Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Similar documents
TEN LAYERS OF CONTAINER SECURITY

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Container Security. Marc Skinner Principal Solutions Architect

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

OS Virtualization. Linux Containers (LXC)

Red Hat Enterprise Virtualization Hypervisor Roadmap. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Container mechanics in Linux and rkt FOSDEM 2016

TEN LAYERS OF CONTAINER SECURITY

RDMA Container Support. Liran Liss Mellanox Technologies

RED HAT ENTERPRISE LINUX 7 BETA

Container Management : First Looks

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

Cisco Virtualized Infrastructure Manager

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

OS Containers. Michal Sekletár November 06, 2016

A Security State of Mind: Container Security. Chris Van Tuin Chief Technologist, West

Red Hat Roadmap for Containers and DevOps

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

, Inc

Introduction to Virtualization and Containers Phil Hopkins

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

CONTAINERS AND MICROSERVICES WITH CONTRAIL

A Greybeard's Worst Nightmare

Investigating Containers for Future Services and User Application Support

CS-580K/480K Advanced Topics in Cloud Computing. Container III

Portable, lightweight, & interoperable Docker containers across Red Hat solutions

TRAINING AND CERTIFICATION UPDATE

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

1 Virtualization Recap

THE STATE OF CONTAINERS

SAINT LOUIS JAVA USER GROUP MAY 2014

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

INTRODUCING CONTAINER-NATIVE VIRTUALIZATION

RED HAT'S CONTAINER STRATEGY. Lars Herrmann General Manager, RHEL, RHEV and Containers June 24, 2015

containerization: more than the new virtualization

Travis Cardwell Technical Meeting

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

What You Need to Know About OpenStack + VMware

Think Small to Scale Big

RED HAT ENTERPRISE VIRTUALIZATION 3.0

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

UNDER THE HOOD. ROGER NUNN Principal Architect/EMEA Solution Manager 21/01/2015

An introduction to Docker

OS Security III: Sandbox and SFI

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

S Implementing DevOps and Hybrid Cloud

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

Container Security and new container technologies. Dan

Containers and isolation as implemented in the Linux kernel

Docker and Oracle Everything You Wanted To Know

Build an open hybrid cloud and paint it red and blue

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

The four forces of Cloud Native

OPENSHIFT GEARS. How to run arbitrary code on you servers and still sleep at night. MIKE McGrath

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Multi-tenancy Virtualization Challenges & Solutions. Daniel J Walsh Mr SELinux, Red Hat Date

Deployment Patterns using Docker and Chef

Replacing Docker With Podman. By Dan

Docker for People. A brief and fairly painless introduction to Docker. Friday, November 17 th 11:00-11:45

Docker Deep Dive. Daniel Klopp

OPENSHIFT FOR OPERATIONS. Jamie Cloud Guy - US Public Sector at Red Hat

How Container Runtimes matter in Kubernetes?

Virtualizaton: One Size Does Not Fit All. Nedeljko Miljevic Product Manager, Automotive Solutions MontaVista Software

Merging Enterprise Applications with Docker* Container Technology

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Learn. Connect. Explore.

State of Containers. Convergence of Big Data, AI and HPC

IEEE Sec Dev Conference

Red Hat Certified System Administrator (RHCSA) RHCSA 7 Requirements and Syllabus

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

The speed of containers, the security of VMs. KataContainers.io

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Cauldron: A Framework to Defend Against Cache-based Side-channel Attacks in Clouds

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Red Hat Open Source Open Standards Cooperation and Freedom. Xander D Harkness Senior Enterprise Consultant, Red Hat May 2008

Docker and Security. September 28, 2017 VASCAN Michael Irwin

[Docker] Containerization

A REFERENCE ARCHITECTURE FOR DEPLOYING WSO2 MIDDLEWARE ON KUBERNETES

Docker Security. Mika Vatanen

Allowing Users to Run Services at the OLCF with Kubernetes

CSC 5930/9010 Cloud S & P: Virtualization

Hacking and Hardening Kubernetes

KVM Forum Vancouver, Daniel P. Berrangé

Zdeněk Kubala Senior QA

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Red Hat Enterprise Linux 8.0 Beta

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Cloud I - Introduction

How to Put Your AF Server into a Container

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

Introduction to containers

Transcription:

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC Bhavna Sarathy Senior Technology Product Manager, Red Hat Linda Wang Senior Eng. Manager, Red Hat Bob Kozdemba Principal Soln. Architect, Red Hat

Define the problem 1 Benefits Architecture 3 5 2 Use Cases Building Blocks Q&A 6 Demo 7

Defining the problem space How do you deploy this service? 400 users 1 quad core Service Server MongoDB Service

Defining the problem space Server w/ 4000 cores How do you deploy this service? 400,000 users 1 quad core Service MongoDB Service Server MongoDB Services

Containerize!

How about Red Hat Linux Containers? Value Proposition Server 1: 100 containers Application isolation mechanism for Light-weight multi-tenancy Server 2: 100 containers 400,000 users Server 40: 100 containers

RHEL 7 Linux Containers Use Case 1 Host Containers Identical Containers Host RHEL Host Containers RHEL 7 host carved into secure containers Each container running RHEL 7 userspace Pro : Security erratas can be applied easily with yum update Con : Limited to RHEL 7 runtimes

RHEL 7 Linux Containers Use Case 2 Image-based Containers Non-identical Containers Docker format RHEL 6 RHEL 7 RHSCL Fedora Image-based Containers Docker builds on Linux Containers and provides format for content distribution Docker includes the userspace runtime of an application

Image-based Containers with Docker technology App Layer Base Image Layered Image 2 App A SCL 1 RHEL 7 Runtime App B SCL 2 RHEL 6.5 Runtime App C SCL3 RHEL6.6 Runtime Layered Image 1 Base Image RHEL 7 Container Host

10 Early access information. To be shared under NDA only.

Linux Containers in Red Hat Enterprise Linux 7 Identical Containers Non-identical Containers Host Containers Image-based Containers Host RHEL Red Hat Enterprise Linux 7 RHEL 6 RHEL 7 RHSCL Fedora

RHEL 7 Deployment Models Containers can be deployed in baremetal or virtual RHEL 7 supports both Virtualization with KVM and Linux Containers App A App B App C Runtime Runtime Runtime A B C Service Mgmt Containers Containers Container Host OS & Central Shared Services App A App B App C Runtime A Runtime B Runtime C Service Containers Mgmt Containers Container Host OS & Central Shared Services Kernel & Virt Drivers Hypervisor Host OS Kernel & HW Drivers Kernel & HW Drivers Hardware Hardware

RHEL 7 Linux Containers Benefits Integrated application delivery w/ Image-based solutions Light weight Application Isolation RHEL 7 Linux Containers Application Mobility Minimal footprint Simplified application delivery

RHEL 7 Container Host App A Runtime A App B Runtime B Service Containers App C Runtime C Mgmt Containers Container Host OS & Central Shared Services Kernel & HW Drivers Hardware

RHEL 7 Linux Containers - Building Blocks Process Isolation Resource Management Security Management

Linux Containers Features and Architecture

Linux Containers Resource Management Process Isolation Resource Management Security Management 17 Early access information. To be shared under NDA only.

Resource Management Control Groups Memory Network CPU Block IO Cgroups Cgroups Linux Kernel Hardware (Intel, AMD)

Control Groups In a Container Environment

Control Groups Resource Control

Control Groups - Usability Improvements RHEL6 Any privileged process can manage Cgroups No coordination and with unexpected results Kernel moving to single writer mode Kernel does not enforce this yet... RHEL7 systemd will manage cgroups Recommended to use systemd APIs in RHEL7 New concept of Scopes/Slices https://www.youtube.com/watch?v=msg4jw187is http://www.freedesktop.org/wiki/software/systemd/controlgroupinterface

Control Groups - Usability Improvements: Scopes Systemd puts all related worker PIDs into cgroup called a scope. Services Apache processes in same services/apache scope Mysql processes in same services/mysql scope Apache/Mysql get an equal slice of the system Users accounts All users get an equal slice Machines All containers/vms get an equal slice No service/user/machine can dominate system

Control Groups Systemd s Scope

Control Groups Systemd s Slice

Control Groups - Usability Improvements: Slices Special unit file for assigning resource constraints Slices get assigned to scopes Systemd automatically assigns services to system.slice You can override resource with Unit file configuration MemoryLimit=1g Command Line #> systemctl set-property httpd.service CPUShares=524 MemoryLimit=500M Systemd will assign Containers to machine.slice You can override by editing /etc/systemd/system/big-machine.slice

Linux Containers Process Isolation Process Isolation Resource Management Security Management 26 Early access information. To be shared under NDA only.

Process Isolation - Namespaces

Process Isolation - Namespaces Isolate processes Create a new environment with a Subset of the resources Once set up, namespaces are transparent for processes Can be used in custom and complex scenarios Supported Namespaces ipc, pid, mnt, net, uts Future Red Hat Enterprise Linux 7: user namespace

Process Isolation - Namespaces Namespaces Mount PID (process ID) Network UTS IPC Functionality What does it mean? Isolate the set of FS mount points seen by processes Process can have same PID in different NS (include PID1) /tmp in container can be different in ns Remount / read only within namespace Process in NS can t see/interact with process outside All processes are visable in root PID NS Each NS has its own private loopback IF Commonly used with virtual ethernet IF pair No impact to the rest of the system Useful when combined with Network NS Resources are only accessible within the Namespace Isolate the networking stack: ip addr, routes, netfilter iptable rules Set a different host and domain names for NS Private inter-process communication environment: message queues, semaphores, shared memory

Process Isolation - User Namespace May be enabled in future releases... Mapping between UIDs and GIDs 5000-6100 on Root Namespace 0-1100 in User Namespace Super user (UID 0) possible inside the Namespace Configuring network on a network namespace Binding to ports < 1024 Treated as unprivileged UID 5000 outside namespace

Linux Containers - Security Process Isolation Resource Management Security Management 31 Early access information. To be shared under NDA only.

SELinux Security

SELinux - Security Web DNS Mail Linux Kernel Each container process is confined in its own sandbox Each process is confined in its own sandbox, distinct from the others. distinct from other the other processes

Web DNS Mail Linux Kernel When a process is attacked... Each process is confined in its own sandbox, distinct from the others.

Web DNS Mail Linux Kernel...and compromised, there is far less exposure. Only the...and compromised, there is far less exposure. You lose the process, not the container process is lost lose the process not the system. system.

Web DNS Secret Unclassified Mail Unclassified Linux Kernel Label the container process with multiple level using SELinux Multi We can label the sandboxes with a level of sensitivity and categories. Level Security (MLS)

SELinux and Docker SELinux Docker Image Docker Containers Resource Mgmt Namespaces RHEL Kernel

Linux Containers - Management Process Isolation Resource Management Security Management

System and Container Management

Docker CLI Docker format Tool to package an application and its runtime dependencies for deployment into a Linux Container Docker 0.9 includes libcontainer, native LXC implementation

Red Hat Enterprise Linux 7 Containers Architecture with Docker CLI Containers Cgroups Drivers Containers Containers DOCKER CLI Docker Image SYSTEMD Unit File Namespaces RHEL Kernel Hardware (Intel, AMD) SELinux

Systemd Cgroup Configuration passed to Docker Systemd httpd_container.service ExecStart: Docker start rhel7/httpd Docker MemLimit 500k Unit File httpd

Systemd Socket Activation of Docker Containers 80 Systemd httpd_container.service ExecStart: Docker start rhel7/httpd [socket] ListenStream=80 Unit File

Systemd Socket Activation of Docker Containers 80 Systemd httpd_container.service ExecStart: Docker start rhel7/httpd Docker [socket] ListenStream=80 Unit File 80 httpd

Red Hat Certification for Containerized Apps http://www.redhat.com/about/news/press-archive/2014/3/red-hat-announces-certification-for-containerized-applications-extends-customer-confidence-and-trust-to-the-cloud

Demo

Linux Containers in RHEL 7 - Key Takeways Application isolation mechanism for Light-weight multi-tenancy Application centric packaging w/ Docker image-based containers Linux Containers Productization Key kernel enablers full support in RHEL 7 GA Docker 1.0 shipped with RHEL 7 GA Linux Container Certification Red Hat and Docker partnership to build enterprise grade Docker containers

Linux Container Sessions, Demos and Labs Time Title Venue Wed 1:20 PM 2:20 PM Portable, lightweight and interoperable Docker containers across Red Hat Solutions Room 236 Wed 3:50 PM 5:50 PM Containers & resource management in Red Hat Enterprise Linux Room 105 7 Beta (Hand-on Lab) Wed 11:00 AM 1:00 PM Linux Containers and Application Isolation Demo Red Hat Booth (Infrastructure Pod 1) Wed 1:20 PM 3:20 PM Implementing & managing OpenShift Enterprise Labs II Wed 11:30 AM 2:00 PM Next Generation Container Management Demo Emerging Technologies Red Hat Booth ( Pod 31)

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback