Federated Cloud Containers
Overview | For users | For resource providers | Infrastructure status | Site-specific configuration | Architecture |
Single-node containers can be executed at any EGI Federated Cloud site by either:
- (recommended) using a pre-configured image with docker like the EGI Docker image
- installing docker on top of an existing VM (e.g. by following the installation instructions on docker docs)
When using Docker for complex applications with several interrelated containers it is recommended to use some container orchestration platform like Kubernetes or use the Docker Swarm mode.
EGI Docker image
There are two Docker-ready images at the AppDB:
You can start that image as any other image available from AppDB:
- Go to the EGI Docker image entry in AppDB
- Check the IDs of the OCCI templates and endpoints to run the image for your VO at the selected site
- Use a ssh-key when creating the VM (check FAQ for more info)
- (Optional) Some sites may require the allocation of a public IP before you can log in
- Then you can either log in into the VM and use docker from there, or configure your docker client to connect to the remote VM.
Using docker from inside the VM
You can log in with user ubuntu
and your private ssh key:
ssh -i <private key> ubuntu@<your VM ip>
Verify if docker is installed correctly. This command downloads a test image and runs it in a container.
ubuntu@fedcloud_vm:~$ sudo docker run hello-world Unable to find image 'hello-world:latest' locally latest: Pulling from library/hello-world b901d36b6f2f: Pull complete 0a6ba66e537a: Pull complete Digest: sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7 Status: Downloaded newer image for hello-world:latest Hello from Docker. This message shows that your installation appears to be working correctly. To generate this message, Docker took the following steps: 1. The Docker client contacted the Docker daemon. 2. The Docker daemon pulled the "hello-world" image from the Docker Hub. 3. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading. 4. The Docker daemon streamed that output to the Docker client, which sent it to your terminal. To try something more ambitious, you can run an Ubuntu container with: $ docker run -it ubuntu bash Share images, automate workflows, and more with a free Docker Hub account: https://hub.docker.com For more examples and ideas, visit: https://docs.docker.com/userguide/
Start using docker:
ubuntu@fedcloud_vm:~$ sudo docker run busybox echo "hello" Unable to find image 'busybox:latest' locally latest: Pulling from library/busybox c00ef186408b: Pull complete ac6a7980c6c2: Pull complete Digest: sha256:e4f93f6ed15a0cdd342f5aae387886fba0ab98af0a102da6276eaf24d6e6ade0 Status: Downloaded newer image for busybox:latest hello
Connect remotely to the VM
Alternatively, you can use docker-machine
to easily configure your VM to run docker commands from your computer. Use the following command to do so:
docker-machine create --driver generic --generic-ip-address <ip of your VM> \ --generic-ssh-user ubuntu \ --generic-ssh-key <your public ssh key> \ <a name for the VM>
then configure your shell to connect to that VM:
eval "$(docker-machine env <name of the VM>)"
and start using docker:
$ docker run docker/whalesay cowsay boo Unable to find image 'docker/whalesay:latest' locally latest: Pulling from docker/whalesay 2880a3395ede: Pull complete 515565c29c94: Pull complete 98b15185dba7: Pull complete 2ce633e3e9c9: Pull complete 35217eff2e30: Pull complete 326bddfde6c0: Pull complete 3a2e7fe79da7: Pull complete 517de05c9075: Pull complete 8f17e9411cf6: Pull complete ded5e192a685: Pull complete Digest: sha256:178598e51a26abbc958b8a2e48825c90bc22e641de3d31e18aaf55f3258ba93b Status: Downloaded newer image for docker/whalesay:latest _____ < boo > ----- \ \ \ ## . ## ## ## == ## ## ## ## === /""""""""""""""""___/ === ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~ \______ o __/ \ \ __/ \____\______/
Container Orchestration
You can run several docker clusters management tools on the EGI FedCloud, each tool has its own specifics, but there are plenty of tools to aid in their setup. Here we cover how to configure Docker Swarm and Kubernetes by leveraging Ansible configuration management and Infrastructure Manager (IM) IaaS orchestrator
IM
For using IM, you will need to follow these steps first:
- create an account on the IM server.
- Install the im client with pip (it is recommended you do this in a
virtualenv
):
pip install IM-client
- Create a authorization file, with the endpoints of the sites you plan to use, for example:
cat > ~/.im_auth << EOF id = im; type = InfrastructureManager; username = <youruser name>; password = <your password> id = occi_bari; type = OCCI; proxy = file(/tmp/x509up_u1000); host = http://cloud.recas.ba.infn.it:8787/occi/ id = occi_cesnet; type = OCCI; proxy = file(/tmp/x509up_u1000); host = https://carach5.ics.muni.cz:11443/ EOF
The endpoints of the services can be obtained with Federated_Cloud_APIs_and_SDKs#Discovery_of_resources discovery tools of FedCloud
Docker Swarm
Swarm mode is native Docker clustering technology. Since release 1.12 it is included with the Docker Engine and its configuration is greatly simplified.
Create the RADL description of your deployment
IM uses a [RADL file] that describes your infrastructure. You can use the following as a base to create your own deployment:
IN PREPARATION
AA
Accessing the EGI Federated Cloud from a Docker container
EGI maintains a docker image with OCCI and VOMS clients ready-to-use to access the EGI Federated Cloud. If you have a working docker installation you can get it with the following command:
docker pull egifedcloud/fedcloud-userinterface
The image is based on ubuntu and has on top of it an installation of the latest versions of rOCCI-cli (as available in rOCCI-cli AppDB entry) and VOMS clients (as available in UMD). You can run the commands easily with docker:
docker run -it egifedcloud/fedcloud-userinterface occi [args]
or
docker run -it egifedcloud/fedcloud-userinterface voms-proxy-init [args]
To ease the usage of the docker client, you can get the git repository https://github.com/enolfc/fedcloud-userinterface where you can find one helper script: occi. This script will check if you have a valid proxy and create one for you if not found (expects to find certificates under ~/.globus
, check installation of certificate files for more information on certificates) and then runs the occi command against a endpoint defined in environment variable OCCI_ENDPOINT
with any options passed, e.g.:
OCCI_ENDPOINT=http://server4-epsh.unizar.es:8787 ./occi --action list --resource compute
will execute action list on resource compute for endpoint http://server4-epsh.unizar.es:8787.
Current directory will be mounted as a volume in /data
will be mounted at the container when using this script. For example, to use a context.sh
file as user_data:
./occi -a create -r compute -T user_data="file:///data/context.sh" [...]
Using Windows
In order to use the script on Windows follow this instructions (from the docker terminal):
- Follow the instructions below taking into account that in order to perform step 2 (copying the certificates to the machine) you can access your Windows home folder at
/c/Users/<user name>/
. For example of you have yourYourCert.p12
file at your Desktop, you can use the following command (user name here isenol
):cp /c/Users/enol/Desktop/YourCert.p12 .
, all the other steps remain the same. - Clone the git repository:
git clone https://github.com/enolfc/fedcloud-userinterface.git
- cd into the git repo and start using the commands:
cd fedcloud-userinterface OCCI_ENDPOINT=http://server4-epsh.unizar.es:8787 sh ./occi --action list --resource compute