
Containers from Scratch

Eric Chiang
October 12, 2016


Transcript

  1. Containers: namespaces

     $ sudo unshare -p -f \
         --mount-proc=$PWD/rootfs/proc \
         chroot rootfs /bin/bash

     # From a second shell on the host, join the same PID namespace
     # (7897 is the host-side PID of the unshared process):
     $ sudo nsenter --pid=/proc/7897/ns/pid \
         chroot rootfs /bin/bash
  2. Containers: cgroups

     $ ls /sys/fs/cgroup/
     $ sudo                       # become root; the lines below run in the root shell
     # mkdir /sys/fs/cgroup/memory/demo
     # echo "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes
     # echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness
     # echo $$ > /sys/fs/cgroup/memory/demo/tasks

     Writing $$ to tasks moves the current shell into the group, so everything
     started from it inherits the 100 MB cap. (To clean up, kill the process and
     run rmdir /sys/fs/cgroup/memory/demo.) These are cgroup v1 memory-controller
     files; on a cgroup v2 host the equivalents are memory.max and cgroup.procs
     under /sys/fs/cgroup/<group>.
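The two slides above as one program, added here as an example and not code from the talk: it re-executes itself into new PID, mount and UTS namespaces (what `unshare -p -f` does), joins a cgroup v1 memory group named demo with the 100 MB cap from the slide, makes its mounts private, chroots into the rootfs, mounts proc and execs /bin/bash. The rootfs path comes from argv; the hostname `container`, the /proc/self/exe re-exec and the private-propagation mount are this example's choices, not the slides'. Linux only, run as root.

```go
// Added example, not from the talk: slides 1 and 2 as one Go program.
// Linux only; run as root. The 100 MB cap and the group name "demo" are the
// slide's values; the hostname and the re-exec trick are this example's.
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"syscall"
)

// cloneFlags: a new PID namespace (what `unshare -p -f` gives), a new mount
// namespace (so the proc mount stays inside) and a new UTS namespace (so the
// hostname can change without touching the host's).
func cloneFlags() uintptr {
	return syscall.CLONE_NEWPID | syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS
}

// setupMemoryCgroup is slide 2's mkdir/echo sequence against a cgroup v1
// memory controller mounted at root: create the group, cap it, disable
// swapping for it and move pid into it. root is a parameter so the function
// can be exercised against a scratch directory instead of /sys/fs/cgroup/memory.
func setupMemoryCgroup(root, name string, limitBytes int64, pid int) error {
	dir := filepath.Join(root, name)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	values := map[string]string{
		"memory.limit_in_bytes": strconv.FormatInt(limitBytes, 10),
		"memory.swappiness":     "0",
		"tasks":                 strconv.Itoa(pid),
	}
	for file, v := range values {
		// Same open flags as `echo > file`; on cgroupfs the files already exist.
		if err := os.WriteFile(filepath.Join(dir, file), []byte(v), 0o644); err != nil {
			return fmt.Errorf("write %s: %w", file, err)
		}
	}
	return nil
}

// run re-executes this binary inside fresh namespaces. The child lands in
// main with argv[1] == "child" and finishes the setup from the inside.
func run(rootfs string) error {
	cmd := exec.Command("/proc/self/exe", "child", rootfs)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: cloneFlags()}
	return cmd.Run()
}

// child runs as PID 1 of the new PID namespace. Order matters: join the cgroup
// before chroot (the cgroup tree is outside rootfs); make mounts private before
// mounting anything (on a systemd host "/" is a shared mount, so the proc mount
// would otherwise propagate back to the host; unshare(1) does this for you);
// mount proc only after chroot so the container's /proc lists its own PIDs.
func child(rootfs string) error {
	if err := setupMemoryCgroup("/sys/fs/cgroup/memory", "demo", 100000000, os.Getpid()); err != nil {
		return err
	}
	if err := syscall.Sethostname([]byte("container")); err != nil {
		return err
	}
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return err
	}
	if err := syscall.Chroot(rootfs); err != nil {
		return err
	}
	if err := os.Chdir("/"); err != nil {
		return err
	}
	if err := syscall.Mount("proc", "/proc", "proc", 0, ""); err != nil {
		return err
	}
	return syscall.Exec("/bin/bash", []string{"/bin/bash"}, os.Environ())
}

func main() {
	switch {
	case len(os.Args) == 3 && os.Args[1] == "child":
		if err := child(os.Args[2]); err != nil {
			fmt.Fprintln(os.Stderr, "child:", err)
			os.Exit(1)
		}
	case len(os.Args) == 2:
		if err := run(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	default:
		fmt.Fprintln(os.Stderr, "usage: sudo ./contain <rootfs>")
		os.Exit(2)
	}
}
```

Build with `go build -o contain .` and run `sudo ./contain ./rootfs` against a rootfs like the one the slides use. Inside, `ps` shows bash as PID 1 and `hostname` prints container; from the host, /sys/fs/cgroup/memory/demo/tasks holds the container's host-side PID. On a cgroup v2 host point setupMemoryCgroup at /sys/fs/cgroup and use memory.max and cgroup.procs instead.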
  3. Containers: security
     • Capabilities: limit the power of root
       ◦ sudo setcap CAP_NET_BIND_SERVICE+ep ./hello
         (puts that one capability in the file's permitted and effective sets, so
         ./hello can bind port 80 without running as root)
     • seccomp: limit the syscalls a process can make
     • SELinux: fine-grained access control policies on processes
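A check to go with the capabilities bullet, added here and not part of the talk: decode the CapEff bitmask in /proc/<pid>/status to see what a process can actually do, rather than what the file capability says. The sample status text is constructed to show what ./hello holds after `setcap CAP_NET_BIND_SERVICE+ep` when started by an unprivileged user; the capability numbers are from linux/capability.h and only a subset is named.

```go
// Added example, not from the talk: decode a process's effective capability
// set (the CapEff line of /proc/<pid>/status) to verify what it can do.
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from linux/capability.h. Only a subset is named;
// any other set bit is reported by number.
var capNames = map[uint]string{
	0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 5: "CAP_KILL", 6: "CAP_SETGID",
	7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
	13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
	21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 31: "CAP_SETFCAP",
}

const (
	capNetBindService uint = 10
	capSysAdmin       uint = 21
)

// Constructed sample (not captured from a real system): what ./hello reports
// after `setcap CAP_NET_BIND_SERVICE+ep ./hello` when started by uid 1000.
// Only bit 10 is set in the permitted and effective sets.
const sampleStatus = "Name:\thello\n" +
	"Uid:\t1000\t1000\t1000\t1000\n" +
	"CapInh:\t0000000000000000\n" +
	"CapPrm:\t0000000000000400\n" +
	"CapEff:\t0000000000000400\n" +
	"CapBnd:\t0000003fffffffff\n"

// parseCapEff returns the effective capability mask found in status text.
func parseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line in status")
}

// hasCap reports whether capability bit is set in mask.
func hasCap(mask uint64, bit uint) bool {
	return mask&(1<<bit) != 0
}

// decodeCaps lists the capabilities present in mask, lowest bit first.
func decodeCaps(mask uint64) []string {
	var names []string
	for bit := uint(0); bit < 64; bit++ {
		if !hasCap(mask, bit) {
			continue
		}
		if n, ok := capNames[bit]; ok {
			names = append(names, n)
		} else {
			names = append(names, "CAP_"+strconv.Itoa(int(bit)))
		}
	}
	return names
}

func main() {
	b, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	mask, err := parseCapEff(string(b))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CapEff = %#x: %s\n", mask, strings.Join(decodeCaps(mask), " "))
	if hasCap(mask, capSysAdmin) {
		fmt.Println("warning: CAP_SYS_ADMIN is effective; this is close to full root")
	}
}
```

Run as a normal user it prints an empty set; run under sudo it prints the whole bounding set, which is exactly the power the capabilities bullet is about not handing out. `getcap ./hello` shows the file capability, but /proc/<pid>/status shows what the running process ended up with, and that is what matters.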
  4. Container runtimes
     • Metadata and tarball formats
     • Discovery of those tarballs
       ◦ rkt run quay.io/coreos/dex
     • Coordinates the underlying technologies
  5-8. An app (one diagram built up over four slides)

     $ tree .
     ├── bin
     │   └── my-awesome-app
     ├── server
     │   ├── app.py
     │   └── templates.py
     ├── public
     │   └── main.css
     └── README.md

     How to run it:

       python3 bin/my-awesome-app \
           --port 80 \
           --db postgres://db.com/mydb

     Additional code or resources.
  9. Problems: dependencies
     Source code doesn't tell us:
     • What version(s) of Python can run it?
     • What third-party Python packages does it import?
     • What system packages does it depend on?
  10. Solutions: package management
     Take your source code, add a bit of metadata, and put it on the internet.
  11-12. A PyPI example (slide 12 adds the callouts, shown here as comments)

     # setuptools, not distutils: distutils.core.setup() does not understand
     # install_requires and silently drops the dependency list.
     from setuptools import setup

     setup(
         name='my-awesome-app',                                  # package name
         scripts=['bin/my-awesome-app'],                         # how to run
         version='0.1',
         description='That thing I wrote',
         author='Eric Chiang',
         url='https://github.com/ericchiang/app',
         download_url='https://github.com/ericchiang/app/tarball/0.1',  # where to download
         keywords=['webapp', 'awesome'],
         install_requires=['flask', 'jinja2', 'psycopg2'],       # dependencies
     )
  13. Package management: problems
     Lots of potential conflicts:
     • What if two apps depend on different versions of the same package?
     • What if one app hogs memory or disk?
     • What if one gets hacked?
  14-15. Containers: easy deployments
     • What kind of problems do you run into when it's extremely easy to deploy an app?
     • How do you manage a high number of apps on a single machine?
     (Hint: you should stay around for the next talk.)