
Tectonic Summit Day 2 Keynote

Brandon Philips

December 12, 2016

Transcript

  1. Experts at Every Layer of the Stack: Linux Container Engines & Runtime Specs; Image Specs, Build, & Hosting; Clustered Database; Cloud Independence & Lifecycle; Identity & Federation
  2. Experts at Every Layer of the Stack: Linux Container Engines & Runtime Specs; Container Image Build, Hosting, & Specs; Clustered Database; Cloud Independence & Lifecycle; Identity & Federation
  3. Experts at Every Layer of the Stack: Linux Container Engines & Runtime Specs; Container Image Build, Hosting, & Specs; Clustered Database; Cloud Independence & Lifecycle; Identity & Federation
  4. Open Container Initiative (timeline): OCI announced June 2015; OCI Image Spec added April 2016; OCI 1.0 RC-1 July 2016; rkt OCI support July 2016; OCI 1.0 Q1 2017; Quay, Kubernetes, etc. Q2 2017
  5. rkt community traction: Laptop Kubernetes (minikube) can use rkt with a single flag; BlaBlaCar (Series D, $350m) runs rkt in prod and is moving to Kubernetes; Container Linux services now run under rkt; Google GKE uses rkt for Kubelet mount management
  6. Roadmap for rkt: Kubernetes & rkt integration via CRI; support all OCI standards as they reach 1.0; continue innovation in design and security
  7. Roadmap for rkt: Kubernetes & rkt integration via CRI; support all OCI standards as they reach 1.0; continue innovation in design and security
  8. Quick Reminder: Pod Lifecycle (diagram: controller nodes and worker nodes, each an EC2 VM)
  9. Container Runtime Interface (diagram: pod sandbox running cache (pid 5), asset fetcher (pid 8), web server (pid 9); Health Check Fail)
  10. Roadmap for rkt: Kubernetes & rkt integration via CRI; support all OCI standards as they reach 1.0; continue innovation in design and security
  11. rkt and runc (diagram: pod sandbox running cache (pid 5), asset fetcher (pid 8), web server (pid 8), each under its own runc)
  12. Roadmap for rkt: Kubernetes & rkt integration via CRI; support all OCI standards as they reach 1.0; continue innovation in design and security
  13. rkt is the only container engine with both Linux native and VM isolation. We continue to explore new ideas.
  14. Normal rkt execution (diagram: two pod sandboxes; the first runs cache (pid 5), debug agent (pid 8), web server (pid 9), the second runs cache (pid 10), debug agent (pid 38), web server (pid 20))
  15. VM rkt execution (diagram: two pod sandboxes, each running cache (pid 5), debug agent (pid 8), web server (pid 9))
  16. Lifecycle of a process, Normal Execution Path: bash (uid 1001, pid 8) -> fork(), identical perms -> bash (uid 1001, pid 9) -> exec() setuid binary, elevate perms -> su (uid 0, pid 9) -> exec(), identical perms -> bash (uid 0, pid 9)
  17. Lifecycle of a process, Exploit Execution Path: bash (uid 1001, pid 8) -> fork(), identical perms -> bash (uid 1001, pid 9) -> open() kernel exploit, elevate perms -> bash (uid 0, pid 9) -> Container Terminated
  18. VM rkt execution (diagram: pod sandbox inside a kvm virtual machine running cache (pid 5), debug agent (pid 8), web server (pid 9), watched by a Privilege Escalation Validator): Can PID 8 open /proc/9/environ? It is uid 0.
  19. VM rkt execution: Yes, valid elevation to uid 0
  20. VM rkt execution: rootkit payload (diagram label)
  21. VM rkt execution, rootkit payload: Can PID 9 open /etc/shadow? It is uid 0.
  22. VM rkt execution, rootkit payload: No, invalid transition to uid 0
  23. VM rkt execution: Container Terminated
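The validator logic sketched in slides 16 to 23, as an added toy model that is not rkt's or Tectonic's code: it records the uid each pid should have from observed fork() and exec() events and answers each open() question against that record, so a uid 0 reached through a setuid exec passes and a uid 0 with no exec behind it fails. The pids, paths and the event trace are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    uid: int      # uid the model expects this pid to run as
    origin: str   # how that uid was obtained (kept for the audit log)

class PrivilegeEscalationValidator:
    # Tracks expected credentials per pid from fork()/exec() events. The only
    # legitimate way to reach uid 0 is exec() of a setuid binary (the slides'
    # Normal Execution Path); an open() that arrives with a uid the model
    # cannot explain is the Exploit Execution Path and terminates the container.
    def __init__(self, initial):
        self.procs = {pid: Proc(uid, "initial") for pid, uid in initial.items()}
        self.terminated = False
        self.log = []

    def fork(self, parent, child):
        # fork(): the child inherits identical perms
        self.procs[child] = Proc(self.procs[parent].uid, f"fork from pid {parent}")

    def exec(self, pid, path, file_uid, setuid):
        # exec(): a setuid binary elevates to the file owner, otherwise identical perms
        uid = file_uid if setuid else self.procs[pid].uid
        how = "setuid exec" if setuid else "exec"
        self.procs[pid] = Proc(uid, f"{how} of {path}")

    def open(self, pid, path, observed_uid):
        # Answer "can PID open PATH, it is OBSERVED_UID?" against the model.
        expected = self.procs[pid]
        ok = observed_uid == expected.uid
        verdict = f"valid ({expected.origin})" if ok else f"invalid, expected uid {expected.uid}"
        self.log.append(f"pid {pid} open {path} as uid {observed_uid}: {verdict}")
        if not ok:
            self.terminated = True   # Container Terminated
        return ok

def run_slide_scenario():
    # Constructed trace following slides 16-23: pid 8 starts as a bash shell, uid 1001.
    v = PrivilegeEscalationValidator({8: 1001})
    v.fork(8, 9)                                        # bash (uid 1001, pid 9)
    v.exec(8, "/bin/su", file_uid=0, setuid=True)       # su (uid 0): elevate perms
    v.exec(8, "/bin/bash", file_uid=0, setuid=False)    # bash (uid 0): identical perms
    first = v.open(8, "/proc/9/environ", 0)             # Yes, valid elevation to uid 0
    # pid 9 never exec'd a setuid binary, yet shows up as uid 0 at open() time
    second = v.open(9, "/etc/shadow", 0)                # No, invalid transition to uid 0
    return first, second, v.terminated
```

`run_slide_scenario()` returns `(True, False, True)`: the first open is allowed, the second is refused and the container is marked terminated.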
  24. Quick Reminder: Kubernetes Architecture: clients talk to the Kubernetes API server; the API is stateless and horizontally scales; state from the API is persisted to the etcd DB
  25. etcd Overview: etcd introduced in 2013 by CoreOS; persistent database of Kubernetes; auto-leader election for availability
  26. Scaling Milestones of Kubernetes: 100 Nodes / 300 Pods, June 2015; 1,000 Nodes / 30,000 Pods, March 2016; 2,000 Nodes / 60,000 Pods, November 2016; 5,000 Nodes / 150,000 Pods, December 2016
  27. Consistent Key-Value Database: Google Chubby; etcd by CoreOS; ZooKeeper by Apache; Consul by Hashicorp
  28. Consistent Key-Value Database, Benchmark: Google Chubby (closed source); 1. etcd by CoreOS; 2. ZooKeeper by Apache; 3. Consul by Hashicorp
  29. Scaling Milestones of Kubernetes: 1,000 Nodes / 30,000 Pods, March 2016; 2,000 Nodes / 60,000 Pods, November 2016; 5,000 Nodes / 150,000 Pods, December 2016; 20,000 Nodes / 600,000 Pods, 2017
  30. etcd is Trusted by 100s of OSS Projects, Including Projects From Teams At Google, Amazon, Microsoft
  31. Self-Hosted Architecture (diagram: controller nodes and worker nodes, each an EC2 VM)
  32. Self-Driving Removes Toil: "Toil is the kind of work tied to running a production service that tends to be manual, repetitive, automatable, tactical, devoid of enduring value, and that scales linearly as a service grows."
  33. OpenID Connect (OIDC) provider with LDAP plugin. Integrated into upstream Kubernetes. No external databases, simply use the Kubernetes API. Default in Tectonic.
  34. Experts at Every Layer of the Stack: Linux Container Engines & Runtime Specs; Container Image Build, Hosting, & Specs; Clustered Database; Cloud Independence & Lifecycle; Identity & Federation