14. Development vs Production
Development:
● Standard images
● Code as volumes
● Data in containers (temporary)
● Configuration with environment
● Docker network — OK
● All (debug) ports are exposed
● Non-privileged ports are exposed
Production:
● Custom images (Dockerfiles)
● Code "baked" into the image
● Data in volumes (persistent)
● Configuration with environment
● Docker network? Swarm? Kubernetes? Expose ports?
● Public ports are exposed
● Privileged ports are exposed
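The two columns above, written out as Compose files. This is an added example, not something from the slides: the service name "coolapp", the images, the debugger port 5678 and the paths are assumptions. The development file mounts the checkout as a volume and publishes every port, including the debugger's; the production file bakes the code into a pinned image, keeps data in a named volume, reads secrets from a root-owned env file and publishes only the public port.

```yaml
# --- docker-compose.yml (DEVELOPMENT) --- added example, assumed layout
services:
  coolapp:
    image: python:3.11-slim                 # standard image from Docker Hub
    working_dir: /app
    command: python -m flask run --host=0.0.0.0 --debug
    volumes:
      - ./src:/app                          # code as a volume: edits are live
    environment:                            # configuration by environment
      FLASK_APP: app.py
      DATABASE_URL: postgres://coolapp:devpass@db:5432/coolapp
    ports:
      - "8000:5000"                         # non-privileged app port
      - "127.0.0.1:5678:5678"               # debugger: bind to loopback, not 0.0.0.0
  db:
    image: postgres:15
    environment:
      POSTGRES_USER: coolapp
      POSTGRES_PASSWORD: devpass            # throw-away; data dies with the container
    ports:
      - "127.0.0.1:5432:5432"               # handy for psql, still not LAN-visible

# --- docker-compose.prod.yml (PRODUCTION) --- added example, assumed layout
services:
  coolapp:
    build: .                                # custom Dockerfile COPYs the code in
    image: registry.example.com/coolapp:1.4.2   # pinned tag, never :latest
    env_file: /etc/coolapp/coolapp.env      # secrets stay on the host, mode 0600
    read_only: true                         # code is baked in, nothing writes to /
    ports:
      - "80:8000"                           # privileged public port only;
                                            # no debugger, no DB port
    depends_on: [db]
  db:
    image: postgres:15.4
    env_file: /etc/coolapp/db.env
    volumes:
      - pgdata:/var/lib/postgresql/data     # named volume: survives replacement
    # no "ports:" entry: reachable only on the Compose network
volumes:
  pgdata:
```

A port mapping written as `"5678:5678"` binds on every host interface; in development that puts the debugger on the office LAN, which is why the example prefixes it with `127.0.0.1:`. In production the question is not which interface but whether the port is published at all.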
18. Docker in Production: A History of Failure
https://thehftguy.com/2016/11/01/docker-in-production-an-history-of-failure/
● Breaking changes and regressions
● Kernel support (or lack thereof)
○ The AUFS driver is unstable
○ The AUFS filesystem was finally dropped in kernel version 4
○ OverlayFS development was abandoned within 1 year of its initial release
○ Then comes Overlay2
● Docker Registry can’t clean images
● Docker MUST NOT run any databases in production, EVER
19. Ansible
● Good remote execution tool
○ Requires only SSH and Python 2 on the managed host
● Has tons of modules
○ Avoid writing custom modules (Ansible < 2)
● Pretty configurable
○ YAML
● Remote Execution != Configuration Management
35. Docker → Ansible
● Docker service → Ansible role
○ Role for the base image
■ Pin versions
○ Role for this project's modifications
● Configuration by environment
○ Environment variables in systemd units
● Template config files
● Mind the network
○ Open ports in the firewall
○ Define addresses of the services this one depends on
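The mapping on this slide carried through for one service. This is an added example, not the presenter's role: the role name "coolapp", the package name and version (assumed to come from an internal apt repo), the paths, the port and the variable names are all assumptions. It pins the version (the image tag of the Ansible world), renders the environment into a file read by a systemd unit, opens the firewall only for trusted networks, and points the app at its database by address.

```yaml
# --- roles/coolapp/defaults/main.yml ---
# Flat names on purpose (coolapp_basedir, not coolapp.basedir): a flat
# scalar can be overridden per host without re-declaring the whole dict.
coolapp_version: "1.4.2-1"          # pinned, like an image tag (assumed package)
coolapp_basedir: /opt/coolapp
coolapp_user: coolapp
coolapp_port: 8000
coolapp_db_host: 10.0.1.20          # address of the service coolapp depends on
coolapp_trusted_cidrs:
  - 10.0.1.0/24                     # who may reach coolapp_port
# coolapp_db_password: not here; set in an ansible-vault encrypted host_vars file

# --- roles/coolapp/tasks/main.yml ---
- name: Install coolapp at a pinned version (the "base image" role)
  ansible.builtin.apt:
    name: "coolapp={{ coolapp_version }}"
    state: present
  notify: Restart coolapp

- name: Service account without a login shell
  ansible.builtin.user:
    name: "{{ coolapp_user }}"
    system: true
    shell: /usr/sbin/nologin
    create_home: false

- name: Config directory
  ansible.builtin.file:
    path: /etc/coolapp
    state: directory
    mode: "0755"

- name: Environment file (the "environment:" block of docker-compose.yml)
  ansible.builtin.template:
    src: coolapp.env.j2
    dest: /etc/coolapp/coolapp.env
    owner: root
    group: "{{ coolapp_user }}"
    mode: "0640"                    # secrets readable by root and the service only
  notify: Restart coolapp

- name: systemd unit from template
  ansible.builtin.template:
    src: coolapp.service.j2
    dest: /etc/systemd/system/coolapp.service
    mode: "0644"
  notify: Restart coolapp

- name: Open the app port only for trusted networks
  community.general.ufw:
    rule: allow
    proto: tcp
    port: "{{ coolapp_port }}"
    src: "{{ item }}"
  loop: "{{ coolapp_trusted_cidrs }}"

- name: Enable and start coolapp
  ansible.builtin.systemd:
    name: coolapp
    enabled: true
    state: started
    daemon_reload: true

# --- roles/coolapp/handlers/main.yml ---
- name: Restart coolapp
  ansible.builtin.systemd:
    name: coolapp
    state: restarted
    daemon_reload: true

# --- roles/coolapp/templates/coolapp.env.j2 ---
DATABASE_URL=postgres://{{ coolapp_user }}:{{ coolapp_db_password }}@{{ coolapp_db_host }}:5432/coolapp
LISTEN_PORT={{ coolapp_port }}

# --- roles/coolapp/templates/coolapp.service.j2 ---
[Unit]
Description=coolapp
After=network-online.target

[Service]
User={{ coolapp_user }}
WorkingDirectory={{ coolapp_basedir }}
EnvironmentFile=/etc/coolapp/coolapp.env
ExecStart={{ coolapp_basedir }}/bin/coolapp --port ${LISTEN_PORT}
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths={{ coolapp_basedir }}/data

[Install]
WantedBy=multi-user.target
```

Two things the container gave you for free have to be written down here: the unit's `User=`, `NoNewPrivileges=` and `ProtectSystem=strict` replace the container boundary, and the `ufw` task replaces "the port is only published if I say so". The env file is rendered with mode 0640 because, unlike a Compose `environment:` block, it sits on a multi-user host.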
36. Ansible Notes
● Variables hell
● Don't use nested variables (coolapp.basedir)
○ Hard to override: a per-host override replaces the whole dict
● Roles are fragile
○ Be ready to fix them on the next deploy
○ Ansible Galaxy is mostly useless
● Can you trust 3rd-party roles?
○ Read them carefully
○ Or write your own
● Never change anything on servers manually
○ Modify the roles and apply them
● Ansible roles and playbooks are the best deployment documentation
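Why `coolapp.basedir` is hard to override, shown on constructed variable files (an added example, not from the slides; the host name "web2" and the values are assumptions). Ansible's default `hash_behaviour=replace` means a more specific dict does not merge with a less specific one, it replaces it.

```yaml
# --- group_vars/all.yml --- nested style, constructed example
coolapp:
  basedir: /opt/coolapp
  port: 8000
  user: coolapp

# --- host_vars/web2.yml --- only wants a different basedir
coolapp:
  basedir: /srv/coolapp
# With hash_behaviour=replace (the default) the host's "coolapp" dict wins
# as a whole: on web2, coolapp.port and coolapp.user no longer exist, and the
# first task that uses "{{ coolapp.port }}" fails with
# "'dict object' has no attribute 'port'".

# --- the same with flat variables ---
# group_vars/all.yml
coolapp_basedir: /opt/coolapp
coolapp_port: 8000
coolapp_user: coolapp
# host_vars/web2.yml
coolapp_basedir: /srv/coolapp       # only this key changes; port and user keep
                                    # their group values
```

Switching `hash_behaviour` to `merge` globally is the usual workaround and the one the Ansible docs steer away from; flat names with a common prefix avoid the problem without it.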
37. Docker vs Ansible
Docker:
● Run everything on the developer's machine
● Official images from Hub
● Environment variables (via Docker Compose)
● Config file templates (via Confd)
● docker-compose.yml, Dockerfile
Ansible:
● Run everything on production
● Official packages from repos
● Environment variables (via systemd units)
● Config file templates (via built-in Ansible templates)
● Roles and everything
Anyway you may need Ansible to install Docker/Swarm/Kubernetes ;)