Build and run applications in a dockerless kubernetes world - DevConf India 18
1 like282 views
The document discusses the evolution and standardization of container management in a Kubernetes environment, emphasizing the Container Runtime Interface (CRI) introduced in Kubernetes 1.5 and its impact on container orchestration. It highlights the benefits and methodologies of building container images without relying on a Docker daemon through tools such as Buildah, Kaniko, and Podman. Additionally, various approaches to Dockerfile and Dockerfile-less builds are presented, showcasing their pros and cons in the context of developer experience and efficiency.
![skopeo
● Copy images from/to (multiple transports/storages):
○ containers-storage:docker-reference
○ dir:path
○ docker://docker-reference
○ docker-archive:path[:docker-reference]
○ docker-daemon:docker-reference
○ oci:path:tag
○ ostree:image[@/absolute/repo/path]
● Inspect images
● Delete an image from a repository
● Standalone binary / No daemon running
● Perfect for pipelines (e.g. Jenkins)
@jorgemoralespou](https://image.slidesharecdn.com/buildandrunapplicationsinadockerlesskubernetesworld-devconf-india-18-180805071518/85/Build-and-run-applications-in-a-dockerless-kubernetes-world-DevConf-India-18-29-320.jpg)
![“Our ancestors called it
magic, but you call it
[computer] science.
I come from a land where
they are one and the same.”
—THOR](https://image.slidesharecdn.com/buildandrunapplicationsinadockerlesskubernetesworld-devconf-india-18-180805071518/85/Build-and-run-applications-in-a-dockerless-kubernetes-world-DevConf-India-18-35-320.jpg)
Build and run applications in a dockerless kubernetes world - DevConf India 18
- 1. Build and run applications in a Dockerless Kubernetes world Jorge Morales OpenShift Developer Advocate DevConf India 2018 August 5th - 11:45 - Room 1
- 2. Me (aka Jorge Morales) ● Spanish by nature and by language ● Work at Red Hat ● OpenShift Developer Advocate ● Mostly Java developer ● Obsessed with improving the developer experience @jorgemoralespou github.com/jorgemoralespou http://jorgemoral.es
- 5. Kernel namespaces: sandboxing processes from one another Control Groups (cgroups): control process resource allocations Security: capabilities drop (seccomp), Mandatory access control (SELinux, Apparmor) Linux Containers @jorgemoralespou
- 10. @jorgemoralespou
- 11. With scale came complexity
- 13. OTHER ORCHESTRATORS (Cloud Foundry Diego, Nomad, Blox, etc.) 2 YEARS AGO Fragmented landscape TODAY Kubernetes consolidation OTHER ORCHESTRATORS CONTAINER ORCHESTRATION LANDSCAPE @jorgemoralespou
- 14. Why kubernetes? #1: Open source, backed by giants #2: Vibrant and fast growing community #3: Supported on all clouds #4: Great partnerships @jorgemoralespou
- 15. Started slow June 2014 Docker 1.0 Dec 2014 Kubernetes 1.0: Supports Docker containers Rkt 0.1.0 July 2015 @jorgemoralespou
- 16. then more runtimes showed up Rkt 1.0 Feb 2016 Kubernetes 1.3: Supports Docker and Rkt containers July 2016 June 2014 Docker 1.0 Dec 2014 Kubernetes 1.0: Supports Docker containers Rkt 0.1.0 July 2015 @jorgemoralespou
- 17. and code got messy @jorgemoralespou
- 18. “Change is the essential process of all of existence.” —SPOCK
- 19. Standardize containers ● Runtime spec (runc = Reference implementation) ● Image spec ● Distribution spec (proposal) @jorgemoralespou
- 20. Use API/Interfaces to Container Runtimes KUBELET FRAKTI OCI-RUNTIME RUNC DOCKERD RKT CONTAINER RUNTIME INTERFACE (CRI) DOCKERD RKT KUBELET @jorgemoralespou
- 21. Standardization became a fact Rkt 1.0 Feb 2016 Kubernetes 1.3: Supports Docker and Rkt containers July 2016 June 2014 Docker 1.0 Dec 2014 Kubernetes 1.0: Supports Docker containers Rkt 0.1.0 July 2015 Dec 2016 Kubernetes 1.5: Container Runtime Interface (CRI) alpha July 2017 Kubernetes 1.7: CRI support GA @jorgemoralespou
- 22. What is Container Runtime Interface (CRI)? ● A gRPC interface and a group of libraries ● Enables Kubernetes to use a wide variety of container runtimes ● Introduced in Kubernetes 1.5 ● GA in Kubernetes 1.7 @jorgemoralespou
- 24. CRI-O ● Open source & Open governance ● Lean, Stable, Secure and BORING! ○ Tied to the CRI ○ No features that can mine stability and performance ○ Shaped around Kubernetes ○ Only supported user is Kubernetes ○ Versioning and Support are tied to Kubernetes @jorgemoralespou
- 25. Man, this guy is so boring! When is the live demo? @jorgemoralespou
- 27. What if I want to try it? $ minikube start --network-plugin=cni --container-runtime=cri-o --bootstrapper=kubeadm @jorgemoralespou
- 28. @jorgemoralespou
- 29. skopeo ● Copy images from/to (multiple transports/storages): ○ containers-storage:docker-reference ○ dir:path ○ docker://docker-reference ○ docker-archive:path[:docker-reference] ○ docker-daemon:docker-reference ○ oci:path:tag ○ ostree:image[@/absolute/repo/path] ● Inspect images ● Delete an image from a repository ● Standalone binary / No daemon running ● Perfect for pipelines (e.g. Jenkins) @jorgemoralespou
- 30. @jorgemoralespou
- 31. buildah ● Build images ● No daemon running ● shell-like syntax ● Build from Dockerfile(s) @jorgemoralespou
- 32. @jorgemoralespou
- 33. libpod/podman Library (libpod) and CLI (podman) for managing OCI-based Pods, Containers, and Container Images ● Replacement for docker cli ○ known CLI ● Integrated with CRI-O (soon) ● No daemon running @jorgemoralespou
- 35. “Our ancestors called it magic, but you call it [computer] science. I come from a land where they are one and the same.” —THOR
- 36. @jorgemoralespou
- 37. @jorgemoralespou
- 38. Daemon-less Dockerfile builds ● Consume a Dockerfile, but build image without a docker daemon ● Pros ○ Docker build-like experience (just write a Dockerfile) ○ Potentially more control over image layers (combine or shard) ○ Aim is for greater security ● Cons ○ Dockerfile fidelity might make difficult some use cases ○ Different approaches to image layer construction @jorgemoralespou
- 39. Daemon-less Dockerfile builds ● Buildah ○ a tool that facilitates building OCI container images ● Img ○ Standalone, daemon-less, unprivileged Dockerfile and OCI compatible container image builder. ○ The commands/UX are the same as docker (drop-in replacement) ● Kaniko ○ kaniko is a tool to build OCI container images from a Dockerfile, inside a container or Kubernetes cluster ○ executes each command within a Dockerfile completely in userspace ● more... @jorgemoralespou
- 40. Dockerfile-less builds ● User input is source / intent: “I want to run a Node.js web server” ● Pros: ○ Less configuration ○ Tools can intelligently build layers, better/safe layer caching ○ Docker image best practices can be codified into tools ● Cons: ○ Less flexible - Opinionated builds ○ Very fragmented across vendors, no real standard @jorgemoralespou
- 41. Dockerfile-less builds ● Source to Image ○ User provides source, source gets built+layered into an application image ○ Dependent on ecosystem of framework/language builder images ● Buildpacks ○ Invented by Heroku, adopted by Cloud Foundry / Deis ○ User provides source, “build” produces “slug”, “export” produces container image ● FTL (Faster than light) ○ Purpose-built source to image builders per-language, goal is layer-per-dependency ○ Insight: turn build incrementality into deploy incrementality ● Bazel ○ Google’s OSS build system, supports declarative image builds ○ Used for user-mode Docker image builds for 3+ years @jorgemoralespou
- 42. And don’t forget to tweet if you liked it (or if you didn’t) @jorgemoralespou @jorgemoralespou