
[openstack-dev] [OpenStack][Docker] Run OpenStack Service in Docker Container

0 votes

I see a few mentions of OpenStack services themselves being containerized
in Docker. Is this a serious trend in the community?

http://allthingsopen.com/2014/02/12/why-containers-for-openstack-services/

--
Thanks,

Jay

asked Aug 14, 2014 in openstack-dev by Jay_Lau (7,320 points)   1 8 11
retagged Apr 14, 2015 by admin

11 Responses

0 votes

I think it's a very interesting test for docker. I too have been thinking
about this for some time to try and dockerise OpenStack services, but as
the usual story goes, I have plenty of things I'd love to try, but there are
only so many hours in a day...

Would definitely be interested to hear if anyone has attempted this and
what the outcome was.

Any suggestions on what the most appropriate service would be to begin with?

--
Philip Cheong
*Elastx *| Public and Private PaaS
email: philip.cheong at elastx.se
office: +46 8 557 728 10
mobile: +46 702 8170 814
twitter: @Elastx https://twitter.com/Elastx
http://elastx.se

responded Aug 18, 2014 by Philip_Cheong (320 points)   1
0 votes

I see that there are some openstack docker images in the public docker repo,
perhaps you can check them on github to see how to use them.

[root at db03b04 ~]# docker search openstack
NAME                                     DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
ewindisch/dockenstack                    OpenStack development environment (using D...   6                  [OK]
jyidiego/openstack-client                An ubuntu 12.10 LTS image that has nova, s...   1
dkuffner/docker-openstack-stress         A docker container for openstack which pro...   0                  [OK]
garland/docker-openstack-keystone                                                        0                  [OK]
mpaone/openstack                                                                         0
nirmata/openstack-base                                                                   0
balle/openstack-ipython2-client          Features Python 2.7.5, Ipython 2.1.0 and H...   0
booleancandy/openstack_clients                                                           0                  [OK]
leseb/openstack-keystone                                                                 0
raxcloud/openstack-client                                                                0
paulczar/openstack-agent                                                                 0
booleancandy/openstack-clients                                                           0
jyidiego/openstack-client-rumm-ansible                                                   0
bodenr/jumpgate                          SoftLayer Jumpgate WSGi OpenStack REST API...   0                  [OK]
sebasmagri/docker-marconi                Docker images for the Marconi Message Queu...   0                  [OK]
chamerling/openstack-client                                                              0                  [OK]
centurylink/openstack-cli-wetty          This image provides a Wetty terminal with ...   0                  [OK]

--
Thanks,

Jay

responded Aug 18, 2014 by Jay_Lau (7,320 points)   1 8 11
0 votes

I believe that everything can not go as a Docker container. For e.g.

  1. compute nodes
  2. baremetal provisioning
  3. L3 router etc

My understanding is that a container is a good mechanism to deploy
api-controller and scheduler for many services. For backend components of
services (like nova-compute, cinder-volume if LVM is used), I think that usage of
baremetal is more appropriate (except backend components like cinder-volume
for external devices, nova-compute proxy etc).

Just thought to check your opinion about my understanding! Need your views!

responded Aug 18, 2014 by Jyoti_Ranjan (880 points)   1
0 votes

If you want to run OpenStack services in Docker, I suggest having a look at Dockenstack:

https://github.com/ewindisch/dockenstack

Adrian

responded Aug 18, 2014 by Adrian_Otto (11,060 points)   2 4 7
0 votes

On Mon, Aug 18, 2014 at 1:42 PM, Adrian Otto <adrian.otto at rackspace.com> wrote:

> If you want to run OpenStack services in Docker, I suggest having a look
> at Dockenstack:
>
> https://github.com/ewindisch/dockenstack

Note, this is for simplifying and speeding-up the use of devstack. It
provides an environment similar to openstack-infra that can consistently
and reliably run on one's laptop, while bringing a devstack-managed
OpenStack installation online in 5-8 minutes.

Like other devstack-based installs, this is not for running production
OpenStack deployments.

--
Regards,
Eric Windisch

responded Aug 18, 2014 by ewindisch_at_docker. (920 points)   1
0 votes

On Mon, Aug 18, 2014 at 8:49 AM, Jyoti Ranjan wrote:

> I believe that everything can not go as a Docker container. For e.g.
>
>   1. compute nodes
>   2. baremetal provisioning
>   3. L3 router etc

Containers are a good solution for all of the above, for some value of
container. There is some terminology overloading here, however.

There are Linux namespaces, capability sets, and cgroups which may not be
appropriate for using around some workloads. These, however, are granular.
For instance, one may run a container without networking namespaces,
allowing the container to directly manipulate host networking. Such a
container would still see nothing outside its own chrooted filesystem, PID
namespace, etc.

Docker in particular offers a number of useful features around filesystem
management, images, etc. These features make it easier to deploy and manage
systems, even if many of the "Linux containers" features are disabled for
one reason or another.

--
Regards,
Eric Windisch

responded Aug 18, 2014 by ewindisch_at_docker. (920 points)   1
0 votes

2014-08-19 4:11 GMT+08:00 Eric Windisch:

> On Mon, Aug 18, 2014 at 8:49 AM, Jyoti Ranjan wrote:
>
>> I believe that everything can not go as a Docker container. For e.g.
>>
>>   1. compute nodes
>>   2. baremetal provisioning
>>   3. L3 router etc
>
> Containers are a good solution for all of the above, for some value of
> container. There is some terminology overloading here, however.

Hi Eric, one more question: I do not quite understand what you mean by
"Containers are a good solution for all of the above". Do you mean a Docker
container can manage all three of the above? How? Can you please show more
details? Thanks!

--
Thanks,

Jay

responded Aug 18, 2014 by Jay_Lau (7,320 points)   1 8 11
0 votes

>> On Mon, Aug 18, 2014 at 8:49 AM, Jyoti Ranjan wrote:
>>
>>> I believe that everything can not go as a Docker container. For e.g.
>>>
>>>   1. compute nodes
>>>   2. baremetal provisioning
>>>   3. L3 router etc
>>
>> Containers are a good solution for all of the above, for some value of
>> container. There is some terminology overloading here, however.
>
> Hi Eric, one more question: I do not quite understand what you mean by
> "Containers are a good solution for all of the above". Do you mean a Docker
> container can manage all three of the above? How? Can you please show more
> details? Thanks!

I'm not sure this is the right forum for a nuanced explanation of every
use-case and every available option, but I can give some examples. Keep in
mind, again, that even in the absence of security constraints offered by
Docker, Docker provides imaging facilities and server management
solutions that are highly useful. For instance, there are use-cases of
Docker that might leverage it simply for attestation or runtime artifact
management.

First, in the case of an L3 router or baremetal provisioning
where host networking is required, one might specify 'docker run -net
host' to allow the process(es) running inside of the container to operate
as if running on the host, but only as it pertains to networking.
Essentially, it would "uncontain" the networking aspect of the process(es).

As of Docker 1.2, to be released this week, one may also specify "docker
run --cap-add" to provide granular control of the addition of Linux
capabilities that might be needed by processes (see
http://linux.die.net/man/7/capabilities). This allows granular loosening of
restrictions which might allow container-breakout, without fully opening
the gates. From a security perspective, I'd rather provide some
restrictions than none at all.

On compute nodes, it should be possible to run qemu/kvm inside of a
container. The nova-compute program does many things on a host and it may
be difficult to provide a simplified set of restrictions for it without
running a privileged container (or one with many --cap-add statements,
--net host, etc). Again, while containment might be minimized, the
deployment facilities of Docker are still very useful. That said, all of
the really "interesting" things done by Nova that require privileges are
done by rootwrap... a rootwrap which leveraged Docker would make
containerization of Nova more meaningful and would be a boon for Nova
security overall.

--
Regards,
Eric Windisch

responded Aug 18, 2014 by ewindisch_at_docker. (920 points)   1
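
The granular loosening described in the answer above (host networking, individual --cap-add grants, or a fully privileged container) can be checked after the fact from the HostConfig section of `docker inspect` output. The following is an added example, not code from the thread or from any project named in it; the container names, the sample JSON and the BROAD_CAPS policy set are constructed assumptions.

```python
import json

# Capabilities this example treats as nearly equivalent to --privileged.
# The set is an assumption for illustration; adjust it to local policy.
BROAD_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE"}

# Constructed sample shaped like `docker inspect` output (HostConfig only).
# Container names are hypothetical.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/neutron-l3-agent",
   "HostConfig": {"Privileged": false, "NetworkMode": "host", "PidMode": "",
                  "IpcMode": "", "CapAdd": ["NET_ADMIN"], "CapDrop": null}},
  {"Name": "/nova-compute",
   "HostConfig": {"Privileged": true, "NetworkMode": "host", "PidMode": "host",
                  "IpcMode": "", "CapAdd": null, "CapDrop": null}},
  {"Name": "/nova-api",
   "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                  "IpcMode": "", "CapAdd": null, "CapDrop": null}},
  {"Name": "/cinder-volume",
   "HostConfig": {"Privileged": false, "NetworkMode": "bridge", "PidMode": "",
                  "IpcMode": "", "CapAdd": ["CAP_SYS_ADMIN"], "CapDrop": null}}
]
""")

LEVEL_ORDER = {"privileged": 0, "broad": 1, "granular": 2, "contained": 3}


def _norm_cap(name):
    """Accept both NET_ADMIN and CAP_NET_ADMIN spellings."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def containment_report(entry):
    """Summarise how much containment one container has given up."""
    hc = entry.get("HostConfig") or {}
    # Namespaces shared with the host (what --net host "uncontains").
    shared = sorted(
        ns for ns, key in (("net", "NetworkMode"), ("pid", "PidMode"),
                           ("ipc", "IpcMode"))
        if hc.get(key) == "host"
    )
    added = sorted({_norm_cap(c) for c in (hc.get("CapAdd") or [])})
    if hc.get("Privileged"):
        level = "privileged"      # the gates are fully open
    elif BROAD_CAPS.intersection(added):
        level = "broad"           # a grant that is close to privileged
    elif shared or added:
        level = "granular"        # loosened, but still restricted
    else:
        level = "contained"       # default restrictions
    return {"name": entry.get("Name", "").lstrip("/"), "level": level,
            "host_namespaces": shared, "cap_add": added}


def audit(entries):
    """Return reports sorted with the least contained containers first."""
    reports = (containment_report(e) for e in entries)
    return sorted(reports, key=lambda r: (LEVEL_ORDER[r["level"]], r["name"]))


if __name__ == "__main__":
    for r in audit(SAMPLE_INSPECT):
        print("%-18s %-11s host_ns=%s cap_add=%s"
              % (r["name"], r["level"], r["host_namespaces"], r["cap_add"]))
```

On a real host the same functions can be fed the parsed output of `docker inspect` for the running containers.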
0 votes

Thanks Eric for the detailed explanation, clear. Will check more for
related links, thanks!

--
Thanks,

Jay

responded Aug 18, 2014 by Jay_Lau (7,320 points)   1 8 11
0 votes

In particular, I tried to run DevStack inside an LXC a few months ago. I
discovered that DevStack (presumably for the sake of cinder-volume)
pre-reqs a system package named tgt, and tgt does not install successfully
inside an LXC (the install script launches the daemon, but the daemon
launch fails).

Regards,
Mike

responded Aug 19, 2014 by Mike_Spreitzer (8,200 points)   2 10 18