
Build, Ship, and Run Any App, Anywhere


COEP FOSSMeet’18 is the first edition of College of Engineering, Pune’s own Free and Open Source Software event. The meet aims to promote a culture of openness, innovation, and freedom, and to bring together FOSS developers, academics, researchers, students and everyone who loves the FOSS movement. It intends to take part in the FOSS development and adoption process through hands-on sessions, discussions and lectures.

Rahulkrishnan R A

April 07, 2018

Transcript

  1. About Me
     » Consultant @ Capgemini
     » Debian Contributor
     » Gopher
     » Organizer of Kubernetes Meetup, Chennai
     Docker 101
     LinkedIn: linkedin.com/in/rahulkrishnanra/
     GitHub: https://github.com/rahulkrishnanfs
     Twitter: https://twitter.com/rahulkrishnanra
  2. What is a namespace?
     » A feature of the Linux kernel that partitions kernel resources
     » Limits what a process can see (and therefore what it can touch)
     » Namespaces are the fundamental building block of containers on Linux
  3. Types of namespace
     o pid (process IDs)
     o net (network stack)
     o mnt (mount points, filesystems)
     o uts (hostname and domain name)
     o ipc (System V IPC objects and POSIX message queues)
     o user (UIDs and GIDs)
     o cgroup (the cgroup root the process sees)
  4. What are they?
     Every process has one link per namespace under /proc/<pid>/ns/; the number in brackets is the namespace's inode, and two processes share a namespace exactly when the inodes match.
     root@ip-172-31-43-99:/# ls -la /proc/4015/ns/
     total 0
     lrwxrwxrwx 1 cgroup -> cgroup:[4026531835]
     lrwxrwxrwx 1 ipc -> ipc:[4026531839]
     lrwxrwxrwx 1 mnt -> mnt:[4026531840]
     lrwxrwxrwx 1 net -> net:[4026531993]
     lrwxrwxrwx 1 pid -> pid:[4026531836]
     lrwxrwxrwx 1 user -> user:[4026531837]
     lrwxrwxrwx 1 uts -> uts:[4026531838]
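The listing above is the raw material for a useful check: comparing a container process's namespace inodes with those of PID 1 on the host tells you which isolation boundaries the container actually has. The program below is an added example, not code from the slides; the function names and the argument convention are my own, and it assumes a Linux /proc (run it on the host as root against the PID from `docker inspect --format '{{.State.Pid}}' <container>`).

```go
// Added example, not from the slides: read the /proc/<pid>/ns/* links shown
// above for a process and for PID 1, and report which namespaces the process
// still shares with the host. Run on the host as root against a container's
// PID (docker inspect --format '{{.State.Pid}}' <container>).
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// namespaceKinds are the entries listed in /proc/<pid>/ns/ on the slide.
var namespaceKinds = []string{"cgroup", "ipc", "mnt", "net", "pid", "user", "uts"}

// parseNsLink splits a link target such as "uts:[4026531838]" into the
// namespace kind and its inode number; two processes are in the same
// namespace exactly when their inodes for that kind are equal.
func parseNsLink(target string) (kind string, inode uint64, err error) {
	i := strings.Index(target, ":[")
	if i < 0 || !strings.HasSuffix(target, "]") {
		return "", 0, fmt.Errorf("malformed namespace link %q", target)
	}
	inode, err = strconv.ParseUint(target[i+2:len(target)-1], 10, 64)
	if err != nil {
		return "", 0, fmt.Errorf("malformed namespace link %q: %w", target, err)
	}
	return target[:i], inode, nil
}

// nsInode returns the inode of one namespace of one process. Reading the link
// needs ptrace-read access to the target, so run as root for other users' PIDs.
func nsInode(pid int, kind string) (uint64, error) {
	target, err := os.Readlink(filepath.Join("/proc", strconv.Itoa(pid), "ns", kind))
	if err != nil {
		return 0, err
	}
	k, inode, err := parseNsLink(target)
	if err != nil {
		return 0, err
	}
	if k != kind {
		return 0, fmt.Errorf("%s: unexpected link target %q", kind, target)
	}
	return inode, nil
}

// snapshot collects kind -> inode for one PID; kinds the kernel does not
// expose (e.g. cgroup before Linux 4.6) are skipped.
func snapshot(pid int) map[string]uint64 {
	m := make(map[string]uint64)
	for _, kind := range namespaceKinds {
		if inode, err := nsInode(pid, kind); err == nil {
			m[kind] = inode
		}
	}
	return m
}

// sharedNamespaces returns the kinds whose inodes are equal in both
// snapshots, i.e. the namespaces the two processes share. For a container
// this is the list of isolation boundaries it does NOT have.
func sharedNamespaces(a, b map[string]uint64) []string {
	var shared []string
	for _, kind := range namespaceKinds {
		if ia, ok := a[kind]; ok {
			if ib, ok := b[kind]; ok && ia == ib {
				shared = append(shared, kind)
			}
		}
	}
	return shared
}

func main() {
	pid := os.Getpid()
	if len(os.Args) > 1 {
		p, err := strconv.Atoi(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "usage: nscheck [pid]")
			os.Exit(2)
		}
		pid = p
	}
	target, host := snapshot(pid), snapshot(1)
	for _, kind := range namespaceKinds {
		fmt.Printf("%-7s %d\n", kind, target[kind])
	}
	fmt.Println("shared with PID 1:", sharedNamespaces(target, host))
}
```

For a container started with default Docker settings the shared list contains user, because dockerd does not create user namespaces unless it runs with --userns-remap; a container started with --net=host or --pid=host additionally lists net or pid, which is exactly what you want to catch in a review.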
  5. PID namespace
     » Processes within a PID namespace only see processes in the same PID namespace (and in its descendants)
     » Each PID namespace has its own numbering, starting at 1
     » If PID 1 of the namespace exits, the kernel kills every remaining process in it with SIGKILL
     » PID 1 plays the "init" role: it adopts orphaned processes and must reap its children
     » PID namespaces can be nested, up to 32 levels deep
  6. (Diagram) Child PID namespace inside a parent PID namespace: the same three processes are numbered 4, 5, 6 in the parent and 1, 2, 3 in the child (4 -> 1, 5 -> 2, 6 -> 3).
  7. Network namespace
     » A logical copy of the network stack. It has its own:
       - routes
       - firewall rules
       - network devices
       - IP addresses
     » Separates the networking of an application/process from the host's
     » A network interface can be moved from one netns to another (ip link set <dev> netns <name>); a physical interface can live in only one netns at a time
     » A newly created network namespace contains only the loopback device, and even that starts in the down state
  8. Mount namespace
     » Processes can have their own rootfs
     » Mounts can be totally private or shared
     » A new mount namespace starts with a copy of its parent's mount table, so all existing mounts are visible in it
     » Whether later mounts/unmounts in the global (parent) namespace also appear in the new one depends on each mount's propagation type: shared mounts (the default for / on systemd hosts) propagate, private ones do not
  9. UTS namespace
     » Lets different processes see different host and domain names
     » Isolates what uname(2) and hostname(1) report about the system
     » The simplest one to implement
  10. UTS namespace implementation
     package main

     import (
         "os"
         "os/exec"
         "syscall"
     )

     func main() {
         // Start a shell in a new UTS namespace; needs CAP_SYS_ADMIN (run as root).
         // The hostname must be set from inside the new namespace, so the child
         // shell does it before exec'ing the interactive shell. Calling
         // syscall.Sethostname here in the parent would rename the host instead.
         cmd := exec.Command("/bin/sh", "-c", "hostname inner && exec /bin/sh")
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS,
         }
         cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
         if err := cmd.Run(); err != nil {
             panic(err)
         }
     }
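Delegating the hostname call to a shell works for one namespace, but the general pattern for the PID, network and mount namespaces of the earlier slides is to run Go code inside the new namespaces before exec. Go offers no hook between clone(2) and exec(2), so the program re-executes itself via /proc/self/exe and the child copy does the setup. The launcher below is an added example, not code from the slides; the marker argument "child", the function names and the Linux-only syscall constants are my choices, the hostname "inner" is taken from the slide, and it must run as root.

```go
// Added example, not from the slides: a minimal container launcher that puts
// a shell in new UTS, PID, mount and network namespaces. Go cannot run code
// between clone(2) and exec(2), so the program re-executes itself
// (/proc/self/exe) and the child half does the per-namespace setup.
// Needs CAP_SYS_ADMIN; run as root on Linux.
package main

import (
	"fmt"
	"net"
	"os"
	"os/exec"
	"syscall"
)

// childMarker is an argv[1] tag chosen for this example to tell the
// re-executed copy that it is the child.
const childMarker = "child"

// parentCommand builds the re-exec command. The hostname travels in argv
// because it can only be applied once the child is inside the UTS namespace.
func parentCommand(self, hostname string) *exec.Cmd {
	cmd := exec.Command(self, childMarker, hostname)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID |
			syscall.CLONE_NEWNS | syscall.CLONE_NEWNET,
	}
	return cmd
}

// childArgs reports whether argv marks this process as the child and, if so,
// which hostname it should apply.
func childArgs(argv []string) (hostname string, ok bool) {
	if len(argv) == 3 && argv[1] == childMarker {
		return argv[2], true
	}
	return "", false
}

// childSetup runs inside the new namespaces.
func childSetup(hostname string) error {
	// We are now in the new UTS namespace, so this renames only the container.
	if err := syscall.Sethostname([]byte(hostname)); err != nil {
		return fmt.Errorf("sethostname: %w", err)
	}
	// The new mount namespace is a copy of the host's, and on systemd hosts
	// "/" is a shared mount: without making it private, the /proc mounted
	// below would propagate back into the host's mount namespace.
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return fmt.Errorf("make / private: %w", err)
	}
	// A fresh /proc makes ps(1) show the new PID namespace (the shell is PID 2).
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return fmt.Errorf("mount /proc: %w", err)
	}
	return nil
}

// view returns the hostname, PID and interface names the caller sees; inside
// the child this is the new hostname, PID 1 and only "lo".
func view() (host string, pid int, ifaces []string, err error) {
	if host, err = os.Hostname(); err != nil {
		return "", 0, nil, err
	}
	list, err := net.Interfaces()
	if err != nil {
		return "", 0, nil, err
	}
	for _, i := range list {
		ifaces = append(ifaces, i.Name)
	}
	return host, os.Getpid(), ifaces, nil
}

func main() {
	if hostname, ok := childArgs(os.Args); ok {
		if err := childSetup(hostname); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		host, pid, ifaces, err := view()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("hostname=%s pid=%d interfaces=%v\n", host, pid, ifaces)
		sh := exec.Command("/bin/sh")
		sh.Stdin, sh.Stdout, sh.Stderr = os.Stdin, os.Stdout, os.Stderr
		if err := sh.Run(); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		return
	}
	if err := parentCommand("/proc/self/exe", "inner").Run(); err != nil {
		panic(err)
	}
}
```

Run as root, the child prints hostname=inner pid=1 interfaces=[lo] and drops into a shell in which hostname, ps and ip link all show the isolated view, while the host's hostname and mount table are untouched. The same re-exec skeleton is where a user namespace (next slide) would be added: CLONE_NEWUSER plus UidMappings/GidMappings in SysProcAttr removes the root requirement, which is how rootless container runtimes work.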
  11. User namespace
     » Maps a range of UIDs/GIDs inside the namespace onto a different range outside it, so "root" in a container can be an unprivileged user on the host
     » Avoids extra configuration in containers: software that expects to run as UID 0 can do so inside without being UID 0 on the host
     » Security improvement: a container breakout lands as the unprivileged host user. Docker only enables it when dockerd runs with --userns-remap; by default containers share the host's user namespace
  12. Docker Engine
     Docker Engine is a client-server application with these major components:
     » A REST API which specifies interfaces that programs can use to talk to the daemon and instruct it what to do
     » A command line interface (CLI) client (the docker command)
     » A server, which is a type of long-running program called a daemon process (the dockerd command)
  13. Docker Images vs Containers
     Image
     » Lightweight, stand-alone, executable package
     » Includes everything needed to run a piece of software, including the code, a runtime, libraries, environment variables, and config files
     Container
     » Runtime instance of an image: what the image becomes in memory when actually executed