containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.
containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users.
Whose Job Is It Anyway? Kubernetes, CRI, & Container Runtimes - Phil Estes
A talk given at Cloud Native London meetup, February 6, 2018 on the role of container runtimes in Kubernetes, the introduction of the Container Runtime Interface (CRI), and the history of containerd and its use as a CRI-implementing container runtime for Kubernetes.
Docker London Meetup: Docker Engine Evolution - Phil Estes
A meetup talk on the evolution of the Docker engine from 2014-2019, including the refactoring and spin out of OCI runc and CNCF containerd codebases. This talk was given at the Docker London meetup group on Thursday, 31st January, 2019.
An Open Source Story: Open Containers & Open Communities - Phil Estes
A talk given at All Things Open's Open Source 101 event at NC State University, Raleigh, North Carolina on Saturday, 17th February, 2018.
This talk covered some interesting history lessons of the Docker open source project and inter-vendor tensions. If you were not at this talk do not read intent into these slides as this was truly an attempt at a "blame-free" post-mortem of the important topics of open source, governance, and foundations as it related to the extremely popular Docker open source project.
Presentation given on Sunday, February 4th, 2018 in the containers devroom at FOSDEM 2018. This presentation covers the containerd project background, history, architecture, and current status as a CNCF project used by Docker, Kubernetes, and other projects requiring a stable, performant core container runtime.
Docker Engine Evolution: From Monolith to Discrete Components - Phil Estes
A talk given on Tuesday and Wednesday the 27th and 28th of February 2018 at the Docker Mountain View and Docker SF meetup groups. In this talk, Docker Captain Phil Estes provides a history of the Docker engine from its early days as a single statically linked binary providing all the Docker engine functions to today's Moby and Docker CE projects comprising multiple projects and layers, including the Open Container Initiative (OCI) specifications and runC implementation, and the Cloud Native Computing Foundation (CNCF) containerd project. This talk also describes how these lower layer components spun out from Docker are being used to enhance other projects and offerings in the container ecosystem.
The Notary project has officially been accepted into the Cloud Native Computing Foundation (CNCF). It has moved to https://github.com/theupdateframework/notary. Any downstream consumers should update their Go imports to use this new location, which will be the canonical location going forward.
We have moved the repo in GitHub, which will allow existing importers to continue using the old location via GitHub's redirect.
What's Running My Containers? A review of runtimes and standards. - Phil Estes
A talk given at Open Source Leadership Summit (OSLS) on Thursday, March 14th in Half Moon Bay, CA. In this talk the current status of the Open Container Initiative (OCI) standards as well as the Kubernetes Container Runtime Interface (CRI) were presented, with a view towards how these components have provided a level playing field with significant choice when it comes to container runtimes for use in Kubernetes, as well as interoperability per the OCI standards.
Let's Try Every CRI Runtime Available for Kubernetes - Phil Estes
A talk given at KubeCon/CloudNativeCon EU in Barcelona, Spain on May 23, 2019. In this talk Phil presented the explosion of OCI-compliant CRI-enabled runtimes that can be used underneath Kubernetes, and demonstrated several of them live.
LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
Secure defaults without compromising usability
Everything is replaceable and customisable
Immutable infrastructure applied to building Linux distributions
Completely stateless, but persistent storage can be attached
Easy tooling, with easy iteration
Built with containers, for running containers
Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
Designed to be managed by external tooling, such as Infrakit or similar tools
Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
Docker Athens: Docker Engine Evolution & Containerd Use Cases - Phil Estes
These slides are from a talk presented at the Docker Athens meetup on Thursday, May 31, 2018. They start by covering the evolution of the Docker engine of 2014/2015 into the separate components of OCI runc, (now) CNCF containerd, and the Docker client and daemon projects. Finally, various use cases for the CNCF containerd "core container runtime" project are detailed, from the Docker engine itself to serverless frameworks like OpenWhisk, to the container runtime interface (CRI) within Kubernetes.
CRI Runtimes Deep-Dive: Who's Running My Pod!? - Phil Estes
A talk given at QCon NYC on Wednesday, June 27, 2018 in the Container track, focused on helping developers understand the inner workings of pluggable container runtimes in the Kubernetes world. The second half of this talk is not available in slide form, but should be available via QCon video. The non-slide talk content included hands-on-keyboard demonstrations of various tools which can be used to investigate and introspect kubelet and pod -> container runtime boundaries and details, all shown in IBM Cloud using the containerd runtime underneath a Kubernetes 1.11 cluster.
A talk given on December 6, 2017 at KubeCon/CloudNativeCon in Austin, Texas. In this talk, Phil talked briefly about containerd history and design, but the bulk of the talk was a live coding demo of creating a simple client for containerd to learn about the clean and simple API design for the client library and gRPC services. The GitHub project https://github.com/estesp/examplectr has the code and sample LinuxKit assembly used for the code and example client demo.
Kubernetes CRI containerd integration by Lantao Liu (Google) - Docker, Inc.
The talk will firstly give a brief review of the runtime portability of Kubernetes, then talk about why containerd is attractive to Kubernetes, and then give a brief introduction and status update of Kubernetes Containerd Integration and a demo.
It's 2018. Are My Containers Secure Yet!? - Phil Estes
A talk given at DevOps Pro Vilnius on March 15, 2018 about container security. In this talk we discussed the core topics around the container ecosystem (host, runtime, image) applicable to both Docker and Kubernetes, as well as discussing usable security/secure by default, and defense in depth principles. Also discussed were security futures like Project Grafeas, libentitlement, LinuxKit concepts, and trusted/untrusted container runtimes in Kubernetes.
CraftConf 2019: CRI Runtimes Deep Dive: Who Is Running My Pod? - Phil Estes
A talk given at Craft Conf in Budapest, Hungary on May 10th, 2019. In this talk, Phil walked through the history of the need for a Container Runtime Interface (CRI) in Kubernetes, followed by an overview of all available CRI implementations, focusing on containerd, the CNCF core container runtime used in many clouds and projects. Phil demonstrated the "layers" of interaction from Kubernetes API, to CRI API to a container runtime's native API using an IBM Cloud Kubernetes cluster using containerd 1.2.6.
Enabling Security via Container Runtimes - Phil Estes
A talk given at the Google-hosted Container Security Summit on Wednesday, February 12th, 2020 in Seattle, Washington. This talk covered the impact of work done at the lower-level runtimes layer and up through layers like cri-o, containerd, and Docker to bring specific security features to overall platforms like Kubernetes.
State of Builder and Buildkit by Tonis Tiigi (Docker) - Docker, Inc.
"Overview of the new advancements added to Docker's builder feature in the newest releases and how to use these features to make your build jobs more powerful and efficient. Going to cover multi-stage builds, new dependency model, new performance features, added Dockerfile features etc.
Dive into the new buildkit architecture developed as part of the Moby project and the base for the future of `docker build`. Learn about how to start playing around with buildkit today and what kind of capabilities the new architecture exposes."
Extended and embedding: containerd update & project use cases - Phil Estes
A talk given at FOSDEM 2020 in the containers devroom on the current status of the CNCF containerd project as well as a dive into the ways users are extending and embedding containerd in other platforms and projects.
Securing Containerized Applications: A Primer - Phil Estes
A talk given at Open Source Summit Europe in Lyon, France on Tuesday, October 29th, 2019. In this talk we try and focus on the key areas that an application developer can influence with regards to image and runtime security, focused on using Kubernetes as the orchestrator for a containerized application.
Cloud Native TLV Meetup: Securing Containerized Applications Primer - Phil Estes
A talk given on Tuesday, January 28th, 2020 at the Tel Aviv, Israel Cloud Native meetup covering the core concepts of how to secure containerized applications in a Kubernetes context.
Securing Containerized Applications: A Primer - Phil Estes
A talk given at Devoxx Morocco on Wednesday, November 13, 2019. In this talk a very insecure sample (demo) application is used to explain the various security principles application developers can apply when using containers and Kubernetes--from image sourcing, content, scanning to resource controls, attack surface mitigation, and reducing privilege for containers.
Container runtime and tooling has matured since Docker brought it to the mainstream a decade ago. There are multiple options for building and running containers available to the developers and system administrators. Oleg Chunikhin, CTO at Kublr, will provide a review and analysis of the popular options.
containerd the universal container runtime - Docker, Inc.
containerd is an industry-standard core container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc.
containerd is designed to be embedded into a larger system, rather than being used directly by developers or end-users.
containerd includes a daemon exposing a gRPC API over a local UNIX socket. The API is a low-level one designed for higher layers to wrap and extend. It also includes a barebone CLI (ctr) designed specifically for development and debugging purposes. It uses runC to run containers according to the OCI specification. The code can be found on GitHub, and here are the contribution guidelines.
containerd is based on the Docker Engine’s core container runtime to benefit from its maturity and existing contributors.
Kubernetes is designed to be an extensible system. But what is the vision for Kubernetes Extensibility? Do you know the difference between webhooks and cloud providers, or between CRI, CSI, and CNI? In this talk we will explore what extension points exist, how they have evolved, and how to use them to make the system do new and interesting things. We’ll give our vision for how they will probably evolve in the future, and talk about the sorts of things we expect the broader Kubernetes ecosystem to build with them.
Dev opsec dockerimage_patch_n_lifecyclemanagement_kanedafromparis
In this presentation, we will first recall what distinguishes Docker from a VM (PID, cgroups, etc.), discuss the layer system and the difference between images and instances, and then briefly introduce Kubernetes.
Next, we will present a "standard" CI/CD process for promoting a version (development, pre-production, production) through Docker tags.
Finally, we will discuss the different components that make up a Docker application (base image, tooling, libraries, code).
With this introduction complete, we will discuss the life cycle of an application through its development and BAU phases, to highlight that security flaws found during development are quickly fixed by new releases, but not necessarily in BAU, where releases are rarer. We will discuss the various solutions (jfrog Xray, clair, …) for automatic CVE tracking and for automating updates. Finally, we will give a brief experience report on the difficulties encountered and the organizational proposals put in place.
Although illustrated with technical implementations, this presentation is primarily organizational.
Container Runtimes: Comparing and Contrasting Today's Engines - Phil Estes
A webinar presented for the {code} Community on August 30, 2017. In this talk, we looked at the sphere of modern container runtimes that start with Docker's emergence in 2013/2014 to today's additions of rkt, OCI's runc, containerd, cri-o, and Cloud Foundry's garden-runc project, many of them consolidating around the OCI standard for container runtime and image specifications.
GL DevOps Experts are committed to sharing with our community as much knowledge about Docker and Kubernetes as possible.
Thinking about Kubernetes?
Join Vadym Fabiianskiy and Andrii Mandubyra, GlobalLogic Lviv DevOps Experts and learn:
Container Runtime specifics
What are the building blocks of K8S?
How does Kubernetes work?
Deployment and release strategies
Speakers: Vic Iglesias, Benjamin Good, Karl Isenberg
Venue: Google Cloud Next '19
Video: https://www.youtube.com/watch?v=rt287-94Pq4
Continuous Integration and Delivery allows companies to quickly iterate on and deploy their ideas to customers. In doing so, they should strive to have environments that closely match production. Using Kubernetes as the target platform across cloud providers and on-premises environments can help to mitigate some difficulties when ensuring environment parity but many other concerns can arise.
In this talk we will dive into the tools and methodologies available to ensure your code and deployment artifacts can smoothly transition among the various people, environments, and platforms that make up your CI/CD process.
Installing and Using Kubernetes is hard, but Operating Kubernetes is even harder! This BOF is for Kubernetes Operators to get together and discuss our day to day Operations, and for people new to Kubernetes to learn more about how to operate it.
It’s almost been a year since the Open Container Initiative (OCI) and its reference OCI-compliant runtime for containers, runC, were announced last June. runC is now the container execution engine used both by Docker and Cloud Foundry’s Garden-Linux project. As the OCI community expands, and runC is used as an OCI spec compliant runtime in more container systems, innovation around container features and evolution of its capabilities are increasing all the time. It turns out that runC is a great lightweight container executor that makes for an easy playground for trying out new OS-level features around containers. In the past year, many features from higher-level environments like the Docker ecosystem—including seccomp, user namespaces, PID cgroups, and checkpoint/restore—all appeared in runC or its container library, libcontainer, first. Phil Estes explains how easy it is to utilize runC for testing new container capabilities or trying out different configurations in a much more lightweight model than running a complete container orchestration engine or even a Docker daemon and why runC and the OCI community are great places to innovate and develop new OS-level features for container execution environments. Phil demonstrates some of these capabilities live and compares using runC with an OCI configuration (based on the OCI spec) and running containers with higher-level tools.
Moby is an open source project providing a "LEGO set" of dozens of components, the framework to assemble them into specialized container-based systems, and a place for all container enthusiasts to experiment and exchange ideas.
One of these assemblies is Docker CE, an open source product that lets you build, ship, and run containers.
This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios.
We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary.
Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.
Video at https://www.youtube.com/watch?v=kDp22YkD6WY
A Comprehensive Introduction to Kubernetes. This slide deck serves as the lecture portion of a full-day Workshop covering the architecture, concepts and components of Kubernetes. For the interactive portion, please see the tutorials here:
https://github.com/mrbobbytables/k8s-intro-tutorials
OpenFaaS (Functions as a Service) is a framework for building serverless functions with Docker which has first class support for metrics. Any process can be packaged as a function enabling you to consume a range of web events without repetitive boiler-plate coding.
Declare your infrastructure: InfraKit, LinuxKit and Moby - Moby Project
InfraKit is a toolkit for infrastructure orchestration. With an emphasis on immutable infrastructure, it breaks down infrastructure automation and management processes into small, pluggable components. These components work together to actively ensure the infrastructure state matches the user's specifications. InfraKit therefore provides infrastructure support for higher-level container orchestration systems and can make your infrastructure self-managing and self-healing.
LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
Secure defaults without compromising usability
Everything is replaceable and customisable
Immutable infrastructure applied to building Linux distributions
Completely stateless, but persistent storage can be attached
Easy tooling, with easy iteration
Built with containers, for running containers
Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
Designed to be managed by external tooling, such as Infrakit or similar tools
Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
Using LinuxKit to build custom RancherOS systems - Moby Project
LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
Secure defaults without compromising usability
Everything is replaceable and customisable
Immutable infrastructure applied to building Linux distributions
Completely stateless, but persistent storage can be attached
Easy tooling, with easy iteration
Built with containers, for running containers
Designed for building and running clustered applications, including but not limited to container orchestration such as Docker or Kubernetes
Designed from the experience of building Docker Editions, but redesigned as a general-purpose toolkit
Designed to be managed by external tooling, such as Infrakit or similar tools
Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security
6. Container Runtime Interface
What is Container Runtime Interface (CRI)?
- A gRPC interface and a group of libraries
- Enables Kubernetes to use a wide variety of container runtimes
- Introduced in Kubernetes 1.5
[Diagram: Kubelet (CRI gRPC client), CRI shim (CRI gRPC server), container runtime, containers]
10. CRI & Containerd
Containerd scope is just right for Kubernetes.
Feature | Containerd Scope (In/Out) | CRI Requirement
Container Lifecycle Management | In | Container Create/Start/Stop/Delete/List/Inspect (✔)
Image Management | In | Pull/List/Inspect (✔)
Networking | Out. | Network namespace. Just enough. (✔)
11. CRI & Containerd
Feature | Containerd Scope (In/Out) | CRI Requirement
Volumes | Out. | Host path mount. Just enough. (✔)
Persistent Container Logging | Out. | STDIO as FIFOs. Decorate to CRI log format. (✔)
Metrics | In. | Container memory/cpu usage; image filesystem disk/inode usage. (✔)
12. CRI & Containerd
Other alignments with Kubernetes:
- Decentralized container management - containerd-shim.
- Live restore.
- Overhead charge back to pod.
- Decoupled image and container management.
- Support other image formats (e.g. tarball).
- Support OCI image/runtime spec.
- CNCF project.
- ...
14. CRI-Containerd
cri-containerd: A CRI implementation for containerd.
- https://github.com/kubernetes-incubator/cri-containerd
- Kubernetes incubator project.
- Started in April 2017.
[Diagram: dockershim path: Kubelet, CRI, dockershim, docker, containerd, containers; cri-containerd path: Kubelet, CRI, cri-containerd, containerd, containers]
15. CRI-Containerd Architecture
[Architecture diagram: Kubelet (CRI client); cri-containerd (image service, runtime service, ocicni); containerd; containerd-shim; sandbox container and container A inside Pod A namespaces and cgroups; Pod B]
16. CRI-Containerd Status
CRI-Containerd 1.0.0-alpha.0
- Kubernetes 1.7+, Containerd v1.0.0-beta.1, CNI Spec v0.3.1.
- Feature Complete.
- 57/57 CRI validation tests passing.
- 188/188 regular node e2e tests passing.
- Use kubeadm to bring up Kubernetes cri-containerd cluster. (ansible, custom)
- Kubernetes the hard way.
- Contributors from Google, IBM, Docker, ZTE, ZJU etc.
17. CRI-Containerd Roadmap
Q4: Additional testing, bug fixes and usability.
- FULL SET of e2e test in Kubernetes test infrastructure.
- Upstream Kubernetes kube-up.sh integration.
- Debug CLI crictl.
- 1.0.0-beta.0 by the end of 2017.
21. Recap
CRI is the standard way to integrate Container Runtime with Kubernetes.
Containerd matches CRI and Kubernetes’ requirement very well.
CRI-Containerd is 1.0.0-alpha.0.
22. Links
- Github: https://github.com/kubernetes-incubator/cri-containerd
- Slack: https://kubernetes.slack.com/messages/sig-node
- Mailing List: https://groups.google.com/forum/#!forum/kubernetes-sig-node
- Maintainers:
- Lantao Liu <lantaol@google.com> Random-Liu@github
- Abhi Prativadi <abhi@docker.com> abhi@github
- Mike Brown <brownwm@us.ibm.com> mikebrow@github
Hi, everyone! I’m Lantao from Google Kubernetes team. Today, I’m going to talk about our work to integrate containerd with Kubernetes. We call this project CRI-Containerd.
I’ll first give a status update of cri-containerd. And then Abhi is going to give a demo.
This is Abhi, he works at Docker, and he’s also a maintainer of cri-containerd.
I believe you have seen this picture several times during DockerCon.
Actually in this picture, there are 2 new things coming. The first one, of course, is that Docker is going to natively support Kubernetes. But actually there is a second one, that Kubernetes will be able to run on top of containerd directly, instead of the docker engine.
And it’s cri-containerd making this happen.
In this talk, we’ll first give a quick review of the Kubernetes Container Runtime Interface, which we call CRI for short. It enables Kubernetes to support different container runtimes, including containerd. And then we’ll analyze the scope of containerd, and you’ll see that it matches CRI’s requirements pretty well.
After that, we’ll give a status update of CRI-Containerd, and Abhi will give the demo.
CRI is a gRPC interface with a group of libraries. It defines all the functionality Kubernetes requires from the container runtime. In theory, any container runtime that implements this interface could be used by Kubernetes.
CRI was introduced in Kubernetes 1.5. Today when you bring up a cluster, it’s talking with Docker engine through CRI.
There are several ongoing CRI container runtime efforts now.
cri-containerd is the one we are talking about today; it’s a CRI implementation based on containerd.
Other than that, there is cri-o, a CRI implementation built directly from runC; Docker engine, the default one in upstream today; frakti, based on hyper, a VM-based container runtime solution; rktlet, based on rkt; virtlet, another VM-based solution.
We also have a CRI project called CRI tools. It contains a series of debugging and validation tools for CRI, including the CRI Validation Test, which is a test suite that validates whether a CRI runtime meets the requirements, and the CRI Command Line Tool, which is a portable command line tool that talks with CRI directly. It’s mainly for troubleshooting.
And that’s the status of CRI today.
In short, the scope of containerd is just right for Kubernetes.
As shown in the table, all required functionality is provided, and no unnecessary functionality is included.
For example, take container logging. CRI has specific requirements on container log format and path. Today, Docker engine manages container logs in a way incompatible with Kubernetes. By contrast, containerd doesn’t persist container output; container output is provided as FIFOs, which can be easily redirected and decorated as required by CRI.
Another example is metrics. Kubernetes expects the container runtime to provide container metrics (CPU, memory usage) and image filesystem metrics (disk usage). Previously, we got these metrics from cAdvisor for Docker. However, because different container runtimes have different cgroup hierarchies and disk layouts, it’s hard to support them all. And for VM-based container runtimes and Windows containers, it’s even harder. So we want the container runtime itself to provide this information. Containerd provides all CRI-required metrics as part of the API.
Other than the ones mentioned above, there are many more alignments with Kubernetes, such as decentralized container management, decoupled image management and container management, OCI support, being a CNCF project, and so on.
Overall, technically, containerd is a very good alternative container runtime for Kubernetes.
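The log decoration described above, where container output arrives as a stream and is rewritten into the CRI log format, shown as an added example that is not cri-containerd's own code. It assumes the Kubernetes CRI log line layout of timestamp, stream, tag (P for partial, F for full) and content; `decorate`, `demo`, `maxLine` and the sample output are constructed for illustration, and an in-memory reader stands in for the FIFO.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
	"time"
)

// maxLine is a constructed, deliberately small limit so the partial-line
// case is visible; real runtimes use a much larger buffer.
const maxLine = 32

// decorate copies one container output stream to w in the CRI log format:
//   <RFC3339Nano timestamp> <stream> <tag> <content>\n
// Tag F marks a full line (or the last piece of one), P a partial piece
// of a line that was longer than maxLine.
func decorate(r io.Reader, stream string, w io.Writer, now func() time.Time) error {
	br := bufio.NewReaderSize(r, maxLine)
	for {
		chunk, isPrefix, err := br.ReadLine()
		if err == io.EOF {
			return nil // writer side of the stream closed
		}
		if err != nil {
			return err
		}
		tag := "F"
		if isPrefix {
			tag = "P"
		}
		ts := now().UTC().Format(time.RFC3339Nano)
		if _, err := fmt.Fprintf(w, "%s %s %s %s\n", ts, stream, tag, chunk); err != nil {
			return err
		}
	}
}

// demo runs decorate over constructed output with a fixed clock. A
// strings.Reader stands in for the stdout FIFO so the example runs offline.
func demo() []string {
	in := "listening on :8080\n" + strings.Repeat("A", 70) + "\nno trailing newline"
	fixed := func() time.Time { return time.Date(2017, 10, 17, 9, 0, 0, 0, time.UTC) }
	var out bytes.Buffer
	if err := decorate(strings.NewReader(in), "stdout", &out, fixed); err != nil {
		panic(err)
	}
	return strings.Split(strings.TrimSuffix(out.String(), "\n"), "\n")
}

func main() {
	for _, l := range demo() {
		fmt.Println(l)
	}
}
```

Because the timestamp, stream and tag are written by the decorator and not by the container, anything the workload prints that imitates a log prefix still lands in the content field of a line.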
CRI-Containerd is the containerd-based CRI implementation. It uses containerd to implement CRI. It’s a Kubernetes incubator project now, started in April.
Compared with today’s docker integration, we could see that `cri-containerd` eliminates one extra hop in the stack.
This is the architecture of CRI-Containerd.
Say now Kubernetes wants to create a new pod: Kubelet talks with CRI-Containerd through CRI to create a new sandbox and the application containers inside;
CRI-Containerd handles the request, and talks to containerd with the containerd client, to create the sandbox container and application container, and make sure they are in the right namespaces and cgroups;
CRI-Containerd then calls CNI to configure the network namespace of the sandbox.
After all those are done, we have a running pod.
Please note that this is just a simplified process, just for demonstration, there are a lot of details not mentioned here.
CRI-Containerd is 1.0.0-alpha.0 now.
It supports Kubernetes 1.7 and above, and is using containerd v1.0.0-beta.1.
It is feature complete. It means that you could try all existing Kubernetes features with it.
It has passed all CRI validation tests. As mentioned above, the test suite is used to validate whether a CRI implementation meets all the requirements.
It has also passed all regular node e2e tests, which is the test suite we use in upstream to validate the node-level functionality.
We provide an ansible playbook to help you automatically bring up a Kubernetes cluster using cri-containerd as the container runtime. And we also have a document to help you customize your installation.
Other than that, you could also check out Kelsey’s Kubernetes the hard way. It is using cri-containerd as the container runtime now.
We have contributors from XXX. Thanks for the contribution!
In Q4, we are going to focus on testing, bug fixes and usability improvements.
We’ll set up the FULL SET of upstream e2e tests in the Kubernetes test infrastructure.
We’ll also integrate cri-containerd with `kube-up.sh` and also kops in the future, so that users could bring up a production quality cluster using cri-containerd as the container runtime.
We’ll also improve the debug CLI crictl, which should be the standard tool to troubleshoot CRI container runtimes.
We are going to release 1.0.0-beta.0 version by the end of this year. It will be production ready as long as containerd itself is ready for production.
Show test grid.
I am one of the authors/owners of CRI; we really want to make the Kubernetes runtime portable, not only Kubelet itself. It also includes the whole pipeline, including the test infrastructure, cluster bootstrapping etc.
Containerd is a very good opportunity for us to make the whole pipeline portable, e.g. for the node e2e test in the test grid I showed, I needed to make several upstream changes to make it work. It will need more upstream changes for the cluster e2e test and cluster bootstrapping.
As mentioned by Steve, the design is targeting the next 10 years; we want to do things right, thus we are not in a hurry.