
All about rkt: Containers and Kubernetes at CoreOS

Josh Wood
October 01, 2016


ContainerizeThis! 2016, Dr Pepper Star Center, Farmer's Branch, TX: http://containerizethis.com/


Transcript

  1. All about rkt: Containers and K8s at CoreOS, ContainerizeThis 2016
     Josh Wood, DocOps • CoreOS
     @joshixisjosh9 | [email protected] | github.com/joshix
  2. We’re hiring in all departments! Email: [email protected]. Positions: coreos.com/careers
     OPEN SOURCE: 90+ projects on GitHub, 1,000+ contributors. CoreOS.com - @coreoslinux - github/coreos
     ENTERPRISE: Secure solutions, support plans, training + more. [email protected] - tectonic.com - quay.io
     CoreOS Runs the World’s Containers
  3. rkt: a CLI for running app containers on Linux. Focuses on:
     • Security
     • Modularity
     • Standards/Compatibility
  4. rkt: a CLI for running app containers on Linux. Focuses on:
     • Not reinventing the wheel:
       ◦ systemd - init
       ◦ overlayfs
       ◦ CNI networking
  5. rkt: a CLI for running app containers on Linux. Security:
     • Signed images
     • GPG detached sigs (ACI)
     • DTC integration with TPM
  6. rkt: a CLI for running app containers on Linux. Modularity: External
     • “Fits in”
     • systemd or other init
     • CNI and plugins
  7. rkt: a CLI for running app containers on Linux. Modularity: Internal
     • Stages of execution
     • Fly, cgroups/ns, KVM vm
       ◦ SAME CONTAINER
  8. rkt: a CLI for running app containers on Linux. Standards/Compatibility:
     • Appc ACI format & sigs
     • rkt runs Docker images
       ◦ OCI support as it develops
  9. rkt run: default stage1
     • Isolates containers with the Linux container primitives (cgroups, ns) via systemd-nspawn
     • Container apps in a machine slice PID namespace
     • Manage with standard init tools: systemd
     • Network isolation
  10. rkt run: KVM isolation
     • Isolates containers with the Linux KVM hypervisor
     • Container apps in a machine slice PID namespace
     • Manage with standard init tools: systemd
     • Network isolation
  11. rkt fly
     • Leverages the packaging, discovery, distribution, and validation features of rkt/appc
     • Reduced isolation for privileged components
     • chroot file system isolation only
     • Has access to host-level mount, network, PID namespaces
     • Method for k8s bootstrap in CoreOS Linux
  12. rkt run: your stage1
     • stage1 can be replaced with custom implementations for security, performance, architecture, …
     • KVM stage1 originated with the Intel Clear Containers project and has seen at least two alternate external implementations
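Added example, not from the deck: a POSIX shell helper that composes rkt invocations for the three stage1 flavours of slides 9 to 12 while keeping the signed-image default of slide 5, opting out of signature verification only for docker:// images, which carry no ACI signature. Assumptions: the stage1 image names coreos.com/rkt/stage1-{coreos,kvm,fly}, the --stage1-name flag of rkt 1.x, and X.Y.Z as a placeholder for your installed stage1 version.

```shell
#!/bin/sh
# Added example: build rkt command lines per stage1 flavour (not the deck's code).
set -eu

# Placeholder: replace with the stage1 version shipped with your rkt.
RKT_STAGE1_VERSION="X.Y.Z"

# stage1_image FLAVOUR -> stage1 image name for coreos|kvm|fly (assumed naming)
stage1_image() {
  case "$1" in
    coreos|kvm|fly)
      printf 'coreos.com/rkt/stage1-%s:%s\n' "$1" "$RKT_STAGE1_VERSION" ;;
    *)
      echo "unknown stage1 flavour: $1" >&2; return 1 ;;
  esac
}

# rkt_run_cmd FLAVOUR IMAGE -> rkt command line.
# docker:// images have no ACI detached signature, so rkt rejects them unless
# --insecure-options=image is given; the flag is added only for that scheme so
# signed ACIs (e.g. quay.io/josh_wood/caddy) stay verified.
rkt_run_cmd() {
  flavour="$1"; image="$2"
  stage1="$(stage1_image "$flavour")" || return 1
  insecure=""
  case "$image" in
    docker://*) insecure=" --insecure-options=image" ;;
  esac
  printf 'rkt run --stage1-name=%s%s %s\n' "$stage1" "$insecure" "$image"
}

# trust_cmd PREFIX -> command that imports the publisher key for an image prefix
trust_cmd() {
  printf 'rkt trust --prefix=%s\n' "$1"
}

# Print the full workflow: trust the publisher, then run under each stage1.
demo() {
  trust_cmd quay.io/josh_wood
  for f in coreos kvm fly; do
    rkt_run_cmd "$f" quay.io/josh_wood/caddy
  done
  rkt_run_cmd kvm docker://nginx
}
demo
```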
  13. $ rkt run quay.io/josh_wood/caddy
      rkt: using image from local store for image name coreos.com/rkt/stage1-coreos:0.15.0
      rkt: using image from local store for image name quay.io/josh_wood/caddy
      [ 1161.330635] caddy[4]: Activating privacy features... done.
      [ 1161.333482] caddy[4]: :2015
      $ rkt run (demo)
  14. What is rkt in Kubernetes?
     • “Rktnetes” was a nickname for the work in both rkt and Kubernetes
     • rkt is the container execution engine; it runs cluster work on nodes
     • Add configuration to declare that a node uses the rkt engine, or that a pod executes with rkt
  15. Why rkt in Kubernetes?
     • Ensure cleanliness and modularity of the critical interface between the orchestrator and the execution engine
     • Spur innovation through community effects
     • In short: standards and interfaces
  16. Why rkt in Kubernetes?
     • Obtain unique rkt features
     • Externally modular: Refine runtime interface
     • Internally modular: Pluggable “stage1” isolation environments
     • Run pods as software-isolated (cgroups, ns)
     • Run pods as VMs with hypervisor isolation
     • OpenStack as a K8s app(s)
  17. What’s up and what’s next?
     • rkt support in mainline Kubernetes @ v1.3
     • Bring up a cluster, node, or pod with rkt as the executor
     • Now/Next (K8s v1.4 & beyond):
       ◦ kubectl attach (CRI and pod mutability)
       ◦ Port-forwarding for alternate stage1s
       ◦ Your contributions, suggestions, and experiments!
  18. What’s it all about?
     • Decouple the application from the OS
       ◦ Then you can upgrade them both, and each
       ◦ Containers: distribution and execution
     • Automate OS upgrades
     • Orchestrate the result as a unified resource
       ◦ Apps evolve -- are continuously deployed and scaled
     • Democratize access to utility computing
       ◦ #GIFEE
  19. Current Events
     • CNI as Kubernetes network plugin model
     • Docker refactor: runc, containerd
     • Appc and OCI: Standard for container images
     • ocid: Let 1000 runtimes bloom?
       ◦ ocid: Inherits runc: Pro and Con