CloudNative Days Spring 2021 ONLINE キーノートでの発表資料です。
https://event.cloudnativedays.jp/cndo2021/talks/1071
本セッションでは、DockerとKubernetesのもつ基本的な機能の概要を、コンテナの仕組みをふまえつつイラストを用いて紹介していきます。一般にあまり焦点をあてて取り上げられることは多くありませんが、コンテナの作成や管理を担う低レベルなソフトウェア「コンテナランタイム」も本セッションの中心的なトピックのひとつです。
本セッションは、拙著「イラストで分かるDockerとKubernetes」(技術評論社)の内容を参考にしています。
https://www.amazon.co.jp/dp/4297118378
CloudNative Days Spring 2021 ONLINE キーノートでの発表資料です。
https://event.cloudnativedays.jp/cndo2021/talks/1071
本セッションでは、DockerとKubernetesのもつ基本的な機能の概要を、コンテナの仕組みをふまえつつイラストを用いて紹介していきます。一般にあまり焦点をあてて取り上げられることは多くありませんが、コンテナの作成や管理を担う低レベルなソフトウェア「コンテナランタイム」も本セッションの中心的なトピックのひとつです。
本セッションは、拙著「イラストで分かるDockerとKubernetes」(技術評論社)の内容を参考にしています。
https://www.amazon.co.jp/dp/4297118378
CloudNative Days Tokyo 2020での、lazypullに関する発表資料です。https://event.cloudnativedays.jp/cndt2020/talks/16
Stargz Snapshotterのリポジトリ:
https://github.com/containerd/stargz-snapshotter
P2P Container Image Distribution on IPFS With containerd and nerdctlKohei Tokunaga
Talked at FOSDEM 2022 about IPFS-based P2P image distribution with containerd and nerdctl (Feburary 6, 2022).
https://fosdem.org/2022/schedule/event/container_ipfs_image/
nerdctl is a Docker-compatible CLI of containerd, developed as a subproject of containerd. nerdctl recently added support of P2P image distribution on IPFS. This enables to share container images among hosts without hosting or relying on the registry.
In this session, Kohei, one of the maintainers of nerdctl, will introduce IPFS-based P2P image distribution with containerd and nerdctl. This session will also show the combination of IPFS-based distribution with the existing image distribution techniques, focusing on lazy pulling (eStargz) and image encryption (OCIcrypt). The status of integration work with other tools including Kubernetes will also be shared.
Related blog post: "P2P Container Image Distribution on IPFS With Containerd" . https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d
ゼロから作るKubernetesによるJupyter as a Service ー Kubernetes Meetup Tokyo #43Preferred Networks
Preferred Networksでは新物質開発や材料探索を加速する汎用原子レベルシミュレータを利用できるクラウドサービスを開発しています。 顧客毎に独立した環境にユーザがJupyter Notebookを立ち上げ、自社PyPIパッケージによりAPI経由で弊社独自技術を簡単に利用できます。Kubernetesの機能を駆使してマルチテナント環境を構築しており、各顧客に独立したAPIサーバを提供し、その負荷状況によりAPIサーバをスケーリングさせたり、顧客毎にNotebookに対する通信制限や配置Nodeの制御などを実現しています。
本発表ではKubernetesによるマルチテナントJupyter as a Serviceの実現方法を紹介します。
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...Kohei Tokunaga
Talked about lazy pulling of container images with eStargz and Stargz Snapshotter at FOSDEM 2021.
Details: https://fosdem.org/2021/schedule/event/containers_lazy_pull/
Stargz Snapshotter: https://github.com/containerd/stargz-snapshotter
Remix of two other open source presentations along with my own content, 40 slides set to play at 20 seconds auto-timed (similar to Pecha-Kucha style timing). This was delivered via Caribbean Tech Dev forum's monthly Google Hangout in November 2015, and video can be viewed at https://www.youtube.com/watch?v=xANrsSin_-0
CloudNative Days Tokyo 2020での、lazypullに関する発表資料です。https://event.cloudnativedays.jp/cndt2020/talks/16
Stargz Snapshotterのリポジトリ:
https://github.com/containerd/stargz-snapshotter
P2P Container Image Distribution on IPFS With containerd and nerdctlKohei Tokunaga
Talked at FOSDEM 2022 about IPFS-based P2P image distribution with containerd and nerdctl (Feburary 6, 2022).
https://fosdem.org/2022/schedule/event/container_ipfs_image/
nerdctl is a Docker-compatible CLI of containerd, developed as a subproject of containerd. nerdctl recently added support of P2P image distribution on IPFS. This enables to share container images among hosts without hosting or relying on the registry.
In this session, Kohei, one of the maintainers of nerdctl, will introduce IPFS-based P2P image distribution with containerd and nerdctl. This session will also show the combination of IPFS-based distribution with the existing image distribution techniques, focusing on lazy pulling (eStargz) and image encryption (OCIcrypt). The status of integration work with other tools including Kubernetes will also be shared.
Related blog post: "P2P Container Image Distribution on IPFS With Containerd" . https://medium.com/nttlabs/nerdctl-ipfs-975569520e3d
ゼロから作るKubernetesによるJupyter as a Service ー Kubernetes Meetup Tokyo #43Preferred Networks
Preferred Networksでは新物質開発や材料探索を加速する汎用原子レベルシミュレータを利用できるクラウドサービスを開発しています。 顧客毎に独立した環境にユーザがJupyter Notebookを立ち上げ、自社PyPIパッケージによりAPI経由で弊社独自技術を簡単に利用できます。Kubernetesの機能を駆使してマルチテナント環境を構築しており、各顧客に独立したAPIサーバを提供し、その負荷状況によりAPIサーバをスケーリングさせたり、顧客毎にNotebookに対する通信制限や配置Nodeの制御などを実現しています。
本発表ではKubernetesによるマルチテナントJupyter as a Serviceの実現方法を紹介します。
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...Kohei Tokunaga
Talked about lazy pulling of container images with eStargz and Stargz Snapshotter at FOSDEM 2021.
Details: https://fosdem.org/2021/schedule/event/containers_lazy_pull/
Stargz Snapshotter: https://github.com/containerd/stargz-snapshotter
Remix of two other open source presentations along with my own content, 40 slides set to play at 20 seconds auto-timed (similar to Pecha-Kucha style timing). This was delivered via Caribbean Tech Dev forum's monthly Google Hangout in November 2015, and video can be viewed at https://www.youtube.com/watch?v=xANrsSin_-0
Dev opsec dockerimage_patch_n_lifecyclemanagement_kanedafromparis
Lors de cette présentation, nous allons dans un premier temps rappeler la spécificité de docker par rapport à une VM (PID, cgroups, etc) parler du système de layer et de la différence entre images et instances puis nous présenterons succinctement kubernetes.
Ensuite, nous présenterons un processus « standard » de propagation d’une version CI/CD (développement, préproduction, production) à travers les tags docker.
Enfin, nous parlerons des différents composants constituant une application docker (base-image, tooling, librairie, code).
Une fois cette introduction réalisée, nous parlerons du cycle de vie d’une application à travers ses phases de développement, BAU pour mettre en avant que les failles de sécurité en période de développement sont rapidement corrigées par de nouvelles releases, mais pas nécessairement en BAU où les releases sont plus rares. Nous parlerons des diverses solutions (jfrog Xray, clair, …) pour le suivie des automatique des CVE et l’automatisation des mises à jour. Enfin, nous ferons un bref retour d’expérience pour parler des difficultés rencontrées et des propositions d’organisation mises en oeuvre.
Cette présentation bien qu’illustrée par des implémentations techniques est principalement organisationnelle.
Flutter provides an excellent way to build Android, iOS, web and desktop apps, but what about the back end services? Full stack Dart is all about using that investment in Dart programming to build the services used by applications, whether it's in the cloud or on the Internet of Things. This presentation will look at the tradeoffs between just in time (JIT) and ahead of time (AOT) compilation, Dart on Docker, the Functions Framework for Dart, Profiling and Performance Management. Choices of back end architecture (x86_64 vs Arm) will also be examined, along with some of the challenges this can present for Continuous Delivery.
Kubernetes is designed to be an extensible system. But what is the vision for Kubernetes Extensibility? Do you know the difference between webhooks and cloud providers, or between CRI, CSI, and CNI? In this talk we will explore what extension points exist, how they have evolved, and how to use them to make the system do new and interesting things. We’ll give our vision for how they will probably evolve in the future, and talk about the sorts of things we expect the broader Kubernetes ecosystem to build with them.
Comparing Next-Generation Container Image Building ToolsAkihiro Suda
http://sched.co/EaYe
Until recently, running `docker build` against Dockerfile had been the only way to build container images.
However, lots of opensource software are being proposed as successors/alternatives to `docker build`:
- BuildKit (Moby Project / Docker)
- img (Jessica Frazelle / Microsoft)
- Buildah (Project Atomic / Red Hat)
- umoci & Orca (SUSE)
- Bazel (Google)
- OpenShift S2I (Red Hat)
Akihiro Suda compares these new tools' advantages and disadvantages.
His evaluation basis would include but not be limited to:
- Performance (Cache efficiency, Concurrency, Distributed Execution)
- Secret management, e.g. SSH and AWS keys
- Support for non-Dockerfile
- Non-root execution
- UI & UX
- Governance of the community
He also proposes a unified interface for using these tools with Kubernetes in a vendor-neutral way.
Kubernetes Basis: Pods, Deployments, and ServicesJian-Kai Wang
Kubernetes is a container management platform and empowers the scalability to the container. In this repository, we address the issues of how to use Kubernetes with real cases. We start from the basic objects in Kubernetes, Pods, deployments, and Services. This repository is also a tutorial for those with advanced containerization skills trying to step into the Kubernetes. We also provide several YAML examples for those looking for quickly deploying services. Please enjoy it and let's start the journey to Kubernetes.
Docker Athens: Docker Engine Evolution & Containerd Use CasesPhil Estes
These slides are from a talk presented at the Docker Athens meetup on Thursday, May 31, 2018. They start by covering the evolution of the Docker engine of 2014/2015 into the separate components of OCI runc, (now) CNCF containerd, and the Docker client and daemon projects. Finally, various use cases for the CNCF containerd "core container runtime" project are detailed, from the Docker engine itself to serverless frameworks like OpenWhisk, to the container runtime interface (CRI) within Kubernetes.
Whose Job Is It Anyway? Kubernetes, CRI, & Container RuntimesPhil Estes
A talk given at Cloud Native London meetup, February 6, 2018 on the role of container runtimes in Kubernetes, the introduction of the Container Runtime Interface (CRI), and the history of containerd and it's use as a CRI implementing container runtime for Kubernetes.
We open-sourced LinuxKit in April 2017 at DockerCon in Austin. In this session, we'll take a detailed look at some advanced topics of LinuxKit ranging from the general read-only filesystem setup, multi-arch image support for x86_64 and arm64, custom network configuration, and kernel debugging and testing.
Managing Container Clusters in OpenStack Native WayQiming Teng
This is a presentation from the OpenStack Austin Summit. It talks about managing containers in an OpenStack native way where containers are treated as first class citizens.
DockerCon 2019 took place in San Francisco, from April 29th to May 2nd.
Open Source @ Dockercon Summit took place Thursday, May 2nd.
Dockercon 2019 was a success with 5000+ participants. We are planning a recap Meetup to highlight overall announcements, new features & news from the event:,
- new CLI plugins announcement (docker app, docker buildx, docker pipeline etc);
- features of Docker Enterprise 3.0 ( assemble, template etc)
- takeaways; useful links, demos, tips and tricks and of course all videos from all the sessions
- cool stuff from the Open summit, like the powerful buildkit
- Demo: Multi-arch Docker Builds
Under this Meetup, we'll discuss news / new feature announcements during Dockercon and their implications for the ecosystem and end user. In addition to the DockerCon recap, we'll have the usual opportunities for networking and Q&A. We will look to answer any questions you have about Dockercon at this meetup.
We invite all of our members to come -- whether you're a beginner or an experienced user of containers. Don't forget to RSVP for this event so we can make sure we have plenty of place for everyone. Save the date for Docker Timisoara Meetup on May 23th @ CoWork The Garden!
Diving Through The Layers: Investigating runc, containerd, and the Docker eng...Phil Estes
A presentation given on Thursday, January 19th, 2017 at the Devops Remote Conf 2017. This talk details the history of the Docker engine architecture, focusing on the split in April 2016 into the containerd and runc layers, and talking through the December 2016 announcement of the *new containerd project and what it will bring for the Docker engine and other consumers.
In this video from the Blue Waters 2018 Symposium, Maxim Belkin presents a tutorial on Containers: Shifter and Singularity on Blue Waters.
Container solutions are a great way to seamlessly execute code on a variety of platforms. Not only they are used to abstract away from the software stack of the underlying operating system, they also enable reproducible computational research. In this mini-tutorial, I will review the process of working with Shifter and Singularity on Blue Waters.
Watch the video: https://wp.me/p3RLHQ-iXO
Learn more: https://bluewaters.ncsa.illinois.edu/blue-waters-symposium-2018
Sign up for our insideHPC Newsletter: http://insidehpc.com/newsletter
Il s’agit dans un premier temps de présenter Docker, ses cas d’usage et quelques bonnes pratiques d’utilisation.
Le but est de présenter Docker, son mode de fonctionnement et son écosystème.
Ce qu’il peut apporter et les pièges à éviter
https://github.com/kanedafromparis/prez-fabric8-dmp
Faster Container Image Distribution on a Variety of Tools with Lazy PullingKohei Tokunaga
Talked at KubeCon + CloudNativeCon North America 2021 Virtual about lazy pulling of container images with eStargz and nydus (October 14, 2021).
https://kccncna2021.sched.com/event/lV2a
Starting up Containers Super Fast With Lazy Pulling of ImagesKohei Tokunaga
Talked at Container Plumbing Days about speeding up container startup by lazy pulling images on Kubernetes, containerd, BuildKit, Podman and CRI-O with eStargz and zstd:chunked.
eStargz and Stargz Snapshotter: https://github.com/containerd/stargz-snapshotter
zstd:chunked proposal: https://github.com/containers/storage/pull/775
Patch set to enable lazy pulling on Podman and CRI-O (a.k.a. Additional Layer Store): https://github.com/containers/storage/pull/795
https://github.com/containerd/stargz-snapshotter/pull/281
Startup Containers in Lightning Speed with Lazy Image DistributionKohei Tokunaga
Talked about lazy container image distribution technologies including containerd + Stargz Snapshotter ( https://github.com/containerd/stargz-snapshotter ) at KubeCon+CloudNativeCon Europe 2020 Virtual.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
5. Copyright(c)2021 NTT Corp. All Rights Reserved
containerd
l CNCF graduated 5
l Docker Docker
l Kubernetes
https://github.com/containerd/containerd
l GKE AWS Fargate AKS(preview) IKS
l Docker/moby BuildKit k3c PouchContainer
l K8s k3s kind minikube kubespray microk8s
l FaaS faasd
https://sysdig.com/blog/sysdig-
2021-container-security-usage-report/
7. Copyright(c)2021 NTT Corp. All Rights Reserved
3 containerd
OCI
kubelet
CRI
OCI
containerd API
dockerd
OCI
containerd API
CRI Docker
8. Copyright(c)2021 NTT Corp. All Rights Reserved
1: Kubernetes CRI
kubectl apply
Pod
CRI
OCI
runc, gVisor, Kata Containers
OCI
apiserver
kubelet
CRI
pull/push
9. Copyright(c)2021 NTT Corp. All Rights Reserved
2: Docker
docker run
containerd
runc, gVisor, Kata Containers
OCI
containerd API
dockerd
pull/push
Docker API
10. Copyright(c)2021 NTT Corp. All Rights Reserved
3:
runc, gVisor, Kata Containers
OCI
l Docker
l containerd
l containerd containerd
l containerd
containerd API
BuildKit faasd
Pouch
Container
nerdctl
12. Copyright(c)2021 NTT Corp. All Rights Reserved
OS
plugins
containerd
l
l
lDocker BuildKit
l unix socket
containerd API CRI
• /run/containred/containerd.sock
l OCI
• OCI Firecracker
l containerd
container image tasks
namespace
leases version
introspection
events diff
Server
runtimes
) () 2
CRI
Client
containerd
API
Kubelet
4 .1
13. Copyright(c)2021 NTT Corp. All Rights Reserved
OS
container image tasks
namespace
leases version
introspection
events diff
containerd API
l Smart Client
l containerd API
l
l pull/push
l
l OCI config
l
Go
containerd
container image …
namespace
leases content
snapshots
events tasks
OCI spec
Server
plugins runtimes
API
14. Copyright(c)2021 NTT Corp. All Rights Reserved
OS
Container
ctr: https://github.com/containerd/containerd
l containerd contianerd
CLI
l containerd API
nerdctl: https://github.com/AkihiroSuda/nerdctl
l Docker containerd CLI by Akihiro Suda, NTT
l Docker
l Lazy pulling containerd
containerd
containerd
l Docker BuildKit faasd Pouch Container
container image tasks
namespace
leases version
introspection
events diff
Server
plugins runtimes
ctr, nerdctl, Docker, etc
containerd
API
Client lib
crictl: https://github.com/kubernetes-sigs/cri-tools
l Kubernetes sig-node CRI
CLI containerd API
l Server CRI
15. Copyright(c)2021 NTT Corp. All Rights Reserved
containerd
l
•
l unix socket API
l /run/containerd/containerd.sock
l
• API Go plugin
•
Ø containerd
container image tasks
namespace
leases version
snapshots
CRI tasks
container image tasks
namespace
leases version
introspection
events diff
OCI spec
Client
OS
plugins
shim
OCI
16. Copyright(c)2021 NTT Corp. All Rights Reserved
containerd
container image …
namespace
leases content
snapshots
CRI tasks
Metadata store
OS
l
• API
l persistent
metadata store (bbolt;
https://github.com/etcd-io/bbolt)
l CRI
•
Ø
• Pod
CNI
shim
OCI
CRI
17. Copyright(c)2021 NTT Corp. All Rights Reserved
OS
containerd
Content store
l pull
l
Snapshotter
l
“snapshot”
l snapshot rootfs
l snapshotter
Overlayfs btrfs aufs FUSE…
Runtime shim OCI
l V2 shim
container image …
namespace
leases content
snapshots
CRI tasks
C
o
n
t
e
n
t
s
t
o
r
e
S
n
a
p
s
h
o
t
t
e
r
R
u
n
t
i
m
e
Content store snapshotter containerd
Docker Graph Driver
18. Copyright(c)2021 NTT Corp. All Rights Reserved
OS
containerd
containerd ”tightly scoped”
l unix socket
gRPC API containerd
l Go plugin
l containerd API
l
container image …
namespace
leases content
snapshots
CRI tasks
shim
OCI
l Proxy content store
IPFS
l Proxy snapshotter rootfs
lazy pulling
l Stream processor
l V2 shim OCI
Kata
s
h
i
m
19. Copyright(c)2021 NTT Corp. All Rights Reserved
containerd
firecracker-containerd https://github.com/firecracker-microvm/firecracker-containerd
l AWS Firecracker microVM containerd
l Snapshotter v2 runtime microVM API control API
Stargz Snapshotter https://github.com/containerd/stargz-snapshotter
l containerd non-core subproject
l eStargz lazy pulling snapshotter ”remote” snapshotter
imgcrypt https://github.com/containerd/imgcrypt
l containerd non-core subproject
l stream processor
OCI runtime V2 runtime
l Kata Containers
21. Copyright(c)2021 NTT Corp. All Rights Reserved
containerd 1.4.x
Lazy pulling: https://github.com/containerd/containerd/pull/3793
l pull
l Stargz Snapshotter https://github.com/containerd/stargz-snapshotter proxy snapshotter
OCI eStargz lazy pull
0 5 10 15 20 25 30 35 40 45
estargz
estargz-noopt
legacy
Start up time of python:3.7 (print “hello”)
pull create run
Host: EC2 Oregon (m5.2xlarge, Ubuntu 20.04)
Registry: GitHub Container Registry (ghcr.io)
Commit 7f45f74
(See detailed info in the later slides)
[sec]
Cgroups v2 : https://github.com/containerd/containerd/issues/3726
l Fedora (> 31) cgroup v2 containerd
l cgroup rootless docker
--pids-limit Docker 20.10
SELinux MCS (CRI): https://github.com/containerd/cri/pull/1487
l CRI SELinux MCS Multi Category Security
Pod
l Pod Pod
22. Copyright(c)2021 NTT Corp. All Rights Reserved
Stargz Snapshotter lazy pulling
l containerd non-core
l OCI eStargz lazy pulling proxy snapshotter
• pull
Kubernetes
l Prefetch content verification
l Kaniko, go-containerregistry, ko, nerdctl eStargz
Stargz
Snapshotter
rootfs FUSE
Lazy
pull
eStargz
pull
https://github.com/containerd/stargz-snapshotter
https://www.slideshare.net/KoheiTokunaga/stargz-snapshotter-pullcontainerd-238429575
2 ” Stargz Snapshotter: pull containerd ”. CNDT2020
23. Copyright(c)2021 NTT Corp. All Rights Reserved
containerd
l ctr containerd containerd
l nerdctl https://github.com/AkihiroSuda/nerdctl Docker
NRI(Node Resource Interface) (1.5 ): https://github.com/containerd/nri
l CNI
l CNI NW NRI cgroup namespace path
CPU pinning
Sandbox API: https://github.com/containerd/containerd/issues/4131
l containerd API Pod
Overlayfs volatile option: https://github.com/containerd/containerd/pull/4785
l Overlayfs volatile option (Linux 5.10) upper dir sync
Higher level API: CRI v2 embedded kubelet build
l containerd API
24. Copyright(c)2021 NTT Corp. All Rights Reserved
plugins
shim
OCI
C
o
n
t
e
n
t
s
t
o
r
e
S
n
a
p
s
h
o
t
t
e
r
R
u
n
t
i
m
e
container image tasks
namespac
e leases version
snapshots
CRI tasks
container image …
namespac
e leases content
snapshots
events tasks
OCI spec
API
Metadata store
Contained
l Kubernetes CRI
l Docker
l
containerd
l
l smart client
l
containerd
l Lazy pulling cgroup v2
l
(
)