Docker, what's next?
by Riza F. Ariyanto


  1. DEVOPS INDONESIA, DevOps Community in Indonesia. Jakarta, 20 August 2019. Docker, What's next?
  2. Riza F. Ariyanto ($rfebriya): DevSecOps enthusiast, self-proclaimed runner, 4+ years of DevOps experience in the banking industry.
  3. Background
  4. Still Background
  5. Docker
     • 3.5 million applications have been placed in containers using Docker technology
     • 37 billion containerized applications have been downloaded
     • 451 Research also sees Docker technology being wildly successful
     • Annual revenue is expected to increase 4x, growing from $749 million in 2016 to more than $3.4 billion by 2021
  6. Docker
     • A container image format
     • A method for building container images (Dockerfile / docker build)
     • A way to manage container images (docker images, docker rmi, etc.)
     • A way to manage instances of containers (docker ps, docker rm, etc.)
     • A way to share container images (docker push/pull)
     • A way to run containers (docker run)
  7. Moby. Source: Solomon Hykes @solomonstre
  8. Moby: https://github.com/moby/moby and https://github.com/docker/cli
  9. The History of Containers
     1979: chroot syscall added
     2000: jails added to FreeBSD
     2001: Linux-VServer project
     2003: SELinux added to Linux mainline
     2005: full release of Solaris Zones
     2006: Process Containers (Google)
     2007: GPC renamed cgroups
     2008: kernel & user namespaces
     2008: Linux Container project (LXC)
     2013: dotCloud PyCon lightning talk
     2013: dotCloud becomes Docker
     2013: Red Hat Enterprise Linux
     2014: Google Kubernetes
  10. Container: important corrections
     ● Containers do not run ON Docker. Containers are processes; they run on the Linux kernel. Containers are Linux.
     ● The docker daemon is one of many user-space tools/libraries that talk to the kernel to set up containers.
  11. Container Engine
     1. Provide an API / user interface
        ○ We really want a simple API and/or command-line tool; that is how the docker command-line interface and API were developed.
     2. Pull and expand images to disk
        ○ The container engine has to pull the images into a local cache.
        ○ It extracts the image layers to disk when a container is created.
     3. Build a config.json
        ○ The container engine is responsible for creating the config.json (the OCI runtime configuration) and passing it to runc.
  12. Container Runtime
     ● Consumes the container mount point provided by the container engine
     ● Consumes the container metadata (config.json) provided by the container engine
     ● Communicates with the kernel to start containerized processes (clone system call)
     ● Sets up cgroups
     ● Sets up the SELinux policy
     ● Sets up AppArmor rules
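The config.json that the Container Engine slide says gets handed to runc is where the namespaces, capabilities, seccomp profile and root filesystem flags from the Container Runtime slide are actually decided, so it is the file a reviewer wants to audit. The following is an added example written for this page, not code from the talk, from runc or from any engine: a small auditor for the security-relevant fields of an OCI runtime config, plus a function that tightens them. The sample config is constructed in the shape `runc spec` produces and is deliberately weak; the uid/gid mapping range (100000) and the tiny seccomp allow-list are placeholders chosen for the example.

```python
"""Audit and harden an OCI runtime config.json, the file a container engine builds
and hands to runc. Added example for these slides, not code from the talk or from
runc; the sample config below is constructed and deliberately weak."""
import json

# Constructed sample in the shape `runc spec` produces, minus fields that do not
# matter here. Weak on purpose: host network namespace, root without a user
# namespace, CAP_SYS_ADMIN, writable rootfs, no seccomp, no masked paths.
SAMPLE_CONFIG = json.dumps({
    "ociVersion": "1.0.1",
    "process": {
        "terminal": False,
        "user": {"uid": 0, "gid": 0},
        "args": ["sh"],
        "cwd": "/",
        "capabilities": {
            "bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
            "effective": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
            "permitted": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"],
        },
        "noNewPrivileges": False,
    },
    "root": {"path": "rootfs", "readonly": False},
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "uts"}, {"type": "ipc"}],
    },
})

# Capabilities that let a process reach outside the container (mount, ptrace,
# module loading, raw device I/O, network stack changes, reading any file).
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                  "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}
# Namespaces an ordinary workload is expected to have unshared from the host.
EXPECTED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}
# A subset of the paths `runc spec` masks by default so /proc does not leak
# kernel memory, keys or scheduler state into the container.
DEFAULT_MASKED_PATHS = ["/proc/kcore", "/proc/keys", "/proc/latency_stats",
                        "/proc/timer_list", "/proc/sched_debug", "/sys/firmware"]


def audit_config(config_text: str) -> list[str]:
    """Return human-readable findings for a config.json; empty means nothing flagged."""
    cfg = json.loads(config_text)
    process = cfg.get("process", {})
    linux = cfg.get("linux", {})
    findings = []
    ns_types = {ns["type"] for ns in linux.get("namespaces", [])}
    for missing in sorted(EXPECTED_NAMESPACES - ns_types):
        findings.append(f"namespace '{missing}' is shared with the host")
    if process.get("user", {}).get("uid", 0) == 0 and "user" not in ns_types:
        findings.append("uid 0 without a user namespace: root inside is root outside")
    bounding = set(process.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"bounding capability set grants {cap}")
    if not process.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is false: setuid binaries can regain privilege")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("rootfs is writable")
    if "seccomp" not in linux:
        findings.append("no seccomp profile: every syscall is allowed")
    if not linux.get("maskedPaths"):
        findings.append("no maskedPaths: /proc/kcore and friends are readable")
    return findings


def harden_config(config_text: str) -> str:
    """Return a copy of the config with every audited setting tightened."""
    cfg = json.loads(config_text)
    process = cfg.setdefault("process", {})
    linux = cfg.setdefault("linux", {})
    namespaces = linux.setdefault("namespaces", [])
    present = {ns["type"] for ns in namespaces}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        namespaces.append({"type": ns})
    if "user" not in present:
        # Map container root onto an unprivileged host range (placeholder ids).
        namespaces.append({"type": "user"})
        linux["uidMappings"] = [{"containerID": 0, "hostID": 100000, "size": 65536}]
        linux["gidMappings"] = [{"containerID": 0, "hostID": 100000, "size": 65536}]
    caps = process.setdefault("capabilities", {})
    for cap_set in ("bounding", "effective", "permitted", "inheritable", "ambient"):
        if cap_set in caps:
            caps[cap_set] = [c for c in caps[cap_set] if c not in DANGEROUS_CAPS]
    process["noNewPrivileges"] = True
    cfg.setdefault("root", {})["readonly"] = True
    if "seccomp" not in linux:
        # Placeholder profile: real deployments attach the runtime's default
        # profile, which allow-lists a few hundred syscalls.
        linux["seccomp"] = {
            "defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [{"names": ["read", "write", "exit", "exit_group"],
                          "action": "SCMP_ACT_ALLOW"}],
        }
    if not linux.get("maskedPaths"):
        linux["maskedPaths"] = list(DEFAULT_MASKED_PATHS)
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("after hardening:", audit_config(harden_config(SAMPLE_CONFIG)) or "clean")
```

Run against a real bundle, `audit_config(open("config.json").read())` flags the same things a reviewer checks by hand when an engine's defaults are loosened (`--privileged`, `--net=host`, `--cap-add`); the hardened copy is a starting point, not a drop-in replacement, because the user-namespace mappings and seccomp allow-list have to match the workload.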
  13. You guys should read this: https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r
  14. So what is actually Docker? Source: https://www.aquasec.com/wiki/display/containers/Docker+Architecture
  15. So what is actually Docker nowadays?
     ● Docker contributed that library (libcontainer) to the OCI standards body as the reference implementation, called runc.
     ● runc is a lightweight tool that does one thing and does it well: it runs a container.
     ● containerd is a simple daemon that uses runc to manage containers and exposes
     ● Docker Engine exposes not only containers but also images, volumes, networks, builds, etc., using a full-blown HTTP API.
  16. It's not finished
     2015: Red Hat Container Platform 3.0
     2015: Standards via OCI and CNCF
     2015: Tectonic announced
     2016: Docker Engine 1.12 adds Swarm
     2016: containerd project launched
     2016: CRI-O project launched under the name OCID
     2016: Skopeo project launched under the name OCID
     2017: Moby project announced
     2017: Docker includes the new containerd
     2017: v1.0 of the OCI image & runtime specs
     2017: Buildah released and ships in RHEL
     2017: Kata merges the Clear Containers & runV projects
     2018: CRI-O is GA and powers OpenShift Online
     2018: Podman released and ships in RHEL
     2018: OCI distribution spec work started (its v1.0 was not released until 2021)
  17. Standardise Containers
     • The goal of the OCI is to avoid a "balkanization" of the container ecosystem and ensure that containers built with one engine can run on another
     • Runtime spec (runc is the reference implementation)
     • Image spec
     • Distribution spec
  18. Use APIs/interfaces to container runtimes
  19. How a container gets created in a Kubernetes environment
     At a high level, conceptually: Orchestration API -> Container Engine API -> Kernel API
     Digging one level deeper: Kubernetes Master -> Kubelet -> Docker Engine -> containerd -> runc -> Linux kernel
  20. Next
     In OpenShift 4 they are moving to this architecture: Kubernetes Master -> Kubelet -> CRI-O -> runc -> Linux kernel
     In the coming months, some Kubernetes deployments could theoretically look like this, with containerd: Kubernetes Master -> Kubelet -> containerd -> runc -> Linux kernel
  21. Does it matter? CRI-O vs containerd? Which one should we use?
  22. Does it matter?
  23. Docker alternatives
     • A method for building container images (Dockerfile / docker build)
     • A way to manage container images (docker images, docker rmi, etc.)
     • A way to manage instances of containers (docker ps, docker rm, etc.)
     • A way to share container images (docker push/pull)
     • A way to run containers (docker run)
  24. CRI-O
  25. CRI-O: open source & open governance. Lean, stable, secure and BORING!
     ● Tied to the CRI
     ● Shaped around Kubernetes
     ● Its only supported user is Kubernetes
     ● Versioning and support are tied to Kubernetes
  26. Podman
  27. Podman: library (libpod) and CLI (podman) for managing OCI-based pods, containers and container images
     • Replacement for the docker CLI (the same familiar commands)
     • Shares its image and storage libraries with CRI-O
     • No daemon running
  28. Demo Podman
     $ docker images                          # what the Docker daemon has in its store
     $ sudo systemctl stop docker             # Podman needs no daemon; stop Docker to prove it
     $ podman images                          # Podman keeps its own image store, so Docker's images do not show here
     $ podman run -it -d --rm -p 8080:80 nginx
     $ curl http://localhost:8080
     $ podman ps
     $ podman logs <CONTAINER_ID>
     $ podman exec -t <CONTAINER_ID> ls /etc/nginx
     $ podman images
     $ podman run -t fedora echo "Hello Riza"
     $ podman ps -a
  29. Skopeo
     • Copy images between registries and local storage (multiple transports)
     • Inspect images
     • Delete an image from a repository
     • Standalone binary, no daemon running
     • Perfect for pipelines (e.g. Jenkins)
  30. Demo Skopeo: copy an image
     $ skopeo copy docker://busybox:latest docker-daemon:riza/busybox:200819    # registry -> local Docker daemon
     $ skopeo copy docker://busybox:latest docker://rfebriya/busybox:200819     # registry -> registry, nothing pulled through a daemon
     $ docker images
     $ docker run -it --rm -d riza/busybox:200819
     $ docker ps -a
     $ docker rm -f $(docker ps -qa)          # -f: the busybox container is still running
     $ skopeo inspect docker://busybox:latest
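The pipeline use case on the Skopeo slide has one security detail the demo skips: `busybox:latest` is a mutable tag, so the image a pipeline inspected is not necessarily the one it copies a moment later. The robust pattern is to resolve the tag to its manifest digest (the `Digest` field of `skopeo inspect`, which is the sha256 of the manifest bytes that `skopeo inspect --raw` returns) and feed the `repo@sha256:...` reference to `skopeo copy`. The block below is an added example for this page, not code from the talk or from the skopeo project. It embeds a constructed manifest and constructed inspect output (the layer and config digests are made-up `11...`/`22...` values) so it runs offline; in a real pipeline both would come from `subprocess.run(["skopeo", "inspect", ...])`.

```python
"""Pin a docker:// tag reference to its manifest digest from `skopeo inspect` output.
Added example for the Skopeo slides; not from the talk or the skopeo project.
The manifest and inspect output are constructed stand-ins so this runs offline."""
import hashlib
import json

# Constructed stand-in for the bytes `skopeo inspect --raw docker://busybox:latest`
# returns: the manifest exactly as the registry serves it. Digests are made up.
RAW_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1493, "digest": "sha256:" + "11" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 764618, "digest": "sha256:" + "22" * 32}],
}, separators=(",", ":")).encode()


def manifest_digest(raw_manifest: bytes) -> str:
    """A registry digest is the sha256 over the manifest bytes as served; even a
    changed byte of whitespace yields a different digest."""
    return "sha256:" + hashlib.sha256(raw_manifest).hexdigest()


# Constructed stand-in for `skopeo inspect docker://busybox:latest` (without --raw).
# In a real run the Digest comes from the registry; here it is derived from the
# constructed manifest so the two samples agree.
INSPECT_OUTPUT = json.dumps({
    "Name": "docker.io/library/busybox",
    "Digest": manifest_digest(RAW_MANIFEST),
    "RepoTags": ["latest", "1.31"],
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": ["sha256:" + "22" * 32],
})


def split_reference(ref: str) -> tuple[str, str, str]:
    """Split 'docker://registry:5000/ns/name:tag' into (transport, repository, tag).
    Handles registry ports by splitting on the last '/' before looking for ':'."""
    transport, _, rest = ref.partition("://")
    if not rest:
        raise ValueError(f"expected a transport like docker://, got {ref!r}")
    head, sep, last = rest.rpartition("/")
    if "@" in last:
        raise ValueError(f"reference is already pinned by digest: {ref!r}")
    name, _, tag = last.partition(":")
    repository = f"{head}/{name}" if sep else name
    return transport, repository, tag or "latest"


def pin_reference(ref: str, inspect_json: str, raw_manifest: bytes) -> str:
    """Turn a mutable tag reference into an immutable digest reference, refusing
    to proceed if the reported digest does not match the manifest bytes fetched
    (the tag may have moved between the two lookups, or the output was altered)."""
    transport, repository, _tag = split_reference(ref)
    reported = json.loads(inspect_json)["Digest"]
    computed = manifest_digest(raw_manifest)
    if reported != computed:
        raise ValueError(f"digest mismatch: inspect reports {reported}, "
                         f"manifest hashes to {computed}")
    return f"{transport}://{repository}@{computed}"


if __name__ == "__main__":
    pinned = pin_reference("docker://busybox:latest", INSPECT_OUTPUT, RAW_MANIFEST)
    print("skopeo copy", pinned, "docker://rfebriya/busybox:200819")
```

The printed `skopeo copy` line is what the Jenkins step should run instead of copying `busybox:latest` by tag: the destination tag can stay human-readable, but the source is now fixed to exactly the manifest that was inspected, and the mismatch check turns a moved tag into a failed build rather than a silently different image.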
  31. Buildah
     • Build images
     • No daemon running
     • Shell-like syntax
     • Build from Dockerfile(s)
  32. Demo Buildah (lines with a # prompt are typed inside the working container)
     $ container=$(buildah from fedora)       # create a working container from the fedora base image
     $ buildah containers
     $ buildah config --author "rfebriya" --label "METADATA=Built with buildah" $container
     $ buildah inspect $container
     $ buildah run $container sh              # open a shell inside the working container
     # echo "Hello Riza, built by Buildah" > /hello
     # ls /
     # cat /hello
     # exit
     $ buildah commit $container riza/example-buildah        # turn the working container into an image
     $ podman run -it riza/example-buildah cat /hello
     $ buildah bud -t riza/example-buildah-dockerfile:200819 -f 200819/Dockerfile .   # same result from a Dockerfile
     $ podman run -it riza/example-buildah-dockerfile:200819 cat /hello
  33. Dockerless: consume a Dockerfile, but build the image without a Docker daemon
     Pros:
     • docker build-like experience (just write a Dockerfile)
     • Less configuration
     • Docker image best practices can be codified into tools
     Cons:
     • Imperfect Dockerfile fidelity can make some use cases difficult
     • Different approaches to image layer construction; very fragmented across vendors, no real standard
  34. Conclusion
     1. Docker still provides a nice end-to-end experience with containers, especially for developers.
     2. The Docker engine doesn't move at the same speed as Kubernetes; it is on a totally different lifecycle (as is containerd). This makes it difficult to add features to the engine to support the kubelet.
     3. There are alternatives to Docker out there, and they are still far from finished.
  35. THANK YOU!
