Interoperable Containers

Transcript of Interoperable Containers

1. interoperable containers. Fabio Kung
2. Fabio, Runtime Systems at I run linux containers.
3.
4. write once, run everywhere. Sun Microsystems (?)
5. write once, debug everywhere (?)
6.
7. Developers want apps...
8. PaaS wants scale...
9. Docker wants... (docker logo usage follows guidelines published at )
10. PaaS, You, docker, lxc, lmctfy ... background: Containers
11. Containers
12. "trying to make Docker secure for multi-tenant scenarios is a can of worms" darren0, at #docker-dev
13. 1 vs 1M
14. Root
15. apt-get install
16. vi /etc/
17. mount -t fancy
18. modprobe something
19. iptables -A INPUT
20. kernelspace abuse
21. User Namespaces. Unprivileged Containers
22. "(...) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)" Michael Kerrisk, "Namespaces in operation, part 6: more on user namespaces"
23.
    if (getuid() == 0) {
        // do root stuff
    }
24. just don't run as root?
25. also SUID
26. Restrictions
27. Networking
28. ephemeral disks
29. arch, OS, image size, ...
30. containers/container-rfc (GitHub): A vendor neutral format for Linux container images and runtime
31. Image Size
32. Layers
33. Updates? (noncommercial use)
34. Packages, slugs
35. dotcloud/docker#332: docker load --rebase=new-base-image
36. Apps
37. Buildpacks: app source + base image
38.
    FROM heroku/cedar
    ADD . /buildpack
    ONBUILD ADD . /app
    ONBUILD RUN /buildpack/bin/compile /app
    ONBUILD ENV PORT 5000
    ONBUILD EXPOSE 5000
39. `ONBUILD ONBUILD` dotcloud/docker#5714
40. Buildstep
41.
42.
    #!/usr/bin/env make -f
    buildpath := .build
    buildpackpath := $(buildpath)/pack
    buildpackcache := $(buildpath)/cache

    build: $(buildpackpath)/bin
    	$(buildpackpath)/bin/compile . $(buildpackcache)

    $(buildpackcache):
    	mkdir -p $(buildpath)
    	mkdir -p $(buildpackcache)
    	curl -O
    	mv go.tgz $(buildpath)

    $(buildpackpath)/bin: $(buildpackcache)
    	mkdir -p $(buildpackpath)
    	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
43.
    ruby = ""
    app_container "myapp" do
      buildpack ruby
      git_url ""
    end

    define :app_container, name: nil, buildpack: nil, git_url: nil do
      # ...
      execute "#{name} buildpack compile" do
        command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
      end
    end
44. container centric: whole image. app centric: builds as a mapping layer. recap: the container revolution
45. Thank you! All images used in this presentation are under a Creative Commons License, unless otherwise noted
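Slides 21 to 25 turn on one point: inside a user namespace the first process sees `getuid() == 0`, so an `if (getuid() == 0) { /* do root stuff */ }` check passes, yet that uid 0 is only a mapped, unprivileged uid of the wider system. The C program below is an added example, not code from the talk; it forks a child, has it enter a fresh user namespace with `unshare(CLONE_NEWUSER)`, maps uid 0 inside to the caller's real uid outside by writing `/proc/self/uid_map`, and then reports two facts: that `getuid()` now returns 0, and that even this "root" cannot `setuid(1)`, because uid 1 is not mapped in the namespace and the kernel refuses with EINVAL. It assumes a Linux kernel with user namespaces enabled and `/proc` mounted; where `unshare` is blocked (seccomp, `kernel.unprivileged_userns_clone=0`, some sandboxes) it reports -1 instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one mapping line into /proc/self/uid_map, gid_map or setgroups. */
static int write_proc_file(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/*
 * Enter a new user namespace in a child and probe what "root" means there.
 * Return value (bit flags, as seen by the child):
 *   bit 0: getuid() == 0 after the uid_map was written
 *   bit 1: setuid(1) failed with EINVAL (uid 1 is not mapped in the namespace)
 *   -1   : user namespaces cannot be created here (unshare or /proc write failed)
 * On a kernel that permits the namespace the expected value is 3.
 */
int probe_user_namespace(void)
{
    uid_t outer_uid = getuid();
    gid_t outer_gid = getgid();
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        char line[64];
        int result = 0;

        /* New user namespace: the child holds a full capability set in it. */
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(255);

        /* Kernels >= 3.19 require setgroups to be denied before an
         * unprivileged process may write gid_map; ignore failure on older ones. */
        write_proc_file("/proc/self/setgroups", "deny");

        /* Map uid 0 inside -> the caller's own uid outside (one-entry map). */
        snprintf(line, sizeof line, "0 %u 1", (unsigned)outer_uid);
        if (write_proc_file("/proc/self/uid_map", line) != 0)
            _exit(255);
        snprintf(line, sizeof line, "0 %u 1", (unsigned)outer_gid);
        write_proc_file("/proc/self/gid_map", line);

        /* The slide's check passes now... */
        if (getuid() == 0)
            result |= 1;
        /* ...but this "root" cannot take on any uid outside its map. */
        if (setuid(1) != 0 && errno == EINVAL)
            result |= 2;
        _exit(result);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    int r = probe_user_namespace();
    if (r < 0)
        printf("user namespaces not available here\n");
    else
        printf("inside the namespace: getuid()==0 is %s, setuid(1) refused is %s\n",
               (r & 1) ? "true" : "false", (r & 2) ? "true" : "false");
    return 0;
}
```

The one-line map is the whole story of slide 22: the child is "root" only with respect to objects owned by its own outer uid, and every uid or gid outside the map is simply invalid in there. That is what makes a container process's uid 0 safe to hand out, and it is also why an application's `getuid() == 0` test says nothing about whether it can actually touch the host.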