How Container Runtimes matter in Kubernetes?

Similar documents
Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

The speed of containers, the security of VMs

The speed of containers, the security of VMs. KataContainers.io

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Kubernetes 1.9 Features and Future

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

Bringing Security and Multitenancy. Lei (Harry) Zhang

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

Multitenancy Deep Dive

Full Scalable Media Cloud Solution with Kubernetes Orchestration. Zhenyu Wang, Xin(Owen)Zhang

OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Kubernetes 101. Doug Davis, STSM September, 2017

TEN LAYERS OF CONTAINER SECURITY

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

THE STATE OF CONTAINERS

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Container Orchestration on Amazon Web Services. Arun

RUNNING VIRTUAL MACHINES ON KUBERNETES. Roman Mohr & Fabian Deutsch, Red Hat, KVM Forum, 2017

How to build and run OCI containers

Datacenter Network Solutions Group

More Containers, More Problems

An Introduction to Kubernetes

Oracle Container Natve Applicaton Development Platorm. Edgars Ruņģis Cloud Soluton Architect

TEN LAYERS OF CONTAINER SECURITY

State of Containers. Convergence of Big Data, AI and HPC

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Infoblox Kubernetes1.0.0 IPAM Plugin

Cloud I - Introduction

Can we boost more HPC performance? Integrate IBM POWER servers with GPUs to OpenStack Environment

64-bit ARM Unikernels on ukvm

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Container Adoption for NFV Challenges & Opportunities. Sriram Natarajan, T-Labs Silicon Valley Innovation Center

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

Using DC/OS for Continuous Delivery

Code: Slides:

Multi-Arch Layered Image Build System

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Buenos Aires 31 de Octubre de 2018

ovirt and Docker Integration

Simple custom Linux distributions with LinuxKit. Justin Cormack

EE 660: Computer Architecture Cloud Architecture: Virtualization

Containers for NFV Peter Willis March 2017

The Post-Cloud. Where Google, DevOps, and Docker Converge

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Container Security and new container technologies. Dan

Leveraging the Serverless Architecture for Securing Linux Containers

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

Kuber-what?! Learn about Kubernetes

OCI Runtime Tools for Container Standardization

Secure Kubernetes Container Workloads

Securing Microservices Containerized Security in AWS

SAMPLE CHAPTER. Marko Lukša MANNING

Container Networking and Openstack. Fernando Sanchez Fawad Khaliq March, 2016

Kubernetes - Load Balancing For Virtual Machines (Pods)

Travis Cardwell Technical Meeting

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Onto Petaflops with Kubernetes

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Next Generation Tools for container technology. Dan

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Kubernetes The Path to Cloud Native

[Docker] Containerization

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Docker All The Things

MESOS A State-Of-The-Art Container Orchestrator Mesosphere, Inc. All Rights Reserved. 1

The meta-virtualization layer of OpenEmbedded

Singularity CRI User Documentation

Triangle Kubernetes Meet Up #3 (June 9, 2016) From Beginner to Expert

Oh.. You got this? Attack the modern web

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

Docker and Security. September 28, 2017 VASCAN Michael Irwin

Distributed Systems COMP 212. Lecture 18 Othon Michail

Installation and setup guide of 1.1 demonstrator

Virtual Infrastructure: VMs and Containers

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack.

Immutable Application Containers Reproducibility of CAE-computations through Immutable Application Containers

VM Migration, Containers (Lecture 12, cs262a)

CS 470 Spring Virtualization and Cloud Computing. Mike Lam, Professor. Content taken from the following:

Kubernetes: Twelve KeyFeatures

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Important DevOps Technologies (3+2+3days) for Deployment

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

RECap: RunEscape Capsule for On-demand Managed Service Delivery in the Cloud

Hacking and Hardening Kubernetes

Red Hat Enterprise Virtualization Hypervisor Roadmap. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Understanding and Evaluating Kubernetes. Haseeb Tariq Anubhavnidhi Archie Abhashkumar

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

Docker LibNetwork Plugins. Explorer s Tale

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

AMD EPYC Delivers Linear Scalability for Docker with Bare-Metal Performance

A day in the life of a log message Kyle Liberti, Josef

Transcription:

How Container Runtimes matter in Kubernetes? Kunal Kushwaha NTT OSS Center

About me Works @ NTT Open Source Software Center Contributes to containerd and other related projects. Docker community leader, Tokyo @kunalkushwaha :2

Agenda Kubernetes Architecture. What is CRI (Container Runtime Interface) What is OCI (Open Container Initiative) CRI & OCI Implementations Why runtimes affect Kubernetes. Runtime Benchmarking results Analyzing for various workloads Summary :3

:4 Kubernetes Architecture A typical Kubernetes cluster

:5 Kubernetes Cluster Overview User kubectl - kubectl is tool for user to interact with k8s cluster. - Master node interpret the command and if required interact with worker nodes.

:6 Master Node Overview Kubernetes Master Scheduler Control manager API Server etcd Important components of Kubernetes Master Node

:7 Master Node Control Flow Kubernetes Master Scheduler Control manager kubectl REST API Server etcd - API Server plays a central part for cluster communication - etcd store all definition of kubernetes resources - Scheduler and Control Manager push commands for workers via API Server

:8 Kubernetes Architecture User kubectl

:9 Kubernetes Worker Overview Kubernetes Worker Service Proxy Kubelet Container Runtime Pod Pod Important components of Kubernetes Worker Node

:10 Kubernetes Worker Control Flow Kubernetes Worker Service Proxy Kubelet Container Runtime Pod Pod - Kubelet is the primary Node agent. API Server talks to Kubelet. - Service Proxy enables user to access applications running on node. - Docker running on node is used for creating Pods.

:11 Kubernetes Worker Control Flow Kubernetes Worker Service Proxy Pod Docker Kubelet Pod - Kubelet is the primary Node agent. API Server talks to Kubelet. - Service Proxy enables user to access applications running on node. - Docker running on node is used for creating Pods.

:12 Kubernetes Worker Overview 2014 Kubernetes Worker Service Proxy Pod Kubelet Pod With alternative container runtimes, Kubelet code gets bloated to support each.

:13 Container Runtime Interface Introduced in Kubernetes 1.5 *. (2016) Interfaces for grpc service for Runtime & Image Management Container centric interfaces Pod containers as Sandbox containers Current status: v1alpha2 *https://github.com/kubernetes/kubernetes/blob/release-1.5/docs/proposals/container-runtime-interface-v1.md

:14 Kubelet with CRI Kubernetes Worker Kubelet CRI C R I S h I m Docker CRI solves supporting various runtime alternatives with no change in Kubelet

:15 Container Runtime Kubernetes Worker Kubelet CRI C R I S h I m Container Runtime

:16 What is Container Runtime Provides core primitives to manage containers on host Container execution & supervision Network Interfaces and management Image management Manage local storage e.g. LXC, Docker, rkt

:17 Open Container Initiative Container runtime & Image specification Runtime specs define input to create a container Multiple platform supported (Linux, Windows, Solaris & VM) runc is default implementation of OCI Runtime Specs Current Runtime Specs status : v1.0.1

:18 Gap between Kubelet & OCI runtime Kubelet Requirements for Runtime OCI Runtime Manage images (pull / push / rm..) Talks CRI / grpc Do not understand concept of image Input is OCI specs (json and rootfs) Prepare environment to successfully instantiate container. Prepare network for pod Consume the rootfs and container config file (json) Attach network as pre-start hook.

:19 Runtime in Kubernetes Kubernetes Worker Kubelet Container Runtime OCI Runtime Apart from OCI, another runtime component is required

:20 Runtime in Kubernetes Kubernetes Worker High-level Runtime Kubelet Container Runtime OCI Runtime CRI - High level runtime implement CRI grpc services - Take care of all prerequisite to successfully operate OCI runtimes

:21 Runtime in Kubernetes Kubernetes Worker High-level Runtime Low-level Runtime Kubelet Container Runtime OCI Runtime CRI OCI - OCI runtime works as low-level runtime - High-level runtime provides inputs to OCI runtime as per OCI Specs

CRI Implementations Dockershim CRI-O Containerd Frakti rktlet :22

:23 Dockershim Kubernetes Worker Kubelet Pod CRI Dockershim Containerd (Old) runc Pod - Embedded into Kubelet. - Dockershim talks to docker, which manage pods. - Default CRI implementation & enjoy majority in current kubernetes deployments

:24 CRI-O Kubernetes Worker Kubelet Pod CRI OCI runc Pod - CRI-O reduces the one extra hop from docker. - CRI-O uses CNI for providing networking to pods. - Monolithic design (understands CRI and outputs OCI compatible) - Works with all OCI runtimes.

containerd Kubernetes Worker Kubelet Pod CRI CRI Plugin OCI runc Pod - containerd, with revised scope eliminates the extra hop required by docker. - Redesigned storage drivers for simplicity and better performance. - Extensible design, CRI service runs as plugin. - Uses CNI for networking - Works with all OCI runtimes. :25

Frakti Kubernetes Worker Kubelet Frakti Pod Dockershim CRI OCI Hyped runv VM Pod - Frakti runtime was designed to support VM based runtime to kubernetes. - It supports mixed runtimes - Linux containers for privilege containers and runv containers for rest - Though uses dockershim to use linux containers, result into extra hops - Also supports Unikernels :26

:27 Frakti v2- Coming soon Kubernetes Worker Kubelet runc Pod CRI CRI Plugin Frakti Plugin Kata containers VM Pod - Frakti v2 will be implemented as runtime plugin for containerd. - Reduce extra hops and implementation effort too.

:28 OCI Runtimes runc - Default OCI specs implementation - Isolation based on Namespace, cgroups, secomp & MAC (AppArmor, SELinux) runv Clear Containers kata-runtime gvisor

:29 OCI Runtimes runc - Default OCI specs implementation - Isolation based on Namespace, cgroups, secomp & MAC (AppArmor, SELinux) runv - OCI compliant VM based runtime - Uses optimized qemu & KVM. - A light weight guest kernel is used. Clear Containers kata-runtime gvisor

:30 OCI Runtimes runc - Default OCI specs implementation - Isolation based on Namespace, cgroups, secomp & MAC (AppArmor, SELinux) runv - OCI compliant VM based runtime - Uses qemu & KVM. - A light weight guest kernel is used. Clear Containers - Hardware-virtualized containers using Intel s VT-x - Utilize DAX direct access feature of 4.0 kernel kata-runtime gvisor

:31 OCI Runtimes runc - Default OCI specs implementation - Isolation based on Namespace, cgroups, secomp & MAC (AppArmor, SELinux) runv - OCI compliant VM based runtime - Uses qemu & KVM. - A light weight guest kernel is used. Clear Containers - Hardware-virtualized containers using Intel s VT-x - Utilize DAX direct access feature of 4.0 kernel kata-runtime - Best of runv & cc-containers - 1.0 Release (22 nd May, 2018) - Under active development gvisor

:32 OCI Runtimes runc - Default OCI specs implementation - Isolation based on Namespace, cgroups, secomp & MAC (AppArmor, SELinux) runv - OCI compliant VM based runtime - Uses qemu & KVM. - A light weight guest kernel is used. Clear Containers - Hardware-virtualized containers using Intel s VT-x - Utilize DAX direct access feature of 4.0 kernel kata-runtime gvisor - Best of runv & cc-containers - 1.0 Release (22 nd May, 2018) - Under active development - Sandbox based containers - Intercepts application system call acts like kernel. - similar approach as User Mode Linux (UML) - Under active development

:33 Final candidates for Evaluation High-level Runtime Low-level Runtime Dockershim CRI-O containerd runc Kata containers runv clear containers

Why runtimes affect kubernetes :34

:35 Kubernetes Architecture Kubernetes Worker #1 Kubernetes Worker #n - Kubernetes offers variety of choices to tune the system

Kubernetes Architecture Kubernetes Worker #1 Kubernetes Worker #n - Kubernetes offers variety of choices to tune the system - Once rest of components finalized - for deployment and management runtime is only variable factor. - For application performance only low level runtime matters. :36

:37 Performance benchmarking Application deployment performance Container operations ( Create, start, stop, remove) Application Performance Containerization / Virtualization overhead.

:38 Performance benchmarking process Prerequisite : Pull Sandbox Image Pull Container Image (ubuntu:latest) Benchmark Environment Architecture: x86_64 CPU(s): 8 Core(s) per socket: 4 Model name: i7-3630qm CPU @ 2.40GHz Virtualization: VT-x Kernel : linux 4.15 OS : Ubuntu 4 Threads x 50 Create Start Stop Delete - Create & Run PodSandbox - Start Application Container - Stop Application Container - Delete Application Container - Create Application Container - Stop PodSandbox Rootfs prepared from Image - Delete PodSandbox Writable area for container CNI plugin invocation for Network

:39 runc Performance Software versions Containerd : v1.1.0 cri-o : v1.10.1 Docker : 18.05.0.ce Runc : v1.0 git #69663f0bd4b Create Start 0.03 containerd cri-o dockershim 0.26 0.73 0.64 0.17 0.75 Performance difference due to high level runtime Low-level runtime (runc) is constant in all Stop 0.19 0.24 0.58 cri-o and docker share same graph driver design, could be reason for high create time. Delete 0.27 0.53 0.19 0 0.2 0.4 0.6 0.8 Seconds containerd perform better in almost all case.

:40 Latency with runc Less is better Time to start containerd cri-o dockershim 0.43 0.76 Time before application start running in runc container cri-o & containerd both perform better than docker 0.46 1.39 In performance, containerd performs better than cri-o Time to stop 0.77 0.77 Time before resources are released after application stops 0 0.35 0.7 1.05 1.4 Seconds

Kata-runtime Performance Software versions Containerd : v1.1.0 cri-o : v1.10.1 Docker : 18.05.0.ce kata-runtime: v1.0 containerd cri-o dockershim Create Start 1.37 1.65 1.53 0.09 0.03 0.14 Difference is mainly due to high level runtime performance. Stop 10.25 10.32 10.34 * Delete 0.4 0.62 0.48 0 3 6 9 12 Seconds * - Bug in Stop logic, while invoked through CRI - Takes < 2 seconds, if done directly through docker or containerd :41

:42 Latency with Kata Less is better containerd cri-o dockershim Frakti Time to start 1.46 1.68 1.67 Latency with kata-container is comparable with all high-level runtimes. 10.65 High-level Runtime don t make much difference if low-level runtime consume most Time to stop 10.94 10.82 0 2.75 5.5 8.25 11 Seconds

:43 kata vs runv vs clear-containers kata + containerd cc-containers + containerd runv + frakti Software versions Containerd : v1.1.0 Docker : 18.05.0.ce Frakti : v1.10.0 runv : v1.0.0 Create Start 1.37 0.6 0.09 0.35 0.69 2.67 Stop function of cc-containers & runv looks normal. Hence fix required for kata containers. Stop Delete 1.49 0.54 0.4 0.81 0.32 10.25 Kata containers performance is in-between runv and cc-runtime. 0 3 6 9 12 Seconds

:44 Latency with VM based runtimes Less is better kata + containerd cc-container + containerd runv + frakti Time to start 1.29 2.27 3.02 runv performs for container operations is best in VM containers. Time to stop 0.86 2.3 10.65 Kata is still in active development 0 2.75 5.5 8.25 11 Seconds

:45 Performance Overhead Low-level runtimes More is better 211 I/O Throughput Average System Load 3.91 3.17 3.17 Less is better Mb/s 101 65.6 102 CPU Load 1.62 Runtime performance overhead affect application running inside container. runc perform best in both IO throughput and average CPU load. kata-containers perform best among VM containers.

Workloads :46

Serverless Host functions instead of applications? Functions as service e.g. AWS Lambda Ideal Platform Low latency High parallelism i.e. high density. Low on resources (CPU, Memory) :47

:48 Serverless platform containerd + runc cri-o + runc Frakti + runv Any + kata-containers Latency Best Better Good Average Cold start Best Better Better Average Warm start Better Best Average Good Density Best Good Average Average Security Good (namespace + seccomp + SELinux) Good (namespace + seccomp + SELinux) Best (VM based) Best (VM Based) Stability Stable Stable/Best with Openshift Stable Under Active development Support Cycle (defined support cycle for each release) (Not defined) (managed by hyper.sh) (not defined) (Not defined)

:49 Peak hour demand / Micro Services Mostly applications are of type Micro services. Ideally immutable Quick scale up and scale down. Ideal Platform Low latency for start application and free resources. Better utilize the host system.

Mean Time To Recover (MTTR) - DevOps Short Lived containers Frequent updates Fast recovery is important. Low on resources :50

:51 Micro-services / MTTR containerd + runc cri-o + runc Frakti + runv Any + kata-containers Latency Best Better Good Average Density Best Better Average Good Security Good (namespace + seccomp + SELinux) Good (namespace + seccomp + SELinux) Best (VM based) Best (VM Based) Stability Stable Stable/Best with Openshift Stable Under Active development Support Cycle (defined support cycle for each release) (Not defined) (managed by hyper.sh) (not defined)

:52 Long running containers Migrated application. Stateful containers. Hard to scale containers. Requirements Stability Security Performance Migration

:53 Long running containers containerd + runc cri-o + runc Frakti + runv Any + kata-containers Stability Best Stable/Best with Openshift Good Under Active development Support Cycle (defined support cycle for each release) (Not defined) (managed by hyper.sh) (not defined) (not defined) Security Good (namespace + seccomp + SELinux) Good (namespace + seccomp + SELinux) Best (VM based) Best (VM Based) Performance Overhead Best Best Average Better Migration Required Required Required Required Governance CNCF + OCI Kubernetes Incubator + OCI Kubernetes + hypersh OpenStack Foundation

Summary CRI and OCI enable more choices for container runtimes. For Cloud Native workloads, Linux containers based runtimes suite better. High level runtime performance do not matter much for long running containers, So low level runtime performance & capabilities become focus. VM based runtimes are promising, but still need some time to reach flexibility and usability as Linux containers runtime. Migration of monolithic applications / high security applications to modern platform like kubernetes will get boost with VM based runtimes. :54

Few more OCI runtimes Runtime getting ready for OCI complaint rkt - container runtime from CoreOS https://github.com/rkt/rkt https://github.com/rkt/rkt/issues/3368 gvisor - Sandbox based containerization https://github.com/google/gvisor railcar linux containers in implementation in rust https://github.com/oracle/railcar slow development crun linux containers in implementation in C https://github.com/giuseppe/crun Fully featured but lack clarity on maintenance and support. :55

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback