How to build and run OCI containers

Similar documents
OpenStack Magnum Pike and the CERN cloud. Spyros

Container Security and new container technologies. Dan

Singularity CRI User Documentation

Next Generation Tools for container technology. Dan

Replacing Docker With Podman. By Dan

How Container Runtimes matter in Kubernetes?

Bringing Security and Multitenancy. Lei (Harry) Zhang

What s Up Docker. Presented by Robert Sordillo Avada Software

State of Containers. Convergence of Big Data, AI and HPC

Code: Slides:

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack.

Infoblox Kubernetes1.0.0 IPAM Plugin

Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Container Orchestration on Amazon Web Services. Arun

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

UP! TO DOCKER PAAS. Ming

CONTAINERS AND MICROSERVICES WITH CONTRAIL

OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

Docker All The Things

Cloud I - Introduction

The speed of containers, the security of VMs

Infrastructure Security 2.0

Important DevOps Technologies (3+2+3days) for Deployment

Dockerized Tizen Platform

Containers 101. with Podman on Fedora 29. Alessandro Arrichiello. Solution Architect, Red Hat

THE ROUTE TO ROOTLESS

Rootless Containers with runc. Aleksa Sarai Software Engineer

Run containerized applications from pre-existing images stored in a centralized registry

A REFERENCE ARCHITECTURE FOR DEPLOYING WSO2 MIDDLEWARE ON KUBERNETES

An introduction to Docker

Think Small to Scale Big

CNI, CRI, and OCI - Oh My!

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Flatpak a technical walk-through. Alexander Larsson, Red Hat

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

Container mechanics in Linux and rkt FOSDEM 2016

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Investigating Containers for Future Services and User Application Support

TEN LAYERS OF CONTAINER SECURITY

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

The State of Rootless Containers

An Introduction to Kubernetes

Multi-Arch Layered Image Build System

THE STATE OF CONTAINERS

MesosCon Qian Zhang (IBM China), Jie Yu (Mesosphere) OCI Support in Mesos Mesosphere, Inc. All Rights Reserved. 1

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Kubernetes The Path to Cloud Native

agenda PAE Docker Docker PAE

Container Pods with Docker Compose in Apache Mesos

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

Kubernetes - Load Balancing For Virtual Machines (Pods)

Continuous Delivery of Micro Applications with Jenkins, Docker & Kubernetes at Apollo

The speed of containers, the security of VMs. KataContainers.io

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Red Hat Enterprise Linux Atomic Host 7 Container Security Guide

Question: 2 Kubernetes changed the name of cluster members to "Nodes." What were they called before that? Choose the correct answer:

Kubernetes 101. Doug Davis, STSM September, 2017

Introduction to Containers

CIS Docker Community Edition Benchmark

Triangle Kubernetes Meet Up #3 (June 9, 2016) From Beginner to Expert

SAINT LOUIS JAVA USER GROUP MAY 2014

Infoblox IPAM Driver for Kubernetes User's Guide

Infoblox IPAM Driver for Kubernetes. Page 1

Containers. Pablo F. Ordóñez. October 18, 2018

STATUS OF PLANS TO USE CONTAINERS IN THE WORLDWIDE LHC COMPUTING GRID

OPENSHIFT FOR OPERATIONS. Jamie Cloud Guy - US Public Sector at Red Hat

VMware Fusion Tech Preview 2017: API/CLI Getting Started Guide

Container-based virtualization: Docker

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Creating a Reproducible Build System for Docker Images

Kubernetes introduction. Container orchestration

Travis Cardwell Technical Meeting

Evolution of Kubernetes in One Year From Technical View

Blockchain on vsphere By VMware

Introduction to containers

DevOps Technologies. for Deployment

KUBERNETES ON NVIDIA GPUS

Kubernetes - Networking. Konstantinos Tsakalozos

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.1

Orchestrating Docker containers at scale

Docker und IBM Digital Experience in Docker Container

Project Kuryr. Here comes advanced services for containers networking. Antoni Segura

SAMPLE CHAPTER. Marko Lukša MANNING

OpenStack Magnum Hands-on. By Saulius Alisauskas and Bryan Havenstein

Simple custom Linux distributions with LinuxKit. Justin Cormack

Dockerize Your IT! Centrale Nantes Information Technology Department Yoann Juet Dec, 2018

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

ovirt and Docker Integration

Blockchain on Kubernetes

Containerisation with Docker & Kubernetes

AGILE DEVELOPMENT AND PAAS USING THE MESOSPHERE DCOS

Package your Java Application using Docker and Kubernetes. Arun

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Contain your Desktop Applications with Flatpak

Blockchain on Kubernetes

Allowing Users to Run Services at the OLCF with Kubernetes

Continuous delivery while migrating to Kubernetes

Transcription:

How to build and run OCI containers A shallow dive on the OCI container configuration and an overview of the available tools

whoami Spyros Trigazis Computing Engineer at CERN s cloud team Project Team Lead of OpenStack/Magnum

OCI containers A linux container is just process controlled by linux kernel cgroups and namespaces. OCI containers: defined by the OCI specification Runtime-spec: defines the config.json file from which a runtime know to run a container Image-spec: defines an OCI Image, consisting of a manifest, an image index (optional), a set of filesystem layers, and a configuration Filesystem-bundle: consists of the config.json file and the container root filesystem

Why we need them? Containers need a supervisor, eg Docker daemon, kubelet, systemd etc Systemd -> dockerd -> container, doesn t play very well Kubernetes implemented its own cri specification cri-contianerd: cri implementation based on containerd cri-o: cri implementation based on on runc What if you need a service running that docker depends on it?

CERN container service Fosdem Brussels 2018 - Spyros Trigazis @strigazi

CERN Container Use Cases Batch Processing End user analysis / Jupyter Notebooks Machine Learning / TensorFlow / Keras Infrastructure Management Data Movement, Web servers, PaaS Continuous Integration / Deployment Run OpenStack :-) And many others

CERN Magnum Deployment Clusters are described by cluster templates Shared/public templates for most common setups, customizable by users $ openstack coe cluster create --name myswarmcluster --cluster-template swarm --node-count 100 ~ 5 mins later $ openstack coe cluster list +------+----------------+------------+--------------+----------------------------+ uuid name node_count master_count keypair status +------+----------------+------------+--------------+----------------------------+... myswarmcluster 100 1 mysshkey CREATE_COMPLETE +------+----------------+------------+--------------+----------------------------+ $ $(openstack coe cluster config myswarmcluster --dir magnum/myswarmcluster) $ docker info / ps /... $ docker service create --mount 'type=volume,volume-driver=cvmfs,source=cms.cern.ch@trunk-previous,destination=/cvmfs/cms.cer n.ch' busybox sleep 10000

Cluster node layout (swarm or kubernetes) Docker daemon Swarm agent CERN plugins OpenStack agent kubelet kube-proxy cri runtime OpenStack agent etcd CERN plugins flanneld

Building OCI containers

Building a system container Create: a dockerfile a systemd template a list of tmpfiles (if needed) a manifest.json for default values(if needed) the config.json https://github.com/projectatomic/atomic-system-containers/blob/master/files.md Fosdem Brussels 2018 - Spyros Trigazis @strigazi 10

Building a system container $ git clone https://github.com/projectatomic/atomic-system-containers.git $ sudo docker build -t strigazi/hello-system-container:latest.... $ sudo docker push strigazi/hello-system-container:latest $ sudo atomic install --system --name hello-world \ > strigazi/hello-system-container:latest... Copying config sha256:24908c0e3d9d78d43843834c549b918df24af3ee9bc91c5e8866e4af90f4ca4f 3.29 KB / 3.29 KB [========================================================] 0s Writing manifest to image destination Storing signatures Extracting to /var/lib/containers/atomic/hello-world.0 systemctl daemon-reload systemctl enable hello-world $ sudo systemctl start hello-world Fosdem Brussels 2018 - Spyros Trigazis @strigazi 11

Populating config.json Namespaces "namespaces": [ { "type": "mount" }, { "type": "ipc" }, { "type": "uts" } ], mount, cgroup, ipc, network, pid, user, uts http://man7.org/linux/man-pages/man7/namespaces.7.html

Populating config.json capabilities "capabilities": { "bounding": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", ] http://man7.org/linux/man-pages/man7/capabilities.7.html # #get the docker container pid # grep ^Cap /proc/4037/status # grep ^Cap /proc/4037/status awk '{print $2}' xargs -I val capsh --decode=val

Populating config.json mounts "mounts": [ { "type": "bind", "source": "/srv/magnum", "destination": "/srv/magnum", "options": [ "rbind", "rw", "rprivate" ] },...

Links https://github.com/opencontainers/runtime-spec https://github.com/opencontainers/image-spec https://github.com/projectatomic/atomic-system-containers http://openstack-in-production.blogspot.be/ https://docs.openstack.org/magnum/latest/ Ping me: @strigazi strigazi on Freenode #openstack-containers #atomic #centos-devel #fedora-devel Fosdem Brussels 2018 - Spyros Trigazis @strigazi 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback