Docker & Kubernetes: Container Orchestration Guide

A comprehensive guide to containerization with Docker and orchestration with Kubernetes

Container technology has changed the way we deploy and manage applications. In this article we look at Docker and Kubernetes, the two most important tools in this ecosystem.

Docker Fundamentals

Containers vs Virtual Machines

graph TB
    subgraph "Virtual Machines"
        VM1[App 1] --> OS1[Guest OS]
        VM2[App 2] --> OS2[Guest OS]
        OS1 --> HV[Hypervisor]
        OS2 --> HV
        HV --> HOST1[Host OS]
    end
    
    subgraph "Containers"
        C1[App 1] --> ENGINE[Docker Engine]
        C2[App 2] --> ENGINE
        ENGINE --> HOST2[Host OS]
    end

Basic Docker Commands

# Build an image from the Dockerfile in the current directory
docker build -t myapp:latest .

# Run a container detached, publishing container port 80 on host port 8080.
# -p 8080:80 binds on all host interfaces and, on Linux, Docker inserts its own
# iptables rules ahead of the host firewall; use -p 127.0.0.1:8080:80 for local-only access.
docker run -d -p 8080:80 --name myapp-container myapp:latest

# List running containers
docker ps

# View logs
docker logs myapp-container

# Execute commands inside the container
docker exec -it myapp-container /bin/bash

# Stop and remove the container
docker stop myapp-container
docker rm myapp-container

Dockerfile Best Practices

# Use multi-stage builds: the runtime image carries only what the app needs to run
FROM node:18-alpine AS builder
WORKDIR /app
# Copy the manifest and lockfile first so the dependency layer is cached across source changes
COPY package*.json ./
# npm ci installs exactly what package-lock.json pins; --omit=dev leaves out dev dependencies
RUN npm ci --omit=dev

FROM node:18-alpine AS runtime
WORKDIR /app
# --chown hands the files to the non-root runtime user without an extra RUN chown layer
COPY --chown=node:node --from=builder /app/node_modules ./node_modules
# Pair this with a .dockerignore (node_modules, .git, .env, *.pem) so local secrets
# and build artifacts never land in an image layer
COPY --chown=node:node . .
EXPOSE 3000
# Drop root before the process starts; the official node image ships this user
USER node
CMD ["node", "server.js"]

Key principles:

- Build in one stage and copy only the needed artifacts into a small runtime image (multi-stage builds)
- Start from a minimal, pinned base image (node:18-alpine) so builds are reproducible
- Install from the lockfile with npm ci rather than a floating npm install
- Copy dependency manifests before the source so the dependency layer stays cached
- Run as a non-root user (USER node) and keep secrets out of the build context with a .dockerignore

Kubernetes Architecture

Cluster Components

graph TB
    subgraph "Master Node"
        API[API Server]
        ETCD[etcd]
        SCHED[Scheduler]
        CM[Controller Manager]
    end
    
    subgraph "Worker Node 1"
        KUBELET1[kubelet]
        PROXY1[kube-proxy]
        RUNTIME1[Container Runtime]
    end
    
    subgraph "Worker Node 2"
        KUBELET2[kubelet]
        PROXY2[kube-proxy] 
        RUNTIME2[Container Runtime]
    end
    
    API --> KUBELET1
    API --> KUBELET2

Essential Kubernetes Objects

1. Pods

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    ports:
    - containerPort: 80
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

2. Deployments

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
        ports:
        - containerPort: 80

3. Services

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  # LoadBalancer asks the cloud provider for an externally reachable IP;
  # use ClusterIP for services that only other pods need to reach
  type: LoadBalancer

4. ConfigMaps & Secrets

# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  database_url: "mongodb://mongo:27017"
  log_level: "info"

---
# Secret
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  # base64 of "password123". base64 is encoding, not encryption: anyone with
  # get on secrets, or a copy of etcd taken without encryption at rest, can
  # decode it. Restrict RBAC on secrets, enable etcd encryption at rest, and
  # keep real values out of Git.
  db_password: cGFzc3dvcmQxMjM=
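Three things go wrong with Secrets in practice: values get base64-encoded with a trailing newline (`echo password | base64`), people forget that base64 is reversible by anyone who can read the object, and credentials end up in a ConfigMap because "it is just config". The script below, an added example that is not part of the article, exercises all three against the manifests above. Manifests are plain dicts (the JSON form that kubectl also accepts) so it runs offline with the standard library; the key-name patterns treated as credentials are an assumption for illustration.

```python
"""Secret hygiene checks for the ConfigMap/Secret pair above (added example)."""
from __future__ import annotations

import base64
import json
import re

# Assumed: key names that indicate a credential and therefore belong in a Secret.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def make_secret(name: str, values: dict[str, str]) -> dict:
    """Build an Opaque Secret, base64-encoding the exact bytes of each value.

    Encoding from the string (not via `echo value | base64`) avoids the classic
    trailing-newline bug, where the app later fails to authenticate because the
    stored password is really "password123\\n".
    """
    data = {k: base64.b64encode(v.encode()).decode("ascii") for k, v in values.items()}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": data}


def read_secret(secret: dict) -> dict[str, str]:
    """Decode a Secret's data. base64 is encoding, not encryption: any principal
    with `get` on secrets, or a copy of etcd taken without encryption at rest,
    recovers the plaintext exactly like this."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def has_trailing_newline(secret: dict, key: str) -> bool:
    """Detect the `echo` pitfall in an existing Secret value."""
    return base64.b64decode(secret["data"][key]).endswith(b"\n")


def misplaced_credentials(configmap: dict) -> list[str]:
    """Keys in a ConfigMap whose names look like credentials. ConfigMaps are
    readable by anyone with get/list on configmaps and usually live in Git in
    plaintext, so such values belong in a Secret (ideally synced from an
    external secret store)."""
    return sorted(k for k in configmap.get("data", {}) if SENSITIVE_KEY.search(k))


# Constructed samples: the article's Secret, the article's ConfigMap with a
# password wrongly added to it, and a Secret made from `echo password123 | base64`.
ARTICLE_SECRET = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "app-secrets"},
                  "type": "Opaque", "data": {"db_password": "cGFzc3dvcmQxMjM="}}
BAD_CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "app-config"},
                 "data": {"database_url": "mongodb://mongo:27017", "log_level": "info",
                          "db_password": "password123"}}
ECHO_SECRET = make_secret("echo-secret", {"db_password": "password123\n"})

if __name__ == "__main__":
    print("decoded:", read_secret(ARTICLE_SECRET))
    print("credentials misplaced in ConfigMap:", misplaced_credentials(BAD_CONFIGMAP))
    print("echo newline bug present:", has_trailing_newline(ECHO_SECRET, "db_password"))
    print(json.dumps(make_secret("app-secrets", {"db_password": "password123"}), indent=2))
```

The same decode is what `kubectl get secret app-secrets -o jsonpath='{.data.db_password}' | base64 -d` does, which is why `get` on secrets is the RBAC verb to guard most carefully.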

kubectl Essential Commands

# Cluster info
kubectl cluster-info
kubectl get nodes

# Working with pods
kubectl get pods
kubectl describe pod <pod-name>
kubectl logs <pod-name>
kubectl exec -it <pod-name> -- /bin/bash

# Apply manifests
kubectl apply -f deployment.yaml
# Applying straight from a URL runs whatever the remote serves at that moment;
# review the manifest first and pin a commit rather than a branch such as main
kubectl apply -f https://raw.githubusercontent.com/example/k8s-manifests/main/

# Port forwarding
kubectl port-forward pod/<pod-name> 8080:80

# Scaling
kubectl scale deployment nginx-deployment --replicas=5

# Rolling updates
kubectl set image deployment/nginx-deployment nginx=nginx:1.22
kubectl rollout status deployment/nginx-deployment
kubectl rollout undo deployment/nginx-deployment

Monitoring & Logging

Prometheus + Grafana Stack

# Prometheus ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
data:
  prometheus.yml: |
    global:
      scrape_interval: 15s
    scrape_configs:
    - job_name: 'kubernetes-nodes'
      # The kubelet serves /metrics over TLS on port 10250 and, on most clusters,
      # requires a bearer token; the ServiceAccount Prometheus runs under needs
      # RBAC access to nodes and nodes/metrics
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node

ELK Stack for Logging

# Elasticsearch
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
spec:
  serviceName: elasticsearch
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        image: elasticsearch:7.17.0
        env:
        - name: discovery.type
          value: single-node
        # In 7.x, security is off unless enabled; without these two settings
        # port 9200 accepts unauthenticated reads and writes of all log data
        - name: xpack.security.enabled
          value: "true"
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-credentials
              key: elastic-password
        ports:
        - containerPort: 9200

CI/CD Pipeline with Kubernetes

GitLab CI Example

stages:
  - build
  - test
  - deploy

variables:
  # Tag with the commit SHA so the deployed image is immutable and traceable to a commit
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build:
  stage: build
  script:
    # Authenticate to the project registry with GitLab's predefined CI variables;
    # --password-stdin keeps the token out of the process list
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t $IMAGE_TAG .
    - docker push $IMAGE_TAG

deploy:
  stage: deploy
  script:
    # The runner needs a kubeconfig (for example from a masked, protected CI variable)
    # whose ServiceAccount is limited to updating this one Deployment
    - kubectl set image deployment/myapp myapp=$IMAGE_TAG
    - kubectl rollout status deployment/myapp
  only:
    - main

Security Best Practices

1. Network Policies

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  # An empty selector applies the policy to every pod in the namespace
  podSelector: {}
  # Listing both types isolates pods in both directions; traffic is then
  # allowed only by additional policies. Pods also lose DNS until an egress
  # rule to kube-dns on port 53 is added. The object only has an effect on a
  # CNI that enforces NetworkPolicy; otherwise it is accepted and ignored.
  policyTypes:
  - Ingress
  - Egress
2. RBAC

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  # A Role is namespaced and grants nothing on its own; a RoleBinding ties it
  # to a user, group or ServiceAccount. Keep secrets out of resources unless
  # the subject genuinely needs them.
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
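RBAC is deny-by-default and purely additive, so the question to ask of any Role is which requests it matches, including the ones the author did not think about (subresources such as pods/log, get on secrets, create on pods/exec). The evaluator below is an added example, not the article's code and not the real authorizer; it reproduces how PolicyRules are matched (apiGroup, resource, verb, resourceNames, with "*" as wildcard and "" as the core group) and probes the pod-reader Role above alongside three constructed roles for comparison.

```python
"""PolicyRule matching for the pod-reader Role above (added example)."""
from __future__ import annotations


def _matches(values: list[str], want: str) -> bool:
    return "*" in values or want in values


def rule_allows(rule: dict, verb: str, api_group: str, resource: str,
                name: str | None = None) -> bool:
    """One PolicyRule. A subresource ("pods/log") is a different resource from
    "pods". A rule with resourceNames only matches requests that carry a name,
    so it can never grant list, watch or create."""
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    if names and name not in names:
        return False
    return True


def can_i(rules: list[dict], verb: str, api_group: str, resource: str,
          name: str | None = None) -> bool:
    """Equivalent of `kubectl auth can-i VERB RESOURCE` for a subject whose only
    binding is to a Role with these rules: allowed if any rule matches."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


def dangerous_grants(rules: list[dict]) -> list[str]:
    """Flag grants that hand over far more than they look like. The probe list is
    an assumption for illustration, not an exhaustive audit."""
    probes = [
        ("get", "", "secrets", "db", "read Secrets"),
        ("list", "", "secrets", None, "list every Secret in the namespace"),
        ("create", "", "pods/exec", "web", "exec into running pods"),
        ("create", "", "pods", None, "create pods (any ServiceAccount token, hostPath, privileged)"),
        ("*", "*", "*", None, "full wildcard"),
    ]
    return [why for verb, group, res, name, why in probes if can_i(rules, verb, group, res, name)]


# The article's Role, plus constructed roles for comparison.
POD_READER = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]
# Looks almost the same, but get on secrets exposes every credential in the namespace.
TOO_BROAD = [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list"]}]
# Scoped to one named pod: get on that pod only, and no list at all.
ONE_POD = [{"apiGroups": [""], "resources": ["pods"], "resourceNames": ["nginx-pod"], "verbs": ["get"]}]
ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    print("pod-reader get pods:", can_i(POD_READER, "get", "", "pods"))
    print("pod-reader get pods/log:", can_i(POD_READER, "get", "", "pods/log"))
    print("pod-reader get secrets:", can_i(POD_READER, "get", "", "secrets"))
    for label, rules in (("pod-reader", POD_READER), ("too-broad", TOO_BROAD), ("admin", ADMIN)):
        print(label, "->", dangerous_grants(rules))
```

On a live cluster the same questions go to the API server with `kubectl auth can-i get secrets --as=system:serviceaccount:default:app` (or `--list` for everything a subject may do), which also accounts for ClusterRoleBindings and aggregated roles that this evaluator does not model.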

3. Pod Security Standards

# Pod Security Admission enforces a profile per namespace, for example
#   kubectl label namespace default pod-security.kubernetes.io/enforce=restricted
# The pod below satisfies the restricted profile.
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    # Required by the restricted profile; without it the pod is rejected
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:latest   # pin a version tag or digest in production
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
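Before labelling a namespace with enforce=restricted it helps to know which existing pods would be rejected and why. The checker below is an added example, not the article's code and not the Pod Security admission controller itself; it reimplements the main controls of the restricted profile (host namespaces, volume types, privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot/runAsUser, seccomp) and adds two hardening checks that are not part of PSS, marked REC. Pods are dicts in the JSON form of the manifests; the nginx-pod from earlier in the article is checked alongside a hardened pod constructed for this example.

```python
"""Pod Security Standards "restricted" checks for Pod manifests (added example)."""
from __future__ import annotations

ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
# The restricted profile permits only these volume types (hostPath in particular is out).
ALLOWED_VOLUMES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                   "persistentVolumeClaim", "projected", "secret"}


def check_restricted(pod: dict) -> list[str]:
    """Return findings; no "PSS:" finding means the Pod would pass enforce=restricted
    for the controls modelled here. "REC:" findings are hardening advice, not PSS."""
    findings: list[str] = []
    spec = pod["spec"]
    psc = spec.get("securityContext", {})
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"PSS: spec.{field} must be false")
    for vol in spec.get("volumes", []):
        kinds = set(vol) - {"name"}
        if not kinds <= ALLOWED_VOLUMES:
            findings.append(f"PSS: volume {vol['name']} uses disallowed type {sorted(kinds - ALLOWED_VOLUMES)}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        csc = c.get("securityContext", {})
        where = f"container {c['name']}"
        if csc.get("privileged"):
            findings.append(f"PSS: {where} is privileged")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"PSS: {where} must set allowPrivilegeEscalation: false")
        caps = csc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"PSS: {where} must drop ALL capabilities")
        extra = set(caps.get("add", [])) - ALLOWED_CAP_ADDS
        if extra:
            findings.append(f"PSS: {where} adds disallowed capabilities {sorted(extra)}")
        # Container-level fields override pod-level ones.
        if csc.get("runAsNonRoot", psc.get("runAsNonRoot")) is not True:
            findings.append(f"PSS: {where} must run as non-root (runAsNonRoot: true)")
        if csc.get("runAsUser", psc.get("runAsUser")) == 0:
            findings.append(f"PSS: {where} must not use runAsUser: 0")
        seccomp = csc.get("seccompProfile", psc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"PSS: {where} needs seccompProfile.type RuntimeDefault or Localhost")
        if not csc.get("readOnlyRootFilesystem"):
            findings.append(f"REC: {where} should set readOnlyRootFilesystem: true")
        image = c.get("image", "")
        tag = image.rsplit("/", 1)[-1]  # strip registry/repo so a registry port is not read as a tag
        if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
            findings.append(f"REC: {where} image {image} is not pinned to a version tag or digest")
    return findings


# The article's nginx-pod (no securityContext at all) and a hardened pod built for this example.
NGINX_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx-pod"},
             "spec": {"containers": [{"name": "nginx", "image": "nginx:1.21",
                                      "ports": [{"containerPort": 80}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
                "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "app", "image": "myapp:1.4.2",
                                         "securityContext": {"allowPrivilegeEscalation": False,
                                                             "capabilities": {"drop": ["ALL"]},
                                                             "readOnlyRootFilesystem": True}}],
                         "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    for pod in (NGINX_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for f in check_restricted(pod) or ["  (no findings)"]:
            print(" ", f)
```

The readOnlyRootFilesystem check is deliberately a recommendation: an application that writes to /tmp or a cache directory needs an emptyDir mounted there first, otherwise it crashes on start, which is why it is not part of the PSS profile.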

Troubleshooting Common Issues

1. Pod Stuck in Pending

# Check node resources
kubectl describe node <node-name>

# Check pod events
kubectl describe pod <pod-name>

# Check resource quotas
kubectl get resourcequota

2. Image Pull Errors

# Check image pull secrets
kubectl get secret

# Verify image exists
docker pull <image-name>

# Check node has access to registry
kubectl get events --sort-by=.metadata.creationTimestamp

3. Service Discovery Issues

# Test DNS resolution
kubectl run -it --rm debug --image=busybox --restart=Never -- nslookup <service-name>

# Check service endpoints
kubectl get endpoints <service-name>

# Verify label selectors
kubectl get pods --show-labels

Conclusion

Docker and Kubernetes are the foundation of modern cloud infrastructure. Mastering these tools is essential for any DevOps engineer or system administrator.

Next steps:

Happy containerizing! 🐳⚓
