interoperable containers

Post on 11-Nov-2014

TRANSCRIPT

1. interoperable containers. Fabio Kung, fabio@heroku.com (image: https://www.flickr.com/photos/usnavy/8612337045)
2. Fabio, Runtime Systems at Heroku. I run Linux containers.
3. http://12factor.net
4. write once, run everywhere. Sun Microsystems (?)
5. write once, debug everywhere (?)
6. (image: https://www.flickr.com/photos/tjblackwell/3545764529)
7. Developers want apps... (image: https://www.flickr.com/photos/cyol/7642566946)
8. PaaS wants scale... (image: https://www.flickr.com/photos/johngarghan/3401814659)
9. Docker wants... (Docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/)
10. PaaS, You, docker, lxc, lmctfy, ... (background: https://www.flickr.com/photos/jdhancock/12397433023)
11. Containers (image: https://www.flickr.com/photos/joshua/433354324)
12. "trying to make Docker secure for multi-tenant scenarios is a can of worms" (darren0, at #docker-dev)
13. 1 vs 1M (image: https://www.flickr.com/photos/enerva/9068467267)
14. Root (image: https://www.flickr.com/photos/ashleyrosex/2861690380)
15. apt-get install
16. vi /etc/
17. mount -t fancy
18. modprobe something
19. iptables -A INPUT
20. kernelspace abuse (image: https://www.flickr.com/photos/erlendaasland/4107345124)
21. User Namespaces. Unprivileged Containers (image: https://www.flickr.com/photos/ntr23/730371240)
22. "(...) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)" Michael Kerrisk, "Namespaces in operation, part 6: more on user namespaces", LWN.net
23. Code:

        if (getuid() == 0) {
            // do root stuff
        }

24. just don't run as root?
25. also SUID
26. Restrictions (image: https://www.flickr.com/photos/mollivan_jon/10431164633)
27. Networking (image: https://www.flickr.com/photos/emptyage/177466621)
28. ephemeral disks (image: https://www.flickr.com/photos/pixeltree/4876732522)
29. arch, OS, image size, ...
30. containers/container-rfc (GitHub): A vendor neutral format for Linux container images and runtime
31. Image Size (image: https://www.flickr.com/photos/littlebiglens/6034320322)
32. Layers (image: https://www.flickr.com/photos/ralan808/11300490173)
33. Updates? (image: https://www.flickr.com/photos/doug88888/2801103568, noncommercial use)
34. Packages, slugs
35. dotcloud/docker#332: docker load --rebase=new-base-image
36. Apps (image: https://www.flickr.com/photos/zoomar/338952152)
37. Buildpacks: app source + base image
38. Dockerfile:

        FROM heroku/cedar
        ADD . /buildpack
        ONBUILD ADD . /app
        ONBUILD RUN /buildpack/bin/compile /app
        ONBUILD ENV PORT 5000
        ONBUILD EXPOSE 5000

39. `ONBUILD ONBUILD`: dotcloud/docker#5714
40. Buildstep: https://github.com/progrium/buildstep
41. https://github.com/radial/
42. Makefile:

        #!/usr/bin/env make -f
        buildpath := .build
        buildpackpath := $(buildpath)/pack
        buildpackcache := $(buildpath)/cache

        build: $(buildpackpath)/bin
        	$(buildpackpath)/bin/compile . $(buildpackcache)

        $(buildpackcache):
        	mkdir -p $(buildpath)
        	mkdir -p $(buildpackcache)
        	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
        	mv go.tgz $(buildpath)

        $(buildpackpath)/bin: $(buildpackcache)
        	mkdir -p $(buildpackpath)
        	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz

43. Recipe:

        ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

        app_container "myapp" do
          buildpack ruby
          git_url "git@mycompany.com:myapp.git"
        end

        define :app_container, name: nil, buildpack: nil, git_url: nil do
          # ...
          execute "#{name} buildpack compile" do
            command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
          end
        end

44. container centric: whole image. app centric: builds as a mapping layer. recap: the container revolution
45. Thank you! fabio@heroku.com. All images used in this presentation are under a Creative Commons License, unless otherwise noted. (image: https://www.flickr.com/photos/compacflt/5948542359)
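The Makefile and the recipe in the slides both end by calling a buildpack's bin/compile with an app directory and a cache directory. The following is an added example, not code from the talk or from Heroku: it constructs a tiny buildpack (bin/detect and bin/compile) in a temp dir and runs the detect/compile round trip offline, showing how the cache dir is reused between builds and how detect rejects an app the buildpack does not apply to. The Gemfile check and the "dependency bundle" are stand-ins for what a real buildpack does.

```shell
#!/bin/sh
# Added example (not from the slides): a round trip through the buildpack
# contract the Makefile and recipe above call into: bin/detect <app-dir>
# exits 0 when the buildpack applies, bin/compile <app-dir> <cache-dir>
# builds the app. Buildpack, app and cache are constructed in temp dirs.
set -eu

# Write a constructed buildpack into $1 that only accepts apps with a Gemfile.
make_buildpack() {
    mkdir -p "$1/bin"
    cat > "$1/bin/detect" <<'EOF'
#!/bin/sh
[ -f "$1/Gemfile" ] || exit 1
echo "Ruby"
EOF
    cat > "$1/bin/compile" <<'EOF'
#!/bin/sh
app="$1"; cache="$2"
mkdir -p "$cache" "$app/.build"
# Fetch the dependency bundle once, then reuse it from the cache dir.
if [ -f "$cache/deps.txt" ]; then
    echo "cache hit" > "$app/.build/log"
else
    echo "constructed dependency bundle" > "$cache/deps.txt"
    echo "cache miss" > "$app/.build/log"
fi
cp "$cache/deps.txt" "$app/.build/deps.txt"
EOF
}

# build_app APP PACK CACHE: run detect, then compile; print the build log.
# Scripts run via sh so this also works when the temp dir is mounted noexec.
build_app() {
    sh "$2/bin/detect" "$1" >/dev/null || { echo "no buildpack matched"; return 1; }
    sh "$2/bin/compile" "$1" "$3"
    cat "$1/.build/log"
}

# Build the same app twice (cache miss, then cache hit), then drop the
# Gemfile so detect rejects the app before compile can run.
demo() {
    work=$(mktemp -d)
    make_buildpack "$work/pack"
    mkdir -p "$work/app"; : > "$work/app/Gemfile"
    build_app "$work/app" "$work/pack" "$work/cache"
    build_app "$work/app" "$work/pack" "$work/cache"
    rm "$work/app/Gemfile"
    build_app "$work/app" "$work/pack" "$work/cache" || true
    rm -rf "$work"
}
```

Calling `demo` prints one line per build: cache miss, cache hit, then the rejection from detect.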
