Introduction to containers

Similar documents
Introduction to Containers

An introduction to Docker

Travis Cardwell Technical Meeting

Engineering Robust Server Software

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Deployment Patterns using Docker and Chef

Getting Started With Containers

Arup Nanda VP, Data Services Priceline.com

What s Up Docker. Presented by Robert Sordillo Avada Software

Container-based virtualization: Docker

CS-580K/480K Advanced Topics in Cloud Computing. Container III

Docker und IBM Digital Experience in Docker Container

Containers. Pablo F. Ordóñez. October 18, 2018

1 Virtualization Recap

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

[Docker] Containerization

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

Investigating Containers for Future Services and User Application Support

Deploying a distributed application with OpenStack

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Infoblox Kubernetes1.0.0 IPAM Plugin

Docker for HPC? Yes, Singularity! Josef Hrabal

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Building A Better Test Platform:

Container mechanics in Linux and rkt FOSDEM 2016

Faculté Polytechnique

OS Virtualization. Linux Containers (LXC)

A Hands on Introduction to Docker

Harbor Registry. VMware VMware Inc. All rights reserved.

Midterm Presentation Schedule

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

Zephyr Kernel Installation & Setup Manual

CONTAINERIZING JOBS ON THE ACCRE CLUSTER WITH SINGULARITY

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

Run containerized applications from pre-existing images stored in a centralized registry

Portable, lightweight, & interoperable Docker containers across Red Hat solutions

Using DC/OS for Continuous Delivery

/ Cloud Computing. Recitation 5 September 26 th, 2017

Who is Docker and how he can help us? Heino Talvik

OS Containers. Michal Sekletár November 06, 2016

Index. Bessel function, 51 Big data, 1. Cloud-based version-control system, 226 Containerization, 30 application, 32 virtualize processes, 30 31

IBM Bluemix compute capabilities IBM Corporation

/ Cloud Computing. Recitation 5 February 14th, 2017

ovirt and Docker Integration

The Post-Cloud. Where Google, DevOps, and Docker Converge

Raw Packet Capture in the Cloud: PF_RING and Network Namespaces. Alfredo

Infrastructure at your Service. Oracle over Docker. Oracle over Docker

Code: Slides:

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

what is the problem to be solved

docker & HEP: containerization of applications for development, distribution and preservation

Docker & why we should use it

SQL Server inside a docker container. Christophe LAPORTE SQL Server MVP/MCM SQL Saturday 735 Helsinki 2018

RDMA Container Support. Liran Liss Mellanox Technologies

Important DevOps Technologies (3+2+3days) for Deployment

containerization: more than the new virtualization

Singularity CRI User Documentation

Kubernetes The Path to Cloud Native

agenda PAE Docker Docker PAE

PVS Deployment in the Cloud. Last Updated: June 17, 2016

Best Practices for Developing & Deploying Java Applications with Docker

Think Small to Scale Big

DevOps in the Cloud A pipeline to heaven?! Robert Cowham BCS CMSG Vice Chair

Docker and Security. September 28, 2017 VASCAN Michael Irwin

/ Cloud Computing. Recitation 5 September 27 th, 2016

Downloading and installing Db2 Developer Community Edition on Ubuntu Linux Roger E. Sanders Yujing Ke Published on October 24, 2018

DEPLOYMENT MADE EASY!

Docker Deep Dive. Daniel Klopp

Set up, Configure, and Use Docker on Local Dev Machine

深 入解析 Docker 背后的 Linux 内核技术. 孙健波浙江 大学 SEL/VLIS 实验室

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

CIT 480: Securing Computer Systems. Operating System Concepts

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

TEN LAYERS OF CONTAINER SECURITY

Container Detection and Forensics, Gotta catch them all!

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Infrastructure Security 2.0

CONTAINERS AND MICROSERVICES WITH CONTRAIL

HPC Cloud Burst Using Docker

Docker and the Database Factory

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Docker and Oracle Everything You Wanted To Know

Operating system hardening

HOW-TO-GUIDE: demonstrating Fabric Attach using OpenVSwitch

Buenos Aires 31 de Octubre de 2018

USING DOCKER FOR MXCUBE DEVELOPMENT AT MAX IV

CS 470 Spring Virtualization and Cloud Computing. Mike Lam, Professor. Content taken from the following:

NGC CONTAINER. DU _v02 November User Guide

INDIGO PAAS TUTORIAL. ! Marica Antonacci RIA INFN-Bari

OPENSTACK CLOUD RUNNING IN A VIRTUAL MACHINE. In Preferences, add 3 Host-only Ethernet Adapters with the following IP Addresses:

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

~Deep dive into Windows Containers and Docker~

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

VNS3 3.5 Container System Add-Ons

COMP 3430 Robert Guderian

Securing Microservices Containerized Security in AWS

ISSN (Online)

Transcription:

Introduction to containers Nabil Abdennadher nabil.abdennadher@hesge.ch 1

Plan Introduction Details : chroot, control groups, namespaces My first container Deploying a distributed application using containers 2

The pain How to get software to run reliably when moved from one computing environment to another: From a developer's laptop to a test environment, From a physical machine to a virtual machine in a cloud. 3

Containers are the solution A container consists of an entire runtime environment: an application, all its dependencies, libraries, binaries, configuration files bundled into one package. Containers encapsulate components of application logic. These components are provisioned only with the minimal resources needed to do their job. Unlike virtual machines (VM), containers have no need for embedded operating systems (OS); calls are made for OS resources via an application programming interface (API). 4

Virtualization vs. containerization 5

A virtual machine includes an entire operating system + application. A physical server running three virtual machines would have: a hypervisor, Virtualization vs. containerization three separate operating systems running on top of it. By contrast a server running three containerized applications runs a single operating system Each container shares the operating system kernel with the other containers. That means the containers are much more lightweight and use far fewer resources than virtual machines. 6

Virtualization vs. containerization A container may be only tens of megabytes in size A virtual machine with its own entire operating system may be several gigabytes in size. A single server can host far more containers than virtual machines. Virtual machines may take several minutes to boot up their operating systems and begin running the applications they host Containerized applications can be started almost instantly. 7

What about security? Container is a method that isolates processes and resources But... Containers are not as secure as virtual machines if there's a vulnerability in the kernel, it could provide a way into the containers that are sharing it That's also true with a hypervisor, but since a hypervisor provides far less functionality than the whole OS, it presents a much smaller attack surface. 8

Will containers eventually replace virtualization? That's unlikely in the short term for security reasons. The management tools that orchestrate large numbers of containers are nowhere near as comprehensive as software like Vmware. Virtualization and containers may come to be seen as complementary technologies rather than competing ones. 9

Plan Introduction Details : namespaces, control groups, chroot My first container Deploying a distributed application using containers 10

11

chroot Exists since 1979 #include <unistd.h> int chroot(const char *path); It s UNIX system call for changing the root directory of a process and it's children to a new location in the filesystem which is only visible to a given process. A chroot is a way to isolate a process and its children from the rest of the system create a directory tree copy all the system files needed for a process to run. Use the chroot() system call to change the root directory to be at the base of this new tree. The idea of chroot is to provide an isolated disk space for each process. 12

Control groups (cgroups) Provides a mechanism for easily managing and monitoring system resources, by partitioning them into groups, then assigning applications to those groups Resources are: cpu time, system memory, disk network bandwidth Application knows nothing about these limits, this is happening outside of the application 13

Control groups (cgroups) Once the group is created, applications are added to the group. This can happen on the fly, without system reboots, limits can be adjusted on the fly. Applications can consume outside the resource limit. However, if there is resource contention, the resources applications will be limited to the cgroup policy. 14

Namespace A Linux installation: maintains a single process tree. shares a single set of network interfaces and routing table entries. With namespaces, you can have different and separate network interfaces and routing tables that operate independent of each other: network namespace With namespaces, it became possible to have multiple nested process trees. a process running within a namespace can only see processes in the same namespace: process namespace 15

Process namespace https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces 16

Process namespace Three system calls are used for namespaces: clone(): creates a new process and a new namespace; the process is attached to the new namespace. unshare(): does not create a new process; creates a new namespace and attaches the current process to it. setns(): join an existing namespace. 17

Process namespace (summary) The process namespace allows one to spin off a new tree, with its own PID 1 process. The process that does this, remains in the parent namespace (original tree), but makes the child the root of its own process tree. With process namespace isolation, processes in the child namespace have no way of knowing of the parent process s existence. Processes in the parent namespace have a complete view of processes in the child namespace 18

Network namespace 19

Network namespace Creating your namespace: ip netns add mynamespace Checking : ip netns list Creating virtual Ethernet interfaces: ip link add veth0 type veth peer name veth1 Checking : ip link list Connect the global namespace to mynamespace ip link set veth1 netns mynamespace Checking: ip netns exec mynamespace ip link list ip link list 20

Network namespace Configuring Interfaces in Network Namespaces: ip netns exec mynamespace ifconfig veth1 10.1.1.1/24 up Finding the list of pids in a specified network namespace ip netns pids mynamespace Finding the network namespace of a specified pid: ip netns identify #pid 21

Plan Introduction Details : namespaces, control groups, chroot My first container (Docker) Deploying a distributed application using containers 22

Docker Docker container is an open source software development platform. Its main benefit is to package applications in containers: Container as a Service (CaaS) 23

Why Docker? Portable deployment across machines Docker images can run unchanged on any platform supporting docker Automatic build: Create containers from build files Component re-use: Any container can be used as a base, specialized and saved Sharing: Support for public/private repositories of containers Tools: CLI / REST API for interacting with docker 24

Creating your first container with Docker sudo apt-get update sudo apt-get install docker.io # docker installation sudo addgroup ubuntu docker # add Ubuntu user to the docker group in order to avoid sudo reboot 25

Creating your first container with Docker: server.py #!/bin/python from flask import Flask app = Flask( name ) @app.route("/") def helloworld(): return "Hello world!\n" app.run(host="0.0.0.0",debug=false) 26

Creating your first container with Docker Create a folder (example: dockertest) In dockertest folder, create Dockefile file FROM ubuntu:latest RUN apt-get update && apt-get install -y python-pip RUN pip install flask COPY "server.py" "/tmp/server.py" EXPOSE 5000 CMD ["python","/tmp/server.py"] 27

Creating your first container with Docker docker build -t IMAGE_NAME. docker images docker run -p 10000:5000 -d IMAGE_NAME docker ps docker inspect ID docker stop ID docker rm ID 28

RUN, CMD, ENTRYPOINT When Docker runs a container, it runs an image inside it. This image is usually built by executing Docker instructions, which add layers on top of existing image or OS distribution. OS distribution is the initial image and every added layer creates a new image. Each RUN adds a new layer 29

RUN RUN instruction allows you to install your application and packages requited for it. RUN executes any commands on top of the current image and creates a new layer by committing the results. 30

RUN RUN apt-get update && apt-get install -y \ cvs \ git \ subversion 31

CMD CMD instruction allows you to set a default command, which will be executed only when you run container without specifying a command. If Docker container runs with a command, the default command will be ignored. If Dockerfile has more than one CMD instruction, all but last CMD instructions are ignored. 32

ENTRYPOINT Similar to CMD Used to transfer parameters (arguments) to the container 33

Plan Introduction Details : namespaces, control groups, chroot My first container (Docker) Deploying a distributed application using containers 34

Docker installation sudo apt-get update sudo apt-get install docker.io sudo ln -sf /usr/bin/docker.io /usr/local/bin/docker sudo groupadd docker sudo usermod -ag docker $USER sudo reboot 35

restclient s Dockerfile FROM ubuntu:latest RUN apt-get update && apt-get install -y python-pip RUN pip install pymongo RUN pip install requests COPY "restclient.py" "/tmp/restclient.py ENTRYPOINT ["python","/tmp/restclient.py ] 36

restserver s Dockerfile FROM ubuntu:latest RUN apt-get update && apt-get install -y python-pip RUN pip install flask RUN pip install pymongocopy "restserver.py" "/tmp/restserver.py EXPOSE 18000 ENTRYPOINT ["python","/tmp/restserver.py"] 37

cd client Deploying a distributed applications with docker: Creating images docker build -t restclient. cd../server docker build -t restserver. docker run --name mongodb -d mongodocker 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback