This deck was used during Engage User Group to update people on recent Linux developments, as well as the changes coming with Kubernetes and container-based workloads. The target audience was container newbies.
1. Linux, 'Docker' and Kubernetes - changing the perspective
Christian Holsing
Senior Product Manager – SLES for SAP Applications
Christian.Holsing@suse.com
2.
What I do these days
● Product managing SUSE distribution for SAP Applications
(SLES for SAP Applications), owning 75% of all Linux based
SAP installations
– New SAP tooling for clients
– CSP deployments and partners
– Deployment automation through SALT (and Ansible)
● Enablement of new technologies
– Intel Optane DCPMM
● Drive Container technology into SAP deployments
– SAP DataHub
● Worrying about mission critical systems and associated
requirements
5.
In the beginning ...
… was „the Box“.
SUSE services
● production („compile“)
● Assemble
● Documentation
● Sales
● Training
● Support
6.
Enterprise Linux
● from 1999 – Industry partnerships
● 2000-10-31 first Enterprise Linux
SuSE Linux Enterprise Server for S/390
● 2001
SuSE Linux Enterprise Server for 32bit „PC“
● 2003
64bit „PC“ architecture (x86-64)
● 2006
Xen Open Source Virtualization
● 2012
Linux Container Support
...
● 2016
Support of 64bit ARM architecture
7.
From Unix to Linux (Unix to Linux)
Questions
● Is Linux capable of handling typical UNIX “mission critical” workloads?
● Does Linux scale sufficiently?
● What is missing?
Timing
● In discussion since 2000
● Strong impulse since 2008 / 2009
Today
● Linux is dominating
10.
How big is the largest Enterprise Linux System?
A. RAM: 1 GiB, Cores: 4
B. RAM: 64 GiB, Cores: 64
C. RAM: 1 TiB, Cores: 1024
D. RAM: 64 TiB, Cores: 4096
11.
How big is the largest Enterprise Linux System?
A. RAM: 1 GiB, Cores: 4
B. RAM: 64 GiB, Cores: 64
C. RAM: 1 TiB, Cores: 1024
D. RAM: 64 TiB, Cores: 4096
12.
How small is the smallest Enterprise Linux System?
A. RAM: 1 GiB, Cores: 4
B. RAM: 64 GiB, Cores: 64
C. RAM: 1 TiB, Cores: 1024
D. RAM: 64 TiB, Cores: 4096
13.
How small is the smallest Enterprise Linux System?
A. RAM: 1 GiB, Cores: 4
B. RAM: 64 GiB, Cores: 64
C. RAM: 1 TiB, Cores: 1024
D. RAM: 64 TiB, Cores: 4096
15.
openSUSE Leap
● Tumbleweed: >8000 Packages, Community Developed, Rolling Updates, Rolling Base System
● openSUSE Leap: Over 6000 Packages, Community Developed, Stable Base System, Regular Updates
● SUSE® Linux Enterprise: Enterprise Packages, SUSE Developed, Stable Base System, Regular Updates
● Shared Core
16.
Upstream first!?
● Code changes are first shared with the larger open source communities
● Advantages
– Peer-Review
– Seek the best possible outcome
– Faster improvements (collective intelligence)
– Long-term maintainability and stability of interfaces
● Challenges
– Differentiation not (only) possible through code and features
→ competition through
– Services
– Reassembly of function
19.
How do containers apply to me?
● Running applications?
● Providing services?
● …?
20.
The two brains of IT
● Mode 1
– Waterfall, ITIL
– Conventional Projects
– Long-cycle Times (months)
– Reliability
● Mode 2
– Agile, DevOps
– New & Uncertain Projects
– Short Cycle (days, weeks)
– Agility
21.
45% of organizations claim to have some
form of bimodal capability today.
Traditional IT
Mode 1
Agile IT
Mode 2
Two Worlds of IT Need a Bridge
22.
Challenges in Context of Containers
Developers
Frequent releases vs. staged
production schedule.
“It works on my machine.”
• Manage growing services
• Reliability and uptime of new
applications
• Time to market
• Efficiency
New features;
Faster please!
Operations
24.
OS-level or application virtualization with Linux Containers (LXC) and
container engine. Support for Windows Subsystem for Linux (WSL).
Containers
25.
What are containers – two views
● Operations
– Components of Linux kernel and OS
– Image format, specific tools
– Isolation
– High density
– Smaller, lighter, faster
– Orchestration, management
● Applications
– Packaging
– Share easily
– Easily extensible
– Scale up/down
– Self-contained
– Micro-services
26.
Linux Containers
• System containers
– Full system in the container (no kernel)
– libvirt-lxc
• Application containers
– One process per container
– Docker, podman, ...
– Rich ecosystem
28.
Advantages of Linux Containers
Lightweight virtualization solution
● Isolated from the other processes
● 1 kernel to rule them all
● Normal I/O
● Dynamic changes possible without reboot
● Nested virtualization is not a problem
● No boot time or very short one
Isolate services (e.g. web server, ftp, …)
Much more (see further)
...
29.
Linux Containers – Limitations
They cannot run a different OS/architecture
● Cannot run Windows containers on Linux
Risk of escaping from containers
● Solution: user namespaces
Shared kernel with the host
● Kernel vulnerabilities reachable through syscalls can be exploited from within the container
● Solution: seccomp2
Security measures
● Patch, don’t use root, kernel capabilities, confinement
● Use VMs
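An added example, not part of the original deck: a Python check that reports which of the measures listed on this slide (non-root user, user namespace remap, reduced kernel capabilities, seccomp filter) are missing, using constructed samples in the layout of /proc/self/status and /proc/self/uid_map as read inside a container. The function names, sample values and the set of capabilities flagged are assumptions made for illustration.

```python
# Added example (not from the deck). All four samples are constructed and follow
# the layout of /proc/self/status and /proc/self/uid_map as read inside a container.
WEAK_STATUS = "Name:\tapp\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"
WEAK_UID_MAP = "         0          0 4294967295\n"     # identity map
HARDENED_STATUS = "Name:\tapp\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\nSeccomp:\t2\n"
HARDENED_UID_MAP = "         0     100000      65536\n"  # container uid 0 -> host uid 100000

# Bit positions from linux/capability.h; this selection is an assumption of the example.
RISKY_CAPS = {16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

def parse_status(text):
    """Parse 'Key:<tab>value' lines of a /proc status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def root_is_host_root(uid_map_text):
    """True if uid 0 inside the namespace maps to uid 0 outside it."""
    for line in uid_map_text.splitlines():
        inside, outside, length = (int(x) for x in line.split())
        if inside <= 0 < inside + length:
            return outside - inside == 0
    return False  # uid 0 is not mapped at all

def audit(status_text, uid_map_text):
    """Return findings for: root user, user namespace, capabilities, seccomp."""
    st = parse_status(status_text)
    findings = []
    euid = int(st["Uid"].split()[1])  # field order: real, effective, saved, fs
    if euid == 0:
        findings.append("process runs as root inside the container")
    if root_is_host_root(uid_map_text):
        findings.append("no user namespace remap: container uid 0 is host uid 0")
    cap_eff = int(st["CapEff"], 16)   # effective capability set as a hex bitmask
    held = [name for bit, name in sorted(RISKY_CAPS.items()) if cap_eff >> bit & 1]
    if held:
        findings.append("risky capabilities: " + ", ".join(held))
    if int(st.get("Seccomp", "0")) == 0:  # 0 disabled, 1 strict, 2 filter
        findings.append("seccomp is disabled")
    return findings

if __name__ == "__main__":
    for name, s, m in (("weak", WEAK_STATUS, WEAK_UID_MAP), ("hardened", HARDENED_STATUS, HARDENED_UID_MAP)):
        print(name, audit(s, m) or "no findings")
```

On a live system the same functions can be fed the contents of /proc/self/status and /proc/self/uid_map read from within the container.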
33.
Containers are standardized
• OCI runtime specification:
– Defines container runtime (API, data structures, …)
– How to start/stop/... containers
– OCI provides a reference implementation: runC
• OCI image format specification:
– Defines how a container image is structured
• Result:
– Avoid vendor lock-in
– Avoid fragmentation
– Containers are truly portable
– Foster innovation
34.
Pre-built images
• Docker Hub
– Community, handle with care!
• SUSE Registry (registry.suse.com)
– Enterprise contents, secure, verified, signed
– SUSE Products (CaaS Platform, Cloud Application Platform, …)
– What used to be in SLES Containers module (e.g.: Portus)
35.
New world, old problems
• Pulling images from an external registry can be expensive (time, bandwidth)
• Pulling isn’t even possible in some scenarios (air-gapped environments)
• The same applies to helm charts
• RPM world had the same problems: solved with tools like SMT (more
recently RMT)
Editor's Notes
Minimize planned and unplanned downtime; help meet Service Level Agreements (SLAs)
Protect your mission-critical workloads
In many senses SUSE engineering provides a research organization to the world, and everything we do - whether it’s working on snapshot technologies in BTRFS, developing Live Kernel Patching or HA for OpenStack – everything we do goes straight into the community projects *first*, rather than keeping new ideas to ourselves & then only releasing them to the community after our product is available.
It’s also only through this kind of openness with the development community that you build the level of trust needed to have long-term success in the open source world.
We also sponsor & participate in a wide range of oversight and steering groups, including important bodies and boards of many of those projects.
Lastly, with our contribution, we’re helping drive innovation in areas that help our customers but also the broader ecosystem.
[transition] So, how does SUSE deliver value to you?
Namespaces: provide isolation
Cgroups: limit host resources access