devoxx 2016: a developer's guide to oci and runc
TRANSCRIPT
OCI and runc: A developer's guide for open container tools and projects
Phil Estes, IBM Cloud Open Technology and Architecture
@estesp / [email protected]
About Me

Phil Estes
Senior Technical Staff Member, IBM Cloud, Open Technologies
Container Strategy/Open Source Leader
> Docker community core engine maintainer
> Linux/open source expertise for 15 years @ IBM

Community activities & accomplishments
> Brought user namespace support to the Docker engine
> Helped design v2.2 image specification with multi-platform support
> Implemented first tool to create multi-platform images in Docker v2.3 registry
> Member of the "Docker Captains" program
Open Container Initiative (OCI)

An open governance structure for creating open industry standards: a common container runtime and image format.

• A Linux Foundation Collaborative Project
• Free from control by any particular vendor's specific cloud stack or ecosystem
• Includes a specification, reference runtime* and now, a specified image format

*seeded with runc + libcontainer by Docker
OCI Specs & Status

> Announced June 20th, 2015
> Charter signed on December 8th, 2015
> 49 current member companies
> Both specifications nearing 1.0 release targets

https://opencontainers.org
https://github.com/opencontainers

> Runtime specification: Release 1.0.0-rc2 / September 2016
  https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc2
  1. Very close to an official 1.0 release of the runtime spec
  2. Includes required core for Linux, Windows, and Solaris
> Image format spec: Release 1.0.0-rc3 / October 2016
  https://github.com/opencontainers/image-spec/releases/tag/v1.0.0-rc3
  1. Seeded with Docker registry v2.2 specification
  2. v1.0.0-rc3 approved and released last week
Introduction to `runc`

> runc is a client wrapper around libcontainer
> libcontainer is the OS-level interface for containers
> Other platforms and architectures can implement the libcontainer API via their own primitives/system-level container concepts
$ docker run -it --read-only -v /host:/hostpath alpine sh
/ #

config.json (excerpt as shown on the slide):

{
  "ociVersion": "0.6.0-dev",
  "platform": {
    "os": "linux",
    "arch": "amd64"
  },
  "process": {
    "terminal": true,
    "args": [ "sh" ],
    "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/bin"
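The slide pairs a `docker run` command line with the OCI runtime config.json that ends up describing the container. The following is an added example, not code from the talk or from the runc project: it maps a few docker-run-style options (the same ones the slide uses: a TTY, `--read-only`, a `-v host:container` bind mount) onto the config.json fields the OCI runtime spec defines (`ociVersion`, `platform`, `process`, `root`, `mounts`), audits the security-relevant settings before a bundle is handed to `runc run`, and lays the bundle out as `config.json` plus a `rootfs` directory. The `docker_args_to_config`, `audit_config` and `write_bundle` names, the default mounts and the full `PATH` value are this example's own assumptions.

```python
"""Added example (not from the talk or the runc project): build the kind of
OCI runtime config.json the slide excerpt shows from a small set of
docker-run-style options, and check the security-relevant fields before the
bundle is given to runc.  Field names follow the OCI runtime spec as shown on
the slide; the mapping and audit helpers are this example's own."""
import json
import os
import tempfile

# The slide truncates the PATH value; the full value here is a constructed
# assumption, not taken from the talk.
DEFAULT_ENV = ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
               "TERM=xterm"]


def parse_volume(spec):
    """Turn a docker '-v host:container[:ro]' string into an OCI bind mount."""
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError("volume must be host:container[:options]: %r" % spec)
    source, destination = parts[0], parts[1]
    options = ["rbind"]
    # Docker defaults a bind mount to read-write unless ':ro' is given.
    options.append("ro" if len(parts) > 2 and "ro" in parts[2].split(",") else "rw")
    return {"destination": destination, "type": "bind",
            "source": source, "options": options}


def docker_args_to_config(args, read_only=False, volumes=(), tty=False):
    """Produce the OCI config.json dict for `docker run [...] alpine <args>`."""
    mounts = [  # hypothetical minimal defaults a shell in the container needs
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
         "options": ["nosuid", "strictatime", "mode=755", "size=65536k"]},
    ]
    mounts += [parse_volume(v) for v in volumes]
    return {
        "ociVersion": "0.6.0-dev",  # version string as shown on the slide
        "platform": {"os": "linux", "arch": "amd64"},
        "process": {
            "terminal": tty,
            "user": {"uid": 0, "gid": 0},
            "args": list(args),
            "env": list(DEFAULT_ENV),
            "cwd": "/",
            "noNewPrivileges": True,
        },
        "root": {"path": "rootfs", "readonly": read_only},
        "mounts": mounts,
    }


def audit_config(config):
    """Return the findings a reviewer wants to see before `runc run`."""
    findings = []
    if not config["root"].get("readonly", False):
        findings.append("rootfs is writable (no --read-only)")
    for m in config.get("mounts", []):
        if m.get("type") == "bind" and "rw" in m.get("options", []):
            findings.append("host path %s is bind-mounted read-write at %s"
                            % (m["source"], m["destination"]))
    if not config["process"].get("noNewPrivileges", False):
        findings.append("process may gain privileges (noNewPrivileges unset)")
    return findings


def write_bundle(config, bundle_dir):
    """Lay out <bundle>/config.json and <bundle>/rootfs as `runc run` expects."""
    os.makedirs(os.path.join(bundle_dir, config["root"]["path"]), exist_ok=True)
    path = os.path.join(bundle_dir, "config.json")
    with open(path, "w") as f:
        json.dump(config, f, indent=2)
    return path


if __name__ == "__main__":
    # Equivalent of the slide's: docker run -it --read-only -v /host:/hostpath alpine sh
    cfg = docker_args_to_config(["sh"], read_only=True,
                                volumes=["/host:/hostpath"], tty=True)
    for finding in audit_config(cfg):
        print("finding:", finding)
    with tempfile.TemporaryDirectory() as d:
        print("bundle written:", write_bundle(cfg, d))
```

Run as-is, the audit reports one finding for the slide's command line: the rootfs is read-only, but `/host` is still mounted read-write at `/hostpath`, which is exactly the kind of detail worth reading out of config.json rather than assuming from `--read-only`. A bundle written by `write_bundle` has the `config.json` + `rootfs/` layout the later `runc run` demo relies on (an actual root filesystem, e.g. an extracted alpine image, still has to be placed in `rootfs/`).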
runc in the "Wild"

● CloudFoundry Garden OCI implementation
  ● https://github.com/cloudfoundry-incubator/guardian
  ● Uses runc as a backend for container execution
● Docker 1.11 (and above)
  ● Switched from direct libcontainer API linkage to calling runc as container executor
  ● Uses containerd as a gRPC daemon to disconnect Docker daemon (API/mgmt) from container execution (allows daemon restart in future without container runtime impact)

> Ports/Implementations:
  runv - Hyper.sh; small & lightweight hypervisor wraps contained process
  runz - Solaris zones implementation
How does Docker use runc?

  Docker client/API
        |  HTTP/REST
  Docker engine          https://github.com/docker/docker
        |  gRPC
  containerd             https://github.com/docker/containerd
      /        \
  ctr-shim    ctr-shim
     |           |
   runc        runc      https://github.com/opencontainers/runc
OCI Image Tools

> Docker engine save/load support for OCI format underway
  https://github.com/docker/docker/pull/26369
> `oci-fetch` tool being developed to pull OCI format images
  https://github.com/containers/oci-fetch
> Official OCI project for image tooling (create/verify/etc.)
  https://github.com/opencontainers/image-tools
> `acbuild` (ACI/rkt tooling) support for OCI image format
  https://github.com/containers/build/issues/249
> `skopeo` image query/fetch tool has support for OCI image format
  https://github.com/projectatomic/skopeo
@estesp
github.com/estesp
https://integratedcode.us
IRC: estesp
DEMO

$ runc run alpine
/ #

/usr/bin/runc            https://github.com/opencontainers/runc
/usr/bin/ocitools        https://github.com/opencontainers/ocitools
/usr/local/bin/riddler   https://github.com/jessfraz/riddler
/usr/local/bin/netns     https://github.com/jessfraz/netns
OCI & runc Futures

● Entry point for OS-level container technology implementations and added enhancements
  ○ Recent examples: seccomp, user namespaces, checkpoint/restore
  ○ Many smaller examples (lots of changes required for fully unprivileged containers)
● More users and contributed implementations (for runtime and image)
● What will you do with runc and the OCI specifications?