Federated Cloud Containers

From EGIWiki
Jump to: navigation, search
Overview For users For resource providers Infrastructure status Site-specific configuration Architecture

The EGI Container Compute service is implemented as Docker Container support in the EGI Cloud service. You need to get access to the EGI Cloud Compute service to run Docker containers. --> Getting access to the EGI Cloud Compute

This support is twofold:

  1. Single-node containers can be executed at any EGI Cloud site by either:
    1. (recommended) using a pre-configured image with docker like the EGI Docker image
    2. installing docker on top of an existing VM (e.g. by following the installation instructions on docker docs)
  2. When using Docker for complex applications with several interrelated containers it is recommended to use some container orchestration platform like Kubernetes or use the Docker Swarm mode.

EGI Docker image

There are two Docker-ready images at the AppDB:

You can start that image as any other image available from AppDB:

  1. Go to the EGI Docker image entry in AppDB
  2. Check the IDs of the OCCI templates and endpoints to run the image for your VO at the selected site
  3. Use a ssh-key when creating the VM (check FAQ for more info)
  4. (Optional) Some sites may require the allocation of a public IP before you can log in
  5. Then you can either log in into the VM and use docker from there, or configure your docker client to connect to the remote VM.

Using docker from inside the VM

You can log in with user ubuntu and your private ssh key:

ssh -i <private key> ubuntu@<your VM ip>

Verify if docker is installed correctly. This command downloads a test image and runs it in a container.

ubuntu@fedcloud_vm:~$ sudo docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b901d36b6f2f: Pull complete
0a6ba66e537a: Pull complete
Digest: sha256:8be990ef2aeb16dbcb9271ddfe2610fa6658d13f6dfb8bc72074cc1ca36966a7
Status: Downloaded newer image for hello-world:latest
Hello from Docker.
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
 2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
 3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
 4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
 $ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker Hub account:
For more examples and ideas, visit:

Start using docker:

ubuntu@fedcloud_vm:~$ sudo docker run busybox echo "hello"
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
c00ef186408b: Pull complete
ac6a7980c6c2: Pull complete
Digest: sha256:e4f93f6ed15a0cdd342f5aae387886fba0ab98af0a102da6276eaf24d6e6ade0
Status: Downloaded newer image for busybox:latest

Connect remotely to the VM

Alternatively, you can use docker-machine to easily configure your VM to run docker commands from your computer. Use the following command to do so:

docker-machine  create --driver generic --generic-ip-address <ip of your VM> \
                                        --generic-ssh-user ubuntu  \
                                        --generic-ssh-key <your public ssh key> \
                                        <a name for the VM>

then configure your shell to connect to that VM:

eval "$(docker-machine env <name of the VM>)"

and start using docker:

$ docker run docker/whalesay cowsay boo
Unable to find image 'docker/whalesay:latest' locally
latest: Pulling from docker/whalesay
2880a3395ede: Pull complete
515565c29c94: Pull complete
98b15185dba7: Pull complete
2ce633e3e9c9: Pull complete
35217eff2e30: Pull complete
326bddfde6c0: Pull complete
3a2e7fe79da7: Pull complete
517de05c9075: Pull complete
8f17e9411cf6: Pull complete
ded5e192a685: Pull complete
Digest: sha256:178598e51a26abbc958b8a2e48825c90bc22e641de3d31e18aaf55f3258ba93b
Status: Downloaded newer image for docker/whalesay:latest
< boo >
                    ##        .
              ## ## ##       ==
           ## ## ## ##      ===
       /""""""""""""""""___/ ===
  ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
       \______ o          __/
        \    \        __/

Container Orchestration

You can run several docker clusters management tools on the EGI FedCloud, each tool has its own specifics, but there are plenty of tools to aid in their setup. Here we cover how to configure Docker Swarm and Kubernetes by using Ansible configuration management.

Create your infrastructure

First of al you will need some VMs where the cluster will be created. You can create the VMs either manually or by using some kind of IaaS orchestrator. There are several to choose from, more information is avaiable at Federated_Cloud_IaaS_Orchestration

Configure your cluster


You will need Ansible in your machine. Installation with pip is simple (it is recommended you do this in a virtualenv):

pip install ansible


Kubernetes includes an Ansible playbook and roles in Kubernetes Ansible. For details check the documentation at github. You will need to:

  • ansible 1.9+ and python-netaddr available at your machine
  • Collect the IP addresses/hostname of the machines that will be part of the cluster: one of them will be the master, one the etcd server (same as master is ok) and then others will be nodes (master can also be a node)

To get started, clone the kubernetes/contrib git repo and cd into the ansible directory:

$ git clone https://github.com/kubernetes/contrib.git
$ cd contrib/ansible

Then create the inventory file at inventory/inventory with your hosts, for example:

[masters] ansible_connection=ssh ansible_user=fedora

[nodes] ansible_connection=ssh ansible_user=fedora ansible_connection=ssh ansible_user=fedora ansible_connection=ssh ansible_user=fedora

[etcd] ansible_connection=ssh ansible_user=fedora

In that file we are setting as master, node and etc. and will act as nodes.

Now cd into scripts and execute deploy-cluster.sh

$ cd scripts
$ ./deploy-cluster.sh

It will start deploying the Kubernetes cluster that you can access by sshing into the master node.

$ ssh fedora@ "kubctl get nodes"

Docker Swarm

Swarm mode is native Docker clustering technology. Since release 1.12 it is included with the Docker Engine and its configuration is greatly simplified and just requires the execution of one command at each member of the cluster, bu you can still use ansible to install and configure the nodes in an automated way.

First, get the role atosatto.docker-swarm from ansible galaxy, you can do it with (in this example using ~/.ansible/roles/ for storing the downloaded roles):

$ export ANSIBLE_ROLES_PATH=~/.ansible/roles/
$ ansible-galaxy install atosatto.docker-swarm

Then, create your inventory with the nodes you want to become part of the cluster

swarm-1 ansible_ssh_host= ansible_user=ubuntu ansible_become=true
swarm-2 ansible_ssh_host= ansible_user=ubuntu ansible_become=true
swarm-3 ansible_ssh_host= ansible_user=ubuntu ansible_become=true




And create the playbook:

- hosts: all
  gather_facts: False
  - name: install python 2
    raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)

- name: "Provision Docker Swarm Cluster"
  hosts: all
    - { role: atosatto.docker-swarm }

Finally, run ansible to configure the nodes

$ ansible-playbook -i inventory playbook.yml

You can now manage your Swarm from the master node:

$ ssh ubuntu@ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.13.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 0
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: active
 NodeID: 4gzjx8vnrrp6udwag1hiet6hs
 Is Manager: true
 ClusterID: stj0xhd5f88p5f9ddompjj3tg
 Managers: 1
 Nodes: 3
  Task History Retention Limit: 5
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address:
 Manager Addresses:
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 2f7393a47307a16f8cee44a37b262e8b81021e3e
init version: 949e6fa
Security Options:
  Profile: default
Kernel Version: 4.4.0-59-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.899 GiB
Name: swarm-1
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
WARNING: No swap limit support
Live Restore Enabled: false

Accessing the EGI Federated Cloud from a Docker container

EGI maintains a docker image with OCCI and VOMS clients ready-to-use to access the EGI Federated Cloud. If you have a working docker installation you can get it with the following command:

docker pull egifedcloud/fedcloud-userinterface

The image is based on ubuntu and has on top of it an installation of the latest versions of rOCCI-cli (as available in rOCCI-cli AppDB entry) and VOMS clients (as available in UMD). You can run the commands easily with docker:

docker run -it egifedcloud/fedcloud-userinterface occi [args]


docker run -it egifedcloud/fedcloud-userinterface voms-proxy-init [args]

To ease the usage of the docker client, you can get the git repository https://github.com/enolfc/fedcloud-userinterface where you can find one helper script: occi. This script will check if you have a valid proxy and create one for you if not found (expects to find certificates under ~/.globus, check installation of certificate files for more information on certificates) and then runs the occi command against a endpoint defined in environment variable OCCI_ENDPOINT with any options passed, e.g.:

OCCI_ENDPOINT=http://server4-epsh.unizar.es:8787 ./occi --action list --resource compute

will execute action list on resource compute for endpoint http://server4-epsh.unizar.es:8787.

Current directory will be mounted as a volume in /data will be mounted at the container when using this script. For example, to use a context.sh file as user_data:

./occi -a create -r compute -T user_data="file:///data/context.sh"  [...]

Using Windows

In order to use the script on Windows follow this instructions (from the docker terminal):

  1. Follow the instructions below taking into account that in order to perform step 2 (copying the certificates to the machine) you can access your Windows home folder at /c/Users/<user name>/. For example of you have your YourCert.p12 file at your Desktop, you can use the following command (user name here is enol): cp /c/Users/enol/Desktop/YourCert.p12 ., all the other steps remain the same.
  2. Clone the git repository: git clone https://github.com/enolfc/fedcloud-userinterface.git
  3. cd into the git repo and start using the commands:
cd fedcloud-userinterface
OCCI_ENDPOINT=http://server4-epsh.unizar.es:8787 sh ./occi --action list --resource compute