Building a Virtualized Continuum with Intel(r) Clear Containers
29
Manohar Castelino Amy Leeland Intel Open Source Technology Center
-
Upload
michelle-holley -
Category
Software
-
view
22 -
download
0
Transcript of Building a Virtualized Continuum with Intel(r) Clear Containers
Manohar Castelino
Amy Leeland
Intel Open Source Technology Center
Containers are...
Speedy Quick creation, update, and uninstall cycle
Request and provision in milliseconds
ManageableContainers take the complexity out of bundling, distributing and installing applications
EasySimple and easy to use and maintain
Secure? What about security and isolation? Can a container include hardware isolation like a Virtual Machine?
2
The word “Container” is used for different things
Containers =Linux* Kernel
Containers
3
App Containers
Packaging Deployment
Linux* Kernel Containers
Resource Allocation
Isolation
+
*Other names and brands may be claimed as the property of others.
Server hardware
Linux* Kernel
Container A Container CContainer B
Middleware
App App App
Middleware Middleware
4*Other names and brands may be claimed as the property of others.
While there are Many benefits to containers there are still security concerns
Server hardware
Linux* Kernel
Container A Container CContainer B
Middleware
App App App
Middleware Middleware
*Other names and brands may be claimed as the property of others. 6
Intel®clear containers
http://www.clearlinux.org/containers
Server hardware
Linux Kernel
Container A
Middleware (A)
App
Intel® VT-x
Linux* Kernel (A)
Container B
Middleware (de-duplicate of A)
App
Linux Kernel (de-duplicate of A)
Container C
Middleware (C)
App
Linux Kernel (C)
Intel® VT-x Intel® VT-x
Intel® Clear Containers and Intel® Virtualization Technology (Intel® VT-x)
8*Other names and brands may be claimed as the property of others.
Clear Containers, Create a continuum between containers and VMs
Before Intel® Clear Containers
“Hot”“Old & Stale”
Intel® Clear Container with Intel® Virtualization Technology
(Intel® VTx)
ContainerTechnology
After Intel Clear Container
9*Other names and brands may be claimed as the property of others. The nominative use of third party logos serves only the purposes of description and identification.
*
*
Industry engagement
https://github.com/clearcontainers
Intel® Clear Containers Are integrated within the ecosystem
1.12.1Switchable runtime in Docker
2.1 Intel® Clear Containers 2.1 Available on GitHub* and clearlinux.org
11*Other names and brands may be claimed as the property of others. The nominative use of third party logos serves only the purposes of description and identification.
1.5CRI compatible runtime
Rkt* 1.0AppCcompatible runtime
Intel® Clear Containers are packaged for multiple Linux* distributions
12
*
*
*
*
13
Upstream and Downstream Proliferation Goals
*Other names and brands may be claimed as the property of others. The nominative use of third party logos serves only the purposes of description and identification.
CNI CNM
ISV’s+
Integrators
* *
How we made them smaller and faster
14
Traditional Intel Clear Containers
rootfs
QEMU*
Intel® Clear Containers vs traditional VMs
KVM*Kernel <v4.0
Kernel
Clear Linuxrootfs
QEMU-lite
KVM*Kernel >=v4.0
Clear Linuxkernel
QEMU-lite is optimized for size and speed.
We use a recent KVM, it is optimized for memory sharing (KSM) and boot speed.
The Clear Linux kernel is optimized for container boot performance.
The Clear Linux user space is optimized for further container boot.S
tan
da
rd D
istr
o
CC
Min
i-O
S
Ho
stC
lie
nt/
Co
nta
ine
rOptimizations
15*Other names and brands may be claimed as the property of others.
Ho
st
Intel® Clear Containers Architecture – Docker*
16*Other names and brands may be claimed as the property of others.
Intel® Clear Containers adds a new runtime for Docker*
Intel Clear Containers
provide a plugin
replacement of runc with
cor, our OCI runtime.
17*Other names and brands may be claimed as the property of others. The nominative use of third party logos serves only the purposes of description and identification.
dockerd -D --add-runtime cor=/usr/bin/cc-oci-runtime --default-runtime=runc
cc-proxy hyperstart
cc-oci-runtime
cc-shim
VM
I/O
CTL
containerd-shim
Containerworkload
9pfs
containerd
Docker* Engine
*Other names and brands may be claimed as the property of others.
Intel® Clear Containers add a new runtime for Kubernetes*
19*Other names and brands may be claimed as the property of others.
Kubernetes* MasterCRI-O/ocid
cc-oci-runtime
Kubelet*
Kube-runtime
Kubernetes Node
Virtual Machine
hyperstart
Ctr 1
Ctr 2
Pod
Ctr 3
*Other names and brands may be claimed as the property of others.
Intel® Clear Containers Networking
21*Other names and brands may be claimed as the property of others.
22
VM
workload
Pod
QEMUT
A
P
Docker
Bridge
Clear
Containers
Bridge
veth pair
Container networking namespaceHost networking
namespace
HANDS ON
https://github.com/clearcontainers
24
Docker Swarm – Networking - Demo
Clear Containers – Quick start- Clear Containers can be run within privileged Docker* containers
- Images available with Fedora*, Ubuntu*, and Clear Linux as the host OS
- https://hub.docker.com/u/clearcontainers/
- Trying out the images:
sudo docker run -it --privileged clearcontainers/clearlinux
docker run -it debian
25*Other names and brands may be claimed as the property of others.
Clear Containers – Installing on fedora*dnf install cc-oci-runtime linux-container
- Configure clear containers to be the default runtime:
ExecStart=/usr/bin/dockerd --add-runtime cor=/usr/bin/cc-oci-runtime --default-runtime=cor
https://github.com/01org/cc-oci-runtime/wiki/Installing-Clear-Containers-on-Fedora-25
26*Other names and brands may be claimed as the property of others.
Clear Containers: Get Involved Start Here!
• https://clearlinux.org/containers
Check us out on GitHub*! Join the conversation!• https://github.com/clearcontainers• IRC: #clear-containers on Freenode*• Mailing list: https://lists.01.org/mailman/listinfo/cc-devel
27*Other names and brands may be claimed as the property of others.
28
Legal notices and disclaimersIntel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at intel.com, or from the OEM or retailer.
No computer system can be absolutely secure.
Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. For more complete information about performance and benchmark results, visit http://www.intel.com/performance.
Intel, the Intel logo and others are trademarks of Intel Corporation in the U.S. and/or other countries.
The nominative use of third party logos serves only the purposes of description and identification. *Other names and brands may be claimed as the property of others.
© 2016 Intel Corporation.
