Slide 1

Slide 1 text

Containers from Scratch
Eric Chiang, Software Engineer
@erchiang | github.com/ericchiang

Slide 2

Slide 2 text

Agenda
1. Dive into containers!
2. Talk about the problems they solve.

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Containers Like a mini virtual machine.

Slide 6

Slide 6 text

Virtual machines

Slide 7

Slide 7 text

Virtual machines (diagram: several guest operating systems running side by side on one host)

Slide 8

Slide 8 text

Virtual machines: Isolated operating systems.

Slide 9

Slide 9 text

Virtual machines: problems

Slide 10

Slide 10 text

Virtual machines: problems
Expensive!

Slide 11

Slide 11 text

What’s a container?
Like mini virtual machines.

Slide 12

Slide 12 text

What’s a container?
Like mini virtual machines. Just an isolated process. No virtualizing a kernel.

Slide 13

Slide 13 text

What’s a container?
Like mini virtual machines.
(Diagram: a hypervisor running three VMs, each with its own kernel, next to a single host kernel.)

Slide 14

Slide 14 text

What’s a container?
Like mini virtual machines.
(Diagram: on the VM side a hypervisor runs three VMs, each with its own kernel; on the container side every container shares the one host kernel.)

Slide 15

Slide 15 text

Containers: chroot

$ sudo chroot rootfs /bin/bash
#

(chroot only changes the root directory the process sees. It still shares the host’s process table, network and root privileges; the next slides deal with those.)

Slide 16

Slide 16 text

Containers: namespaces

Slide 17

Slide 17 text

Containers: namespaces

$ sudo unshare -p -f \
    --mount-proc=$PWD/rootfs/proc \
    chroot rootfs /bin/bash
#

Slide 18

Slide 18 text

Containers: namespaces

$ sudo unshare -p -f \
    --mount-proc=$PWD/rootfs/proc \
    chroot rootfs /bin/bash
#

$ sudo nsenter --pid=/proc/7897/ns/pid \
    chroot rootfs /bin/bash
#

(7897 is the host-side PID of the bash that unshare -f forked into the new PID namespace; look it up from the host with ps. nsenter joins the namespace that PID belongs to.)
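The nsenter command above hard-codes a host PID, which raises two questions the slides leave implicit: did unshare really put the shell into a separate PID namespace, and which host PIDs live in it? Both are answered by the /proc/&lt;pid&gt;/ns/* symlinks, whose targets look like pid:[4026531836]; two processes are in the same namespace exactly when the inode numbers match. The helper below is an added example for this page, not code from the talk; it assumes a Linux host with /proc mounted and uses the inode-comparison technique directly rather than any tool from the slides.

```python
"""Inspect Linux namespace membership via /proc (added example, not from the slides)."""
import os
import re
import sys

# Namespace types exposed under /proc/<pid>/ns/; the deck only uses "pid".
NAMESPACES = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")

_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target: str) -> int:
    """Inode number from a namespace link target such as 'pid:[4026531836]'."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link target: {target!r}")
    return int(m.group("inode"))


def ns_inode(pid: int, ns: str = "pid") -> int:
    """Inode of the `ns` namespace that `pid` belongs to (needs ptrace access to `pid`)."""
    return parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))


def same_namespace(pid_a: int, pid_b: int, ns: str = "pid") -> bool:
    return ns_inode(pid_a, ns) == ns_inode(pid_b, ns)


def procs_in_namespace(inode: int, ns: str = "pid") -> set:
    """Host PIDs whose `ns` namespace has this inode; any of them works for nsenter --pid."""
    members = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            if ns_inode(int(entry), ns) == inode:
                members.add(int(entry))
        except OSError:
            continue  # process exited mid-scan, or belongs to another user without CAP_SYS_PTRACE
    return members


def sanity_check():
    """A process shares every namespace with itself; None means /proc is not available here."""
    if not os.path.exists("/proc/self/ns/pid"):
        return None
    me = os.getpid()
    return same_namespace(me, me) and me in procs_in_namespace(ns_inode(me))


if __name__ == "__main__":
    # Usage: python3 nsinfo.py [host-pid]; compares the target's namespaces with this shell's.
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for ns in NAMESPACES:
        try:
            inode = ns_inode(target, ns)
        except OSError as e:
            print(f"{ns:7} unavailable ({e.strerror})")
            continue
        verdict = "same as this shell" if inode == ns_inode(os.getpid(), ns) else "DIFFERENT"
        print(f"{ns:7} {inode}  {verdict}")
```

Run it from the host against the PID of the chrooted bash: the pid line should read DIFFERENT while mnt, net and the rest still match, since the slide’s unshare invocation only asked for a new PID namespace (-p). The same scan is what you want during incident response to tell which host processes belong to a given container.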

Slide 19

Slide 19 text

Containers: cgroups

Slide 20

Slide 20 text

Containers: cgroups

$ ls /sys/fs/cgroup/
$ sudo -s    (root shell: the redirections below must run as root, a plain `sudo echo ... > file` would not)
# mkdir /sys/fs/cgroup/memory/demo
# echo "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes
# echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness
# echo $$ > /sys/fs/cgroup/memory/demo/tasks

(To clean up, kill the process and run rmdir /sys/fs/cgroup/memory/demo.)

(These paths are the cgroup v1 layout. On a host that mounts the unified cgroup v2 hierarchy the equivalents are memory.max and cgroup.procs in a directory directly under /sys/fs/cgroup.)
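The slide’s file names only exist on a cgroup v1 host. The script below, an added example rather than code from the talk, expresses the same intent (create a group, cap it at 100 MB, keep it off swap, attach a PID) on either hierarchy: it detects v1 versus v2 from the mount, plans the writes, and performs them only when asked to. The group name "demo" and the 100 MB limit are the slide’s; fake_cgroup_root() is a constructed stand-in for /sys/fs/cgroup so the planner can be exercised without root.

```python
"""Memory-limit a process on cgroup v1 or v2 (added example; not code from the slides)."""
import os
import sys
import tempfile
from pathlib import Path

LIMIT_100MB = 100_000_000  # the slide's limit


def cgroup_version(root: Path) -> int:
    """v2 exposes cgroup.controllers at the mount root; v1 mounts one directory per controller."""
    if (root / "cgroup.controllers").is_file():
        return 2
    if (root / "memory").is_dir():
        return 1
    raise RuntimeError(f"{root} does not look like a cgroup mount")


def plan_memory_limit(root: Path, name: str, limit_bytes: int, pid: int) -> list:
    """Ordered (file, value) writes that cap the group's memory, forbid swap and attach pid."""
    if cgroup_version(root) == 1:
        cg = root / "memory" / name
        return [
            (cg / "memory.limit_in_bytes", str(limit_bytes)),
            (cg / "memory.swappiness", "0"),   # v1 knob used on the slide
            (cg / "tasks", str(pid)),
        ]
    # v2: the parent must delegate the memory controller to children, or memory.max is absent.
    enabled = (root / "cgroup.subtree_control").read_text().split()
    if "memory" not in enabled:
        raise RuntimeError("memory controller not enabled in cgroup.subtree_control")
    cg = root / name
    return [
        (cg / "memory.max", str(limit_bytes)),
        (cg / "memory.swap.max", "0"),         # v2 has no per-group swappiness; deny swap instead
        (cg / "cgroup.procs", str(pid)),
    ]


def apply(plan: list) -> None:
    """mkdir the group and perform the writes: each `echo ... >` from the slide becomes one write."""
    plan[0][0].parent.mkdir(exist_ok=True)
    for path, value in plan:
        path.write_text(value)


def cleanup(plan: list) -> None:
    """Same as the slide's rmdir: only succeeds once no process is attached to the group."""
    plan[0][0].parent.rmdir()


def fake_cgroup_root(version: int) -> Path:
    """Constructed stand-in for /sys/fs/cgroup so the planner can be exercised without root."""
    root = Path(tempfile.mkdtemp(prefix=f"cgroup-v{version}-"))
    if version == 2:
        (root / "cgroup.controllers").write_text("cpuset cpu io memory pids\n")
        (root / "cgroup.subtree_control").write_text("memory pids\n")
    else:
        (root / "memory").mkdir()
    return root


if __name__ == "__main__":
    # Usage: python3 memlimit.py [cgroup-mount] [--apply]; without --apply it only prints the plan.
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = Path(args[0]) if args else Path("/sys/fs/cgroup")
    plan = plan_memory_limit(root, "demo", LIMIT_100MB, os.getpid())
    print(f"cgroup v{cgroup_version(root)}; writes needed:")
    for path, value in plan:
        print(f"  {path} <- {value}")
    if "--apply" in sys.argv:
        apply(plan)   # root only; from here on this process is capped at 100 MB
```

Check the result the same way on both versions: on v1 read memory.usage_in_bytes and memory.failcnt in the group, on v2 memory.current and the oom counters in memory.events, after making the process allocate past 100 MB.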

Slide 21

Slide 21 text

Containers: security

● Capabilities: limit the power of root
  ○ sudo setcap CAP_NET_BIND_SERVICE+ep ./hello
● seccomp: limit the syscalls you can make
● SELinux: fine-grained access control policies on processes
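The setcap line only "limits the power of root" if the resulting process really holds that one capability rather than the full set. The kernel reports each process’s capability sets as 64-bit hex masks in /proc/&lt;pid&gt;/status (CapPrm, CapEff, CapBnd, …), which are unreadable by eye. The decoder below is an added example for this page, not code from the talk. The two status snippets are constructed: a root bash with all 41 capabilities a Linux 5.9+ kernel defines, and ./hello after the slide’s setcap, run by an unprivileged user. ESCAPE_CAPS is this example’s own short list of capabilities that undo the isolation from the earlier slides, not a list from the kernel or the talk.

```python
"""Decode a process's capability sets from /proc/<pid>/status (added example, not from the slides)."""
import sys

# Bit positions from include/uapi/linux/capability.h (Linux 5.9+ defines bits 0..40).
CAPABILITIES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# This example's own list: capabilities that let a process break out of, or reach around,
# the chroot / namespace / cgroup isolation built on the earlier slides.
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_CHROOT",
               "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_SYS_RAWIO", "CAP_MKNOD"}


def decode_caps(mask_hex: str) -> set:
    """Names of the capabilities set in a hex mask such as the CapEff value in /proc/<pid>/status."""
    mask = int(mask_hex, 16)
    names = {name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1}
    if mask >> len(CAPABILITIES):  # bits newer than this table (a future kernel)
        names.add(f"<unknown bits above {len(CAPABILITIES) - 1}>")
    return names


def parse_status(text: str) -> dict:
    """Map each Cap* line of a /proc/<pid>/status dump to its decoded set."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            sets[key] = decode_caps(value.strip())
    return sets


def caps_of(pid=None) -> dict:
    with open(f"/proc/{pid or 'self'}/status") as f:
        return parse_status(f.read())


def escape_risks(sets: dict) -> set:
    """Dangerous capabilities the process can use now (effective) or re-enable (permitted)."""
    return (sets.get("CapEff", set()) | sets.get("CapPrm", set())) & ESCAPE_CAPS


# Constructed samples (not captured from a real host): a root shell, and the slide's ./hello
# started by an unprivileged user after `setcap CAP_NET_BIND_SERVICE+ep ./hello`.
ROOT_SHELL_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n" \
                    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"
HELLO_STATUS = "Name:\thello\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n" \
               "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    # Usage: python3 caps.py [pid]; defaults to the calling shell.
    sets = caps_of(int(sys.argv[1])) if len(sys.argv) > 1 else caps_of()
    for key in ("CapEff", "CapPrm", "CapBnd"):
        print(f"{key}: {len(sets[key])} caps: {' '.join(sorted(sets[key]))}")
    print("escape risks:", " ".join(sorted(escape_risks(sets))) or "none")
```

Against the constructed samples the root shell carries CAP_SYS_ADMIN, CAP_SYS_PTRACE and the rest of the list, while ./hello holds exactly CAP_NET_BIND_SERVICE: the bounding set (CapBnd) is still full because file capabilities never shrink it, so a later exec of a setuid or setcap’d binary could regain more, which is why the runtimes in the following slides also drop the bounding set. libcap’s `capsh --decode=000001ffffffffff` gives the same expansion from the command line.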

Slide 22

Slide 22 text

Container runtimes

Slide 23

Slide 23 text

Container runtimes

Slide 24

Slide 24 text

Container runtimes: rkt

$ sudo rkt run \
    quay.io/ericchiang/python:3.5.2 \
    --exec=python3 -- -m http.server

Slide 25

Slide 25 text

Container runtimes

● Metadata and tarball formats
● Discovery of those tarballs
  ○ rkt run quay.io/coreos/dex
● Coordinates the underlying technologies

Slide 26

Slide 26 text

Why containers? Amazingly good at moving applications around.

Slide 27

Slide 27 text

An app

$ tree .
.
├── bin
│   └── my-awesome-app
├── server
│   ├── app.py
│   └── templates.py
├── public
│   └── main.css
└── README.md

Slide 28

Slide 28 text

An app

$ tree .
.
├── bin
│   └── my-awesome-app
├── server
│   ├── app.py
│   └── templates.py
├── public
│   └── main.css
└── README.md

python3 bin/my-awesome-app \
    --port 80 \
    --db postgres://db.com/mydb

Slide 29

Slide 29 text

An app

$ tree .
.
├── bin
│   └── my-awesome-app
├── server              ← additional code or resources
│   ├── app.py
│   └── templates.py
├── public              ← additional code or resources
│   └── main.css
└── README.md

python3 bin/my-awesome-app \
    --port 80 \
    --db postgres://db.com/mydb

Slide 30

Slide 30 text

An app

$ tree .
.
├── bin
│   └── my-awesome-app
├── server              ← additional code or resources
│   ├── app.py
│   └── templates.py
├── public              ← additional code or resources
│   └── main.css
└── README.md

How to run it:

python3 bin/my-awesome-app \
    --port 80 \
    --db postgres://db.com/mydb

Slide 31

Slide 31 text

Problems: Dependencies

Source code doesn’t tell us:

Slide 32

Slide 32 text

Problems: Dependencies

Source code doesn’t tell us:
● What version(s) of Python can run it?
● What third-party Python packages does it import?
● What system packages does it depend on?

Slide 33

Slide 33 text

Solutions: Package management

Take your source code, add a bit of metadata, and put it on the internet.

Slide 34

Slide 34 text

A PyPI example

# install_requires is a setuptools option; distutils.core.setup ignores it with an
# "Unknown distribution option" warning, so the dependencies would never be installed.
from setuptools import setup

setup(
    name = 'my-awesome-app',
    scripts = ['bin/my-awesome-app'],
    version = '0.1',
    description = 'That thing I wrote',
    author = 'Eric Chiang',
    url = 'https://github.com/ericchiang/app',
    download_url = 'https://github.com/ericchiang/app/tarball/0.1',
    keywords = ['webapp', 'awesome'],
    install_requires = ["flask", "jinja2", "Psycopg2"],
)

Slide 35

Slide 35 text

A PyPI example

# install_requires is a setuptools option; distutils.core.setup ignores it with an
# "Unknown distribution option" warning, so the dependencies would never be installed.
from setuptools import setup

setup(
    name = 'my-awesome-app',                  # Package name
    scripts = ['bin/my-awesome-app'],         # How to run
    version = '0.1',
    description = 'That thing I wrote',
    author = 'Eric Chiang',
    url = 'https://github.com/ericchiang/app',
    download_url = 'https://github.com/ericchiang/app/tarball/0.1',   # Where to download
    keywords = ['webapp', 'awesome'],
    install_requires = ["flask", "jinja2", "Psycopg2"],               # Dependencies
)

Slide 36

Slide 36 text

A PyPI example

$ pip install my-awesome-app

Slide 37

Slide 37 text

Package management: problems

Lots of potential conflicts:
● What if two apps depend on different versions of the same package?
● What if one app hogs memory or disk?
● What if one gets hacked?

Slide 38

Slide 38 text

Containers: easy deployments

● What kind of problems do you run into when it’s extremely easy to deploy an app?
● How do you manage a high number of apps on a single machine?

Slide 39

Slide 39 text

Containers: easy deployments

● What kind of problems do you run into when it’s extremely easy to deploy an app?
● How do you manage a high number of apps on a single machine?

(Hint: you should stay around for the next talk.)

Slide 40

Slide 40 text

Questions? Thanks!

[email protected] | @erchiang
Longer chat? Let’s talk! (IRC)
We’re hiring: coreos.com/careers
More events: coreos.com/community