Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 28

Let's Try Every CRI Runtime Available for Kubernetes

May. 23, 2019
8 likes 11,484 views

8

Share

Download to read offline

Software

A talk given at KubeCon/CloudNativeCon EU in Barcelona, Spain on May 23, 2019. In this talk Phil presented the explosion of OCI-compliant CRI-enabled runtimes that can be used underneath Kubernetes, and demonstrated several of them live.

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(3/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Blog, Inc.: Blogging for Passion, Profit, and to Create Community Joy Deangdeelert Cho
(3.5/5)
Free
What Video Games Have to Teach Us About Learning and Literacy. Second Edition James Paul Gee
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Tom Griffiths
(4.5/5)
Free
Kill All Normies: Online Culture Wars From 4Chan And Tumblr To Trump And The Alt-Right Angela Nagle
(4/5)
Free
The Art of Social Media: Power Tips for Power Users Guy Kawasaki
(4/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(3.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community that Will Listen Kristen Meinzer
(4.5/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
Once Upon an Algorithm: How Stories Explain Computing Martin Erwig
(4/5)
Free

Let's Try Every CRI Runtime Available for Kubernetes

  1. 1. Let’s Try Every CRI Runtime Available for Kubernetes Phil Estes, Distinguished Engineer IBM Cloud
  2. 2. Background: OCI @estesp OCI specifications Linux kernel Windows kernel Container registries Container runtimes Docker, containerd, cri-o, Kata, Firecracker, gVisor, Nabla, Singularity, ... DockerHub, OSS distribution project, Cloud registries, JFrog, ...
  3. 3. Background: CRI @estesp
  4. 4. K8s and CRI Responsibilities @estesp Kubernetes Container Runtime CRI ▧ K8s API ▧ Storage ▧ Networking (CNI) ▧ Healthchecks ▧ Placement ▧ Custom resources ▧ Pod container lifecycle ○ Start/stop/delete ▧ Image management ○ Pull/status ▧ Status ▧ Container interactions ○ attach, exec, ports, log
  5. 5. Background: CRI Runtimes @estesp kubelet dockershim dockerd kubelet cri-containerd containerd kubelet cri-o runc kubelet containerd Kata Firecracker kubelet --container-runtime {string} --container-runtime-endpoint {string} kubelet singularity-cri singularity
  6. 6. Caveats @estesp What I don’t have time to cover/demo... ▧ Windows containers & runtimes ▧ rkt (CNCF) ▧ Virtual Kubelet (CRI implementation) ▧ Nabla containers (IBM)
  7. 7. Caveats @estesp EXPECTATION REALITY
  8. 8. Setup GKE 2-node Docker Docker IKS 3-node containerd containerd containerd IBM Cloud BMI containerd Firecracker Kata gVisorSingle node VM cri-o IBM Cloud VSI cri-o cri-o cri-o okd 3-node @estesp
  9. 9. Docker @estesp
  10. 10. Docker @estesp ● Most common, original runtime for Kubernetes clusters ● Simplifies tooling for mixed use cluster node (e.g. applications relying on `docker …` commands “just work” ● Docker Enterprise customers get support and multi-orchestrator support (swarm + K8s in same cluster) ● “More than enough” engine for Kubernetes ● Concerns over mismatch/lack of release sync between Docker releases and Kubernetes releases (e.g. “certified” engine version) ● Extra memory/CPU use due to extra layer (docker->ctr->runc)
  11. 11. Containerd @estesp
  12. 12. Containerd @estesp ● Used in GKE (Google), IKS (IBM), & Alibaba public clouds ● Significant hardening/testing by nature of use in every Docker installation (tens of millions of engines) ● Lower memory/CPU use; clean API for extensibility/embedding ● No Docker API socket (tools/vendor support) ● Still growing in maturity/use ● Windows support in flight; soon at parity with Docker engine
  13. 13. CRI-O @estesp
  14. 14. CRI-O @estesp ● Used in RH OpenShift; SuSE CaaS; other customers/uses ● “all the runtime Kubernetes needs and nothing more” ● UNIX perspective on separating concerns (client, registry interactions, build) ● Not consumable apart from RH tools (design choice) ● Use/installation on non-RH distros can be complicated ● Extensibility limited (e.g. proposal from Kata to add containerd shim API to cri-o)
  15. 15. Sandboxes + RuntimeClass @estesp
  16. 16. Containerd v2 Shim API @estesp
  17. 17. Kata Containers @estesp
  18. 18. Kata Containers @estesp ● Lightweight virtualization via Intel Clear Containers + Hyper.sh predecessors ● Implemented via KVM/qemu-based VM isolation ● Works with Docker, cri-o, & containerd ● Solid and maturing project with Intel and others leading; governance under OpenStack Foundation ● Have added ability to drive Firecracker VMM as well ● Supports ARM, x86_64, AMD64, and IBM p and zSeries
  19. 19. AWS Firecracker @estesp
  20. 20. AWS Firecracker @estesp ● Lightweight virtualization via Rust-written VMM, originating from Google’s crosvm project; target serverless/functions area ● Open Sourced by Amazon in November 2018 ● Works standalone via API or via containerd ● cgroup + seccomp “jailer” to tighten down kernel access ● Integrated with containerd via shim and external snapshotter implementation ● Quickly moving & young project; packaging and delivery still in flux and requires quite a few manual steps today
  21. 21. gVisor @estesp
  22. 22. gVisor @estesp ● A kernel-in-userspace concept from Google; written in Golang ● Used in concert with GKE; for example with Google Cloud Run for increased isolation/security boundary ● Works standalone (OCI runc replacement) or via containerd shim implementation ● Reduced syscalls used against “real kernel”; applications run against gVisor syscall implementations ● Limited functionality; some applications may not work if syscall not implemented in gVisor ● Syscall overhead, network performance impacted (ref: KVM mode)
  23. 23. Singularity @estesp
  24. 24. Singularity @estesp ● An HPC/academic community focused container runtime ● Initially not implementing OCI, now has OCI compliant mode ● To meet HPC use model; not daemon-based, low privilege, user-oriented runtime (e.g. HPC end user workload scheduling) ● Sylabs, creator of Singularity have recently written a CRI implementation that drives Singularity runtime ● Uses OCI compliant mode; converts images to SIF, however ● Focused solely on the academic/HPC use case
  25. 25. Nabla @estesp
  26. 26. Nabla @estesp ● IBM Research created open source sandbox runtime ● Uses highly limited seccomp profile + unikernel implementation ● Similar to gVisor, but instead of user-mode kernel, uses unikernel+application approach ● Currently requires building images against special set of unikernel-linked runtimes (Node, Python, Java, etc.) ● IBM Research pursuing ways to remove this limitation; only runtime which doesn’t allow generic use of any container image
  27. 27. Summary @estesp ● OCI specs (runtime, image, distribution) have enabled a common underpinning for innovation that maintains interoperability ● CRI has enabled a “pluggable” model for container runtimes underneath Kubernetes ● Options are growing; most innovation is around sandboxes and enabled for easier use with RuntimeClass in K8s

×