Success of CRI: Bringing Hypervisor based Container to Kubernetes

Transcript

1. Success of CRI: Bringing Hypervisor based Container to Kubernetes Harry

   Zhang, @resouer


2. About Me ✓Previous: ✓ VMware (Pivotal), Assistant Research Scientist @ZJU

   ✓HyperCrew: ✓https://hyper.sh ✓PM & feature maintainer of Kubernetes project

3. A survey about “boundary” ✓Are you comfortable with Linux containers

   as an effective boundary? ✓Yes, I use containers in my private/safe environment ✓No, I use containers to serve the public cloud

4. As long as we care security… ✓We have to wrap

   containers inside full-blown virtual machines ✓But we lose Cloud Native Deployment ✓slow startup time ✓huge resources wasting ✓memory tax for every container ✓ …

5. HyperContainer ✓being secure ✓while keep Cloud Native

6. Revisit container ✓Container Runtime ✓The dynamic view and boundary of

   your running process ✓Container Image ✓The static view of your program, data, dependencies, files and directories namespace cgroups FROM busybox ADD temp.txt / VOLUME /data CMD [“echo hello"] Read-Write Layer & /data “echo hello” read-only layer /bin /dev /etc /home /lib / lib64 /media /mnt /opt /proc / root /run /sbin /sys /tmp / usr /var /data /temp.txt /etc/hosts /etc/hostname /etc/resolv.conf read-write layer /tem p.txt json json init layer FROM busybox ADD temp.txt / VOLUME /data CMD [“echo hello"] e.g. Docker Container

7. HyperContainer ✓Container runtime: hypervisor ✓RunV • https://github.com/hyperhq/runv • The OCI

   compatible hypervisor based runtime implementation ✓Control daemon • hyperd: https://github.com/hyperhq/hyperd ✓ Init service (PID=1) • hyperstart: https://github.com/hyperhq/hyperstart/ ✓Container image: docker image ✓OCI Image Spec (next candidate)

8. Combine the best parts ✓Portable and behaves like a Linux

   container ✓$ hyperctl run -t busybox echo helloworld • sub-second startup time* • only cost ~12MB extra memory ✓Hardware level virtualization, with independent guest kernel ✓$ hyperctl exec -t busybox uname -r • 4.4.12-hyper (or your provided kernel) ✓HyperContainer naturally match to the design of Pod * More details: http://hypercontainer.io/why-hyper.html

9. Bring HyperContainer to Kubernetes? ✓hypernetes <= 1.5 ✓a volatile internal

   interface (same as rkt) rebase nightmare

10. Bring HyperContainer to Kubernetes? ✓hypernetes 1.6+ ✓C/S mode runtime •

    CRI ✓no fork • hypernetes repo will only contain plugins and TPRs

11. Container Runtime Interface (CRI) ✓Describe what kubelet expects from container

    runtimes ✓Imperative container-centric interface ✓why not pod-centric? • Every container runtime implementation needs to understand the concept of pod. • Interface has to be changed whenever new pod-level feature is proposed. ✓Extensibility ✓Feature Velocity ✓Code Maintainability More details: kubernetes/kubernetes#17048 (by @feiskyer)

12. CRI Spec ✓Sandbox ✓ How to isolate Pod environment? •

    Docker: infra container + pod level cgroups • Hyper: light-weighted VM ✓Container ✓ Docker: docker container ✓ Hyper: namespace containers controlled by hyperstart

13. How CRI Works with HyperContainer? ✓Just implement the interface!

14. Frakti ✓kubernetes/frakti project ✓Released with Kubernetes 1.6 ✓Already passed 96%

    of node e2e conformance test ✓Use CNI network ✓Pod level resource management ✓Mixed runtimes ✓Can be used with kubeadm ✓Unikernels Support (GSoC 2017)

15. Management kubelet How Frakti Works? Workloads Orchestration kubelet SyncLoop Scheduling

    api-server Etcd bind pod, node list pod GenericRuntime SyncPod CRI grpc dockershim remote (no-op) Sandbox Create Delete List Container Create Start Exec Image Pull List frakti client api dockerd hyperd pod CRI Spec

16. How to Write a Runtime Shim? ✓dockershim ✓frakti ✓cri-o ✓rktlet

    ✓…

17. NODE 1. Lifecycle Pod foo container A container B 1.

    RunPodSandbox(foo) Created Running Exited null null CreatContainer() StartContainer() StopContainer() RemoveContainer() $ kubectl run foo … A B foo foo (vm) A B 2. CreatContainer(A) 3. StartContainert(A) 4. CreatContainer(B) 5. StartContainer(B) docker runtime hyper runtime

18. 2.1 Streaming (old version) ✴kubelet becomes bottleneck ✴runtime shim in

    critical path ✴code duplication among runtimes/ shims kubectl apiserver kubelet runtime shim 1. kubectl exec -i 2. upgrade connection 3 stream api see: Design Doc

19. 2.2 Streaming (CRI version) kubectl apiserver kubelet runtime shim 1.

    kubectl exec -i 2. upgrade connection 3. stream api serving process 4. launch a http2 server 6. URL: <ip>:<port> 7. redirect responce 8. update connection CRI see: Design Doc 5. response

20. 2.3 Streaming in frakti kubelet frakti Streaming Server Runtime apiserver

    url of streaming server CRI Exec() url Exec() request $ kubectl exec … "/exec/{token}" stream resp hyperd exec api Stream Runtime Exec() Attach() PortForward()

21. 3.1 Pod Level Resource Management ✓Enforce QoS classes and eviction

    ✓Guaranteed ✓Burstable ✓BestEffort ✓Resource accounting ✓Charge container overhead to the pod instead of the node • streaming server , containerd-shim (per-container in docker)

22. 3.2 Pod Level Resource Management in Frakti ✓Pod sandbox expects

    resource limits been set before start ✓Pod level cgroups values are used for pod sandbox’s resource spec ✓/sys/fs/cgroup/memory/kubepods/burstable/podID/ • Memory of VM = memory.limit_in_bytes ✓/sys/fs/cgroup/cpu/kubepods/burstable/podID/ • vCPU = cpu.cfs_quota_us/cpu.cfs_period_us ✓If not set: ✓1 vCPU, 64MB memory

23. 4. CNI Network in Frakti ✓Pod sandbox requires network been

    set before start ✓Workflow in frakti: 1. Create a network NS for sandbox 2. plugin.SetUpPod(NS, podID) to configure this NS 3. Read the network info from the NS and cache it 4. Also checkpoint the NS path for future usage (TearDown) 5. Use cached network info to configure sandbox VM 6. Keep scanning /etc/cni/net.d/xxx.conf to update cached info HyperContainer A B eth0 vethXXX

24. 5.1 More Than Hypervisor ✓There’s are some workload can not

    be handled by hypervisor … ✓privileged ✓host namespace (network, pid, ipc) ✓user prefer to run them in Linux containers ✓And kubelet does not want deal with multiple runtimes on same node ✴complicated ✴break the current model

25. Physical Server frakti 5.2 Frakti: Mixed Runtimes •Handled by build-in

    dockershim • host namespace, privileged, specially annotated •Use the same CNI network •Mixed run micro-services & legacy applications •hyper: independent kernel •High resource efficiency • Remember the core idea of Borg? •When workload classes meet QoS tiers • Guaranteed VS Best-Effort job hyper runtime dockershim CRI grpc HyperContainer A B HyperContainer A B docker docker docker docker docker

26. But frakti is Only Part of the Whole Picture ✓Hypernetes

    ✓HyperContainer ➡multi-tenancy ➡isolated network ➡persistent volume

27. Architecture of Hypernetes < v1.3 ✓Multi-tenant ✓Top level resource: Network

    ✓tenant 1: N Network ✓Network ✓Network -> Neutron “Port” ✓kubelet -SetUpPod() -> kubestack -> Neutron ✓build-in ipvs based kube-proxy ✓Persistent Volume ✓Directly attach block devices to Pod ✓https://hyper.sh Node Node Node kubestack Neutron L2 Agent kube-proxy kubelet Cinder Plugin v2 Pod Pod Pod Pod Master Object: Network Ceph Object: Pod Object: … KeyStone Neutron Cinder

28. Roadmap of Hypernetes 1.6 Node Node Node kubestack Neutron L2

    Agent kube-proxy kubelet Cinder Plugin v2 Pod Pod Pod Pod KeyStone Neutron Cinder Master Object: Network Ceph Object: Pod Object: … upgrade to frakti upgrade to TPR upgrade to CNI upgrade to flex volume plugin upgrade to RBAC + Keystone

29. Summary ✓CRI simplified the most tricky parts of container runtime

    integration work ✓eliminate pod centric runtime API ✓runtime lifecycle • PodSandbox & Container & Image API ✓Checkpoint • store the auxiliary data in runtime shim ✓streaming • leave to implementation to runtime shim • common streaming server library ✓Kubernetes plugins make re-innovation possible ✓Third Party Resource • for Network object management ✓CNI network • simple but powerful • while CNM is impossible to be used in runtime other than Docker ✓Enable more possibilities ✓Success of CRI is the success of orchestration project itself ✓think about containerd

30. END Harry Zhang, @resouer, HyperHQ Most of these CRI efforts

    owe to my co-worker @feiskyer and the #sig-node! Thank you!