containers & caas
TRANSCRIPT
Who am I? Yujie Du
About: https://about.me/Yujie.Du Twitter: @ben_duyujie Email: [email protected] Linkedin: https://www.linkedin.com/in/duyujie Download: https://www.slideshare.net/ben_duyujie/containers-caas/
One company has certainly found growth by injecting software into its industry.
source: http://thenewstack.io/uber-netflix-and-the-dreams-of-devops-and-microservices/
(Chart: Uber's rumored net revenue, 2013 to 2015.)
Since 2000, 52% of the Fortune 500 are no longer on the list. The pace of change has increased.
Docker will play a central role for every player in that market.
Private | Hybrid | Public
IT Pros (Deployment) | Architects (Packaging) | Developers
Docker is also the contract between Developers and Operations. Developers and Operations often have very different attitudes when it comes to choosing tools and environments.
Process:         Waterfall         -> Agile            -> DevOps
Architecture:    Monolithic        -> N-Tier           -> Microservices
Hosting:         Datacenter        -> Hosted           -> Cloud
Infrastructure:  Physical Servers  -> Virtual Servers  -> Containers
                                                        = Cloud Native Application
Figure from M. Schwarzkopf, “Operating system support for warehouse-scale computing”, PhD thesis, University of Cambridge, 2015 (to appear).
Details & Bibliography: http://malteschwarzkopf.de/research/assets/google-stack.pdf
App Dev "Monolithic"   | Systems Management 1: VMware, Microsoft, Linux          | Hardware
App Dev "Cloud-native" | Systems Management 2: OpenStack, Cloud Foundry, AWS etc. | Hardware
                       | Systems Management 3: Docker, Mesos, CoreOS, Kubernetes etc. | Hardware
Plain old virtualization -> Cloud, public and private
Management tools always(?) change
What runs everything; most of the attention is here
Hardware no longer eating the world - cheaper, faster
Shift from web, to web + mobile
A single API for managing applications on 4 infrastructures
Virtual Machines: Physical Processor | ISA boundary | Virtual Processor -> Operating System -> Libraries -> User Code (private copy per VM)
Containers:       Physical Processor -> Virtual Processor -> Operating System (shared) | syscall boundary | Libraries -> User Code (private copy per container)
Containers: less overhead, enable more “magic”
Sandboxing (chroot jails)
Various projects... chroot (1979), jail, Linux-VServer, OpenVZ, ...
Linux container (chroot + OS isolation)
brought into the kernel... namespaces, cgroups, SELinux, AppArmor, btrfs/aufs/device mapper/etc. ...
Docker (LXC + packaging)
and packaged up: systemd-nspawn, LXC, lmctfy, libvirt-lxc, Docker / libcontainer, rkt / appc, ...
Containers are isolated, portable environments where you can run applications along with all the libraries and dependencies they need.
(Diagram: user request -> shell / application -> Linux kernel -> hardware.)
Each user has a home directory and process directory; runs in memory.
A paradigm shift for the O/S : Redefines “Kernel Space” & “User Space”
Better fit for distributed computing
Who built this image?
What’s its purpose? Was it created to support a demo?
Is it safe to consume? Who maintains it?
RED HAT CERTIFIED: trusted source for the host and the containers; trusted content inside the container, with security fixes available as part of an enterprise lifecycle; portability across hosts.
(Diagram: HW -> Host OS -> Containers, each layer certified.)
Process A (parent, original PID) calls fork(); Process A continues.
Process B (child, new PID) calls execve() and executes a different program! Eventually it calls exit().
Parent calls wait(): until it is reaped, the exited child is a ZOMBIE; SIGCHLD -> cleanup.
Reference: http://www.lynx.com/the-fork-call-posix-processes-and-parent-child-relationships
1. Docker Daemon process: fork, exec
2. dockerinit: new namespaces, init namespaces, cgroups applied
3. ENTRYPOINT / CMD (your application): the only process (same PID)
Docker Container: process, process, process, ...
A Docker container is born just by the syscalls fork and exec of a process.
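As an added example (not from the slides), the lifecycle on the slide, fork -> execve -> exit -> SIGCHLD -> ZOMBIE -> wait/cleanup, as a small Linux C program; the child program (a shell that exits 42) and the /proc/<pid>/stat check are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t got_sigchld = 0;
static void on_sigchld(int sig) { (void)sig; got_sigchld = 1; }

/* State letter (R, S, Z, ...) of a process from /proc/<pid>/stat; '?' if unreadable. */
static char proc_state(pid_t pid) {
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return '?';
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');            /* comm may contain spaces; state follows ") " */
    return (p && p[1] == ' ') ? p[2] : '?';
}

/* Lifecycle from the slide: fork -> execve -> exit -> SIGCHLD -> ZOMBIE -> wait/cleanup.
 * Returns the child's exit code (-1 on failure); *saw_zombie is set if state Z was observed. */
int run_child_lifecycle(int *saw_zombie) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;               /* SIGCHLD tells the parent a child changed state */
    sigaction(SIGCHLD, &sa, NULL);
    got_sigchld = 0;
    *saw_zombie = 0;

    pid_t child = fork();                     /* Process A forks; the child gets a new PID */
    if (child < 0) return -1;
    if (child == 0) {
        /* Process B execs a different program (constructed: a shell that exits 42) */
        execl("/bin/sh", "sh", "-c", "exit 42", (char *)NULL);
        _exit(127);                           /* reached only if execl itself failed */
    }
    /* Wait for the exit without reaping (WNOWAIT): the child is now a ZOMBIE */
    siginfo_t info;
    while (waitid(P_PID, child, &info, WEXITED | WNOWAIT) == -1 && errno == EINTR) {}
    if (proc_state(child) == 'Z') *saw_zombie = 1;   /* exited, but its PID slot is still held */
    /* cleanup: wait() reaps the zombie and frees its PID */
    int status;
    if (waitpid(child, &status, 0) != child) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A container runtime that fails to reap its children accumulates exactly these zombie PID slots, which is why an init process (here dockerinit / ENTRYPOINT) that calls wait() matters inside a PID namespace.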
CGROUPS
• Kernel feature
• Groups of processes
• Control resource allocation: CPU, CPU sets, memory, disk, block I/O
IMAGES
• Not a file system
• Not a VHD
• Basically a tar file
• Has a hierarchy: arbitrary depth
• Fits into Docker Registry
NAMESPACES
• The real magic behind containers
• It creates barriers between processes
• Different namespaces: PID namespace, Net namespace, IPC namespace, MNT namespace
• Linux kernel namespaces introduced between kernel 2.6.15 and 2.6.26
DOCKER CONTAINER
docker run lxc-start
(appc spec mind map)
ACS
ACI: ID; signed, encrypted archive; manifest, rootfs
veth, ipvlan, macvlan, raw dev
FS volume, environment, logging
Isolators: capabilities; Linux isolators; resource isolators (block, network, cpu, memory)
Runtime Env
Pods: UUID, manifest
Executor
Image Discovery: simple discovery, meta discovery
Network: loopback, ip, overlay
DM, cgroup
Application Containers
“An application container is a way of packaging and executing processes on a computer system that isolates the application from the underlying host operating system”
https://github.com/appc/spec, 2015.
https://www.ibm.com/developerworks/community/blogs/1ba56fe3-efad-432f-a1ab-58ba3910b073/entry/thoughts_on_future_of_resource_managers_and_schedulers_in_the_cloud?lang=en
IaaS: Capacity (VM, Storage…)
PaaS: App (code)
CaaS: App container
CNCF & OCI
Application definition and orchestration
Resource scheduling
Distributed system services
Container runtime agent | Container registry | Container repository | Computing node OS
Software-defined network | Software-defined storage
Infrastructure provisioning
Out of scope: API specification
OCI and specification
Reference implementation
OCI API spec