Docker-v3.pdf

Docker-v3.pdf
The Docker Ecosystem Definition,Architecture,Status March 2023 Bruno Cornec, HPE EG EMEA Open Source and Linux Strategist
Introducing myself ● Software engineering and Unices since 1988: – Mostly Configuration Management Systems (CMS), Build systems, quality tools, on multiple commercial Unix systems – Discovered Free, Libre, Open Source Software & Linux (FLOSS) & made first contributions in 1993 – Full time on OSL since 1995, first as HPE reseller then @HPE ● Currently: – WW FLOSS Technology Strategist in HPE, Grenoble, France – HPE FLOSS Advocate and Converged Infrastructure Ambassador – WW Linux Community Lead for the HPE Open Source Profession – AFUL and APRIL member. Mageia board member. FLOSSITA board chair. – Conferences at WW level at LinuxCon, Linux.conf.au, Fosdem, ... – MondoRescue, Project-Builder.org, python-redfish, UUWL and PUSK Project Lead – LinuxCOE, mrepo, tellico, rinse, fossology, collectl, Ironic contributor – FOSSBazaar/SPDX and FLOSS Governance enthusiast – Mageia (and Fedora) packager ● And also: – Amateur singer (Alto / Tenor), recorder player since 1976 and Choir director since 1987, CD collector (7000+), Concerts, Photography
Docker Architecture and Ecosystem
Container analogy Cargo transportation before the '60s: no standard way to transport goods – Multiplicity of goods and their security – Multiplicity of transportation methods The invention of the container allowed to – Support all type of goods – Can be loaded, unloaded, stacked – Support multiple transport mode – Sealed container – Standard transportation way leading to huge costs reduction
Container for software Computers before 2012 didn't had a standard way to transport IT workloads – Multiplicity of applications and their security – Multiplicity of transportation methods The invention of the container allowed to – Support all type of workload – Can be loaded, unloaded, stacked – Support multiple transport mode – Secure container – Standard transportation way leading to huge costs reduction
Bare-Metal vs VM vs Container Containerized application layer Bare metal application layer Virtualized application layer Container Network Storage Server Apps Host-OS Guest OS Apps Hypervisor Host-OS Infra structure Apps Apps Apps Apps Network Storage Server Network Storage Server
Docker In Brief • Vision: Build, Ship, and Run Any App Anywhere • Both: a company and an open source ecosystem (under the Apache license V2.0 since 2013) • Docker is a tool chain written in Go that simplifies the creation and management of containers. • Paradigm shift: “new” packaging model for deploying applications and services • Containers: A self-contained portable environment for packaging, deploying, and executing applications and services. Contains all execution dependencies for a service (one process == one container) • Better resource utilization: VMs virtualize the CPU, containers virtualize process(es) (lightweight) (launch in ms vs s, doesn't consume OS memory) • Application Lifecycle Management impact: – Build and configure once (integrated DevOps), and rebuild often ;-) – Deploy anywhere (laptop, server, cloud, …)
The Dev / Sec /Ops pipeline Agile development environment : Tested. Integrated. Portable. Optimized. Secured + + Ship Run Build From infrastructure to the cloud Composable Infrastructure Hybrid Cloud Cloud native & monolith Applications Developpers Communities enablement QA/Test Operations
What is Docker value-add ? Run applications in a neutral, lightweight and portable way Bundle: Everything packed together Layers: Images (ro) & containers (rw) using a union FS Registry: public/private registry of shared images Dockerfile: descriptive build of an image Volumes: loopback mounting host FS into container Ports: expose container services port to the host Portable: created once, run everywhere (on a given OS) Management: REST API/CLI Enterprise: Docker Enterprise (formerly DDC) Solomon Hykes, Docker Inc.
A layered approach Images Local or remote reference content to initiate a container Multiple images can be layered adding content at each time using Copy on Write FS Cache to speed up repeated operations Containers Last layer providing rw access to the cumulated set of images 1 application + its deps == 1 container
# List images $ docker images # Pull and run a container $ docker run -t -i repo:tag bash # List containers $ docker ps [-a] [-q] Demo 1: Managing images and containers
Basic Docker Workflow My computer Local Docker Engine Docker registry Images Containers Dockerfile FROM Ubuntu MAINTAINER pingouin@hpe.com RUN apt-get install apache2 ADD website /var/www/html/website EXPOSE 80 CMD /usr/bin/httpd }- Docker Hub
# Dockerfile $ cat Dockerfile FROM localhost:5000/pb:mageia-4-x86_64 RUN urpmi --force --auto apache ADD https://download.owncloud.org/community/owncloud- 7.0.3.tar.bz2 /var/www/html RUN urpmi --force --auto php php-dom php-mbstring php-pdo php-gd RUN chown -R apache:apache /var/www/html # Add persistent volume. VOLUME /data COPY run.sh /run.sh # Only 1 CMD! CMD /run.sh # Build image using the Dockerfile $ docker build . Demo 2: Dockerfile a receipe to build Docker images
Security • CTN Apps are more secured vs BM Apps • Docker has least priviledge principle • Different security isolation than VMs (Combine containers & VMs for improved security) • Uses cgroups, seccomp, namespaces, capabilities. Benefit from SELinux, apparmor, Grsecurity, PAX • Depends on choices and practices – Use of root privilege (only when necessary) – Disable SUID – Fine-grained privileges – Use advanced Docker configuration options • Trusted images / container secrets – Official images / Signed images – Vault –open source project to managing secrets • Container delivery pipeline can/should include security testing • Management of images and containers wrt security updates ● Container security continues to improve while its Understandably a hot topic
The Docker & Containers Ecosystem
Docker’s world Docker solutions and plumbling tools Plugin Extensibility Docker Libnetwork Networking Notary Security Docker Engine Creates & Runs containers Docker Machine Automated Provisioning Docker Compose Service Composition Docker Hub/Registry Package & Distribution Docker UCP Deploy & Manage Docker Swarm Native Host Clustering
Docker Compose – yaml file example weba: build: . expose: - 80 webb: build: . expose: - 80 haproxy: image: hypriot/rpi-haproxy volumes: - haproxy:/haproxy-override links: - weba - webb ports: - "80:80" - "70:70" expose: - "80" - "70"
Container Ecosystem – fantastic takeup Docker – Leader – Engine, Cluster, Build, Remote execution, ... Google – Open sourced Kubernetes container orchestration tool RedHat – integrated Docker into their RHEL7 releases. RH Atomic CaaS solution Redesigned OpenShift PaaS product to be based on Docker. SUSE – integrated Docker into their SLES 12 releases CaaS offering based on Docker, Kubernetes, Portus. PaaS on top based on CF to come CoreOS – Aim to be the best distribution to run Docker Goodies such as etcd, fleectl, rocket Mesosphere – Docker executor for Mesos (Chronos & Marathon) OpenStack – Nova & Glance drivers, Magnum (piloting Kubernetes/Swarm), Kolla and Kuryr Portainer.io – Management solution for docker engines or swarms
Container Ecosystem – fantastic takeup continued... IBM - integrated Docker into SoftLayer PaaS. Published KVM/Docker benchmarks Microsoft - made available Linux images in their Azure IaaS with Docker functionality Ongoing native Docker functionality for Windows Server VMWare – to integrate Docker functionality into vSphere. Joined Kubernetes initiative. Pivotal (CloudFoundry) – Replacing Warden by Docker (and Shipyard, Rancher, Panamax, ...)
Open Container Project • Standard specifications for a runtime and an image, vendor/architecture independent • Brings Docker and CoreOS back together (runC, appc, …) • https://www.opencontainers.org
The history of resources containment on Linux
Linux Resources management Support Linux Support Matrix OS minimal NUMA cgroups LXC KVM Namespace Upstream Kernel Linux 2.6.24 (Mar. 2008) 3.15/16 (2013) Linux 2.6.29 (2010) Linux 2.6.20 (Feb. 2007) Linux 2.6.19/24 (2007) 3.8 (2013) RHEL Yes (5.x) Yes (6.x) Yes (6.3) Yes (5.4) Yes (7.x) SLES Yes (10) Yes (11) Yes (11SP1) Yes (11) Yes (12) Fedora Yes Yes (F11) Yes (F12) Yes (F7) Yes (F19) Ubuntu Yes Yes (10.04) Yes (10.04) Yes (9.10) Yes (14.04)
– Help to manage groups of processes – Dedicated subsystems to manage specific resources: – Resource management: CPU shares, memory, blkio – Resource pools: CPU sets, ns, freezer, checkpoint/restart – Implemented as a special cgroup file system – Cgroup commands: cgcreate, cgexec, cgclear, cgclassify, ... – Cgroup services : ● cgconfig (/etc/cgconfig.conf), defines cgroups and mount points ● cgred (/etc/cgrules.conf), defines rules between tasks and cgroups – These are provided by libcgroup on top of the kernel cgroup virtual file system to allow persistence across reboot and ease of use. – Docker associates a cgroup to each container Linux Control Groups Share Dedicate
Linux workload management Shared resources example: ‘cpu’ cgroup subsystem – 'cpu' CGroup subsystem • cpu.shares – Shares default to 1024 – Customization example : Example of /etc/cgconfig.conf file: mount { cpu = /cgroup/cpu; } group default { cpu { cpu.shares = 1024; } } group db1 { cpu { cpu.shares = 3072; } } group db2 { cpu { cpu.shares = 6144; } } Share
Linux resource pools Dedicated resources example: ‘cpuset’ cgroup subsystem – CGroup subsystems: • cpuset −sets of CPU −sets of MEMORY (NUMA) • memory −limits the amount of RAM, RAM + SWAP −gives the current usage • blkio −change the behavior of Linux CFQ (Completely Fair Queue) Example of /etc/cgconfig.conf file: mount { cpuset = /cgroup/cpuset; } group default { cpuset { cpuset.cpus=0-2 ; cpuset.mem=0-2 } } group db2 { cpuset { cpuset.cpus=4-6 ; cpuset.mem=4-6 } } Dedicate
OS Virtualization (‘LXC / Docker’ containers) – Applications in a zone are isolated from the others (chroot on steroïds) • Security (as secure as your kernel) • Namespaces (root, UID, GID, network, PID, IPC, mount points, hostname/uts) • Cgroup Granularity • Single OS image manages HW accesses • Performance & transparency neither emulation nor full virtualization • Netfilter for network isolation (NAT and port fwd) • AuFS overlays isolated file systems on top of a physical file system – Other technos available • V-Server • Virtuozzo • OpenVZ Linux Containers OS Virt https://blog.docker.com/wp-content/uploads/2014/03/docker-execdriver-diagram.png
30/03/2023 Private | Confidential | Internal Use Only Project Build + metadata Use case: Continuous Packaging with Docker Docker Containers Local build Project Repository Local Build Server Packagers Developers
30/03/2023 Private | Confidential | Internal Use Only ”Changes are never easy to make. There is comfort and safety in tradition, but change must come, no matter how painful or expensive it may be.” Bill Hewlett Bruno.Cornec@hpe.com (Open Source and Linux Technology Strategist at the HP/Intel Solution Center) http://downloads.linux.hpe.com/ Linus Torvalds, Richard Stallman, Eric Raymond, Nat Makarevitch, René Cougnenc, Eric Dumas, Rémy Card, Bdale Garbee, Bryan Gartner, Craig Lamparter, Lee Mayes, Gallig Renaud, Andree Leidenfrost, Phil Robb, Bob Gobeille, Martin Michlmayr among others, for their work and devotion to the Open Source Software cause... and my family for their patience :-) THANK YOU

Check these out next

Docker-v3.pdf

Recommandé

Contenu connexe

Similaire à Docker-v3.pdf(20)

Plus de Bruno Cornec(20)

Dernier(20)

Docker-v3.pdf