Containers, Computing and Change


Vincent Batts @vbatts

$> finger $(whoami)
Login: vbatts                           Name: Vincent Batts
Directory: /home/vbatts                 Shell: /bin/bash
Such mail.
Plan:
OHMAN
$> id -Gn
devel opencontainers docker appc redhat golang slackware

Containers

Share the host's kernel (crashes and exploits alike)

Virtualizing by "namespacing" kernel resources and concepts

Isolation by control groups, syscall filtering, and Linux Security Modules (SELinux, AppArmor, etc.)

Kernel Namespaces:

  • mount
  • IPC (message queues, semaphores, shm)
  • UTS (hostname)
  • network
  • PID
  • cgroup
  • user

Kernel Namespaces: PID

Container Runtime Standards

$> runc spec
$> less config.json
{
        "ociVersion": "1.0.0-rc5",
        "platform": {
                "os": "linux",
                "arch": "amd64"
        },
        "process": {
                "terminal": true,
...

Using runc

Container Distribution

Root ('/') File System

Approaches:

  • Tar Archive
  • Raw Image
  • rsync
  • ostree

Container Distribution

$ skopeo copy docker://opensuse/amd64:42.2 oci:opensuse:latest
Getting image source signatures
Copying blob sha256:b0d17859d0e6c32023637374cc2a58223f013758bf13b5b390e00f1c89556cb8
 47.09 MB / 47.09 MB [=========================================================]
Copying config sha256:402d70d449419de6963c694b69af418d35a026ad14159e93da8ef9973db21605
 0 B / 805 B [-----------------------------------------------------------------]
Writing manifest to image destination
Storing signatures
$ find ~/opensuse -type f
/home/vbatts/opensuse/blobs/sha256/ca2b806433c495ede5114aec2ffd567b43f084c60774346214b610f8ba0b8309
/home/vbatts/opensuse/blobs/sha256/402d70d449419de6963c694b69af418d35a026ad14159e93da8ef9973db21605
/home/vbatts/opensuse/blobs/sha256/b0d17859d0e6c32023637374cc2a58223f013758bf13b5b390e00f1c89556cb8
/home/vbatts/opensuse/refs/latest
/home/vbatts/opensuse/oci-layout
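The `oci:` layout skopeo just wrote is content-addressed: each file under blobs/sha256/ is named by the SHA-256 of its own bytes, so whoever consumes the image can verify every blob before unpacking it. The following is an added example, not code from the talk or from skopeo; it walks refs/latest to the manifest and checks each referenced blob against its name, assuming refs/<tag> holds a JSON descriptor with "digest" and "size", and builds a constructed sample layout in a temp dir to run against.

```python
# Added integrity check for an OCI image-layout dir like the one skopeo wrote above. Assumption
# (not from the slides): refs/<tag> is a JSON descriptor {"digest","size"} naming the manifest blob.
import hashlib, json, tempfile
from pathlib import Path

def blob_path(root, digest):
    return Path(root, "blobs", *digest.split(":", 1))  # "sha256:abc" -> blobs/sha256/abc

def check_blob(root, desc):
    """Problems for one descriptor: the blob must exist and hash to its own file name."""
    path = blob_path(root, desc["digest"])
    if not path.is_file():
        return ["missing blob " + desc["digest"]]
    actual = "sha256:" + hashlib.sha256(path.read_bytes()).hexdigest()
    return [] if actual == desc["digest"] else ["digest mismatch " + desc["digest"]]

def verify_oci_layout(root, ref="latest"):
    """Walk ref -> manifest -> config/layers; return every problem found (empty = OK)."""
    layout = json.loads(Path(root, "oci-layout").read_text())
    problems = [] if layout.get("imageLayoutVersion") == "1.0.0" else ["bad oci-layout"]
    ref_desc = json.loads(Path(root, "refs", ref).read_text())
    problems += check_blob(root, ref_desc)
    if problems:
        return problems  # never parse a manifest whose bytes failed their digest
    manifest = json.loads(blob_path(root, ref_desc["digest"]).read_text())
    for desc in [manifest["config"]] + manifest.get("layers", []):
        problems += check_blob(root, desc)
    return problems

def write_blob(root, data):
    """Store bytes content-addressed and return the descriptor that names them."""
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    path = blob_path(root, digest)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    return {"digest": digest, "size": len(data)}

def build_sample_layout(tamper=False):
    """Constructed two-blob image in a temp dir; tamper=True corrupts the layer afterwards."""
    root = Path(tempfile.mkdtemp())
    (root / "refs").mkdir()
    (root / "oci-layout").write_text(json.dumps({"imageLayoutVersion": "1.0.0"}))
    config = write_blob(root, b'{"architecture":"amd64","os":"linux"}')
    layer = write_blob(root, b"constructed layer tarball bytes")
    manifest = write_blob(root, json.dumps({"schemaVersion": 2, "config": config, "layers": [layer]}).encode())
    (root / "refs" / "latest").write_text(json.dumps(manifest))
    if tamper:  # append a byte: the file's name no longer matches its contents
        path = blob_path(root, layer["digest"])
        path.write_bytes(path.read_bytes() + b"!")
    return root
```

Point it at the directory from the `find` output (`verify_oci_layout("/home/vbatts/opensuse")`) to check a real skopeo copy; an empty list means every blob hashed to its name.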

What's next?

Desktop applications will shape and mold (see flatpak.org)

Get used to not having root privileges (see bubblewrap and bwrap-oci)

Get used to not having capabilities (see SystemTap)

What's next?

Cloud Native application development (see CNCF)

Rather than only shoving "legacy" code in new boxes

Discoverable APIs (see OpenAPI)

"Scheduled" functionality (see OpenShift and Kubernetes)

Intercommunication (see gRPC)

Event- and metric-driven services

Cloud

Shameless Plug

Red Hat is active in this area

(both technology and proximity)

Thanks!

Vincent Batts

@vbatts | vbatts@redhat.com