containers & caas

Containers & CaaS 2015-11-05

Upload: open-source-software-competence-center-huawei-technologies

Post on 20-Mar-2017


TRANSCRIPT

Who am I? Yujie Du

About: https://about.me/Yujie.Du Twitter: @ben_duyujie Email: [email protected] Linkedin: https://www.linkedin.com/in/duyujie Download: https://www.slideshare.net/ben_duyujie/containers-caas/

One company has certainly found growth by injecting software into its industry.

source: http://thenewstack.io/uber-netflix-and-the-dreams-of-devops-and-microservices/

[Chart: Uber's rumored net revenue, 2013 to 2015]

Since 2000, 52% of the Fortune 500 are no longer on the list. The pace of change has increased.

Docker will play a central role for every player in that market.

Private, Hybrid, Public

IT Pros, Deployment, Packaging, Architects, Developers

Docker is also the contract between Developers and Operations. Developers and Operations often have very different attitudes when it comes to choosing tools and environments.

Waterfall -> Agile -> DevOps

Monolithic -> N-Tier -> Microservices

Datacenter -> Hosted -> Cloud

Physical Servers -> Virtual Servers -> Containers

Cloud Native Application

Figure from M. Schwarzkopf, “Operating system support for warehouse-scale computing”, PhD thesis, University of Cambridge, 2015 (to appear).

Details & Bibliography: http://malteschwarzkopf.de/research/assets/google-stack.pdf

[Diagram: Retail, Finance, Media, Transportation: App / Container, on three systems-management stacks]

Stack 1, plain old virtualization: AppDev "Monolithic" / Systems Management 1: VMware, Microsoft, Linux / Hardware

Stack 2, cloud, public and private: AppDev "Cloud-native" / Systems Management 2: OpenStack, Cloud Foundry, AWS etc. / Hardware

Stack 3: Systems Management 3: Docker, Mesos, CoreOS, Kubernetes etc. / Hardware

Management tools always(?) change. What runs everything, and most of the attention, is here.

Hardware no longer eating the world - cheaper, faster

Shift from web, to web + mobile

A single API for managing applications on 4 infrastructures

Virtual Machines: Physical Processor (shared) | Virtual Processor, Operating System, Libraries, User Code (private copy per VM); interface: ISA

Containers: Physical Processor, Virtual Processor, Operating System (shared) | Libraries, User Code (private copy per container); interface: syscall

Containers: less overhead, enable more “magic”

Sandboxing (chroot jails): various projects... chroot (1979), jail, Linux-VServer, OpenVZ ...

Linux container (chroot + OS isolation): brought into the kernel... namespaces, cgroups, SELinux, AppArmor, btrfs/aufs/device mapper/etc ...

Docker (LXC + packaging): and packaged up. systemd-nspawn, LXC, lmctfy, libvirt-lxc, Docker / libcontainer, rkt / appc ...

Containers are isolated, portable environments where you can run applications along with all the libraries and dependencies they need.

[Diagram: User request -> shell / Application -> Linux Kernel -> hardware]

Each user has a home directory and process directory

Run in memory

A paradigm shift for the O/S : Redefines “Kernel Space” & “User Space”

Better fit for distributed computing

Who built this image?

What’s its purpose? Was it created to support a demo?

Is it safe to consume? Who maintains it?

RED HAT CERTIFIED: trusted source for the host and the containers; trusted content inside the container, with security fixes available as part of an enterprise lifecycle; portability across hosts.

[Diagram: HW / Host OS / Containers, each layer certified]

Process A calls fork(). Process A continues as the parent with its original PID; Process B is the child with a new PID. The child calls execve() and executes a different program, then exit(). The parent receives SIGCHLD and reaps the ZOMBIE with wait(), after which cleanup happens.

Reference: http://www.lynx.com/the-fork-call-posix-processes-and-parent-child-relationships

1. Docker Daemon: process fork

2. exec dockerinit: new namespaces, init namespaces, the only process (same PID), cgroups applied

3. ENTRYPOINT / CMD (your application)

Docker Container: process, process, process ...

A Docker Container is born just by syscall: fork and exec a process.
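The three steps above (fork, move into fresh namespaces, exec the application) as an added C example for Linux; this is not code from the deck or from Docker. It assumes `true` and `sh` are on PATH, and that the kernel may refuse unprivileged user namespaces, in which case the function returns a negative errno instead of an exit status.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <sys/wait.h>
#include <unistd.h>
/* fork() a child, unshare() it into fresh namespaces (flags = CLONE_NEW* bits,
 * 0 for none), then exec argv in it. Returns the program's exit status, or
 * -errno if the kernel refused the namespaces (EPERM when unprivileged user
 * namespaces are disabled, e.g. under Docker's default seccomp profile). */
int run_in_namespaces(char *const argv[], int flags) {
    int pipefd[2], err = 0, status = 0;
    if (pipe(pipefd) < 0) return -errno;          /* child reports unshare errno */
    pid_t pid = fork();                           /* 1. fork */
    if (pid < 0) return -errno;
    if (pid == 0) {
        close(pipefd[0]);
        if (flags && unshare(flags) < 0) err = errno;   /* 2. new namespaces */
        if (!err && (flags & CLONE_NEWPID)) {
            /* a new PID namespace only covers *children* of the caller, so fork
             * again: the grandchild is PID 1 there, like dockerinit in a container */
            pid_t inner = fork();
            if (inner < 0) err = errno;
            else if (inner > 0) {                 /* middle process: wait, relay status */
                waitpid(inner, &status, 0);
                _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 126);
            }
        }
        if (write(pipefd[1], &err, sizeof err) != sizeof err || err) _exit(127);
        close(pipefd[1]);
        execvp(argv[0], argv);                    /* 3. exec the application */
        _exit(127);                               /* only reached when exec failed */
    }
    close(pipefd[1]);
    if (read(pipefd[0], &err, sizeof err) != sizeof err) err = EIO;
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0) return -errno;   /* wait(): reap, no zombie */
    if (err) return -err;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
/* Plain fork+exec with no isolation: `true` exits 0. */
int demo_plain(void) {
    char *const argv[] = {"true", NULL};
    return run_in_namespaces(argv, 0);
}
/* Same in new user+PID+UTS namespaces; the shell exits 0 only if it is PID 1. */
int demo_namespaced(void) {
    char *const argv[] = {"sh", "-c", "[ \"$$\" = 1 ]", NULL};
    return run_in_namespaces(argv, CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS);
}
```

A real runtime additionally writes uid_map/gid_map, pivots the root filesystem to the image's rootfs and places the process in a cgroup before the exec; those steps are left out here.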

CGROUPS, NAMESPACES, IMAGES, DOCKER CONTAINER

CGROUPS: kernel feature; groups of processes; control resource allocation: CPU, CPU sets, memory, disk, block I/O.

IMAGES: not a file system; not a VHD; basically a tar file; has a hierarchy of arbitrary depth; fits into Docker Registry.

NAMESPACES: the real magic behind containers; creates barriers between processes; different namespaces: PID namespace, Net namespace, IPC namespace, MNT namespace; Linux kernel namespaces introduced between kernel 2.6.15 and 2.6.26.

docker run / lxc-start

Open Container Initiative

[Diagram: App Container spec (appc) components]

ACI: ID, Signed, Encrypted, Archive, Manifest, Rootfs

Network: veth, ipvlan, macvlan, raw dev, loopback, ip, overlay, DM, cgroup

Runtime Env: Pods, UUID, Manifest, Executor; FS Volume, Environment, Logging

Isolators: Capabilities, Linux Isolators, Resource Isolators (block, network, cpu, memory)

Image Discovery: Simple Discovery, Meta Discovery

Application Containers

“An application container is a way of packaging and executing processes on a computer system that isolates the application from the underlying host operating system” (https://github.com/appc/spec, 2015).

CNM & CNI

Container Network Model (CNM): Libnetwork, Docker 1.7

Container Network Interface (CNI): AppC

https://www.ibm.com/developerworks/community/blogs/1ba56fe3-efad-432f-a1ab-58ba3910b073/entry/thoughts_on_future_of_resource_managers_and_schedulers_in_the_cloud?lang=en

IaaS: Capacity (VM, Storage…)

PaaS: App (code)

CaaS: App container

CNCF & OCI

CNCF layers: Application definition and orchestration; Resource scheduling; Distributed system services; Container runtime agent, container registry, container repository, computing node OS; Software-defined network, software-defined storage; Infrastructure provisioning (out of scope)

OCI: API specification, OCI specification, reference implementation, OCI api spec

http://stackalytics.com/

Docker Kubernetes

The End~