Interoperable Containers
Upload: docker-inc
Category: Documents
Transcript of Interoperable Containers
Fabio, Runtime Systems at
I run linux containers.
http://12factor.net
“write once, run everywhere” – Sun Microsystems (?)
“write once, debug everywhere” – (?)
https://www.flickr.com/photos/tjblackwell/3545764529
Developers want apps...
https://www.flickr.com/photos/cyol/7642566946
PaaS wants scale...
https://www.flickr.com/photos/johngarghan/3401814659
Docker wants...
docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/
PaaS
You
docker
lxc
lmctfy...
background: https://www.flickr.com/photos/jdhancock/12397433023
Containers
https://www.flickr.com/photos/joshua/433354324
“trying to make Docker secure for multi-tenant scenarios is a can of worms”
– darren0, at #docker-dev
1 vs 1M
https://www.flickr.com/photos/enerva/9068467267
Root
https://www.flickr.com/photos/ashleyrosex/2861690380
apt-get install …
vi /etc/…
mount -t fancy …
modprobe something
iptables -A INPUT …
kernelspace abuse
https://www.flickr.com/photos/erlendaasland/4107345124
User Namespaces
Unprivileged Containers
https://www.flickr.com/photos/ntr23/730371240
“(…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)”
– Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces", LWN.net
if (getuid() == 0) { /* do root stuff */ }
just don't run as root?
also SUID
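The `getuid() == 0` test on the slide is the trap user namespaces set: inside an unprivileged container the process really does see uid 0, yet its capabilities stop at the namespace boundary. The C program below is an added example (not code from the talk or from Docker) that contrasts the naive check with one that also consults `/proc/self/uid_map`, which in the initial user namespace reads `0 0 4294967295` and in a child namespace reads something like `0 1000 1` or `0 100000 65536`. The function and variable names, and the two sample map lines, are constructed for this example; the file format itself is the kernel's.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * A uid_map line is "<inside> <outside> <count>". The initial user
 * namespace maps the full uid range onto itself: "0 0 4294967295".
 * Any other first line means the process sits in a child user
 * namespace, where uid 0 is only "root" for that namespace's view.
 * Caveat: a privileged creator can write the same full-range identity
 * map into a child namespace, so this is a heuristic, not a proof.
 */
int uid_map_is_initial_ns(const char *uid_map)
{
    unsigned long inside, outside, count;
    /* %lu skips the leading spaces the kernel pads the columns with */
    if (sscanf(uid_map, "%lu %lu %lu", &inside, &outside, &count) != 3)
        return 0;               /* unreadable map: do not assume initial ns */
    return inside == 0 && outside == 0 && count == 4294967295UL;
}

/* Read the live /proc/self/uid_map; returns -1 if it cannot be read. */
int in_initial_userns(void)
{
    char buf[256];
    FILE *f = fopen("/proc/self/uid_map", "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return uid_map_is_initial_ns(buf);
}

/* The slide's check: uid 0 means root. True inside any user namespace too. */
int naive_is_root(uid_t uid)
{
    return uid == 0;
}

/* Stricter: uid 0 only counts when the uid_map says this is the initial ns. */
int real_root(uid_t uid, const char *uid_map)
{
    return uid == 0 && uid_map_is_initial_ns(uid_map);
}

int main(void)
{
    /* constructed samples: what /proc/self/uid_map looks like on the host
       and inside an unprivileged container that mapped uid 1000 to 0 */
    static const char host_map[]      = "         0          0 4294967295\n";
    static const char container_map[] = "         0       1000          1\n";

    printf("naive(uid 0)        = %d\n", naive_is_root(0));
    printf("real(uid 0, host)   = %d\n", real_root(0, host_map));
    printf("real(uid 0, cntnr)  = %d\n", real_root(0, container_map));
    printf("this process: uid=%u initial_userns=%d\n",
           (unsigned)getuid(), in_initial_userns());
    return 0;
}
```

Run it once on the host and once under `unshare -Ur` (or inside an unprivileged container): `getuid()` reports 0 in both, while the `uid_map` check flips to 0 in the namespace. A setuid binary that branches on `getuid() == 0` alone makes exactly the mistake the slide warns about; the capability bounding set, not the uid, is what the kernel actually enforces.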
Restrictions
https://www.flickr.com/photos/mollivan_jon/10431164633
Networking
https://www.flickr.com/photos/emptyage/177466621
ephemeral disks
https://www.flickr.com/photos/pixeltree/4876732522
arch, OS, image size, …
containers/container-rfc · GitHub
“A vendor neutral format for Linux container images and runtime”
https://www.flickr.com/photos/littlebiglens/6034320322
Image Size
Layers
https://www.flickr.com/photos/ralan808/11300490173
Updates?
noncommercial use
https://www.flickr.com/photos/doug88888/2801103568
Packages / “slugs”
dotcloud/docker#332
docker load --rebase=new-base-image
Apps
https://www.flickr.com/photos/zoomar/338952152
Buildpacks: app source + base image
FROM heroku/cedar
ADD . /buildpack
ONBUILD ADD . /app
ONBUILD RUN /buildpack/bin/compile /app
ONBUILD ENV PORT 5000
ONBUILD EXPOSE 5000
`ONBUILD ONBUILD` (dotcloud/docker#5714)
Buildstep
https://github.com/progrium/buildstep
https://github.com/radial/
#!/usr/bin/env make -f
buildpath := .build
buildpackpath := $(buildpath)/pack
buildpackcache := $(buildpath)/cache

build: $(buildpackpath)/bin
	$(buildpackpath)/bin/compile . $(buildpackcache)

$(buildpackcache):
	mkdir -p $(buildpath)
	mkdir -p $(buildpackcache)
	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
	mv go.tgz $(buildpath)

$(buildpackpath)/bin: $(buildpackcache)
	mkdir -p $(buildpackpath)
	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

app_container "myapp" do
  buildpack ruby
  git_url "[email protected]:myapp.git"
end

define :app_container, name: nil, buildpack: nil, git_url: nil do
  # ...
  execute "#{name} buildpack compile" do
    command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
  end
end
container centric: whole image
app centric: builds as a mapping layer
recap: the container revolution
Thank you!
All images used in this presentation are under a Creative Commons License, unless otherwise noted
https://www.flickr.com/photos/compacflt/5948542359