Upgrade to PRO for Only $50/Yearβ€”Limited-Time Offer! πŸ”₯

Containers from Scratch

Avatar for Eric Chiang Eric Chiang
October 12, 2016
1
310

Containers fromΒ Scratch

Avatar for Eric Chiang

Eric Chiang

October 12, 2016
Tweet

More Decks by Eric Chiang

See All by Eric Chiang
Securing a Kubernetes Distribution - Container Security Summit
Avatar for Eric Chiang ericchiang
0
300
KubeCon 2017: SIG auth update
Avatar for Eric Chiang ericchiang
0
270
CoreOS Fest 2017 - Containers from Scratch
Avatar for Eric Chiang ericchiang
3
1.1k
KubeCon 2016: Kubernetes Auth and Access Control
Avatar for Eric Chiang ericchiang
3
970
CoreOS Fest 2016: Kubernetes Access Control with dex
Avatar for Eric Chiang ericchiang
2
800
Kubernetes Access Control with dex
Avatar for Eric Chiang ericchiang
1
8.7k

Featured

See All Featured
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
33
1.4k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.6k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.5k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
15k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
48
9.8k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
190
11k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
24
3.8k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
3k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k

Transcript

  1. Containers from Scratch Eric Chiang Software Engineer @erchiang | github.com/ericchiang

  2. Agenda 1. Dive into containers! 2. Talk about the problems

    they solve.
  3. None
  4. None

  5. Containers Like a mini virtual machine.

  6. Virtual machines

  7. OS OS OS Virtual machines

  8. Virtual machines: Isolated operating systems.

  9. Virtual machines: problems

  10. Virtual machines: problems Expensive!

  11. Like mini virtual machines. What’s a container?

  12. Like mini virtual machines. Just an isolated process. No virtualizing

    a kernel. What’s a container?

  13. Like mini virtual machines. What’s a container? Hypervisor VM (kernel)

    VM (kernel) VM (kernel) Kernel

  14. Like mini virtual machines. What’s a container? Hypervisor VM (kernel)

    VM (kernel) VM (kernel) Kernel Kernel

  15. $ sudo chroot rootfs /bin/bash # Containers: chroot

  16. Containers: namespaces

  17. $ sudo unshare -p -f \ --mount-proc=$PWD/rootfs/proc \ chroot rootfs

    /bin/bash # Containers: namespaces

  18. $ sudo unshare -p -f \ --mount-proc=$PWD/rootfs/proc \ chroot rootfs

    /bin/bash # $ sudo nsenter --pid=/proc/7897/ns/pid \ chroot rootfs /bin/bash # Containers: namespaces

  19. Containers: cgroups

  20. $ ls /sys/fs/cgroup/ $ sudo # mkdir /sys/fs/cgroup/memory/demo # echo

    "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes # echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness # echo $$ > /sys/fs/cgroup/memory/demo/tasks (to clean up kill the process and run rmdir /sys/fs/cgroup/memory/demo) Containers: cgroups

  21. Containers: security β€’ Capabilities: limit the power of root β—¦

    sudo setcap CAP_NET_BIND_SERVICE+ep ./hello β€’ seccomp: limit the syscalls you can make β€’ SELinux: fine grained access control policies on processes

  22. Container runtimes

  23. Container runtimes

  24. $ sudo rkt run \ quay.io/ericchiang/python:3.5.2 \ --exec=python3 -- -m

    http.server Container runtimes: rkt

  25. Container runtimes β€’ Metadata and tarball formats β€’ Discovery of

    those tarballs β—¦ rkt run quay.io/coreos/dex β€’ Coordinates the underlying technologies

  26. Why containers? Amazingly good at moving applications around.

  27. $ tree . β”œβ”€β”€ bin β”‚ └── my-awesome-app β”œβ”€β”€ server

    β”‚ β”œβ”€β”€ app.py β”‚ └── templates.py β”œβ”€β”€ public β”‚ └── main.css └── README.md An app

  28. $ tree . β”œβ”€β”€ bin β”‚ └── my-awesome-app β”œβ”€β”€ server

    β”‚ β”œβ”€β”€ app.py β”‚ └── templates.py β”œβ”€β”€ public β”‚ └── main.css └── README.md An app python3 bin/my-awesome-app \ --port 80 \ --db postgres://db.com/mydb

  29. $ tree . β”œβ”€β”€ bin β”‚ └── my-awesome-app β”œβ”€β”€ server

    β”‚ β”œβ”€β”€ app.py β”‚ └── templates.py β”œβ”€β”€ public β”‚ └── main.css └── README.md An app python3 bin/my-awesome-app \ --port 80 \ --db postgres://db.com/mydb Additional code or resources.

  30. $ tree . β”œβ”€β”€ bin β”‚ └── my-awesome-app β”œβ”€β”€ server

    β”‚ β”œβ”€β”€ app.py β”‚ └── templates.py β”œβ”€β”€ public β”‚ └── main.css └── README.md An app How to run it python3 bin/my-awesome-app \ --port 80 \ --db postgres://db.com/mydb Additional code or resources.

  31. Problems: Dependencies Source code doesn’t tell us:

  32. Problems: Dependencies Source code doesn’t tell us: β€’ What version(s)

    of Python can run it? β€’ What third-party Python packages does it import? β€’ What system packages does it depend on?

  33. Solutions: Package management Take your source code, add a bit

    of metadata, and put it on the internet.

  34. from distutils.core import setup setup( name = 'my-awesome-app', scripts =

    ['bin/my-awesome-app'], version = '0.1', description = 'That thing I wrote', author = 'Eric Chiang', url = 'https://github.com/ericchiang/app', download_url = 'https://github.com/ericcchiang/app/tarball/0.1', keywords = ['webapp', 'awesome'], install_requires = ["flask", "jinja2", "Psycopg2"], ) A PyPI example

  35. from distutils.core import setup setup( name = 'my-awesome-app', scripts =

    ['bin/my-awesome-app'], version = '0.1', description = 'That thing I wrote', author = 'Eric Chiang', url = 'https://github.com/ericchiang/app', download_url = 'https://github.com/ericcchiang/app/tarball/0.1', keywords = ['webapp', 'awesome'], install_requires = ["flask", "jinja2", "Psycopg2"], ) A PyPI example Package name How to run Where to download Dependencies

  36. $ pip install my-awesome-app A PyPI example

  37. Package management: problems Lots of potential conflicts: β€’ What if

    two apps depend on different versions of the same package? β€’ What if one app hogs memory or disk? β€’ What if one gets hacked?

  38. Containers: easy deployments β€’ What kind of problems do you

    run into when it’s extremely easy to deploy an app? β€’ How do you manage a high number of apps on a single machine?

  39. Containers: easy deployments β€’ What kind of problems do you

    run into when it’s extremely easy to deploy an app? β€’ How do you manage a high number of apps on a single machine? (Hint: you should stay around for the next talk.)

  40. [email protected] @erchiang QUESTIONS? Thanks! We’re hiring: coreos.com/careers Let’s talk! IRC

    More events: coreos.com/community LONGER CHAT?