Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Similar documents
Containers and isolation as implemented in the Linux kernel

OS Containers. Michal Sekletár November 06, 2016

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Travis Cardwell Technical Meeting

For personnal use only

Docker Networking: From One to Many. Don Mills

Red Hat Container Strategy Ahmed El-Rayess

SAINT LOUIS JAVA USER GROUP MAY 2014

[Docker] Containerization

Introduction to Containers

TEN LAYERS OF CONTAINER SECURITY

RDMA Container Support. Liran Liss Mellanox Technologies

An introduction to Docker

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

A Security State of Mind: Container Security. Chris Van Tuin Chief Technologist, West

OS Virtualization. Linux Containers (LXC)

Introduction to containers

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

1 Virtualization Recap

, Inc

Seccomp, network and namespaces. Francesco Tornieri <francesco.tornieri AT kiratech.it>

Container's Anatomy. Namespaces, cgroups, and some filesystem magic 1 / 59

OS Security III: Sandbox and SFI

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

深 入解析 Docker 背后的 Linux 内核技术. 孙健波浙江 大学 SEL/VLIS 实验室

Quick Start Guide for Vmware. Version 2.5 Vmware vsphere Instance

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Introduction to VMs & Containers

Container-based virtualization: Docker

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

OpenFlow Configuration Lab

Container Security. Marc Skinner Principal Solutions Architect

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Container mechanics in Linux and rkt FOSDEM 2016

Red Hat Roadmap for Containers and DevOps

RED HAT'S CONTAINER STRATEGY. Lars Herrmann General Manager, RHEL, RHEV and Containers June 24, 2015

Portable, lightweight, & interoperable Docker containers across Red Hat solutions

PROCESS MANAGEMENT Operating Systems Design Euiseong Seo

The State of Rootless Containers

SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG

Docker Deep Dive. Daniel Klopp

OPENSHIFT FOR OPERATIONS. Jamie Cloud Guy - US Public Sector at Red Hat

Infrastructure at your Service. Oracle over Docker. Oracle over Docker

EE 660: Computer Architecture Cloud Architecture: Virtualization

Alternatives to Solaris Containers and ZFS for Linux on System z

Using Linux Containers as a Virtualization Option

A Greybeard's Worst Nightmare

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Docker und IBM Digital Experience in Docker Container

Software containers are likely to become a very important tool over the

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Neale Ferguson

Module 2 OpenFlow Configuration Lab

Faculté Polytechnique

Deep Dive into OpenStack Networking

Multi-Arch Layered Image Build System

Investigating Containers for Future Services and User Application Support

Making Applications Mobile

TRAINING AND CERTIFICATION UPDATE

On the Performance Impact of Virtual Link Types to 5G Networking

Infrastructure Security 2.0

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Introduction to Virtualization and Containers Phil Hopkins

THE STATE OF CONTAINERS

TEN LAYERS OF CONTAINER SECURITY

Lecture 5. Switching

Kubernetes Performance-Sensitive Application Platform

ovirt and Docker Integration

MODERN IT ARCHITECTURE

INTRODUCING CONTAINER-NATIVE VIRTUALIZATION

Building High-Performance NFV Solutions Using Containers

THE ROUTE TO ROOTLESS

What s Up Docker. Presented by Robert Sordillo Avada Software

WHEN CONTAINERS AND VIRTUALIZATION DO - AND DON T - WORK TOGETHER

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Who is Docker and how he can help us? Heino Talvik

Cisco Virtual Update Container networking. Hans Donnerborg, Lars Granberg, Maj 2018

Resource Management with CGroups

Docker and Oracle Everything You Wanted To Know

Devops, Docker and Security. John

Kubernetes Essentials

Kubernetes The Path to Cloud Native

Docker Security. Mika Vatanen

Dockerize Your IT! Centrale Nantes Information Technology Department Yoann Juet Dec, 2018

Real world Docker applications

Getting Started With Containers

Dockerized Tizen Platform

Docker for HPC? Yes, Singularity! Josef Hrabal

Operating and managing an Atomic container-based infrastructure

The speed of containers, the security of VMs

KVM Forum Vancouver, Daniel P. Berrangé

Red Hat Enterprise Linux 8.0 Beta

Engineering Robust Server Software

An introduction to cgroups and cgroupspy tags = [ python, docker, coreos',

State of Containers. Convergence of Big Data, AI and HPC

Run containerized applications from pre-existing images stored in a centralized registry

ISSN (Online)

IT S COMPLICATED: THE ENTERPRISE OPEN SOURCE VENDOR RELATIONSHIP. Red Hat s POV

The Road to Digital Transformation: Increase Agility Building and Managing Cloud Infrastructure. Albert Law Solution Architect Manager

Transcription:

Introduction to Container Technology Patrick Ladd Technical Account Manager April 13, 2016

Container Technology

Containers 3 "Linux Containers" is a Linux kernel feature to contain a group of processes in an independent execution environment. Linux kernel provides an independent application execution environment for each container including: Independent filesystem Independent network interface and IP address. Usage limit for memory and CPU time. Linux containers are realized with integrating many existing Linux features. There are multiple container management tools such as lxctools, libvirt and docker. They may use different parts of these features.

Container History 4 2005: FULL RELEASE OF SOLARIS ZONES 2007: GPC RENAMED CONTROL GROUPS 2015: RHEL ATOMIC HOST 2008: KERNEL AND USER NAMESPACES 2013: RED HAT ENTERPRISE LINUX 2015: RHT CONTAINER PLATFORMS 2013: DOT CLOUD PYCON LIGHTNING TALK 2014: GOOGLE KUBERNETES 2015: STANDARDS VIA OCI AND CNCF 2015 2000 2001: LINUX -VSERVER PROJECT 2006: GENERIC PROCESS CONTAINERS 2013: DOTCLOUD BECOMES DOCKER 2010 2003: SELINUX ADDED TO LINUX MAINLINE 2005 2000: JAILS ADDED TO FREEBSD 2008: LINUX CONTAINER PROJECT (LXC)

CONTAINERS VIRTUALIZATION

TRADITIONAL OS CONTAINERS

Underlying Technology Enabling Technology in Linux has been present for many years 7 Namespaces Process Network Filesystem User IPC UTS (UNIX Technology Services) cgroups - Control Groups Union (overlay) Filesystems

Namespaces

Process Namespaces 1 Original UNIX Process Tree First process is PID 1 Process tree rooted at PID 1 PIDs with appropriate privilege may inspect or kill other processes in the tree 2 3 4 5,1 Linux Namespaces Multiple, nested process trees Nested trees cannot see parent tree Process has multiple PIDs 9 One for each namespace it is a member of 6,2 8,4,1 9,5,2 10,6,3 7,3

Network Namespaces Presents an entirely separate set of network interfaces to each namespace All interfaces including loopback are virtualized Ethernet bridges may be created ip link add name veth0 type veth peer name veth1 netns <pid> Routing process in global namespace to route packets Global Namespace Child net namespace P H Y S I N T F Routing Process V I R T Child net namespace V I R T Original Namespace: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 00:24:8c:a1:ac:e7 brd ff:ff:ff:ff:ff:ff New Namespace: 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 10

Filesystem Namespaces Clone / Replace list of mounted filesystems 11 Similar to chroot Allows isolation of all mount points, not just root Atrributes can be changed between namespaces (read only, for instance) Used properly, avoids exposing anything about underlying system

User Namespaces Replace / Extend UID / GID 12 Delete unneeded UID / GID from container Add / change UID / GID map inside container Use: root privilege in container, user privilege in base OS

IPC Namespaces Similar to network namespaces 13 Separate interprocess communications resources Sys V IPC POSIX messaging

UTS Namespaces UTS : UNIX Technology Services 14 Change inside container: Hostname Domain

Feature availability 15 Filesystem separation Mount namespace (kernel 2.4.19) Hostname separation UTS namespace (kernel 2.6.19) IPC separation IPC namespace (kernel 2.6.19) User (UID/GID) separation User namespace (kernel 2.6.23 kernel 3.8) Processtable separation PID namespace (kernel 2.6.24) Network separation Network Namespace (kernel 2.6.24) Usage limit of CPU/Memory Control groups

Namespaces Summary Isolation / Modification of Container processes from host PIDs Network Filesystems UID/GID IPC Hostname / Domain See documentation on clone() system call for more complete details on functionality (Warning: systems programmer jargon territory) 16

cgroups

cgroups Way to allocate resources to processes running on a system Hierarchical and can be dynamically added, changed and removed Made up of several subsystems also called Resource Controllers Part of RHEL 6 & 7 Kernel Upstream since 2.6.24 You must install userspace tools 18 Install libcgroup

19

20

Resource Controllers cpu this subsystem uses the scheduler to provide cgroup tasks access to the CPU. cpuacct this subsystem generates automatic reports on CPU resources used by tasks in a cgroup. cpuset this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. devices this subsystem allows or denies access to devices by tasks in a cgroup. freezer this subsystem suspends or resumes tasks in a cgroup. 21 blkio this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, USB, etc.). memory this subsystem sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks. net_cls this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller ( tc) to identify packets originating from a particular cgroup task. net_prio this subsystem provides a way to dynamically set the priority of network traffic per network interface. ns the namespace subsystem.

Union (overlay) Filesystems

Union Filesystems 23 Stacked / Layered Storage Copy on write Many available underlying implementations Aufs OverlayFS btrfs LVM Device mapper

Container Security

CONTAINERS ARE NOT SECURE BY DEFAULT 6 MISCONCEPTIONS ABOUT CONTAINERS

Container Security ISOLATION OF HOSTS ARE SOURCES TRUSTED? WHAT S INSIDE CONTAINERS TRUST IS TEMPORAL Host OS + SELinux maintained by trusted kernel engineers and frequently updated. 36% of Docker Hub official images contain high priority security vulnerabilities.* Red Hat + Black Duck = secure, trusted model for validating container contents. New vulnerabilities are identified daily and containers become stale over time. *Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/banyanops-analyzingdockerhub-whitepaper.pdf) 26

Container Isolation with SELinux SELINUX SELINUX CONTAINER APP CONTAINER APP RUNTIME RUNTIME OS OS CONTAINER APP CONTAINER APP RUNTIME RUNTIME OS OS HOST OS 27 SHARED SERVICE SELINUX SHARED SERVICE SELINUX SHARED SERVICE SELINUX SHARED SERVICE SELINUX

Red Hat Container Technology 28 Stock Red Hat Enterprise Linux ( RHEL ) Full OS image Docker packages added All combinations of use Red Hat Enterprise Linux Atomic Host ( Atomic ) Stripped down OS image Pre-installed docker packages Only for container deployment Limited additional packages Different upgrade / update process (no yum) Optimized settings for container deployment Separate subscription from RHEL subscription

Atomic Formats 29 Multiple environments available Cloud image (qcow2) RHEV (ova) Hyper-V (vhd) vsphere (ova) Installer (iso)

Installing Atomic on kvm Create overlay of image qemu-img create -f qcow2 -o backing_file=rhel-atomic-cloud-7.212.x86_64.rhevm.qcow2 atomic-instance0.qcow2 Set up VM Customize VM startup 30 meta-data & user-data files Host IP addresses Login credentials Start VM

Register & Update Atomic Register Atomic subscription-manager register username=myid subscription-manager attach subscription-manager list Upgrade Atomic atomic host upgrade Atomic upgrade status atomic host status Recover from failed upgrade atomic host rollback 31

Using Docker Getting help docker --help Information on docker install docker info docker network ls 32

Using Docker Images Download an image docker pull rhel7:latest Modify Dockerfile Update MAINTAINER Build image docker build -t webserver. Show images docker images Remove an image docker rmi myimage Show all images docker images -a 33

Using Containers Start a container docker run -d -p 80:80 --name=myweb webserver Change content Start another container docker run -d -p 80:80 --name=myweb webserver List containers docker ps Stop container docker stop myimage Restart container docker restart myimage Remove container docker rm myimage 34

Reference Materials 35 Atomic documentation https://access.redhat.com/documentation/en/red-hat-enterprise-linu x-atomic-host?version=7/ Atomic Download https://access.redhat.com/downloads/content/271/ver=/rhel---7/7.2.2-2/x86_64/product-software

THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback