DockerCon 2014: Thoughts on interoperable containers

Docker is driving the popularization of Linux containers, but there are many different container managers out there, such as LXC and lmctfy. Not to mention different PaaS being built on top of these technologies. How great would it be if applications were portable to all (or most of) those different providers and container managers with little or no effort? This talk will discuss some ideas of what needs to be done for it to happen and what the community can do to help.


  1. interoperable containers Fabio Kung fabio@heroku.com https://www.flickr.com/photos/usnavy/8612337045
  2. Please don't continue. Go see this instead: http://fabiokung.com/2014/06/11/my-dockercon-2014-talk
  3. Fabio, Runtime Systems at I run linux containers.
  4. http://12factor.net
  5. “write once, run everywhere” – Sun Microsystems (?)
  6. “write once, debug everywhere” – (?)
  7. https://www.flickr.com/photos/tjblackwell/3545764529
  8. Developers want apps... https://www.flickr.com/photos/cyol/7642566946
  9. PaaS wants scale... https://www.flickr.com/photos/johngarghan/3401814659
  10. Docker wants... docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/
  11. PaaS You docker lxc lmctfy ... background: https://www.flickr.com/photos/jdhancock/12397433023
  12. Containers https://www.flickr.com/photos/joshua/433354324
  13. “trying to make Docker secure for multi-tenant scenarios is a can of worms” – darren0, at #docker-dev
  14. 1 vs 1M https://www.flickr.com/photos/enerva/9068467267
  15. Root https://www.flickr.com/photos/ashleyrosex/2861690380
  16. apt-get install …
  17. vi /etc/…
  18. mount -t fancy …
  19. modprobe something
  20. iptables -A INPUT …
  21. kernelspace abuse https://www.flickr.com/photos/erlendaasland/4107345124
  22. User Namespaces Unprivileged Containers https://www.flickr.com/photos/ntr23/730371240
  23. “(…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)” – Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces”, LWN.net
  24. C:

      ```c
      if (getuid() == 0) {
          // do root stuff
      }
      ```
  25. just don't run as root?
  26. also SUID
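Added example (my code, not from the talk) for slides 22 to 26: the `getuid() == 0` check misleads inside a user namespace because uid 0 there is a mapped uid. The kernel exposes that mapping in `/proc/self/uid_map`, and the parsing functions below take the file text as a string so they can be exercised on constructed maps as well as on the live file.

```c
/* Added example, not from the talk. In a user namespace getuid() returns 0
 * even though the kernel maps that uid to an unprivileged parent uid.
 * /proc/self/uid_map lists the mapping, one range per line:
 * <first uid inside> <first uid in parent> <count> ("0 0 4294967295" = identity) */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Translate a uid seen inside the namespace to the parent's uid using the
 * text of a uid_map file. Returns -1 when the uid is not mapped at all. */
static long map_uid_outer(const char *uid_map, unsigned long inside)
{
    const char *line = uid_map;
    while (line && *line) {
        unsigned long lo, parent, count;
        if (sscanf(line, "%lu %lu %lu", &lo, &parent, &count) == 3 &&
            inside >= lo && inside < lo + count)
            return (long)(parent + (inside - lo));
        line = strchr(line, '\n');   /* move on to the next range */
        if (line) line++;
    }
    return -1;
}

/* uid 0 only carries the parent namespace's root privileges when it maps
 * to uid 0 there; a container manager normally maps it to a plain uid. */
static int uid0_is_parent_root(const char *uid_map)
{
    return map_uid_outer(uid_map, 0) == 0;
}

/* Read this process's own map; returns bytes read or -1 on error. */
static long read_own_uid_map(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    char map[512];
    if (read_own_uid_map(map, sizeof map) < 0) return 1;
    printf("getuid()=%u, uid 0 is parent root: %s\n", (unsigned)getuid(),
           uid0_is_parent_root(map) ? "yes" : "no (user namespace)");
    return 0;
}
```

Note that the map is relative to the parent namespace only; in nested user namespaces the parent's uid 0 may itself be remapped.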
  27. Restrictions https://www.flickr.com/photos/mollivan_jon/10431164633
  28. Networking https://www.flickr.com/photos/emptyage/177466621
  29. ephemeral disks https://www.flickr.com/photos/pixeltree/4876732522
  30. arch, OS, image size, …
  31. containers/container-rfc · GitHub “A vendor neutral format for Linux container images and runtime”
  32. https://www.flickr.com/photos/littlebiglens/6034320322 Image Size
  33. Layers https://www.flickr.com/photos/ralan808/11300490173
  34. Updates? noncommercial use
  35. https://www.flickr.com/photos/doug88888/2801103568 Packages “slugs”
  36. dotcloud/docker#332 `docker load --rebase=new-base-image`
  37. Apps https://www.flickr.com/photos/zoomar/338952152
  38. Buildpacks app source + base image
  39. Dockerfile:

      ```dockerfile
      FROM heroku/cedar
      ADD . /buildpack
      ONBUILD ADD . /app
      ONBUILD RUN /buildpack/bin/compile /app
      ONBUILD ENV PORT 5000
      ONBUILD EXPOSE 5000
      ```
  40. `ONBUILD ONBUILD` dotcloud/docker#5714
  41. Buildstep https://github.com/progrium/buildstep
  42. https://github.com/radial/
  43. Makefile:

      ```make
      #!/usr/bin/env make -f
      buildpath := .build
      buildpackpath := $(buildpath)/pack
      buildpackcache := $(buildpath)/cache

      build: $(buildpackpath)/bin
      	$(buildpackpath)/bin/compile . $(buildpackcache)

      $(buildpackcache):
      	mkdir -p $(buildpath)
      	mkdir -p $(buildpackcache)
      	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
      	mv go.tgz $(buildpath)

      $(buildpackpath)/bin: $(buildpackcache)
      	mkdir -p $(buildpackpath)
      	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
      ```
  44. Ruby recipe:

      ```ruby
      ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

      app_container "myapp" do
        buildpack ruby
        git_url "git@mycompany.com:myapp.git"
      end

      define :app_container, name: nil, buildpack: nil, git_url: nil do
        # ...
        execute "#{name} buildpack compile" do
          command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
        end
      end
      ```
  45. container centric: whole image app centric: builds as a mapping layer recap: the container revolution
  46. Thank you! fabio@heroku.com All images used in this presentation are under a Creative Commons License, unless otherwise noted https://www.flickr.com/photos/compacflt/5948542359