containerization: more than the new virtualization

Similar documents
Engineering Robust Server Software

Introduction to Containers

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Travis Cardwell Technical Meeting

Asterisk & the Docker revolution Some lessons from the trenches

Think Small to Scale Big

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

docker & HEP: containerization of applications for development, distribution and preservation

An introduction to Docker

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

Kubernetes The Path to Cloud Native

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

[Docker] Containerization

Getting Started With Containers

Introduction to containers

Docker und IBM Digital Experience in Docker Container

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Arup Nanda VP, Data Services Priceline.com

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

Con$nuous Deployment with Docker Andrew Aslinger. Oct

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Logging, Monitoring, and Alerting

Best Practices for Developing & Deploying Java Applications with Docker

1 Virtualization Recap

Is it safe to run applications in Linux Containers?

Portable, lightweight, & interoperable Docker containers across Red Hat solutions

sottotitolo Network Administration Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Leveraging Docker and CoreOS to provide always available Cassandra at Instaclustr

Who is Docker and how he can help us? Heino Talvik

Infrastructure Security 2.0

Deployment Patterns using Docker and Chef

4 Effective Tools for Docker Monitoring. By Ranvijay Jamwal

Community Enterprise Operating System (CentOS 7) Courses

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

minit Felix von Leitner September 2004 minit

The Post-Cloud. Where Google, DevOps, and Docker Converge

Introduction to virtualisation, hardware, cloud, containers, unikernels, microkernels. and everything else

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

I/O and virtualization

SQL Server inside a docker container. Christophe LAPORTE SQL Server MVP/MCM SQL Saturday 735 Helsinki 2018

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

Linux for Beginners. Windows users should download putty or bitvise:

Java Architectures A New Hope. Eberhard Wolff

PROCESSES. Jo, Heeseung

Processes. Jo, Heeseung

DevOps in the Cloud A pipeline to heaven?! Robert Cowham BCS CMSG Vice Chair

Quick Prototyping+CI with LXC and Puppet

Network softwarization Lab session 2: OS Virtualization Networking

Linux Systems Security. Logging and Network Monitoring NETS1028 Fall 2016

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

" Qué me estás container?" Docker for dummies

Offloading MySQL to Remote Server

Building A Better Test Platform:

commands exercises Linux System Administration and IP Services AfNOG 2015 Linux Commands # Notes

Dell Protected Workspace Management

Introduction to Docker. Antonis Kalipetis Docker Athens Meetup

Container-based virtualization: Docker

TECHNICAL BRIEF. Scheduling and Orchestration of Heterogeneous Docker-Based IT Landscapes. January 2017 Version 2.0 For Public Use

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Jenkins: A complete solution. From Continuous Integration to Continuous Delivery For HSBC

PVS Deployment in the Cloud. Last Updated: June 17, 2016

Mastering Linux. Paul S. Wang. CRC Press. Taylor & Francis Group. Taylor & Francis Croup an informa business. A CHAPMAN St HALL BOOK

CS-580K/480K Advanced Topics in Cloud Computing. Container III

CS197U: A Hands on Introduction to Unix

Midterm Presentation Schedule

Setting up PostgreSQL

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Getting Started with Hadoop

P a g e 1. Teknologisk Institut. Online kursus k SysAdmin & DevOps Collection

Upgrade Guide. This document details the upgrade process for customers moving from the full version of OnApp Cloud v2.3.1 to v2.3.2.

INSTITUTE OF AERONAUTICAL ENGINEERING (Autonomous) Dundigal, Hyderabad

Oracle Corporation 1

A Hands on Introduction to Docker

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

Unix Processes. What is a Process?

Investigating Containers for Future Services and User Application Support

Docker Deep Dive. Daniel Klopp

Linux Driver and Embedded Developer

CONTAINERS AND MICROSERVICES WITH CONTRAIL

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Introduction to Virtualization and Containers Phil Hopkins

Introduction to the shell Part II

Raw Packet Capture in the Cloud: PF_RING and Network Namespaces. Alfredo

Outline Background Jaluna-1 Presentation Jaluna-2 Presentation Overview Use Cases Architecture Features Copyright Jaluna SA. All rights reserved

Department of Computer Science and Technology

ISSN (Online)

Contents in Detail. Acknowledgments

INSTITUTE OF AERONAUTICAL ENGINEERING (Autonomous) Dundigal, Hyderabad

Containers. Pablo F. Ordóñez. October 18, 2018

Topics. Operating System. What is an Operating System? Let s Get Started! What is an Operating System? Where in the Book are we?

What are some common categories of system calls? What are common ways of structuring an OS? What are the principles behind OS design and

What s Up Docker. Presented by Robert Sordillo Avada Software

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

UNIT I Linux Utilities

@joerg_schad Nightmares of a Container Orchestration System

The failure of Operating Systems,

PYTHON TRAINING COURSE CONTENT

Transcription:

containerization: more than the new virtualization

Jérôme Petazzoni (@jpetazzo) Grumpy French DevOps - Go away or I will replace you with a very small shell script Runs everything in containers - Docker-in-Docker - VPN-in-Docker - KVM-in-Docker - Xorg-in-Docker -...

outline

Outline Containers as lightweight VMs Containers vs VMs Separation of operational concerns Benefits Conclusions

containers as lightweight VMs

It looks like a VM Private process space Can run stuff as root Private network interface and IP address Custom routes, iptables rules, etc. Can mount filesystems and more

Process tree in a machine container PID 1 104 105 108 106 109 117 119 135 107 110 TTY??????? pts/0 pts/0?? STAT Ss+ S+ Ss S Ss S Ss Ss R+ Ss S TIME COMMAND 0:00 /usr/bin/python3 -u /sbin/my_init --enable-insecure-key 0:00 /usr/bin/runsvdir -P /etc/service 0:00 \_ runsv syslog-ng 0:00 \_ syslog-ng -F -p /var/run/syslog-ng.pid --no-caps 0:00 \_ runsv sshd 0:00 \_ /usr/sbin/sshd -D 0:00 \_ sshd: root@pts/0 0:00 \_ -bash 0:00 \_ ps fx 0:00 \_ runsv cron 0:00 \_ /usr/sbin/cron -f

Faster to boot, less overhead than a VM $ time docker run ubuntu echo hello world hello world real 0m0.258s Disk usage: less than 100 kb Memory usage: less than 1.5 MB

Benchmark: infiniband

Benchmark: boot OpenStack instances

Benchmark: memory speed

impossibru!

containers vs virtual machines

Virtual Machines Emulate CPU instructions (painfully slow) Emulate hardware (storage, network...) (painfully slow) Run as a userland process on top of a kernel (painfully slow)

Virtual Machines Use native CPU (fast!) Paravirtualized storage, network... (fast, but higher resource usage) Run on top of a hypervisor (faster, but still some overhead)

Containers Processes isolated from each other Very little extra code path (in many cases, it's comparable to UID checking)

Virtual Machines vs Containers Native CPU Paravirtualized devices Hypervisor Native CPU Native syscalls Native kernel

Inter-VM communication Strong isolation, enforced by hypervisor + hardware - no fast-path data transfer between virtual machines - yes, there are PCI pass-throughs and things like xenbus, but that's not easy to use, very specific, not portable Most convenient method: network protocols (L2/L3) But: huge advantage from a security POV

Inter-container communication Tunable isolation - each namespace can be isolated or shared Allows normal Unix communication mechanisms - network protocols on loopback interface - UNIX sockets - shared memory - IPC... Reuse techniques that we know and love (?)

inter-container communication

Shared localhost Multiple containers can share the same localhost (by reusing the same network namespace) Communication over localhost is very very fast Also: localhost is a well-known address

Shared filesystem A directory can be shared by multiple containers (by using a bind-mount) That directory can contain: - named pipes (FIFOs) - UNIX sockets - memory-mapped files Bind-mount = zero overhead

Shared IPC Multiple containers can share IPC resources (using the special IPC namespace) Semaphores, Shared Memory, Message Queues... Is anybody still using this?

Host networking Containers can share the host's network stack (by reusing its network namespace) They can use the host's interfaces without penalty (high speed, low latency, no overhead!) Native performance to talk with external containers

Host filesystems Containers can share a directory with the host Example: use fast storage (SAN, SSD...) in container - mount it on the host - share it with the container - done! Native performance to use I/O subsystem

separation of operational concerns

...What? Ops functions (backups, logging...) can be performed in separate containers Application containers can run unchanged in various environments: dev, test, QA, prod...

logs

Old style ssh into container cd /var/log tail, grep, ack-grep, awk, sed, apachetop, perl, etc.

New style Create a data container to hold the logs docker run --name logs -v /var/log busybox true Start app container sharing that volume docker run --volumes-from logs myapp Inspect logs docker run -ti --volumes-from logs -w /var/log ubuntu bash Use fancy tools without polluting app container docker run -ti --volumes-from logs turbogrep...

Bonus points Ship logs to something else (logstash, syslog...) docker run --volumes-from logs pipestash Change logging system independently: - without rebuilding app container - without restarting app container - run multiple logging systems at the same time (e.g. for migration)

backups

Old style Prepare the tools - install things like rsync, s3cmd, boto, mysqldump... - get backup script Perform one-shot manual backup - SSH and run the backup script Set up routine backups - edit crontab

New style: setup Create a data container to hold the files to back up docker run --name mysqldata -v /var/lib/mysql busybox true Start app container sharing that volume docker run --volumes-from mysqldata mysql Create a separate image with backup tools - Dockerfile with apt-get install rsync s3cmd...

New style: one-shot manual backup Use the special backup image docker run --rm --volumes-from mysqldata mysqlbackup \ tar -cjf- /var/lib/mysql stream-it-to-the-cloud.py Of course, you can use something fancier than tar (e.g. rsync, tarsnap...)

New style: routine backups Option 1 - run crond in backup image - start backup image and keep it running Option 2 - start backup script from a crontab entry on the Docker host Option 3 - have a special cron container - give it access to the Docker API - let it start the backup container at regular intervals

network debugging

Old style ssh into container Install tcpdump, ngrep, Run them

New style Make a container image with tcpdump, ngrep... (let's call it netdebug ) Run it in the namespace of the application container docker run -ti --net container:<app_cid> netdebug bash Now run tcpdump, ngrep, etc. Want to copy a dump to see it with wireshark? docker run -ti --net container:... -v /tmp:/tmp netdebug \ tcpdump -s0 -peni eth0 -w/tmp/myapp.pcap

configuration tweaking

Old style ssh into container vi /etc/tomcat/something.xml (maybe) /etc/init.d/tomcat restart

New style Option 1 - set up /etc/tomcat to be a data container - start another container sharing this volume; install vi/emacs here Option 2 - set up /etc/tomcat to be on the host: docker run -v /etc/containers/myapp:/etc/tomcat If needed: restart the container - docker stop; docker start - docker kill -s HUP

epiphany

composition

Virtual Machine deployment Linux base system Libraries Application Logging Backups Metrics...

With configuration management node www { include include include include include } common web logstash backup graphite

Problems Conflicts between two components - example: logging and metrics systems use different Java versions Software certified for different distro - example: one component requires RHEL 6.4 but you run Ubuntu Migration from one component to another - example: from syslog to splunk

Container deployment Linux base system Docker Application container Logging container Backups container Metrics container...

benefits

Immutable infrastructure What's an immutable infrastructure? - re-create images each time you change a line of code - prevent (or track) modifications of running images Why is it useful? - no more rebellious servers after manual upgrades - no more oops, how do we roll back? after catastrophic upgrade - easier security audit (inspect images at rest) How can containers help? - container images are easier to create and manage than VM images

Micro-service architecture What's a micro-service architecture? - break your big application down into many small services Why is it useful? - it's easier to upgrade/refactor/replace a small service - encourages to have many small teams*, each owning a service (*small teams are supposedly better; see Jeff Bezos' two-pizza rule ) How can containers help? - problem: 10 micro-services instead of 1 big application = 10x more work to deploy everything - solution: need extremely easy deployment; hello containers!

thank you! questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback