interoperable
containers
Fabio Kung
fabio@heroku.com
https://www.flickr.com/photos/usnavy/8612337045

Please don't continue. Go
see this instead:
http://fabiokung.com/2014/06/11/my-dockercon-2014-talk

Fabio, Runtime Systems at
I run linux containers.

http://12factor.net

“write once, run
everywhere
– Sun Microsystems (?)

“write once, debug
everywhere
– (?)

https://www.flickr.com/photos/tjblackwell/3545764529

Developers want apps...
https://www.flickr.com/photos/cyol/7642566946

PaaS wants scale...
https://www.flickr.com/photos/johngarghan/3401814659

Docker wants...
docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/

PaaS
You
docker
lxc
lmctfy
...
background: https://www.flickr.com/photos/jdhancock/12397433023

Containers
https://www.flickr.com/photos/joshua/433354324

“trying to make Docker
secure for multi-tenant
scenarios is a can of worms
– darren0, at #docker-dev

1 vs 1M
https://www.flickr.com/photos/enerva/9068467267

Root
https://www.flickr.com/photos/ashleyrosex/2861690380

apt-get install …

vi /etc/…

mount -t fancy …

modprobe something

iptables -A INPUT …

kernelspace abuse
https://www.flickr.com/photos/erlendaasland/4107345124

User Namespaces
Unprivileged Containers
https://www.flickr.com/photos/ntr23/730371240

“
(…) the kernel grants all capabilities to the
initial process in a user namespace, this does
not mean that process then has superuser
privileges within the wider system. (It may,
however, mean that unprivileged users now
have access to exploits in kernel code that
was formerly accessible only to root, ...)
– Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces", LWN.net

if (getuid() == 0) {
// do root stuff
}

just don't run as root?

also SUID

Restrictions
https://www.flickr.com/photos/mollivan_jon/10431164633

Networking
https://www.flickr.com/photos/emptyage/177466621

ephemeral disks
https://www.flickr.com/photos/pixeltree/4876732522

arch, OS, image size, …

containers/container-rfc · GitHub
“A vendor neutral format for Linux
container images and runtime

https://www.flickr.com/photos/littlebiglens/6034320322
Image Size

Layers
https://www.flickr.com/photos/ralan808/11300490173

Updates?
noncommercial use

https://www.flickr.com/photos/doug88888/2801103568
Packages
“slugs”

dotcloud/docker#332
docker load --rebase=new-base-image

Apps
https://www.flickr.com/photos/zoomar/338952152

Buildpacks
app source + base image

FROM heroku/cedar
ADD . /buildpack
ONBUILD ADD . /app
ONBUILD RUN /buildpack/bin/compile /app
ONBUILD ENV PORT 5000
ONBUILD EXPOSE 5000

`ONBUILD ONBUILD`
dotcloud/docker#5714

Buildstep
https://github.com/progrium/buildstep

https://github.com/radial/

#!/usr/bin/env make -f
buildpath := .build
buildpackpath := $(buildpath)/pack
buildpackcache := $(buildpath)/cache
build: $(buildpackpath)/bin
$(buildpackpath)/bin/compile . $(buildpackcache)
$(buildpackcache):
mkdir -p $(buildpath)
mkdir -p $(buildpackcache)
curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
mv go.tgz $(buildpath)
$(buildpackpath)/bin: $(buildpackcache)
mkdir -p $(buildpackpath)
tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz

ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"
app_container "myapp" do
buildpack ruby
git_url "git@mycompany.com:myapp.git"
end
define :app_container,
name: nil,
buildpack: nil,
git_url: nil do
# ...
execute "#{name} buildpack compile" do
command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
end
end

container centric: whole image
app centric: builds as a mapping layer
recap: the container revolution

Thank you!
fabio@heroku.com
All images used in this presentation are under a Creative Commons License, unless otherwise noted
https://www.flickr.com/photos/compacflt/5948542359