distinguished engineer - red hat dan walsh @rhatdan · cri-o fully supported in openshift 3.9 along...
TRANSCRIPT
![Page 1: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/1.jpg)
Container Security and new container technologiesDan Walsh @rhatdan
Distinguished Engineer - Red Hat
![Page 2: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/2.jpg)
Please Stand
![Page 3: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/3.jpg)
Please read out loud all
text in RED
![Page 4: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/4.jpg)
I Promise
![Page 5: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/5.jpg)
To say Make a copyRather than
Make a Xerox
![Page 6: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/6.jpg)
I Promise
![Page 7: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/7.jpg)
To say Tissue
Rather than Kleenex
![Page 8: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/8.jpg)
I Promise
![Page 9: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/9.jpg)
To say Container Registries
Rather than Docker registries
![Page 10: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/10.jpg)
I Promise
![Page 11: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/11.jpg)
To say Container Images
Rather than Docker images
![Page 12: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/12.jpg)
I Promise
![Page 13: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/13.jpg)
To say ContainersRather than
Docker Containers
![Page 14: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/14.jpg)
Sit Down
![Page 15: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/15.jpg)
What do you need to run a container● Standard Definition of what makes up a container image.
○ OCI Image Bundle Definition
![Page 16: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/16.jpg)
Introducing Skopeo
https://github.com/containers/skopeo #nobigfatdaemons
![Page 17: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/17.jpg)
Skopeo● $ skopeo inspect docker://docker.io/fedora
● $ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
$ skopeo copy docker://busybox:latest dir:existingemptydirectory
$ skopeo copy docker://busybox:latest oci:busybox_ocilayout:latest
● $ skopeo delete docker://localhost:5000/imagename:latest
#nobigfatdaemons
![Page 18: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/18.jpg)
What do you need to run a container`● Standard Definition of what makes up a container image.
○ OCI Image Bundle Definition
● Mechanism to pull images from a container registry to the host○ github.com/containers/image
![Page 19: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/19.jpg)
What do you need to run a container● Standard Definition of what makes up a container image.
○ OCI Image Bundle Definition
● Mechanism to pull images from a container registry to the host○ github.com/containers/image
● Ability to explode images onto COW file systems on disk○ github.com/containers/storage
![Page 20: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/20.jpg)
What do you need to run a container● Standard Definition of what makes up a container image.
○ OCI Image Bundle Definition
● Mechanism to pull images from a container registry to the host○ github.com/containers/image
● Ability to explode images onto COW file systems on disk○ github.com/containers/storage
● Standard mechanism for running a container○ OCI Runtime Spec (1.0) ○ runc default implementation of OCI Runtime Spec (Same tool Docker uses to run containers)
![Page 21: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/21.jpg)
#nobigfatdaemons
![Page 22: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/22.jpg)
#nobigfatdaemons
![Page 23: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/23.jpg)
What does OpenShift/Kubernetes need run a container?
CRI - Container Runtime Interface
#nobigfatdaemons
![Page 24: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/24.jpg)
CRI - Container Runtime Interface
Kubernetes tells CRI to run Container Image:
#nobigfatdaemons
What does OpenShift/Kubernetes need run a container?
![Page 25: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/25.jpg)
CRI - Container Runtime Interface
Kubernetes tells CRI to run Container Image:
● CRI needs to pull image from Container Registry
#nobigfatdaemons
What does OpenShift/Kubernetes need run a container?
![Page 26: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/26.jpg)
CRI - Container Runtime Interface
Kubernetes tells CRI to run Container Image:
● CRI needs to pull image from Container Registry● CRI Needs to store image on COW File system
#nobigfatdaemons
What does OpenShift/Kubernetes need run a container?
![Page 27: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/27.jpg)
CRI - Container Runtime Interface
Kubernetes tells CRI to run Container Image:
● CRI needs to pull image from Container Registry● CRI Needs to store image on COW File system● CRI Needs to execute OCI Runtime
#nobigfatdaemons
What does OpenShift/Kubernetes need run a container?
![Page 28: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/28.jpg)
Introducing CRI-O
#nobigfatdaemons
![Page 29: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/29.jpg)
Introducing CRI-O
CRI-O - OCI-based implementation of Kubernetes Container Runtime Interface
● Scope tied to kubernetes CRI● Only supported user is kubernetes● Uses standard components as building blocks
“Nothing more, Nothing Less”
#nobigfatdaemons
![Page 30: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/30.jpg)
#nobigfatdaemons
![Page 31: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/31.jpg)
#nobigfatdaemons
![Page 32: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/32.jpg)
#nobigfatdaemons
![Page 33: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/33.jpg)
SWARM
#nobigfatdaemons
![Page 34: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/34.jpg)
SWARM
#nobigfatdaemons
![Page 35: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/35.jpg)
MOBY
#nobigfatdaemons
![Page 36: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/36.jpg)
MOBY
#nobigfatdaemons
![Page 37: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/37.jpg)
MOBY
#nobigfatdaemons
![Page 38: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/38.jpg)
#nobigfatdaemons
![Page 39: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/39.jpg)
Overview of additional components● oci-runtime-tools library is used to generate OCI configs for containers
#nobigfatdaemons
![Page 40: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/40.jpg)
Overview of additional components● oci-runtime-tools library is used to generate OCI configs for containers● CNI is used for setting up networking
○ Tested with Flannel, Weave and openshift-sdn
#nobigfatdaemons
![Page 41: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/41.jpg)
Overview of additional components● oci-runtime-tools library is used to generate OCI configs for containers● CNI is used for setting up networking
○ Tested with Flannel, Weave and openshift-sdn
● conmon is a utility for:○ Monitoring○ Logging○ Handling tty○ Serving attach clients○ Detecting and reporting OOM
#nobigfatdaemons
![Page 42: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/42.jpg)
Pod architecture (runc)
Infra Container
Pod (ipc, net, pid namespaces, cgroups)
Container A(runc)
Container B(runc)
conmon conmon conmon
#nobigfatdaemons
![Page 43: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/43.jpg)
Pod architecture (Kata Containers)
Virtual Machine(ipc, net, pid namespaces, cgroups)
Container A(kata-runtime)
Container B(kata-runtime)
conmon conmon
#nobigfatdaemons
kata-shim kata-shim
Pod (net namespace, cgroups)
![Page 44: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/44.jpg)
Architecture
#nobigfatdaemons
![Page 45: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/45.jpg)
Status● All e2e, cri-tools, integration, 9 test suites, (>500) tests passing.
○ No PRs merged without passing all the tests
#nobigfatdaemons
![Page 46: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/46.jpg)
Status● All e2e, cri-tools, integration, 9 test suites, (>500) tests passing.
○ No PRs merged without passing all the tests.● 1.0.7 (kube 1.7.x) supported. (December 2017)
#nobigfatdaemons
![Page 47: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/47.jpg)
Status● All e2e, cri-tools, integration, 9 test suites, (>500) tests passing.
○ No PRs merged without passing all the tests.● 1.0.7 (kube 1.7.x) supported. (December 2017)● 1.9.12 (kube 1.9.x) released.
○ CRI-O fully supported in OpenShift 3.9 along with docker.
#nobigfatdaemons
![Page 48: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/48.jpg)
Status● All e2e, cri-tools, integration, 9 test suites, (>500) tests passing.
○ No PRs merged without passing all the tests.● 1.0.7 (kube 1.7.x) supported. (December 2017)● 1.9.12 (kube 1.9.x) released.
○ CRI-O fully supported in OpenShift 3.9 along with docker.
● 1.10.6 (kube 1.10.x) released.
#nobigfatdaemons
![Page 49: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/49.jpg)
Status● All e2e, cri-tools, integration, 9 test suites, (>500) tests passing.
○ No PRs merged without passing all the tests.● 1.0.7 (kube 1.7.x) supported. (December 2017)● 1.9.12 (kube 1.9.x) released.
○ CRI-O fully supported in OpenShift 3.9 along with docker.
● 1.10.6 (kube 1.10.x) released. ● 1.11.2 (Kube 1.11.x) released
#nobigfatdaemons
![Page 50: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/50.jpg)
Status● All e2e, cri-tools, integration, 9 test suites, (>500) tests passing.
○ No PRs merged without passing all the tests.● 1.0.7 (kube 1.7.x) supported. (December 2017)● 1.9.12 (kube 1.9.x) released.
○ CRI-O fully supported in OpenShift 3.9 along with docker.
● 1.10.6 (kube 1.10.x) released. ● 1.11.2 (Kube 1.11.x) released● 1.12.1 (Kube 1.12.x) released● Goal for Openshift 4.0 is to fully support CRI-O by default.
#nobigfatdaemons
![Page 51: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/51.jpg)
Status
CRI-O is now powering nodes on OpenShift Online.
#nobigfatdaemons
![Page 52: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/52.jpg)
" CRI-O just works for them,
so they haven’t had much to say"
#nobigfatdaemons
![Page 53: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/53.jpg)
Making running containers in production
boring#nobigfatdaemons
![Page 54: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/54.jpg)
#nobigfatdaemons
Security in CRI-O- No Hard-Coded Capabilities list
- Since CRI-O does not do builds, containers by default have less capabilities
![Page 55: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/55.jpg)
#nobigfatdaemons
Security in CRI-O- No Hard-Coded Capabilities list
- Since CRI-O does not do builds, containers by default have less capabilities
- Read Only Containers - In production containers should not be allowed to modify images
![Page 56: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/56.jpg)
#nobigfatdaemons
Security in CRI-O- No Hard-Coded Capabilities list
- Since CRI-O does not do builds, containers by default have less capabilities
- Read Only Containers - In production containers should not be allowed to modify images
- Kata Containers support
![Page 57: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/57.jpg)
#nobigfatdaemons
Security in CRI-O- No Hard-Coded Capabilities list
- Since CRI-O does not do builds, containers by default have less capabilities
- Read Only Containers - In production containers should not be allowed to modify images
- Kata Containers support- Better User Namespace support
![Page 58: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/58.jpg)
What else does OpenShift need?● Ability to build container images● Ability to push container images to container registries
#nobigfatdaemons
![Page 59: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/59.jpg)
#nobigfatdaemons
![Page 60: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/60.jpg)
Introducing Buildah
https://github.com/containers/buildah
#nobigfatdaemons
![Page 61: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/61.jpg)
#nobigfatdaemonshttps://github.com/containers/buildah
![Page 62: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/62.jpg)
#nobigfatdaemons
![Page 63: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/63.jpg)
Coreutils for building containers. Simple interface
#nobigfatdaemons
![Page 64: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/64.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora)
#nobigfatdaemons
![Page 65: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/65.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)
#nobigfatdaemons
![Page 66: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/66.jpg)
#nobigfatdaemons
![Page 67: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/67.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)# cp -R src $mnt
#nobigfatdaemons
![Page 68: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/68.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)# cp -R src $mnt# dnf install --installroot=$mnt httpd
#nobigfatdaemons
![Page 69: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/69.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)# cp -R src $mnt# dnf install --installroot=$mnt httpd# make install DESTDIR=$mnt
#nobigfatdaemons
![Page 70: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/70.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)# cp -R src $mnt# dnf install --installroot=$mnt httpd# make install DESTDIR=$mnt# buildah config --entrypoint=/usr/sbin/test.sh --env foo=bar $ctr
#nobigfatdaemons
![Page 71: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/71.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)# cp -R src $mnt# dnf install --installroot=$mnt httpd# make install DESTDIR=$mnt# buildah config --entrypoint=/usr/sbin/test.sh --env foo=bar $ctr# buildah commit $ctr myhttpd
#nobigfatdaemons
![Page 72: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/72.jpg)
Coreutils for building containers. Simple interface# ctr=$(buildah from fedora) # mnt=$(buildah mount $ctr)# cp -R src $mnt# dnf install --installroot=$mnt httpd# make install DESTDIR=$mnt# buildah config --entrypoint=/usr/sbin/test.sh --env foo=bar $ctr# buildah commit $ctr myhttpd# buildah push myhttpd docker://rhatdan/myhttpd
#nobigfatdaemons
![Page 73: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/73.jpg)
Dan Wait!
#nobigfatdaemons
![Page 74: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/74.jpg)
Dan Wait! What about Dockerfile?????
#nobigfatdaemons
![Page 75: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/75.jpg)
Buildah also supports Dockerfilebuildah build-using-dockerfile -f Dockerfile .
#nobigfatdaemons
![Page 76: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/76.jpg)
Buildah also supports Dockerfilebuildah build-using-dockerfile -f Dockerfile .Or for those lazy ones:buildah bud -f Dockerfile .
#nobigfatdaemons
![Page 77: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/77.jpg)
Does Buildah have a scripting language? Perhaps Buildahfile?
#nobigfatdaemons
![Page 78: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/78.jpg)
BASH
#nobigfatdaemons
![Page 79: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/79.jpg)
BASHWe want others to build higher level tools on Buildah.
#nobigfatdaemons
![Page 80: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/80.jpg)
BASHWe want others to build higher level tools on Buildah.Working to make OpenShift use Buildah for S2I containers rather then use Docker.
#nobigfatdaemons
![Page 81: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/81.jpg)
BASHWe want others to build higher level tools on Buildah.Working to make OpenShift use Buildah for S2I containers rather then use Docker.Want to work with Ansible-containers to use buildah for containers as well.
#nobigfatdaemons
![Page 82: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/82.jpg)
Security- No Big Fat Container Daemon
- Run your container builds inside of locked down containers under Kubernetes- No need to leak in the docker.sock
#nobigfatdaemons
![Page 83: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/83.jpg)
Security- No Big Fat Container Daemon
- Run your container builds inside of locked down containers under Kubernetes- No need to leak in the docker.sock
- Working on running as non root from desktop
#nobigfatdaemons
![Page 84: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/84.jpg)
Security- No Big Fat Container Daemon
- Run your container builds inside of locked down containers under Kubernetes- No need to leak in the docker.sock
- Working on running as non root from desktop- Building Minimal Images
- Only include content in the image required to run the image- Does not require you to use Dockerfile and therefore include Yum/Python in image
#nobigfatdaemons
![Page 85: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/85.jpg)
What else does OpenShift need?● Ability to diagnose problems on the host● If you don’t use Docker to run the containers, how does an admin discover what is going on in his Container
runtime, without the docker CLI?
#nobigfatdaemons
![Page 86: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/86.jpg)
Introducing podman part of the libpod effort
#nobigfatdaemons
![Page 87: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/87.jpg)
Replacing Docker With Podman
By Dan Walsh @rhatdan
![Page 88: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/88.jpg)
dnf install -y podman
![Page 89: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/89.jpg)
dnf install -y podman
alias docker=podman
![Page 90: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/90.jpg)
QuestionsBlog: https://medium.com/cri-oGithub:
● https://github.com/kubernetes-sigs/cri-o● https://github.com/containers/buildah● https://github.com/containers/skopeo● https://github.com/containers/libpod (podman)● https://github.com/containers/storage● https://github.com/containers/image
Site: https://cri-o.io IRC: freenode: #cri-oSite: https://podman.io IRC: freenode: #podmanSite: https://buildah.io IRC: freenode: #buildah
![Page 91: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/91.jpg)
![Page 92: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/92.jpg)
Introducing podmanpodman is tool for managing POD/Containers based on the Docker CLI
https://github.com/projectatomic/libpod
#nobigfatdaemons
![Page 93: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/93.jpg)
Introducing podmanpodman is tool for managing POD/Containers based on the Docker CLI
# podman ps -a
#nobigfatdaemons
https://github.com/projectatomic/libpod
![Page 94: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/94.jpg)
Introducing podmanpodman is tool for managing POD/Containers based on the Docker CLI
# podman ps -a
# podman run -ti fedora sleep 2000
#nobigfatdaemons
https://github.com/projectatomic/libpod
![Page 95: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/95.jpg)
Introducing podmanpodman is tool for managing POD/Containers based on the Docker CLI
# podman ps -a
# podman run -ti fedora sleep 2000
# podman exec -ti fedora sh
#nobigfatdaemons
https://github.com/projectatomic/libpod
![Page 96: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/96.jpg)
Introducing podmanpodman is tool for managing POD/Containers based on the Docker CLI
# podman ps -a
# podman run -ti fedora sleep 2000
# podman exec -ti fedora sh
# podman images
...
#nobigfatdaemons
https://github.com/projectatomic/libpod
![Page 97: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/97.jpg)
DEMO
#nobigfatdaemons
![Page 98: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/98.jpg)
- No Big Fat Container Daemon- No need to leak in the docker.sock- Run Manage/Containers without being root.- No need for access to the /var/run/docker.sock
#nobigfatdaemons
Security
![Page 99: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/99.jpg)
- No Big Fat Container Daemon- No need to leak in the docker.sock- Run Manage/Containers without being root.- No need for access to the /var/run/docker.sock
- Containers run as child of the process that ran it- Better Auditing- Support for socket activation
#nobigfatdaemons
Security
![Page 100: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/100.jpg)
Proper Integration with Systemd● Can run systemd as PID 1 in container, with no modifications
![Page 101: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/101.jpg)
Proper Integration with Systemd● Can run systemd as PID 1 in container, with no modifications● Support sd_notify
![Page 102: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/102.jpg)
Proper Integration with Systemd● Can run systemd as PID 1 in container, with no modifications● Support sd_notify● Socket Activation
![Page 103: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/103.jpg)
Remote API for Podman● Added Varlink support● Socket activation of podman system service with varlink
[Unit]Description=Podman Remote API ServiceRequires=io.podman.socketAfter=io.podman.socketDocumentation=man:podman-varlink(1)
[Service]Type=simpleExecStart=/usr/bin/podman varlink unix:/run/podman/io.podman
[Install]WantedBy=multi-user.targetAlso=io.podman.socket
![Page 104: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/104.jpg)
Python Bindingspython3 -c "import podman; import json; c=podman.Client();print(json.dumps(c.system.info(), indent=4))"[ { "mem_free": 5796605952, "mem_total": 16679206912, "swap_free": 0, "swap_total": 0, "arch": "amd64", "cpus": 4, "hostname": "localhost.localdomain", "kernel": "4.18.9-200.fc28.x86_64", "os": "linux", "uptime": "11h 2m 32.25s (Approximately 0.46 days)" },...
![Page 105: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/105.jpg)
Remote API Supportpypodman - Python program used for running remote podman commands.
https://asciinema.org/a/203590
![Page 106: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/106.jpg)
Cockpit supporthttps://github.com/cockpit-project/cockpit-podman
![Page 107: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/107.jpg)
What we don’t do● Autostart, autorestart
○ Systemd should be handling this
● Swarm○ We support Kubernetes container orchestrator
● Notary○ We do support simple signing, but would look at PRs for Notary support
● HealthChecks○ We are looking into this, perhaps systemd support? Side car container in pod?
● Docker API - We have no plans to support this, but we do have Varlink● Docker volumes
○ It is on the roadmap
![Page 108: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/108.jpg)
https://github.com/mairin/coloringbook-container-commandos/blob/master/Web.pdf
![Page 109: Distinguished Engineer - Red Hat Dan Walsh @rhatdan · CRI-O fully supported in OpenShift 3.9 along with docker. 1.10.6 (kube 1.10.x) released. 1.11.2 (Kube 1.11.x) released 1.12.1](https://reader033.vdocuments.mx/reader033/viewer/2022050103/5f426513a3cab06b5c666712/html5/thumbnails/109.jpg)
QuestionsBlog: https://medium.com/cri-oGithub:
● https://github.com/kubernetes-sigs/cri-o● https://github.com/containers/buildah● https://github.com/containers/skopeo● https://github.com/containers/libpod (podman)● https://github.com/containers/storage● https://github.com/containers/image
Site: https://cri-o.io IRC: freenode: #cri-oSite: https://podman.io IRC: freenode: #podmanSite: https://buildah.io IRC: freenode: #buildah