!doctype html> Docker, Kubernets, & OpenShift - FOSS Community FTW!

Building a modern PaaS:

Docker, Kubernets, & OpenShift - FOSS Community FTW!

Presented by:

Steven Pousty


@TheSteve0 on Twitter, IRC, Instagram, Ingress, Skype, SmugMug, and Github

Cloud Services

Quick Demo:
OpenShift Now

Create a new PHP app from the command line:

rhc app create newphp -t php-5.4

Enter the new local git repo and modify a file:

cd newphp
vim index.php

Commit the change, push it to the app:

git commit -am "Comment"
git push

So Why a New PaaS?

  • Three years in, we've learned a lot about PaaS
  • As more people focus on PaaS, more tools are becoming available
  • We want to combine the best user experience in PaaS with the best underlying technologies

Built for Speed: Project Atomic


Project Atomic logo
  • Stripped down and optimized for deployment into cloud
  • Uses ostree filesystems
  • Best supported Linux kernel available


Docker.io Logo

What is a Container?

Diagram of a multi-layered docker container
  • In Docker parlance, a container is a running instance of an image
  • Based on linux containers (namepaces, control groups)
  • Combines file system layers into a "Union File System"
  • Includes all of the components necessary to run a process, store persistent data, or both

Containers vs. VMs

Docker and VM comparison diagram

Layers and UFS

Diagram of a multi-layered docker container

Layers and UFS

  • One or more read-only file systems and one read/write file system
  • All presented as a single file system via one of several methods: device mapper thin provisioning (direct-lvm, loopback-lvm) or at the filesystem level (btrfs, OverlayFS)
  • Behavior is similar to using a LiveCD

"Data Volume Container": A Docker container with only a read/write file system, either strictly within the container or linked to real storage on the host

Images: More like git than tar

  • Images can be pulled from and pushed to a remote registry.
  • Images can be versioned and tagged.
  • Containers can be diffed to show how they differ from their base images.

Container Operations

Instantiate a Docker container with docker run:

$ docker run -i -t nhripps/centos /bin/bash
bash-4.1# exit

List running and exited docker processes with docker ps:

$ docker ps -l
CONTAINER ID  IMAGE                  COMMAND      CREATED         STATUS      NAMES
7c4ef3596fa5  nhripps/centos:latest  "/bin/bash"  49 seconds ago  Exited (0)  grave_newton

Rejoin containers with docker attach:

$ docker start grave_newton
$ docker attach grave_newton
bash-4.1# exit

Docker Containers as Daemons

Start a container as a detached process with docker run -d:

$ docker run -d nhripps/nginx:base
$ docker ps
CONTAINER ID  IMAGE               COMMAND               PORTS   NAMES
1aa9f0bd1418  nhripps/nginx:base  "/bin/sh -c '/usr/sb  80/tcp  elegant_bell

Use the -P flag to automatically map container ports to the Docker host:

$ docker run -d -P nhripps/nginx:base
$ docker ps
CONTAINER ID  IMAGE               COMMAND               PORTS                  NAMES
1c2e06d8f85e  nhripps/nginx:base  "/bin/sh -c '/usr/sb>80/tcp  loving_mclean

Note that the process still runs as a foreground process within the container.

Linking Containers

Docker links diagram
  • Containers on the same host can be linked together
  • Links between containers are not accessible outside the host
  • Links are shared via ENV and /etc/hosts

Docker: Pros and Cons


  • Extreme application portability
  • Very easy to create and work with derivative images
  • Fast boot on containers


  • Host-centric solution; not aware of anything else
  • No higher-level provisioning
  • No Developer Workflow

How we use Kubernetes

Kubernetes Logo

Kubernetes Terminology

Kubernetes minion diagram  
Kubernetes Node
Kubernetes Node
A Docker host running the kubelet and the proxy service.
One or more inter-related (linked) Docker containers.
A collection of one or more Minions.

Node Daemon:

Kubelet works between etcd and docker.
  • Primary responsilibity: pod metadata and management
  • Maintain a record of pod state
  • Take instructions from the cluster master

Kubernetes Daemon:

The proxy maps a single port on the minion to all relevant pods
  • Mapping of a minion host port to a pod label is called a service
  • The proxy service maps a common port on every node to relevant pods across the entire cluster
  • It can forward both HTTP and UDP

Kubernetes Cluster Management - the control pane

Kubernetes cluster master diagram
Kubernetes API
RESTful web API for Kubernetes, running on nginx
One job: choose minions for pods
Controller Manager
Monitoring service for deployed pods
(A newer iteration of this is now called kubectl )
CLI for working with a Kubernetes cluster


  • Highly available key/value data store
  • Built-in clustering support
  • RAFT consensus-based algorithm for updates
Visualization of raft consensus

and Replication Controllers

You tell controller-manager what you need, and it does the rest.
  • You tell it what you need, it decides which minions to deploy on
  • Constant monitoring; starts and stops pods as necessary to match the count
  • Decoupled from service proxying

The Kubernetes API

A REST api to interact with Kubernetes

  • Minions (docker hosts)
  • Pods (docker container configurations)
  • Services (port proxy mappings)
  • Replication Controllers (replicated, monitored pod deployments)


OpenShift Logo

What does OpenShift Bring to the Party

  1. A Built-in Software Defined Network
  2. A Well Defined Workflow from Code to Deployed Application
  3. A Much Friendlier Interface with Monitoring and Reporting

Networking Layer

  1. Using OpenVSwitch
  2. Handles IP routing at the application level in terms of isolation and discoverability
  3. Provides Load Balancing - HAProxy in it's own pod

Applications in OpenShift 3



config, n.
A collection of Kubernetes and OpenShift 3 objects that describes any combination of pods, services, replicationControllers, environment variables and OpenShift 3 objects that we'll discuss in a few slides.

template, n.
A parameterized version of a config for generalized re-use.

Build Options


  1. docker-builder - pulls docker images and merges code
  2. Source-to-Image (STI) - take a docker image and source and run it through a build
  3. BuildConfig - A url for code + a build type above + auth code for using webhooks

Application Lifecycle:

Integrating with CI and CD through "triggers"

Make a platform that is aware of changes:

  • In source code
  • On a CI system
  • In an image repository

...so that the entire product lifecycle is
repeatable, fault-tolerant and automated.

What we make easier


  • Configurations
    • Collections of Kubernetes and OpenShift 3 objects
    • Parameterized templates
    • Post-processed configs
  • Builds
    • Where is the code coming from?
    • How do we turn it into a Docker image?
  • Deployments
    • When do we deploy?
    • How do we deploy?
    • What should the deployment look like?

Teams and Management


  • Users, Teams and Projects
    • A project controls access to a set of resources
    • Projects have hard and soft resource limits
    • Projects are based on organizational boundaries
  • Quota and Usage
    • Leverage Kubernetes to get fine-grained resource control
    • Performance policies can be specified along many dimensions

Thank You!



Learn More: