Containers from Scratch

Eric Chiang
October 12, 2016

Transcript

  1. Containers from Scratch Eric Chiang Software Engineer @erchiang | github.com/ericchiang

  2. Agenda
    1. Dive into containers!
    2. Talk about the problems they solve.
  5. Containers Like a mini virtual machine.

  6. Virtual machines

  7. Virtual machines (diagram: three OS boxes)

  8. Virtual machines: Isolated operating systems.

  9. Virtual machines: problems

  10. Virtual machines: problems Expensive!

  11. What's a container? Like mini virtual machines.

  12. What's a container? Like mini virtual machines. Just an isolated process. No virtualizing a kernel.

  13. What's a container? Like mini virtual machines. (diagram: Hypervisor; VM (kernel), VM (kernel), VM (kernel); Kernel)

  14. What's a container? Like mini virtual machines. (diagram as slide 13, with a second Kernel added on the container side)
  15. Containers: chroot
    $ sudo chroot rootfs /bin/bash
    #

  16. Containers: namespaces

  17–18. Containers: namespaces
    $ sudo unshare -p -f \
        --mount-proc=$PWD/rootfs/proc \
        chroot rootfs /bin/bash
    #
    $ sudo nsenter --pid=/proc/7897/ns/pid \
        chroot rootfs /bin/bash
    #
  19. Containers: cgroups

  20. Containers: cgroups
    $ ls /sys/fs/cgroup/
    $ sudo
    # mkdir /sys/fs/cgroup/memory/demo
    # echo "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes
    # echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness
    # echo $$ > /sys/fs/cgroup/memory/demo/tasks
    (to clean up, kill the process and run rmdir /sys/fs/cgroup/memory/demo)
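The `unshare`, `nsenter` and cgroup commands on slides 17–20 set isolation up but never verify it. The script below is an added example (not code from the talk) that checks, from inside the process, what isolation actually applies, by reading the same kernel interfaces those commands drive: `/proc/<pid>/ns/*` for namespace identity and `/proc/<pid>/cgroup` plus `/sys/fs/cgroup` for the memory limit. It is Linux-only, `SAMPLE_PROC_CGROUP` is constructed text standing in for a real `/proc/<pid>/cgroup`, and it goes beyond the slides in handling cgroup v2 (`memory.max`) alongside the v1 layout the slides use.

```python
"""Check, from inside a process, what isolation it actually has.

Added example, not code from the talk: it reads the kernel interfaces behind
the `unshare`, `nsenter` and /sys/fs/cgroup commands on the slides, so after
`unshare -p -f ... chroot rootfs /bin/bash` you can verify that the new PID
namespace and the memory cgroup really apply to you. Linux-only; the
SAMPLE_PROC_CGROUP text below is constructed for the example.
"""
import os
from typing import Dict, Optional

NS_KINDS = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")

# Constructed /proc/<pid>/cgroup contents. cgroup v1 (the talk's layout) lines
# are "hierarchy:controller[,controller]:path"; the v2 unified line is "0::path".
SAMPLE_PROC_CGROUP = """\
5:memory:/demo
3:cpu,cpuacct:/
0::/user.slice/demo
"""


def namespace_ids(pid="self") -> Dict[str, str]:
    """Return {kind: "pid:[4026531836]"} from the /proc/<pid>/ns/* symlinks.

    Two processes share a namespace of a kind exactly when these targets match;
    `nsenter --pid=/proc/7897/ns/pid` joins the namespace such a link names.
    """
    ids: Dict[str, str] = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            continue  # kind unsupported by this kernel, pid gone, or not Linux
    return ids


def shares_namespace(pid_a, pid_b, kind: str) -> Optional[bool]:
    """True/False when both namespace links are readable, None otherwise."""
    a = namespace_ids(pid_a).get(kind)
    b = namespace_ids(pid_b).get(kind)
    if a is None or b is None:
        return None
    return a == b


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Map each cgroup controller to the group path the process belongs to."""
    groups: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy, controllers, path = line.split(":", 2)  # path may contain ':'
        if controllers == "":
            groups["unified"] = path            # cgroup v2
        else:
            for ctrl in controllers.split(","):
                groups[ctrl] = path             # cgroup v1
    return groups


def memory_limit_file(groups: Dict[str, str], root: str = "/sys/fs/cgroup") -> str:
    """Path of the process's memory limit: v1 and v2 keep it in different files."""
    if "memory" in groups:  # v1: the file the slide writes with echo
        return f"{root}/memory{groups['memory']}/memory.limit_in_bytes"
    return f"{root}{groups.get('unified', '')}/memory.max"


def effective_v1_limit(requested_bytes: int, page_size: int = 4096) -> int:
    """v1 stores the limit in pages, so a write is rounded down to a page
    boundary: the slide's 100000000 reads back as 99999744."""
    return requested_bytes - requested_bytes % page_size


def read_memory_limit(groups: Dict[str, str]) -> Optional[str]:
    """Read the live limit; 'max' (v2) or a huge number (v1) means unlimited."""
    try:
        with open(memory_limit_file(groups)) as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    print("namespaces:", namespace_ids("self"))
    print("same pid namespace as PID 1:", shares_namespace("self", 1, "pid"))
    try:
        with open("/proc/self/cgroup") as f:
            groups = parse_proc_cgroup(f.read())
    except OSError:
        groups = parse_proc_cgroup(SAMPLE_PROC_CGROUP)
    print("cgroups:", groups)
    print("memory limit:", read_memory_limit(groups))
```

Two caveats a practitioner hits with the slide's commands: v1 rounds `memory.limit_in_bytes` down to a page boundary, so the limit reads back as 99999744 rather than 100000000; and on a cgroup v2 host `/sys/fs/cgroup/memory` does not exist, the limit lives in `memory.max`, membership is written to `cgroup.procs` instead of `tasks`, and there is no `memory.swappiness` file.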
  21. Containers: security
    • Capabilities: limit the power of root
      ◦ sudo setcap CAP_NET_BIND_SERVICE+ep ./hello
    • seccomp: limit the syscalls you can make
    • SELinux: fine-grained access control policies on processes
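Slide 21 names capabilities, seccomp and SELinux without showing how to check what a process ended up with. The script below is an added example (not the talk's code) that decodes the `Cap*` masks in `/proc/<pid>/status`, the check to run inside a container before trusting that its root is limited. `SAMPLE_STATUS` is a constructed status fragment; its `CapEff` value `00000000a80425fb` is the 14-capability default set Docker grants a container, and `ESCAPE_PRONE` is my own shortlist, not a kernel definition.

```python
"""Decode the capability bitmasks a process carries.

Added example, not code from the talk. `setcap CAP_NET_BIND_SERVICE+ep ./hello`
grants one file a single root power; this script shows which powers a running
process actually holds by decoding the Cap* lines of /proc/<pid>/status.
Linux-only; SAMPLE_STATUS is constructed for the example.
"""
from typing import Dict, List, Optional

# Bit index == capability number, from include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# My shortlist (not a kernel list) of capabilities that on their own usually let
# a process undo the isolation the previous slides built: mount, ptrace, load
# modules, read any file, talk to raw devices.
ESCAPE_PRONE = ("CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                "CAP_DAC_READ_SEARCH", "CAP_SYS_RAWIO")

# Constructed /proc/<pid>/status fragment; CapEff is Docker's default set.
SAMPLE_STATUS = """\
Name:\thello
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def parse_status_caps(status_text: str) -> Dict[str, int]:
    """Extract the Cap* hex masks (CapInh, CapPrm, CapEff, CapBnd, CapAmb)."""
    masks: Dict[str, int] = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            masks[key] = int(value.strip(), 16)
    return masks


def decode_caps(mask: int) -> List[str]:
    """Expand a bitmask into capability names, lowest bit first."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def has_cap(mask: int, name: str) -> bool:
    """Is the named capability set in the mask?"""
    return bool(mask >> CAP_NAMES.index(name) & 1)


def escape_prone_caps(mask: int) -> List[str]:
    """Which of the ESCAPE_PRONE capabilities the mask grants."""
    return [c for c in ESCAPE_PRONE if has_cap(mask, c)]


def process_caps(pid="self") -> Optional[Dict[str, int]]:
    """Live masks for a process, or None off Linux / when pid is unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return parse_status_caps(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    masks = process_caps() or parse_status_caps(SAMPLE_STATUS)
    eff = masks["CapEff"]
    print("effective:", decode_caps(eff))
    print("escape-prone:", escape_prone_caps(eff) or "none")
```

`setcap CAP_NET_BIND_SERVICE+ep ./hello` sets the file's permitted and effective bits, so for a non-root user running `./hello` the process's `CapEff` shows only bit 10, which `has_cap(mask, "CAP_NET_BIND_SERVICE")` confirms. A container whose `CapEff` includes `CAP_SYS_ADMIN` can usually mount and escape, which is why `escape_prone_caps` lists it first.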
  22. Container runtimes

  24. Container runtimes: rkt
    $ sudo rkt run \
        quay.io/ericchiang/python:3.5.2 \
        --exec=python3 -- -m http.server
  25. Container runtimes
    • Metadata and tarball formats
    • Discovery of those tarballs
      ◦ rkt run quay.io/coreos/dex
    • Coordinates the underlying technologies
  26. Why containers? Amazingly good at moving applications around.

  27. An app
    $ tree .
    ├── bin
    │   └── my-awesome-app
    ├── server
    │   ├── app.py
    │   └── templates.py
    ├── public
    │   └── main.css
    └── README.md

  28–30. An app (the same tree, annotated)
    How to run it:
    python3 bin/my-awesome-app \
        --port 80 \
        --db postgres://db.com/mydb
    Additional code or resources.
  31–32. Problems: Dependencies. Source code doesn't tell us:
    • What version(s) of Python can run it?
    • What third-party Python packages does it import?
    • What system packages does it depend on?
  33. Solutions: Package management. Take your source code, add a bit of metadata, and put it on the internet.
  34–35. A PyPI example
    # setuptools, not distutils.core: distutils ignores install_requires
    # (it only warns "Unknown distribution option"), so the dependency list
    # below would otherwise be dropped.
    from setuptools import setup

    setup(
        name='my-awesome-app',                        # Package name
        scripts=['bin/my-awesome-app'],               # How to run
        version='0.1',
        description='That thing I wrote',
        author='Eric Chiang',
        url='https://github.com/ericchiang/app',
        download_url='https://github.com/ericchiang/app/tarball/0.1',  # Where to download
        keywords=['webapp', 'awesome'],
        install_requires=['flask', 'jinja2', 'psycopg2'],  # Dependencies
    )
  36. $ pip install my-awesome-app A PyPI example

  37. Package management: problems. Lots of potential conflicts:
    • What if two apps depend on different versions of the same package?
    • What if one app hogs memory or disk?
    • What if one gets hacked?
  38–39. Containers: easy deployments
    • What kind of problems do you run into when it's extremely easy to deploy an app?
    • How do you manage a high number of apps on a single machine?
    (Hint: you should stay around for the next talk.)
  40. Questions? Thanks! eric.chiang@coreos.com | @erchiang | We're hiring: coreos.com/careers | Longer chat? Let's talk: IRC | More events: coreos.com/community