Slide 1

Slide 1 text

rkt and Kubernetes
Josh Wood, DocOps at CoreOS
[email protected] @joshixisjosh9

Slide 2

Slide 2 text

CoreOS is running the world’s containers
We’re hiring: [email protected] [email protected]
OPEN SOURCE: 90+ Projects on GitHub, 1,000+ Contributors
ENTERPRISE: Support plans, training and more
coreos.com

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

rkt
A modern, secure container runtime
Simple CLI tool - exorcism (no daemon)
Composable with systemd, standard init systems

Slide 5

Slide 5 text

rkt
Implements appc spec
Cryptographic image validation, detached signatures
Logs to sealed TPM facility on DTC systems

Slide 6

Slide 6 text

App Container (appc)
github.com/appc
[email protected]

Slide 7

Slide 7 text

.aci: sigs and discovery

$ actool discover coreos.com/etcd
ACI: https://github.com/.../etcd-darwin-amd64.aci
ASC: https://github.com/.../etcd-darwin-amd64.aci.asc
Keys: https://coreos.com/dist/pubkeys/aci-pubkeys.gpg
$

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

rkt run
● Isolates containers with the Linux container primitives (cgroups, ns), systemd-nspawn
● Container apps in a machine slice PID namespace
● Manage with standard init tools: systemd
● Network isolation

Slide 10

Slide 10 text

rkt run

$ rkt run quay.io/josh_wood/caddy
rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.15.0
rkt: using image from local store for image name quay.io/josh_wood/caddy
[ 1161.330635] caddy[4]: Activating privacy features... done.
[ 1161.333482] caddy[4]: :2015
$

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

rkt fly
● Leverages the packaging, discovery, distribution, and validation features of rkt/appc
● Reduced isolation for privileged components
● chroot file system isolation only
● Has access to host-level mount, network, PID namespaces
● Method for shipping k8s kubelet in CoreOS
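
The reduced isolation listed for rkt fly on this slide can be checked from the host by comparing a process's namespace links with those of PID 1. The script below is an added example, not code from the talk or from rkt; `PROC_ROOT`, `shared_ns` and `isolation_class` are hypothetical names, and it assumes a Linux /proc that the caller has enough privilege to read.

```shell
#!/bin/sh
# Added example, not from the talk or the rkt project.
# PROC_ROOT is a hypothetical override so the check can run against a
# constructed directory tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# shared_ns PID [REF_PID]
# Prints the namespaces (space separated) whose identity link, e.g.
# "net:[4026531992]", is the same for PID and REF_PID (default 1).
shared_ns() (
    pid=$1; ref=${2:-1}; out=""
    for ns in mnt net pid ipc uts; do
        a=$(readlink "$PROC_ROOT/$pid/ns/$ns" 2>/dev/null) || continue
        b=$(readlink "$PROC_ROOT/$ref/ns/$ns" 2>/dev/null) || continue
        if [ "$a" = "$b" ]; then out="$out $ns"; fi
    done
    echo "${out# }"
)

# isolation_class PID [REF_PID]
# host-level : mount, network and PID namespaces all shared with REF_PID
#              (the access the slide lists for rkt fly)
# namespaced : none of the three shared
# partial    : some shared
# unknown    : a namespace link could not be read (no such PID, or no privilege)
isolation_class() (
    for p in "$1" "${2:-1}"; do
        readlink "$PROC_ROOT/$p/ns/mnt" >/dev/null 2>&1 || { echo unknown; exit 1; }
    done
    shared=" $(shared_ns "$1" "${2:-1}") "
    hits=0
    for ns in mnt net pid; do
        case $shared in *" $ns "*) hits=$((hits + 1)) ;; esac
    done
    case $hits in
        3) echo host-level ;;
        0) echo namespaced ;;
        *) echo partial ;;
    esac
)

# Usage: sh nscheck.sh PID   (run as root so /proc/1/ns is readable)
if [ "$#" -gt 0 ]; then
    echo "shared with PID 1: $(shared_ns "$1")"
    isolation_class "$1"
fi
```

A workload that reports `host-level` without being an intentionally privileged component such as the kubelet is worth reviewing.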

Slide 13

Slide 13 text

rkt run stage1=fly

$ rkt run \
    --stage1-path=/usr/share/rkt/stage1-fly.aci \
    quay.io/josh_wood/caddy
rkt: using image from local store for image name coreos.com/rkt/stage1-fly:0.15.0
rkt: using image from local store for image name quay.io/josh_wood/caddy
[ 1161.333482] caddy[4]: :2015
$

Slide 14

Slide 14 text

rkt and Kubernetes on CoreOS
rkt fly executes kubelet: packaging and distribution of containers, access at host level
rkt acts as container execution engine, runs cluster work

Slide 15

Slide 15 text

rkt runs k8s runs rkt

$ rkt run --stage1-path=stage1-fly.aci \
    /usr/bin/kubelet -- --container-runtime=rkt
rkt: using image from local store for image name coreos.com/rkt/stage1-fly:1.0.0
[...]
$

Slide 16

Slide 16 text

rkt and Kubernetes on CoreOS
● rkt fly executes kubelet: packaging and distribution of containers, ns at host level
● rkt is container execution engine, runs cluster work
● Pod :: Pod
● CNI networking

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Cf.
coreos.com/rkt
https://github.com/kubernetes/kubernetes/blob/master/docs/getting-started-guides/rkt/
http://blog.kubernetes.io/2016/01/why-

Slide 19

Slide 19 text

May 9 & 10, 2016 | Berlin, Germany
● Early bird tickets
● Sponsorships are still available
● Submit a talk before February 29th!
coreos.com/fest @coreosfest

Slide 20

Slide 20 text

QUESTIONS?
Thanks!
[email protected] @joshixisjosh9 github.com/joshix
We’re hiring: coreos.com/careers
LONGER CHAT?
Let’s talk! IRC
More events: coreos.com/community