DockerCon 2014: Thoughts on interoperable containers

Docker is driving the popularization of Linux containers, but there are many different container managers out there, such as LXC and lmctfy, not to mention the different PaaS offerings being built on top of these technologies. How great would it be if applications were portable to all (or most) of those providers and container managers with little or no effort? This talk discusses some ideas of what needs to be done for that to happen and what the community can do to help.

  1. interoperable containers. Fabio Kung, fabio@heroku.com. https://www.flickr.com/photos/usnavy/8612337045
  2. Please don't continue. Go see this instead: http://fabiokung.com/2014/06/11/my-dockercon-2014-talk
  3. Fabio, Runtime Systems at Heroku. I run Linux containers.
  4. http://12factor.net
  5. “write once, run everywhere” – Sun Microsystems (?)
  6. “write once, debug everywhere” – (?)
  7. https://www.flickr.com/photos/tjblackwell/3545764529
  8. Developers want apps... https://www.flickr.com/photos/cyol/7642566946
  9. PaaS wants scale... https://www.flickr.com/photos/johngarghan/3401814659
  10. Docker wants... (docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/)
  11. PaaS / You / docker, lxc, lmctfy, ... (background: https://www.flickr.com/photos/jdhancock/12397433023)
  12. Containers https://www.flickr.com/photos/joshua/433354324
  13. “trying to make Docker secure for multi-tenant scenarios is a can of worms” – darren0, at #docker-dev
  14. 1 vs 1M https://www.flickr.com/photos/enerva/9068467267
  15. Root https://www.flickr.com/photos/ashleyrosex/2861690380
  16. apt-get install …
  17. vi /etc/…
  18. mount -t fancy …
  19. modprobe something
  20. iptables -A INPUT …
  21. kernelspace abuse https://www.flickr.com/photos/erlendaasland/4107345124
  22. User Namespaces / Unprivileged Containers https://www.flickr.com/photos/ntr23/730371240
  23. “(…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)” – Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces”, LWN.net
  24. if (getuid() == 0) {
          // do root stuff
      }
  25. just don't run as root?
  26. also SUID
  27. Restrictions https://www.flickr.com/photos/mollivan_jon/10431164633
  28. Networking https://www.flickr.com/photos/emptyage/177466621
  29. ephemeral disks https://www.flickr.com/photos/pixeltree/4876732522
  30. arch, OS, image size, …
  31. containers/container-rfc · GitHub: “A vendor neutral format for Linux container images and runtime”
  32. Image Size https://www.flickr.com/photos/littlebiglens/6034320322
  33. Layers https://www.flickr.com/photos/ralan808/11300490173
  34. Updates? noncommercial use
  35. Packages, “slugs” https://www.flickr.com/photos/doug88888/2801103568
  36. dotcloud/docker#332: docker load --rebase=new-base-image
  37. Apps https://www.flickr.com/photos/zoomar/338952152
  38. Buildpacks: app source + base image
  39. FROM heroku/cedar
      ADD . /buildpack
      ONBUILD ADD . /app
      ONBUILD RUN /buildpack/bin/compile /app
      ONBUILD ENV PORT 5000
      ONBUILD EXPOSE 5000
  40. `ONBUILD ONBUILD` dotcloud/docker#5714
  41. Buildstep https://github.com/progrium/buildstep
  42. https://github.com/radial/
  43. #!/usr/bin/env make -f
      buildpath := .build
      buildpackpath := $(buildpath)/pack
      buildpackcache := $(buildpath)/cache

      # recipe lines below must be indented with a tab
      build: $(buildpackpath)/bin
      	$(buildpackpath)/bin/compile . $(buildpackcache)

      $(buildpackcache):
      	mkdir -p $(buildpath)
      	mkdir -p $(buildpackcache)
      	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
      	mv go.tgz $(buildpath)

      $(buildpackpath)/bin: $(buildpackcache)
      	mkdir -p $(buildpackpath)
      	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
  44. ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

      app_container "myapp" do
        buildpack ruby
        git_url "git@mycompany.com:myapp.git"
      end

      define :app_container, name: nil, buildpack: nil, git_url: nil do
        # ...
        execute "#{name} buildpack compile" do
          command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
        end
      end
  45. recap: the container revolution
      container centric: whole image
      app centric: builds as a mapping layer
  46. Thank you! fabio@heroku.com. All images used in this presentation are under a Creative Commons License, unless otherwise noted. https://www.flickr.com/photos/compacflt/5948542359
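Slides 22 to 26 make the point that uid 0 inside a user namespace is not the host's uid 0, so a check like `if (getuid() == 0)` proves nothing, and SUID binaries that rely on it are equally misled. The script below is an added example, not code from the talk: two POSIX sh helpers that read /proc/self/uid_map and the CapEff line of /proc/self/status (what to look at instead of the uid), plus a live demo that uses util-linux unshare(1) to become "root" in a fresh user namespace and then fails to change the host's hostname. The file paths handed to the helpers and the sample map contents are assumptions for illustration; the demo is skipped when unshare is missing or user namespaces are blocked.

```shell
#!/bin/sh
# Added example (not from the talk): uid 0 stops being a privilege check once
# user namespaces exist. Two portable helpers show what to inspect instead.
# The live demo needs util-linux unshare(1) and a kernel that permits
# unprivileged user namespaces; it is skipped when either is missing.
set -eu

CAP_SYS_ADMIN=21   # bit number as in <linux/capability.h>

# uid_map_is_initial MAPFILE
# Lines of /proc/PID/uid_map read "inside outside count". Only the initial
# user namespace carries the identity map "0 0 4294967295"; anything else
# means uid 0 here is borrowed from some outer, possibly unprivileged, uid.
# Prints initial / mapped / unmapped and succeeds only for "initial".
uid_map_is_initial() {
    read -r inside outside count < "$1" || { echo unmapped; return 1; }
    if [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]; then
        echo initial
        return 0
    fi
    echo mapped
    return 1
}

# capeff_has STATUSFILE BIT
# Tests one bit of the CapEff hex mask in /proc/PID/status. Succeeds if the
# capability is in the effective set; returns 2 if there is no CapEff line.
capeff_has() {
    hex=$(sed -n 's/^CapEff:[[:space:]]*//p' "$1")
    [ -n "$hex" ] || return 2
    [ $(( (0x$hex >> $2) & 1 )) -eq 1 ]
}

# What the two checks say about the process running this script.
report_self() {
    printf 'id -u: %s, uid_map: %s, CAP_SYS_ADMIN: ' \
        "$(id -u)" "$(uid_map_is_initial /proc/self/uid_map || true)"
    if capeff_has /proc/self/status "$CAP_SYS_ADMIN"; then echo yes; else echo no; fi
}

# Become "root" in a fresh user namespace and see what that buys.
demo() {
    if [ "$(id -u)" = 0 ]; then
        echo "already real root; run this as an ordinary user to see the difference"
        return 0
    fi
    if ! command -v unshare >/dev/null 2>&1; then
        echo "unshare(1) not found; skipping live demo"
        return 0
    fi
    unshare --user --map-root-user sh -c '
        echo "id -u inside: $(id -u)   (getuid() == 0 would say: root)"
        printf "uid_map:    "; cat /proc/self/uid_map
        echo "CapEff:     $(sed -n "s/^CapEff:[[:space:]]*//p" /proc/self/status)   (every capability, valid in this namespace only)"
        if echo container-root > /proc/sys/kernel/hostname 2>/dev/null; then
            echo "hostname changed: unexpected"
        else
            echo "write to /proc/sys/kernel/hostname denied: it belongs to the parent namespace"
        fi
    ' || echo "unshare failed (user namespaces disabled or blocked here); skipping live demo"
}

report_self
demo
```

The uid_map check is the one to keep in mind for SUID binaries and setuid-checking library code: a map other than "0 0 4294967295" means the process may see uid 0 while the kernel treats it as the mapped outer uid for everything owned by the parent namespace.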
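Slides 38 to 44 describe builds as a mapping layer: a buildpack turns app source into a slug that runs on a shared base image, and the Makefile and Chef snippets drive a real buildpack that way. Below is an added example, not the talk's code and not Heroku's, that drives the three-script buildpack interface (bin/detect, bin/compile, bin/release) from POSIX sh against a tiny buildpack constructed inline, so it runs offline and shows the contract end to end, including the "not my app" case. The demo buildpack, the hello.txt marker file, the slug layout and the directory names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the talk): the buildpack contract driven from sh.
# The "Hello" buildpack is constructed here so the script runs offline; the
# three scripts and their arguments follow the buildpack API the slides use.
set -eu

# make_demo_buildpack DIR: write a minimal buildpack into DIR.
make_demo_buildpack() {
    mkdir -p "$1/bin"
    # detect BUILD_DIR: claim the app only if it carries the marker file.
    # The exit status is the answer; the name on stdout is for the build log.
    cat > "$1/bin/detect" <<'EOF'
#!/bin/sh
[ -f "$1/hello.txt" ] || exit 1
echo "Hello"
EOF
    # compile BUILD_DIR CACHE_DIR: turn app source into a runnable tree.
    # CACHE_DIR is kept between builds; BUILD_DIR becomes the slug.
    cat > "$1/bin/compile" <<'EOF'
#!/bin/sh
set -e
build="$1"; cache="$2"
mkdir -p "$cache" "$build/bin"
echo "compiled at $(date +%s)" >> "$cache/history"
cat > "$build/bin/web" <<'WEB'
#!/bin/sh
cat "$(dirname "$0")/../hello.txt"
WEB
chmod +x "$build/bin/web"
EOF
    # release BUILD_DIR: YAML telling the runtime how to start the app.
    cat > "$1/bin/release" <<'EOF'
#!/bin/sh
cat <<YAML
---
default_process_types:
  web: bin/web
YAML
EOF
    chmod +x "$1/bin/detect" "$1/bin/compile" "$1/bin/release"
}

# buildpack_build APP BUILDPACK CACHE SLUG
# Runs detect/compile/release and packs the built tree into SLUG (tar.gz).
# Returns 1 and writes nothing if the buildpack does not claim the app.
buildpack_build() {
    app="$1"; bp="$2"; cache="$3"; slug="$4"
    name=$("$bp/bin/detect" "$app") || { echo "no buildpack detected $app" >&2; return 1; }
    printf '%s\n' "-----> $name app detected"
    "$bp/bin/compile" "$app" "$cache"
    "$bp/bin/release" "$app" > "$app/.release"   # process types, read back by the runtime
    tar -C "$app" -czf "$slug" .
    printf '%s\n' "-----> compiled slug: $(du -k "$slug" | cut -f1) KB"
}

# Demo: build a constructed app, then unpack the slug somewhere else and run
# it, which is all a "dyno" does on top of the shared base image.
demo() {
    tmp=$(mktemp -d)
    make_demo_buildpack "$tmp/bp"
    mkdir -p "$tmp/app"
    echo "hello from a slug" > "$tmp/app/hello.txt"
    buildpack_build "$tmp/app" "$tmp/bp" "$tmp/cache" "$tmp/slug.tgz"
    mkdir -p "$tmp/dyno"
    tar -C "$tmp/dyno" -xzf "$tmp/slug.tgz"
    "$tmp/dyno/bin/web"
    rm -rf "$tmp"
}

demo
```

The cache directory is the part worth noticing when moving this between providers: it is the only state that crosses builds, so a portable build layer has to carry it explicitly (or accept cold builds), while the slug itself is a plain tarball that any base image with the expected runtime can unpack and start.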