
Ian J, Salama A.B

An Introduction to containers (with docker) and container orchestration.

Ian Juma

March 31, 2017

Transcript

  1. Container?
     Like a lightweight VM
     Process namespace
     Network interface
     Run as root
     Install stuff
     Can mess up with routing
  2. Implementing containers
     What containers are made of?
     ➔ cgroups: control groups constrain resource consumption
     ➔ namespaces: define isolation primitives
     ➔ fs hacks: provide a unique and isolated fs to be used by containers, they need a fs!
  3. memory cgroup - accounting
     Keep track of pages used by groups
     “Charge” pages to a group
     Pages can be shared across groups
     When pages are shared the groups are billed together
  4. memory cgroup - limiting
     Each group can have optional hard/soft limits
     Soft limits are not enforced (no one dies; but under mem pressure they influence a reclaim)
     Hard limits trigger an OOM-killer
     You could also implement an OOM-notifier
     Limits can be set for physical, kernel, and total memory
  5. cpu, cpuset cgroup - accounting
     Keep track of user/system CPU time
     Keep track of usage per CPU
     Allow setting CPU weights
     Pin groups to specific CPUs - affinity
     Reserve a CPU for specific process groups
  6. PID 1 is placed at the root of each hierarchy (think init)
     When a process is spawned, it is placed in the same groups as its parent
     cgroups are just files in Linux - UNIX philosophy
     Groups are materialized by one or multiple pseudo-fs (typically mounted in /sys/fs/cgroup)
     Groups are created by mkdir in the pseudo-fs
     The cgroup wars: systemd vs cgmanager vs cgroupfs (libcontainer)
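The two slides above (memory hard/soft limits, and groups as directories and files under /sys/fs/cgroup) can be exercised with nothing but mkdir, printf and awk. The script below is an added example, not part of the deck; it assumes the cgroup v2 unified hierarchy (memory.max, memory.high, cpu.max, cgroup.procs, memory.events are the kernel's real file names), and the function names, the group name "demo" and the 256M/200M/half-a-CPU values are constructed for illustration. On a real host it needs root; with CGROUP_ROOT pointed at a scratch directory it only shows the file layout.

```shell
#!/bin/sh
# Added example, not from the slide deck: drive the cgroup v2 (unified
# hierarchy) file interface directly. On a real host this needs root and
# cgroup v2 mounted at /sys/fs/cgroup; CGROUP_ROOT may be pointed at a
# scratch directory to exercise the same file layout without privileges.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# A child group only gets memory.* and cpu.* control files once its parent
# delegates those controllers through cgroup.subtree_control.
cgroup_enable_controllers() {
    printf '+memory +cpu\n' > "$CGROUP_ROOT/cgroup.subtree_control"
}

# "Groups are created by mkdir in the pseudo-fs": the kernel populates the
# control files itself. On a plain scratch directory they are created empty
# here so the remaining functions behave the same way.
cgroup_create() {
    grp="$CGROUP_ROOT/$1"
    mkdir -p "$grp" || return 1
    for f in memory.max memory.high cpu.max cgroup.procs memory.events; do
        [ -e "$grp/$f" ] || : > "$grp/$f"
    done
}

# $2 hard limit (memory.max): exceeding it invokes the OOM killer in the group.
# $3 soft limit (memory.high): exceeding it only triggers reclaim and throttling.
# $4/$5 CPU quota and period in microseconds (cpu.max); 50000 100000 = half a CPU.
cgroup_set_limits() {
    grp="$CGROUP_ROOT/$1"
    printf '%s\n' "$2" > "$grp/memory.max"
    printf '%s\n' "$3" > "$grp/memory.high"
    printf '%s %s\n' "$4" "$5" > "$grp/cpu.max"
}

# Move a process into the group; processes it spawns later inherit the group.
cgroup_attach() {
    printf '%s\n' "$2" > "$CGROUP_ROOT/$1/cgroup.procs"
}

# Read back how often the hard limit fired: memory.events carries lines such
# as "oom_kill 2". Prints 0 when the counter is absent.
cgroup_oom_kills() {
    awk '$1 == "oom_kill" { print $2; found = 1 }
         END { if (!found) print 0 }' "$CGROUP_ROOT/$1/memory.events"
}

# End-to-end walk-through; run as root on a cgroup v2 host, or with
# CGROUP_ROOT=$(mktemp -d) to look at the resulting files without privileges.
cgroup_demo() {
    cgroup_enable_controllers
    cgroup_create demo
    cgroup_set_limits demo 256M 200M 50000 100000
    cgroup_attach demo "$$"
    printf 'memory.max=%s cpu.max=%s oom_kills=%s\n' \
        "$(cat "$CGROUP_ROOT/demo/memory.max")" \
        "$(cat "$CGROUP_ROOT/demo/cpu.max")" \
        "$(cgroup_oom_kills demo)"
}
```

This is the same mechanism the Docker slides later wrap in flags: on a cgroup v2 host, `docker run --memory 256m --cpus 0.5` ends up writing memory.max and cpu.max for the container's group, and a container killed for exceeding `--memory` shows up as a non-zero oom_kill counter in that group's memory.events, which is the first place to look when a container "just died".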
  7. docker
     What is docker? Just cgroups, namespaces + a high-level API to manage images, distribution and packaging, client and resource allocation.
     Docker is a glorified .deb/.tar distributor!!
     Container runtimes: rkt, docker - runC, containerd, OpenVZ, systemd-nspawn
     OCI - initiative to standardize container runtimes and images
     OCI - open image format spec, OCR - open container runtime
  8. Why docker?
     Mainstream containers for everyone
     Easy packaging of artifacts
     Easy distribution of artifacts (via an image registry)
     Consistent environment between dev and prod
     Treat infrastructure as immutable - containers as disposable environments
     Increased utilisation when multiple containers are run together
  9. Docker Engine
     ❖ Docker runtime
     ❖ Manages containers, networks, volumes, images, etc.
     ❖ Runs on host (Linux - support for macOS through xhyve :) )
     ❖ Provides a nice REST API
  10. Docker Client
     ❖ Simple CLI tool with commands to:
       ➢ Build images
       ➢ pull/push images to/from a registry
       ➢ Create, run, stop, restart, kill containers
       ➢ Create, remove, link networks
       ➢ Create, remove volumes (storage)
     ❖ Very similar to the git CLI
     ❖ Dockerfile
       ➢ Blueprint for building images
       ➢ Used nicely with docker-compose for development
  11. Challenges with Docker
     Networking - host, overlay, bridge
     Service discovery
     Container orchestration
     Storage containers? DB
     Docker in production - storage drivers, logging
     Network isolation when running multiple container groups
  12. Solving growing pains
     Orchestration
     Service discovery
     Networking
     Container per IP
     Container networking and isolation with Calico and FAN - SDN
     Replication of tasks - controllers
     init for the DC
     New problems with monitoring and partitions