Multi-Arch Layered Image Build System

Similar documents
Creating a Reproducible Build System for Docker Images

Creating a Reproducible Build System for Docker Images

TEN LAYERS OF CONTAINER SECURITY

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

ovirt and Docker Integration

Docker and Oracle Everything You Wanted To Know

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

Red Hat Roadmap for Containers and DevOps

[Docker] Containerization

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

UP! TO DOCKER PAAS. Ming

Containerizing GPU Applications with Docker for Scaling to the Cloud

TEN LAYERS OF CONTAINER SECURITY

THE STATE OF CONTAINERS

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

Getting Started With Containers

A Greybeard's Worst Nightmare

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

RED HAT GLUSTER TECHSESSION CONTAINER NATIVE STORAGE OPENSHIFT + RHGS. MARCEL HERGAARDEN SR. SOLUTION ARCHITECT, RED HAT BENELUX April 2017

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

Security oriented OpenShift within regulated environments

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

S Implementing DevOps and Hybrid Cloud

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

Backup strategies for Stateful Containers in OpenShift Using Gluster based Container-Native Storage

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

Continuous Integration using Docker & Jenkins

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

How to make your application into a Flatpak

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Important DevOps Technologies (3+2+3days) for Deployment

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

Container Security and new container technologies. Dan

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Kuber-what?! Learn about Kubernetes

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

OpenShift Dedicated 3 Release Notes

Red Hat JBoss Middleware for OpenShift 3

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

How Container Runtimes matter in Kubernetes?

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Travis Cardwell Technical Meeting

Secure Kubernetes Container Workloads

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

Red Hat OpenShift Application Runtimes 1

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Define Your Future with SUSE

Simple custom Linux distributions with LinuxKit. Justin Cormack

Container Orchestration on Amazon Web Services. Arun

I keep hearing about DevOps What is it?

Introduction to Docker. Antonis Kalipetis Docker Athens Meetup

Orchestrating the Continuous Delivery Process

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Red Hat Containers Roadmap. Red Hat A panel of product directors

Agile CI/CD with Jenkins and/at ZeroStack. Kiran Bondalapati CTO, Co-Founder & Jenkins Admin ZeroStack, Inc. (

/ Cloud Computing. Recitation 5 February 14th, 2017

Frédéric Crozat SUSE Linux Enterprise Release Manager

EVERYTHING AS CODE A Journey into IT Automation and Standardization. Raphaël Pinson

OpenShift Hyper-Converged Infrastructure Bare Metal Deployment with Containerized Gluster

Introduction to the Open Service Broker API. Doug Davis

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

VMWARE PIVOTAL CONTAINER SERVICE

FROM VSTS TO AZURE DEVOPS

The four forces of Cloud Native

InterSystems Cloud Manager & Containers for InterSystems Technologies. Luca Ravazzolo Product Manager

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

More Containers, More Problems

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

/ Cloud Computing. Recitation 5 September 26 th, 2017

Running MarkLogic in Containers (Both Docker and Kubernetes)

Container Management : First Looks

Container Deployment and Security Best Practices

Microservice Deployment. Software Engineering II Sharif University of Technology MohammadAmin Fazli

Openshift: Key to modern DevOps

Building Microservices with the 12 Factor App Pattern

Delivering Red Hat OpenShift at Ease on Red Hat OpenStack and RHV

Developing Kubernetes Services

SAINT LOUIS JAVA USER GROUP MAY 2014

Beyond 1001 Dedicated Data Service Instances

DevOps Technologies. for Deployment

WHEN CONTAINERS AND VIRTUALIZATION DO - AND DON T - WORK TOGETHER

Knative: Building serverless platforms on top of Kubernetes

Upcoming Services in OpenStack Rohit Agarwalla, Technical DEVNET-1102

Cloud I - Introduction

Dockerized Tizen Platform

Welcome to Docker Birthday # Docker Birthday events (list available at Docker.Party) RSVPs 600 mentors Big thanks to our global partners:

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Transcription:

Multi-Arch Layered Image Build System PRESENTED BY: Adam Miller Fedora Engineering, Red Hat CC BY-SA 2.0

Today's Topics Define containers in the context of Linux systems Brief History/Background Container Implementations in Linux Base Image vs Layered Image Why Fedora Containers? Why Multi-Arch Containers? Fun history lesson What is OpenShift? Define Release Engineering How does this all work? How does it work today? How will it work with multi-arch?

Containers

What are containers? Operating-system-level Virtualization We (the greater Linux community) like to call them containers OK, so what is Operating-system-level Virtualization? The multitenant isolation of multiple user space instances or namespaces. Traditional OS APP A APP B LIBS A LIBS B Containers LIBS HOST OS HARDWARE LIBS CONTAINER CONTAINER APP A APP B LIBS A LIBS HOST OS HARDWARE

Containers are not new The concept of containers is not new chroot was the original container, introduced in 1982 Unsophisticated in many ways, lacking the following: COW Quotas I/O rate limiting cpu/memory constraint Network Isolation Brief (not exhaustive) history of sophisticated UNIX-like container technology: 2000 - FreeBSD jails 2001 Linux Vserver 2004 Solaris Zones 2005 - OpenVZ 2008 LXC (This is where things start to get interesting) 2011 - Systemd nspawn 2013 - dotcloud releases Docker (later renames itself to Docker Inc) 2015 - runc is released under the purview of Open Container Initiatives 2016 - containerd - runc orchestration daemon

Layered Images vs Base Images

Base vs Layered Images CONTAINER Fedora 25 BASE IMAGE Fedora 25 APP LAYER Fedora 25 APP Fedora 25 APP Fedora 25 APP Fedora 25 APP APP LIBS Fedora 25 Host Fedora 26 Host HARDWARE OR VM HARDWARE OR VIRTUAL MACHINE

Why?

Why.? Why Fedora Containers? Delivering Fedora Content faster to users Automatically generating release artifacts with security updates Lowering the barrier of entry for contributors Note: There are some obstacles here but plans in place to get past them Why Multi-Arch? Fedora isn t just a x86_64 distro Internet of Things (IoT) The Magical ARM Revolution Other architectures matter! We don t know what s next, best not to box ourselves in.

History Lesson

How FLIBS happened. Matt Miller, Fedora s Fearless Leader (Fedora Project Leader) There s this open source layered image build system I heard about, we should deploy one! (Paraphrasing) Initial discussions estimated about four weeks of work to deploy a new service in the Fedora Infra and tie it into various build, test, and messaging services. There was an incorrect assumption that it was a finished product

OSBS History Phase 1 Single-Node builder Finished in a few months Image Format v2, Registry v2, Manifest v2 - this broke the original implementation Phase 2 Scale-out deployment Fully compat with Image Format v2, Manifest v2, Registry v2 Automated tests can be tied to the output of OSBS RelEng is able to then "promote" images to a "production" or "stable" registry/tag/repository Phase 3 (Happening Now) Image Registry Scale-out - Done Search/Advertise image registry - In flight CVE/Security metadata for updates - Planning Phase 4 Orchestrator/Worker Architecture Multi-Arch

OpenShift

OpenShift OpenShift Container Platform built on top of Kubernetes Advanced Features Build Pipelines Image Streams Application Lifecycle Management CI/CD Integrations Binary Deployment Triggers (Event, Change, Image, Web, etc) REST API, Command line interface, IDE Integrations Web UI and Admin dashboard

OpenShift CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER SELF-SERVICE SERVICE CATALOG (LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES, ) BUILD AUTOMATION DEPLOYMENT AUTOMATION APPLICATION LIFECYCLE MANAGEMENT (CI / CD) CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT (KUBERNETES) NETWORKING STORAGE REGISTRY LOGS & METRICS INFRASTRUCTURE AUTOMATION & COCKPIT CONTAINER RUNTIME & PACKAGING (DOCKER) ATOMIC HOST Fedora / CentOS / Red Hat Enterprise Linux SECURITY

OpenShift/Kubernetes Overview Node Client Pod Pod Container Container Container Container Container Container Pod Pod Container Container Container Container Container Container Pod...... Pod...... Master REST API Node Scheduler

Release Engineering

Release Engineering What is Release Engineering? Making a software production pipeline that is Reproducible, Auditable, Definable, and Deliverable It should also be able to be automated Definition (or the closest there really is) Release engineering is the difference between manufacturing software in small teams or startups and manufacturing software in an industrial way that is repeatable, gives predictable results, and scales well. These industrial style practices not only contribute to the growth of a company but also are key factors in enabling growth. - Boris Debic of Google Inc

Layered Image Build Service

OSBS OpenShift Build Service Takes advantage of OpenShift s built in Build primitive with a Custom Strategy and BuildConfig Relies on OpenShift for scheduling of build tasks throughout the cluster Presents this defined component to developers/builders as CLI and Python API osbs enforces that the inputs come from auditable sources. This defines what can be the inputs to a build Git repo for source Dockerfile, git commits and builds centrally logged BuildRoot - limited docker runtime Firewall constrained docker bridge interface Unprivileged container runtime with SELinux Enforcing Inputs are sanitized before reaching to build phase Unknown or unvetted sources are disallowed by the system Uses OpenShift ImageStreams as input sources to BuildRoot Planned utilization of OpenShift Triggers to spawn rebuild actions based on parent image changes Factory 2.0 will also launch new builds for when RPM content changes

OSBS - Continued atomic-reactor Single-pass Docker build tool used inside constrained buildroot in OSBS Automates tasks via plugins, such as: pushing images to a registry when successfully built injecting yum/dnf repositories inside Dockerfile (change source of your packages for input sanitization/gating) change base image (FROM) in your Dockerfile to match that of the registry available inside the isolated buildroot, run simple tests after image is built Gating of updates Automated tests can be tied to the output of OSBS RelEng is able to then "promote" images to a "production" or "stable" registry/tag/repository

Build System osbs cli Users OSBS Registry OpenShift Origin Candidate Images atomic-reactor Stable + Updates osbs-client API Server Deployments

Fedora s Implementation Fedora Layered Image Maintainers Registry Candidate Images Stable + Updates Koji RPM Builds Container-build DistGit Dockerfile ISO & Cloud Images fedpkg container-build Service init Scripts Tests Docs OSBS OpenShift Origin atomic-reactor osbs-client API Users

Multi-Arch Build System OSBS - Orchestrator OpenShift Origin atomic-reactor osbs-client API OSBS - x86_64 Worker OpenShift Origin atomic-reactor Users osbs-client API Koji RPM Builds OSBS - aarch64 Worker Container-build ISO & Cloud Images DistGit OpenShift Origin atomic-reactor fedpkg container-build Dockerfile Service init Scripts Tests Docs Fedora Layered Image Maintainers osbs-client API OSBS - ppc64le Worker OpenShift Origin atomic-reactor osbs-client API Registry Candidate Images Stable + Updates Server Deployments

Fedora s Implementation DistGit ( Distro Git ) Registry Each Branch = Fedora Release master branch is Devel (codename Rawhide ) Upload/download destination, point of distribution fedpkg Fedora Package Maintainer helper tool Manages distgit branches Initiate builds (local and remote, mock integration) Much more Orchestrator Koji Fedora s authoritative build system Everything for Fedora is built here or it s build is integrated here Live USB images, DVD ISOs, IaaS Cloud Images, RPMs, Docker This defines what can be the inputs to a build OpenShift Cluster that orchestrates the builds across the arch-specific Koji point of contact fedpkg Fedora Package Maintainer helper tool Manages distgit branches Initiate builds (local and remote, mock integration) Much more Koji-containerbuild Plugin to orchestrate builds between Koji and OSBS

Lessons Learned The OSBS Upstream Team is fantastic The OpenShift Team is also fantastic OpenShift is really powerful The container technology space moves *fast* Nothing is set in stone Don t expect APIs to remain relevant Don t expect backwards compatibility People are starting to care about architectures other than x86_64 (They have for a while, but now it s gaining traction)

Questions? CONTACT: maxamillion@fedoraproject.org @TheMaxamillion CC BY-SA 2.0

References https://en.wikipedia.org/wiki/operating-system-level_virtualization https://coreos.com/blog/rocket https://coreos.com/blog/appc-gains-new-support https://www.docker.com https://github.com/docker/distribution http://www.redhat.com/en/insights/containers http://www.projectatomic.io http://www.openshift.org https://www.openshift.com http://www.redhat.com/en/about/blog/red-hat-and-google-collaborate-kubernetes-manage-docker-containers-scale http://rhelblog.redhat.com/2014/04/15/rhel-7-rc-and-atomic-host http://opencontainers.org http://runc.io http://queue.acm.org/detail.cfm?id=2884038 http://containerd.tools https://drive.google.com/file/d/0b_jl94nmodqdsfvseuotqvb1rnc/view?usp=sharing http://valleyproofs.debic.net/2009/03/behind-scenes-production-pushes.html https://github.com/release-engineering/koji-containerbuild https://github.com/projectatomic/atomic-reactor https://pagure.io/koji https://fedorahosted.org/koji/wiki https://bugzilla.redhat.com/show_bug.cgi?id=1243736 https://fedoraproject.org/wiki/changes/layered_docker_image_build_service https://osbs.readthedocs.io/en/latest/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback