docker introduction
TRANSCRIPT
EMC CONFIDENTIAL—INTERNAL USE ONLY
$ uname -a
> No ops introduction
> No code
> No Docker network (next time?)
> No Docker storage (Dockerone, Vivian)
> One target: what is Docker?
> StarII program. Thanks for being here.
$ ls -al ./
> $ man Docker
> $ man cgroup
> $ man namespaces
> User namespaces?
> Securing your Docker
> $ man UnionFS
> $ man docker-layer
$ cat Docker
OS Virtualization
• Virtual machine emulates everything, including hardware
• Container isolates processes, users and filesystem.
$ man cgroup
• Limit, account, and isolate resource usage (CPU, memory, disk I/O, and more) of process groups:
– Resource limiting: groups can be set to not exceed a set memory limit;
– Prioritization: some groups may get a larger share of CPU or disk I/O throughput;
– Accounting: to measure how much resource certain systems use;
– Control: freezing groups or checkpoint and restart
$ man cgroup
Monitor resources inside a container?
Or: vmstat, iostat…
$ man namespaces
• UTS: isolate node-name and domain-name—returned by the uname() system call
• Network: provide isolation of the system resources associated with networking, including own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, and so on.
• PID: isolate the process ID number space.
• Mount: isolate the set of filesystem mount points seen by a group of processes. Thus, processes in different mount namespaces can have different views of the filesystem hierarchy.
• IPC: isolate certain inter-process communication (IPC) resources, namely, System V IPC objects and POSIX message queues.
• User: isolate the user and group ID number spaces. In other words, a process's user and group IDs can be different inside and outside a user namespace.
$ man namespaces
docker run -it -m 256m --net=container:09f40c99ea5c ubuntu:14.04 /bin/bash
Why say no to user namespaces (yet)?
/proc/[pid]/uid_map and gid_map line format: ID-inside-ns ID-outside-ns length
Securing your Docker
• No “--privileged=true”
• GID_Mapping/UID_Mapping with LXC driver;
• SELinux or AppArmor
• Libseccomp
• Capabilities
• ...
See: https://github.com/GDSSecurity/Docker-Secure-Deployment-Guidelines
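The uid_map line format from the user-namespace slide and the UID/GID mapping bullet above, worked through as a shell example added here (not part of the original deck): it translates a uid seen inside a namespace to the uid the host kernel enforces, and answers the question a defender cares about, whether container root is host root. The map lines are constructed samples, and map_uid / host_root_equivalent are names chosen for this example.

```sh
#!/bin/sh
# Added example, not from the slides. A uid_map holds lines of the form
#   ID-inside-ns  ID-outside-ns  length
# meaning inside uids [ID-inside, ID-inside+length) map to host uids
# starting at ID-outside. Uids no line covers are "unmapped" (the kernel
# shows them as the overflow uid, 65534 by default).

# map_uid INSIDE_UID MAP_TEXT
# Prints the host uid for INSIDE_UID, or "unmapped" if no line covers it.
map_uid() {
    inside=$1
    map=$2
    printf '%s\n' "$map" | awk -v id="$inside" '
        NF == 3 && id >= $1 && id < $1 + $3 { print id - $1 + $2; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# host_root_equivalent MAP_TEXT
# Prints "yes" when uid 0 inside the namespace is uid 0 on the host, i.e.
# the container's root is real root as far as the kernel is concerned.
host_root_equivalent() {
    if [ "$(map_uid 0 "$1")" = "0" ]; then echo yes; else echo no; fi
}

# Constructed sample maps (not read from a real system):
IDENTITY_MAP="0 0 4294967295"   # what every process shows with no user namespace
REMAPPED_MAP="0 100000 65536"   # a typical remapped user namespace

# Live check of the current process, for reading on a real host:
if [ -r /proc/self/uid_map ]; then
    echo "this process: root-equivalent=$(host_root_equivalent "$(cat /proc/self/uid_map)")"
fi
```

With the identity map the check prints "yes": without user namespaces, a root process inside the container is root on the host, which is why the other items on this slide (no --privileged, capabilities, seccomp, MAC) matter.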
Conclusion of Isolation
– What is isolation?
– Why do we feel Docker is excellent?
$ man UnionFS
It allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system. Contents of directories which have the same path within the merged branches will be seen together in a single merged directory, within the new, virtual filesystem.
When mounting branches, the priority of one branch over the other is specified. So when both branches contain a file with the same name, one gets priority over the other.
The different branches may be both read-only and read-write file systems, so that writes to the virtual, merged copy are directed to a specific real file system. This allows a file system to appear as writable, but without actually allowing writes to change the file system, also known as copy-on-write.
$ man docker-layer
• Each layer of the FS is mounted on top of prior layers
• The first layer is the base image
• Current base images include debian, ubuntu, busybox, fedora, centos, etc.
• Each read-only layer is called an image (a layer is just a collection of files and folders!)
• The top layer is the only modifiable layer - it’s termed the container
$ (reverse-i-search)`cat': cat Docker
cgroup + namespaces + Union FS
$ ls -AF | grep '^\.'
curl http://10.32.105.223/add_certs | sudo sh
(Currently only works on Ubuntu)