5. About our presenter
• Some say that he has no face, all we know is that he is the presenter…
6. About me (in all seriousness)
• I write code, sometimes have to dabble in devops and by night I do linuxy things
• These statements are my own, not those of anyone else including my employer and the commissioner of baseball
• Twitter: adenner
• Slides will be posted to http://denner.co
14. chroot
• 1979: chroot appears in Version 7 Unix
• “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree.” –Wikipedia
• It isn’t perfect
15. Demo
• J=$HOME/jail
• mkdir -p $J
• mkdir -p $J/{bin,lib64,lib}
• mkdir $J/lib/x86_64-linux-gnu/
• cd $J
• cp -v /bin/{bash,ls} $J/bin
• ldd /bin/bash
• list="$(ldd /bin/bash | egrep -o '/lib[^ ]*')"; for i in $list; do cp -v "$i" "${J}${i}"; done
• list="$(ldd /bin/ls | egrep -o '/lib[^ ]*')"; for i in $list; do cp -v "$i" "${J}${i}"; done
• chroot $J /bin/bash
• ls /
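The demo above as a small POSIX sh script, added here as an example and not part of the original slides: the ldd output is parsed so that the loader line and vdso are handled, each library's directory inside the jail is created from its path instead of being hard-coded, and only the final chroot step needs root. It assumes a glibc or musl system with ldd and uses the slides' J=$HOME/jail, /bin/bash and /bin/ls.

```shell
#!/bin/sh
# Added example (not from the slides): build a minimal chroot jail like the
# demo, deriving the library list from ldd and recreating each library's
# parent directory inside the jail. Root is only needed for the chroot itself.

# Print the absolute library paths an ldd listing refers to, one per line,
# reading ldd output on stdin. Handles "name => /path (0x...)" lines and the
# bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)"; skips vdso lines
# and the "not a dynamic executable" message for static binaries.
parse_ldd_output() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }  # name => /path (0x...)
        $1 ~ /^\// { print $1 }                        # bare loader line
    ' | LC_ALL=C sort -u                               # dedupe (musl lists ld twice)
}

# Copy one file into the jail at the same path, creating its parent directory.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"
}

# Build the jail: copy each requested binary plus every library ldd reports.
build_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin"
        ldd "$bin" 2>/dev/null | parse_ldd_output | while read -r lib; do
            copy_into_jail "$jail" "$lib"
        done
    done
}

# Example run mirroring the slides: J=$HOME/jail with bash and ls inside it.
# Run as root with --build and then uncomment the chroot line; "ls /" inside
# the jail shows only the bin/ and lib*/ trees that were copied in.
if [ "${1:-}" = "--build" ]; then
    J=${J:-$HOME/jail}
    mkdir -p "$J"
    build_jail "$J" /bin/bash /bin/ls
    # chroot "$J" /bin/bash
fi
```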
17. BSD Jails
First in FreeBSD in 1999, by Poul-Henning Kamp, after use in a small hosting company
Achieved three goals:
Virtualization
Security
Ease of Delegation
Each jail is custom rolled/built
Single point of failure
18. Solaris Zones
First released 2004 in build 51 beta of Solaris 10
Can control what resources each zone gets, or just give each a fair share
Still present in illumos (OpenSolaris) and Solaris
19. OpenVZ
• Open Virtuozzo
• Soft memory allocation: memory can be shared if not being used
• Old versions used chroot-based disk isolation. The current version lets each container have its own file system
• Requires a custom kernel providing:
• Virtualization
• Isolation
• Resource management
• Checkpointing
20. LXC
• Uses Linux cgroups and other namespace isolations
• Much like jails
• Works with the vanilla kernel, unlike OpenVZ
• Originally used by Docker
22. Docker
• Open-sourced in 2013
• Building on the previous ideas
• Image ecosystem
• More ephemeral and portable across machines
• Versioning
• OverlayFS
• Downsides: still a single point of failure
• dockerd runs as root: security concerns
29. Rootless Docker
• Thanks to Akihiro Suda of NTT Corp for all his work
• See https://www.slideshare.net/AkihiroSuda/dockercon-2019-hardening-docker-daemon-with-rootless-mode for a deep dive
• Works using subordinate user and group IDs (subuid/subgid)
• OverlayFS doesn’t work yet
• Can’t use protected (privileged) ports
• https://www.katacoda.com/courses/docker/rootless
30. CNCF
• In the beginning there was Docker…
• Then came others, and the CNCF is the vendor-neutral home for the plumbing that runs containers
• It is a part of the Linux Foundation
• Think of it like Apache, but for containerization
• Home to
• Kubernetes
• Prometheus
• Envoy
• containerd
• et al.
32. Pouch
• https://pouchcontainer.io
• From Alibaba Group
• Had never heard of them before
• Distributes images via Dragonfly P2P
• Rich container mode: more hooks and magic available
33. Kata Containers
• Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
• https://katacontainers.io
37. Docker Compose
• YAML tool for defining and running multiple Docker applications at the same time
• Useful for:
• Dev environments
• Automated test environments
• Single-host deployments
39. Docker Swarm
Joins a pool of Docker hosts into one virtual host
YAML-based definitions
Networking via an overlay network
Easier to set up than a K8s cluster
41. Kubernetes
• Originally designed by Google engineers, drawing on Borg
• Orchestrate containers across multiple hosts.
• Make better use of hardware to maximize resources needed to run your enterprise apps.
• Control and automate application deployments and updates.
• Mount and add storage to run stateful apps.
• Scale containerized applications and their resources on the fly.
• Declaratively manage services, which guarantees the deployed applications are always running how you deployed them.
• Health-check and self-heal your apps with autoplacement, autorestart, autoreplication, and autoscaling.
43. K3s
• Kubernetes abbreviated is K8s… 5 less than that is K3s
• K8s but only the good parts, all in less than 40 MB
• Still rather experimental
• Legacy, alpha and non-default code removed
• Removed most in-tree plugins
• Uses SQLite 3 rather than etcd by default
• Simple launcher
45. Podman
• New in CentOS 8
• See presentation last month
• Biggest thing to note is no need for the Docker daemon
• Can handle rootless the same as Docker, with the same shortcomings
• https://asciinema.org/a/oDxbleQ4q0ww6WpS46JUy1dt0
47. Buildah
• Container management and build program
• Can build and use CNF portable images without a local Docker
• Better control of image layers
• Ability to build images via bash
• As well as building Dockerfile images
• Demo: https://asciinema.org/a/peZtZjTkeZHtUmAN5AdnWPp2i
• https://asciinema.org/a/V4NZWIdV83CcOPDW4favh4vi3
Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is almost indistinguishable from a real system.
Security: Each jail is sealed from the others, thus providing an additional level of security.
Ease of delegation: The limited scope of a jail allows system administrators to delegate several tasks which require superuser access without handing out complete control over the system.
Kubernetes: orchestration
Prometheus: monitoring
Envoy: network proxy
CoreDNS: service discovery
containerd
Fluentd: logging
Jaeger: distributed tracing
Vitess: storage
containerd: daemon that manages the complete container lifecycle, from image transfer and storage to execution and supervision and beyond.
It is a drop-in additional OCI-compatible container runtime, which can therefore be used with Docker and Kubernetes.