OCI and runCA developer’s guide for open container tools and projectsPhil Estes, IBM Cloud Open Technology and Architecture@estesp / estesp@gmail.com

Phil EstesSenior Technical Staff MemberIBM Cloud, Open Technologies

Container Strategy/Open Source Leader

Docker community core engine maintainer <Linux/open source expertise for 15 years @ IBM <

Community activities & accomplishments> Brought user namespace support to the Docker engine> Helped design v2.2 image specification with multi-platform support> Implemented first tool to create multi-platform images in Docker v2.3 registry> Member of the “Docker Captains” program

2

About Me

Open Container Initiative (OCI)

An open governance structure for creating

open industry standards: a common container

runtime and image format.

• A Linux Foundation Collaborative Project• Free from control by any particular vendor’s

specific cloud stack or ecosystem• Includes a specification, reference runtime*

and now, a specified image format

*seeded with runc + libcontainer by Docker

OCI Specs & Status

> Announced June 20th, 2015

> Charter signed on December 8th, 2015

> 49 current member companies

> Both specifications nearing 1.0 release targets

https://opencontainers.orghttps://github.com/opencontainers

> Runtime specification: Release 1.0.0-rc2 / September 2016

https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc2

1. Very close to an official 1.0 release of the runtime spec 2. Includes required core for Linux, Windows, and Solaris

> Image format spec: Release 1.0.0-rc3 / October 2016

https://github.com/opencontainers/image-spec/releases/tag/v1.0.0-rc3

1. Seeded with Docker registry v2.2 specification 2. v1.0.0-rc3 approved and released last week

Introduction to `runc`> runc is a client wrapper around libcontainer> Libcontainer is the OS level interface for containers

Other platforms and architectures can implement the libcontainer API via their own primitives/system-level container concepts

$ docker run -it --read-only -v /host:/hostpath alpine sh/#

{ "ociVersion": "0.6.0-dev", "platform": { "os": "linux", "arch": "amd64" }, "process": { "terminal": true, "args": [ "sh" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/bin”

config.json

● CloudFoundry Garden OCI implementation

● https://github.com/cloudfoundry-incubator/guardian● Uses runc as a backend for container execution

● Docker 1.11 (and above)

● Switched from direct libcontainer API linkage to calling runc as container executor

● Uses containerd as a gRPC daemon to disconnect Docker daemon (API/mgmt) from container execution (allows daemon restart in future without container runtime impact)

runc in the “Wild”

runv - Hyper.sh; small & lightweight hypervisor wraps contained processrunz - Solaris zones implementation

> Ports/Implementations:

How does Docker use runc?

Docker engine

containerd

gRPC

ctr-shim ctr-shim

runc runc

https://github.com/docker/docker

https://github.com/docker/containerd

https://github.com/opencontainers/runc

Docker client/API

HTTP/REST

OCI Image Tools> Docker engine save/load support for OCI format underway

https://github.com/docker/docker/pull/26369

> `oci-fetch` tool being developed to pull OCI format images

https://github.com/containers/oci-fetch

> Official OCI project for image tooling (create/verify/etc.)

https://github.com/opencontainers/image-tools

> `acbuild` (ACI/rkt tooling) support for OCI image format

https://github.com/containers/build/issues/249

> `skopeo` image query/fetch tool has support for OCI image format

https://github.com/projectatomic/skopeo

@estesp

github.com/estesp

estesp@gmail.com

https://integratedcode.us

IRC: estesp

DEMO$ runc run alpine# /

/usr/bin/runc https://github.com/opencontainers/runc

/usr/bin/ocitools https://github.com/opencontainers/ocitools

/usr/local/bin/riddler https://github.com/jessfraz/riddler

/usr/local/bin/netns https://github.com/jessfraz/netns

OCI & runc Futures

● Entry point for OS-level container technology implementations and added enhancements○ Recent examples: seccomp, user namespaces, checkpoint/restore

○ Many smaller examples (lots of changes required for fully unprivileged

containers)

● More users and contributed implementations (for runtime and image)

● What will you do with runc and the OCI specifications?