Containers: a Basic Look Under The Hood

Transcript

1. Containers The basics David Julia - Jan 2015

2. Today’s Topics • What is containerization • Why/when to use

   Containers vs Vms • How to get Started

3. What are containers? Anyone…?

4. Containerization: Working Definition “Virtualization via resource management and user space

   isolation at an OS level”

5. Containerization Implies... Bye Goodbye, Hypervisor

6. Containerization Implies... OS support for containerization

7. None
8. None

9. Specifically LXC and Garden-Linux (Go Pivotal!) Let’s talk Linux **lmctfy

   (Google’s) and others are probably very similar!

10. Linux Containerization Technologies LXC, Garden-Linux cgroups namespaces Union File System

11. Cgroups - Resource Management Per-Group Limit, Control, and Monitoring of:

    • CPU, Memory utilization • Network Traffic priority • Block I/O (bandwidth, upper limits) • processes (checkpoint, freeze, restart)

12. Namespaces - Isolation • PID • Network - iptables rules,

    routing tables, etc ◦ Can connect network namespaces via veth • UTS - hostname • Mount - different fs layout, read-only mounts • IPC - per namespace system V IPC • User -uid isolation (prevents setuid exploits)

13. Union File Systems • Eg. Aufs, OverlayFS • Copy-On-Write File

    Systems

14. Process Virtual File System OverlayFS tmpfs (read only) EXT3, NFS,

    whateverFS (writable) dj@computer> echo “hello” > ~/hi hello dj@computer> ~/hi

15. Process Virtual File System OverlayFS tmpfs (read only) EXT3, NFS,

    whateverFS (writable) dj@computer> cat ~/hi XP 4 LYFE!!!! dj@computer> ~/hi Found it!

16. Process Virtual File System OverlayFS tmpfs (read only) EXT3, NFS,

    whateverFS (writable) dj@computer> cat ~/hi XP 4 LYFE!!!! dj@computer> ~/pi Found it! Didn’t find in highest priority fs!

17. Containers Divorce OS provisioning from machine provisioning Divorces app environment

    provisioning from OS provisioning Virtual Machines

18. Containers Virtualized devices (network, disk) -different OS entirely -kernel modules

    for guest additions Moderated access to devices -same kernel as host Virtual Machines

19. Containers Provisioning: 10 minutes Resource intensive Snapshotting: Minutes, disk intensive

    Provisioning: <1 sec, no real resource drain Snapshotting: Seconds Virtual Machines

20. WHY Containers vs VM? Startup Time/resources Lightweight Don't incur performance

    penalty of hypervisor Don't need hardware assisted virtualization enabled (run same container on aws, local) Self-service

21. So VM's are dead, right?! NO!!!

22. VMs + Containers = <3 Given heterogeneous OS requirements in

    the enterprise (legacy .Net anyone?) VMs + Containerization = Best of Both Worlds *with a slight performance penalty

23. How do I use it today?

24. cf push

25. DOCKER!

26. Docker User Friendly Layer! LXC, Garden-Linux cgroups namespaces Union File

    System

27. Docker • Application-centric, not server-centric • User/Deployment Friendly: ◦ Versioned

    Images ◦ Central Image Repo ◦ Useful/Easy CLI ◦ easy to mount shared writable volumes ◦ easy to pass in env vars from host

28. Docker: Build an Image locally: >docker build myImage >docker tag

    myImage:v1 >docker push myImage:v1

29. Docker: Deploy On server: >docker pull myImage:v1 >docker run myImage

    -e SECRET=”sauce” \ -e COOL_ENV_VAR_FROM_SERVER

30. Use Case For TODAY Test/Build Infrastructure! • CI pulls/runs the

    same docker images that devs use locally • Self-Service CI- No more waiting on ops • Builds can do crazy destructive things in containers, who cares!

31. Trends • OS independent Containerization APIs ◦ Warden -> Garden

    + Garden-Linux ◦ Docker’s libcontainer • Thin, Per-Application Containers • IAAS/PAAS support for Containerization • Container-native clouds ◦ Kubernetes, CoreOS, Lattice