but i guess or not this youtube video will be available in the next
    1:02:40
    few days in a few days yeah and i think sirisha already pasted the link to the channel so
    1:02:46
    subscribe to it so you’ll get notified i can’t believe i’m that person now who says subscribe to youtube channels but
    1:02:51
    yes subscribe to youtube to this channel so you get notified
    1:02:57
    oh and don’t forget to enter into the sweepstakes right so let me paste that
    1:03:03
    link again yeah yeah
    1:03:10
    do you always choose bananas for this presentation or do you change the fruit for this one yes um and then there’s
    1:03:18
    another one that i do like different banana pictures that are a lot more fun but um yeah i use bananas quite a bit can
    1:03:25
    you think of another food no i was i actually got distracted for a second then because what else can it be
    1:03:32
    a container yeah yeah i did a talk at open source summit
    1:03:38
    and um someone interrupted me because it was another is a different talk but i also used bananas and he just said i
    1:03:44
    just want to say bananas is an excellent choice because that’s what we would use when we weren’t sure if like the fruit
    1:03:50
    was clean you could feel it yeah it was somewhat protected
    1:03:56
    i know the bananas was an awesome choice it was awesome yeah and it fit it fit almost every slide and i was trying to
    1:04:02
    like figure out what you might say looking at the mixer it was fun it was fun the entire time i was like
    1:04:08
    giggling away but it was a lot of fun trying to find the like specific banana related photos or pictures for certain
    1:04:14
    slides you know i stayed up very late i can imagine there was one night yeah i was just
    1:04:21
    going through banana pictures yeah yeah pretty funny yeah thank you so much
    1:04:27
    that was entertaining and you know we learned so much more about good so thank you thank you thanks a lot thank you
    1:04:33
    very much thanks for having me thank you so much and thank you everyone for joining as
    1:04:39
    well we will see you all on may 12th that’s going to be our next session so this was our
    1:04:45
    this is not our usual schedule like we typically do them on second thursdays of each month but this one because devnex
    1:04:51
    has happened last week we had to push this one out to this week but so our next session will be on may 12th
    1:04:57
    um yeah you will get notified on meetup so yep that’s
    1:05:03
    june 9th after that so yeah a couple sessions coming up yep yep yep cool but yeah thank you so much for everyone
    1:05:09
    coming and thank you jfrog for sponsoring us yep thank you
    1:05:15
    [Laughter] cool see you all in the next session yeah bye bye bye they