All about rkt: Containers and Kubernetes at CoreOS

Transcript

1. All about rkt: Containers and K8s at CoreOS ContainerizeThis 2016

   Josh Wood DocOps • CoreOS @joshixisjosh9 | [email protected] | github.com/joshix

2. We’re hiring in all departments! Email: [email protected] Positions: coreos.com/ careers

   90+ Projects on GitHub, 1,000+ Contributors OPEN SOURCE CoreOS.com - @coreoslinux - github/coreos Secure solutions, support plans, training + more ENTERPRISE [email protected] - tectonic.com - quay.io CoreOS Runs the World’s Containers
3. None

4. A CLI for running app containers on Linux. Focuses on:

   • Security • Modularity • Standards/Compatibility

5. A CLI for running app containers on Linux. Focuses on:

   • Not reinventing the wheel: ◦Systemd - init ◦Overlayfs ◦CNI networking

6. A CLI for running app containers on Linux. Security: •

   Signed images • GPG detached sigs (ACI) • DTC integration with TPM

7. A CLI for running app containers on Linux. Modularity: External

   • “Fits in” • Systemd or other init • CNI and plugins

8. A CLI for running app containers on Linux. Modularity: Internal

   • Stages of execution • Fly, cgroups/ns, KVM vm ◦SAME CONTAINER

9. A CLI for running app containers on Linux. Standards/Compatibility: •

   Appc ACI format & sigs • rkt runs Docker images ◦OCI support as develops

10. rkt run: default stage1 • Isolates containers with the linux

    container primitives (cgroups, ns), systemd-nspawn • Container apps in a machine slice PID namespace • Manage with standard init tools: systemd • Network isolation

11. rkt run: KVM isolation • Isolates containers with the linux

    KVM hypervisor • Container apps in a machine slice PID namespace • Manage with standard init tools: systemd • Network isolation

12. rkt fly • Leverages the packaging, discovery, distribution, and validation

    features of rkt/appc • Reduced isolation for privileged components • chroot file system isolation only • Has access to host-level mount, network, PID namespaces • Method for k8s bootstrap in CoreOS Linux

13. rkt run: your stage1 • stage1 can be replaced with

    custom implementations for security, performance, architecture, … • KVM stage1 originated with Intel ClearContainers project and has seen at least two alternate external implementations

14. $ rkt run quay.io/josh_wood/caddy rkt: using image from local store

    for image name coreos.com/rkt/stage1-coreos:0.15.0 rkt: using image from local store for image name quay.io/josh_wood/caddy [ 1161.330635] caddy[4]: Activating privacy features... done. [ 1161.333482] caddy[4]: :2015 $ rkt run (demo)

15. Cluster-level container orchestration with #GIFEE baked in. Handles: • Scheduling/Upgrades

    • Failure recovery • Scaling Kubernetes

16. worker kubelet worker kubelet worker kubelet scheduler & API worker

    kubelet w ku t worker kubelet

17. What is rkt in Kubernetes? • “Rktnetes” was a nickname

    for the work in both rkt and kubernetes • rkt is container execution engine, runs cluster work on nodes • Add configuration to declare a node uses the rkt engine, or that a pod executes with rkt

18. What is rkt in Kubernetes?

19. Why rkt in Kubernetes? • Ensure cleanliness and modularity of

    the critical interface between the orchestrator and the execution engine • Spur innovation through community effects • In short: standards and interfaces

20. Why rkt in Kubernetes? • Obtain unique rkt features •

    Externally modular: Refine runtime interface • Internally modular: Pluggable “stage1” isolation environments • Run pods as software-isolated (cgroups, ns) • Run pods as VMs with hypervisor isolation • OpenStack as a K8s app(s)

21. What’s up and what’s next? • Rkt support in mainline

    Kubernetes @ v1.3 • Bring up a cluster, node, or pod with rkt as the executor • Now/Next (K8s v1.4 & beyond): ◦ kubectl attach (CRI and pod mutability) ◦ Port-forwarding for alternate stage1s ◦ Your contributions, suggestions, and experiments!

22. What’s it all about? • Decouple the Application from the

    OS ◦ Then you can upgrade them both, and each ◦ Containers: distribution and execution • Automate OS upgrades • Orchestrate the result as a unified resource ◦ Apps evolve -- are continuously deployed and scaled • Democratize access to utility computing ◦ #GIFEE

23. Linux Prometheus

24. None
25. None

26. Runs on any platform Consistency across clouds Trivial dev, test,

    & prod Faster time to market

27. Current Events • CNI as Kubernetes network plugin model •

    Docker refactor: runc, containerd • Appc and OCI: Standard for container images • ocid: Let 1000 runtimes bloom? ◦ ocid: Inherits runc: Pro and Con

28. See also: • coreos.com/rkt • kubernetes.io/docs/getting-started-guides/rkt/ • http://blog.kubernetes.io/2016/07/rktnetes-bri ngs-rkt-container-engine-to-Kubernetes.html •

    http://blog.kubernetes.io/2016/01/why-Kubern etes-doesnt-use-libnetwork.html

29. See also: • speakerdeck.com/joshix (these slides)

30. Thank you! Josh Wood @joshixisjosh9 | [email protected] | github.com/joshix We’re

    hiring! Email: [email protected] Positions: coreos.com/ careers