The document discusses containers and Kubernetes, covering their definition, advantages over virtual machines, and how they integrate into IT processes. It details how to work with Docker, including image preparation, container creation, storage management, networking, and the orchestration provided by Kubernetes. The text also highlights Kubernetes architecture, deployment concepts, and networking challenges that users may face.

1. Head First
container&kubernetes

2. hung-wei chiu
Microsoft MVP
Devops @ Thundertoken
Co-organizer of SDNDS-TW
Co-organizer of CNTUUG
Network/Kubernetes/SDN
https://blog.hwchiu.com

4. Container ?

5. What ?
Why ?
How ?

6. Container
✖Chroot
✖LXC (Linux Container)
✖Jail
✖Docker
✖Rkt
✖CRI-O
✖…

7. https://www.youtube.com/watch?v=YkBk52MGV0Y

8. https://www.youtube.com/watch?v=YkBk52MGV0Y

9. https://www.youtube.com/watch?v=YkBk52MGV0Y

10. Container / VM
https://blog.docker.com/2018/08/containers-replacing-
virtual-machines/

11. Container / VM
https://blog.docker.com/2018/08/containers-replacing-
virtual-machines/

12. Relationship between VMs/Containers
✖Containers Are More Agile then VMs
✖Containers Enable Hybrid and Multi-
Cloud Adoption
✖Integrate Containers with Your Existing
IT Process
✖Containers Save on VM Licensing
✖What About Bare Metal
✖What About Security
https://blog.docker.com/2018/08/containers-replacing-
virtual-machines/

13. Resource isolation
https://blog.docker.com/2018/08/containers-replacing-
virtual-machines/

14. How Docker Works
✖Mount namespaces
✖IPC namespaces
✖PID namespaces
✖Network namespace
✖User namespaces
✖UTS namespaces

15. How to start
✖Prepare docker image
○ Pull from internet
○ Build by yourself
✖Create container based on image.

16. How to start
✖Prepare docker image
○ Pull from internet
○ Build by yourself
✖Create container based on image.

17. Sudo docker images

18. Docker run
✖docker run -d --name ubuntu
hwchiu/netutils
✖docker run -d -p 6379:6379 --name
redis redis:5.0
✖ sudo bash kubeDemo/docker/run.sh

19. Docker exec
✖sudo docker exec –it ubuntu bash
✖Process
○ Ps auxw
✖Mount
○ Mount
✖Network
○ Ifconfig

20. Connect to other container.
✖ping 172.18.0.3
✖Ping 172.18.0.2
✖Ping 172.18.0.1
✖redis-cli -h 172.18.0.2
○ Connect to container directly
✖redis-cli -h 172.18.0.1
○ Connect to host and forward by iptables

21. Storage
✖Mount data from outside
○ -v source:dest
✖ sudo docker run -d --name test
-v ~/kubeDemo/:/kubeDemo hwchiu/netutils
✖sudo docker exec –it test bash
○ ls /kubeDemo

22. How to use docker
✖Prepare the image you want
✖Run container from the image
✖Connect to container by network
✖Mount directory/file

23. How Container Works ?

24. OS
Docker
BusyBox
b1
Docker run --name b1 hwchiu/netutils
OS
Docker
BusyBox
b2
touch …
apk add …
empty
Docker run --name b2 hwchiu/netutils

25. We Need To Know How Container
Works First

26. Image, series of read-only layers

27. DockerFile Image
RUN APK add ….
COPY
RUN Yarn …
a1b2c3d3xxxxx
a1b2c3d3xxxxx
a1b2c3d3xxxxx

28. Image Container
902b87aaaec9
4dcef5c50d60
c34ce3c1fcc0c
9a61b6b1315e
Read Only
902b87aaaec9
4dcef5c50d60
c34ce3c1fcc0c
9a61b6b1315e
https://docs.docker.com/glossary/?term=Union%20file
%20system
Container Layer
Read Write
Storage Driver
Storage Driver
Storage Driver
Storage Driver

29. Container
https://docs.docker.com/glossary/?term=Union%20file
%20system
Container Layer
Container
Container Layer
Container
Container Layer
Read Write
Read Write Read Write
Read Only
902b87aaaec9
4dcef5c50d60
c34ce3c1fcc0c
9a61b6b1315e

30. When the container is deleted, the
writable layer is also deleted.

31. The underlying image remains
unchanged

32. So, Persistent Data ?

33. https://docs.docker.com/storage/volumes/

34. Docker volume create vol
Docker run –d –v vol:/app nginx
Docker run –d -v /home/nginx:/app
nginx

35. How about advance storage functions ?

36. Storage feature
✖Snapshot ?
✖Dedup (de duplicated)
✖Replica
✖Redundant (RAID?)
✖FileSystem (EXT4/BTRFS/ZFS?)
✖Read/Write Cache ?
✖LVM ?

37. Networking

38. Container -> WAN
WAN -> Container
Container -> Container

39. OS
Docker
Nginx
OS
Docker
Nginx BusyBox
WAN
OS
Docker
Nginx
WAN

40. Docker Use Bridge Network To Provide
Network Connectivity by default.

41. Linux bridge/Kernel
Routing/Gateway/Iptables …

42. br0 br0
br0br0br0
Container
vth1
vth1vth1
Linux Host Linux Host Linux Host
Linux HostLinux HostLinux Host
ContainerContainerContainer
vth0vth0vth0

43. Network namespace demo
ns ns
eth0eth0
br0vth0 vth0
1.2.3.4
1.2.3.1
1.2.3.5

44. Docker run –p 6379:6379 nginx

45. ✖Sudo iptables-save –t nat | grep DOCKER

46. How About Advanced Networking
Features?

47. Docker provides the basic functionality
of storage/network

48. Docker-compose

49. Docker compose
✖Use a YAML to configure your
application’s services.
✖Running multi-container
applications.
✖Friendly for VCS/CI/CD

50. Docker-compose up
version: '3'
services:
app:
image: hwchiu/netutils:latest
networks:
- redis-net
depends_on:
- redis
redis:
image: redis:5.0
hostname: redis
networks:
- redis-net
networks:
redis-net:

51. Containers Cluster ?

52. OS
Docker
Nginx
OS
Docker
Redis
OS
Docker
Backend
1
OS
Docker
Backend
2
Network Connectivity

53. OS
Docker
Nginx
OS
Docker
Redis
OS
Docker
Backend
1
OS
Docker
Backend
2
Shared Storage
Data Sync

54. OS
Docker
Nginx
OS
Docker
Redis
OS
Docker
Backend
1
OS
Docker
Backend
2
Disaster Recovery
OS
Docker
Nginx
OS
Docker
Redis
OS
Docker
Backend
2
Backend
1

55. OS
Docker
Nginx
OS
Docker
Redis
OS
Docker
Backend
1
OS
Docker
Backend
2
Load Balancing/Virtual Hosting
Backend
1

56. Access Control
Service Discovery
Computing Resources (CPU/GPU)
Service Mesh
Container Deployment
……

57. Container Orchestrator ?

58. https://kubernetes.io/docs/home/

59. Kubernetes is becoming the Linux of the
cloud
Jim Zemlin, Linux Foundation

60. Before kubernetes
✖Google has been running
containerized workloads in
production.
○ Virtually everything runs as a container.
✖Borg: The predecessor to Kubernetes
○ Long-rumored internal container-
oriented cluster-management system.
○ Pod
○ Services
○ Label
https://kubernetes.io/blog/2015/04/borg-predecessor-to-
kubernetes/

61. Kubernetes architecture
Users Control Plane Nodes
https://www.flaticon.com/free-icon/boy_145867
API Server
Scheduler
Controller
Node (VM)
Node (Bare Metal)
Node (Container)
CLI DISPATCH

62. Kubernetes architecture
Users Control Plane Nodes
https://www.flaticon.com/free-icon/boy_145867
API Server
Scheduler
Controller
Node (VM)
Node (Bare Metal)
Node (Container)
CLI DISPATCH
I want to deploy a container

63. Kubernetes architecture
Users Control Plane Nodes
https://www.flaticon.com/free-icon/boy_145867
API Server
Scheduler
Controller
Node (VM)
Node (Bare Metal)
Node (Container)
CLI DISPATCH
Find a target node

64. Kubernetes architecture
Users Control Plane Nodes
https://www.flaticon.com/free-icon/boy_145867
API Server
Scheduler
Controller
Node (VM)
Node (Bare Metal)
Node (Container)
CLI DISPATCH
Dispatch Container

65. Kubernetes architecture
Users Control Plane Nodes
https://www.flaticon.com/free-icon/boy_145867
API Server
Scheduler
Controller
Node (VM)
Node (Bare Metal)
Node (Container)
CLI DISPATCH
Running Container

66. Scheduler

67. Host 1
Host 2
Host 3
Host 4
Host 5
Host 6
Host 7
Host 1
Host 2
Host 3
Host 4
Host 5
Host 6
Host 7
Host 2
Host 3
Host 4
Host 5
Host 6
Host 6
Predicate Priority Select

68. https://docs.google.com/presentation/d/1Gp-
2blk5WExI_QR59EUZdwfO2BWLJqa626mK2ej-
huo/edit#slide=id.g1e639c415b_0_56

69. Core Primitives

70. DaemonSet
Node
ConfigMap
StatefulSet
Job
Labels
Replica Set
Secret
Deployment
Ingress
Service
Network Policy
CRD
POD

71. Workloads
✖Pod
✖Deployment
✖Daemon Set
✖Job
✖Cron Job
✖Stateful Set
✖Replica Set

72. pod
✖A single instances of application in
Kubernetes
✖Group of containers
✖Those containers shares
○ IP address
○ File System
○ Network namespace

73. pod
https://kubernetes.io/docs/concepts/workloads/pods/po
d/

74. Pod
✖cd kubeDemo/services/application
✖kubectl apply –f ubuntu.yml
✖kubectl get pods –o wide
○ Get the IP address of that pod.
✖kubectl describe pod ubuntu
○ Show pod detail
✖kubectl exec –it ubuntu bash
○ Like `docker exec …`
✖kubectl delete pod ubuntu
○ kubectl get pods

75. replica Set
✖Maintain a stable set of replica Pods
running at any given time.
✖Guarantee the availability of a
specified number of identical Pods.

76. Replica Set
replica=3
Node Node Node Node
Pod Pod Pod

77. deployment
✖Rollouts as a Service
✖Update
○ Rolling update
○ Recreate
✖Manage Replica Set and Pod

78. Deployment
- replicas: 3
- version: v1
Replica Set
replica=3
Pod Pod Pod
Deployment

79. Deployment
- replicas: 3
- version: v1
Replica Set
replica=3
Pod Pod Pod
Deployment
Deployment
- replicas: 0
- version: v2
Replica Set
replica=0
Deployment

80. Deployment
- replicas: 3
- version: v1
Replica Set
replica=3
Pod Pod Pod
Deployment
Deployment
- replicas: 1
- version: v2
Replica Set
replica=1
Pod
Deployment

81. Deployment
- replicas: 2
- version: v1
Replica Set
replica=2
Pod Pod
Deployment
Deployment
- replicas: 1
- version: v2
Replica Set
replica=1
Pod
Deployment

82. Deployment
- replicas: 2
- version: v1
Replica Set
replica=3
Pod Pod
Deployment
Deployment
- replicas: 2
- version: v2
Replica Set
replica=2
Pod Pod
Deployment

83. Deployment
- replicas: 1
- version: v1
Replica Set
replica=1
Pod
Deployment
Deployment
- replicas: 2
- version: v2
Replica Set
replica=2
Pod Pod
Deployment

84. Deployment
- replicas: 1
- version: v1
Replica Set
replica=1
Pod
Deployment
Deployment
- replicas: 3
- version: v2
Replica Set
replica=3
Pod Pod Pod
Deployment

85. Deployment
- replicas: 0
- version: v1
Replica Set
replica=0
Deployment
Deployment
- replicas: 3
- version: v2
Replica Set
replica=3
Pod Pod Pod
Deployment

86. Deployment
✖cd kubeDemo/services/deployment
✖kubectl apply –f redis.yml
✖kubectl get pods –o wide
○ Get the IP address of all pod.
✖kubectl exec –it redis-xxx bash
○ Like `docker exec …`
✖kubectl delete pod redis-xxxx
○ kubectl get pods
✖kubectl get pods –o wide
○ Get the IP address of all pod.

87. Network

88. network
✖Network Connectivity
○ Container to Container (Same Node)
○ Container to Container (Cross Node)
✖Service
○ Wan to Container
✖Ingress
○ Wan to Container
✖Network Policy

89. Network connectivity
✖Container Network Plugin (CNI)
✖Container to Container (Same Node)
○ Simplest approach is bridge mode
○ Same as Docker default network
✖Container to Container (Cross Node)
○ Overlay Network (VXLAN/GRE)
○ L3 Routing
○ … etc

90. Pod network
✖Group of Containers share same
network environment
✖Communicate by localhost
○ Use same IP address
○ Port conflict
✖How does it works ?

91. Pod network
Container
Nginx
Container
Redis
Pod
eth0
172.17.17.2
:80 :1234

92. Pod infrastructure
Pod
172.17.17.2
PID/Network/UTC
Namespace
Container
Pause
eth0

93. Pod infrastructure
Pod
172.17.17.2
PID/Network/UTC
Namespace
Container
Pause
eth0
Container
Nginx
Container
Redis
All user-defined containers are attached to Pause container.

94. Kubernetes Service

95. Kubernetes Service

96. Before We Talk About Service, We Must
Know Why Service Exist.

97. Deployment
Node1
Nginx
Node2
Nginx
Node3
Nginx
Kubernetes Cluster
✖Deployment:
○ Ngnix
○ Replica: 3
10.123.234.56 10.123.234.57 10.123.234.58

98. Access
✖How does application access those
Nginx servers?
✖IP address
○ 10.123.234.56:80
○ 10.123.234.57:80
○ 10.123.234.58:80

99. Deployment
Node1
Nginx
Node2
Nginx
Node3
Nginx
Kubernetes Cluster
✖Deployment:
○ Ngnix
○ Replica: 3
10.123.234.56 10.123.234.57 10.123.234.58

100. Deployment
Node1
Nginx
Node2
Nginx
Node3
Nginx
Kubernetes Cluster
✖Deployment:
○ Ngnix
○ Replica: 3
10.123.234.56 10.123.234.57 10.123.234.75

101. That’s Why We Need Service

102. Service
Node1
Nginx
Node2
Nginx
Node3
Nginx
Kubernetes Cluster
10.123.234.56 10.123.234.57 10.123.234.58
App
Service Nginx

103. Service
✖Application to Service
○ We use the DNS to access the service.
○ $(service).$(namespace).cluster.local
✖Service to Pods
○ Service maintains all IP addresses of all
Pods.
○ We call it endpoints

104. services
✖cd kubeDemo/services/service
✖kubectl apply –f redis-cluster
✖kubectl get svc
○ Get service detail
✖kubectl exec –it ubuntu bash
○ Like `docker exec …`
○ nslookup redis-cluster

105. summary
✖Kubernetes use CNI to provide the
basic network function for Pods
✖Service provide a DNS entry for all
backend servers

106. Kubernetes Limitation

107. Ask Yourself Before Using it

108. Do I Really Need Kubernetes ?

109. How Powerful Kubernetes Is ?

110. Flexible Infrastructure
✖Plugin Based
○ Container Runtime Interface
○ Device Plugin
○ Container Storage Interface
○ Container Network Interface
✖Developing life cycle
✖Support by third-party

111. https://docs.google.com/presentation/d/1Gp-
2blk5WExI_QR59EUZdwfO2BWLJqa626mK2ej-
huo/edit#slide=id.g1e639c415b_0_56

112. Container Runtime Interface

113. CRI
✖Is container omniscient ?
✖Containerlized applications
○ Dockerfile ?
○ Refactor?
✖Treat container as Virtual Machine
✖Micro Service ?

114. Device Plugin
✖Third-party plugin
○ Nvidia GPU
○ RDMA
○ SRIOV
○ AMD GPU
○ Intel GPU/FPGA/Quick-Assist
✖Are those plugin production-ready ?
○ Stable?

115. GPU
✖GPU Device Plugin
✖GPU virtualization
✖GPU Dispatches
○ Node1: 1
○ Node2: 1
○ Node3: 0
✖Pod require 2 GPU
○ ?
✖Two Pods use 1 GPU in Node 1
○ ?

116. GPU
✖https://github.com/AliyunContainerS
ervice/gpushare-scheduler-extender
✖https://github.com/NVIDIA/k8s-
device-plugin

117. Storage
✖Container Storage Interface
✖Connect to storage provider
✖Can kubernetes handle all storage
issues ?

118. Storage
✖FileSystem
○ Zfs/ext4/btrfs/…etc
✖Block Device
✖Distributed FS
○ Ceph/GlusterFS/BeeGFS
✖RAID/LVM
✖Read/Write Cache

120. Summary
✖Kubernetes doesn’t provide any
storage function.
✖It rely on backend storage provider.
✖Choose a proper storage to meet your
requirement
✖Learn the concept/knowledge about
storage

121. Network
✖Container Container Interface
✖A binary to setup the networking
function
✖Can kubernetes handle all networking
issues ?

122. Network
✖Network Topology
○ Fat-Tree, Leaf-Spine,
○ LAG, MC-LAG, Bonding
✖Routing related
○ BGP, OSPF, DSR, RIP
○ ECMP
✖Network protocol
○ IPv4/IPv6/Multicast/Broadcast/TCP/UDP
/MPTCP/STCP/QUIC
✖Network tools
○ Iptables/tun/tap

123. Network
✖SDN concept
○ Switch
○ Controller
✖Logical Network
○ VLAN/VXLAN/GRE/NVGRE
✖High Performance Network
○ DPDK/RDMA/Smart NIC

124. What you want?
✖IPv4 Address
○ Multiple addresses?
✖Connect to Host
○ Veth
○ Host-local
○ SRIOV ?
✖Routing
○ Static/Dynamic
✖Overlay network

125. summary
✖CNI provide the network connectivity
✖Service/Ingress may conflict with CNI
✖Need experience to debug networking
issues

127. summary
✖Know what you want first
✖Evaluation
✖Check third-party solution
○ Production Ready?
○ Testing?
✖Check your resources

128. https://blog.coscup.org/2019/04/2019-cfp-open.html#sdncloudnativego