Dojo given at ESEI, Uvigo.
The slides include a set of great slides from a presentation made by Elvin Sindrilaru at CERN.
Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
Linux Container Brief for IEEE WG P2302 (Boden Russell)
A brief intro to Linux Containers presented to the IEEE working group P2302 (InterCloud standards and portability). This deck covers:
- Definitions and motivations for containers
- Container technology stack
- Containers vs Hypervisor VMs
- Cgroups
- Namespaces
- Pivot root vs chroot
- Linux Container image basics
- Linux Container security topics
- Overview of Linux Container tooling functionality
- Thoughts on container portability and runtime configuration
- Container tooling in the industry
- Container gaps
- Sample use cases for traditional VMs
Overall, the bulk of this deck is covered in other material I have posted here. However, there are a few new slides in this deck, most notably some thoughts on container portability and runtime config.
Presentation on the Linux namespaces and system calls used to provide container isolation with Docker. Presented in March 2015 at http://www.meetup.com/Docker-Phoenix/ in Tempe, Arizona.
Introduction to automated environment management with Docker Containers - for... (Lucas Jellema)
(presented at the AMIS Platform SIG session on October 1st 2015, Nieuwegein, The Netherlands)
Creating and managing environments for development and R&D activities can be cumbersome. Quickly spinning up databases and web servers, using physical resources in a smart way, installing application components and having everything talk to each other can take a lot of time. This presentation introduces Docker - the key aspects of build, ship and run. It discusses the main concepts and typical actions.
Next, it takes you by the hand and introduces you to Vagrant and VirtualBox for quickly provisioning VMs in which Docker containers run platform components, applications and microservices - all environments fine-tuned using Puppet and interacting with Git(Hub). We start from zero on your laptop and end with local environments in which to develop, test and run various types of applications.
The presentation spends some time on Oracle's position regarding Docker and containers.
Presented Docker in 15 minutes with two of my classmates at school.
Presentation covering topics:
Virtualization
Virtual Machines
Container Technology (Docker)
Docker Compose
Docker Swarm
The demo can be found at:
https://github.com/DanishKhakwani/SimpleDockerDemo
Rooting Out Root: User namespaces in Docker (Phil Estes)
This talk on the progress to bring user namespace support into Docker was presented by Phil Estes at LinuxCon/ContainerCon 2015 on Wednesday, Aug. 19th, 2015
Christian Kniep from Docker Inc. gave this talk at the Stanford HPC Conference.
"This talk will recap the history of and what constitutes Linux Containers, before laying out how the technology is employed by various engines and what problems these engines have to solve. Afterward, Christian will elaborate on why the advent of standards for images and runtimes moved the discussion from building and distributing containers to orchestrating containerized applications at scale. In conclusion, attendees will get an update on what problems still hinder the adoption of containers for distributed high performance workloads and how Docker is addressing these issues."
Christian Kniep is a Technical Account Manager at Docker, Inc. With a 10-year journey rooted in the HPC parts of the German automotive industry, Christian Kniep started to support CAE applications and VR installations. When told at a conference that HPC cannot learn anything from the emerging Cloud and BigData companies, he became curious and went on to lead the containerization effort of the cloud stack at PlayStation Now. Christian joined Docker Inc in 2017 to help push the adoption forward and be part of the innovation instead of an external bystander. During the day he helps Docker customers in the EMEA region to fully utilize the power of containers; at night he likes to explore new emerging trends by containerizing them first and seeking applications in the nebulous world of DevOps.
Watch the video: https://wp.me/p3RLHQ-i4X
Learn more: http://docker.com
and
http://hpcadvisorycouncil.com
Sign up for our insideHPC Newsletter: http://insidehpc.com
This presentation session will go through the basics of Docker and illustrate its importance in modern DevOps. It will also go through a step-by-step demo of setting up a Docker image for the LAMP stack (Linux, Apache, MySQL, PHP) together with a working sample application.
Slides & codes: http://bit.ly/thomasdocker
runC: The little engine that could (run Docker containers) by Docker Captain ... (Docker, Inc.)
With the announcement of the OCI by Solomon Hykes at last summer's DockerCon, a Docker-contributed reference implementation of the OCI spec, called runC, was born. While some of you may have tried runC or have a history of poking at the OS layer integration library to Linux namespaces, cgroups and the like (known as libcontainer), many of you may not know what runC offers. In this talk Phil Estes, Docker engine maintainer who has also contributed to libcontainer and runC, will show what's possible using runC as a lightweight and fast runtime environment to experiment with lower-level features of the container runtime. Phil will introduce a conversion tool called "riddler", which can inspect and convert container configurations from Docker into the proper OCI configuration bundle for easy conversion between the two environments. He'll also demonstrate how to make custom configurations for trying out security features like user namespaces and seccomp profiles.
Linux Containers(LXC) allow running multiple isolated Linux instances (containers) on the same host.
Containers share the same kernel with anything else that is running on it, but can be constrained to only use a defined amount of resources such as CPU, memory or I/O.
A container is a way to isolate a group of processes from the others on a running Linux system.
Tokyo OpenStack Summit 2015: Unraveling Docker Security (Phil Estes)
A Docker security talk that Salman Baset and Phil Estes presented at the Tokyo OpenStack Summit on October 29th, 2015. In this talk we provided an overview of the security constraints available to Docker cloud operators and users and then walked through a "lessons learned" from experiences operating IBM's public Bluemix container cloud based on Docker container technology.
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu... Jérôme Petazzoni)
Linux containers are different from Solaris Zones or BSD Jails: they use discrete kernel features like cgroups, namespaces, SELinux, and more. We will describe those mechanisms in depth, as well as demo how to put them together to produce a container. We will also highlight how different container runtimes compare to each other.
This talk was delivered at DockerCon Europe 2015 in Barcelona.
Most people think "adopting containers" means deploying Docker images to production. In practice, adopting containers in the continuous integration process provides visible benefits even if the production environment is VMs.
In this webinar, we will explore this pattern by packaging all build tools inside Docker containers.
Container-based pipelines allow us to create and reuse building blocks to make pipeline creation and management MUCH easier. It's like building with Legos instead of clay.
This not only makes pipeline creation and maintenance much easier, it also solves a myriad of classic CI/CD problems such as:
Putting an end to version conflicts in build machines
Eliminating build machine management in general
Step portability and maintenance
In a very real sense, Docker-based pipelines reflect lessons learned from microservices in CI/CD pipelines. We will share tips and tricks for running these kinds of pipelines while using Codefresh as a CI/CD solution as it fully supports pipelines where each build step is running on its own Docker image.
How Secure Is Your Container? ContainerCon Berlin 2016 (Phil Estes)
A conference talk at ContainerCon Europe in Berlin, Germany, given on October 5th, 2016. This is a slightly modified version of my talk first used at Docker London in July 2016.
Open Source Cloud Sync and Share software provides synchronisation layer on top of a variety of backend storages such as local filesystems and object storage. In case of some software stacks, such as ownCloud, a SQL database is used to support the synchronisation requirements.
We tested how different technology stacks impact the ownCloud HTTP-based Synchronisation Protocol. Efficiency and scalability analysis was performed based on benchmarking results. The results have been produced using the ClawIO framework prototype.
ClawIO is a Cloud Synchronisation Benchmarking Framework. The software provides a base architecture to stress different storage solutions against different cloud synchronisation protocols. This architecture is based on the IETF Storage Sync draft specification and CERN EOS. The synchronisation logic is divided into control and data servers. This separation is achieved by using highly decoupled microservices connected to each other with high-performance communication protocols such as gRPC and HTTP/2.
Docker is an operating system virtualization tool making waves across cloud technology operations. Ahsan Ullah (Director of Server Engineering) put together a presentation and held a talk / Q & A session to introduce Docker to our engineering division.
History and basics of containers, LXC, Docker and Kubernetes. This presentation was given to engineering college students at VIT DevFest 2018. Beginner to intermediate level.
Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package. By doing so, thanks to the container, the developer can rest assured that the application will run on any other Linux machine regardless of any customized settings that machine might have that could differ from the machine used for writing and testing the code.
In a way, Docker is a bit like a virtual machine. But unlike a virtual machine, rather than creating a whole virtual operating system, Docker allows applications to use the same Linux kernel as the system that they're running on and only requires applications be shipped with things not already running on the host computer. This gives a significant performance boost and reduces the size of the application.
Learn about the advantages of Docker technology and how it enables Informix users and developers to quickly start using Informix. The Informix Docker image available on Docker Hub requires no initial setup or configuration.
1. Hugo González Labrador
Docker is an open platform for building, shipping and running distributed applications. It gives programmers, development teams and operations engineers the common toolbox they need to take advantage of the distributed and networked nature of modern applications.
Hugo González Labrador
Wednesday 7 October, room SO3, 17:00
3. “I once heard that hypervisors are the living proof of operating system's incompetence”
Glauber Costa's talk at LinuxCon Europe 2012
https://lwn.net/Articles/524952/
4. Hypervisor
[Diagram: Physical Resources (RAM, CPU, Network …) → Host OS kernel → Hypervisor → VMs. Each VM carries its own kernel plus its OS and apps.]
5. [Diagram: Physical Resources (RAM, CPU, Network …) → Host OS kernel → Containers. Each container holds only its OS and apps; all containers share the single host kernel.]
9. Docker containers and orchestration
Elvin Sindrilaru
IT Data and Storage Services Group
10. Outline
• Understanding Linux containers
• Linux namespaces
• Linux cgroups
• Docker containers
• Containers orchestration
• Security considerations
• Benefits
4/16/2015 Docker containers and orchestration 3
11. What is a container?
"Cmglee Container City 2" by Cmglee - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons
12. Linux containers
• Based on two technologies
• Linux namespaces
• Linux control groups (cgroups)
13. Linux namespace (1)
• The purpose of a namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
14. Linux namespace (2)
• At the time of this talk (2015) there are 6 namespaces implemented in the Linux kernel (the cgroup namespace was added later, in Linux 4.6, and the time namespace in 5.6):
• Mount namespaces – isolate the set of file-system mount points seen by a group of processes (Linux 2.6.19)
• UTS namespaces – isolate two system identifiers, nodename and domainname (UTS = UNIX Time-sharing System)
• IPC namespaces – isolate inter-process communication resources, e.g. POSIX message queues
15. Linux namespace (3)
• Network namespaces – isolate the system resources associated with networking. Each network namespace has its own network devices, IP addresses, port numbers etc.
• PID namespaces – isolate the process ID number space. Processes in different PID namespaces can have the same PID number.
• User namespaces – isolate the user and group ID number spaces. A process's UID and GID can be different inside and outside a user namespace, i.e. a process can have full root privileges inside a user namespace but be unprivileged for operations outside the namespace (Linux 3.8).
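The user-namespace point above (root inside, unprivileged outside) can be checked directly. The following Go program is an added example written for this page, not code from the talk or from Docker: it clones /bin/sh into new user, PID and UTS namespaces with the kind of mapping Docker's --userns-remap relies on (uid 0 inside maps to the caller's own uid outside) and reports what the shell sees about itself. It assumes a Linux host with /bin/sh and the id utility. Where unprivileged user namespaces are refused (a seccomp profile that filters clone flags, kernel.unprivileged_userns_clone=0 on Debian-derived kernels, or a kernel without CONFIG_USER_NS) it reports the refusal instead of crashing, which is the failure mode rootless container setups have to handle.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// NsResult records what a child observed from inside freshly created user,
// PID and UTS namespaces, or why the kernel/sandbox refused to create them.
type NsResult struct {
	Supported bool  // false if clone() with the namespace flags was refused
	Err       error // the refusal or parse error when Supported is false
	HostUID   int   // our real uid; uid 0 inside the namespace maps to it
	InsideUID int   // uid the child reported for itself
	InsidePID int   // pid the child reported for itself
}

// RunInUserNamespace spawns /bin/sh with CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWUTS
// and maps uid/gid 0 inside the new user namespace onto the caller outside.
// The shell then reports its own pid ($$) and uid (id -u) as seen from inside.
func RunInUserNamespace() NsResult {
	res := NsResult{HostUID: os.Getuid()}
	cmd := exec.Command("/bin/sh", "-c", "echo $$ $(id -u)")
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWUTS,
		// A single-entry map is all an unprivileged process may write to uid_map/gid_map.
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
		// The kernel accepts an unprivileged gid_map only after "deny" is written to
		// /proc/<pid>/setgroups; Go does that for us while this stays false.
		GidMappingsEnableSetgroups: false,
	}
	out, err := cmd.Output()
	if err != nil {
		// Typical refusals: EPERM from a seccomp profile or kernel.unprivileged_userns_clone=0,
		// EINVAL when CONFIG_USER_NS is compiled out.
		res.Err = fmt.Errorf("clone with namespace flags failed: %w", err)
		return res
	}
	var pid, uid int
	if _, err := fmt.Sscanf(strings.TrimSpace(string(out)), "%d %d", &pid, &uid); err != nil {
		res.Err = fmt.Errorf("unexpected child output %q: %w", out, err)
		return res
	}
	res.Supported, res.InsidePID, res.InsideUID = true, pid, uid
	return res
}

// IsRootInside is the property the slide describes: the child is PID 1 and
// uid 0 in its own namespaces, while outside it is just HostUID.
func (r NsResult) IsRootInside() bool {
	return r.Supported && r.InsidePID == 1 && r.InsideUID == 0
}

func main() {
	r := RunInUserNamespace()
	if !r.Supported {
		fmt.Println("namespaces unavailable here:", r.Err)
		return
	}
	fmt.Printf("host uid %d -> inside uid %d, inside pid %d, root inside: %v\n",
		r.HostUID, r.InsideUID, r.InsidePID, r.IsRootInside())
}
```

Run it with go run as an ordinary user. On a host that permits unprivileged user namespaces it prints something like "host uid 1000 -> inside uid 0, inside pid 1, root inside: true"; the same program run inside a default Docker container prints the refusal, because the default seccomp profile blocks clone with namespace flags for processes without CAP_SYS_ADMIN.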
16. Linux cgroups (1)
• Cgroups allow allocating resources to user-defined groups of processes running on the system
• Cgroup subsystems (resource controllers) = kernel modules aware of cgroups which allocate varying levels of system resources to cgroups
• Everything is exposed through a virtual filesystem:
• /cgroups, /sys/fs/cgroup … - mountpoint may vary
• Currently up to 10 subsystems:
• blkio – set limits on input/output access to/from block devices such as physical drives
• cpuset – assign individual CPUs and memory nodes to tasks in a cgroup
• memory – set limits on memory used by tasks in a cgroup
• etc …
17. Linux cgroups (2)
• libcgroup package provides command line utilities for manipulating cgroups:
• lssubsys – list available subsystems
• lscgroup – list defined cgroups
• cgget – get parameters of a cgroup
• cgset – set parameters of a cgroup
• cgexec – start a process in a particular cgroup
• cgclassify – move a running task to one or more cgroups
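The tooling on slides 16 and 17 is cgroup v1, with one hierarchy per controller (blkio, cpuset, memory). Current kernels and Docker releases use the unified cgroup v2 hierarchy, where the same controllers appear as files in one directory per cgroup: memory.max, pids.max and cpu.max, each holding a number or the literal "max". The following Go program is an added example for this page, not code from the talk or from libcgroup: it parses those three files and reads the live limits the calling process is actually under, which is the check to run when verifying that a container's docker run limits were applied. It assumes a cgroup v2 mount at /sys/fs/cgroup and distinguishes "unknown" (v1-only host, or the root cgroup which has no memory.max) from "unlimited"; the sample file contents in main are constructed to match docker run -m 512m --pids-limit 100 --cpus 0.5.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Limits is the ceiling a process runs under in the unified (v2) cgroup
// hierarchy. Zero means "no limit", which the kernel spells as the literal "max".
type Limits struct {
	MemoryBytes uint64  // memory.max
	PidsMax     uint64  // pids.max, the fork-bomb guard
	CPUs        float64 // cpu.max quota/period, e.g. "50000 100000" -> 0.5 CPU
}

// parseMax reads a scalar cgroup file body: a decimal number or "max".
func parseMax(body string) (uint64, error) {
	s := strings.TrimSpace(body)
	if s == "max" {
		return 0, nil
	}
	return strconv.ParseUint(s, 10, 64)
}

// ParseCPUMax converts the "quota period" pair of cpu.max into a CPU count.
func ParseCPUMax(body string) (float64, error) {
	f := strings.Fields(body)
	if len(f) != 2 {
		return 0, fmt.Errorf("cpu.max: want \"quota period\", got %q", body)
	}
	if f[0] == "max" {
		return 0, nil
	}
	quota, err := strconv.ParseFloat(f[0], 64)
	if err != nil {
		return 0, fmt.Errorf("cpu.max quota: %w", err)
	}
	period, err := strconv.ParseFloat(f[1], 64)
	if err != nil || period <= 0 {
		return 0, fmt.Errorf("cpu.max: bad period %q", f[1])
	}
	return quota / period, nil
}

// ParseLimits builds Limits from the raw contents of memory.max, pids.max and cpu.max.
func ParseLimits(memoryMax, pidsMax, cpuMax string) (Limits, error) {
	var l Limits
	var err error
	if l.MemoryBytes, err = parseMax(memoryMax); err != nil {
		return l, fmt.Errorf("memory.max: %w", err)
	}
	if l.PidsMax, err = parseMax(pidsMax); err != nil {
		return l, fmt.Errorf("pids.max: %w", err)
	}
	l.CPUs, err = ParseCPUMax(cpuMax)
	return l, err
}

// OwnCgroupPath extracts the v2 path from /proc/<pid>/cgroup contents, whose
// unified line reads "0::/docker/<id>". ok is false on a v1-only host, where
// every line looks like "12:memory:/docker/<id>" instead.
func OwnCgroupPath(procCgroup string) (string, bool) {
	for _, line := range strings.Split(procCgroup, "\n") {
		if strings.HasPrefix(line, "0::") {
			return strings.TrimPrefix(line, "0::"), true
		}
	}
	return "", false
}

// CurrentLimits reads the live limits of this process. ok is false when the
// host is not on cgroup v2 or a file is missing (e.g. the root cgroup has no
// memory.max), so callers can tell "unknown" from "unlimited".
func CurrentLimits() (Limits, bool) {
	raw, err := os.ReadFile("/proc/self/cgroup")
	if err != nil {
		return Limits{}, false
	}
	rel, ok := OwnCgroupPath(string(raw))
	if !ok {
		return Limits{}, false
	}
	dir := filepath.Join("/sys/fs/cgroup", rel)
	var bodies [3]string
	for i, name := range []string{"memory.max", "pids.max", "cpu.max"} {
		b, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return Limits{}, false
		}
		bodies[i] = string(b)
	}
	l, err := ParseLimits(bodies[0], bodies[1], bodies[2])
	return l, err == nil
}

func main() {
	// Constructed file contents, as docker run -m 512m --pids-limit 100 --cpus 0.5 produces.
	l, err := ParseLimits("536870912\n", "100\n", "50000 100000\n")
	fmt.Printf("sample: %+v (err=%v)\n", l, err)
	if live, ok := CurrentLimits(); ok {
		fmt.Printf("this process: %+v\n", live)
	} else {
		fmt.Println("this process: no cgroup v2 limits visible")
	}
}
```

Run inside a limited container, CurrentLimits shows the ceiling the daemon actually applied; a pids.max of 0 (unlimited) on a container that was supposed to be fork-bomb-proof is the kind of misconfiguration this catches.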
18. Linux containers a.k.a LXC
• Containers
• tool for lightweight virtualization
• provide a group of processes the illusion that they are the only processes on the system
• Advantages in comparison to traditional VMs:
• Fast to deploy - seconds
• Small memory footprint - MBs
• Isolation without a hypervisor (with the caveat that every container shares the host kernel, so the isolation boundary is the kernel itself and a kernel vulnerability is a shared escape path for all containers on the host)
Namespaces + Cgroups => Linux containers
19. Linux containers – CLI
• lxc package contains tools to manipulate containers
• lxc-create – set up a container (rootfs and configuration)
• lxc-start – boot a container
• lxc-console – attach a console if started in background
• lxc-attach – start a process inside a container
• lxc-stop – shut down a container
• lxc-destroy – destroy the container created with lxc-create
20. Docker containers
• “A container is a basic tool, consisting of any device creating a partially or fully enclosed space that can be used to contain, store and transport objects or materials.” http://en.wikipedia.org/wiki/Container
• “Open-source project to easily create light-weight, portable, self-sufficient containers from any application” https://www.docker.com/whatisdocker/
• Docker motto: “Build, Ship and Run Any App, Anywhere”
21. Docker interaction
• Client-server model
• Docker daemon
• Process that manages the containers
• Creates file systems, assigns IP addresses, routes packets, manages processes
=> needs root privileges
• Can bind to Unix or TCP sockets and supports TLS
• RESTful API
• Docker client
• Same binary as the daemon
• Makes GET and POST requests to the daemon
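The two daemon bullets "needs root privileges" and "can bind to Unix or TCP sockets" belong together: whoever can send requests to the daemon's socket is asking a root process to create containers with whatever host mounts and options they choose, so the listener the daemon is bound to is an access-control decision. The POSIX shell function below is an added example, not part of the slides; it classifies a daemon command line by that risk. `-H/--host`, `--tls` and `--tlsverify` are the real Docker daemon flags; the command lines in the demo are constructed.

```shell
#!/bin/sh
# Added example: classify how a Docker daemon exposes its API.
# -H/--host, --tls and --tlsverify are real daemon flags; the sample
# command lines at the bottom are constructed for this demo.

# dockerd_listener_risk FLAGS...
#   Prints one of:
#     unix-socket              only a local Unix socket (access = socket file permissions)
#     tcp-plaintext            TCP listener without TLS: reachable port = root on the host
#     tcp-tls-unauthenticated  --tls only: encrypted, but no client certificate required
#     tcp-tlsverify            --tlsverify: clients must present a cert signed by --tlscacert
dockerd_listener_risk() {
    tcp=0; tls=0; tlsverify=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -H|--host)
                # the listener address is the next word
                shift
                case "${1:-}" in tcp://*) tcp=1 ;; esac ;;
            -H=*|--host=*)
                case "${1#*=}" in tcp://*) tcp=1 ;; esac ;;
            --tls|--tls=true) tls=1 ;;
            --tlsverify|--tlsverify=true) tlsverify=1 ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ "$tcp" -eq 0 ]; then
        echo unix-socket
    elif [ "$tlsverify" -eq 1 ]; then
        echo tcp-tlsverify
    elif [ "$tls" -eq 1 ]; then
        echo tcp-tls-unauthenticated
    else
        echo tcp-plaintext
    fi
}

# Demo on constructed command lines: the single-host default, a bare TCP
# listener, TLS without client auth, and TLS with client verification.
for cmdline in \
    "-H unix:///var/run/docker.sock" \
    "-H tcp://0.0.0.0:2375" \
    "--host=tcp://0.0.0.0:2376 --tls --tlscert=server-cert.pem --tlskey=server-key.pem" \
    "-H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem"
do
    # word splitting of $cmdline is intentional: it is a flag string
    echo "$(dockerd_listener_risk $cmdline)  <=  daemon $cmdline"
done
```

The Unix-socket case is not risk-free either: access is governed by the socket file's permissions, and membership of the group that owns it is equivalent to root on the host, so that group deserves the same review as sudoers.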
23. VMs vs. Docker containers
• VMs are fully virtualized
• Containers are optimized for single applications, but can also run a full system
24. Docker filesystem
• Typical Linux system needs two filesystems:
• Boot file system (bootfs)
• Root file system (rootfs) - /dev, /etc, /bin, /lib …
• Docker uses by default Another Unionfs (AUFS), which is copy-on-write
• AUFS
• Helps share common portions of the fs among containers
• Layers are read-only and the merger of these layers is visible to the processes
• Any changes to the fs go into the rd/wr layer
25. Docker Images
• Image
• Never changes
• Stack of read-only fs layers
• Changes go in the topmost writable layer created when the container starts
• Changes are discarded by default when the container is destroyed
• Where to get Docker Images from?
• https://registry.hub.docker.com/
• Similar to what GitHub is for Git - think “git repository for images”
• Use your own private registry e.g. pull the docker registry image and run it in a container
26. Docker Containers
• Container
• Read-write layer
• Information about Parent Image (RO layers)
• Unique id + network configuration + resource limits
• Containers have state: running / exited
• Exited container
• preserves file system state
• does NOT preserve memory state
• Containers can be promoted to an Image using “docker commit”, which takes a snapshot of the whole filesystem (RW+RO)
27. Docker paradigm shift
• Motto: “write-once-run-anywhere”
• Developers:
• Concentrate on building applications
• Run them inside containers
• Avoid the all too common: “But it works fine on my machine …”
• Sysadmins/operations/DevOps:
• Keep containers running in production
• No more “dependency hell” … almost … at least not traditional ones
⇒ Clean separation of roles
⇒ Single underlying tool which (hopefully) simplifies:
⇒ code management
⇒ deployment process
29. Docker workflow automation
• Dockerfile
• Repeatable method to build Docker images – makefile equivalent
• DSL (Domain Specific Language) representing instructions on setting up an image
• Used together with the context by the “docker build” command to create a new image
# Use the fedora base image
FROM fedora:20
MAINTAINER Elvin Sindrilaru, esindril@cern.ch, CERN 2015
# Add a file from the host to the container
ADD testfile.dat /tmp/testfile
# Install some packages
RUN yum -y --nogpg install screen emacs
# Command executed when container started
CMD /bin/bash
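The Dockerfile above is a fine teaching example, but read with a security hat on it has three properties a reviewer would flag: ADD rather than COPY (ADD also fetches URLs and auto-extracts archives, so it does more than "add a file from the host"), package signature checking disabled by --nogpg, and no USER instruction, so every process inside the container runs as root. The POSIX shell linter below is an added example, not part of the slides or of Docker's tooling; it applies those checks, plus a check for floating image tags, to a copy of the slide's Dockerfile and to a hardened variant, both written to temporary files here.

```shell
#!/bin/sh
# Added example: a small Dockerfile linter for the checks a security review
# commonly makes. The sample Dockerfiles are written to temp files below.

# lint_dockerfile FILE
#   Print one finding per line; return 0 when there are none.
lint_dockerfile() {
    findings=0
    seen_user=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            FROM*)
                image=$(printf '%s\n' "$line" | awk '{ print $2 }')
                case "$image" in
                    *@sha256:*) ;;                              # pinned by digest
                    *:latest)
                        echo "FROM uses the floating :latest tag ($image)"
                        findings=$((findings + 1)) ;;
                    *:*) ;;                                     # explicit tag
                    *)
                        echo "FROM has no tag, so it floats to :latest ($image)"
                        findings=$((findings + 1)) ;;
                esac ;;
            ADD*)
                echo "ADD used; prefer COPY unless URL fetch or archive extraction is intended: $line"
                findings=$((findings + 1)) ;;
            RUN*--nogpg*)
                echo "package signature verification disabled: $line"
                findings=$((findings + 1)) ;;
            USER*) seen_user=1 ;;
        esac
    done < "$1"
    if [ "$seen_user" -eq 0 ]; then
        echo "no USER instruction: processes will run as root inside the container"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

DEMO_DIR="${TMPDIR:-/tmp}/dockerfile-lint.$$"
mkdir -p "$DEMO_DIR"

# Copy of the slide's Dockerfile.
cat > "$DEMO_DIR/Dockerfile.slide" <<'EOF'
# Use the fedora base image
FROM fedora:20
MAINTAINER Elvin Sindrilaru, esindril@cern.ch, CERN 2015
# Add a file from the host to the container
ADD testfile.dat /tmp/testfile
# Install some packages
RUN yum -y --nogpg install screen emacs
# Command executed when container started
CMD /bin/bash
EOF

# Hardened variant: COPY instead of ADD, signatures checked, unprivileged user.
cat > "$DEMO_DIR/Dockerfile.hardened" <<'EOF'
FROM fedora:20
COPY testfile.dat /tmp/testfile
RUN yum -y install screen emacs && yum clean all
USER nobody
CMD ["/bin/bash"]
EOF

for df in Dockerfile.slide Dockerfile.hardened; do
    echo "== $df"
    lint_dockerfile "$DEMO_DIR/$df" || echo "-- review needed"
done
```

Because the linter returns non-zero when it finds anything, it drops straight into a CI step before `docker build`, which is where "repeatable method to build images" also buys repeatable review.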
30. Containers orchestration
• Orchestration describes the automated arrangement, coordination and management of complex systems, middleware and services.
• Library dependencies “sort of” become container dependencies
31. Container data management using volumes
• Docker volume
• Directory separated from the container’s root filesystem
• Managed by the docker daemon and can be shared among containers
• Changes to the volume are not captured by the image
• Used to mount a directory of the host system inside the container
• A volume persists until the last container using it exits
• Data-only containers
• Expose a volume to other data-accessing containers
• Prevents volumes from being destroyed if containers stop or crash
32. Linking containers
• Not all containers need to bind internal ports to host ports
• E.g. only front-end applications need to connect to backend services
• Linking within the same host
• Profit from the unified view that the docker daemon has over all running containers
• Use the --link option:
• E.g. docker run --link CONTAINER_ID:ALIAS …
• Effectively alters the /etc/hosts file
• Cross host linking
• Requires a distributed, consistent discovery service
• Much more complicated
• Needs a distributed key-value store to keep info about running containers e.g. etcd
• Application must be aware of the discovery service
33. Docker Machine & Compose
• Machine
• Creates Docker hosts on a variety of cloud providers
• Built-in support for: VirtualBox, OpenStack, GCE, AWS etc.
• Manages the Docker daemon
• Configures the client to talk to the new Docker host
• Perfect starting point for OSX and Windows users
• Compose
• Define and run complex applications / multiple containers
• Provide the recipe in a YAML file
• Interact with the running containers
36. Security considerations
• Docker containers are started with a reduced capability set which restricts:
• Mount/unmount devices
• Managing raw sockets
• Some fs operations
• Fine-grained control of capabilities using the docker --cap-add / --cap-drop options
• End-goal is to run even the Docker daemon as a non-root user and delegate operations to dedicated subprocesses
• Run Docker daemon on:
• Unix socket for single-instance setup
• TCP socket with TLS for multi-instance setup
• Keep the host kernel updated with latest security patches
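The "reduced capability set" and the --cap-add / --cap-drop options are easiest to verify from the host side rather than by trusting the run command: /proc/<pid>/status carries every process's effective capability mask as the hex CapEff field, container processes included. The POSIX shell below is an added example, not part of the slides; it decodes that mask into capability names (the name table follows the bit numbers in linux/capability.h) and flags the capabilities whose presence normally means a container can reach beyond its namespaces. The two status excerpts are constructed: the first carries the default mask Docker grants to a container, the second a mask with every capability bit set on an older kernel (38 capabilities).

```shell
#!/bin/sh
# Added example: decode the CapEff mask from /proc/<pid>/status.
# Capability names are ordered by bit number as in linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# Capabilities whose presence in a container normally means it can affect the
# host (kernel modules, raw I/O, ptrace, mounts, network config, file reads).
# Docker's default set contains none of them.
RISKY_CAPS="sys_admin sys_module sys_ptrace sys_rawio net_admin dac_read_search sys_boot"

# decode_caps HEXMASK  ->  space-separated capability names, lowest bit first
decode_caps() {
    i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (0x$1 >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# capeff_from_status FILE  ->  the hex CapEff value from a /proc/<pid>/status file
capeff_from_status() {
    awk '/^CapEff:/ { print $2; exit }' "$1"
}

# risky_caps HEXMASK  ->  prints risky capabilities present; returns 1 if any
risky_caps() {
    found=0
    for name in $(decode_caps "$1"); do
        for r in $RISKY_CAPS; do
            if [ "$name" = "$r" ]; then echo "$name"; found=1; fi
        done
    done
    [ "$found" -eq 0 ]
}

DEMO_DIR="${TMPDIR:-/tmp}/capeff-demo.$$"
mkdir -p "$DEMO_DIR"
# Constructed status excerpts: Docker's default mask and an unrestricted one.
printf 'Name:\tnginx\nCapEff:\t00000000a80425fb\n' > "$DEMO_DIR/default"
printf 'Name:\tnginx\nCapEff:\t0000003fffffffff\n' > "$DEMO_DIR/privileged"

# Demo: on a live host, pass /proc/<pid>/status of a container's process.
for f in default privileged; do
    mask=$(capeff_from_status "$DEMO_DIR/$f")
    echo "== $f ($mask): $(decode_caps "$mask")"
    risky_caps "$mask" >/dev/null ||
        echo "-- has risky capabilities: $(risky_caps "$mask" | tr '\n' ' ')"
done
```

Running this over every PID 1 of the containers on a host gives a quick inventory of which ones were started with --cap-add or --privileged, independent of what the deployment scripts claim.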
37. Docker – Benefits
• Portable deployment across machines – overcomes machine specific configuration issues
• Application-centric – optimized for deployment of applications and not machines
• Automatic build – can use any configuration management system (puppet, chef, ansible etc) to automate the build of containers
• Versioning - git like capabilities to track container versions
• Component reuse – any container can become a base image
• Sharing – use the public registry to distribute container images, just like a git repository