At Docker, we are striving to enable the extensibility of Docker via "Plugins" and make them available for developers and enterprises alike. Come attend this talk to understand what it takes to build, ship, store and run plugins. We will deep dive into plugin lifecycle management on a single engine and across a swarm cluster. We will also demonstrate how you can integrate plugins from other enterprises or developers into your ecosystem. There will be fun demos accompanying this talk! This session will be beneficial to you if you: 1) are an ops team member trying to integrate Docker with your favorite storage or network vendor; 2) are interested in extending or customizing Docker; or 3) want to become a Docker partner, and want to make the technology integration seamless.
7. SSHFS (SSH Filesystem) is a filesystem client
to mount and interact with directories and
files located on a remote server or
workstation over a normal ssh connection
What is sshfs?
https://en.wikipedia.org/wiki/SSHFS
10. $ ssh user@host
# cd /some/path && echo austin > dockercon && exit
Prepare directory on ssh host
11. Prepare directory on ssh host
$ docker plugin help
Usage: docker plugin COMMAND
Manage plugins
Options:
--help Print usage
Commands:
create Create a plugin from a rootfs and configuration. Plugin data directory must contain config.json
disable Disable a plugin
enable Enable a plugin
inspect Display detailed information on one or more plugins
install Install a plugin
ls List plugins
push Push a plugin to a registry
rm Remove one or more plugins
set Change settings for a plugin
upgrade Upgrade an existing plugin
Run 'docker plugin COMMAND --help' for more information on a command.
12. $ docker plugin install vieux/sshfs
Plugin "vieux/sshfs" is requesting the following privileges:
- network: [host]
- mount: [/var/lib/docker/plugins/]
- device: [/dev/fuse]
- capabilities: [CAP_SYS_ADMIN]
Do you grant the above permissions? [y/N]
Install vieux/sshfs
13. Install vieux/sshfs
$ docker plugin install vieux/sshfs
Plugin "vieux/sshfs" is requesting the following privileges:
- network: [host]
- mount: [/var/lib/docker/plugins/]
- device: [/dev/fuse]
- capabilities: [CAP_SYS_ADMIN]
Do you grant the above permissions? [y/N] y
latest: Pulling from vieux/sshfs
b2bcc48d3424: Download complete
Digest: sha256:151e6d386ab93a4d9f8ec0befd6c43485fe9e1151fd9784493b147ca621d3d5d
Status: Downloaded newer image for vieux/sshfs:latest
Installed plugin vieux/sshfs
14. Use vieux/sshfs plugin
$ docker plugin ls
ID NAME DESCRIPTION ENABLED
dfe9270de30a vieux/sshfs:latest sshFS plugin for Docker true
$ docker volume create -d vieux/sshfs -o sshcmd=user@host:/some/path -o password="$password" -o port="$port" mysshvolume
$ docker run -it --rm -v mysshvolume:/remote busybox sh
/ # cat /remote/dockercon
austin
20. $ docker volume rm mysshvolume
$ docker plugin disable vieux/sshfs
$ docker plugin set vieux/sshfs DEBUG=1
$ docker plugin enable vieux/sshfs
$ docker volume create -d vieux/sshfs -o sshcmd=user@host:/some/path -o password="$badpassword" -o port="$port" mysshvolume
The DEBUG setting is NOT generic to all plugins, it is defined by this vieux/sshfs
plugin (more on this later).
Modify plugin settings
21. $ docker plugin ls --no-trunc
ID NAME DESCRIPTION ENABLED
9fef4eb6fa883d44e9c1c2901fb598f39f67d50bcc0e1653b4f393807fb80558 vieux/sshfs:latest sshFS plugin for Docker true
$ docker-runc exec -t 9fef4eb6fa883d44e9c1c2901fb598f39f67d50bcc0e1653b4f393807fb80558 sh
/ # echo hi from plugin container
Pro Tip: Access plugin container
22. - grep plugin=$pluginID docker.log
- if plugin allows it, set higher verbosity with docker plugin set
- docker-runc exec -t $pluginID sh
Recap: Debugging a plugin
24. What constitutes a plugin?
- Rootfs of plugin container
- JSON description defining what interface it
implements, what permissions it needs
- Reference:
https://docs.docker.com/engine/extend/config
25. - Docker bind-mounts the host’s
/run/docker/plugins/$pluginID into the container’s
/run/docker/plugins
- Each plugin has to listen on a socket inside
/run/docker/plugins
$ ls /run/docker/plugins/*/
sshfs.sock
How does it work?
26. Plugins serve via the socket, an HTTP+JSON API
specified in the documentation for each plugin type.
Authorization:
https://docs.docker.com/engine/extend/plugins_authorization
Volume:
https://docs.docker.com/engine/extend/plugins_volume/
Network:
https://docs.docker.com/engine/extend/plugins_network/
IPAM:
https://github.com/docker/libnetwork/blob/master/docs/ipam.md
How does it work?
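The exchange described on the two slides above, as an added Go example that is not from the talk or from any plugin's source: a plugin side that answers two endpoints of the HTTP+JSON API on a Unix socket, and an engine side that POSTs to it. The relative socket path `sshfs.sock` stands in for the file under /run/docker/plugins, and the validation rule and error text are assumptions for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// Handler answers the activation handshake and VolumeDriver.Create.
// It only validates the request; nothing is mounted (illustrative rule).
func Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string][]string{"Implements": {"VolumeDriver"}})
	})
	mux.HandleFunc("/VolumeDriver.Create", func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Name string; Opts map[string]string }
		resp := map[string]string{"Err": ""}
		if json.NewDecoder(r.Body).Decode(&req) != nil || req.Name == "" || req.Opts["sshcmd"] == "" {
			resp["Err"] = "Name and Opts.sshcmd are required"
		}
		json.NewEncoder(w).Encode(resp)
	})
	return mux
}

// Exchange serves Handler on the Unix socket sock, then acts as the engine and POSTs body to path.
func Exchange(sock, path, body string) (string, error) {
	l, err := net.Listen("unix", sock)
	if err != nil {
		return "", err
	}
	defer l.Close() // closing the listener also removes the socket file
	go http.Serve(l, Handler())
	c := http.Client{Transport: &http.Transport{
		DialContext: func(context.Context, string, string) (net.Conn, error) { return net.Dial("unix", sock) }}}
	resp, err := c.Post("http://plugin"+path, "application/json", strings.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return strings.TrimSpace(string(b)), err
}

func main() { fmt.Println(Exchange("sshfs.sock", "/Plugin.Activate", "{}")) }
```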
27. Pro Tip: Use helper package
Go helper package:
https://github.com/docker/go-plugins-helpers
For volume plugins:
https://godoc.org/github.com/docker/go-plugins-helpers/volume
29. $ git clone https://github.com/vieux/docker-volume-sshfs
$ cd docker-volume-sshfs
$ ls
Dockerfile LICENSE README.md main.go
Dockerfile.dev Makefile config.json vendor
$ vim main.go
Demo: building vieux/sshfs
30. Demo: building vieux/sshfs
Config.json defines:
- Type of functionality the plugin provides (docker.volumedriver/1.0), along with the name of the socket (sshfs.sock)
- Entrypoint to the binary
- A DEBUG environment variable that’s settable by the user
- Access to device /dev/fuse
- Linux capability CAP_SYS_ADMIN to be able to mount FUSE from the container
- Host networking to access the remote host
- Bind mount to store state outside the plugin
- Last but not least, PropagatedMount: the path inside the container that needs to be propagated back into docker’s mount namespace
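To review what a plugin will ask for before installing it, the Go program below (an added example, not from the talk or the vieux/sshfs repository) parses a config.json and lists the host privileges it declares, in the form of the `docker plugin install` prompt shown earlier. The sample config is constructed from the list above with field names per the config reference, and the reporting rule is an assumption, not the engine's own logic.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleConfig is constructed from the slide's list; it is not the repository's config.json.
const sampleConfig = `{
  "interface": {"types": ["docker.volumedriver/1.0"], "socket": "sshfs.sock"},
  "network": {"type": "host"},
  "mounts": [{"type": "bind", "source": "/var/lib/docker/plugins/", "destination": "/mnt/state"}],
  "linux": {"capabilities": ["CAP_SYS_ADMIN"], "devices": [{"path": "/dev/fuse"}]},
  "propagatedMount": "/mnt/volumes"
}`

// Privileges lists what a config.json asks of the host, formatted like the install prompt.
// Assumption: every declared network type, mount source, device and capability is reported.
func Privileges(raw string) ([]string, error) {
	var c struct {
		Network struct{ Type string }
		Mounts  []struct{ Source string }
		Linux   struct {
			Capabilities []string
			Devices      []struct{ Path string }
		}
	}
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, err
	}
	var out []string
	// add records one prompt line, skipping privileges the config does not declare.
	add := func(name string, vals ...string) {
		if len(vals) > 0 && vals[0] != "" {
			out = append(out, fmt.Sprintf("%s: %v", name, vals))
		}
	}
	add("network", c.Network.Type)
	for _, m := range c.Mounts {
		add("mount", m.Source)
	}
	for _, d := range c.Linux.Devices {
		add("device", d.Path)
	}
	add("capabilities", c.Linux.Capabilities...)
	return out, nil
}

func main() { fmt.Println(Privileges(sampleConfig)) }
```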
31. Demo: building vieux/sshfs
Build the sshfs image and extract rootfs
$ docker build -t sshfs .
$ docker container create --name tmp sshfs
$ mkdir -p ./plugin/rootfs
$ docker container export tmp | tar -x -C ./plugin/rootfs
Add plugin config
$ cp config.json ./plugin/
$ ls ./plugin
config.json rootfs/
32. Demo: building vieux/sshfs
Create plugin
$ docker plugin create tiborvass/sshfs ./plugin
$ docker plugin ls
ID NAME DESCRIPTION ENABLED
f207db14aa5b vieux/sshfs:latest sshFS plugin for Docker true
3fd525f16cb6 tiborvass/sshfs:latest sshFS plugin for Docker false
33. - implement plugin HTTP+JSON API corresponding to the
desired plugin type
- containerize plugin + export rootfs
- write config.json for plugin
- docker plugin create tiborvass/sshfs ./plugin
where ./plugin contains:
- config.json
- rootfs/
Recap: Building a plugin
34. - docker plugin push tiborvass/sshfs
- Collaborate
- View plugin scans
Collaborate on your plugin