Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Containerd: Building a Container Supervisor by Michael Crosby

18,271 views

Published on

Containerd is a container supervisor that allows users to manage the lifecycle of a container as well as interact with the container while it is executing. Containerd was built to fulfill many of the requirements that we expect from a modern supervisor all while staying small and fast. In this talk, we will discuss some of the design decisions that shaped containerd’s architecture that allows it to reattach to running containers if it was killed and how it is designed to start 100s containers in seconds.

Published in: Technology

Containerd: Building a Container Supervisor by Michael Crosby

  1. 1. Building a Container Supervisor Michael Crosby
  2. 2. Docker since 0.3 - maintainer dockerui - author libcontainer - author nsinit - author runc - author OCI - maintainer containerd - author > whoami
  3. 3. containerd ● Fast, lightweight container supervisor ● runc (OCI) multiplexer ● Container lifecycle operations ● rm -rf docker/daemon/execdrivers > man containerd
  4. 4. ● runc integration ● Multiple runtime support ● Execution v2 ● Decouple Execution from filesystem ● daemonless containers ● cleaner development > why
  5. 5. ● lock free event loop ● concurrency control ○ 10 > 100 at a time ● easier to new developers > events
  6. 6. Benchmarks > ./benchmark -count 100 INFO[0001] 1.149902846 seconds
  7. 7. Managing state is easy when you don’t have any. Don’t keep anything in memory. > container state
  8. 8. Restore > containerd --debug DEBU[0000] containerd: container restored id=0 DEBU[0000] containerd: container restored id=1 DEBU[0000] containerd: container restored id=2 DEBU[0000] containerd: container restored id=3 DEBU[0000] containerd: container restored id=4 DEBU[0000] containerd: container restored id=5 DEBU[0000] containerd: container restored id=6 ...
  9. 9. ● Exit code ● TTY / STDIO ● Reparenting to sysinit > shim
  10. 10. ● Pipe + File ● O_CLOEXEC ● Multiple subscribers > exit status
  11. 11. O_CLOEXEC if (mkfifo("exit-fifo", 0666) != 0) { printf("%sn", strerror(errno)); exit(EXIT_FAILURE); } int fd = open("exit-fifo", O_WRONLY | O_CLOEXEC, 0);
  12. 12. ● FIFOs - the good, bad, and the stupid ● open() never blocks :trollface: ● fifos have a buffer ○ /proc/sys/fs/pipe-max-size > stdio reattach
  13. 13. ● prctl - PR_SET_CHILD_SUBREAPER ● system init > re-parenting
  14. 14. 1. Your parent is the process that forked you, your mommy 2. If your parent dies, your new parent is PID 1*, the creator 3. If the parent(s) of your parent has the subreaper set, they will become your parent not PID 1, your nana 4. If you die then your parent dies before doing a wait4(), you’re a zombie > re-parenting rules
  15. 15. PR_SET_CHILD_SUBREAPER > ./parent main() parent 27538 child process 27540 with parent 27539 parent 27539 exiting child process 27540 with new parent 2391 > ps x | grep 2391 2391 ? Ss 0:00 /sbin/upstart --user
  16. 16. PR_SET_CHILD_SUBREAPER > ./parent --subreaper main() parent 27543 child process 27545 with parent 27544 parent 27544 exiting child process 27545 with new parent 27543
  17. 17. How do you connect to OOM notifications before the user process starts? > The OOM Problem
  18. 18. ● create ○ initialize namespaces and config ● start ○ exec the user’s process ● delete ○ destroy the container > runtime workflow
  19. 19. 1. Create container 2. Register OOM handler 3. Exec the user's process > runtime workflow
  20. 20. https://github.com/crosbymichael/dockercon-2016 > code
  21. 21. Thank you!

×