DockerCon 2014: Thoughts on interoperable containers
DESCRIPTION
Docker is driving the popularization of Linux containers, but there are many different container managers out there, such as LXC and lmctfy, not to mention the different PaaS being built on top of these technologies. How great would it be if applications were portable to all (or most of) those different providers and container managers with little or no effort? This talk will discuss some ideas of what needs to be done for that to happen and what the community can do to help.
TRANSCRIPT
![Page 2: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/2.jpg)
Please don't continue. Go see this instead:
http://fabiokung.com/2014/06/11/my-dockercon-2014-talk
![Page 3: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/3.jpg)
Fabio, Runtime Systems at
I run linux containers.
![Page 4: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/4.jpg)
http://12factor.net
![Page 5: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/5.jpg)
“write once, run everywhere” – Sun Microsystems (?)
![Page 6: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/6.jpg)
“write once, debug everywhere” – (?)
![Page 7: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/7.jpg)
https://www.flickr.com/photos/tjblackwell/3545764529
![Page 8: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/8.jpg)
Developers want apps...
https://www.flickr.com/photos/cyol/7642566946
![Page 9: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/9.jpg)
PaaS wants scale...
https://www.flickr.com/photos/johngarghan/3401814659
![Page 10: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/10.jpg)
Docker wants...
docker logo usage follows guidelines published at http://www.docker.com/marks_and_logos/
![Page 11: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/11.jpg)
![Page 12: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/12.jpg)
PaaS
You
docker, lxc, lmctfy, ...
background: https://www.flickr.com/photos/jdhancock/12397433023
![Page 13: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/13.jpg)
Containers
https://www.flickr.com/photos/joshua/433354324
![Page 14: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/14.jpg)
“trying to make Docker secure for multi-tenant scenarios is a can of worms”
– darren0, at #docker-dev
![Page 15: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/15.jpg)
1 vs 1M
https://www.flickr.com/photos/enerva/9068467267
![Page 16: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/16.jpg)
Root
https://www.flickr.com/photos/ashleyrosex/2861690380
![Page 17: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/17.jpg)
apt-get install …
![Page 18: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/18.jpg)
vi /etc/…
![Page 19: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/19.jpg)
mount -t fancy …
![Page 20: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/20.jpg)
modprobe something
![Page 21: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/21.jpg)
iptables -A INPUT …
![Page 22: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/22.jpg)
kernelspace abuse
https://www.flickr.com/photos/erlendaasland/4107345124
![Page 23: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/23.jpg)
User Namespaces
Unprivileged Containers
https://www.flickr.com/photos/ntr23/730371240
![Page 24: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/24.jpg)
“(…) the kernel grants all capabilities to the initial process in a user namespace, this does not mean that process then has superuser privileges within the wider system. (It may, however, mean that unprivileged users now have access to exploits in kernel code that was formerly accessible only to root, ...)”
– Michael Kerrisk, “Namespaces in operation, part 6: more on user namespaces”, LWN.net
![Page 25: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/25.jpg)
```c
if (getuid() == 0) {
    // do root stuff
    // (inside a user namespace getuid() is also 0, so this check says
    // nothing about privileges in the wider system)
}
```
![Page 26: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/26.jpg)
just don't run as root?
![Page 27: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/27.jpg)
also SUID
![Page 28: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/28.jpg)
Restrictions
https://www.flickr.com/photos/mollivan_jon/10431164633
![Page 29: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/29.jpg)
Networking
https://www.flickr.com/photos/emptyage/177466621
![Page 30: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/30.jpg)
ephemeral disks
https://www.flickr.com/photos/pixeltree/4876732522
![Page 31: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/31.jpg)
arch, OS, image size, …
![Page 32: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/32.jpg)
containers/container-rfc · GitHub
“A vendor neutral format for Linux container images and runtime
![Page 33: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/33.jpg)
https://www.flickr.com/photos/littlebiglens/6034320322
Image Size
![Page 34: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/34.jpg)
Layers
https://www.flickr.com/photos/ralan808/11300490173
![Page 35: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/35.jpg)
Updates?
noncommercial use
![Page 36: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/36.jpg)
https://www.flickr.com/photos/doug88888/2801103568
Packages
“slugs”
![Page 37: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/37.jpg)
dotcloud/docker#332
docker load --rebase=new-base-image
![Page 38: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/38.jpg)
Apps
https://www.flickr.com/photos/zoomar/338952152
![Page 39: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/39.jpg)
Buildpacks
app source + base image
![Page 40: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/40.jpg)
```dockerfile
FROM heroku/cedar
ADD . /buildpack
ONBUILD ADD . /app
ONBUILD RUN /buildpack/bin/compile /app
ONBUILD ENV PORT 5000
ONBUILD EXPOSE 5000
```
![Page 41: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/41.jpg)
`ONBUILD ONBUILD` dotcloud/docker#5714
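The buildpack Dockerfile on the previous slide works because ONBUILD triggers recorded in the base image run in every downstream build, and Docker refuses to chain them (the `ONBUILD ONBUILD` case above) or to defer FROM/MAINTAINER. The following is an added example, not code from the talk or from Docker: it parses a Dockerfile, extracts the triggers a base image would carry, rejects the forbidden ones, and shows what a child build that only says FROM actually executes, which is what a reviewer auditing a base image for injected build steps wants to see. The child image name is an assumption.

```python
# Instructions Docker does not allow to be deferred with ONBUILD.
FORBIDDEN_TRIGGERS = {"FROM", "MAINTAINER", "ONBUILD"}

def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], skipping comments and blank lines
    and joining backslash line continuations."""
    steps, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        inst, _, arg = (buf + line).partition(" ")
        steps.append((inst.upper(), arg.strip()))
        buf = ""
    return steps

def onbuild_triggers(steps):
    """Triggers a base image records for downstream builds; raises on the
    instructions Docker refuses to defer (including ONBUILD ONBUILD)."""
    triggers = []
    for inst, arg in steps:
        if inst == "ONBUILD":
            t_inst, _, t_arg = arg.partition(" ")
            if t_inst.upper() in FORBIDDEN_TRIGGERS:
                raise ValueError("ONBUILD may not trigger " + t_inst.upper())
            triggers.append((t_inst.upper(), t_arg.strip()))
    return triggers

def expand_child_build(child_text, base_triggers):
    """Simulate a downstream build: the base image's triggers run right after
    FROM, before anything the child Dockerfile itself says."""
    out = []
    for step in parse_dockerfile(child_text):
        out.append(step)
        if step[0] == "FROM":
            out.extend(base_triggers)
    return out

# Constructed sample: the buildpack base image from the slide, plus a child
# app Dockerfile that only names it (the image name is an assumption).
BASE_DOCKERFILE = """\
FROM heroku/cedar
ADD . /buildpack
ONBUILD ADD . /app
ONBUILD RUN /buildpack/bin/compile /app
ONBUILD ENV PORT 5000
ONBUILD EXPOSE 5000
"""
CHILD_DOCKERFILE = "FROM example/ruby-buildpack\nCMD /app/bin/web\n"
```

Calling `expand_child_build(CHILD_DOCKERFILE, onbuild_triggers(parse_dockerfile(BASE_DOCKERFILE)))` lists the ADD, RUN, ENV and EXPOSE steps the child build inherits between its own FROM and CMD.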
![Page 42: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/42.jpg)
Buildstep
https://github.com/progrium/buildstep
![Page 43: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/43.jpg)
https://github.com/radial/
![Page 44: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/44.jpg)
```makefile
#!/usr/bin/env make -f
buildpath := .build
buildpackpath := $(buildpath)/pack
buildpackcache := $(buildpath)/cache

build: $(buildpackpath)/bin
	$(buildpackpath)/bin/compile . $(buildpackcache)

$(buildpackcache):
	mkdir -p $(buildpath)
	mkdir -p $(buildpackcache)
	curl -O https://codon-buildpacks.s3.amazonaws.com/.../go.tgz
	mv go.tgz $(buildpath)

$(buildpackpath)/bin: $(buildpackcache)
	mkdir -p $(buildpackpath)
	tar -C $(buildpackpath) -zxf $(buildpath)/go.tgz
```
![Page 45: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/45.jpg)
```ruby
ruby = "https://codon-buildpacks.s3.amazonaws.com/.../ruby.tgz"

app_container "myapp" do
  buildpack ruby
  git_url "[email protected]:myapp.git"
end

define :app_container, name: nil, buildpack: nil, git_url: nil do
  # ...
  execute "#{name} buildpack compile" do
    command "#{dir}/.build/pack/bin/compile #{dir} .build/cache"
  end
end
```
![Page 46: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/46.jpg)
container centric: whole image
app centric: builds as a mapping layer
recap: the container revolution
![Page 47: DockerCon 2014: Thoughts on interoperable containers](https://reader033.vdocuments.us/reader033/viewer/2022052601/55974d871a28abb7018b463b/html5/thumbnails/47.jpg)
Thank you!
All images used in this presentation are under a Creative Commons License, unless otherwise noted
https://www.flickr.com/photos/compacflt/5948542359