OCI Runtime Tools for Container Standardization

Similar documents
MesosCon Qian Zhang (IBM China), Jie Yu (Mesosphere) OCI Support in Mesos Mesosphere, Inc. All Rights Reserved. 1

Container Security and new container technologies. Dan

The Open Container Initiative Establishing standards for an open ecosystem

How Container Runtimes matter in Kubernetes?

Replacing Docker With Podman. By Dan

CNI, CRI, and OCI - Oh My!

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

The speed of containers, the security of VMs. KataContainers.io

Docker and Oracle Everything You Wanted To Know

TEN LAYERS OF CONTAINER SECURITY

State of Containers. Convergence of Big Data, AI and HPC

Next Generation Tools for container technology. Dan

Docker and Security. September 28, 2017 VASCAN Michael Irwin

THE STATE OF CONTAINERS

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

InterSystems Cloud Manager & Containers for InterSystems Technologies. Luca Ravazzolo Product Manager

Who is Docker and how he can help us? Heino Talvik

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

THE ROUTE TO ROOTLESS

Docker und IBM Digital Experience in Docker Container

Dockerized Tizen Platform

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

The meta-virtualization layer of OpenEmbedded

SQL Server inside a docker container. Christophe LAPORTE SQL Server MVP/MCM SQL Saturday 735 Helsinki 2018

The speed of containers, the security of VMs

BoF: Grafeas Using Artifact Metadata to Track and Govern Your Software Supply Chain

Cloud I - Introduction

TECHNICAL BRIEF. Scheduling and Orchestration of Heterogeneous Docker-Based IT Landscapes. January 2017 Version 2.0 For Public Use

Simple custom Linux distributions with LinuxKit. Justin Cormack

Harbor Registry. VMware VMware Inc. All rights reserved.

Welcome to Docker Birthday # Docker Birthday events (list available at Docker.Party) RSVPs 600 mentors Big thanks to our global partners:

Embedded lightweight unix

Beyond 1001 Dedicated Data Service Instances

Cloud Foundry Diego: The New Cloud Runtime. Heterogeneous Container Scheduling, Docker & More

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Docker CaaS. Sandor Klein VP EMEA

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

[Docker] Containerization

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

RDMA Container Support. Liran Liss Mellanox Technologies

Knative: Building serverless platforms on top of Kubernetes

Landlock LSM: toward unprivileged sandboxing

CNA1699BU Running Docker on your Existing Infrastructure with vsphere Integrated Containers Martijn Baecke Patrick Daigle VMworld 2017 Content: Not fo

IT S COMPLICATED: THE ENTERPRISE OPEN SOURCE VENDOR RELATIONSHIP. Red Hat s POV

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Container mechanics in Linux and rkt FOSDEM 2016

Red Hat Container Strategy Ahmed El-Rayess

VMworld 2017 Content: Not for publication #CNA1699BE CONFIDENTIAL 2

Implementing DPDK based Application Container Framework with SPP YASUFUMI OGAWA, NTT

Welcome to SUSE Expert Days 2017 Service Delivery with DevOps

OpenShift Cheat Sheet

CloudCenter for Developers

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Geant4 on Azure using Docker containers

How to build and run OCI containers

Docker at Lyft Speeding up development Matthew #dockercon

Jenkins User Conference Israel. #jenkinsconf. CI / Liveperson. Gidi Samuels. July 16, #jenkinsconf

How to make your application into a Flatpak

Automating Security Practices for the DevOps Revolution

Rootless Containers with runc. Aleksa Sarai Software Engineer

Infrastructure Security 2.0

Container Pods with Docker Compose in Apache Mesos

The Path to GPU as a Service in Kubernetes Renaud Gaubert Lead Kubernetes Engineer

Deployment Patterns using Docker and Chef

What s Up Docker. Presented by Robert Sordillo Avada Software

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

DevOps and Continuous Delivery USE CASE

Container Detection and Forensics, Gotta catch them all!

RDO container registry Documentation

Oracle Application Container Cloud

Monitor your containers with the Elastic Stack. Monica Sarbu

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Design and Implementation of Log Collection and System Statistics Model for Android Containers in OpenStack

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

Run containerized applications from pre-existing images stored in a centralized registry

Important DevOps Technologies (3+2+3days) for Deployment

TEN LAYERS OF CONTAINER SECURITY

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

Faculté Polytechnique

IoT usecase for Yocto Project

Creating a Reproducible Build System for Docker Images

OS Virtualization. Linux Containers (LXC)

Shipping Call of Duty at Infinity Ward Paul Haile Production 2018 Activision Publishing, Inc.

STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

ovirt and Docker Integration

The Yocto Project. Chris Young S/W Specialist SILICA Europe. Harmonising Software Development across multiple Embedded ARM SOC targets

IBM Bluemix compute capabilities IBM Corporation

From Containers to Cloud with Linux on IBM Z. Utz Bacher STSM Linux and Containers on IBM Z

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

HyperFlex. Simplifying your Data Center. Steffen Hellwig Data Center Systems Engineer June 2016

IBM Cloud Developer Tools (IDT) and App Service Console Overview

CONTINUOUS DELIVERY WITH DC/OS AND JENKINS

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

Transcription:

OCI Runtime Tools for Container Standardization Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>

Agenda Background OCI Introduction Runtime Tools Our Contribution Future Plans Q&A 1

Background Container-based solutions grow rapidly Almost all major IT vendors and cloud providers supply More and more people try to use There is a large ecosystem for container Infrastructure vendor Container runtime & orchestration Many container runtime technologies Docker Rocket/rkt LXD Hyper 2

Ecosystem and Containers Image From CNCF 3

Before A Standard No open industry standards exist Almost everyone has their own specs So, container technology seems to be fragmented Users hard to choose the best tools to build the best applications No standards to evaluate Not sure how to evaluate Users locked into a technology vendor in the long run Hard to fit difference High cost to transfer applications 4

Container Standardization Make open industry standards for container Unambiguous development direction Portability issue Promote development of container technology Help users to choose container-based solutions Users can be guided by choosing the best tools to build the best applications they can Users will not be locked into any technology vendor for the long run Get high quality services 5

Open Container Initiative What is OCI Open Container Initiative, launched on June 22nd 2015 a lightweight, open governance structure (project), formed under the auspices of the Linux Foundation 47 members, almost all major of IT vendors and cloud providers Mission of the OCI promote and promulgate a set of common, minimal, open standards and specifications around container technology Duties of OCI Creating a formal specification for container image formats and runtime Accepting, maintaining and advancing the projects associated with these standards Harmonizing the above-referenced standard with other proposed standards 6

Projects in GitHub runtime-spec specifications for standards on Operating System process and application containers http://github.com/opencontainers/runtime-spec runtime-tools a collection of tools for working with the OCI runtime specification. http://github.com/opencontainers/runtime-tools image-spec creates and maintains the software shipping container image format spec http://github.com/opencontainers/image-spec image-tools a collection of tools for working with the OCI image specification. http://github.com/opencontainers/image-tools

Projects in GitHub runc a CLI tool for spawning and running containers according to the OCI specification http://github.com/opencontainers/runc go-digest common digest package used across container ecosystem http://github.com/opencontainers/go-digest go-selinux common SELinux package used across container ecosystem http://github.com/opencontainers/go-selinux

Runtime Spec Main Content Runtime Spec Bundle Structure Configuration Runtime & Lifecycle Bundle Structure A format for encoding a container Configuration Including supported platforms and details the fields that enable the creation of a container Runtime & Lifecycle Execution environment and actions of container lifecycle 9

Runtime Spec Screenshot

Runtime Spec Screenshot

Runtime Spec Screenshot

Bundle & Container bundle rootfs config Load runtime Run Container A 13

Why Runtime Tools How to judge if a bundle is usable and what s the problem How to judge a container is portable How to judge if a runtime meets requirements of runtime spec 14

Runtime Tools Main Structure Config generation Bundle validation Runtime validation oci-runtime-tools Runtime Spec 15

Runtime Tools Usage & Relation Config generation bundle rootfs config Load runtime Runtime validation Run Bundle validation Container A 16

Configuration Generation Work Flow Convert json to Spec object Template check? Load default minimal temp Load user specified template Spec Version Platform - os - arch Path of rootfs Process: - cwd - args - user Convert Spec object to json Output config - to a file - to stdin Process user specified options Output generated config Parse options, like device=c:10:229:/dev /fuse:filemode=438:u id=0:gid=0 Add to Spec object 17

Configuration Generation Example $ oci-runtime-tool generate { "ociversion": "1.0.0-rc1-dev", "platform": { "os": "linux", "arch": "amd64" }, "process": { "user": { "uid": 0, "gid": 0 }, "args": [ "sh" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin 18

Bundle Validation Work Flow All Spec definitely request Check bundle Bundle structure Rootfs state Spec shema Must be SemVer v2.0.0 format Mounts order Platform os, arch Hook Path Load container config Check config against runtime-spec Config coding Rootfs state 19

Bundle Validation Example $ oci-runtime-tool --host-specific --log-level=debug validate --path ~/testdir/ DEBU[0000] check rootfs path DEBU[0000] check mandatory fields DEBU[0000] check semver DEBU[0000] check mounts DEBU[0000] check platform DEBU[0000] check process DEBU[0000] check os DEBU[0000] check linux DEBU[0000] check linux resources DEBU[0000] check linux seccomp DEBU[0000] check hooks Bundle validation succeeded. 20

Runtime Validation Work Flow runtimetest Do validation Compiled Put into runtime tools Generate bundle Run as container Used by Call &Validate runtime Create & Operate 21

Runtime Validation Detailed Validation Runtime validation Container inside Container outside rootfs mounts devices cgroup lifecycle 22

Runtime Validation Example $ make localvalidation RUNTIME=runc go test -tags "" -v github.com/opencontainers/runtime-tools/validation === RUN TestValidateBasicTAP version 13 ok 1 - root filesystem ok 2 hostname ok 3 - mounts ok 4 capabilities ok 5 - default symlinks ok 6 - default devices ok 7 - linux devices ok 8 - linux process ok 9 - masked paths ok 10 - oom score adj ok 11 - read only paths ok 12 rlimits ok 13 sysctls ok 14 - uid mappings 23

Current State of Runtime-tools Config Generation already finished 80% except blkio, hugepage, devices (but submitted patch) Bundle Validation already finished 70% except groups related, schema Runtime Validation reforming (container inside almost finished) cgroups, lifecycle 24

Our Contribution Runtime-tools: 117 commits Improve coverage of bundle & runtime tests Enhance functionality of runtime-spec generation Bug fix for code and document Runtime-spec: 54 commits Help specify spec entries Image-tools: 27 commits Enhance functionality Bug fix Image-spec: 24 commits Help specify spec entries 25

Future Plans Order of options problem oci-runtime-tools generate --rlimits-remove-all -- rlimits-add RLIMIT_NOFILE:10:10 Runtime validation improvement cgroup related validation container lifecycle validation Platform portability currently can only work on Linux cross validation, windows bundle on Linux? More tests and trials by runtime creators 26

Q&A Thank you! Q&A 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback