CoreOS rkt, appc, CNI: in pursuit of a platform

Transcript

1. CoreOS rkt Many ways to contain a container Josh Wood

   DocOps at CoreOS @joshixisjosh9
2. None

3. We’re hiring in all departments! Email: [email protected] Positions: coreos.com/ careers

   90+ Projects on GitHub, 1,000+ Contributors OPEN SOURCE CoreOS.com - @coreoslinux - github/coreos Secure solutions, support plans, training + more ENTERPRISE [email protected] - tectonic.com - quay.io CoreOS Runs the World’s Containers

4. Bare-minimal containers Why? Clair: Open source container security analyzer: CVE-2014-0160,

   aka "Heartbleed" - threatened 80% of Docker images hosted on Quay last quarter Incessant updates the only answer (like CoreOS itself)

5. Bare-minimal containers Reduce security surface and management surface Simplest: Write

   Go, link statically, package app solo in ACI More complex, dynamic linking required: Reduce the base. Alpine vs Ubuntu (Docker hub recently) See also: buildroot, Brian Harrington’s talk

6. App Container (appc) github.com/appc [email protected]

7. appc spec in a nutshell - Image Format (ACI) -

   what does an application consist of? - Image Discovery and Verification - how can an image be located? signed/validated? - Pods - how can applications be grouped and executed? - Executor (runtime) - what does the execution environment look like?

8. appc image building - github.com/appc/acbuild - Driven by shell or

   Make - not an unspec’d DSL - No daemon and no “pushing to daemon” - Manifest declares container image, and groups those into Pods

9. $ actool discover coreos.com/etcd ACI: https://github.com/.../etcd-darwin-amd64.aci ASC: https://github.com/.../etcd-darwin-amd64.aci. asc Keys:

   https://coreos.com/dist/pubkeys/aci-pubkeys. gpg $ .aci: signatures and discovery

10. appc and OCI: Watch this space Open Container Initiative: participant

    with Docker This work has always been in pursuit of a community standard specification for a container image Docker v2.2 implements some aci concepts; convergence? Spur innovation between friendly rivals until shakes out

11. rkt A modern, secure container runtime Simple CLI tool -

    exorcism (no daemon) - modular Implements AppC container spec
12. None

13. rkt run • Isolates containers with the linux container primitives,

    systemd-nspawn • Container apps in a machine slice PID namespace • Composable: Manage with standard init tools; systemd • Network isolation
14. None

15. $ rkt run quay.io/josh_wood/caddy rkt: using image from local store

    for image name coreos.com/rkt/stage1-coreos:0.15.0 rkt: using image from local store for image name quay.io/josh_wood/caddy [ 1161.330635] caddy[4]: Activating privacy features... done. [ 1161.333482] caddy[4]: :2015 $ rkt run

16. Don’t reimplement init rkt leverages systemd infrastructure and tools: $

    systemctl status $ machinectl $ systemd-run - ephemeral or testing service handle Another minimization of surface and management tasks

17. rkt fly • Leverages the packaging, discovery, distribution, and validation

    features of rkt/appc • Reduced isolation for privileged components • chroot file system isolation only • Has access to host-level mount, network, PID name spaces • Method for shipping k8s kubelet in CoreOS

18. $ rkt run \ --stage1-image=/usr/share/rkt/stage1-fly.aci \ quay.io/josh_wood/caddy rkt: using image

    from local store for image name coreos.com/rkt/stage1-fly:0.15.0 rkt: using image from local store for image name quay.io/josh_wood/caddy [ 1161.333482] caddy[4]: :2015 $ rkt run stage1=fly

19. CNI: What’s the problem? SDN, NFV is great -- all

    of them: Container engines and images, likewise...

20. SDN: So Darnmany Networks? linux-bridge macvlan ipvlan Open vSwitch Weave

    Project Calico flannel

21. What’s the problem(s)? Cloud, on-prem wiring: AWS GCP Azure Rackspace

22. How to allocate IP addresses? - From a fixed block

    on a host - DHCP - IPAM system backed by SQL database - SDN assigned: e.g. Weave, flannel - Provider policy and API

23. Container Network Interface (CNI) Part of the appc effort: •

    Open source • Open specification • Composable, tools philosophy • CNI == Kubernetes network plugin model

24. Container Runtime (Kubernetes, rkt, ...) veth macvlan ipvlan OVS Container

    Networking Interface (CNI)

25. CNI: A VFS for Container Networking - Abstraction layer for

    network configuration - Single API to multiple, extensible networks - Narrow, simple API - Plugins for third-party implementations

26. Container Network Interface - Container can join multiple networks -

    Network described by JSON config - Plugin supports two commands - Add container to the network - Remove container from the network

27. CNI Network Configuration $ cat /etc/cni/net.d/10-mynet.conf { "name": "mynet", "type":

    "bridge", "ipam": { "type": "host-local", "subnet": "10.10.0.0/16" } }

28. rkt, CNI and Kubernetes on CoreOS • rkt fly executes

    kubelet: packaging and distribution of containers, ns at host level • rkt is container execution engine, runs cluster work • Pod :: Pod • CNI: Native k8s network plugin model • Write containers, pods, and CNI plugins!

29. The smartest way to run your container infrastructure. tectonic.com @tectonic

30. Distributed Trusted Computing - TPM-based cryptographic validation of boot, OS,

    and application runtime components - Hashes must match to boot and/or join cluster - rkt logs pod executions to tamper-resistant TPM facility - Chain of trust from TPM hardware up through the cluster application stack

31. coreos.com/fest - @coreosfest May 9 & 10, 2016 - Berlin,

    Germany

32. See also: • coreos.com/rkt • github.com/appc/cni • blog.kubernetes.io/2016/01/why-Kubernetes- doesnt-use-libnetwork.html •

    https://docs.google. com/presentation/d/1aFraZcWg5kXKTpuWwDs m4XBM__BVcP70P0X1sNGUTi0/edit? usp=sharing

33. Thank you! Josh Wood @joshixisjosh9 | [email protected] | github.com/joshix We’re

    hiring in all departments! Email: [email protected] Positions: coreos.com/ careers