Containers from Scratch

Transcript

1. Containers from Scratch Eric Chiang Software Engineer @erchiang | github.com/ericchiang

2. Agenda 1. Dive into containers! 2. Talk about the problems

   they solve.
3. None
4. None

5. Containers Like a mini virtual machine.

6. Virtual machines

7. OS OS OS Virtual machines

8. Virtual machines: Isolated operating systems.

9. Virtual machines: problems

10. Virtual machines: problems Expensive!

11. Like mini virtual machines. What’s a container?

12. Like mini virtual machines. Just an isolated process. No virtualizing

    a kernel. What’s a container?

13. Like mini virtual machines. What’s a container? Hypervisor VM (kernel)

    VM (kernel) VM (kernel) Kernel

14. Like mini virtual machines. What’s a container? Hypervisor VM (kernel)

    VM (kernel) VM (kernel) Kernel Kernel

15. $ sudo chroot rootfs /bin/bash # Containers: chroot

16. Containers: namespaces

17. $ sudo unshare -p -f \ --mount-proc=$PWD/rootfs/proc \ chroot rootfs

    /bin/bash # Containers: namespaces

18. $ sudo unshare -p -f \ --mount-proc=$PWD/rootfs/proc \ chroot rootfs

    /bin/bash # $ sudo nsenter --pid=/proc/7897/ns/pid \ chroot rootfs /bin/bash # Containers: namespaces

19. Containers: cgroups

20. $ ls /sys/fs/cgroup/ $ sudo # mkdir /sys/fs/cgroup/memory/demo # echo

    "100000000" > /sys/fs/cgroup/memory/demo/memory.limit_in_bytes # echo "0" > /sys/fs/cgroup/memory/demo/memory.swappiness # echo $$ > /sys/fs/cgroup/memory/demo/tasks (to clean up kill the process and run rmdir /sys/fs/cgroup/memory/demo) Containers: cgroups

21. Containers: security • Capabilities: limit the power of root ◦

    sudo setcap CAP_NET_BIND_SERVICE+ep ./hello • seccomp: limit the syscalls you can make • SELinux: fine grained access control policies on processes

22. Container runtimes

23. Container runtimes

24. $ sudo rkt run \ quay.io/ericchiang/python:3.5.2 \ --exec=python3 -- -m

    http.server Container runtimes: rkt

25. Container runtimes • Metadata and tarball formats • Discovery of

    those tarballs ◦ rkt run quay.io/coreos/dex • Coordinates the underlying technologies

26. Why containers? Amazingly good at moving applications around.

27. $ tree . ├── bin │ └── my-awesome-app ├── server

    │ ├── app.py │ └── templates.py ├── public │ └── main.css └── README.md An app

28. $ tree . ├── bin │ └── my-awesome-app ├── server

    │ ├── app.py │ └── templates.py ├── public │ └── main.css └── README.md An app python3 bin/my-awesome-app \ --port 80 \ --db postgres://db.com/mydb

29. $ tree . ├── bin │ └── my-awesome-app ├── server

    │ ├── app.py │ └── templates.py ├── public │ └── main.css └── README.md An app python3 bin/my-awesome-app \ --port 80 \ --db postgres://db.com/mydb Additional code or resources.

30. $ tree . ├── bin │ └── my-awesome-app ├── server

    │ ├── app.py │ └── templates.py ├── public │ └── main.css └── README.md An app How to run it python3 bin/my-awesome-app \ --port 80 \ --db postgres://db.com/mydb Additional code or resources.

31. Problems: Dependencies Source code doesn’t tell us:

32. Problems: Dependencies Source code doesn’t tell us: • What version(s)

    of Python can run it? • What third-party Python packages does it import? • What system packages does it depend on?

33. Solutions: Package management Take your source code, add a bit

    of metadata, and put it on the internet.

34. from distutils.core import setup setup( name = 'my-awesome-app', scripts =

    ['bin/my-awesome-app'], version = '0.1', description = 'That thing I wrote', author = 'Eric Chiang', url = 'https://github.com/ericchiang/app', download_url = 'https://github.com/ericcchiang/app/tarball/0.1', keywords = ['webapp', 'awesome'], install_requires = ["flask", "jinja2", "Psycopg2"], ) A PyPI example

35. from distutils.core import setup setup( name = 'my-awesome-app', scripts =

    ['bin/my-awesome-app'], version = '0.1', description = 'That thing I wrote', author = 'Eric Chiang', url = 'https://github.com/ericchiang/app', download_url = 'https://github.com/ericcchiang/app/tarball/0.1', keywords = ['webapp', 'awesome'], install_requires = ["flask", "jinja2", "Psycopg2"], ) A PyPI example Package name How to run Where to download Dependencies

36. $ pip install my-awesome-app A PyPI example

37. Package management: problems Lots of potential conflicts: • What if

    two apps depend on different versions of the same package? • What if one app hogs memory or disk? • What if one gets hacked?

38. Containers: easy deployments • What kind of problems do you

    run into when it’s extremely easy to deploy an app? • How do you manage a high number of apps on a single machine?

39. Containers: easy deployments • What kind of problems do you

    run into when it’s extremely easy to deploy an app? • How do you manage a high number of apps on a single machine? (Hint: you should stay around for the next talk.)

40. [email protected] @erchiang QUESTIONS? Thanks! We’re hiring: coreos.com/careers Let’s talk! IRC

    More events: coreos.com/community LONGER CHAT?