CoreOS rkt, appc, CNI: in pursuit of a platform

(Seattle Microservices Meetup, BlueBox Group: http://www.meetup.com/SEAMicroservices/events/228267067)

Josh Wood

March 30, 2016

Transcript

  1. We’re hiring in all departments! Email: [email protected] Positions: coreos.com/careers
     CoreOS Runs the World’s Containers
     OPEN SOURCE: 90+ projects on GitHub, 1,000+ contributors. CoreOS.com - @coreoslinux - github/coreos
     ENTERPRISE: secure solutions, support plans, training + more. [email protected] - tectonic.com - quay.io
  2. Bare-minimal containers: why?
     - Clair: open source container security analyzer
     - CVE-2014-0160, aka "Heartbleed", threatened 80% of Docker images hosted on Quay last quarter
     - Incessant updates are the only answer (like CoreOS itself)
  3. Bare-minimal containers
     - Reduce the security surface and the management surface
     - Simplest: write Go, link statically, package the app solo in an ACI
     - More complex, when dynamic linking is required: reduce the base. Alpine vs Ubuntu (Docker Hub recently)
     - See also: buildroot, Brian Harrington’s talk
  4. appc spec in a nutshell
     - Image Format (ACI): what does an application consist of?
     - Image Discovery and Verification: how can an image be located? signed/validated?
     - Pods: how can applications be grouped and executed?
     - Executor (runtime): what does the execution environment look like?
  5. appc image building
     - github.com/appc/acbuild
     - Driven by shell or Make, not an unspec’d DSL
     - No daemon and no “pushing to daemon”
     - Manifest declares the container image, and groups those into Pods
  6. appc and OCI: watch this space
     - Open Container Initiative: participant with Docker
     - This work has always been in pursuit of a community standard specification for a container image
     - Docker v2.2 implements some ACI concepts; convergence?
     - Spur innovation between friendly rivals until it shakes out
  7. rkt: a modern, secure container runtime
     - Simple CLI tool: exorcism (no daemon), modular
     - Implements the appc container spec
  8. rkt run
     • Isolates containers with the Linux container primitives, via systemd-nspawn
     • Container apps run in a machine slice and their own PID namespace
     • Composable: manage with standard init tools (systemd)
     • Network isolation
  9. $ rkt run
     $ rkt run quay.io/josh_wood/caddy
     rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.15.0
     rkt: using image from local store for image name quay.io/josh_wood/caddy
     [ 1161.330635] caddy[4]: Activating privacy features... done.
     [ 1161.333482] caddy[4]: :2015
  10. Don’t reimplement init
     rkt leverages systemd infrastructure and tools:
     $ systemctl status
     $ machinectl
     $ systemd-run  (ephemeral or testing service handle)
     Another minimization of surface and management tasks
  11. rkt fly
     • Leverages the packaging, discovery, distribution, and validation features of rkt/appc
     • Reduced isolation for privileged components
     • chroot file system isolation only
     • Has access to the host-level mount, network, and PID namespaces
     • Method for shipping the k8s kubelet in CoreOS
  12. $ rkt run stage1=fly
     $ rkt run \
         --stage1-image=/usr/share/rkt/stage1-fly.aci \
         quay.io/josh_wood/caddy
     rkt: using image from local store for image name coreos.com/rkt/stage1-fly:0.15.0
     rkt: using image from local store for image name quay.io/josh_wood/caddy
     [ 1161.333482] caddy[4]: :2015
  13. CNI: What’s the problem?
     SDN, NFV is great -- all of them.
     Container engines and images, likewise...
  14. How to allocate IP addresses?
     - From a fixed block on a host
     - DHCP
     - IPAM system backed by a SQL database
     - SDN assigned: e.g. Weave, flannel
     - Provider policy and API
  15. Container Network Interface (CNI)
     Part of the appc effort:
     • Open source
     • Open specification
     • Composable, tools philosophy
     • CNI == Kubernetes network plugin model
  16. CNI: a VFS for container networking
     - Abstraction layer for network configuration
     - Single API to multiple, extensible networks
     - Narrow, simple API
     - Plugins for third-party implementations
  17. Container Network Interface
     - A container can join multiple networks
     - Each network is described by a JSON config
     - A plugin supports two commands:
       - Add container to the network
       - Remove container from the network
  18. CNI Network Configuration
     $ cat /etc/cni/net.d/10-mynet.conf
     {
       "name": "mynet",
       "type": "bridge",
       "ipam": {
         "type": "host-local",
         "subnet": "10.10.0.0/16"
       }
     }
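A worked example of the two-command plugin contract from slides 14, 17 and 18, added here and not part of the deck or of the appc/CNI projects' code. It is a Go program (CNI and rkt are written in Go) that parses the 10-mynet.conf shown above, refuses a malformed or unsupported config before touching any network state, and simulates the host-local IPAM plugin's ADD and DEL against the 10.10.0.0/16 block: lowest free address, gateway at network + 1, idempotent repeated ADD, idempotent DEL of an unknown container. The in-memory `hostLocal` store, the `pod-*` container IDs and the exact field names of the ADD result document are assumptions for illustration; a real plugin receives the config on stdin with the command in the CNI_COMMAND environment variable, and host-local persists its leases on disk.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
)

// sampleConf is the slide's 10-mynet.conf, embedded as a constructed copy so the
// program runs offline instead of reading /etc/cni/net.d.
const sampleConf = `{"name": "mynet", "type": "bridge",
  "ipam": {"type": "host-local", "subnet": "10.10.0.0/16"}}`

// NetConf holds the config fields this example understands.
type NetConf struct {
	Name string `json:"name"`
	Type string `json:"type"`
	IPAM struct {
		Type   string `json:"type"`
		Subnet string `json:"subnet"`
	} `json:"ipam"`
}

// parseNetConf validates the config before any network state is touched.
func parseNetConf(raw []byte) (*NetConf, error) {
	var c NetConf
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("config is not valid JSON: %w", err)
	}
	if c.Name == "" || c.Type == "" || c.IPAM.Type != "host-local" {
		return nil, fmt.Errorf("need name, type and ipam.type=host-local, got %+v", c)
	}
	return &c, nil
}

// hostLocal is an in-memory stand-in (hypothetical helper) for the host-local
// IPAM store; the real plugin persists its leases on disk.
type hostLocal struct {
	subnet *net.IPNet
	leases map[string]net.IP // CNI_CONTAINERID -> leased address
}

// newHostLocal rejects anything that is not a parseable IPv4 CIDR block.
func newHostLocal(cidr string) (*hostLocal, error) {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil || n.IP.To4() == nil {
		return nil, fmt.Errorf("need an IPv4 subnet, got %q (%v)", cidr, err)
	}
	return &hostLocal{subnet: n, leases: map[string]net.IP{}}, nil
}

func ip4ToUint(ip net.IP) uint32 { return binary.BigEndian.Uint32(ip.To4()) }
func uintToIP4(u uint32) net.IP  { b := make(net.IP, 4); binary.BigEndian.PutUint32(b, u); return b }

// gateway is the first host address (network + 1), the host-local convention.
func (h *hostLocal) gateway() net.IP { return uintToIP4(ip4ToUint(h.subnet.IP) + 1) }

// allocate hands out the lowest free address, skipping network, gateway and
// broadcast; a repeated ADD for the same container returns its existing lease.
func (h *hostLocal) allocate(containerID string) (net.IP, error) {
	if ip, ok := h.leases[containerID]; ok {
		return ip, nil
	}
	used := map[string]bool{}
	for _, ip := range h.leases {
		used[ip.String()] = true
	}
	ones, bits := h.subnet.Mask.Size()
	size, base := uint32(1)<<uint(bits-ones), ip4ToUint(h.subnet.IP)
	for off := uint32(2); off < size-1; off++ { // 0 network, 1 gateway, size-1 broadcast
		if ip := uintToIP4(base + off); !used[ip.String()] {
			h.leases[containerID] = ip
			return ip, nil
		}
	}
	return nil, fmt.Errorf("subnet %s exhausted", h.subnet)
}

// release is the DEL side; releasing an unknown container is not an error, so a
// DEL retried after a partial failure stays idempotent.
func (h *hostLocal) release(containerID string) { delete(h.leases, containerID) }

// cmdAdd is the ADD command: lease an address and return the result JSON the
// runtime reads from the plugin's stdout (early CNI "ip4" shape; names assumed).
func cmdAdd(h *hostLocal, containerID string) (string, error) {
	ip, err := h.allocate(containerID)
	if err != nil {
		return "", err
	}
	ones, _ := h.subnet.Mask.Size()
	out, err := json.Marshal(map[string]map[string]string{"ip4": {
		"ip": fmt.Sprintf("%s/%d", ip, ones), "gateway": h.gateway().String()}})
	return string(out), err
}

func main() {
	conf, _ := parseNetConf([]byte(sampleConf))
	ipam, _ := newHostLocal(conf.IPAM.Subnet)
	out, _ := cmdAdd(ipam, "pod-a") // constructed container ID
	fmt.Println("ADD pod-a ->", out)
}
```

The validation order is the point: config is parsed and rejected before any address is handed out, the address allocator never returns the network, gateway or broadcast address, and both commands are safe to retry, which is what lets a runtime such as rkt call a plugin without coordinating with a daemon.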
  19. rkt, CNI and Kubernetes on CoreOS
     • rkt fly executes the kubelet: packaging and distribution of containers, with namespaces at host level
     • rkt is the container execution engine; it runs the cluster work
     • Pod :: Pod
     • CNI: native k8s network plugin model
     • Write containers, pods, and CNI plugins!
  20. Distributed Trusted Computing
     - TPM-based cryptographic validation of boot, OS, and application runtime components
     - Hashes must match to boot and/or join the cluster
     - rkt logs pod executions to the tamper-resistant TPM facility
     - Chain of trust from TPM hardware up through the cluster application stack
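The "hashes must match" rule on this slide rests on the TPM's PCR extend operation: a platform configuration register cannot be written, only extended as PCR' = SHA-256(PCR || digest), so its final value commits to every measured component and to the order in which they were measured. The Go program below, added here and not taken from the deck or from CoreOS's code, simulates that chain in software over a constructed boot sequence (bootloader, kernel, rkt stage1, pod app image) and shows why a modified component or a reordered chain yields a different final value and fails the join check. Component names and contents are constructed samples; no TPM is touched.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Measurement is one component in the chain of trust: the thing a boot stage
// measures before handing control to it.
type Measurement struct {
	Name string
	Data []byte // component bytes; constructed samples below, not real images
}

// extend applies the TPM PCR extend rule: PCR' = SHA-256(PCR || digest).
// Because a PCR can only be extended, never set, the final value depends on
// every earlier measurement and on their order.
func extend(pcr, digest []byte) []byte {
	h := sha256.New()
	h.Write(pcr)
	h.Write(digest)
	return h.Sum(nil)
}

// measureChain starts from the reset value (all zeros for a SHA-256 bank)
// and extends once per component, in boot order.
func measureChain(chain []Measurement) []byte {
	pcr := make([]byte, sha256.Size)
	for _, m := range chain {
		d := sha256.Sum256(m.Data)
		pcr = extend(pcr, d[:])
	}
	return pcr
}

// verify is the admission check of the slide in miniature: a node whose
// recomputed PCR differs from the expected value does not boot or join.
func verify(chain []Measurement, expected []byte) bool {
	return bytes.Equal(measureChain(chain), expected)
}

// goldenChain returns a fresh copy of the reference boot sequence so callers
// can mutate it. Names follow the slide; the contents are constructed.
func goldenChain() []Measurement {
	return []Measurement{
		{"bootloader", []byte("constructed: bootloader v1")},
		{"kernel", []byte("constructed: kernel 4.x")},
		{"rkt-stage1", []byte("constructed: stage1-coreos:0.15.0")},
		{"pod-app", []byte("constructed: quay.io/josh_wood/caddy")},
	}
}

func main() {
	expected := measureChain(goldenChain())
	fmt.Println("expected PCR:", hex.EncodeToString(expected))

	// Same components, same order: admitted.
	fmt.Println("clean boot admitted:", verify(goldenChain(), expected))

	// The app image changes: every later extend, and the final PCR, changes.
	tampered := goldenChain()
	tampered[3].Data = []byte("constructed: quay.io/josh_wood/caddy (modified)")
	fmt.Println("tampered app admitted:", verify(tampered, expected))

	// Same components, different order: also rejected, since the chain
	// records who measured whom.
	swapped := goldenChain()
	swapped[0], swapped[1] = swapped[1], swapped[0]
	fmt.Println("reordered chain admitted:", verify(swapped, expected))
}
```

In a real deployment the expected value is held by the cluster's policy, the measurements are recorded in a hardware PCR and reported under a TPM quote, and a pod launch is one more extend over the image hash, which is what makes the execution log tamper-evident rather than just a file on disk.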
  21. See also:
     • coreos.com/rkt
     • github.com/appc/cni
     • blog.kubernetes.io/2016/01/why-Kubernetes-doesnt-use-libnetwork.html
     • https://docs.google.com/presentation/d/1aFraZcWg5kXKTpuWwDsm4XBM__BVcP70P0X1sNGUTi0/edit?usp=sharing
  22. Thank you!
     Josh Wood @joshixisjosh9 | [email protected] | github.com/joshix
     We’re hiring in all departments! Email: [email protected] Positions: coreos.com/careers