stateless processes
9More
The Twelve-Factor App - 0 views
-
-
a production deploy of a sophisticated app may use many process types, instantiated into zero or more running processes.
-
Twelve-factor processes are stateless and share-nothing.
- ...6 more annotations...
-
Any data that needs to persist must be stored in a stateful backing service, typically a database.
-
The memory space or filesystem of the process can be used as a brief, single-transaction cache.
-
wipe out all local (e.g., memory and filesystem) state
-
compiling during the build stage
-
“sticky sessions” – that is, caching user session data in memory of the app’s process and expecting future requests from the same visitor to be routed to the same process.
-
Sticky sessions are a violation of twelve-factor and should never be used or relied upon
10More
The Twelve-Factor App - 1 views
-
separate build and run
-
The build stage is a transform which converts a code repo into an executable bundle known as a build.
-
the build stage fetches vendors dependencies and compiles binaries and assets.
- ...7 more annotations...
-
The release stage takes the build produced by the build stage and combines it with the deploy’s current config.
-
is ready for immediate execution in the execution environment.
-
The run stage (also known as “runtime”) runs the app in the execution environment
-
strict separation between the build, release, and run stages.
-
the Capistrano deployment tool stores releases in a subdirectory named releases, where the current release is a symlink to the current release directory.
-
Every release should always have a unique release ID
-
Releases are an append-only ledger and a release cannot be mutated once it is created.
5More
The Twelve-Factor App - 0 views
-
A backing service is any service the app consumes over the network as part of its normal operation.
-
A deploy of the twelve-factor app should be able to swap out a local MySQL database with one managed by a third party (such as Amazon RDS) without any changes to the app’s code.
-
only the resource handle in the config needs to change
- ...2 more annotations...
-
Each distinct backing service is a resource.
-
Resources can be attached to and detached from deploys at will.
西南航空:讓員工熱愛公司的瘋狂處方-凱文.傅萊伯、賈姬.傅萊伯 - 三民網路書店 - 1 views
19More
Baseimage-docker: A minimal Ubuntu base image modified for Docker-friendliness - 0 views
-
We encourage you to use multiple processes.
-
Baseimage-docker is a special Docker image that is configured for correct use within Docker containers.
-
A proper Unix system should run all kinds of important system services.
- ...16 more annotations...
-
You're not running them, you're only running your app.
-
You have Ubuntu installed in Docker. The files are there. But that doesn't mean Ubuntu's running as it should.
-
The only processes that will be running inside the container is the CMD command, and all processes that it spawns.
-
When your Docker container starts, only the CMD command is run.
-
Ubuntu is not designed to be run inside Docker
-
When a system is started, the first process in the system is called the init process, with PID 1. The system halts when this processs halts.
-
If your init process is your app, then it'll probably only shut down itself, not all the other processes in the container.
-
Docker runs fine with multiple processes in a container.
-
Baseimage-docker encourages you to run multiple processes through the use of runit.
-
Runit (written in C) is much lighter weight than supervisord (written in Python).
-
a Docker container, which is a locked down environment with e.g. no direct access to many kernel resources.
-
Used for service supervision and management.
-
A custom tool for running a command as another user.
-
add additional daemons (e.g. your own app) to the image by creating runit entries.
-
write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
-
the shell script must run the daemon without letting it daemonize/fork it.
Kubernetes 101: Pods, Nodes, Containers, and Clusters - 0 views
15More
Configuration - docker-sync 0.5.10 documentation - 0 views
-
Be sure to use a sync-name which is unique, since it will be a container name.
-
-
-
split your docker-compose configuration for production and development (as usual)
- ...9 more annotations...
-
production stack (docker-compose.yml) does not need any changes and would look like this (and is portable, no docker-sync adjustments).
-
docker-compose-dev.yml ( it needs to be called that way, look like this ) will override
-
開發版的 docker-compose-dev.yml 僅會覆寫 production docker-compose.yml 的 volumes 設定,也就接上 docker-sync.yml 的 volumes,其它都維持不變
-
-
nocopy # nocopy is important
-
nocopy # nocopy is important
-
docker-compose -f docker-compose.yml -f docker-compose-dev.yml up
-
add the external volume and the mount here
-
In case the folder we mount to has been declared as a VOLUME during image build, its content will be merged with the name volume we mount from the host
-
如果在 Dockerfile 裡面有宣告一個 volume,那麼在 docker build 的時候這個 volume mount point 會被記錄起來,在 container 跑起來的時候,會將 host (server) 上的同名的 volume 內容合併進來 (取代)。也就是說 container 跑起來的時候,會去接上已經存在的既有的 host (server) 上的 volume。
-
-
enforce the content from our host on the initial wiring
-
set your environment variables by creating a .env file at the root of your project
61More
phusion/baseimage-docker - 1 views
-
-
原始的 docker 在執行命令時,預設就是將傳入的 COMMAND 當成 PID 1 的程序,執行完畢就結束這個 docker,其他的 daemons 並不會執行,而 baseimage 解決了這個問題。
-
-
-
docker exec
-
Through SSH
- ...57 more annotations...
-
docker exec -t -i YOUR-CONTAINER-ID bash -l
-
Login to the container
-
Baseimage-docker only advocates running multiple OS processes inside a single container.
-
Password and challenge-response authentication are disabled by default. Only key authentication is allowed.
-
A tool for running a command as another user
-
The Docker developers advocate the philosophy of running a single logical service per container. A logical service can consist of multiple OS processes.
-
All syslog messages are forwarded to "docker logs".
-
Splitting your logical service into multiple OS processes also makes sense from a security standpoint.
-
Baseimage-docker provides tools to encourage running processes as different users
-
sometimes it makes sense to run multiple services in a single container, and sometimes it doesn't.
-
Baseimage-docker advocates running multiple OS processes inside a single container, and a single logical service can consist of multiple OS processes.
-
using environment variables to pass parameters to containers is very much the "Docker way"
-
add additional daemons (e.g. your own app) to the image by creating runit entries.
-
the shell script must run the daemon without letting it daemonize/fork it.
-
All executable scripts in /etc/my_init.d, if this directory exists. The scripts are run in lexicographic order.
-
variables will also be passed to all child processes
-
Environment variables on Unix are inherited on a per-process basis
-
there is no good central place for defining environment variables for all applications and services
-
centrally defining environment variables
-
One of the ideas behind Docker is that containers should be stateless, easily restartable, and behave like a black box.
-
a one-shot command in a new container
-
immediately exit after the command exits,
-
However the downside of this approach is that the init system is not started. That is, while invoking COMMAND, important daemons such as cron and syslog are not running. Also, orphaned child processes are not properly reaped, because COMMAND is PID 1.
-
Baseimage-docker provides a facility to run a single one-shot command, while solving all of the aforementioned problems
-
Nginx is one such example: it removes all environment variables unless you explicitly instruct it to retain them through the env configuration option.
-
Mechanisms for easily running multiple processes, without violating the Docker philosophy
-
Ubuntu is not designed to be run inside Docker
-
According to the Unix process model, the init process -- PID 1 -- inherits all orphaned child processes and must reap them
-
Syslog-ng seems to be much more stable
-
cron daemon
-
Rotates and compresses logs
-
/sbin/setuser
-
A tool for installing apt packages that automatically cleans up after itself.
-
a single logical service inside a single container
-
A daemon is a program which runs in the background of its system, such as a web server.
-
The shell script must be called run, must be executable, and is to be placed in the directory /etc/service/<NAME>. runsv will switch to the directory and invoke ./run after your container starts.
-
If any script exits with a non-zero exit code, the booting will fail.
-
If your process is started with a shell script, make sure you exec the actual process, otherwise the shell will receive the signal and not your process.
-
any environment variables set with docker run --env or with the ENV command in the Dockerfile, will be picked up by my_init
-
not possible for a child process to change the environment variables of other processes
-
they will not see the environment variables that were originally passed by Docker.
-
We ignore HOME, SHELL, USER and a bunch of other environment variables on purpose, because not ignoring them will break multi-user containers.
-
my_init imports environment variables from the directory /etc/container_environment
-
/etc/container_environment.sh - a dump of the environment variables in Bash format.
-
modify the environment variables in my_init (and therefore the environment variables in all child processes that are spawned after that point in time), by altering the files in /etc/container_environment
-
my_init only activates changes in /etc/container_environment when running startup scripts
-
environment variables don't contain sensitive data, then you can also relax the permissions
-
Syslog messages are forwarded to the console
-
syslog-ng is started separately before the runit supervisor process, and shutdown after runit exits.
-
RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
-
/sbin/my_init --skip-startup-files --quiet --
-
By default, no keys are installed, so nobody can login
-
provide a pregenerated, insecure key (PuTTY format)
-
RUN /usr/sbin/enable_insecure_key
-
docker run YOUR_IMAGE /sbin/my_init --enable-insecure-key
-
RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
-
The default baseimage-docker installs syslog-ng, cron and sshd services during the build process
23More
你到底知不知道什麼是 Kubernetes? | Hwchiu Learning Note - 0 views
-
Storage(儲存) 實際上一直都不是一個簡單處理的問題,從軟體面來看實際上牽扯到非常多的層級,譬如 Linux Kernel, FileSystem, Block/File-Level, Cache, Snapshot, Object Storage 等各式各樣的議題可以討論。
-
DRBD
-
異地備援,容錯機制,快照,重複資料刪除等超多相關的議題基本上從來沒有一個完美的解法能夠滿足所有使用情境。
- ...20 more annotations...
-
管理者可能會直接在 NFS Server 上進行 MDADM 來設定相關的 Block Device 並且基於上面提供 Export 供 NFS 使用,甚至底層套用不同的檔案系統 (EXT4/BTF4) 來獲取不同的功能與效能。
-
Kubernetes 就只是 NFS Client 的角色
-
CSI(Container Storage Interface)。CSI 本身作為 Kubernetes 與 Storage Solution 的中介層。
-
基本上 Pod 裡面每個 Container 會使用 Volume 這個物件來代表容器內的掛載點,而在外部實際上會透過 PVC 以及 PV 的方式來描述這個 Volume 背後的儲存方案伺服器的資訊。
-
整體會透過 CSI 的元件們與最外面實際上的儲存設備連接,所有儲存相關的功能是否有實現,有支援全部都要仰賴最後面的實際提供者, kubernetes 只透過 CSI 的標準去執行。
-
在網路部分也有與之對應的 CNI(Container Network Interface). kubernetes 透過 CNI 這個介面來與後方的 網路解決方案 溝通
-
CNI 最基本的要求就是在在對應的階段為對應的容器提供網路能力
-
目前最常見也是 IPv4 + TCP/UDP 的傳輸方式,因此才會看到大部分的 CNI 都在講這些。
-
希望所有容器彼此之間可以透過 IPv4 來互相存取彼此,不論是同節點或是跨節點的容器們都要可以滿足這個需求。
-
容器間到底怎麼傳輸的,需不需要封裝,透過什麼網卡,要不要透過 NAT 處理? 這一切都是 CNI 介面背後的實現
-
外部網路存取容器服務 (Service/Ingress)
-
kubernetes 在 Service/Ingress 中間自行實現了一個模組,大抵上稱為 kube-proxy, 其底層可以使用 iptables, IPVS, user-space software 等不同的實現方法,這部分是跟 CNI 完全無關。
-
CNI 跟 Service/Ingress 是會衝突的,也有可能彼此沒有配合,這中間沒有絕對的穩定整合。
-
CNI 一般會處理的部份,包含了容器內的 網卡數量,網卡名稱,網卡IP, 以及容器與外部節點的連接能力等
-
CRI (Container Runtime Interface) 或是 Device Plugin
-
對於 kubernetes 來說,其實本身並不在意到底底下的容器化技術實際上是怎麼實現的,你要用 Docker, rkt, CRI-O 都無所謂,甚至背後是一個偽裝成 Container 的 Virtaul Machine virtlet 都可以。
-
去思考到底為什麼自己本身的服務需要容器化,容器化可以帶來什麼優點
-
太多太多的人都認為只要寫一個 Dockerfile 將原先的應用程式們全部包裝起來放在一起就是一個很好的容器 來使用了。
-
最後就會發現根本把 Container 當作 Virtual Machine 來使用,然後再補一句 Contaienr 根本不好用啊
-
容器化 不是把直接 Virtual Machine 的使用習慣換個環境使用就叫做 容器化,而是要從概念上去暸解與使用
3More
How To Benchmark HTTP Latency with wrk on Ubuntu 14.04 | DigitalOcean - 0 views
-
wrk, which measures the latency of your HTTP services at high loads.
-
Latency refers to the time interval between the moment the request was made (by wrk) and the moment the response was received (from the service).
-
Tests can't be compared to real users, but they should give you a good estimate of expected latency
11More
The Twelve-Factor App - 0 views
-
An app’s config is everything that is likely to vary between deploys (staging, production, developer environments, etc)
-
Resource handles
-
Credentials
- ...8 more annotations...
-
Per-deploy values
-
trict separation of config from code.
-
Config varies substantially across deploys, code does not.
-
he codebase could be made open source at any moment, without compromising any credentials.
-
“config” does not include internal application config
-
stores config in environment variables (often shortened to env vars or env).
-
env vars are granular controls, each fully orthogonal to other env vars
-
They are never grouped together as “environments”
11More
The Twelve-Factor App - 0 views
-
Libraries installed through a packaging system can be installed system-wide (known as “site packages”) or scoped into the directory containing the app (known as “vendoring” or “bundling”).
-
A twelve-factor app never relies on implicit existence of system-wide packages.
-
declares all dependencies, completely and exactly, via a dependency declaration manifest.
- ...8 more annotations...
-
The full and explicit dependency specification is applied uniformly to both production and development.
-
Bundler for Ruby offers the Gemfile manifest format for dependency declaration and bundle exec for dependency isolation.
-
Pip is used for declaration and Virtualenv for isolation.
-
No matter what the toolchain, dependency declaration and isolation must always be used together
-
requiring only the language runtime and dependency manager installed as prerequisites.
-
set up everything needed to run the app’s code with a deterministic build command.
-
If the app needs to shell out to a system tool, that tool should be vendored into the app.
-
do not rely on the implicit existence of any system tools
1More
Two Generals' Problem - Wikipedia - 0 views
-
"In computing, the Two Generals Problem is a thought experiment meant to illustrate the pitfalls and design challenges of attempting to coordinate an action by communicating over an unreliable link. In the experiment, two generals are only able to communicate with one another by sending a messenger through enemy territory. The experiment asks how they might reach an agreement on the time to launch an attack, while knowing that any messenger they send could be captured."
1More
二階段提交 - 維基百科,自由的百科全書 - 0 views
-
"二階段提交(英語:Two-phase Commit)是指在計算機網絡以及資料庫領域內,為了使基於分布式系統架構下的所有節點在進行事務提交時保持一致性而設計的一種演算法。通常,二階段提交也被稱為是一種協議(Protocol)。在分布式系統中,每個節點雖然可以知曉自己的操作時成功或者失敗,卻無法知道其他節點的操作的成功或失敗。當一個事務跨越多個節點時,為了保持事務的ACID特性,需要引入一個作為協調者的組件來統一掌控所有節點(稱作參與者)的操作結果並最終指示這些節點是否要把操作結果進行真正的提交(比如將更新後的數據寫入磁碟等等)。因此,二階段提交的算法思路可以概括為: 參與者將操作成敗通知協調者,再由協調者根據所有參與者的反饋情報決定各參與者是否要提交操作還是中止操作。 需要注意的是,二階段提交(英語:2PC)不應該與並發控制中的二階段鎖(英語:2PL)混淆。"
13More
SSL Certificate Features - 0 views
-
A certificate authority issues certificates in the form of a tree structure.
-
All certificates below the root certificate inherit the trustworthiness of the root certificate.
-
Any certificate signed by a trusted root certificate will also be trusted.
- ...9 more annotations...
-
the browser has all of the certificates in the chain to link it up to a trusted root certificate.
-
Any certificate in between your certificate and the root certificate is called a chain or intermediate certificate.
-
These must be installed to the web server with the primary certificate for your web site so that user's browers can link your certificate to a trusted authority.
-
Chain Certificate
-
Intermediate Certificate
-
Root Certificate
-
EV (Extended Validation) certificate
-
wildcard certificate
-
domain-validated certificate
12More
Public Key Infrastructure (PKI) Overview - 0 views
-
A PKI allows you to bind public keys (contained in SSL certificates) with a person in a way that allows you to trust the certificate.
-
Public Key Infrastructures, like the one used to secure the Internet, most commonly use a Certificate Authority (also called a Registration Authority) to verify the identity of an entity and create unforgeable certificates.
-
An SSL Certificate Authority (also called a trusted third party or CA) is an organization that issues digital certificates to organizations or individuals after verifying their identity.
- ...9 more annotations...
-
An SSL Certificate provides assurances that we are talking to the right server, but the assurances are limited.
-
In PKI, trust simply means that a certificate can be validated by a CA that is in our trust store.
-
An SSL Certificate in a PKI is a digital document containing a public key, entity information, and a digital signature from the certificate issuer.
-
it is much more practical and secure to establish a chain of trust to the Root certificate by signing an Intermediate certificate
-
A trust store is a collection of Root certificates that are trusted by default.
-
there are four primary trust stores that are relied upon for the majority of software: Apple, Microsoft, Chrome, and Mozilla.
-
a revocation system that allows a certificate to be listed as invalid if it was improperly issued or if the private key has been compromised.
-
Online Certificate Status Protocol (OCSP)
-
Certificate Revocation List (CRL)
9More
What is a CSR (Certificate Signing Request)? - 0 views
-
usually generated on the server where the certificate will be installed and contains information that will be included in the certificate such as the organization name, common name (domain name), locality, and country.
-
A private key is usually created at the same time that you create the CSR, making a key pair.
-
CSR or Certificate Signing request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate
- ...6 more annotations...
-
A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key.
-
The certificate created with a particular CSR will only work with the private key that was generated with it.
-
Most CSRs are created in the Base-64 encoded PEM format.
-
generate a CSR and private key on the server that the certificate will be used on.
-
openssl req -in server.csr -noout -text
-
The bit-length of a CSR and private key pair determine how easily the key can be cracked using brute force methods.
11More
HTTPS 升级指南 - 阮一峰的网络日志 - 0 views
-
域名认证(Domain Validation):最低级别认证,可以确认申请人拥有这个域名。
-
公司认证(Company Validation):确认域名所有人是哪一家公司,证书里面会包含公司信息。
-
扩展认证(Extended Validation):最高级别的认证,浏览器地址栏会显示公司名。
- ...8 more annotations...
-
多域名
-
单域名
-
通配符
-
网站的响应头里面,加入一个强制性声明
-
Strict-Transport-Security: max-age=31536000; includeSubDomains
-
确保浏览器只在使用 HTTPS 时,才发送Cookie。
-
Set-Cookie:
-
; Secure
View AllMost Active Members
View AllTop 10 Tags
- 151system
- 133programming
- 102docker
- 101rails
- 89development
- 83devops
- 81kubernetes
- 80javascript
- 77database
- 71ruby
- 68linux
- 64web
- 61server
- 58networking
- 52security
- 49python
- 42mysql
- 42php
- 40framework
- 35performance