Make container without_docker_6-overlay-network_1 Sam Kim
How does communication between containers work in a distributed environment? In parts 3 and 4 we built a virtual network inside a single host. Part 6 builds on that to make communication over a virtual network possible between hosts in a distributed environment. This approach covers the vxlan-based overlay network configuration that CNIs such as Kubernetes flannel actually use.
One of the hard things about using containers is networking.
If you understand well how communication between containers works in a virtual network environment, it helps a lot with both development and operations.
I have put quite a lot of effort into understanding container networking,
but I still feel I have a lot to learn. I think these are things one cannot do alone, and I learn and gain insight from what others share.
I think it will be helpful to those starting to study containers, and also to those already working with them.
Happy studying!
This talk outlines the features in containerd 1.1 smart client: I/O redirection from the client side, containerd namespaces to leverage a single runtime instance with a logical isolation from multiple clients (Kubernetes, Docker Engine, other systems), and containers as types in Golang when using containerd Go client library.
Additionally, it explains all the performance improvements brought by BuildKit, and the capabilities that it opens up because of its modular architecture, enabling open source developers who create new build systems using BuildKit directly to create new front ends.
Hypervisors are becoming more and more widespread in embedded environments, from automotive to medical and avionics. Their use case is different from traditional server and desktop virtualization, and so are their requirements. This talk will explain why hypervisors are used in embedded, and the unique challenges posed by these environments to virtualization technologies.
Xen, a popular open source hypervisor, was born to virtualize x86 Linux systems for the data center. It is now the leading open source hypervisor for ARM embedded platforms. The presentation will show how the ARM port of Xen differs from its x86 counterpart. It will go through the fundamental design decisions that made Xen a good choice for ARM embedded virtualization. The talk will explain the implementation of key features such as device assignment and interrupt virtualization.
I gave this presentation on 5/17 to the New Mexico VMUG in Santa Fe. The presentation provides an overview of OpenStack, what it is (and isn't), and some things you might learn to get started with OpenStack.
Xen on ARM for embedded and IoT: from secure containers to dom0less systems - Stefano Stabellini
Hypervisors are becoming increasingly widespread in embedded environments. Their use-case is different from server virtualization, and so are their requirements. The ability to run containerized applications is often a requirement. Xen on ARM is embracing the new challenges with innovative solutions.
This talk will discuss cutting-edge Xen on ARM features for embedded deployments, including dom0less, where multiple domains are started directly by Xen at boot. The presentation will explain the reasons why Xen is an excellent runtime environment for containerized apps and will introduce a new proposal for a Xen Project sub-project to create the ideal platform for secure containers in embedded.
Tracing Summit 2014, Düsseldorf. What can Linux learn from DTrace: what went well, and what didn't go well, on its path to success? This talk will discuss not just the DTrace software, but lessons from the marketing and adoption of a system tracer, and an inside look at how DTrace was really deployed and used in production environments. It will also cover ongoing problems with DTrace, and how Linux may surpass them and continue to advance the field of system tracing. A world expert and core contributor to DTrace, Brendan now works at Netflix on Linux performance with the various Linux tracers (ftrace, perf_events, eBPF, SystemTap, ktap, sysdig, LTTng, and the DTrace Linux ports), and will summarize his experiences and suggestions for improvements. He has also been contributing to various tracers: recently promoting ftrace and perf_events adoption through articles and front-end scripts, and testing eBPF.
Kubernetes Helm makes application deployment easy, standardized and reusable. Use of Kubernetes Helm leads to better developer productivity, reduced Kubernetes deployment complexity and enhanced enterprise production readiness.
Enterprises using Kubernetes Helm can speed up the adoption of cloud native applications. These applications can be sourced from open-source community provided repositories, or from an organization’s internal repository of customized application blueprints.
Developers can use Kubernetes Helm as a vehicle for packaging their applications and sharing them with the Kubernetes community. Kubernetes Helm also allows software vendors to offer their containerized applications at “the push of a button.” Through a single command or a few mouse clicks, users can install Kubernetes apps for dev-test or production environments.
The ideal solution for securing modern container infrastructures
- Zero Trust
- Kubernetes Native
- 100% open source
- Integrates with SUSE Rancher
Agenda:
- Overview & architecture
- Installation
- First steps
Rook turns distributed storage systems into self-managing, self-scaling, self-healing storage services. It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, migration, disaster recovery, monitoring, and resource management.
Rook uses the power of the Kubernetes platform to deliver its services via a Kubernetes Operator for each storage provider.
Oleg Chunikhin, Co-Founder and CTO @ Kublr.com, will present an introduction to storage management on k8s using Rook and Ceph.
Virtualization with KVM (Kernel-based Virtual Machine) - Novell
As a technical preview, SUSE Linux Enterprise Server 11 contains KVM, which is the next-generation virtualization software delivered with the Linux kernel. In this technical session we will demonstrate how to set up SUSE Linux Enterprise Server 11 for KVM, install some virtual machines and deal with different storage and networking setups.
To demonstrate live migration we will also show a distributed replicated block device (DRBD) setup and a setup based on iSCSI and OCFS2, which are included in SUSE Linux Enterprise Server 11 and SUSE Linux Enterprise 11 High Availability Extension.
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
How Linux Processes Your Network Packet - Elazar Leibovich - DevOpsDays Tel Aviv
With buzz on eBPF, XDP, bpfilter etc., it's important to get the basics right. We will show the route of a network packet from kernel driver to TCP/IP stack to userspace socket and explain how and where it's processed en route.
Modern environments use a lot of the Linux networking stack's capabilities.
Every docker container requires a dedicated bridge, usually a few iptables entries to expose ports, a dnsmasq daemon, and masquerading to allow internet access.
It is hence important to understand Linux network fundamentals: from the driver interrupt/NAPI, to the network stack, the various filters a packet passes through and the various hooks you have at your disposal to alter and view the network packet flow.
We will first review the theory, and then present useful tools to apply the theory and debug problems in common situations.
We will survey common container situations and see how packets move from the hardware to the container's veth.
In the Cloud Native community, eBPF is gaining popularity, and it can often be the best solution for solving different challenges with deep observability of systems. Currently, eBPF is being embraced by major players.
Mydbops co-Founder, Kabilesh P.R (MySQL and Mongo Consultant) illustrates debugging Linux issues with eBPF: a brief about BPF & eBPF, BPF internals and the tools in action for faster resolution.
This is a Korean translation of "OpenStack: Inside Out" by Etsuji Nakai of Red Hat.
Once again, thanks to Etsuji Nakai for sharing such a good document.
http://www.slideshare.net/enakai/open-stack-insideoutv10
"But it works on my machine?" Setting up a development environment identical to the server with Vagrant - 소리 강
This is the material I presented at H3 2012.
"But it works on my machine?" is one of the things developers say most often after developing locally and deploying to a server.
Differences between the actual development environment and the production environment are the main culprit behind many kinds of errors. To address this, we introduce Vagrant, which makes it easy to manage local virtual machines and create a development environment identical to the server.
It also explains how to do Configuration Management in your own development environment using Chef, the most talked-about tool in DevOps.
[17.01.19] docker introduction (Korean Version) - Ildoo Kim
This is the material I used to introduce Docker.
The development team I belong to has built an environment and infrastructure based on Docker containers that covers everything from development to deployment, and operates in a DevOps style in which the development team is involved in most operations as well.
This material was made for beginners who are using Docker for the first time or are not yet familiar with its concepts.
The scripts/code used in the slides are below.
https://github.com/ildoonet/docker_introduction
----
김일두, Software Engineer @ Kakao
Github : https://github.com/ildoonet
Linkedin : https://www.linkedin.com/in/ildoo-kim-56962034/
Setting Up a Virtual Development Environment
Studybee week 2 study - setting up a virtual development environment!
Covers setting up a virtual development environment using Vagrant and virtualenv.
This is teaching material created for the 'Web Development for Beginners' class run at http://www.studybee.kr,
and its goal is to build a simple blog using Django.
2. The lab is . . .
● prepared on a Mac with VirtualBox + Vagrant.
○ Operating systems other than macOS are fine too,
○ but for a smooth lab
○ "VirtualBox or VMware + Vagrant" is recommended.
● A Vagrantfile is provided for setting up the lab environment.
Prerequisites for the lab
4. Prerequisites for the lab
Lab account (root): # sudo -Es
Lab folder: # cd /tmp
vagrant + virtual VM: ubuntu 18.04
docker 20.10.5 * used for downloading Docker images and for comparison with containers.
Other installed tools: tree, jq, brctl, … and other tools for the lab
Environment provided by the Vagrantfile
7. Container? A group of processes running in an isolated environment with controlled resources. It is like setting up a separate household inside the host.
[Diagram: system resources (cpu, mem, ..) and processes inside the host]
A house within a house ~ "a computer inside a computer"
https://jessicagreben.medium.com/what-is-the-difference-between-a-process-a-container-and-a-vm-f36ba0f8a8f7
8. Container? Lighter than a VM
[Diagram. Virtual machine (VM) environment: Infrastructure / OS / Hypervisor / three Guest OSes each running an App, labelled "Strong Isolation". Container environment: Infrastructure / OS / Container Engine / three containers each running an App, labelled "Weak Isolation".]
9. Container? Lighter than a VM. Why? There is no guest OS (the host OS is shared)
[Same diagram as slide 8: VM environment with strong isolation, container environment with weak isolation]
12. chroot? change root directory '/'
In the Linux filesystem,
every file and directory starts from "root (/)".
[Diagram: / (root filesystem) containing bin, boot, chroot, etc, lib, proc, usr, var]
13. chroot? change root directory '/'
Used, among other things, to confine remote users (FTP etc.)
to a specific directory path.
[Diagram: / (root filesystem) containing bin, boot, chroot, etc, lib, proc, usr, var; inside it a / (Fake root) containing bin, lib, home, usr, with a "Hacker" held in the jail]
So.. the idea is that if you can set a specific directory path as root,
you can confine a process to that path ~
14. chroot lab: let's make a container with chroot
[Diagram: / (root filesystem) containing bin, boot, chroot, etc, lib, proc, usr, var; inside it a / (Fake root) containing bin, lib, home, usr, with a "Hacker" held in the jail]
15. chroot lab: chroot takes a new path (NEWROOT) and the command to run as arguments.
# man chroot
~ If no command is given, it runs the default command (/bin/sh).
17. # chroot new-root /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory
chroot lab
~ chroot's command (/bin/bash) is resolved relative to the new-root path,
so it errors out because the command to run is not on that path ~
18. chroot lab
# which bash
/bin/bash
# mkdir -p new-root/bin
# cp /bin/bash new-root/bin
Copy the /bin/bash file into new-root/bin.
19. # chroot new-root /bin/bash
chroot: failed to run command ‘/bin/bash’: No such file or directory
chroot lab
Why again ~ ㅠ
We run it again, but …
20. # ldd /bin/bash
ldd prints the shared libraries required
Note) man ldd (list dynamic dependencies)
So there were libraries that /bin/bash references when it runs.
chroot lab
21. chroot lab: copy the libraries bash needs to run as well, one by one ~
# mkdir new-root/lib
# cp /lib/x86_64-linux-gnu/libtinfo.so.5 new-root/lib/
# cp /lib/x86_64-linux-gnu/libdl.so.2 new-root/lib/
# cp /lib/x86_64-linux-gnu/libc.so.6 new-root/lib/
# mkdir new-root/lib64
# cp /lib64/ld-linux-x86-64.so.2 new-root/lib64/
Q) Why don't we copy linux-vdso.so.1?
A) *-vdso is a shared library provided at the kernel level.
Note) man vdso (virtual dynamic shared object)
22. chroot lab
# chroot new-root /bin/bash
bash-4.4#
Success ~
Oh.. it feels like being in a different terminal.
31. chroot lab: the programs you need have to be copied in one by one like this.
I got a bit greedy: to be able to run ps, I even added mount.
[Diagram: directory tree of new-root]
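The manual steps of slides 18 through 21 (copy bash, run ldd, copy each library into new-root) as one script that resolves the dependencies itself. This is an added example, not code from the original slides; it assumes a Linux host with sh, awk, ldd, cp and chroot, and the ldd output embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original slides: builds the slides' "new-root"
# automatically instead of copying bash and each library by hand.
# Assumes a Linux host with sh, awk, ldd, cp and chroot available.
set -eu

# Print the on-disk path of every shared library in ldd output read from stdin.
# ldd prints three shapes of line, handled as follows:
#   "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"  -> the path after "=>"
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"                    -> the bare path (dynamic loader)
#   "linux-vdso.so.1 (0x...)"                                 -> skipped: the vDSO is mapped by the kernel
# A "lib => not found" line is reported on stderr, since the chroot would fail on it later.
ldd_paths() {
    awk '
        /=> not found/ { print "warning: " $1 " not found on this host" > "/dev/stderr"; next }
        /=>/           { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//     { print $1 }
    '
}

# Copy one program (absolute path) plus every library ldd reports into the new
# root, keeping the original directory layout so the loader finds them there.
# Only run this on binaries you trust: ldd may execute the program's loader.
install_into_root() {
    root=$1; prog=$2
    mkdir -p "$root$(dirname "$prog")"
    cp -L "$prog" "$root$prog"            # -L copies the real file behind a symlink
    ldd "$prog" | ldd_paths | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$lib"
    done
}

# Build the root the slides build and run a command inside it, the same as
# "chroot new-root /bin/bash" on slide 22 (chroot itself must run as root).
build_and_enter() {
    root=${1:-/tmp/new-root}
    install_into_root "$root" /bin/bash
    install_into_root "$root" /bin/ls     # so the shell has something to run
    chroot "$root" /bin/bash -c 'echo "inside the new root: $(ls /)"'
}

# Constructed sample of ldd output for /bin/bash (addresses made up) with the
# libraries slide 21 copies by hand, plus one missing library for the edge case.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd2b3f1000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f1a3c6c4000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1a3c4c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a3c0cf000)
    libmissing.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a3cc08000)'

# Parse the constructed sample; returns the four real paths on one line.
parse_sample() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths | tr '\n' ' ' | sed 's/ $//'
}

# Set NEWROOT (e.g. NEWROOT=/tmp/new-root) and run as root to build and enter the chroot.
if [ -n "${NEWROOT:-}" ]; then
    build_and_enter "$NEWROOT"
fi
```

A chroot alone is not a security boundary: a process that keeps root privileges inside the new root can still leave it, so treat this as a filesystem-view exercise rather than isolation.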
32. That is exactly what an image is :-)
The thing people usually call a "Docker image".
Think of it as a kind of tarball.
[Diagram: nginx image = tarball]
Wouldn't it be convenient to take something someone has already bundled with everything needed?
chroot + image lab
33. While we're at it, shall we fetch an image?
[Diagram: nginx-root]
# cd /tmp
# mkdir nginx-root
First, create a new folder called "nginx-root" under /tmp.
chroot + image lab
34. We'll unpack the nginx image into the newly created nginx-root path.
This command performs the following steps:
1. fetch the nginx:latest image from the image registry,
2. export it as a tarball (archive),
3. and extract it into the nginx-root path.
While we're at it, shall we fetch an image?
[Diagram: nginx image -> tarball -> nginx-root]
# docker export $(docker create nginx:latest) | tar -C nginx-root -xvf -
chroot + image lab
35. If you chroot into a path where the needed image has been unpacked like this ~
# chroot nginx-root /bin/sh
#
the ls command works too ~
Someone has bundled everything needed nicely.
chroot + image lab
36. It is identical to the contents of the nginx image tarball … exactly as extracted, haha
[Diagram: nginx image tarball = identical]
chroot + image lab
38. Open another terminal window and check that you can actually connect.
# curl localhost
Terminal #2
If the connection works, success ~
chroot + image lab
39. So far we have run an nginx web server using the nginx image and chroot.
[Diagram: nginx image tarball -> nginx-root]
"Just like a real container", we collected the files a program needs to run
and reproduced running a process with that path as its root.
chroot + image lab