Docker provides an integrated and opinionated toolset to build, ship and run distributed applications. Over the past year, the Docker codebase has been refactored extensively to extract infrastructure plumbing components that can be used independently, following the UNIX philosophy of small tools doing one thing well: runC, containerd, swarmkit, hyperkit, vpnkit, datakit and the newly introduced InfraKit.
This talk will give an overview of these tools and how you can use them to build your own distributed systems without Docker.
Patrick Chanezon & David Chung, Docker & Phil Estes, IBM
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Building Distributed Systems without Docker, Using Docker Plumbing Projects - LinuxCon Berlin 2016
1. Patrick Chanezon, @chanezon, Docker Inc.
Building Distributed Systems without Docker
Using Docker Plumbing Projects
David Chung, @dchungsf, Docker Inc.
Phil Estes @estep, IBM
5. A commercial product,
built on
a development platform,
built on
infrastructure,
built on
standards.
Docker is building a stack to program the Internet
20. BUILD
Development Environments
SHIP
Registry: Secure Content &
Collaboration
RUN
Control Plane: Deploy,
Orchestrate, Manage, Scale
Networking Volumes MonitoringLoggingConfig MgtCI/CD
IT Operations
Developers IT Operations
Docker CaaS Workflow
21. Docker Containers as a Service platform
23
BUILD
Developer Workflows
SHIP
Registry Services
RUN
Management
Docker for Mac and Windows Docker Trusted Registry Docker Universal Control Plane
Docker Cloud
Docker Container Engine
Ecosystem Plugins and Integrations
25. Notary
“Let’s stop using curl|sh”
Trusted collections for any content
Transport-agnostic
Reliable updates, proof of origin, resistant to untrusted
transport, survivable key compromise
Build on industry-leading standards and research
35. Open Container Initiative (OCI)
An open governance
structure for creating
open industry
standards: a common
container runtime and
image format.
• A Linux Foundation Collaborative Project
• Free from control by any particular vendor’s
specific cloud stack or ecosystem
• Includes a specification, reference
runtime* and now, a specified image
format*seeded with runc + libcontainer by Docker
36. OCI Specs & Status
> Announced June
20th, 2015
> Charter signed on
December 8th, 2015
> 49 current member
companies
> Both specifications
nearing 1.0 release
targets
https://opencontainers.org
https://github.com/opencontainers
> Runtime specification: Release 1.0.0-rc2 / September
2016
https://github.com/opencontainers/runtime-spec/releases/tag/v1.0.0-rc2
1. Very close to an official 1.0 release of the runtime spec
2. Includes required core for Linux, Windows, and Solaris
> Image format specification: Release 0.5.0 / September
2016
https://github.com/opencontainers/image-spec/releases/tag/v0.5.0
1. Seeded with Docker registry v2.2 specification
2. v1.0.0-rc1 release being voted/approved on mailing list
37. Introduction to `runc`
> runc is a client wrapper around libcontainer
> Libcontainer is the OS level interface for containers
Other platforms and architectures can implement
the libcontainer API via their own
primitives/system-level container concepts
$ docker run -it --read-only -v /host:/hostpath alpine sh
/#
{
"ociVersion": "0.6.0-dev",
"platform": {
"os": "linux",
"arch": "amd64"
},
"process": {
"terminal": true,
"args": [
"sh"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/bin”
config.json
38. ● CloudFoundry Garden OCI
implementation
● https://github.com/cloudfoundry-incubator/guardian
● Uses runc as a backend for container execution
● Docker 1.11 (and above)
● Switched from direct libcontainer API linkage to
calling runc as container executor
● Uses containerd as a gRPC daemon to
disconnect Docker daemon (API/mgmt) from
container execution (allows daemon restart in
future without container runtime impact)
runc in the “Wild”
runv - Hyper.sh; small & lightweight hypervisor wraps contained process
runz - Solaris zones implementation
> Ports/Implementations:
39. runc: An open innovation platform for containers
Implement low-level container features
Operating system level features should be defined in the OCI runtime specification
New capabilities (PID cgroup controls, checkpoint/restore, seccomp) implemented in
runC
INTEREST
OCI compliance/pluggable execution engine
Implement a OS/environment for containers via an OCI spec compliant binary
Examples: runz (Solaris zones), runv (hypervisor-based), Intel Clear Containers
Iterative container configuration test/debug
Simple variant of “Docker-like” containers with less friction for quick modifications
Low bar for dependencies: single binary + physical rootfs bundle + JSON config
INTEREST
INTEREST
40. How does Docker use runc?
Docker engine
containerd
gRPC
ctr-shim ctr-shim
runc runc
https://github.com/docker/docker
https://github.com/docker/containerd
https://github.com/opencontainers/runc
Docker client/API
HTTP/RES
T
41. OCI & runc Futures
● Entry point for OS-level container technology
implementations and added enhancements
• Recent examples: seccomp, user namespaces, checkpoint/restore
• Many smaller examples (lots of changes required for fully unprivileged
containers)
● More users and contributed implementations (for
runtime and image)
● What will you do with runc?
49. Declarative
• JSON configuration for desired infrastructure state:
• Specification of instances — vm image, instance type, etc.
• Group properties — size, logical identifiers, etc.
• Design patterns encourage
• encapsulation
• composition
• Config is input to all operations — system figures out what to do
52
50. Self-healing
• Composed of a set of active components / processes that
• monitor infrastructure state
• detect state divergence
• take actions
• Continuous monitoring and reconciliation — always on
• No downtime — rolling update
53
51. Toolkit
• Primitives for managing collections of resources
• create, scale, destroy
• rolling update
• Abstractions & Developer SPI
• Group - manages collection of resources
• Instance - describes the physical resource
• Flavor - extra semantics for handling instances
• A collection of executable, active components — plugins
• Initially, Go daemons in the toolkit
• Soon, easy management via Docker Plugins (runc)
53. Instance Plugin
• Spec: specification / model of an instance (e.g. vagrant, EC2):
• Logical ID, Init, Tags, and attachment
• Platform-specific properties
• Methods:
• /Instance.Validate
• /Instance.Provision
• /Instance.Destroy
• /Instance.DescribeInstances
• Examples: instance plugins for EC2, Azure VM, Vagrant, …56
54. Flavor Plugin
• Gives more context about the group members:
• Size, or list of Logical ID’s (e.g. IP addresses for ‘pets’)
• Application-specific notions of ‘health’
Is the node not only present but also joined a swarm?
• Methods:
• /Flavor.Validate
• /Flavor.Prepare
• /Flavor.Healthy
• Examples: flavor for Zookeeper members, Docker swarm
nodes57
55. Group Plugin
• Main entry point for user interaction:
• Create, describe update, update, destroy
• Config JSON is always the input
• Composed of Instance and Flavor — mix and match to
manage cattle (fungible) or pets (special)
• Methods:
• /Group.Watch
• /Group.Unwatch
• /Group.Inspect
58
• /Group.DescribeUpdate
• /Group.Update
• /Group.StopUpdate
• /Group.Destroy
57. Operations
• Make sure the plugins are running:
• infrakit/group &; infrakit/zookeeper &; infrakit/vagrant &;
• “Watch” the group starts management:
• infrakit/cli group watch zk.conf
• Update the config, e.g. change size or add IP address
• Describe changes before committing —
infrakit/cli group describe zk.conf
• Begin update —
infrakit/cli group update zk.conf
60
59. Today
62
• InfraKit is just getting started… only
primitives for working with groups like
clusters of hosts
• But we have big plans
• Improve group management strategies
• More resource types — networking, load
balancers, storage…
• A cohesive framework for active
management of infrastructure — physical,
virtual, or containers
60. Get Involved
• Help define and implement new and interesting plugins
• Instance plugins for different infrastructure providers
• Flavor plugins for systems like etcd or mysql clusters
• Group controller plugins — metrics-driven auto scaling
and more
• Help define interfaces and implement new infrastructure
resource types — load balancers, networks and storage
volume provisioners
63
62. Booth D38 @ LinuxCon + ContainerCon
Tues Oct 4th
• Build Distributed Systems without Docker, using Docker Plumbing Projects - Patrick Chanezon, David Chung and Captain Phil
Estes
• Getting Started with Docker Services - Mike Goelzer
• Swarmkit: Docker’s Simplified Model for Complex Orchestration - Stephen Day
• User Namespace and Seccomp Support in Docker Engine - Paul Novarese
• Build Efficient Parallel Testing Systems with Docker - Docker Captain Laura Frank
Wed Oct 5th
• How Secure is your Container? A Docker Engine Security Update - Phil Estes
• Docker Orchestration: Beyond the Basics - Aaron Lehmann
• When the Going gets Tough, get TUF Going - Riyaz Faizullabhoy and Lily Guo
Thurs Oct 6th
• Orchestrating Linux Containers while Tolerating Failures - Drew Erny
• Unikernels: When you Should and When you Shouldn’t - Amir Chaudhry
• Berlin Docker Meetup
Friday Oct 7th
• Tutorial: Comparing Container Orchestration Tools - Neependra Khare
• Tutorial: Orchestrate Containers in Production at Scale with Docker Swarm - Jerome Petazzoni
Local development environments
Self service app images
Build, Test, Deploy applications
Define app behavior and infra needs
Registry services for image storage, management and distribution
IT Ops maintains library of secure base content
Manage role based access to repos/images
Management consoles
Provision, manage infrastructure resources
Monitor, manage, scale infrastructure and applications
Docker for Mac is super easy to use. It self-updates. But how to do you do that for other platforms??
Infrastructure management holds an interesting position — it has to prepare the environment for the container engine.
Infrastructure management sets up the environment for the container engine. It then collaborates with it to service the user’s needs.
integration in the future as Docker Plugins (as runc containers)
goes back to initial goal of simplifying user experience through a common Docker plugin install experience
InfraKit can be used set up to run with leader election (e.g. integrated with Docker swarm mode) to achieve high availability. Multiple plugin sets are running as hot standby but only one is active (the leader).
no method to update !!— opinionated immutable infrastructure
Prepare modifies the Spec for the instance. It can inject additional init scripts, tags.
Healthy goes beyond just presence — is a node present AND part of a swarm?
No operations to create: watching nodes that don’t exist —> will create them … declarative state
explain cases for using each. why explicit is better than implicit (use unwatch / destroy example)
Simple patterns
Compose them into a large configuration. Group is made up of Instance and Flavor
Note the config is used for all inputs.
The system figures out what needs to be done.
Only signals to system to start managing
Docker plugins in a future implementation