Many enterprises adopt a PaaS platform such as CloudFoundry to enable easier scaling and management of applications. CloudFoundry is an open source project originally started by VMWare and now owned by Pivotal which is a joint venture of VMWare, GE and EMC. There are quite a few distributions of the open source platform such as Stackato from HP, Pivotal for example. PaaS platform such as CF enables developers to focus on development and provides entire platform at click of a button. Developers can simply deploy their binary archives and CF takes care of provisioning everything required for application to run. CF also provides additional components such as database, caches as a service which makes it a true platform.
Many organizations are also adopting containers and it is not uncommon to have a considerable chunk of applications deployed as containers. Docker is more or less the de facto standard when it comes to containers. Containers operate at a very different abstraction as compared to a PaaS platform although the boundaries are fast blurring with newer generation of CaaS (Container as a service) platforms.
PaaS platforms do support containers as workloads in addition to buildpack based applications. In order to reduce number of platforms to maintain, some organization might choose to deploy containers on CF PaaS. But the way CloudFoundry deploys docker images differs as compared to a container orchestration engines, so you should understand the process and be aware of constraints it poses.
How CloudFoundry handles Docker images?
Docker images are built from layers and each layer may contain first or both of the following:
- The layer binary, which forms the filesystem
- Metadata about the layer for example entrypoint, version, commands to be run etc. Such directives are stored in Dockerfile
Garden-linux fetches layers and creates Docker container with same kernel isolation features i.e. namespace and cgroups. It combines various layers and mounts them as root file system, as is needed by Linux containers. For actually running the container metadata of layers is used to retrieve the command and this command is then run by Cloud Controller.
Since a container can specify and mount root file system, it also presents a security challenge. CloudFoundry uses namespacing to ensure containers don’t get elevated privileges on host filesystem, even if privileges are available in container filesystem. Also it is recommended that users deploy docker images from trusted sources. Additionally we think it is a good idea to scan your images for security using tools such as Flawcheck, Docker image Scan or Clair.
Deploying image to CloudFoundry
By default running the Docker container is disabled on CloudFoundry and you can enable it with following command:
$ cf enable-feature-flag diego_docker
To push an image from Docker hub, you can use the following command (CLI v6.13 onward support the format shown below, earlier versions use command docker-push instead of push and there is no need for -o flag):
$ cf push rabbitmq -o cloudfoundry/rabbitmq
And to push from a trusted internal registry, you can use command:
$ cf push app_name -o REGISTRY_URL:5000/image_name/name:1.0
But there are some limitations currently which can be important factors based on the security requirements and architecture:
- There is no support for private registry. This means your registry will be open to the network/enterprise and anyone can pull the images.
- Only V2 API of docker registry is supported at the moment.
- When creating the instance in cloudfoundry, registry must be available, otherwise application will fail to start.
Other CloudFoundry Implementations
Stackato, a CloudFoundry implementation from HP supports pushing Docker images to its PaaS platform. You should enable the permission to push docker apps and sudo permission before pushing the image. Moreover Stackato supports pulling images from private repositories. For deploying a Docker image from a private registry you can use command:
$ stackato push --docker-image username:email@example.com/repo_name/image_name:version
3 things to consider
- Based on your CloudFoundry distribution, you may or may not be able to use a private docker registry for storing your images.
- Docker on CloudFoundry presents some challenges and is only good for smaller workloads and simple use cases.
- If you are using PaaS and also need to deploy containers at scale, consider alternative orchestration engines (Kubernetes, Mesos etc.) or platform built with native support for Docker (Redhat Openshift etc.)
We would love to hear about your experiences with PaaS platforms .For more in depth-comparisons of PaaS platforms and docker platforms write to me at firstname.lastname@example.org