Docker: Hosting Small Sandboxed Applications

Transcript

1. DOCKER HOSTING SMALL SANDBOXED APPLICATIONS Created by / Simon Cross

   @hodgestar

2. THE PROBLEM Other people's logic ... you'd like to run

   it.

3. IDEA 1: SECURE LANGUAGE IMPLEMENTATION

4. Have to sacrifice features :( ... or start implementing your

   own filesystem API ... and networking stack.

5. Turing Completeness implies ... ... Halting Problem ... Rice's Theorem

6. Adding support for the second language is as much work.

7. Somewhat successful examples: some JVMs , PyPy , Rhino. Often

   end up looking like a VM ...

8. Utter failure: Retrofit sandbox to existing implementation E.g. CPython, Node.js

9. IDEA 2: VIRTUALIZATION If we're going to write a VM

   ... let's do it!

10. Hey! This is great!

11. Hmm. I need a VM per-person at least. The overhead

    to run a 100 lines of code is pretty big. Do I really need a complete OS and virtual machine for this?

12. Um. I wish I had some tools for managing stuff

    ... How do I talk to my original application?

13. DOCKER! ... and (GNU/)Linux containers.

14. INSTALLING (version 0.5.3) (version 0.6.1) (bleeding edge) Official dotCloud PPA

    http://get.docker.io/ Repo on GitHub

15. FIRST STEPS docker pull ubuntu ... wait a bit ...

    docker -i -t ubuntu:12.10 /bin/bash

16. CUSTOMIZING AN IMAGE C O N T A I N

    E R = $ ( d o c k e r r u n - d u b u n t u : 1 2 . 1 0 a p t - g e t i n s t a l l - y c u r l ) d o c k e r c o m m i t - m " I n s t a l l e d c u r l " $ C O N T A I N E R $ U S E R / b e t t e r b a s e d o c k e r p u s h $ U S E R / b e t t e r b a s e

17. IMPLEMENTING

18. So we have a container, now what?

19. We need to expose functionality.

20. STDIN / STDOUT

21. OUTSIDE Write a process that talks to sandboxed code. Write

    a framework so you can easily add new resources. Communicate with the sandbox using a simple protocol.

22. INSIDE Write a utility library to make the sandbox cooler.

    Write a good testing framework.

23. MY USER CASE Vumi SMSes arrive Javascript (Node.js)

24. HALT? BY SIMON CROSS / HODGESTAR.ZA.NET

25. OTHER REASONS TO USE CONTAINERS Avoiding dependency hell. Another layer

    of security. Being able to migrate processes between machines (tricky).

26. REFERENCES Docker on GitHub Docker PPA http://get.docker.io/ Vumi