Upgrade to Pro — share decks privately, control downloads, hide ads and more …

linuxkit bascis ContainerDays Hamburg 2017-06 Peter Rossbach

linuxkit bascis ContainerDays Hamburg 2017-06 Peter Rossbach

**Linuxkit Basics talk**
Here you can find my slide deck container from my "Build your Immutable Infrastructure with the LinuxKit" Container Days 2017.

- open slidefire presentation container with `docker run -d -p 8000:80 bee42/linuxkit-basics:cds2017`
- open your browser with `http :8000/linuxkit-basics`
- pdf [Linuxkit Basics][1] is now avaiable!
- see source and exampes at https://github.com/bee42/linuxkit-slides

Feedback welcome...

[Peter Rossbach][2]

[1]: https://speakerdeck.com/rossbachp/linuxkit-bascis-containerdays-hamburg-2017-06-peterrossbach
[2]: http://twitter.com/PRossbach

Peter Rossbach

June 23, 2017
Tweet

More Decks by Peter Rossbach

Other Decks in Programming

Transcript

  1. 1 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    [email protected]
    @PRossbach

    View full-size slide

  2. 2 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Snow Flakes- vs. Phoenix- Server

    View full-size slide

  3. 3 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    A Snow Flakes Server is a server that,
    properly patched to keep it up to date,
    configuration and software change over time,
    long running instance

    View full-size slide

  4. 4 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    An Immutable Server is a server that
    once deployed,
    is never modified,
    merely replaced with a new updated instance.
    Since phoenixes start everytime from scratch!

    View full-size slide

  5. 5 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Better DevProd Parity
    Better security: Lesser is More
    All is packaged inside the instance
    Reproduceablity of every component

    View full-size slide

  6. 6 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Rebranding the Docker Open Source Project
    https://github.com/moby/moby

    View full-size slide

  7. 7 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Library of 80+ components
    Package your own components as containers
    Reference assemblies deployed on millions of nodes
    Create your own assemblies or start from existing ones

    View full-size slide

  8. 8 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Only works with containers
    Smaller attack surface
    Immutable infrastructure
    Create Phoenix Server
    Sandboxed system

    View full-size slide

  9. 9 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Incubator for security innovations
    Wireguard, Landlock, KSPP
    MirageOS type safe system daemons
    okernel
    Community-first security process
    Linux is too big for a single company to secure it
    Participate in existing Linux security efforts

    View full-size slide

  10. 10 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Secure defaults without compromising usability
    Everything is replaceable and customisable
    Immutable infrastructure applied to building Linux
    distributions
    Completely stateless, but persistent storage can be
    attached
    Easy tooling, with easy iteration
    Built with containers, for running containers

    View full-size slide

  11. 11 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Designed for building and running clustered applications,
    including but not limited to container orchestration such
    as Docker or Kubernetes
    Designed from the experience of building Docker
    Editions, but redesigned as a general-purpose toolkit
    Designed to be managed by external tooling, such as
    Infrakit or similar tools
    Includes a set of longer-term collaborative projects in
    various stages of development to innovate on kernel and
    userspace changes, particularly around security
    A toolkit for building custom minimal, immutable Linux
    distributions.

    View full-size slide

  12. 12 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Minimal size, minimal boot time
    All system services are containers
    Everything can be removed or replaced
    Build for different plattforms

    View full-size slide

  13. 13 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    $ brew tap linuxkit/linuxkit
    $ brew install --HEAD moby
    $ brew install --HEAD linuxkit

    View full-size slide

  14. 14 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  15. 15 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    kernel:
    image: "linuxkit/kernel:4.9.x"
    cmdline: "console=ttyS0 console=tty0 page_poison=1"

    View full-size slide

  16. 16 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    init:
    - linuxkit/init:781cec2360313a6d4aca25f5e90623294f8432f7
    - linuxkit/runc:3a4e6cbf15470f62501b019b55e1caac5ee7689f
    - linuxkit/containerd:b50181bc6e0084e5fcd6b6ad3cf433c4f66cae5a
    - linuxkit/ca-certificates:75cf419fb58770884c3464eb687ec8dfc704169d

    View full-size slide

  17. 17 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    onboot:
    - name: sysctl
    image: "linuxkit/sysctl:3aa6bc663c2849ef239be7d941d3eaf3e6fcc018"
    - name: sysfs
    image: linuxkit/sysfs:1244c5a86dfa2318c4e304af68d37e12367e1b7f
    - name: binfmt
    image: "linuxkit/binfmt:8ac5535f57f0c6f5fe88317b9d22a7677093c765"
    - name: format
    image: "linuxkit/format:180cb2dc1de5e60373385080f8148abf10a3afac"
    - name: mount
    image: "linuxkit/mount:ff5338822f20375b8913f5a80f9ed4f6ea9a592b"
    command: ["/mount.sh", "/var/lib/docker"]

    View full-size slide

  18. 18 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    services:
    - name: getty
    image: "linuxkit/getty:886d35fe30c47750e8cfbf2f73016e9d2cc6361a"
    env:
    - INSECURE=true
    - name: rngd
    image: "linuxkit/rngd:1fa4de44c961bb5075647181891a3e7e7ba51c31"
    - name: dhcpcd
    image: "linuxkit/dhcpcd:7d2b8aaaf20c24ad7d11a5ea2ea5b4a80dc966f1"
    - name: ntpd
    image: "linuxkit/openntpd:45deeb05f736162d941c9bf494983f655ab80aa5"
    - name: docker
    image: "linuxkit/docker-ce:dda71ff9fe5ebbfa794b98c57c32df286b212848"
    capabilities:
    - all
    net: host
    mounts:
    - type: cgroup
    options: ["rw","nosuid","noexec","nodev","relatime"]
    binds:
    - /etc/docker/daemon.json:/etc/docker/daemon.json
    - /var/lib/docker:/var/lib/docker
    - /lib/modules:/lib/modules
    files:
    - path: /etc/docker/daemon.json
    contents: '{"debug": true, "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
    trust:
    org:
    - linuxkit

    View full-size slide

  19. 19 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    ...
    "Labels": {
    "org.mobyproject.config": "{\"pid\": \"host\", \"readonly\": true,
    \"capabilities\": [\"CAP_SYS_ADMIN\"]}"
    }
    ...

    View full-size slide

  20. 20 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    $ moby build --output kernel+initrd docker.yml
    $ linuxkit run hyperkit \
    -ip 192.168.65.101 \
    -disk $PWD/disk-101,size=4G \
    -state $PWD/docker-state-101 \
    docker
    $ runc exec -t docker /bin/sh
    $ docker ps
    $ curl http://127.0.0.1:2375/v1.28/info

    View full-size slide

  21. 21 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    $ docker run --rm -i docker
    > export DOCKER_HOST=tcp://192.168.65.101:2375
    > docker info
    > docker run
    or
    $ cat >Dockerfile <FROM alpine:edge
    RUN apk add --no-cache socat
    ENTRYPOINT [ "/usr/bin/socat" ]
    EOF
    $ docker build -t socat .
    # Set PORT and MACHINE_IP
    $ PORT=2375
    $ MACHINE_IP=192.168.65.101
    $ docker run --rm -t -d -p $PORT:$PORT socat tcp-listen:$PORT,reuseaddr,fork tcp:${
    $ docker -H 127.0.0.1:2375 info

    View full-size slide

  22. 22 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  23. 23 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  24. 24 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    hyperkit
    qemu
    hyper-v
    vmware
    AWS
    GCE
    Azure
    packet.net

    View full-size slide

  25. 25 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Desktop, Server, IoT, Mainframe
    Intel & ARM
    Bare Metal & Virtualized
    On prem & in the Cloud

    View full-size slide

  26. 26 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    4.4.x
    4.9.x
    4.11.x

    View full-size slide

  27. 27 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    https://speakerdeck.com/avsm/a-modern-services-sdk-for-linuxkit

    View full-size slide

  28. 28 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  29. 29 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  30. 30 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Build your own linux distriubution
    Package all parts inside containers
    Build with secure in mind
    Speed up your boottime

    View full-size slide

  31. 31 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Container DevOps Camp
    Kubernetes DevOps Lab
    Container for Java Lab
    Container GitLab/CI Lab
    https://bee42.com/trainings/docker-devops-camp/
    https://bee42.com/trainings/kubernetes-devops-lab/
    https://bee42.com/trainings/docker-for-java-lab/
    https://bee42.com/trainings/docker-gitlab-ci-lab/
    ContainerDays 2017 Rabattt 20% CDS17-20

    View full-size slide

  32. 32 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  33. 33 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg

    View full-size slide

  34. 34 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    Peter Rossbach
    DevOps and Container-enthusiast
    Infra-coder with passion
    System architect
    Java Developer
    Apache Tomcat Committer
    Member of the Apache Software Foundation
    Founder of the bee42 solutions gmbh
    CTO of the Setlog Gmbh

    View full-size slide

  35. 35 / 35
    © 2017 , @PRossbach, Container Days 06/2017 Hamburg
    https://github.com/linuxkit/linuxkit
    https://bee42.com/blog/linuxkit-with-initial-aws-support/
    https://blog.docker.com/2017/06/introduction-to-linuxkit/
    https://de.slideshare.net/Docker/introducing-linuxkit
    https://speakerdeck.com/avsm/a-modern-services-sdk-
    for-linuxkit
    https://blog.docker.com/2017/04/introducing-linuxkit-
    container-os-toolkit/
    http://training.play-with-docker.com/LinuxKit/

    View full-size slide