
Containers: The What, Why, and How

1,767 views

Published on

In this presentation, I will be presenting the what, why, and how of containers at the Digital Ocean in Hyderabad.

Published in: Engineering

Containers: The What, Why, and How

  1. @snehainguva
  2. digitalocean.com
     containers: the what, why, and how
  3. about me: software engineer @DigitalOcean, delivery team (kubernetes, prometheus, terraform)
  4. (image slide)
  5. the plan:
     ● Build your own container
     ● Containers vs. VMs
     ● Container ecosystem
  6. what is a container?
  7. what is a container?
     “a lightweight OS-level virtualization method”
     “stand-alone piece of executable software”
     “NOT a virtual machine”
  8. build your own container
     1. run input commands with arguments
     2. add hostname limitations
     3. add process ID limitations
     4. add mount point/filesystem limitations
  9. let’s start with a basic “container”

     package main

     import (
         "fmt"
         "os"
         "os/exec"
     )

     func main() {
         switch os.Args[1] {
         case "run":
             run()
         default:
             panic("what?")
         }
     }

     // run executes the command given on the command line as an ordinary
     // child process: no isolation yet, it only wires up stdin/stdout/stderr.
     func run() {
         fmt.Printf("running %v\n", os.Args[2:])
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         must(cmd.Run())
     }

     func must(err error) {
         if err != nil {
             panic(err)
         }
     }

  10. let’s start with a basic “container”
  11. let’s start with a basic “container”
  12. how can we restrict hostname access?
  13. namespaces!!!
  14. UTS namespace

     // add "syscall" to the imports
     func run() {
         fmt.Printf("running %v\n", os.Args[2:])
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         // CLONE_NEWUTS gives the child its own hostname and domain name
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS,
         }
         must(cmd.Run())
     }

  15. what about PID access?
  16. UTS + PID namespace: attempt 1

     func run() {
         fmt.Printf("running %v\n", os.Args[2:])
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         // CLONE_NEWPID: the child becomes PID 1 of a new PID namespace
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID,
         }
         must(cmd.Run())
     }

  17. UTS + PID namespace: attempt 2

     // main's switch also needs: case "child": child()
     func run() {
         // re-execute this binary as "child" inside the new namespaces
         cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID,
         }
         must(cmd.Run())
     }

     // child already runs inside the namespaces, so os.Getpid() reports 1
     func child() {
         fmt.Printf("running %v as pid %d\n", os.Args[2:], os.Getpid())
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         must(cmd.Run())
     }

  18. UTS + PID namespace: attempt 2
  19. UTS + PID + MNT namespace: attempt 1

     func run() {
         cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...) // link to currently running process
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         // CLONE_NEWNS: a new mount namespace
         cmd.SysProcAttr = &syscall.SysProcAttr{
             Cloneflags: syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWNS,
         }
         must(cmd.Run())
     }

  20. UTS + PID + MNT namespace: attempt 1
     Initial mounts in the MNT namespace are inherited from the creating namespace → filesystem is the same as the host's.
  21. next step: UTS + PID + MNT namespace + new root filesystem example

     func child() {
         fmt.Printf("running %v as pid %d\n", os.Args[2:], os.Getpid())
         cmd := exec.Command(os.Args[2], os.Args[3:]...)
         cmd.Stdin = os.Stdin
         cmd.Stderr = os.Stderr
         cmd.Stdout = os.Stdout
         // switch to a separate root filesystem, then mount proc inside the new
         // PID namespace so tools like ps see only the container's processes
         must(syscall.Chroot("/home/rootfs"))
         must(os.Chdir("/"))
         must(syscall.Mount("proc", "proc", "proc", 0, ""))
         must(cmd.Run())
     }

     TODO
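The four build-your-own-container steps above (run a command, UTS, PID and MNT namespaces, new root filesystem), put together into one program. This is an added example and not the talk's demo code: it adds a cloneFlags helper that maps namespace names to CLONE_* bits (testable without root), marks the mount tree private before mounting proc so the mount cannot propagate back to the host, sets the hostname in the new UTS namespace, and unmounts proc on the way out. The rootfs path /home/rootfs is the one on the slide; the ROOTFS environment variable override and the hostname "container" are assumptions. Running it needs Linux, root, and a populated root filesystem.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// rootfs is the directory used as the container's root; the slides use
// /home/rootfs, and ROOTFS (an assumed environment variable) can override it.
func rootfs() string {
	if p := os.Getenv("ROOTFS"); p != "" {
		return p
	}
	return "/home/rootfs"
}

// cloneFlags turns namespace names into the CLONE_* bits handed to the kernel
// via SysProcAttr. It is a pure function, so it can be unit-tested without root.
func cloneFlags(names []string) (uintptr, error) {
	table := map[string]uintptr{
		"uts":  syscall.CLONE_NEWUTS,
		"pid":  syscall.CLONE_NEWPID,
		"mnt":  syscall.CLONE_NEWNS,
		"net":  syscall.CLONE_NEWNET,
		"ipc":  syscall.CLONE_NEWIPC,
		"user": syscall.CLONE_NEWUSER,
	}
	var flags uintptr
	for _, n := range names {
		bit, ok := table[strings.ToLower(n)]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", n)
		}
		flags |= bit
	}
	return flags, nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: container run <cmd> [args...]")
		os.Exit(2)
	}
	switch os.Args[1] {
	case "run":
		run()
	case "child":
		child()
	default:
		panic("what?")
	}
}

// run re-executes this binary as "child" inside fresh UTS, PID and mount
// namespaces; the child then does the setup that must happen inside them.
func run() {
	flags, err := cloneFlags([]string{"uts", "pid", "mnt"})
	must(err)
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[2:]...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: flags}
	must(cmd.Run())
}

// child runs as PID 1 of the new PID namespace.
func child() {
	fmt.Printf("running %v as pid %d\n", os.Args[2:], os.Getpid())
	// A new mount namespace inherits the host's mount table and, on systemd
	// hosts, shared propagation: mark everything private first so the proc
	// mount below stays inside this namespace instead of appearing on the host.
	must(syscall.Mount("", "/", "", syscall.MS_PRIVATE|syscall.MS_REC, ""))
	// Only affects the new UTS namespace, not the host's hostname.
	must(syscall.Sethostname([]byte("container")))
	must(syscall.Chroot(rootfs()))
	must(os.Chdir("/"))
	// /proc must be mounted inside the new PID namespace for ps to show the
	// container's own view of processes; it is unmounted again on the way out.
	must(syscall.Mount("proc", "proc", "proc", 0, ""))
	defer syscall.Unmount("proc", 0)
	cmd := exec.Command(os.Args[2], os.Args[3:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	must(cmd.Run())
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

Usage: build the binary and run it as root with `./container run /bin/sh`. Note that chroot on its own is not a security boundary; production runtimes switch root with pivot_root and additionally drop capabilities and apply seccomp filters, so treat this program as a teaching model of the kernel features, not as isolation to rely on.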
  22. what is a container?
     process with isolation, shared resources, and layered filesystems
  23. what is a container?
     namespace: linux kernel feature that isolates and virtualizes system resources for a collection of processes and their children
     ● PID: gives the process its own view of a subset of system processes. ✔
     ● MNT: gives the process its own mount table and allows it to have its own filesystem ✔
     ● NET: gives the process its own network stack. (A container can have virtual ethernet pairs to link to the host or to other containers.)
     ● UTS: gives the process its own view of the system hostname and domain name ✔
     ● IPC: isolates inter-process communication (e.g. message queues)
     ● USER: newest namespace; maps process UIDs to a different set of UIDs on the host (can map the container's root UID to an unprivileged UID on the host)
  24. what is a container?
     cgroups: control groups collect a set of process/task IDs together and apply limits, such as on resource utilization
     ● Enforce fair/unfair resource sharing between processes
     ● Exposed by the kernel as a special filesystem to mount
     ● Add a process or thread by writing its ID to the tasks file; read/configure values by editing files in the group's subdirectory
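The cgroup slide describes the interface but shows no code. The following is an added example, not from the talk, of that interface in the cgroup v1 layout it describes: the memory controller is a directory under the cgroup mount, the limit is a file (memory.limit_in_bytes), and a process joins by having its PID written to the tasks file. All paths take the mount root as a parameter, so the demo in main runs against a temporary directory without root; pointing root at /sys/fs/cgroup and running as root applies the same writes to the kernel. The group name "democontainer" and the PIDs in main are constructed values.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// cgroupRoot is where the kernel's cgroup filesystem is normally mounted.
// Everything below takes the root as a parameter so a temporary directory
// can stand in for it when there is no root access.
const cgroupRoot = "/sys/fs/cgroup"

// memoryCgroup is one group in the cgroup v1 "memory" hierarchy.
type memoryCgroup struct {
	root string
	name string
}

func (c memoryCgroup) dir() string {
	return filepath.Join(c.root, "memory", c.name)
}

// create makes the group's directory. On a real cgroup mount the kernel
// populates the control files itself; in a plain directory they are created
// by the writers below.
func (c memoryCgroup) create() error {
	return os.MkdirAll(c.dir(), 0o755)
}

// setLimit writes the memory ceiling; the kernel reclaims from or kills tasks
// in the group that exceed it, which bounds what a runaway container can take.
func (c memoryCgroup) setLimit(bytes int64) error {
	p := filepath.Join(c.dir(), "memory.limit_in_bytes")
	return os.WriteFile(p, []byte(strconv.FormatInt(bytes, 10)+"\n"), 0o644)
}

// addPID moves a process into the group by writing its PID to "tasks".
func (c memoryCgroup) addPID(pid int) error {
	p := filepath.Join(c.dir(), "tasks")
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = fmt.Fprintf(f, "%d\n", pid)
	return err
}

// limit reads the configured ceiling back.
func (c memoryCgroup) limit() (int64, error) {
	b, err := os.ReadFile(filepath.Join(c.dir(), "memory.limit_in_bytes"))
	if err != nil {
		return 0, err
	}
	return strconv.ParseInt(strings.TrimSpace(string(b)), 10, 64)
}

// pids lists the tasks currently in the group.
func (c memoryCgroup) pids() ([]int, error) {
	f, err := os.Open(filepath.Join(c.dir(), "tasks"))
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var out []int
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		pid, err := strconv.Atoi(line)
		if err != nil {
			return nil, fmt.Errorf("bad pid %q in tasks: %w", line, err)
		}
		out = append(out, pid)
	}
	return out, sc.Err()
}

func main() {
	// Stand-alone demo against a temporary directory; use cgroupRoot as the
	// root and run as root to apply the same writes to a real process.
	root, err := os.MkdirTemp("", "cgroup-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	cg := memoryCgroup{root: root, name: "democontainer"} // constructed name
	for _, e := range []error{cg.create(), cg.setLimit(100 << 20), cg.addPID(1234)} {
		if e != nil {
			panic(e)
		}
	}
	lim, _ := cg.limit()
	ps, _ := cg.pids()
	fmt.Printf("limit=%d bytes, tasks=%v (cgroup root %s)\n", lim, ps, root)
}
```

On a real mount the kernel rounds memory.limit_in_bytes to a page multiple, so the value read back can differ slightly from the one written. Hosts on cgroup v2 use a single unified hierarchy instead: membership goes through cgroup.procs and the memory ceiling is memory.max, so the file names in this helper are the v1 ones the slide describes.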
  25. what is a container?
     layered filesystems: optimal way to make a copy of the root filesystem for each container
     ● one of the reasons why it is easy to move containers around
     ● can “copy on write” (btrfs)
     ● can use “union mounts” (aufs, OverlayFS): a way of combining multiple directories
  26. Containers vs. VMs
  27. containers vs. VMs
     Source: http://electronicdesign.com/dev-tools/what-s-difference-between-containers-and-virtual-machines
  28. vms
     ● Hypervisors run software on physical servers to emulate a particular hardware system (aka a virtual machine)
     ● A VM runs a full copy of the operating system (OS)
     ● Hardware is also virtualized
     ● Can run multiple applications
     containers
     ● Run an isolated process on a single server or host operating system (OS)
     ● Can migrate only to servers with compatible OS kernels
     ● Best for a single application
  29. container ecosystem
     ● Container runtime
     ● Orchestration tools
     ● As-a-service
  30. containers
     Source: https://docs.docker.com/engine/understanding-docker/ https://coreos.com/rkt/docs/latest/rkt-vs-other-projects.html#rkt-vs-docker
  31. container orchestration
     Source: https://github.com/nkhare/container-orchestration/blob/master/kubernetes/README.md
  32. ___ as-a-service: container service, managed clusters, etc.
     Source: https://coreos.com/tectonic/
  33. sources
     ● What is a Container, Really?, Liz Rice
     ● Building a Container in Less than a 100 Lines of Go, Julien Friedman
     ● My demo code
