Containment without Containers
Running Windows Microservices on Nomad
Justen Walker
Software Engineer
Microservice Platform Team
Some stuff we work with
Overview
• Containment on Windows
• What is a Job Object
• Containing with Damon
• Go + Win32 API
• Lots of weird-looking Go
WARNING: There are QR Codes in the slides
Calibrate your sensors
Containment on Windows
What is a container
Source: https://msdn.microsoft.com/en-us/magazine/mt797649
bit.ly/2ymVaVL
Containment on Windows
• Windows Container Options
• “Process” Containers
(Windows Server Containers)
• Hyper-V Containers
Windows Server & Docker
The Internals Behind Bringing
Docker & Containers to Windows
- John Starks & Taylor Brown
@ DockerCon16
bit.ly/2QWMtIw
Windows Server Containers
• Highly Integrated System
• DLLs are the API, not syscalls
• Tightly coupled dependencies
• System Services + Hidden RPCs
• Process Containers…
WSC Portability
• Container Windows Build must match Host
• Larger images
• No FROM scratch
Windows Container Version
Compatibility
bit.ly/2pVTnlC
Windows Hyper-V Containers
• VM per container
• Optimized to run containers
• More Portable
• More Overhead
• Back to VMs
• More supporting processes
• Nested Virtualization
Hypervisor Running your Cloud VM
Docker for Windows
“Just Works”*
But, Wait!
Do I need…
- Overhead for isolation?
- VM inception?
- Painful Windows Upgrades?
Job Objects
“A job object allows groups of
processes to be managed as a unit …
enforcing limits such as working set
size and process priority or terminating
all processes associated with a job.”
bit.ly/2CmG6Kz
Job Objects
• Sort of like Linux cgroups
• Used by Windows Server Containers
• Do provide Resource Constraints
• Do Not provide Isolation
Using Job Objects
Win32 API (C, .NET, PowerShell?)
• CreateJobObjectW => hJob
• SetInformationJobObject(hJob, info) // Set Constraints
• CreateProcessW(CREATE_SUSPENDED) => hProc + hThread // Suspended
• AssignProcessToJobObject(hProc)
• ResumeThread(hThread)
Process constrained within Job!
Damon
Damon is a supervisor program that constrains Windows executables run with raw_exec on Nomad.
• 100% Golang (no CGO)
• JobObject Resource Limits
• Restricted Tokens
• Prometheus Metrics
github.com/jet/damon
Damon + Nomad via raw_exec
Damon + Nomad + Prometheus
Go + Win32 API without CGO
• Creating a Job Object from Go
• Loading Windows DLL
• Discovering API Call Signature
• Creating C strings and Wide Strings
• Constructing a C-Compatible Go Structure
• Calling the Windows API procedures
Blog: Breaking all the rules:
Using Go to call Windows API
bit.ly/2AYJidz
Windows DLLs in Go
// Lazily load kernel32.dll and look up its exports by name. Nothing is
// loaded until the first Call, so a missing export only fails at that point.
var kernel32DLL = syscall.NewLazyDLL("kernel32.dll")
var procCreateJobObjectA = kernel32DLL.NewProc("CreateJobObjectA")
var procCreateJobObjectW = kernel32DLL.NewProc("CreateJobObjectW")
Server Core Functions by DLL
bit.ly/2PbkGXx
API Call Signatures
#define LPCSTR const char*
typedef struct _SECURITY_ATTRIBUTES {
    DWORD  nLength;
    LPVOID lpSecurityDescriptor;
    BOOL   bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;
HANDLE CreateJobObjectA(
    LPSECURITY_ATTRIBUTES lpJobAttributes,
    LPCSTR                lpName
);
CreateJobObjectA reference
bit.ly/2yoPPgD
Creating C strings in Go
import "unicode/utf16"

// StringToCharPtr returns a pointer to a NUL-terminated copy of str (LPCSTR).
func StringToCharPtr(str string) *uint8 {
    chars := append([]byte(str), 0) // null terminated
    return &chars[0]
}

// StringToUTF16Ptr returns a pointer to a NUL-terminated UTF-16 copy of str (LPCWSTR).
// The terminator is the byte "\x00"; the three-character text "x00" would be encoded
// literally and the API would read past the end of the buffer looking for the end.
func StringToUTF16Ptr(str string) *uint16 {
    wchars := utf16.Encode([]rune(str + "\x00"))
    return &wchars[0]
}
Creating a C Struct
// C
struct SECURITY_ATTRIBUTES {
    DWORD  nLength;
    LPVOID lpSecurityDescriptor;
    BOOL   bInheritHandle;
};
// Go: same field order; DWORD and BOOL are 32-bit, LPVOID is pointer-sized
type SecurityAttributes struct {
    Length             uint32
    SecurityDescriptor uintptr
    InheritHandle      uint32
}
Windows Data Types Reference
bit.ly/2lz2lXb
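An added example (not from the slides or the Damon project) that exercises both the string conversions and the struct mirror above and runs on any OS: it rejects embedded NUL bytes, which a C string would silently truncate at, walks each result back to its terminator the way the callee would, and checks the Go mirror of SECURITY_ATTRIBUTES with unsafe.Sizeof/Offsetof before it is handed to an API. CStringLen, WideStringLen, Layout and SecurityAttributesLayout are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
	"unsafe"
)

// PtrSize is the size of LPVOID on the build target (8 on 64-bit, 4 on 32-bit).
const PtrSize = unsafe.Sizeof(uintptr(0))

// ErrEmbeddedNUL mirrors the check syscall.BytePtrFromString performs: a Go
// string may contain NUL bytes, but C stops at the first one, so passing such
// a string through unchanged would hand the API a silently truncated name.
var ErrEmbeddedNUL = errors.New("string contains an embedded NUL")

// StringToCharPtr returns a pointer to a NUL-terminated copy of s (LPCSTR).
func StringToCharPtr(s string) (*byte, error) {
	for i := 0; i < len(s); i++ {
		if s[i] == 0 {
			return nil, ErrEmbeddedNUL
		}
	}
	chars := append([]byte(s), 0) // the trailing 0 is the C terminator
	return &chars[0], nil
}

// StringToUTF16Ptr returns a pointer to a NUL-terminated UTF-16 copy of s
// (LPCWSTR). Runes outside the BMP become surrogate pairs, so the unit count
// can exceed the rune count.
func StringToUTF16Ptr(s string) (*uint16, error) {
	for _, r := range s {
		if r == 0 {
			return nil, ErrEmbeddedNUL
		}
	}
	wchars := utf16.Encode([]rune(s + "\x00")) // "\x00", not the literal text "x00"
	return &wchars[0], nil
}

// CStringLen walks p to its terminator exactly as a C callee would.
func CStringLen(p *byte) int {
	n := 0
	for *(*byte)(unsafe.Add(unsafe.Pointer(p), n)) != 0 {
		n++
	}
	return n
}

// WideStringLen does the same for a UTF-16 string (2 bytes per unit).
func WideStringLen(p *uint16) int {
	n := 0
	for *(*uint16)(unsafe.Add(unsafe.Pointer(p), 2*n)) != 0 {
		n++
	}
	return n
}

// SecurityAttributes is the Go mirror of SECURITY_ATTRIBUTES from the slides.
// Go pads fields to their natural alignment just as the C compiler does, so
// the offsets can be checked rather than assumed.
type SecurityAttributes struct {
	Length             uint32  // DWORD nLength
	SecurityDescriptor uintptr // LPVOID lpSecurityDescriptor
	InheritHandle      uint32  // BOOL bInheritHandle
}

// Layout records where the API will look for each field.
type Layout struct {
	LengthOff, DescriptorOff, InheritOff, Size uintptr
}

// SecurityAttributesLayout reports the struct's offsets and total size
// (0, 8, 16 and 24 on 64-bit builds; 0, 4, 8 and 12 on 32-bit ones).
func SecurityAttributesLayout() Layout {
	var sa SecurityAttributes
	return Layout{
		LengthOff:     unsafe.Offsetof(sa.Length),
		DescriptorOff: unsafe.Offsetof(sa.SecurityDescriptor),
		InheritOff:    unsafe.Offsetof(sa.InheritHandle),
		Size:          unsafe.Sizeof(sa),
	}
}

// NewSecurityAttributes fills nLength, which Windows uses to recognise the
// struct version, and sets bInheritHandle as a C BOOL (0 or 1).
func NewSecurityAttributes(inherit bool) SecurityAttributes {
	sa := SecurityAttributes{Length: uint32(unsafe.Sizeof(SecurityAttributes{}))}
	if inherit {
		sa.InheritHandle = 1
	}
	return sa
}

func main() {
	p, _ := StringToCharPtr("damon")
	w, _ := StringToUTF16Ptr("Global\\damon")
	fmt.Println(CStringLen(p), WideStringLen(w), SecurityAttributesLayout())
}
```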
Calling API from Go
// CreateJobObject wraps CreateJobObjectA. A NULL return (ret == 0) means failure
// and err then carries GetLastError. Do not treat a non-zero err alone as failure:
// opening an existing named job returns a valid handle while GetLastError
// reports ERROR_ALREADY_EXISTS.
func CreateJobObject(attr *syscall.SecurityAttributes, name string) (syscall.Handle, error) {
    ret, _, err := procCreateJobObjectA.Call(
        uintptr(unsafe.Pointer(attr)),
        uintptr(unsafe.Pointer(StringToCharPtr(name))),
    )
    if ret == 0 {
        return 0, err
    }
    return syscall.Handle(ret), nil
}
godoc: unsafe.Pointer
bit.ly/2q3Hmup
Recap
• Docker + Nomad on Windows works*
• Job Objects: light weight constraints
• Use Damon to constrain exes on Nomad
• DIY! Go + Win32 API hacking
Reach me at
justenwalker
@justenwalker
Please check out github.com/jet/damon
Working with Raw Memory
// Many Win32 APIs are "call twice": pass a buffer and its length; if the
// buffer is too small they fail with ERROR_INSUFFICIENT_BUFFER and write the
// size they need into buflen. Start with a non-empty buffer, because
// &buffer[0] panics on a nil or empty slice.
var (
    buflen uint32 = 64 // DWORD in the API; holds the required size after a failed call
    buffer        = make([]byte, buflen)
    err    error
    ret    uintptr
)
for {
    ret, _, err = procSomeWindowsAPI.Call(
        uintptr(unsafe.Pointer(&buffer[0])),
        uintptr(unsafe.Pointer(&buflen)),
    )
    if err == syscall.ERROR_INSUFFICIENT_BUFFER {
        buffer = make([]byte, buflen) // grow to the size the API asked for and retry
        continue
    }
    break
}
// check err and ret before this
result := (*WinAPIGoStruct)(unsafe.Pointer(&buffer[0]))
Working with ANY_SIZE arrays
// C declares the trailing array as Groups[ANYSIZE_ARRAY] (one element);
// the real elements, Count of them, follow it in the same buffer.
type GroupResult struct {
    Count  uint32
    Groups [1]Group
}
gr := (*GroupResult)(unsafe.Pointer(&buffer[0]))
// Reinterpret the address of Groups as a huge array type, then slice it:
// offset 0, length gr.Count, capacity gr.Count (Length = Capacity), so the
// slice cannot be appended past the data the API actually wrote.
groups := (*[1 << 30]Group)(unsafe.Pointer(&gr.Groups))[0:gr.Count:gr.Count]
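An added example (not from the slides or the Damon project) of the grow-the-buffer loop and the ANY_SIZE slicing above, written so it also runs off Windows: FakeGroupAPI stands in for a call-twice Win32 API, ErrInsufficientBuffer for syscall.ERROR_INSUFFICIENT_BUFFER (which Go's syscall package only defines on Windows), and Group, QueryGroups and LegacyView are this example's own names; the group values are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"unsafe"
)

// ErrInsufficientBuffer stands in for syscall.ERROR_INSUFFICIENT_BUFFER (122),
// which the syscall package only defines when building for Windows.
var ErrInsufficientBuffer = errors.New("ERROR_INSUFFICIENT_BUFFER")

// Group is a fixed-size element of the kind the API packs after the header.
type Group struct {
	ID         uint32
	Attributes uint32
}

// GroupResult mirrors a "count + ANY_SIZE array" header: C declares
// Groups[ANYSIZE_ARRAY] with one element, and Count elements actually follow.
type GroupResult struct {
	Count  uint32
	Groups [1]Group
}

// bytesNeeded is the size the API requires for n groups: the header already
// holds one element, so only n-1 more are appended after it.
func bytesNeeded(n int) uint32 {
	need := uint32(unsafe.Sizeof(GroupResult{}))
	if n > 1 {
		need += uint32(n-1) * uint32(unsafe.Sizeof(Group{}))
	}
	return need
}

// FakeGroupAPI plays the role of procSomeWindowsAPI. Like the real call-twice
// APIs it writes the required size into *buflen and fails when the caller's
// buffer is too small; it also counts calls so the retry can be observed.
type FakeGroupAPI struct {
	Groups []Group // constructed sample data the "API" returns
	Calls  int
}

func (f *FakeGroupAPI) Call(buf unsafe.Pointer, buflen *uint32) error {
	f.Calls++
	if need := bytesNeeded(len(f.Groups)); *buflen < need {
		*buflen = need
		return ErrInsufficientBuffer
	}
	hdr := (*GroupResult)(buf)
	hdr.Count = uint32(len(f.Groups))
	copy(unsafe.Slice(&hdr.Groups[0], len(f.Groups)), f.Groups)
	return nil
}

// QueryGroups is the slide's loop made concrete: call, on
// ERROR_INSUFFICIENT_BUFFER reallocate to the size the API reported, retry,
// then view the raw bytes as GroupResult and slice the ANY_SIZE array to
// Count elements without copying. The returned slice aliases the buffer,
// which stays alive for as long as the slice does.
func QueryGroups(api func(unsafe.Pointer, *uint32) error) ([]Group, error) {
	buffer := make([]byte, 8) // deliberately too small, but never empty: &buffer[0] would panic
	for {
		buflen := uint32(len(buffer))
		err := api(unsafe.Pointer(&buffer[0]), &buflen)
		if errors.Is(err, ErrInsufficientBuffer) {
			// buflen now holds the required size; round up to 8 so the
			// allocation is aligned for the struct view below.
			buffer = make([]byte, (buflen+7)&^7)
			continue
		}
		if err != nil {
			return nil, err
		}
		break
	}
	gr := (*GroupResult)(unsafe.Pointer(&buffer[0]))
	// Since Go 1.17 unsafe.Slice gives the same "pointer + count" view as the
	// big-array cast on the slide.
	return unsafe.Slice(&gr.Groups[0], int(gr.Count)), nil
}

// LegacyView is the slide's original form of the same view: reinterpret the
// array's address as a huge array type and slice it with length == capacity.
func LegacyView(gr *GroupResult) []Group {
	return (*[1 << 30]Group)(unsafe.Pointer(&gr.Groups))[0:gr.Count:gr.Count]
}

func main() {
	api := &FakeGroupAPI{Groups: []Group{{ID: 513, Attributes: 7}, {ID: 1001, Attributes: 4}}}
	groups, err := QueryGroups(api.Call)
	fmt.Println(groups, err, "calls:", api.Calls)
}
```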
Thank You Again!
Reach me at
justenwalker
@justenwalker
Please check out github.com/jet/damon
