containers today and beyond
play

Containers Today and Beyond Michal Svec Flavio Castelli Product - PowerPoint PPT Presentation

Jun 02, 2023 •170 likes •692 views

Containers Today and Beyond Michal Svec Flavio Castelli Product Manager Engineering Manager msvec@suse.com fcastelli@suse.com Agenda How it all started Why should I care? What are containers? Gimme more! Show me! 2 How

  1. Containers Today and Beyond Michal Svec Flavio Castelli Product Manager Engineering Manager msvec@suse.com fcastelli@suse.com

  2. Agenda ● How it all started ● Why should I care? ● What are containers? ● Gimme more! ● Show me! 2

  3. How it all started 3

  4. Bimodal IT – Challenges & Opportunities Malcom McLean 4

  5. 5

  6. How does it apply to me? ● Running applications? ● Providing services? ● …? 6

  7. 7

  8. 8

  9. Why should I care? 9

  10. Bimodal IT – Challenges & Opportunities 10

  11. The two brains of IT Mode 1 Mode 2 Reliability Agility Waterfall, ITIL Agile, DevOps Conventional Projects New & Uncertain Projects Long-cycle Times Short Cycle (days, weeks) (months) 11

  12. Two Worlds of IT Need a Bridge Traditional IT Agile IT Mode 1 Mode 2 45% of organizatjons claim to have some form of bimodal capability today. 12

  13. Challenges in Context of Containers New features; Faster please! Developers Operations • Frequent releases vs. staged Manage growing services • production schedule. Reliability and uptime of new applications • “It works on my machine.” Time to market • Efficiency 13

  14. What are containers, really? 14

  15. Containers OS-level or application virtualization with Linux Containers (LXC) and container engine. Support for Windows Subsystem for Linux (WSL). 15

  16. What are containers – two views ● Operations ● Applications ● Components of Linux kernel and OS ● Packaging ● Image format, specific tools ● Share easily ● Isolation ● Easily extensible ● High density ● Scale up/down ● Smaller, lighter, faster ● Self-contained ● Orchestration, management ● Micro-services 16

  17. 17

  18. Linux Containers • System containers – Full system in the container (no kernel) – libvirt-lxc • Application containers – One process per container – Docker, podman, ... – Rich ecosystem 18

  19. Linux Containers App App App App System container A A' B B' Application container Bins/Libs Bins/Libs Bins/Libs Bins/Libs Guest OS Guest OS Guest OS Guest OS Kernel Kernel Hypervisor (Type 2) Host OS Server 19

  20. Advantages of Linux Containers Lightweight virtualization solution – Isolated from the other processes – 1 kernel to rule them all – Normal I/O – Dynamic changes possible without reboot – Nested virtualization is not a problem – No boot time or very short one Isolate services (e.g. web server, ftp, …) Much more (see furter) ... 20

  21. Linux Containers – Limitations They cannot run a different OS/architecture – Cannot run Windows containers on Linux Risk of escaping from containers – Solution: user namespaces Shared kernel with the host – Syscall exploits can be exploited from within the container – Solution: seccomp2 Security measures – Patch, don’t use root, kernel capabilities, confinement – Use VMs 21

  22. Containers and orchestration • Standalone container host – SLES, container engine, registry (Portus) • Orchestrated datacenter – SUSE CaaS Platform (Micro OS, K8s) – Containerized applications, micro services • Bi-modal datacenter – SUSE CaaS Platform + SUSE OpenStack Cloud – Combination of traditional IT + agile (containers) 23

  23. Bimodal IT – Challenges & Opportunities 25

  24. 26

  25. Too much going on, dive deeper! (And show me!) 27

  26. Containers are standardized • OCI runtime specification: • Defines container runtime (API, data structures, …) • How to start/stop/... containers • OCI provides a reference implementation: runC • OCI image format specification: • Defines how a container image is structured • Result: • Avoid vendor lock-in • Avoid fragmentation • Containers are truly portable • Foster innovation 28

  27. Running containers • Stand-alone node: • docker • podman • Container orchestration - kubernetes: • docker • containerd • CRI-O • ... 29

  28. Introducing podman • Drop-in replacement for docker • Focuses on single node operations, close to docker 1.13 • No daemon • Relies on runC • Network implemented using CNI 30

  29. podman extra features • Has the concept of "pods": • Works like with kubernetes • Allows to group several containers together • Remove some isolation features on purpose (namespaces, cgroups) • Can work in rootless mode: • Regular unprivileged users can create containers • Containers are visible only to the user who created them • Makes containers even more secure 31

  30. Building containers • Most of you are probably using "docker build" but... • Other ways to build container images exist • Images delivered by SUSE are not built using docker: • Base container images • Derived images, think about all the CaaS Platform ones How could that work? 32

  31. Repetition: standards matter! • Container images follow the OCI image specification • This is what grants image portability across container engines • Different ways to build OCI images: • docker • podman build • buildah • KIWI • ... 33

  32. Building with docker • Start from an existing container image (the "base" image) • Write a Dockerfile • Use Dockerfile directives to: • Execute commands: most used one "RUN" -> install/build software, ... • Write image metadata • ... 34

  33. Building with podman • Start from an existing container image (the "base" image) • Write a Dockerfile • Use Dockerfile directives to: • Execute commands: most used one "RUN" -> install/build software, ... • Write image metadata • … YES – it's like the previous slide, podman is a drop-in replacement for docker open-source engine! 35

  34. Building with buildah • Can build using a simple Dockerfile • Allows more flexible build mode: • Start from existing image, create a container • Mount the container rootfs on the host • Interact with the container rootfs from the host: cp, scripts, zypper,… • Can produce small images with zero external dependencies (no need to have zypper around or in the history of the image!) 36

  35. Building with KIWI • Appliance builder used at SUSE since a long time • Steeper learning curve compared to the others • Integrates nicely with the Open Build Service: • Automatic rebuilds of the images on package updates • Automatic rebuilds of derived image after base image is updated • Note well: OBS supports also builds using special Dockerfile 37

  36. Demo 38

  37. Pre-built images • Docker HUB Community, handle with care! – • SUSE Registry (registry.suse.com) Enterprise contents, secure, verified, signed – SUSE Products (CaaS Platform, Cloud Application Platform, …) – What used to be in SLES Containers module (e.g.: Portus) – 39

  38. Interacting with SUSE registry • SUSE publishes all its product images to registry.suse.com • SUSE products will automatically download images from there • This can be done in two ways: Manifest file – Helm charts – • SUSE’s helm charts are hosted on a public helm chart repository operated by SUSE 40

  39. New world, old problems • Pulling images from an external registry can be expensive (time, bandwidth) • Pulling isn’t even possible in some scenarios (air-gapped environments) • The same applies to helm charts • RPM world had the same problems: solved with tools like SMT (more recently RMT) 41

  40. Registry mirroring • Provide our customers a way to mirror the contents of an external registry into an on-premise one • Solution available since CaaS Platform v3 • More plans to improve it over the time 42

  41. Air-gapped scenario • Most complex case • Container hosts don’t have access to the internet • Nodes must be able to pull containers from local registry • We don’t want to change names of the container images registry.suse.com/caasp:1.0 should NOT change name (eg: my-registry.acme.lan/caasp:1.0) 43

  42. Architecture air-gapped network registry.suse.com mirror.local.lan mirror.secure.lan Secured drive with registry contents node1 node2 44

  43. Helm chart mirroring • Helm charts can be downloaded using “helm-mirror” • The charts can be copied to a local HTTP server • Charts are just static files 45

  44. Container images mirroring • Use “helm-mirror” to get a list of all the images referenced by the charts • Use “skopeo sync” to download all the images: Save the images into a local USB drive – Connect the drive to a machine inside of the air-gapped network – Use skopeo sync to import all the images into a local registry – • Configure the container engine to use the local registry as a mirror of registry.suse.com → no need to re-write image names 46

  45. Container engine: mirroring support • Out of the box docker supports mirroring only for the Docker Hub • We have a patch extending that, still going through upstream review • SUSE CaaS Platform v3+ have the patch applied • CRI-O patch is under review from upstream 47

Recommend

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
Goals for Today Learning Objective: Understanding how operating systems support containers

Goals for Today Learning Objective: Understanding how operating systems support containers

Goals for Today Learning Objective: Understanding how operating systems support containers and modern cloud computing paradigms Announcements, etc: MP4 due May 6th Get started ASAP! HW1 available! Due May 8th Just an

869 views • 29 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
The proposed containers are "Flat-pack" type. Disassembled and reduced as

The proposed containers are "Flat-pack" type. Disassembled and reduced as

CON-IMEX CONTAINERS 2009 AKAR Logistics 70 Beecham Court Owings Mills, MD 21117 USA Sophia Akar Tel: + 410-961-7232 / + 410-961-0327 Fax: + 410-356-8267 sophia@akarlogistics.com 1 / 20 GENERAL The proposed containers are

313 views • 20 slides
Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk Introductions David Porter Fairport Containers Director Steve Collinson Managing Director Fairport Containers Ltd Tam Unsworth Recycling Banks

552 views • 28 slides
Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt

Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt

Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt Innsbruck Innsbruck Nov 2018 Overview Preliminaries Why containers Understanding Containers vs. Virtual Machines Comparison of

482 views • 37 slides
Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende Globo.com About me Software Engineer at Globo.com/Tsuru @guilhermebr (GitHub) in/guilhermebr (LinkedIn) @gbrezende (Twitter) Agenda Cloud Native

636 views • 45 slides
100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar -

100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar -

100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar - Facts & Figures Infrastructure Ecosystem - 100% containers powered carpooling Todays agenda Stateful Services into containers - MariaDB as

463 views • 45 slides
Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman, Technology Evangelist Docker @mikegcoleman Who Am I? Technology evangelist at Docker Former: Puppet, VMware, MSFT, Intel, and HP First

390 views • 25 slides
Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane

Unprivileged GPU containers on a LXD cluster GPU-enabled system containers at scale Stphane Graber Christian Brauner LXD project leader LXD maintainer @stgraber @brau_ner https://stgraber.org https://brauner.io

394 views • 12 slides
Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and

Cloud Native and Container Technology Landscape Chris Aniszczyk (@cra) Rise of Containers and Cloud Native Computing! Google running 2B+ containers per week! Internet scale companies are running containers too: Facebook, Twitter,

1.8k views • 49 slides
Co Conti tinuous De Delivery y with th Co Containers: Th The Good, the Bad, and the Ug

Co Conti tinuous De Delivery y with th Co Containers: Th The Good, the Bad, and the Ug

Co Conti tinuous De Delivery y with th Co Containers: Th The Good, the Bad, and the Ug Ugly ly Daniel Bryant @danielbryantuk Containers: Expectations versus reality DevOps 21/05/2018 @danielbryantuk @danielbryantuk

1.08k views • 86 slides
SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi

SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi

SERVERLESS + CONTAINERS = MODERN CLOUD APPLICATIONS Donna Malayeri Product Manager, Pulumi @PulumiCorp @lindydonna SERVERLESS AND CONTAINERS Tradeoff between control and productivity Containers give you full control over your compute

720 views • 40 slides
How containers have panned out Adrian Trenaman, Raconteur & SVP Engineering, Gilt / HBC

How containers have panned out Adrian Trenaman, Raconteur & SVP Engineering, Gilt / HBC

How containers have panned out Adrian Trenaman, Raconteur & SVP Engineering, Gilt / HBC Digital Q-Con, New York, June 2016 @gilttech @adrian_trenaman @hbc_tech What competitive advantage did containers give you? Gilt: luxury designer

603 views • 41 slides
Brought to you by... What is... Server for running and managing Linux containers. What are

Brought to you by... What is... Server for running and managing Linux containers. What are

in the belly of the Brought to you by... What is... Server for running and managing Linux containers. What are Linux containers? Para-virtualized Linux instances. Why not regular virtualization? slooooooow gigantic images

788 views • 34 slides
LXD Live Migration of Linux Containers Tycho Andersen, Canonical Ltd.

LXD Live Migration of Linux Containers Tycho Andersen, Canonical Ltd.

LXD Live Migration of Linux Containers Tycho Andersen, Canonical Ltd. tycho.andersen@canonical.com http://tycho.ws Sorry, no demos today :( Who is this guy? LXD LXC CRIU Kernel The history of LXC Over 6 years of Linux system

292 views • 26 slides
X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native

X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native

X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers Zhiming Shen Cornell University Joint work with Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, Hakim

266 views • 26 slides

More recommend