DockerCon 2014: Thoughts on interoperable containers

  1. Interoperable containers. Fabio Kung, fabio@heroku.com https://www.flickr.com/photos/usnavy/8612337045
  2. Please don't continue. Go see this instead: http://fabiokung.com/2014/06/11/my-dockercon-2014-talk
  3. Fabio, Runtime Systems at Heroku. I run Linux containers.
  4. http://12factor.net
  5. “write once, run everywhere” – Sun Microsystems (?)
  6. “write once, debug everywhere” – (?)
  7. https://www.flickr.com/photos/tjblackwell/3545764529
  8. Developers want apps... https://www.flickr.com/photos/cyol/7642566946
  9. PaaS wants scale... https://www.flickr.com/photos/johngarghan/3401814659
  10. Docker wants... docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/
  11. PaaS You docker lxc lmctfy ... background: https://www.flickr.com/photos/jdhancock/12397433023
  12. Containers https://www.flickr.com/photos/joshua/433354324
  13. “trying to make Docker secure for multi-tenant scenarios is a can of worms” – darren0, at #docker-dev
  14. 1 vs 1M https://www.flickr.com/photos/enerva/9068467267
  15. Root https://www.flickr.com/photos/ashleyrosex/2861690380
  16. apt-get install …
  17. vi /etc/…
  18. mount -t fancy
  19. modprobe something
  20. iptables -A INPUT
  21. kernelspace abuse https://www.flickr.com/photos/erlendaasland/4107345124
  22. User Namespaces Unprivileged Containers https://www.flickr.com/photos/ntr23/730371240
  23. “(…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)” – Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces", LWN.net
  24. if (getuid() == 0) { /* do root stuff */ }
  25. just don't run as root?
  26. also SUID
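Added example, not part of the talk: what the `if (getuid() == 0)` check of slide 24 and the "also SUID" point of slide 26 look like from a shell, using util-linux `unshare -U -r` (assumed installed; `/etc/passwd` and `/etc/shadow` are only used as ordinary root-owned probe files). Inside an unprivileged user namespace the process reads uid 0 and holds a full capability set, yet the host's uid 0 is unmapped there, so root-owned files show up as the overflow uid and stay unreadable, and setuid-root binaries confer nothing because their owner is "nobody" from inside.

```sh
#!/bin/sh
# Added example (not from the talk): what `getuid() == 0` sees inside an
# unprivileged user namespace, driven with util-linux `unshare`.
#
# `unshare -U -r CMD` runs CMD in a new user namespace with the caller's uid
# and gid mapped to 0 inside it (it writes "0 <outer uid> 1" to
# /proc/self/uid_map). CMD therefore gets uid 0 and a full capability set,
# but both are valid only within that namespace.

# Prints the uid a program would read via getuid() inside the namespace, or
# "unsupported" when the kernel or sandbox refuses unshare(CLONE_NEWUSER).
uid_inside_userns() {
    unshare -U -r id -u 2>/dev/null || echo unsupported
}

# Prints the owner uid that FILE appears to have from inside the namespace.
# For a root-owned file started from an unprivileged shell this is the
# overflow uid (65534 by default): host uid 0 has no mapping in here, which
# is why the namespace "root" cannot read such files and why a setuid-root
# binary is just an ordinary executable owned by "nobody" inside it.
# Started by real root the mapping is 0 -> 0 and the file shows owner 0.
owner_seen_inside_userns() {
    unshare -U -r stat -c %u "$1" 2>/dev/null || echo unsupported
}

# Exit 0 if FILE is readable from inside the namespace, 1 if it is not,
# 2 if the namespace could not be created. From an unprivileged shell,
# /etc/shadow stays unreadable even though `id -u` just reported 0:
# the slide's getuid() check passes, the privilege it assumes is absent.
readable_as_fake_root() {
    unshare -U -r true 2>/dev/null || return 2
    unshare -U -r sh -c "cat '$1' >/dev/null 2>&1"
}

# Stand-alone run: show the three observations side by side.
main() {
    echo "uid inside user namespace:     $(uid_inside_userns)"
    echo "/etc/passwd owner seen inside: $(owner_seen_inside_userns /etc/passwd)"
    if readable_as_fake_root /etc/shadow; then
        echo "/etc/shadow readable inside:   yes (you were already root outside)"
    else
        echo "/etc/shadow readable inside:   no (status $?)"
    fi
}
[ "${0##*/}" = "userns_demo.sh" ] && main
```

Run it as an unprivileged user on a kernel with unprivileged user namespaces enabled: the first line prints 0, the second 65534, the third "no". Run as real root, the owner shows 0 and the file is readable, because the namespace mapped host uid 0 to itself.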
  27. Restrictions https://www.flickr.com/photos/mollivan_jon/10431164633
  28. Networking https://www.flickr.com/photos/emptyage/177466621
  29. ephemeral disks https://www.flickr.com/photos/pixeltree/4876732522
  30. arch, OS, image size, …
  31. containers/container-rfc · GitHub “A vendor neutral format for Linux container images and runtime”
  32. https://www.flickr.com/photos/littlebiglens/6034320322 Image Size
  33. Layers https://www.flickr.com/photos/ralan808/11300490173
  34. Updates? noncommercial use
  35. https://www.flickr.com/photos/doug88888/2801103568 Packages “slugs”
  36. dotcloud/docker#332 docker load --rebase=new-base-image
  37. Apps https://www.flickr.com/photos/zoomar/338952152
  38. Buildpacks app source + base image
  39. Buildpack as a Dockerfile (the ONBUILD steps run when a child image is built FROM this one):
      FROM heroku/cedar
      ADD . /buildpack
      ONBUILD ADD . /app
      ONBUILD RUN /buildpack/bin/compile /app
      ONBUILD ENV PORT 5000
      ONBUILD EXPOSE 5000
  40. `ONBUILD ONBUILD` dotcloud/docker#5714
  41. Buildstep https://github.com/progrium/buildstep
  42. https://github.com/radial/
  43. Makefile that fetches a buildpack and runs its compile step (recipe lines are tab-indented):
      #!/usr/bin/env make -f
      buildpath := .build
      buildpackpath := $(buildpath)/pack
      buildpackcache := $(buildpath)/cache

      build: $(buildpackpath)/bin
      	$(buildpackpath)/bin/compile . $(buildpackcache)

      $(buildpackcache):
      	mkdir -p $(buildpath)
      	mkdir -p $(buildpackcache)
      	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
      	mv go.tgz $(buildpath)

      $(buildpackpath)/bin: $(buildpackcache)
      	mkdir -p $(buildpackpath)
      	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
  44. The same as a Chef recipe plus definition:
      ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

      app_container "myapp" do
        buildpack ruby
        git_url "git@mycompany.com:myapp.git"
      end

      define :app_container, name: nil, buildpack: nil, git_url: nil do
        # ...
        execute "#{name} buildpack compile" do
          command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
        end
      end
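Added example, not from the talk or from Heroku's tooling: the buildpack contract that slides 39, 43 and 44 all call into with `bin/compile BUILD_DIR CACHE_DIR`. A buildpack is a directory with three executables, `bin/detect BUILD_DIR` (exit 0 if it applies), `bin/compile BUILD_DIR CACHE_DIR ENV_DIR` (rewrite the source tree in place, reusing CACHE_DIR between builds) and `bin/release BUILD_DIR` (print YAML naming the process types). The toy "shell app" buildpack, the `app.sh` convention it detects and the `runtime.txt` artifact it caches are all constructed for this example; the driver `build_app` is the "mapping layer" between app source and base image that the talk describes.

```sh
#!/bin/sh
# Added example, not from the talk: the buildpack contract invoked by the
# slides' `bin/compile /app` and `bin/compile . .build/cache` lines.
#   bin/detect  BUILD_DIR                    exit 0 (and print a name) if it applies
#   bin/compile BUILD_DIR CACHE_DIR ENV_DIR  transform the source tree in place
#   bin/release BUILD_DIR                    print YAML describing how to run it
# The buildpack below is a toy constructed for the example so it runs offline.

# Write a minimal buildpack into directory $1 (constructed, not a real pack).
make_toy_buildpack() {
    pack=$1
    mkdir -p "$pack/bin"
    cat >"$pack/bin/detect" <<'EOF'
#!/bin/sh
# Applies only to apps that ship an app.sh (convention made up for this example)
[ -f "$1/app.sh" ] || exit 1
echo "shell-app"
EOF
    cat >"$pack/bin/compile" <<'EOF'
#!/bin/sh
set -e
build=$1; cache=$2
# CACHE_DIR survives between builds: an artifact built once is reused next time
mkdir -p "$cache"
[ -f "$cache/runtime.txt" ] || echo "runtime-v1" >"$cache/runtime.txt"
cp "$cache/runtime.txt" "$build/runtime.txt"
chmod +x "$build/app.sh"
EOF
    cat >"$pack/bin/release" <<'EOF'
#!/bin/sh
printf 'default_process_types:\n  web: ./app.sh\n'
EOF
    chmod +x "$pack"/bin/*
}

# Run one buildpack against one app directory: detect, compile, release.
# Prints the default web command on success; returns 1 if the pack does not
# apply or compile fails, so a caller can try the next buildpack.
build_app() {
    pack=$1; app=$2; cache=$3
    envdir=${4:-$cache/env}          # ENV_DIR: one file per config var (empty here)
    mkdir -p "$cache" "$envdir"
    "$pack/bin/detect" "$app" >/dev/null || return 1
    "$pack/bin/compile" "$app" "$cache" "$envdir" || return 1
    "$pack/bin/release" "$app" | sed -n 's/^  web: //p'
}
```

Pointing `build_app` at a directory holding a `pack/`, an `app/` with `app.sh` and an empty `cache/` prints `./app.sh` and leaves `runtime.txt` beside the app, which is what the Dockerfile's ONBUILD step and the Makefile's `build` target do to `/app` and `.` respectively.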
  45. container centric: whole image
      app centric: builds as a mapping layer
      recap: the container revolution
  46. Thank you! fabio@heroku.com All images used in this presentation are under a Creative Commons License, unless otherwise noted https://www.flickr.com/photos/compacflt/5948542359