Peter Sellars’ Personal Bliki

Managing Docker With Puppet

published in configuration management, docker, puppet

I have been using Puppet for a number of years now and it is the configuration management tool I feel most comfortable using. Recently I have been investigating how to utilise Docker during development and in Continuous Delivery pipelines.

Puppet offers a couple of ways to manage Docker itself and Docker Containers. PuppetLabs recently produced a webinar, Puppet & Docker: Using Containers with Configuration Management, featuring James Turnbull (Docker) and David Lutterkort (PuppetLabs).

The webinar had the following agenda:

  • Overview of Docker Containers
  • Puppetizing Docker Hosts
  • Authoring Docker Images with Puppet
    • without a master (puppet apply)
    • with a master (puppet agent)
  • Running Puppet within Containers

The overview of Docker Containers was provided by James Turnbull who outlined the difference between virtual machines and Docker virtualization. He emphasised the speed and performance benefits of Docker Containers vs virtual machines, the ease of use Docker provides compared to other container implementations and the view that Docker has a vital role to play in the developer workflow.

much more than a provisioning story…

James Turnbull - Docker and the Developer Workflow

James also outlined the difference between mutable and immutable infrastructure and how Docker is well suited to mutable infrastructure. Docker has lightweight images compared to the traditional Golden Image and therefore the team had rehabilitated the image model. He also stressed the suitability of Docker for ephemeral instances, whilst configuration management is more suited for longer lived instances.

David Lutterkort then provided the Puppetizing Docker Hosts section. He recommended the use of Gareth Rushgrove’s Docker module. This module enables the installation of Docker, management of Docker Containers and the ability to run Docker Containers with Puppet.

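class { 'docker':
  # The TCP address is left incomplete here; bind only to loopback or a TLS-protected
  # interface, because access to the Docker API is root-equivalent on the host.
  tcp_bind    => 'tcp://',
  socket_bind => 'unix:///var/run/docker.sock',
}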

When authoring Docker Images with Puppet there are two options:

  1. Without a master (puppet apply)
  2. With a master (puppet agent)

Without a master, puppet apply is run from the Dockerfile while the image is being built. This has the disadvantage of requiring a clean-up of the image to remove excess baggage once the configuration has been carried out. It also has some security implications.
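
The masterless option as an added example (not code from the webinar or from this post): Puppet is installed, applied and removed inside one build instruction so that neither the tooling nor the manifests persist in an image layer. The base image, the puppet/ directory layout and the site.pp manifest name are assumptions, and the bind mount requires a BuildKit-enabled build.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Base image, directory layout and manifest name
# (puppet/manifests/site.pp, puppet/modules) are assumptions.
FROM ubuntu:22.04

# The bind mount exposes ./puppet to this one RUN instruction only, so the
# manifests and modules never land in an image layer. A COPY followed by a
# later "rm" would leave them recoverable from the COPY layer.
# Install, apply and clean-up share a single instruction for the same reason:
# files deleted by a later instruction still exist in the earlier layer.
#
# puppet apply --detailed-exitcodes returns 0 (no changes) or 2 (changes
# applied) on success and 1, 4 or 6 on failure, so the build must accept
# 0 and 2 and fail on anything else.
RUN --mount=type=bind,source=puppet,target=/tmp/puppet \
    set -eu; \
    export DEBIAN_FRONTEND=noninteractive; \
    apt-get update; \
    apt-get install -y puppet; \
    rc=0; \
    puppet apply --detailed-exitcodes \
        --modulepath=/tmp/puppet/modules \
        /tmp/puppet/manifests/site.pp || rc=$?; \
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]; \
    apt-get purge -y puppet; \
    apt-get autoremove -y; \
    rm -rf /var/lib/apt/lists/* /var/lib/puppet /etc/puppet /var/cache/puppet
```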

When using a Puppet master, a puppet directory is copied into the container which includes a puppet-docker script. This script puts the SSL certificates in the right place and sets some facts. David Lutterkort promotes this as the most natural way to build Docker Containers.

Running Puppet within Containers requires installing an init system into the Docker Container.

The Q & A session is well worth listening to. Amongst other things, it covers the best tool to use for installing packages into containers, how to distribute private Docker instances, how Docker improves your architecture and when to use a Dockerfile or a module.

Librarian-Puppet appears best suited to package installations into Containers; the Puppet module tool is overly simplistic, whilst R10k is probably too heavyweight.

The Docker Hub service can be used for private repositories, or behind a firewall you can run the Docker Registry, an image store. Architecture-wise, Docker can help provide more scalable developer environments and even enable building out your own PaaS architecture.

A Dockerfile is little more than a collection of directives. Large Dockerfiles can soon start to display ‘Golden Image’ traits. Using Puppet modules addresses this issue…

David Lutterkort - On When To Use Dockerfiles vs. Modules