![Demo
• J=$HOME/jail
• mkdir -p $J
• mkdir -p $J/{bin,lib64,lib}
• mkdir $J/lib/x86_64-linux-gnu/
• cd $J
• cp -v /bin/{bash,ls} $J/bin
• ldd /bin/bash
• list="$(ldd /bin/bash | egrep -o
'/lib.*.[0-9]')"; for i in $list; do
cp -v "$i" "${J}${i}"; done
• list="$(ldd /bin/ls | egrep -o
'/lib.*.[0-9]')"; for i in $list; do
cp -v "$i" "${J}${i}"; done
• chroot $J /bin/bash
• ls /](https://image.slidesharecdn.com/containershowdown-191120155350/85/Central-Iowa-Linux-Users-Group-November-Meeting-Container-showdown-15-320.jpg)
Central Iowa Linux Users Group: November Meeting -- Container showdown
- 2. Linux Container Showdown Andrew Denner Central Iowa Linux Users Group November Meeting
- 3. Welcome to LUG Meetings are on the third Wednesday of every month We have a website! http://www.cialug.org List Server IRC/Slack
- 5. About our presenter • Some say that he has no face, all we know is that he is the presenter…
- 6. About me (in all seriousness) • I write code, sometimes have to dabble in devops and by night I do linuxy things • These statements are my own, not those of anyone else including my employer and the commissioner of baseball • Twitter: adenner • Slides will be posted to http://denner.co
- 7. On with the show The Linux Container showdown
- 13. Early History
- 14. chroot • 1979 chroot on version 7 • “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name files outside the designated directory tree.” –Wikipedia • It isn’t perfect
- 15. Demo • J=$HOME/jail • mkdir -p $J • mkdir -p $J/{bin,lib64,lib} • mkdir $J/lib/x86_64-linux-gnu/ • cd $J • cp -v /bin/{bash,ls} $J/bin • ldd /bin/bash • list="$(ldd /bin/bash | egrep -o '/lib.*.[0-9]')"; for i in $list; do cp -v "$i" "${J}${i}"; done • list="$(ldd /bin/ls | egrep -o '/lib.*.[0-9]')"; for i in $list; do cp -v "$i" "${J}${i}"; done • chroot $J /bin/bash • ls /
- 16. Demo
- 17. BSD Jails First in 1999 Free BSD by Poul- Henning Kamp after use in a small hosting company Achieved three goals: Virtualization Security Ease of Delagation Each jail is custom rolled/built Single point of failure
- 18. Solaris Zones First relased 2004 in build 51 beta of Solaris 10 Can control what resources each zone gets and also can just give a fair share Still present in Illumonos (Open Solaris) and Solaris
- 19. openVZ • Open Virtuozzo • Soft memory allocation, can be shared if not being used • Old versions used chroot based disk isolation. Current version lets each container have it’s own file system • Requires Custom Kernel providing: • Virtualization • Isolation • Resource Management • checkpointing
- 20. LXC • Uses Linux cgroups and other namespace isolations • Much like jails • Works with the vanilla kernel unlike openVZ • Orriginally docker used
- 21. Modern history
- 22. Docker • Opensourced in 2013 • Building on the previous ideas • Image ecosystem • More ephemeral and portable across machines • Versioning • Overlayfs • Downsides: still single point of failure • Dockerd root—security concerns
- 27. Docker File
- 29. Rootless Docker • Thanks to Akihiro Suda of NTT Corp for all his work • See https://www.slideshare.net/AkihiroSuda/dockercon- 2019-hardening-docker-daemon-with-rootless-mode for deep dive • Works as sub-user and sub-group ids • Overlay fs doesn’t work yet • Can’t use protected ports • https://www.katacoda.com/courses/docker/rootless
- 30. CNCF • In the beginning there was docker… • Then came others and the CNCF is the vender nuteral home for the plumbing that runs containers • It is a part of the linux foundation • Think of like apache but for containerization • Home to • Kubernetes • Prometheus • Envoy • Containerd • Et. al.
- 32. Pouch • https://pouchcontainer.io • From Alibaba Group • Never had heard of them before • Distributes images via Dragonfly p2p • Rich container mode more hooks and magic available
- 33. Kata Containers • Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. • https://katacontainers.io
- 35. Moby https://mobyproject.org An open framework to assemble specialized container systems without reinventing the wheel. Not for mere mortals
- 37. Docker Compose • Yaml tool for defining and running multiple docker applications at the same time • Useful for: • dev environments • Automated test environments • Single host deployments
- 39. Docker Swarm Joins a Pool of docker hosts into one virtual host YAML based definitions Networking via an overlay network Easier to set up than a K8 cluster
- 40. VHS vs Betamax
- 41. Kubernetes • Originally designed by Google engineers –Borg • Orchestrate containers across multiple hosts. • Make better use of hardware to maximize resources needed to run your enterprise apps. • Control and automate application deployments and updates. • Mount and add storage to run stateful apps. • Scale containerized applications and their resources on the fly. • Declaratively manage services, which guarantees the deployed applications are always running how you deployed them. • Health-check and self-heal your apps with autoplacement, autorestart, autoreplication, and autoscaling.
- 43. K3s • Kubernetes abrieated is K8… 5 less than that is k3s • K8 but only the good parts all in less than 40mb • Still rather experimental • Got rid of Legacy alpha and non-default code removed • Removed most in-tree plugins • Use sqlite 3 rather than etcd by default • Simple launcher
- 44. K3s cont. • Minimal requirements, leverages • containerd • Flannel • CoreDNS • CNI • Host utilities (iptables, socat, etc) • Install from https://github.com/rancher/k3s • Demo: https://asciinema.org/a/k6lHGEZ65 le2rxm5giAxJOR7C
- 45. Podman • New in Centos 8 • See presentation last month • Biggest thing to note is no need for the docker damon • Can handle Rootless same as docker, with same shortcomings • https://asciinema.org/a/oDxbleQ4q0ww6 WpS46JUy1dt0
- 47. Buildah • Container management and build program • Can build and use CNF protable images without a local docker • Better control of image layers • Ability to build images via bash • As well as building dockerfile images • Demo: https://asciinema.org/a/peZtZjTkeZHtUm AN5AdnWPp2i • https://asciinema.org/a/V4NZWIdV83CcOP DW4favh4vi3
- 48. Example script
Editor's Notes
- #11: https://xkcd.com/2221/
- #12: Cattle vs Pets Bill Baker 2012
- #13: You wouldn’t do this to your pet…
- #15: If you are root you can escape It doesn’t handle non file system isolations, i.e. processes etc
- #17: https://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/
- #18: Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is almost indistinguishable from a real system. Security: Each jail is sealed from the others, thus providing an additional level of security. Ease of delegation: The limited scope of a jail allows system administrators to delegate several tasks which require superuser access without handing out complete control over the system
- #31: Kubernetes- Orchestration Prometheus monitoring Envoy network proxy Core dns service discovery Containerd Fluentd logging Jaeger distributed tracing Vitess storage
- #32: Daemon that manages complete lifecycle from image transfer and storage to execution and storage and beyond
- #34: It is a drop in additional OCI compatible container runtime, which can therefore be used with Docker and Kubernetes.
- #42: Redhat openshift Ranchr