Docker labs - Release

I’ve been working on adding advanced APM, monitoring, and alerting to the Docker stack.

The idea here is that ELK, while great for what it is, still relies on Java, and that requires bulky hardware. A TICK stack is built on Go and thus, other than a memory leak here or there, is quite a bit faster and requires more common, COTS-friendly hardware.

Plus we get integration with more modern alerting systems like Pushover and webhooks, along with a scripting language baked in, instead of Elastic Watcher, which is a paid feature.

Check out the latest release files: https://hastebin.com/amivujizih.rb (base64-encoded tar.gz)

Updated version: https://gist.githubusercontent.com/denzuko/87d3f8ad96299fe226f757268e69657c/raw/8c01d45fd4829ff43abd09400b8ecebc51e4d538/release.tar.gz.b64

Now with autoscaling and auto-updating containers. Everything one needs to run their own cloud.

And don’t forget to add the following to your ~/.profile for advanced development and debugging:

# load any docker node on the fly (ie dockerenv default || dockerenv production)
# define the function first, then export it; declare -fx on an undefined name does nothing
dockerenv() { eval "$(docker-machine env "$1")"; }
declare -fx dockerenv

# visualize the internals of docker containers and images: dockviz images -t || dockviz help
alias dockviz="docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock nate/dockviz"

# in depth dtrace style debugging / administration
alias csysdig="docker run -it -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name sysdig --privileged sysdig/sysdig:latest csysdig"

# Security red team testing of docker host (use clair for container and registry security)
alias dockerscan='docker run --rm --net=host waja/dockerscan'

# Host node security testing:
alias dockersecurity='docker run -it --net host --pid host --userns host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security'

Chronograf has some predefined dashboards and a really great way of creating one’s own:

My Own Predefined Dashboards

Adding CPU TensorFlow to the stack. GPU support requires nvidia-docker.

---
version: "3.4"

services:

  tensorflow:
    image: 'tensorflow/tensorflow:latest'
    networks:
      - public
    deploy:
      restart_policy:
        condition: on-failure
      mode: replicated
      replicas: 1
      labels:
        com.centurylinklabs.watchtower.enable: "true"
        traefik.frontend.rule: "Host:${VIRTUAL_HOST}"
        traefik.frontend.priority: "1"
        traefik.backend: "tensorflow"
        traefik.docker.network: "public"
        traefik.port: "8888"
        traefik.enable: "true"
        traefik.default.protocol: "http"
        orbiter: "true"
        orbiter.up: "3"
        orbiter.down: "1"

networks:

  public:
    external:
      name: public

...
# vim: set sts=2 sw=2 ts=2 et ai:

Deployment

Typical stuff for Docker Swarm:

VIRTUAL_HOST="mycustomdomain.example.com" docker stack deploy -c docker-compose.yml $USERNAME

Adding prebuilt Jupyter notebooks

Dockerfile

# IMAGE=$USERNAME-tensorflow
# docker build -t $IMAGE:$SEMVER .
# docker tag $IMAGE:$SEMVER $IMAGE:latest
# docker push $IMAGE:$SEMVER
# docker push $IMAGE:latest
# sed -i "s/tensorflow\/tensorflow/${IMAGE}/g" docker-compose.yml
FROM tensorflow/tensorflow:latest
# multiple sources require a directory destination, hence the trailing slash
COPY *.ipynb /notebooks/
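The build, tag, push and compose-rewrite steps from the Dockerfile header, as an added shell script (not part of the original post or its release tarball). It assumes USERNAME and SEMVER are exported and that it runs beside the Dockerfile and docker-compose.yml above; only release_image() touches the docker CLI.

```shell
#!/bin/sh
# Release helper for the $USERNAME-tensorflow notebook image (added example).
# Assumes: USERNAME and SEMVER exported by the caller; run in the directory
# holding the Dockerfile and docker-compose.yml shown above.
set -eu

# Accept only MAJOR.MINOR.PATCH, so every push carries a pinned tag and
# ":latest" is never the only reference to the image.
valid_semver() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Rewrite "image: old/repo:tag" lines (stdin -> stdout) to point at a new
# repository. Uses '|' as the sed delimiter because image names contain '/',
# and escapes regex-special characters in the old name.
rewrite_compose_image() {
  old=$1 new=$2
  old_re=$(printf '%s' "$old" | sed 's/[][\.*^$|]/\\&/g')
  sed "s|\(image:[[:space:]]*['\"]*\)$old_re|\1$new|"
}

# Build, tag and push $USERNAME-tensorflow:$SEMVER plus :latest, then point
# docker-compose.yml at it. Same steps as the Dockerfile header, with a working
# "docker tag". Export DOCKER_CONTENT_TRUST=1 beforehand to sign the pushed tags.
release_image() {
  image="${USERNAME:?}-tensorflow"
  valid_semver "${SEMVER:?}" || { echo "SEMVER must be X.Y.Z" >&2; return 1; }
  docker build -t "$image:$SEMVER" .
  docker tag "$image:$SEMVER" "$image:latest"
  docker push "$image:$SEMVER"
  docker push "$image:latest"
  rewrite_compose_image tensorflow/tensorflow "$image" \
    < docker-compose.yml > docker-compose.yml.new
  mv docker-compose.yml.new docker-compose.yml
}

# Constructed compose fragment for a dry run of the rewrite without docker.
SAMPLE_COMPOSE="    image: 'tensorflow/tensorflow:latest'"

if [ "${1:-}" = "--release" ]; then
  release_image
fi
```

Run `./release.sh --release` to perform the real release; without the flag the script only defines the functions, so `rewrite_compose_image` can be exercised on `$SAMPLE_COMPOSE` first.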