DockerCon 2014: Thoughts on interoperable containers
1 like1,822 views
The document discusses the use of interoperable containers, particularly focusing on Docker and its applications in platform-as-a-service (PaaS) environments. It touches on various technical aspects, including security concerns, user namespaces, buildpacks, and the architecture of containers. Additionally, it emphasizes the development and deployment of applications in a container-centric manner, highlighting the transition to a container revolution.
DockerCon 2014: Thoughts on interoperable containers
- 2. Please don't continue. Go see this instead: http://fabiokung.com/2014/06/11/my-dockercon-2014-talk
- 3. Fabio, Runtime Systems at I run linux containers.
- 5. “write once, run everywhere – Sun Microsystems (?)
- 10. Docker wants... docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/
- 14. “trying to make Docker secure for multi-tenant scenarios is a can of worms – darren0, at #docker-dev
- 18. vi /etc/…
- 19. mount -t fancy …
- 21. iptables -A INPUT …
- 24. “ (…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...) – Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces", LWN.net
- 25. if (getuid() == 0) { // do root stuff }
- 26. just don't run as root?
- 27. also SUID
- 31. arch, OS, image size, …
- 32. containers/container-rfc · GitHub “A vendor neutral format for Linux container images and runtime
- 39. Buildpacks app source + base image
- 40. FROM heroku/cedar ADD . /buildpack ONBUILD ADD . /app ONBUILD RUN /buildpack/bin/compile /app ONBUILD ENV PORT 5000 ONBUILD EXPOSE 5000
- 44. #!/usr/bin/env make -f buildpath := .build buildpackpath := $(buildpath)/pack buildpackcache := $(buildpath)/cache build: $(buildpackpath)/bin $(buildpackpath)/bin/compile . $(buildpackcache) $(buildpackcache): mkdir -p $(buildpath) mkdir -p $(buildpackcache) curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz mv go.tgz $(buildpath) $(buildpackpath)/bin: $(buildpackcache) mkdir -p $(buildpackpath) tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
- 45. ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz" app_container "myapp" do buildpack ruby git_url "git@mycompany.com:myapp.git" end define :app_container, name: nil, buildpack: nil, git_url: nil do # ... execute "#{name} buildpack compile" do command "#{dir}/.build/pack/bin/compile #{dir} .build/cache" end end
- 46. container centric: whole image app centric: builds as a mapping layer recap: the container revolution
- 47. Thank you! fabio@heroku.com All images used in this presentation are under a Creative Commons License, unless otherwise noted https://www.flickr.com/photos/compacflt/5948542359