features of rkt/appc
• Reduced isolation for privileged components
• chroot file system isolation only
• Has access to host-level mount, network, PID namespaces
• Method for k8s bootstrap in CoreOS Linux
custom implementations for security, performance, architecture, …
• KVM stage1 originated with the Intel ClearContainers project and has seen at least two alternate external implementations
$ rkt run (demo)
for image name coreos.com/rkt/stage1-coreos:0.15.0
rkt: using image from local store for image name quay.io/josh_wood/caddy
[ 1161.330635] caddy[4]: Activating privacy features... done.
[ 1161.333482] caddy[4]: :2015
for the work in both rkt and Kubernetes
• rkt is the container execution engine; it runs cluster work on nodes
• Add configuration to declare that a node uses the rkt engine, or that a pod executes with rkt
the critical interface between the orchestrator and the execution engine
• Spur innovation through community effects
• In short: standards and interfaces
• Externally modular: Refine runtime interface
• Internally modular: Pluggable “stage1” isolation environments
• Run pods as software-isolated (cgroups, ns)
• Run pods as VMs with hypervisor isolation
• OpenStack as a K8s app(s)
Kubernetes @ v1.3
• Bring up a cluster, node, or pod with rkt as the executor
• Now/Next (K8s v1.4 & beyond):
  ◦ kubectl attach (CRI and pod mutability)
  ◦ Port-forwarding for alternate stage1s
  ◦ Your contributions, suggestions, and experiments!
OS
  ◦ Then you can upgrade them both, and each
  ◦ Containers: distribution and execution
• Automate OS upgrades
• Orchestrate the result as a unified resource
  ◦ Apps evolve -- are continuously deployed and scaled
• Democratize access to utility computing
  ◦ #GIFEE