# Optimize your Docker Infrastructure with Python

## PyData NYC

November 11, 2015

Ryan J. O'Neil  
<ryanjoneil@gmail.com>  

### Intro

By Day: Lead Engineer @ Yhat, Inc.  

Formerly:
* Simulation, modeling, optimization @ MITRE
* Data Journo @ The Washington Post

By Night: PhD Candidate in SEOR @ George Mason University

Research:
* Combinatorial optimization
* Scheduling problems
* Cutting & packing problems

### Motivation

Consider the DevOps Engineer.

#### It's a noble group...

![](images/scotty.jpg)

### ...with grave responsibilities.

One of the important functions of DevOps is the creation of environments for:

* Software development
* Testing & quality assurance
* Running operational systems
* Whatever else you might need a computing environment for

#### There's even a Venn diagram about DevOps.

And we all know how much we like Venn diagrams.

![](images/devops-venn.svg)

#### A typical DevOps function

Say you work on _Yet Another Enterprise Java Application (TM)_. YAEJA generates lots of \$\$\$\$ for _Yet Another Enterprise Software Company_ and it keeps you gainfully employed!

Say you need to upgrade portions of the system YAEJA it runs _(and depends)_ on.

Youo don't want to just upgrade the production instances without testing first. So you need two environments from your DevOps person.

One for running the production instance:

|     | Command                                                        |
|-----|----------------------------------------------------------------|
| $A$ | Install the Java compiler and runtime environment.             |
| $B$ | Download a set of external dependencies.                       |
| $C$ | Set up a an EntepriseDB (TM) schema and populate it with data. |

And another for testing it with the new version of the utility:

|     | Command                                                        |
|-----|----------------------------------------------------------------|
| $A$ | Install the Java compiler and runtime environment.             |
| $B$ | Download a set of external dependencies.                       |
| $C$ | Set up a an EntepriseDB (TM) schema and populate it with data. |
| $D$ | Update the underlying system utility.                          |

If _Yet Another Enterprise Java Application (TM)_ integrates with a number of optional third party applications, you might need an additional test environment for each one.

If those interact in interesting ways, you may need test environments for different combinations of third party integrations.

#### Looks like your DevOps person will be working all weekend

![](images/saturday.png)

#### In the old days...

At a big software shop, devops may be responsible for the continual setup and teardown of dozens (or _hundreds_) of system configurations for a single software project.

This used to be done with physical hardware on _(sometimes)_ fresh operating system installs.

Most medium-to-large software shops had an air conditioned room that looked like this.

![](images/cable-spaghetti.jpg)

#### Environmental setup was often pretty manual

If you had to reproduce an environment, you had a few options:

* Start with a fresh install of the operating system


* Save the results of your setup to a CD and load that onto a box


* Hope that uninstalling and resintalling the relevant components is good enough  

    + A _lot_ of people did this
    + It's probably not good enough
    + Most software leaves behind relics
        - Logs...
        - Data files...
        - Configuration...

#### Nowadays...

![](images/cloud-docker.png)

### What's a container?

Docker is so hot right now.

Containers are lightweight virtualization. They make it seem like a process is in it own operating system on its own hardware, without loading up heavy stuff like a kernel.

Container architectures have been around since `chroot` jails in V7 Unix.

They're not exactly _new_...

But now they're so convenient they feel _(and are raising venture capital)_ that way!

#### A tiny bit of history

* 1979: `chroot` jails added to System 7 Unix at Bell Labs
    + Last version of Unix before it was commercializated by AT&T
    + Ran on a DEC PDP-11 minicomputer

* 1982: Bill Joy ports `chroot` to BSD

* 2005: Sun releases Solaris Containers
    + Zones provide fully isolated virtual servers on a single host

* 2007: Initial implementation of `cgroups` by Google for Linux Kernel 2.6.24
    + Isolation of system resources

* 2013: **Namespace isolation** introduced in Linux Kernels 3.15 & 3.16
    + Process IDs
    + Network interfaces, iptables, routing
    + Inter-Process Communication
    + etc...

#### Containers are about isolation...

Processes and system resources behave as if the are on their own computers.

##### Container 1

```
[ryan@localhost ~]$ docker run -it ubuntu:trusty /bin/bash
root@19867869f71d:/# echo spam and eggs > /ingredients.txt
root@19867869f71d:/# cat /ingredients.txt                         
spam and eggs
```

##### Container  2

```
[ryan@localhost ~]$ docker run ubuntu:trusty cat /ingredients.txt
cat: /ingredients.txt: No such file or directory
```

They have their own process spaces.

```
[ryan@localhost ~]$ docker run --cidfile=cid -it ubuntu:trusty
root@fc347d97db8c:/# echo $$
1
```

And they are convinced they have their own hardware resources.

```
[ryan@localhost ~]$ docker stats --no-stream=true $(cat cid)

CONTAINER
fc347d97db8c7d02b870eff3e2d1e92747e8c0fc1cb7f9b1c76bf534fcd21ba0

CPU %               MEM USAGE/LIMIT     MEM %               NET I/O
0.00%               524.3 kB/7.945 GB   0.01%               648 B/648 B
```

#### ...but containers are also about sharing.

And this is what we care about here.

Specifically, saving and retrieving the results of a computation from the Docker image cache.

Why?

Smart cache use == time saved building out environments!

![](images/scotty-approved.jpg)

### Docker cache mechanics

Maybe I should call this section UnionFS mechanics, but then Docker is so hot right now.

#### A Tale of Two Dockerfiles

Let's say I collect old or non-standard revision control systems.

Everyone needs a hobby.

I set up an environment with a few RCSs in it to play around with.

##### Dockerfile: rcs1
  
```
FROM ubuntu:trusty
RUN apt-get install -y bzr
RUN apt-get install -y cvs
```

#### Let's build out our non-standard RCS image!

```
[ryan@localhost dockerfiles]$ docker build --file=rcs1 --tag=rcs1 .
```

Step 0 would download the base Ubuntu image, but I've already got it.

```
Sending build context to Docker daemon 24.58 kB
Step 0 : FROM ubuntu:trusty
 ---> a5a467fddcb8
```

`bzr` require a number of dependencies...

```
Step 1 : RUN apt-get install -y bzr
 ---> Running in 7679f0a1525e
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  ca-certificates dbus gir1.2-glib-2.0 libapparmor1 libassuan0
  libdbus-glib-1-2 libgirepository-1.0-1 libglib2.0-0 libglib2.0-data libgmp10
  [...snip...]
```

As does `cvs`.

```
Step 2 : RUN apt-get install -y cvs
 ---> Running in 54229eef94d2
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  krb5-locales libedit2 libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3
  libkrb5support0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6
  [...snip...]
```

At the end of this I have a tagged image. I can easily use this to spin up new containers.

```
[ryan@localhost dockerfiles]$ docker run rcs1 bash -c "which cvs && which bzr"
/usr/bin/cvs
/usr/bin/bzr
```

#### Oh snap.

I found an old RCS repository from the 1980s I want to look at.

![](images/rcs-sccs.jpg)

I don't have `rcs` installed. I guess I'll have to build a new image.

##### Dockerfile: rcs2
  
```
FROM ubuntu:trusty
RUN apt-get install -y bzr
RUN apt-get install -y cvs
RUN apt-get install -y software-properties-common
RUN add-apt-repository "deb http://archive.ubuntu.com/ubuntu trusty universe"
RUN apt-get update
RUN apt-get install -y rcs
```

```
[ryan@localhost dockerfiles]$ docker build --file=rcs2 --tag=rcs2 .
```


The first few steps have already been run before and can use the Docker cache!
```
Step 0 : FROM ubuntu:trusty
 ---> a5a467fddcb8

Step 1 : RUN apt-get install -y bzr
 ---> Using cache
 ---> ed8a8efd04cc

Step 2 : RUN apt-get install -y cvs
 ---> Using cache
 ---> 61fe05c24a19
```

After that it's business as usual.

```
Step 3 : RUN apt-get install -y software-properties-common
 ---> Running in 4adc2bb63a73
The following extra packages will be installed:
  iso-codes libasn1-8-heimdal libcurl3-gnutls libgssapi3-heimdal
  libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal
  [...snip...]

Step 4 : RUN add-apt-repository "deb http://archive.ubuntu.com/ubuntu trusty universe"
 ---> Running in 5a023435448c
 ---> 02439f270099
Removing intermediate container 5a023435448c

Step 5 : RUN apt-get update
 ---> Running in 449c25ee3537
Get:1 http://archive.ubuntu.com trusty-updates InRelease [64.4 kB]
[...snip...]

Step 6 : RUN apt-get install -y rcs
 ---> Running in 3574b94bbea3
The following NEW packages will be installed:
  rcs
```

#### Adding to my stable of random revision control.

_Also, why are they all three letters long?_

So now I have `rcs` in addition to `bzr` and `cvs`. Note that my `rcs2` image was built off of my `rcs1` image. I didn't have to do any extra work to recreate those shared parts of it.

```
[ryan@localhost dockerfiles]$ docker run rcs2 bash -c "which bzr && which cvs && which rcs"
/usr/bin/bzr
/usr/bin/cvs
/usr/bin/rcs
```

#### What happens if I rebuild the image again?

Omigosh everything is cached!

```
[ryan@localhost dockerfiles]$ docker build --file=rcs2 --tag=rcs2 .
Sending build context to Docker daemon 3.072 kB
Step 0 : FROM ubuntu:trusty
 ---> a5a467fddcb8
Step 1 : RUN apt-get install -y bzr
 ---> Using cache
 ---> ed8a8efd04cc
Step 2 : RUN apt-get install -y cvs
 ---> Using cache
 ---> 61fe05c24a19
Step 3 : RUN apt-get install -y software-properties-common
 ---> Using cache
 ---> 942207de6f7f
Step 4 : RUN add-apt-repository "deb http://archive.ubuntu.com/ubuntu trusty universe"
 ---> Using cache
 ---> 02439f270099
Step 5 : RUN apt-get update
 ---> Using cache
 ---> 220536dfc3ff
Step 6 : RUN apt-get install -y rcs
 ---> Using cache
 ---> 1a8cd22cb14d
Successfully built 1a8cd22cb14d
```

![](images/spock-logical-awesome.jpg)

#### What if I change the order of that Dockerfile?

I'd really rather have the commands to add `universe` at the top.

##### Dockerfile: rc3
  
```
FROM ubuntu:trusty
RUN apt-get install -y software-properties-common
RUN add-apt-repository "deb http://archive.ubuntu.com/ubuntu trusty universe"
RUN apt-get update
RUN apt-get install -y bzr
RUN apt-get install -y cvs
RUN apt-get install -y rcs
```

#### What happens when I build an image with the commands reordered?

Nothing except the base image is cached!

```
[ryan@localhost dockerfiles]$ docker build --file=rcs3 --tag=rcs3 .
Sending build context to Docker daemon 4.096 kB

Step 0 : FROM ubuntu:trusty
 ---> a5a467fddcb8

Step 1 : RUN apt-get install -y software-properties-common
 ---> Running in 713e49f1f323
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  ca-certificates gir1.2-glib-2.0 iso-codes krb5-locales libasn1-8-heimdal
  libcurl3-gnutls libdbus-glib-1-2 libgirepository-1.0-1 libglib2.0-0
  libglib2.0-data libgssapi-krb5-2 libgssapi3-heimdal libhcrypto4-heimdal
  libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libidn11
  libk5crypto3 libkeyutils1 libkrb5-26-heimdal libkrb5-3 libkrb5support0
  libldap-2.4-2 libroken18-heim
  [...etc...]
```

#### So Docker can use the cache when...

It has seen the exact same commands in _the same order_.

If it sees something new, it stops using the cache.

Although certain commands, like `COPY`, break the cache entirely.

#### Docker caching examples

Building two images that share three commands:

![](images/fig01.png)

If we structure them as such, they share nothing:

![](images/fig02.png)

#### Once images diverge, they can never merge back together

This won't work:

![](images/fig03.png)

This is what would really happen:

![](images/fig04.png)

This would be better:

![](images/fig05.png)

### Problem formulation

Let's write this thing in LaTeX!

#### What are we trying to do again?

Given a set of Docker images to construct, each of which requires a series of commands, find the optimal order to run these commands such that we minimize required computing time.

_Could also read: maximize use of the Docker cache._

#### Say we know a priori the time required by each command

We could also use a prior.

$$C = \{\text{set of commmands}\}$$
$$t_c > 0 = \text{time required by command c}$$

We also know the images we need to create and the commands each one requires.

$$I = \{\text{set of images}\}$$
$$C_i = \{\text{commands requires for image I}\}$$

#### We need some decision variables

We define a set $P$ of (image set, command set) pairs, starting with each image $i \in I$ and, for each of these, every command $c \in C_i$.

In our first example we had two images, $I = \{1, 2\}$.

The commands for the images were: 

$$C_1 = \{A, B, C\}$$
$$C_2 = \{A, B, C, D\}$$

So our set $P$ initially contains:

$$P = \{(\{1\},\{A\}), (\{1\},\{B\}), (\{1\},\{C\}), (\{2\},\{A\}), (\{2\},\{B\}), (\{2\},\{C\}), (\{2\},\{D\})\}$$

Now define $x_p \in \{0,1\}$ for each $p \in P$. 

If $x_p = 1$, then we run the commands in $p$ for the images in $p$.

#### A first, misguided stab at our image construction model

Find the minimum cost schedule based on our set $P$ and the requirements of our images. 

$$
\begin{array}{r l}
    \min        & t_a x_{1,a} + t_b x_{1,b} + t_c x_{1,c} + t_a x_{2,a} + t_b x_{2,b} + t_c x_{2,c} + t_c x_{2,d} \\  
    \text{s.t.} & x_{1,a} = 1 \\
                & x_{1,b} = 1 \\
                & x_{1,c} = 1 \\
                & x_{2,a} = 1 \\
                & x_{2,b} = 1 \\
                & x_{2,c} = 1 \\
                & x_{2,d} = 1 \\
                & x_p \in \{0,1\}\, \forall\, p \in P
\end{array}
$$

Well that's just ridiculous.

The solution is trivially:

$$x_{1,a} =  x_{1,b} = x_{1,c} = x_{2,a} = x_{2,b} = x_{2,c} = x_{2,d} = 1$$

The cost of implementing this plan is actually the worst we could possibly do:

$$2 \left(t_a + t_b + t_c\right) + t_d$$

In fact it looks pretty much like we did this:

![](images/fig02.png)

#### We need a variable that allows us to use the Docker cache

In this problem, commands $\{A, B, C\}$ are shared between images $\{1,2\}$. So let's make a variable for that and add it to $P$.

$$x_{12,abc} \in \{0,1\}$$

Of course this changes the constraints.

$$x_{1,a} + x_{12,abc} = 1$$
$$x_{1,b} + x_{12,abc} = 1$$
$$x_{1,c} + x_{12,abc} = 1$$
$$x_{2,a} + x_{12,abc} = 1$$
$$x_{b,b} + x_{12,abc} = 1$$
$$x_{c,c} + x_{12,abc} = 1$$

#### This time, with feeling

This one actually allows us to share the time required to run commands between images.

$$
\begin{array}{r l}
    \min        & t_a x_{1,a} + t_b x_{1,b} + t_c x_{1,c} + t_a x_{2,a} + t_b x_{2,b} + t_c x_{2,c} + t_c x_{2,d} + \left(t_a + t_b + t_c\right) x_{12,abc}\\  
    \text{s.t.} & x_{1,a} + x_{12,abc} = 1 \\
                & x_{1,b} + x_{12,abc} = 1 \\
                & x_{1,c} + x_{12,abc} = 1 \\
                & x_{2,a} + x_{12,abc} = 1 \\
                & x_{2,b} + x_{12,abc} = 1 \\
                & x_{2,c} + x_{12,abc} = 1 \\
                & x_{2,d} = 1 \\
                & x_p \in \{0,1\}\, \forall\, p \in P
\end{array}
$$

This is much better. It gives us the correct solution.

$$x_{1,a} =  x_{1,b} = x_{1,c} = x_{2,a} = x_{2,b} = x_{2,c} = 0$$
$$x_{12,abc} = x_{2,d} = 1$$

The minimum time is:

$$t_a + t_b + t_c + t_d$$

Visually this could be represented as:

![](images/fig01.png)

#### But things are not always so simple.

We created the variable $x_{12,abc}$ because it was obvious. $I_1 \bigcap I_2 = \{A, B, C\}$, so it was the best possible option.

But consider this set of 4 images:

$$I_3 = \{A, B, C\}$$
$$I_4 = \{B, C, D\}$$
$$I_5 = \{A, C, E\}$$
$$I_6 = \{B, D, E\}$$

In this problem instance, the values $t_a, \dots, t_e$ are what drive our final schedule.

If $t_c$ is big enough, the optimal schedule might be:
    
```
    I3:  C B A
    I4:  C B D 
    I5:  C A E
    I6:  B D E
```

And if $t_a > t_b$ it might be:
    
```
    I3:  C A B
    I4:  C B D 
    I5:  C A E
    I6:  B D E
```

So if we set $x_{345,c} = 1$, we have the option to use two other variables to create our schedule:

$$x_{345,c,34,b} \in \{0,1\}$$
$$x_{345,c,35,a} \in \{0,1\}$$

But this can only happen if $x_{345,c} = 1$. That is, $x_{345,c,34,b}$ and $x_{345,c,35,a}$ are **dependent** on it.

$$x_{345,c,34,b} \le x_{345,c}$$
$$x_{345,c,35,a} \le x_{345,c}$$

We will represent these dependencies using another set, $R$. For all $\left(x_m, x_n\right) \in R$, any feasible solution requires that $x_m \le x_n$.

Note that dependencies have structure. We may have:

$$x_m \le x_n$$
$$x_n \le x_o$$

#### We also have to worry about intersections...

Recall our set of 4 images:

$$I_3 = \{A, B, C\}$$
$$I_4 = \{B, C, D\}$$
$$I_5 = \{A, C, E\}$$
$$I_6 = \{B, D, E\}$$

In addition to the variables $x_{3,a}$, $x_{3,b}$, $\dots$, $x_{6,e}$, we create $x_{345,c}$, $x_{34,bc}$, $\dots$, $x_{56,e}$ and add the appropriate $\left(\text{images}, \text{commands}\right)$ pairs to $P$.

For each image $i \in I$, and command $c \in C_i$, exactly one $x_p$ that provides $c$ for $i$ must be set to $1$. This restricts **intersections** in our schedule.

$$\sum_{p = \left(p_i,p_c\right) \in P,\, i \in p_i,\, c \in p_c} x_p = 1\, \forall\, i \in I,\, c \in C_i$$ 

Now we have everything we need to build our model!

$$
\begin{array}{r l l l}
    \min        & \sum_{p \in I} \sum_{c \in C_i} t_c x_p & \\
    \text{s.t.} & \sum_{p = \left(p_i,p_c\right) \in P,\, i \in p_i,\, c \in p_c} x_p = 1 & \forall & i \in I,\, c \in C_i \\
                & x_m \le x_n & \forall & \left(m, n\right) \in R \\
                & x_p \in \{0,1\} & \\
\end{array}
$$

All we have to do is generate $P$ and $R$!

Right?

### Finding maximal cliques with NetworkX

At some point, somebody is going to write some code.

So how do we generate $P$ and $R$?

Naive option:

* Make a graph with all images and commands
* Connect each image to its commands
* Connect images to each other
* Connect commands to each other
* Find maximal cliques!

Q: What's a maximal clique?

A: A subgraph where each pair of nodes is adjacent. If it can't be contained in another clique, it's maximal.

![](images/clique.png)
_A clique. Source: Wikipedia_

Creating a graph and connect every image to its commands.

![](images/graph_1.png)

Now connect every pair of image, and every pair of commands.

![](images/graph_2.png)

In [2]:
# Define the commands we have available.
commands = ['A','B','C','D','E']

# And the images we need to construct from them.
images = [3,4,5,6]
image_commands = {
    3: ['A','B','C'],
    4: ['B','C','D'],
    5: ['A','C','E'],
    6: ['B','D','E'],
}

In [16]:
# Construct the graph shown above.
# Prefix images with 'i' and commands with 'c'.

from itertools import combinations
import networkx as nx

g = nx.Graph()

for i, cmds in image_commands.items():
    for c in cmds:
        g.add_edge('i%d' % i, 'c%s' % c)

for i1, i2 in combinations(images, 2):
    g.add_edge('i%d' % i1, 'i%d' % i2)

for c1, c2 in combinations(commands, 2):
    g.add_edge('c%s' % c1, 'c%s' % c2)
    
g.nodes()

['i5', 'cA', 'i6', 'i4', 'cB', 'cE', 'cD', 'i3', 'cC']

In [21]:
# Generate all maximal cliques with > 1 image and >= 1 command.

from networkx.algorithms import find_cliques

max_cliques = []

for c in find_cliques(g):
    imgs = set([int(x.replace('i','')) for x in c if x.startswith('i')])
    cmds = set([x.replace('c','') for x in c if x.startswith('c')])
    if len(imgs) > 1 and cmds:
        max_cliques.append((imgs, cmds))
        
max_cliques

[({4, 6}, {'B', 'D'}),
 ({3, 4, 6}, {'B'}),
 ({3, 4}, {'B', 'C'}),
 ({3, 5}, {'A', 'C'}),
 ({3, 4, 5}, {'C'}),
 ({5, 6}, {'E'})]

Add each of these to $P$.

Now consider each maximal clique. Let's look at $\{3,4,5,C\}$.

$x_{345,c} = 1$ if images $\{3,4,5\}$ share command $C$. 

Can they share anything further?

Repeat the process with remaining commands for images $\{3,4,5\}$. Leave out $C$.

![](images/graph_3.png)

![](images/graph_4.png)

Max cliques:

$$\{3,4,B\}$$
$$\{3,5,A\}$$

Add variables to $P$:

$$x_{345,c,34,b} \in \{0,1\}$$
$$x_{345,c,35,a} \in \{0,1\}$$

Both depend on "parent" clique:

$$x_{345,c,34,b} \le x_{345,c}$$
$$x_{345,c,35,a} \le x_{345,c}$$

So add dependencies to $R$:

$$\left(x_{345,c,34,b}, x_{345,c}\right)$$
$$\left(x_{345,c,35,a}, x_{345,c}\right)$$

Maximal clique detection is NP-complete.

But it works _better than you might think!_ Why?

$$\text{THEORY} \ne \text{PRACTICE}$$

There are more efficient ways, but that's for another day.

### Partitioning sets with PuLP

"NP-Complete" is a term used to scare graduate students.

### Computational example

No, really. That's how we do this thing.