Interoperable Containers

Post on 11-Nov-2014


Transcript of Interoperable Containers

interoperable

containers

Fabio Kung

fabio@heroku.com

https://www.flickr.com/photos/usnavy/8612337045

Fabio, Runtime Systems at

I run linux containers.

http://12factor.net

“write once, run everywhere” – Sun Microsystems (?)

“write once, debug everywhere” – (?)

https://www.flickr.com/photos/tjblackwell/3545764529

Developers want apps...

https://www.flickr.com/photos/cyol/7642566946

PaaS wants scale...

https://www.flickr.com/photos/johngarghan/3401814659

Docker wants...

docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/

PaaS

You

docker

lxc

lmctfy...

background: https://www.flickr.com/photos/jdhancock/12397433023

Containers

https://www.flickr.com/photos/joshua/433354324

“trying to make Docker secure for multi-tenant scenarios is a can of worms”

– darren0, at #docker-dev

1 vs 1M

https://www.flickr.com/photos/enerva/9068467267

Root

https://www.flickr.com/photos/ashleyrosex/2861690380

apt-get install …

vi /etc/…

mount -t fancy …

modprobe something

iptables -A INPUT …

kernelspace abuse

https://www.flickr.com/photos/erlendaasland/4107345124

User Namespaces

Unprivileged Containers

https://www.flickr.com/photos/ntr23/730371240

“(…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)”

– Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces", LWN.net

if (getuid() == 0) {
    // do root stuff
}

just don't run as root?

also SUID
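The point behind the getuid() check above, as an added example that is not from the talk: inside a user namespace getuid() can report 0 while the effective capability mask (the CapEff line of /proc/self/status) is what actually gates privileged operations. The capability bit numbers and the small status parser are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Capability bit numbers as in linux/capability.h, hard-coded here so the
 * example builds without that header (example constants). */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21

/* Parse the CapEff line out of /proc/<pid>/status-style text.
 * Returns the effective capability mask, or 0 if no CapEff line is present. */
uint64_t cap_eff_from_status(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return 0;
    /* strtoull skips the tab after the colon and parses the hex mask */
    return (uint64_t)strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* Test one capability bit in a mask: 1 if present, 0 otherwise. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

/* Read this process's own effective capability mask; 0 on any failure. */
uint64_t my_cap_eff(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_eff_from_status(buf);
}

int main(void)
{
    uint64_t caps = my_cap_eff();
    /* uid 0 inside a user namespace still makes getuid() return 0; the
     * capability mask is what decides whether "root stuff" will succeed. */
    printf("getuid() == %u\n", (unsigned)getuid());
    printf("CapEff   == %016llx\n", (unsigned long long)caps);
    printf("CAP_SYS_ADMIN: %s\n", has_cap(caps, CAP_SYS_ADMIN) ? "yes" : "no");
    printf("CAP_NET_ADMIN: %s\n", has_cap(caps, CAP_NET_ADMIN) ? "yes" : "no");
    return 0;
}
```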

Restrictions

https://www.flickr.com/photos/mollivan_jon/10431164633

Networking

https://www.flickr.com/photos/emptyage/177466621

ephemeral disks

https://www.flickr.com/photos/pixeltree/4876732522

arch, OS, image size, …

containers/container-rfc · GitHub

“A vendor neutral format for Linux container images and runtime”

https://www.flickr.com/photos/littlebiglens/6034320322

Image Size

Layers

https://www.flickr.com/photos/ralan808/11300490173

Updates?

noncommercial use

https://www.flickr.com/photos/doug88888/2801103568

Packages

“slugs”

dotcloud/docker#332

docker load --rebase=new-base-image

Apps

https://www.flickr.com/photos/zoomar/338952152

Buildpacks

app source + base image

FROM heroku/cedar

ADD . /buildpack
ONBUILD ADD . /app
ONBUILD RUN /buildpack/bin/compile /app
ONBUILD ENV PORT 5000
ONBUILD EXPOSE 5000

`ONBUILD ONBUILD`

dotcloud/docker#5714

Buildstep

https://github.com/progrium/buildstep

https://github.com/radial/

#!/usr/bin/env make -f

buildpath := .build
buildpackpath := $(buildpath)/pack
buildpackcache := $(buildpath)/cache

build: $(buildpackpath)/bin
	$(buildpackpath)/bin/compile . $(buildpackcache)

$(buildpackcache):
	mkdir -p $(buildpath)
	mkdir -p $(buildpackcache)
	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
	mv go.tgz $(buildpath)

$(buildpackpath)/bin: $(buildpackcache)
	mkdir -p $(buildpackpath)
	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz

ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

app_container "myapp" do
  buildpack ruby
  git_url "git@mycompany.com:myapp.git"
end

define :app_container, name: nil, buildpack: nil, git_url: nil do
  # ...

  execute "#{name} buildpack compile" do
    command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
  end
end

container centric: whole image

app centric: builds as a mapping layer

recap: the container revolution

Thank you!

fabio@heroku.com

All images used in this presentation are under a Creative Commons License, unless otherwise noted

https://www.flickr.com/photos/compacflt/5948542359