How To Manage Multiple Docker Containers at Scale | by Matt Bentley | May, 2022

A guide for managing Docker containers at scale, including development, continuous integration, environment promotion, and DevSecOps


With the rise of containers and container orchestrators, Docker has become a must-have skill for all modern-day programmers. This article is for anyone who builds custom container images from their application code, whether you’re using Kubernetes as a container orchestrator or bare metal servers.

Here I will be focusing on how multiple different container images can be managed throughout the whole development and release cycle. We will cover:

  • Building multiple images at once
  • Running a set of images for testing purposes
  • Executing commands on multiple images. I’ll show how this can be used for DevSecOps processes such as image scanning
  • Promoting images from one registry to another during the release process

I’ll assume that you have some knowledge of Docker and Docker Compose.

If you just want to jump straight to the good stuff, here is a reference GitHub repository for the techniques explained in this article.

Before we get started, here are some goals and principles this article is trying to meet:

Fully automated

Our processes for managing container images should be completely automated.

Flexible

The beauty of containers is that they can run across multiple different hosting environments. The process for managing images should be applicable no matter what technologies you’re using for CI/CD.

Ideally, we want to make as few changes as possible to our scripts and infrastructure/pipelines-as-code when we are adding new images/services to our solutions.

Build Once

One of the most important benefits of containers is that they will run consistently across different hosting environments. We should be taking full advantage of this by only building our images once and promoting those images through each environment when we release. This will ensure that the same image is deployed to production that has already been tested in all lower environments.

Container Image Promotion

A sample project is provided to help demonstrate some of the techniques in this article. The project consists of the following applications:

  • .NET Blazor WebAssembly web application
  • .NET Worker agent console application
  • SQL Server database

The application consists of a simple Web UI for retrieving random weather forecasts from a SQL Server database. The agent service updates the forecasts every 10 seconds and performs the initial database schema migration when started.

A sample Azure DevOps pipeline is provided; however, these techniques can be used for any CI/CD process as they are all command-line driven.

My team has found that a docker-compose.yml file is a perfect place to declare additions and changes to your images. It is well understood and can be used by many container management tools such as Docker Desktop, Podman, and Docker Engine.

Even with a fully automated CI/CD process in place, new services and their associated image names must be specified somewhere, and your project’s docker-compose.yml is a pretty good place for that.

Docker Compose profiles are a relatively new addition, making it much easier to work with different configurations at each point in the development cycle. Running docker build, run and pull/push commands through Docker Compose is fairly well understood; however, a docker-compose.yml file and its associated profiles can also be used to run additional actions using custom bash scripts.

The sample project has the following profiles, which can be used to get different actions running quickly:

  • dev: Used for local development. Local resources such as a database or message bus can quickly be spun up.
  • test: Test all services for the project together.
  • ci: Used to build and push custom images from application code in the continuous integration process. This could be split into more granular profiles if you wanted to run the builds across different jobs in parallel.

A profile can be used to build a selection of images for your project. The following command will build all of the services for the ci profile:

docker-compose --profile ci build

This can be used in your Continuous Integration (CI) process to build all of your images. As services are added to your docker-compose.yml file, they will automatically be picked up in the CI build without requiring any changes to your CI code.

I’ve found Docker Compose profiles useful for splitting long-running image builds from the rest of the other services. Typically, web application image builds using multiple JavaScript npm libraries can take a long time, so it is best to create separate profiles for running them in parallel.

Building Profiles in Parallel in a Continuous Integration Process

Profiles can also be used to run a selection of services for your project. The following command will run all of the services required to test the sample application locally using the test profile:

docker-compose --profile test up

The services can be stopped and containers removed by running:

docker-compose --profile test down

Local Development

For developing code, a different set of services may be needed. I often find it useful to have a dev profile for running local resources such as a database or message bus. The following command will run only the database for local development:

docker-compose --profile dev up

Data Persistence

The docker-compose.yml file provided creates a volume so that data in the database will persist when the database container is stopped and deleted. To stop the database and delete the data volume, the following can be used:

docker-compose --profile test down -v

Now that our services are already specified in our docker-compose.yml file, we can go even further by running custom actions against their associated images.

The docker-compose-extract.sh script can be used to extract image names from a Docker Compose file based on a profile or image filters. The following command prints the image names from the ci profile:

./pipelines/scripts/docker-compose-extract.sh -p ci

Note: your docker-compose files must have Unix line endings to work with the provided bash scripts. Use VS Code or dos2unix to convert from Windows to Unix line endings if required. The scripts should be run from a bash terminal; if you are using Windows, try using Git Bash.

The output from the above command and additional options for filtering which images are extracted is shown below:

The main logic for docker-compose-extract.sh is shown below. Two arrays are created for the images and their associated profiles. Several different filters are run on the image names and profiles based on the parameters provided.

Main Logic from docker-compose-extract.sh
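
One way to filter image names by profile, written as an added example and not the repository's docker-compose-extract.sh. The compose content and image names are constructed, and the parser assumes two-space indentation, unquoted image values and inline profiles lists.

```bash
#!/bin/sh
# Added example (not the project's docker-compose-extract.sh).
# Constructed compose content; service and image names are assumptions.
sample_compose() {
cat <<'EOF'
services:
  web:
    image: devregistry.io/weather-web:1.0.0
    profiles: ["ci", "test"]
  agent:
    image: devregistry.io/weather-agent:1.0.0
    profiles: ["ci", "test"]
  database:
    image: mcr.microsoft.com/mssql/server:2019-latest
    profiles: ["dev", "test"]
EOF
}

# extract_images PROFILE [NAME_FILTER]
# Reads compose YAML on stdin and prints one image per line for every service
# whose profiles list contains PROFILE and whose image contains NAME_FILTER.
extract_images() {
  awk -v want="$1" -v filter="${2:-}" '
    function flush() {
      if (image != "" && index(profiles, "\"" want "\"") &&
          (filter == "" || index(image, filter)))
        print image
      image = ""; profiles = ""
    }
    /^  [A-Za-z0-9_.-]+:[ \t]*$/ { flush(); next }   # start of a service block
    /^    image:/    { image = $2 }
    /^    profiles:/ { sub(/^    profiles:[ \t]*/, ""); profiles = $0 }
    END { flush() }
  '
}

# Images that belong to the ci profile in the constructed file.
sample_compose | extract_images ci
```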

Now that we have a nice way of retrieving our images by a specific profile, we can chain this to additional scripts.

The previous script helps us with our first two goals; this next script will allow us to build our images once and promote those images through our different environments as we release.

The following process is carried out before deploying code to each environment:

  • Pull images to promote from the previous environment
  • Use Docker tag to change the registry name on the images to the promotion registry
  • Push the promoted images to the current environment registry

The docker-compose-promote.sh script uses the docker-compose-extract.sh script to extract the images required for promotion and then uses Docker tag to change the registry name of the images locally. The following command will promote images from the ci profile with the 1.0.0 image tag and change the registry name from devregistry.io to qaregistry.io:

./pipelines/scripts/docker-compose-promote.sh -p ci -t 1.0.0 -r devregistry.io -u qaregistry.io

This script can be used in a Continuous Deployment (CD) process, as shown below:

Promoting Images When Deploying From a Continuous Deployment Process

The main logic from docker-compose-promote.sh is shown below. The extracted images from the docker-compose.yml file are looped over, and the registry name and tag are replaced with the required values.

Main Logic from docker-compose-promote.sh
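
The pull, tag and push steps described above, as an added example and not the repository's docker-compose-promote.sh. The function names and image names are assumptions; it runs as a dry run that prints each docker command unless DOCKER=docker is set, and it skips any image that does not come from the source registry.

```bash
#!/bin/sh
# Added example (not the project's docker-compose-promote.sh).
# Dry run by default: prints each command. Set DOCKER=docker to execute.
DOCKER=${DOCKER:-echo docker}

# promoted_name IMAGE FROM_REGISTRY TO_REGISTRY TAG
# Prints the target reference, or returns 1 if IMAGE is not in FROM_REGISTRY.
promoted_name() {
  case "$1" in
    "$2"/*) ;;
    *) return 1 ;;
  esac
  path=${1#"$2"/}        # repository path with optional :tag or @digest
  last=${path##*/}       # final path component
  dir=${path%"$last"}    # leading namespace, empty or ending in /
  name=${last%%@*}       # drop a digest suffix
  name=${name%%:*}       # drop a tag suffix
  printf '%s/%s%s:%s\n' "$3" "$dir" "$name" "$4"
}

# promote FROM_REGISTRY TO_REGISTRY TAG   (image references on stdin)
promote() {
  while IFS= read -r image; do
    target=$(promoted_name "$image" "$1" "$2" "$3") || {
      echo "skip $image (not in $1)" >&2
      continue
    }
    source_ref="$1/${target#"$2"/}"   # same repository and tag, source registry
    $DOCKER pull "$source_ref" &&
      $DOCKER tag "$source_ref" "$target" &&
      $DOCKER push "$target" || return 1
  done
}

# Constructed input: one project image and one third-party image.
printf '%s\n' devregistry.io/weather-web:1.0.0 \
  mcr.microsoft.com/mssql/server:2019-latest |
  promote devregistry.io qaregistry.io 1.0.0
```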

Now that we have a nice way to extract groups of images for our project, we can run custom commands against them for processes such as DevSecOps. Typically, most security and automation tools are CLI-based, which makes it easy to chain them to the docker-compose-extract.sh script.

The docker-compose-command.sh script can be used to run a custom command against extracted images from a docker-compose.yml file. Your provided command must contain @image; this will get replaced with the name of the extracted image.

The following command shows an example of running a container scan using Dive on each of the images in the ci profile in the devregistry.io registry with the 1.0.0 tag. Dive is used to scan images for wasted space. However, this could be swapped out for any other container scanning or automation tool:

./pipelines/scripts/docker-compose-command.sh -r devregistry.io -p ci -t 1.0.0 -c "dive @image"

The output from Dive scans in a Continuous Integration process is shown below:

Running Image Scans From a Continuous Integration Process

The main logic for docker-compose-command.sh is shown below. The extracted images from the docker-compose.yml file are looped over and the provided command is executed against each of them.

Main Logic from docker-compose-command.sh
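
One way to apply an @image command template to each image, as an added example and not the repository's docker-compose-command.sh. Unlike the -c string shown above, this sketch takes the command as separate arguments (an assumption) so that each image reference is validated and stays a single argument; the function names and image names are constructed.

```bash
#!/bin/sh
# Added example (not the project's docker-compose-command.sh).

# valid_image_ref REF: accept only characters that occur in image references
# and refuse values that would be read as a command-line option.
valid_image_ref() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._/:@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# run_for_image IMAGE CMD [ARG...]
# Replaces the first @image in each argument with IMAGE and runs the command
# directly, without passing the text through the shell parser again.
run_for_image() {
  img=$1; shift
  valid_image_ref "$img" || { echo "rejected image reference: $img" >&2; return 2; }
  n=$#
  while [ "$n" -gt 0 ]; do
    arg=$1; shift
    case "$arg" in
      *@image*) arg=${arg%%@image*}$img${arg#*@image} ;;
    esac
    set -- "$@" "$arg"     # rotate the rewritten argument to the end
    n=$((n - 1))
  done
  "$@"
}

# run_for_images CMD [ARG...]   (image references on stdin)
# Runs the command for every image; returns 1 if any run failed, so a CI step fails.
run_for_images() {
  status=0
  while IFS= read -r image; do
    run_for_image "$image" "$@" </dev/null || status=1
  done
  return "$status"
}

# Constructed input; `echo dive` stands in for a scanner CLI such as dive.
printf '%s\n' devregistry.io/weather-web:1.0.0 devregistry.io/weather-agent:1.0.0 |
  run_for_images echo dive @image
```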

The scripts provided can be used in any CI/CD process as they are command-line based. An example of an Azure DevOps CI/CD pipeline can be found in azure-pipelines.yml.

Sample Azure DevOps CI/CD Pipeline

The Build stage is responsible for building, scanning, and pushing the images. The images are initially pushed to a Development registry, and the following deployment artifact is produced:

Deployment Artifact

The provided scripts and docker-compose.yml file are used in the Deploy stages to promote and release images. If you are using a container orchestrator such as Kubernetes, then your deployment manifest files or Helm charts should also be added to your deployment artifact.
