RKT
12 likes11,529 views
This document discusses the app container runtime rkt. It provides an overview of rkt, including what it is, its goals, and how it differs from Docker. Key points include: - Rkt implements the Application Container (appc) specification and allows running containerized applications. - Its goals are fast downloads/starts, verifiable/cacheable images, composability, and using common technologies like DNS for discovery. - It differs from Docker in being more composable without a central daemon, focusing more on security through image verification, and using an open standard for images instead of Docker's format. - The document demonstrates downloading images, verifying signatures, running containers in pods with options like
![image manifest
{
”acKind”: ”ImageManifest”,
”acVersion”: ”0.5.1”,
”name”: ”xxxxx/xxxxxx”,
”app”: {
”exec”: [
”/usr/bin/reduce-worker”,
”--quiet”
],
”user”: ”100”,
”group”: ”300”,
”workingDirectory”: ”/opt/work”,
”environment”: [
{
”name”: ”REDUCE_WORKER_DEBUG”,
”value”: ”true”
}
],
},
}
11](https://image.slidesharecdn.com/rocket-150409013427-conversion-gate01/85/RKT-12-320.jpg)
![pod manifest
{
”acVersion”: ”0.5.1”,
”acKind”: ”PodManifest”,
”apps”: [
{
”name”: ”main”,
”image”: {
”name”: ”example.com/xxxxxx”,
},
”app”: {
”exec”: [
],
},
},
{
”name”: ”backup”,
”image”: {
”name”: ”example.com/zzzzzzzz”,
},
12](https://image.slidesharecdn.com/rocket-150409013427-conversion-gate01/85/RKT-13-320.jpg)
![run
$ sudo rkt --insecure-skip-verify --debug run --private-net docker://httpd
rkt: fetching image from file:///home/ma2/bin/stage1.aci
rkt: fetching image from docker://httpd
...
AH00557: httpd: apr_sockaddr_info_get() failed for rkt-50beacf8-d43d-4a79-8d40-a5938d71ddba
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name,
using 127.0.0.1. Set the ’ServerName’ directive globally to suppress this message
AH00557: httpd: apr_sockaddr_info_get() failed for rkt-50beacf8-d43d-4a79-8d40-a5938d71ddba
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name,
using 127.0.0.1. Set the ’ServerName’ directive globally to suppress this message
[Wed Apr 08 06:17:15.107888 2015] [mpm_event:notice] [pid 5:tid 139942464178048]
AH00489: Apache/2.4.12 (Unix) configured -- resuming normal operations
[Wed Apr 08 06:17:15.107956 2015] [core:notice] [pid 5:tid 139942464178048] AH00094: Command l
D FOREGROUND’
28](https://image.slidesharecdn.com/rocket-150409013427-conversion-gate01/85/RKT-29-320.jpg)
![port forward
Exposing container ports on the host
”ports”: [
{
”name”: ”http”,
”port”: 80,
”protocol”: ”tcp”
}
]
31](https://image.slidesharecdn.com/rocket-150409013427-conversion-gate01/85/RKT-32-320.jpg)
RKT
- 1. rkt Yutaka Matsubara April 9, 2015 CoreOS Meetup Tokyo #1
- 2. who ? Yutaka Matsubara Abby CTO twitter @mopemope github @mopemope 1
- 3. rkt
- 4. what is rkt ? App Container Runtime 3
- 5. rkt rkt implements the two runtime components of the App Container specification ∙ Application Container Executor (ACE) ∙ Metadata Service 4
- 7. what is app container ? App Container is a specification of an image format runtime, and discovery protocol for running applications in containers. 6
- 8. app container spec ∙ Building App Container ∙ Validating App Container ∙ Validating App Container Executors ∙ Discovery App Container Image Discovery 7
- 9. goal The core goals of the specification ∙ Designing for fast downloads and starts of App Containers ∙ Ensuring images are cryptographically verifiable and highly cacheable ∙ Designing for composability and independent implementations ∙ Using common technologies for cryptography, archiving, compression and transport ∙ Using the DNS namespace to name and discover images 8
- 10. keyword ∙ App Container Image ∙ App Container Image Discovery ∙ App Container Pod ∙ App Container Executor 9
- 11. manifest App Container Manifest is json format 10
- 12. image manifest { ”acKind”: ”ImageManifest”, ”acVersion”: ”0.5.1”, ”name”: ”xxxxx/xxxxxx”, ”app”: { ”exec”: [ ”/usr/bin/reduce-worker”, ”--quiet” ], ”user”: ”100”, ”group”: ”300”, ”workingDirectory”: ”/opt/work”, ”environment”: [ { ”name”: ”REDUCE_WORKER_DEBUG”, ”value”: ”true” } ], }, } 11
- 13. pod manifest { ”acVersion”: ”0.5.1”, ”acKind”: ”PodManifest”, ”apps”: [ { ”name”: ”main”, ”image”: { ”name”: ”example.com/xxxxxx”, }, ”app”: { ”exec”: [ ], }, }, { ”name”: ”backup”, ”image”: { ”name”: ”example.com/zzzzzzzz”, }, 12
- 14. diffrence docker
- 15. what is difference between rkt and docker? ∙ Composable ∙ Security ∙ Image disribution ∙ Open 14
- 16. composable ∙ central daemon ∙ pull image docker format ∙ push image docker format ∙ monolithic binary ∙ no daemon ∙ download common format ∙ upload common format ∙ independent and composable 15
- 17. security ∙ central daemon ∙ docker spec ∙ https certificate ∙ isolation ∙ crypto ∙ image auditing 16
- 18. image distribution ∙ docker spec ∙ docker hub ∙ docker registry ∙ standard and open spec ∙ simple ∙ without registry 17
- 19. open ∙ developed by a community ∙ docker spec ... ∙ developed by a community ∙ format and runtime specification 18
- 20. detail rkt
- 21. rkt ∙ Download ACI and Docker Image ∙ Verify Signatures ∙ Launching Container and Pod ∙ Enter Container ∙ Private Network ∙ Metadata Service 20
- 23. trust Get trusted key $ sudo rkt trust --prefix storage.coreos.com 22
- 24. fetch Download Container Image and Verify ∙ Localfile ∙ HTTP, HTTPS ∙ Docker Image 23
- 25. fetch $ sudo rkt --insecure-skip-verify fetch docker://httpd docker://mysql rkt: fetching image from docker://httpd sha512-73e53da5b22e08e3ebf5eeb47d8c3113 rkt: fetching image from docker://mysql sha512-8ea09fa7718553967e8b6fe50b72df68 24
- 26. prepare Holding an exclusive lock on the pod directory $ sudo rkt --insecure-skip-verify prepare docker://httpd rkt: fetching image from docker://httpd ea5cf47a-6b5b-4118-be9d-91d50e7258cb 25
- 27. prepare $ rkt list UUID ACI STATE NETWORKS ea5cf47a index.docker.io/httpd prepared 26
- 28. run Run Container run run container (prepare and run) run-prepared run prepared container ∙ set and override environment ∙ run interactively ∙ mount volume ∙ setup container network 27
- 29. run $ sudo rkt --insecure-skip-verify --debug run --private-net docker://httpd rkt: fetching image from file:///home/ma2/bin/stage1.aci rkt: fetching image from docker://httpd ... AH00557: httpd: apr_sockaddr_info_get() failed for rkt-50beacf8-d43d-4a79-8d40-a5938d71ddba AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ’ServerName’ directive globally to suppress this message AH00557: httpd: apr_sockaddr_info_get() failed for rkt-50beacf8-d43d-4a79-8d40-a5938d71ddba AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using 127.0.0.1. Set the ’ServerName’ directive globally to suppress this message [Wed Apr 08 06:17:15.107888 2015] [mpm_event:notice] [pid 5:tid 139942464178048] AH00489: Apache/2.4.12 (Unix) configured -- resuming normal operations [Wed Apr 08 06:17:15.107956 2015] [core:notice] [pid 5:tid 139942464178048] AH00094: Command l D FOREGROUND’ 28
- 30. run $ rkt list UUID ACI STATE NETWORKS 50beacf8 index.docker.io/httpd running default:ip4=172.16.28.3 29
- 31. private network Support Private Network (only static) ∙ private (NAT) ∙ bridge ∙ macvlan 30
- 32. port forward Exposing container ports on the host ”ports”: [ { ”name”: ”http”, ”port”: 80, ”protocol”: ”tcp” } ] 31
- 33. port forward Exposing container ports on the host $ sudo rkt --insecure-skip-verify run --port=http:8888 --private-net docker://httpd 32
- 34. demo
- 35. DEMO 34
- 36. Questions? 35