Some google-managed base images would be helpful. The last time I checked, some of the major public docker images were still shellshock-vulnerable. Pre-installed GCE tools would be helpful. Perhaps automated environment variables about region, etc.
If you have found an official Docker image that is still shellshock vulnerable, the library maintainers [1] would love to hear from you as they take that stuff quite seriously. As far as I know the entire library is fully patched.
As one of the maintainers in question, I'd absolutely mirror this whole statement: if any of the image upstreams have an important update available that isn't applied, we're very interested in rectifying that.
Given that this is the alpha launch of Container Engine, and the Beta launch of Autoscaling and Managed VMs, what is the anticipated timeframe for this to be ready for production workloads?
I'm assuming that there'll be a beta of Container Engine in the near future, and then a stable 1.0 launch?
We use AWS Elastic Beanstalk for Docker deployment. Can you comment on how this is different? I see it supports multiple containers per VM - are there other significant distinguishing factors?
Elastic Beanstalk is a VM centric management framework.
Kubernetes and GKE operate at a different level. It is an API for being able to schedule and manage containers instead of VMs. At this point, k8s/GKE doesn't have an idea of an "app" any more than a VM IaaS service has an idea of an app.
Moving from a VM centric view to a container centric view improves a lot of things:
* Easier to create and manage images
* Portability -- images can be moved between providers. Develop on your laptop with docker/k8s and deploy the exact same container image.
* More transparency into compute workload. The hosting VM or cloud can see more of what is going on in the container for monitoring and logging, etc.
* More efficient/higher density -- you can run more on any piece of (virtual?) hardware
* More flexible resource sharing/overcommit -- as you drive density up you can get more nuanced about what workloads take get priority.
Some of this stuff is still in its infancy -- complex resource models aren't fully supported in Docker yet -- but it is where things are going, at least based on Google's experience.
>>Because this new service is officially in alpha, you’ll need to apply for access and be whitelisted to use the service. It also means the service isn’t feature complete and the whole infrastructure could melt down at any minute.
Not sure what the take away here is other than, this may one day be a feature. No information about pricing, support, or sla. My attitude is wait and see. Should it be otherwise?
Edit: Can someone tell me why this isn't a valid question? Why the down votes?
It's all open source (including kubernetes) - so worst case you move it to the cloud provider of your choice. Other than Docker / k8s being a little immature, I don't see a ton of risk.
My biggest question on Docker / k8s: How does one control where persistent data lives and the required performance characteristics? Example: I need SSD + a certain level of availability? Is there a good strategy for managing this?
Right now, it isn't plumbed in but it is on the roadmap.
Either (a) you have network based block device and the master/manager maps that to a machine dynamically as the container get scheduled or (b) you constrain the containers to machines that have the hardware/data you need.
This is THE open question for Docker right now. The first person to actually solve it is going to be in a pretty damn good place.
Docker could make most infrastructure-level "cloud" abstraction obsolete and let people run resilient, scalable clusters on hardware pretty easily. There's CoreOS, Kubernetes, and a few others in the app-instance-scheduling space, but right now, if you want persistent data storage of any kind (block, SQL, blob, whatever) then you still need to tie things down to an individual machine or use VM-level cloud technology to acheive some semblance of fault tolerance. The inability to do persistent storage in a reasonable way is, from where I sit, the main thing keeping Docker from eating the world.
When you can run Postgres in a stable/supported way in a container on my own hardware that gets scheduled around failure/crowding/etc, you no longer needs AWS, VMWare, etc. That could be huge.
This is also what's holding me back from delving into Docker more. Love the concept, and the workflow, but trying to get my head around how the persistent data storage will work is still troubling me.
Is it possible to run a KVM VM inside one of the containers? I have an application for launching and managing VMs and letting people spin up a Google container to try it out would be neat.
But if you are running Kubernetes on bare metal, there is no reason you couldn't map in /dev/kvm and have k8s run VMs for you. I haven't done it though :)
As someone who doesn't know, why would you want to run VMs inside of a docker container? Wouldn't this have tremendous overhead relative to just running the hypervisor?
If you use the -privileged flag, docker containers can access /dev/kvm and start low-overhead KVM instances.
It's advantageous for me, because I can say "hey check out this software" and they just have to run a single docker command, compared to installing Go, apt-getting a bunch of packages, fetching our repo, compiling, etc.
Because the software I'm attempting to demonstrate/distribute is specifically designed for running VMs. That is its sole purpose--sorta like OpenStack.
Do you see this being useful for analytical workloads (ie i need a bunch of cores for a short time to run a parallel job) or more focused on scaling web apps and services?
It can be used as both. As we build out better resource isolation and QoS, you'll be able to run mixed workload on the same hardware/VMs and use "every part of the animal".
Does this mean that Google feels confident in running untrusted code inside containers? Or is each container actually running in an isolated VM?
It is my understanding that Docker containers are "generally" secure (https://docs.docker.com/articles/security/). But that statement isn't enough for me to use them to power a multi-user production hosting environment.
Can someone explain the difference between Apache Mesos, Apache Spark, and Kubernetes. As someone reading just announcements, and having never experimented with any of these tools, they sound like they promise the same capabilities.
Is it just that they are different open source projects aiming for the same goal ... or are their goals different?
Mesos and Kubernetes share lot of commonalities: both are useful for managing (virtual) compute resources for a given application. Primarily, as an app developer, you are interesting in specifying the required resources at a high level: 10 front end instances, 20 middle tier, and 3 back end database instances. You may not care how the resources are provisioned as long as some underlying SLA is satisfied. This is useful for boosting service uptime since in any long running service the nodes may go offline anytime and the framework will re-provision the resources automatically--often within few mins.
Mesos is useful to share resources across multiple clusters (i.e., multiple departments using Hadoop within a same organization may want to share the resources), where as Kubernetes seems to focus on container applications using docker. In addition, Mesos implements dominant-resource-fairness (DRF) scheduling, which has some nice properties [0].
Lastly, Spark is just an application running on the top of Mesos or Kubernetes. Using my earlier example, Spark and Hadoop can run in a single datacenter on the top of Mesos without statically partitioning the clusters a priori each having an illusion that they own the entire datacenter.
Apache Mesos is a distributed system that is kind of a "bottom layer" for computations and storage (whether in-memory or on disk).
Apache Spark is a distributed application that runs on top of Mesos and does computations that takes advantage of cluster computing. It can do classic MapReduce or other algorithms that you write using its API.
Kubernetes is a distributed system that runs Docker in a cluster. Docker is a way to run sandboxed applications. Kubernetes can run on Mesos.
I'll give it a shot, with the disclaimer that this explanation is based on conference talks I've seen and documentation I've read.
Spark is a successor to Hadoop, aiming to perform big distributed data crunching jobs more quickly by not limiting itself to a map-reduce paradigm and by holding more data in memory.
Apache Mesos is a resource scheduler for a cluster of machines. It is architected to be agnostic about the kind of application running on it, but I get the impression it's primarily used to make things like Hadoop and Spark run on the same cluster without stepping on each other's toes (and not used so much for long-running services like a web app). An application says to Mesos "hey I'd like to run job X", outlining the resources that it needs, and then Mesos looks at the cluster to see the best place to run the job. Mesos has some Docker integration but it's weird. Instead of launching your job and creating cgroups directly as it usually does, Mesos has to run a proxy process that talks to Docker and asks it to do it. (This is because Docker no longer has standalone mode. Which is my biggest gripe about Docker.)
Kubernetes is solving a similar problem to Mesos, how to allocate resources in a cluster to all the jobs that you might want to run on it. It's explicitly focused on "containers", though not necessarily just Docker containers. (The README at https://github.com/GoogleCloudPlatform/kubernetes makes no mention of Docker.) I get the impression it's focused more on long-running processes like web servers and less on ephemeral Hadoop-style jobs.
> and not used so much for long-running services like a web app
Mesosphere Marathon, which sits on top of Mesos, makes doing long-running services easier; it starts services, restarts them if machines crash, etc etc. Where Mesos is the resource schedular, Marathon is more like a *nix init system.
Aurora is supposed to do much the same thing, but is in Incubation at the moment. There's also "Singularity", which does a bunch of stuff including managing long-running services and one-off services through an HTTP API and webapp.
Mesos is supposed to be treated sort of as a "cluster kernel", with "frameworks" which sit on top of it and use it to schedule things. It's a lot more versatile than "I want to deploy a bunch of services" - it's more along the lines of having your own EC2 that you can request resources from on-demand.
Apache Mesos is based on Twitter's expertise in deploying their cluster, Kubernetes on Google's. They do things in different ways. Spark seems to be in the same area as Hadoop, so not relevant to the conversation.
Yep, but there's an important difference I think...
Mesos (some customizations, but largely the same as open-source Apache Mesos) IS what Twitter uses to deploy and manage their clusters. Battle-hardened at scale running diverse production workloads.
With Kubernetes, we're told that it is built using architectural and philosophical principles proven to work at scale on Google's production systems. But it's a fairly clean-room built-from-scratch implementation and although developing quickly, is still immature and untested.
No. Apache Mesos was originally developed at the UC Berkeley AMPLab as a research project. Twitter was a very early adopter, who subsequently hired the Mesos author/creator.
Strongly agree with this. I've been interviewing for DevOps jobs and it seems like everyone thinks they need to be using Docker for some reason or another. Studying up on it has improved my interview feedback substantially.
Hi Joe, I guess you folks are not running containers from customers side-by-side in the same host. So if I scale up my cluster size while I have containers deployed, do you folks rebalance the load on the host machines on the fly (by stopping/relocating some containers) or do you rebalance the new containers?
I hope this have the ripple effect of allowing enterprises to feel comfortable using things like Firebase and Docker. I floated the idea of using Docker but the idea was turned down because we have no idea how it affects performance in a production environment.
I'm on the Kubernetes/GKE team and happy to answer any questions you all might have.
We also all hang out on IRC at #google-containers on freenode.