Docker San Diego 2015-03-25

Tweet questions to @misterbisson

Proprietary & Confidential Information © 2015 Joyent, Inc ‹#›.

Introducing Triton

A New Horizon in Container Infrastructure


Powering modern applications
• Your favorite code
• Container-optimized infrastructure
• Your favorite tools


Our data center or yours
• Joyent Public Cloud (Joyent Container Service): We run our customers' mission-critical applications on container-native infrastructure.
• Private data center: SmartDataCenter is an on-premise container run-time environment used by some of the world's most recognizable companies.
• Node.js enterprise support: As the corporate steward of Node.js and one of the largest-scale production users, Joyent is uniquely equipped to deliver the highest level of enterprise support for this dynamic runtime.
  • Best practices guidance
  • Performance analysis
  • Core file analysis
  • Debugging support
  • Critical incident support


Docker container hosting
The original container infrastructure company loves the new container packaging standard…
• Portability: from laptop to any public or private cloud
• Productivity: faster code, test, and deploy
• DevOps for everyone: a large community building tools for management, deployment, and scale

Docker + Joyent

                  Docker                                   Joyent
Images            • Application centric                    • Machine centric
                  • Sharable, re-usable, versioned         • Limited tool ecosystem
                  • Growing tool ecosystem
Infrastructure    • Laptop-centric                         • Data center-centric
                  • Known, complicated security            • Proven security
                  • Networking challenges                  • Fantastic networking
                  • Hampered by base OS limitations        • Optimized for containers at scale

                  Docker   Joyent
Images            👍        👎
Infrastructure    👎        👍


Docker on a laptop is easy
• A single host simplifies container communication
• Networking focused on localhost access
• Development focus often ignores security risks
• Management costs are hidden in development time
• Performance expectations are limited by the development context, traded for convenience


(Diagram: three Docker hosts at 10.0.9.25, 10.0.9.2 and 10.0.9.77, each publishing container ports such as :80, :81, :443, :3306, :5432, :7711 and :11311 out of the host's single port space)

Docker networking is hard
The network implementation is host-centric, requiring port mapping and port-collision avoidance, which makes it difficult to connect containers on different hosts.


Docker host proliferation sucks
Traditional Docker cloud deployments require managing multiple containers and hosts (hardware or VMs).

What can we do?


The future is now
“For me, the next step in containerization is treating the datacenter, with all its containers, like one giant computer or server. Many applications today are really just distributed systems: Applications aren’t necessarily confined to just one container. We might have an application that consists of ten containers running together. We could have 1,000 applications running across 10,000 containers. Or we might have a single big data job that involves multiple, interdependent applications.”

– Andreessen Horowitz’s Peter Levine
a16z.com/2015/01/22/containers/

We were thinking the exact same thing… last year

Container anatomy
• Application package
• Runtime environment, i.e. the execution driver: LXC, libcontainer, or a SmartOS Zone

Whoa, did he just say SmartOS?

Yes, but…

Linux + SmartOS

                        Linux                                   SmartOS
Binary footprint        • Huge community of apps                • Most of the same apps
                        • Many apps are Linux-first or -only    • Some apps have quirks
                        • Problems are easy to Google           • Problems are not easy to Google
Container optimization  • Known vulnerabilities                 • Nearly ten years in production without incident
                        • Poor filesystem                       • Container-optimized filesystem: ZFS
                        • Limited networking support            • Really sweet networking: Crossbow
                        • Not built for containers              • Built for containers

                        Linux   SmartOS
Binary footprint        👍       👎
Container optimization  👎       👍


LX branded zones (layered from the application down to the kernel)
• The internet
• Native Linux binaries
• Linux syscall translation
• SmartOS kernel

It feels like Linux and runs like SmartOS

This is the container-native promised land

Container-native?

• Unit of compute: the container
• Provision containers… not VMs
• Containers run on bare metal… not in VMs
• Pay for containers… not VMs

Our simple app: Nginx, PostgreSQL, Node, audiofprint

Deploy that app
• VM-native: the four containers inside one VM (2 vCPU / 7.5GB RAM)
• Container-native: the four containers directly on the infrastructure, no VM

Now scale it
• VM-native: eight containers (two of each service) spread across four VMs (2 vCPU / 7.5GB RAM each)
• Container-native: eight containers, two of each service, zero VMs

What’s that bill?

                  VMs   Containers   Hourly        Monthly
VM-native         4     8            $0.560/hour   $403.20/month
Container-native  0     8            $0.315/hour   $226.66/month


Elastic Container Infrastructure
(Diagram: the six axes used in the slides that follow: security, management, introspection, performance, utilization, networking)


The world today
Bare metal provides great performance, but no scalability. It is secure only as a single unit, as a single machine, for a single tenant.
(Diagram: Bare Metal, an OS directly on hardware, scored on the six axes)


The world today
Virtual machines (HVM) give you scale (multi-tenancy), but performance suffers because of overhead and resource cost.
(Diagram: HVM, a hypervisor on hardware with a guest OS per VM, next to Bare Metal on the six axes)


The best of both worlds
Joyent’s Triton Container Infrastructure delivers bare-metal performance and the scale of a virtual machine.
(Diagram: Triton, containers directly on the host OS on hardware, alongside Bare Metal and HVM on the six axes)


Performance at scale
Containers run with the same performance advantages as bare metal, including lower-latency access to CPU, storage, and network resources, but at datacenter scale.



Datacenter as a single host
Triton virtualizes the entire datacenter as a single Docker host.


Security
Triton’s container hypervisor (OS-level virtualization with SmartOS zones, not a hardware hypervisor) provides full isolation per container in a multi-tenant environment.
(Diagram: Bare Metal, Triton and HVM side by side on the six axes)


Networking
Each Triton Docker container has its own unique IP address, isolated in our fully virtualized, container-aware infrastructure. This approach enables you to fully and discretely manage and network containers.
(Diagram: under the HVM model the containers behind each guest OS share one port space through mapped ports such as :11311 and :16050; under Triton every container has its own 10.0.9.x address)


Docker + Triton advantages

Production-grade security
• Uncomplicated, proven secure environment for Docker containers

High-speed, sophisticated networking
• Wire-speed, user-defined VXLAN SDN overlay
• A unique IP for each Docker container eliminates port mapping and collisions
• Virtualized on the server, no additional hardware required

Simplified management and debugging
• Focus on containers, rather than infrastructure, with a single, elastic Docker host

Bare metal performance at cloud scale
• OS-virtualized performance in secure containers
• High-density container packing enables unmatched utilization
• Elastic resource usage allows bursting workloads and vertical scaling without reboots
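An added example, not from the deck and not Joyent's or Docker's code, that models the two networking schemes the deck contrasts: the host-centric port mapping of "Docker networking is hard" (one port space per host, so containers that want the same port collide and cross-host clients must learn the mapped port) and the per-container IP on an SDN overlay described under "Networking" and in the advantages list above. The hosts, services and 10.0.9.x addresses are constructed for illustration, and the sequential address assignment stands in for the overlay's own address pool.

```python
"""Two container-networking models, side by side.

Host-centric (Docker on one host): every published container port lands in
the host's single port space, so two containers that both listen on :80
collide and one must be re-mapped, and a client on another host needs the
(host_ip, mapped_port) pair instead of the service's own port.

Per-container IP (the Triton/SDN model): each container owns an address on
the overlay and keeps its native port, so nothing is re-mapped.

The hosts, services and 10.0.9.x addresses below are constructed for this
example; the sequential address assignment stands in for an SDN's own pool.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]  # (ip, port) a client must dial


@dataclass(frozen=True)
class Service:
    name: str
    port: int  # port the process listens on inside its container


@dataclass(frozen=True)
class Host:
    ip: str
    services: Tuple[Service, ...]


class PortCollision(Exception):
    """Raised when two containers on one host want the same host port."""


def map_host_centric(hosts: List[Host], strict: bool = False) -> Dict[str, Endpoint]:
    """Host port mapping: {service: (host_ip, host_port)}.

    strict=True mirrors what the daemon does when a host port is already
    bound (the second `docker run -p 80:80` fails); strict=False mirrors the
    manual workaround of bumping the service to the next free host port.
    """
    endpoints: Dict[str, Endpoint] = {}
    for host in hosts:
        bound = set()  # host ports already taken on this host
        for svc in host.services:
            host_port = svc.port
            if host_port in bound and strict:
                raise PortCollision(f"{svc.name}: {host.ip}:{host_port} already bound")
            while host_port in bound:
                host_port += 1
            bound.add(host_port)
            endpoints[svc.name] = (host.ip, host_port)
    return endpoints


def map_per_container_ip(hosts: List[Host], prefix: str = "10.0.9.", first: int = 100) -> Dict[str, Endpoint]:
    """Per-container IP: {service: (container_ip, native_port)}; no port is rewritten."""
    endpoints: Dict[str, Endpoint] = {}
    nxt = first
    for host in hosts:
        for svc in host.services:
            endpoints[svc.name] = (f"{prefix}{nxt}", svc.port)
            nxt += 1
    return endpoints


def rewritten_ports(endpoints: Dict[str, Endpoint], hosts: List[Host]) -> List[str]:
    """Services whose clients must dial a port other than the one the process
    listens on: exactly the services whose cross-host consumers have to be
    told about the host mapping."""
    native = {svc.name: svc.port for host in hosts for svc in host.services}
    return sorted(name for name, (_, port) in endpoints.items() if port != native[name])


# Constructed layout: two hosts, each running two copies of a service that
# wants the same well-known port, plus a Node app on each.
HOSTS = [
    Host("10.0.9.2", (Service("nginx-a", 80), Service("nginx-b", 80), Service("node-a", 3000))),
    Host("10.0.9.25", (Service("pg-a", 5432), Service("pg-b", 5432), Service("node-b", 3000))),
]

if __name__ == "__main__":
    print("host-centric:", map_host_centric(HOSTS))
    print("rewritten ports:", rewritten_ports(map_host_centric(HOSTS), HOSTS))
    print("per-container IP:", map_per_container_ip(HOSTS))
    try:
        map_host_centric(HOSTS, strict=True)
    except PortCollision as exc:
        print("strict mapping:", exc)
```

Under host-centric mapping the second nginx and the second PostgreSQL end up on rewritten ports (81 and 5433), and anything on the other host that wants to reach them must be told the host address and the rewritten port; with a per-container IP no port is rewritten and every container is reachable at its own address. One reminder when reproducing the host-centric side with real Docker: `-p 80:80` publishes on every host interface unless the mapping pins an address, e.g. `-p 127.0.0.1:80:80`.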


Triton: the best place to run Docker containers, making Ops simple and scalable.

Demo time

Thank you

Remember Joyent for…
• Proven container security: run containers securely on bare metal in multi-tenant environments
• Bare metal container performance: eliminate the hardware hypervisor tax
• Simplified container networking: each container has its own IP in a user-defined network (SDN)
• Simplified host management: eliminates Docker host proliferation
• Hybrid, your data center or ours: private cloud, public cloud, hybrid cloud