Linux Containers Overview & Roadmap - Red Hat

Page 1: Linux Containers Overview & Roadmap
Bhavna Sarathy, Senior Product Manager, Red Hat
Dan Walsh, Senior Principal Software Engineer, Red Hat
June 12 2013
Page 2: Key elements of Linux Containers
Process Isolation
Security
Resource Management
Management
Page 3: Linux Container Architecture
Page 4: Red Hat Enterprise Linux Container Architecture
Linux Kernel
Hardware
Page 5: Red Hat Enterprise Linux Container Architecture
Linux Kernel
Hardware (Intel, AMD)
Namespaces
Page 6: Namespaces (Process Isolation)
➢ Mount: mounting/unmounting filesystems
➢ UTS: hostname, domainname
➢ IPC: SysV message queues, semaphore/shared memory segments
➢ Network: IPv4/IPv6 stacks, routing, firewall
➢ PID: Private /proc, multiple pid 1's
➢ User (UID): Just showing up in the Kernel now.
  – Not planning on supporting in RHEL7.
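A small added demonstration of the UTS namespace listed above; this is my own example code, not from the deck or from Red Hat's tooling. A forked child unshares its UTS namespace and sets a hostname there while the parent's hostname stays untouched. It assumes Linux with glibc's unshare(2) reachable through ctypes; a plain unshare(CLONE_NEWUTS) needs CAP_SYS_ADMIN (the only route on a kernel without the user namespace the slide mentions), so it falls back to creating an unprivileged user namespace first and otherwise reports the namespace as unavailable.

```python
import ctypes
import errno
import os
import socket

# Clone flags from <linux/sched.h>.
CLONE_NEWUTS = 0x04000000
CLONE_NEWUSER = 0x10000000

# dlopen(NULL) gives the process's global symbol table, which includes libc.
_libc = ctypes.CDLL(None, use_errno=True)


def _unshare(flags):
    """unshare(2) via ctypes: 0 on success, otherwise the errno it failed with."""
    return 0 if _libc.unshare(flags) == 0 else ctypes.get_errno()


def run_in_uts_namespace(new_name):
    """Fork a child, move it into a private UTS namespace and set its hostname.

    mode is 'root' (plain CLONE_NEWUTS worked), 'userns' (an unprivileged user
    namespace had to be created first) or 'unavailable' (neither is allowed).
    """
    parent_before = socket.gethostname()
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: only this process ends up in the new namespace
        os.close(rfd)
        mode, err = "root", _unshare(CLONE_NEWUTS)
        if err == errno.EPERM:  # no CAP_SYS_ADMIN: try a user namespace first
            mode, err = "userns", _unshare(CLONE_NEWUSER | CLONE_NEWUTS)
        if err == 0:
            try:
                socket.sethostname(new_name)  # changes only this namespace
            except OSError:
                mode = "unavailable"
        else:
            mode = "unavailable"
        os.write(wfd, f"{mode}\n{socket.gethostname()}".encode())
        os._exit(0)
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        report = pipe.read().decode()  # empty if the child was killed
    os.waitpid(pid, 0)
    mode, _, child_name = report.partition("\n")
    return {
        "mode": mode or "unavailable",
        "child_hostname": child_name,
        "parent_hostname": socket.gethostname(),
        "parent_unchanged": socket.gethostname() == parent_before,
    }
```

Run as root (or on a kernel that allows unprivileged user namespaces) the child reports the new name; a sandbox that blocks unshare(2) yields mode 'unavailable' and the parent hostname is untouched either way.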
Page 7: Namespace Use (Process Isolation)
➢ pam_namespace - RHEL5/6
  ➢ pam_namespace: Private /tmp
➢ SELinux sandbox - RHEL6
➢ SystemD - Fedora 17
  ➢ Unit file: PrivateTmp, PrivateNetwork
➢ OpenShift - RHEL6
Page 8: Red Hat Enterprise Linux Container Architecture
Linux Kernel
Hardware (Intel, AMD)
Namespaces
Cgroups
Page 9: Resource Management with Cgroups
Linux Kernel
Hardware (Intel, AMD)
Namespaces
Cgroups: Memory, Network, Block IO, CPU
Page 10: Cgroup Use (Resource Management)
➢ Libvirt/qemu – RHEL6
➢ OpenShift - RHEL6
➢ SystemD - Fedora 18
  ➢ Unit file: ControlGroup*
➢ Red Hat Storage Server
  ➢ Gluster - RHEL6
Page 11: Red Hat Enterprise Linux Container Architecture
Linux Kernel
Hardware (Intel, AMD)
Namespaces
Cgroups
SELinux
Page 12: SELinux Use (Security)
➢ Targeted - RHEL4
➢ MLS – RHEL5
➢ Targeted/MCS - RHEL6
  ➢ sVirt
  ➢ OpenShift
  ➢ sandbox -X
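The MCS separation that sVirt, OpenShift and the sandbox rely on, shown as an added illustration that is my own code and not from the deck or from libvirt: every container gets a label carrying two random categories, and a process may only reach an object whose category set it dominates, so two containers with different pairs cannot touch each other's files while an unlabelled (s0) shared image is readable by both. The two-category scheme and the c0..c1023 range are assumed to mirror libvirt's sVirt defaults; the label syntax and the dominance rule are those of the SELinux MCS policy.

```python
import random
import re

# 's0' alone, or 's0:c12,c45' (sensitivity plus a comma-separated category set).
_LABEL_RE = re.compile(r"^(s\d+)(?::(c\d+(?:,c\d+)*))?$")


def parse_mcs(label):
    """Split an MCS label into (sensitivity, frozenset of category numbers)."""
    match = _LABEL_RE.match(label)
    if not match:
        raise ValueError(f"not an MCS label: {label!r}")
    sens, cats = match.groups()
    cat_set = frozenset(int(c[1:]) for c in cats.split(",")) if cats else frozenset()
    return sens, cat_set


def format_mcs(sens, cats):
    """Inverse of parse_mcs; categories are printed in ascending order."""
    return sens if not cats else sens + ":" + ",".join(f"c{c}" for c in sorted(cats))


def mcs_dominates(subject, obj):
    """MCS rule: access is allowed only when the subject's category set is a
    superset of the object's at the same sensitivity level. Containers with
    distinct category pairs therefore cannot read or write each other's files."""
    s_sens, s_cats = parse_mcs(subject)
    o_sens, o_cats = parse_mcs(obj)
    return s_sens == o_sens and o_cats <= s_cats


class McsAllocator:
    """Hands out unique two-category labels, one per container, the way sVirt
    does for each guest (assumed here: categories drawn from c0..c1023)."""

    def __init__(self, ncats=1024, seed=None):
        self.rng = random.Random(seed)  # seed only makes demos reproducible
        self.ncats = ncats
        self.used = set()

    def allocate(self):
        while True:
            pair = frozenset(self.rng.sample(range(self.ncats), 2))
            if pair not in self.used:  # never reuse a pair while it is live
                self.used.add(pair)
                return format_mcs("s0", pair)
```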
Page 13: Red Hat Enterprise Linux Container Architecture
Linux Kernel
Hardware (Intel, AMD)
Namespaces
Cgroups
SELinux
Libvirt
Network Devices
Page 15: Red Hat Enterprise Linux Container Architecture
Linux Kernel
Hardware (Intel, AMD)
Namespaces
Cgroups
SELinux
Libvirt
Containers Containers
Network Devices
Page 16: Libvirt Use (Management)
➢ Libvirt - RHEL5, RHEL6
  ➢ Launch Virtual Machines
➢ Libvirt-lxc – RHEL6.4
  ➢ Launch Containers
Page 17: Linux Container Use Cases
Process Isolation
Security
Resource Management
Management
Page 18: Containers use cases
Shared RHEL Host Software
➢ Generic Application Container
➢ Systemd Application Container
Page 19: Containers use cases
Shared RHEL Host Software
➢ Generic Application Container
➢ Systemd Application Container
Unshared OS Software
➢ Chroot Application Container
➢ Booted OS Container
Page 20: Generic Application Container
virt-sandbox-service
Libvirt
libvirt-lxc
Any command
Planned for RHEL 7.0
Page 21: Systemd Application Container
systemd
virt-sandbox-service
Libvirt
libvirt-lxc
systemd Unit file
Planned for RHEL 7.0
Page 22: Chroot Application Container
virt-sandbox-service
Libvirt
libvirt-lxc
Any Command In Chroot
Support TBD in RHEL 7.*
Page 23: Booted OS Container
virt-sandbox-service
Libvirt
libvirt-lxc
/sbin/init
Page 24: Booted OS Containers
virt-sandbox-service
Libvirt
libvirt-lxc
/sbin/init
Not supported!!! Use KVM
Page 25: Containers vs KVM Virtualization
When should I use containers and when should I use KVM?
Page 26: Containers vs KVM Virtualization
✔ Startup and shutdown speed
✔ Ease of Maintenance
✔ Easy to create
✔ System-wide changes visible in each container
✔ For RHEL Shared OS Containers
✔ Scalability: Number of containers
✔ Process Memory Sharing
Page 27: KVM Virtualization vs Containers
✔ Boot multiple Different Operating Systems
✔ Including Windows
✔ Separate kernel
✔ Better Security
✔ Kernel crash does not take down host
✔ Guest Isolation from host changes
✔ Full Separation
✔ Features such as live migration, live storage migration
Page 28: Linux Containers: Scalability
How many containers can you run?
➢ Theoretical
  ➢ Scales to 6000 containers and 12000 bind mounts of root filesystem directories
➢ Practical
  ➢ Running real workloads, containers doing work in parallel
Page 29: Linux Containers Demo
Page 30: Future
➢ Seccomp – Linux syscall restriction
➢ Better audit support/logging support
➢ Working UnionFS.
➢ What's going to break?????
Page 31: Questions?
Page 32: Related Summit Sessions
Managing SELinux in the Enterprise
– Wed 4:50 pm, Rm 312
Secure Development Practices
– Thu 1:20 pm, Rm 306
Under the Hood of OpenShift, Turbocharged by RHEL
– Thu 3:40 pm, Rm 304
KVM Hypervisor Roadmap & Technology Update
– Thu 10:40am, Rm 304
Hypervisor Technology Comparison & Migration
– Fri 9:45am, Rm 313
Page 33: Contact Info
Dan Walsh
Email: [email protected]
Blog: danwalsh.livejournal.com
Twitter: @rhatdan
Bhavna Sarathy
Email: [email protected]