Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Microcontainers and Tools for Hardcore Container Debugging
Vish Ishaya Abrams, TJ Fontaine
September 7th, 2017, Container Native Meetup
Who Are We?
• Former Maintainer of Node.js
• Authors of Oracle Open Source Container Utilities
• Founder of OpenStack at NASA
Agenda
What is a Container?
Intro to Microcontainers
Building Microcontainers
Container Debugging
Questions and Answers
WHAT IS A CONTAINER?
A container is:
1. An application bundled with its dependencies (also called a container image).
2. A running copy of that application that has been isolated from other system resources via a container runtime.
Container Workflow
(Diagram) On the Build Host, the Application is built into a Container Image and uploaded to a Container Image Repository; the Container Host downloads the Container Image and runs it as a Container, with a Continuous Delivery System and a Container Orchestrator coordinating the two hosts.
Container Images
• Like a VM image
• Immutable Bundle
• Application code plus dependencies
• Portable across different hosts
Running Container
• Like a virtual machine
• Protected from host and other applications via:
– Isolation of Owned Resources – Namespaces
– Restriction of Actions – Capabilities
– Limits on Shared Resources – Cgroups
Isolation – Namespaces + Access Control
• Linux Namespaces
– User
– IPC
– UTS
– Network
– Mount
– Process (PID)
• Access Control: SELinux/AppArmor
– Prevents access to other resources in the event of a namespace escape
Restriction – Capabilities + Setuid + Seccomp
• Drop Linux capabilities
• Setuid/Setgid to a limited user and group
• Restrict access to syscalls via seccomp
Limits – Cgroups + Resource Limits
• Cgroups are primarily used to control
– Memory
– CPU
– Block IO
• Other Resource Limits
– Prevent filling up disk (quotas)
– Prevent overloading host daemons (rate limiting)
– Prevent network saturation (QoS)
Container Orchestrator
• Primarily designed for stateless microservices
• Schedules work across a fleet of machines
• Keeps multiple copies of an application running
• Allows for dynamic scaling of application
• Defines how applications can communicate
Containerization Operational Changes
• Rebuild instead of security patch
• Different monitoring tools
• Deployment as immutable artifacts
• Build tooling vs configuration management
Worst Practices
• Developers without an operations mentality
• Multiple applications per container
• Lack of CI/CD automation
• Container Bloat
• Handling of security vulnerabilities
Oracle – Open Source Contributions
railcar
An alternative Docker runtime implemented in Rust, following the Open Container Initiative (OCI) Runtime Spec.
smith
A simple command line utility for building microcontainers from rpm packages or Open Container Initiative images.
crashcart
A simple command line utility that lets you side load an image with Linux binaries into an existing container. Facilitates easier debugging.
INTRO TO MICROCONTAINERS
Microcontainers
What’s wrong with big containers?
• Large images
– Often > 1 GB in size
• Bloat
– I wanted a banana. I got the banana and a jungle and an 800 lb gorilla
• Privilege escalation
– A whole Linux user space means a bigger attack surface
• Vulnerability management
– What files do I really need to patch?
A Microcontainer
• Contains only
– Single executable
– Dependencies (of the executable)
• Runs with a read-only root filesystem
• Files are all owned and read by a single user
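An added illustration (not smith's code) of the two rule sets above, the Restriction slide's dropped capabilities, unprivileged user and seccomp allowlist, and the microcontainer's single executable plus dependencies on a read-only root: it collects a binary's shared-library dependencies from ldd output, copies only those files into a rootfs, and emits an OCI runtime config that enforces the rules. The ldd text, the /usr/sbin/httpd path, uid/gid 1000 and the syscall allowlist are constructed for the example.

```python
import os
import re
import shutil

# Constructed ldd output for a hypothetical httpd binary (sample input, not from the slides).
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd2f5f0000)\n"
    "\tlibpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1a3c000000)\n"
    "\tlibc.so.6 => /lib64/libc.so.6 (0x00007f1a3bc00000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a3c200000)\n"
)
_DEP = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)")  # "name => /path" or a bare "/path" line

def needed_files(ldd_output):
    """Shared objects the binary needs on disk; the kernel-provided vDSO has no file and is skipped."""
    paths = []
    for line in ldd_output.splitlines():
        if "not found" in line:  # fail at build time instead of at container start
            raise FileNotFoundError(line.strip())
        m = _DEP.match(line)
        if m:
            paths.append(m.group(1))
    return paths

def build_rootfs(binary, ldd_output, rootfs, src_root="/"):
    """Copy only the executable and its dependencies into rootfs, keeping their original paths."""
    copied = []
    for src in [binary] + needed_files(ldd_output):
        dst = os.path.join(rootfs, src.lstrip("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(src_root, src.lstrip("/")), dst)
        copied.append(dst)
    return copied

def oci_config(binary, uid, gid, allowed_syscalls):
    """OCI runtime config for the microcontainer rules: read-only root, one unprivileged user,
    no capabilities, no privilege gain through setuid files, and a seccomp allowlist."""
    return {
        "ociVersion": "1.0.0",
        "root": {"path": "rootfs", "readonly": True},
        "process": {
            "args": [binary],
            "user": {"uid": uid, "gid": gid},
            "noNewPrivileges": True,
            "capabilities": {k: [] for k in ("bounding", "effective", "permitted", "inheritable")},
        },
        "linux": {"seccomp": {"defaultAction": "SCMP_ACT_ERRNO",
                              "syscalls": [{"names": allowed_syscalls, "action": "SCMP_ACT_ALLOW"}]}},
    }
```

Writing `oci_config(...)` as `config.json` beside the `rootfs` directory gives an OCI bundle; the syscall allowlist should come from profiling the actual binary, since an incomplete list makes it fail with EPERM rather than run with broader privileges.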
Result
• Small image
– Eliminating layers reduces complexity
• Fast, easy distribution
• Smaller attack surface
• Certainty over vulnerabilities
BUILDING MICROCONTAINERS (Demo)
Links
• https://blogs.oracle.com/developers/the-microcontainer-manifesto
• https://github.com/oracle/smith
• https://hackernoon.com/how-to-build-a-tiny-httpd-container-ae622c37db39
CONTAINER DEBUGGING (Demo)
Links
• https://blogs.oracle.com/developers/hardcore-container-debugging
• https://github.com/oracle/crashcart
• http://man7.org/linux/man-pages/man1/nsenter.1.html
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
QUESTIONS & ANSWERS
More Information
• Contact Us: [email protected]@oracle.com