innovating out in the open - oscon 2016
TRANSCRIPT
Innovating Out in the Open
Phil Estes, IBM <[email protected]>
Twitter/IRC: @estesp
Phil Estes
Senior Technical Staff Member
IBM Open Cloud Technologies
@estesp
> Docker core engine maintainer
> Member of “Docker Captains” program
> 10+ years involved in Linux/OSS
> Interests: cloud/containers/Linux
Intro
Key upstream accomplishments
> Brought user namespace support to the Docker engine
> Helped design v2.2 image specification with multi-platform support
> Implemented first tool to create multi-platform images in Docker v2.3 registry
Open Container Initiative (OCI)
• A Linux Foundation Collaborative Project
• Free from control by any particular vendor’s specific cloud stack or ecosystem
• Includes a specification, reference runtime* and now, a specified image format
An open governance structure for creating open industry standards: a common container runtime and image format.
*seeded with runc + libcontainer by Docker
OCI: Specs and Status
> Runtime specification: Release 0.5.0 / April 2016 https://github.com/opencontainers/runtime-spec/releases/tag/v0.5.0
Goal is to reach a 1.0 release by mid-June
Includes required core for containerization on Linux & Windows
> Image format specification: Release 0.1.0 / May 2016 https://github.com/opencontainers/image-spec/releases/tag/v0.1.0
Seeded with Docker registry v2.2 specification
Work just beginning in the repository; 0.1 is a “stake in the ground”
▪ Announced June 20th, 2015
▪ Charter signed on December 8th, 2015
▪ 46 current member companies
▪ Target of a 1.0 specification (runtime) by June
https://opencontainers.org
https://github.com/opencontainers
Introduction to runC
> runC is a client wrapper around libcontainer
> Libcontainer is the OS level interface for containers
Other platforms and architectures can implement the libcontainer API via their own primitives/system-level container concepts
Runc In The Wild
▪ CloudFoundry Garden OCI implementation
  - https://github.com/cloudfoundry-incubator/guardian
  - Uses runc as a backend for container execution
▪ Docker 1.11 (and above)
  - Switched from direct libcontainer API linkage to calling runc as container executor
  - Uses containerd as a gRPC daemon to disconnect Docker daemon (API/mgmt) from container execution (allows daemon restart in future without container runtime impact)
runC: An open innovation platform for containers
Implement low-level container features
▪ Operating system level features should be defined in the OCI runtime specification
▪ New capabilities (PID cgroup controls, checkpoint/restore, seccomp) implemented in runC
OCI compliance/pluggable execution engine
▪ Implement an OS/environment for containers via an OCI spec compliant binary
▪ Examples: runz (Solaris zones), runv (hypervisor-based), Intel Clear Containers
Iterative container configuration test/debug
▪ Simple variant of “Docker-like” containers with less friction for quick modifications
▪ Low bar for dependencies: single binary + physical rootfs bundle + JSON config
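The two slides above describe runC's bundle model (a single binary, a rootfs directory and a JSON config) and the hardening features that landed in runC first: user namespaces, the PID cgroup limit and seccomp. The following is an added example, not code from the talk or from the runC project, showing what those features look like in the bundle's config.json and how to audit a config for them before handing it to the runtime. The dictionaries are hand-written to mirror the v0.5.0-era config layout (ociVersion, process, root, linux.*); the exact field names are an assumption based on that spec version, and later releases renamed some of them. Python is used here because the artifact under discussion is language-independent JSON; runC itself is written in Go.

```python
"""Build, harden and audit an OCI runtime-spec config.json (constructed example)."""
import json

# Deliberately small allowlist so the default-deny policy is visible in the
# JSON; a real profile for `sh` needs many more syscalls.
ALLOWED_SYSCALLS = (
    "read", "write", "open", "openat", "close", "fstat", "brk", "mmap",
    "munmap", "rt_sigreturn", "exit", "exit_group",
)

# Capabilities that let a process tamper with the host kernel or other processes.
DANGEROUS_CAPS = ("CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO")


def minimal_config(rootfs="rootfs", args=("sh",)):
    """A bare bundle config: the 'low bar' starting point, with no hardening.
    Field names follow the v0.5.0-era spec as understood here (assumption)."""
    return {
        "ociVersion": "0.5.0",
        "platform": {"os": "linux", "arch": "amd64"},
        "process": {
            "terminal": True,
            "user": {"uid": 0, "gid": 0},
            "args": list(args),
            "env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
            "cwd": "/",
            "capabilities": ["CAP_AUDIT_WRITE", "CAP_KILL", "CAP_NET_BIND_SERVICE"],
        },
        "root": {"path": rootfs, "readonly": False},
        "hostname": "runc",
        "mounts": [{"destination": "/proc", "type": "proc", "source": "proc"}],
        "linux": {
            "namespaces": [{"type": t} for t in ("pid", "network", "ipc", "uts", "mount")],
        },
    }


def harden(config, subid_base=100000, subid_size=65536, pids_limit=256):
    """Apply the runC features the slides name: user namespace remapping,
    a PID cgroup limit and a default-deny seccomp filter, plus a read-only
    rootfs and no_new_privs. Returns a new dict; the input is not modified."""
    cfg = json.loads(json.dumps(config))  # cheap deep copy of plain JSON data
    linux = cfg.setdefault("linux", {})
    namespaces = linux.setdefault("namespaces", [])
    if not any(ns.get("type") == "user" for ns in namespaces):
        namespaces.append({"type": "user"})
    # Container uid 0 becomes an unprivileged host uid from a subordinate range.
    mapping = {"hostID": subid_base, "containerID": 0, "size": subid_size}
    linux["uidMappings"] = [dict(mapping)]
    linux["gidMappings"] = [dict(mapping)]
    linux.setdefault("resources", {})["pids"] = {"limit": pids_limit}
    linux["seccomp"] = {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"name": s, "action": "SCMP_ACT_ALLOW"} for s in ALLOWED_SYSCALLS],
    }
    cfg.setdefault("process", {})["noNewPrivileges"] = True
    cfg.setdefault("root", {})["readonly"] = True
    return cfg


def audit(config):
    """Return a list of findings (an empty list means every check passed)."""
    findings = []
    linux = config.get("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    for required in ("pid", "mount", "network", "user"):
        if required not in ns_types:
            findings.append("missing %s namespace" % required)
    if "user" in ns_types:
        uids, gids = linux.get("uidMappings", []), linux.get("gidMappings", [])
        if not uids or not gids:
            findings.append("user namespace without uid/gid mappings")
        elif any(m.get("hostID") == 0 and m.get("containerID") == 0 for m in uids + gids):
            findings.append("user namespace maps container root to host root")
    limit = linux.get("resources", {}).get("pids", {}).get("limit")
    if not isinstance(limit, int) or limit <= 0:
        findings.append("no pids limit")
    seccomp = linux.get("seccomp")
    if not seccomp:
        findings.append("no seccomp profile")
    elif seccomp.get("defaultAction") not in ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL"):
        findings.append("seccomp default action allows unlisted syscalls")
    process = config.get("process", {})
    if not process.get("noNewPrivileges"):
        findings.append("noNewPrivileges not set")
    for cap in process.get("capabilities", []):
        if cap in DANGEROUS_CAPS:
            findings.append("dangerous capability %s" % cap)
    if not config.get("root", {}).get("readonly"):
        findings.append("root filesystem is writable")
    return findings


def write_bundle_config(config, path="config.json"):
    """Write config.json next to the rootfs directory of an OCI bundle."""
    with open(path, "w") as fh:
        json.dump(config, fh, indent=2)
    return path


if __name__ == "__main__":
    base = minimal_config()
    print("before:", audit(base))
    print("after: ", audit(harden(base)))
```

Run it in a bundle directory (one that contains a `rootfs/`) and the written config.json is what runC consumes. Two caveats a practitioner will hit: the subordinate uid/gid range (100000 here) must exist on the host, and files in the rootfs must be owned by ids inside that range or the remapped root cannot read them; and the seccomp allowlist is intentionally too small to get a shell running, so extend it from what the workload actually calls rather than loosening `defaultAction`.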
Let’s Demo
What I’m going to show you:
OCI Futures
- Image format specification
  - Just getting underway
  - More users and contributed implementations
- runC innovations moving into higher level implementations
  - Checkpoint+restore under consideration for exposure via Docker API
  - Seccomp, user namespaces, and PID limits are prior examples
- What do you plan to do with OCI and/or runC?
Questions?
@estesp
github.com/estesp
https://integratedcode.us
IRC: estesp