Office of the CTO - Emerging Technologies
parts of containers are "boring" now!
the conversation is (and has been) at the orchestration layer (kubernetes/openshift)
standardization! OCI specifications
foundational community has bounded and rebounded, and is solid
less and less dependence on `docker`
containers inside containers
challenges of non-root everywhere (vfs and namespaces)
smarter and smarter CAPS, syscall awareness
The goal is a consistent experience in all arrangements
cgroups v2 are coming!
"hybrid" cgroups was no good
BPF will be a new technology to settle down
v1 controllers are each their own hierarchy
(pids, memory, freezer, devices, net_cls, net_prio, cpu, cpuacct, cpuset, hugetlb, blkio, perf_event)
v2 controllers are a unified hierarchy
(cpu, memory, io, pids, cpuset, rdma, perf_event)
Some controllers are now available only via BPF
(devices)
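As an added example (not from the talk), the following script tells a host's cgroup layout apart from the v1 per-controller and v2 unified mounts listed above, and flags the `devices` controller, which on a v2-only host has no filesystem interface and must be enforced as a BPF program. The mountinfo samples are constructed; on a real host pass the contents of `/proc/self/mountinfo`.

```python
"""Classify a host's cgroup layout (legacy v1, hybrid, or unified v2) from mountinfo."""

# Controllers as named on the slides. v1 mounts each as its own hierarchy
# (fstype "cgroup"); v2 exposes one unified hierarchy (fstype "cgroup2").
V1_CONTROLLERS = {"pids", "memory", "freezer", "devices", "net_cls", "net_prio",
                  "cpu", "cpuacct", "cpuset", "hugetlb", "blkio", "perf_event"}
V2_CONTROLLERS = {"cpu", "memory", "io", "pids", "cpuset", "rdma", "perf_event"}
BPF_ONLY = {"devices"}  # no v2 controller file; enforced via BPF program only

def parse_mountinfo(text):
    """Return (set of mounted v1 controllers, whether a cgroup2 mount exists)."""
    v1, has_v2 = set(), False
    for line in text.splitlines():
        # /proc/self/mountinfo: "<id> ... - <fstype> <source> <superopts>"
        _, sep, tail = line.partition(" - ")
        if not sep:
            continue
        parts = tail.split(" ", 2)
        if len(parts) < 3:
            continue
        fstype, _source, superopts = parts
        if fstype == "cgroup2":
            has_v2 = True
        elif fstype == "cgroup":
            # superopts look like "rw,cpu,cpuacct" or "rw,name=systemd"
            v1 |= set(superopts.split(",")) & V1_CONTROLLERS
    return v1, has_v2

def cgroup_mode(v1, has_v2):
    """'unified' (v2-only, the Fedora 31 default), 'hybrid', 'legacy' or 'none'."""
    if has_v2 and not v1:
        return "unified"
    if has_v2:
        return "hybrid"
    return "legacy" if v1 else "none"

def controllers_needing_bpf(v1, has_v2):
    """Controllers a v2 host cannot enforce through cgroupfs; a BPF program is required."""
    return BPF_ONLY - v1 if has_v2 else set()

# Constructed samples, not captured from a real host.
SAMPLE_HYBRID = """25 30 0:21 / /sys/fs/cgroup/unified rw,nosuid shared:9 - cgroup2 cgroup2 rw,nsdelegate
26 30 0:22 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid shared:10 - cgroup cgroup rw,cpu,cpuacct
27 30 0:23 / /sys/fs/cgroup/devices rw,nosuid shared:11 - cgroup cgroup rw,devices
28 30 0:24 / /sys/fs/cgroup/systemd rw,nosuid shared:12 - cgroup cgroup rw,name=systemd"""
SAMPLE_UNIFIED = "25 30 0:21 / /sys/fs/cgroup rw,nosuid shared:9 - cgroup2 cgroup2 rw,nsdelegate"

if __name__ == "__main__":
    for name, text in (("hybrid", SAMPLE_HYBRID), ("unified", SAMPLE_UNIFIED)):
        v1, has_v2 = parse_mountinfo(text)
        print(name, cgroup_mode(v1, has_v2), sorted(v1), controllers_needing_bpf(v1, has_v2))
```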
Super Cool Tech that we'll all hear more and more about
Originally focused on network filtering logic,
Now kernel-instrumented bytecode run in an in-kernel VM
Currently requires a compiler and is largely not relocatable 😰
Will likely become the de facto tracing tool for containers at large
OCI distribution spec is underway (formerly Docker Registry API v2)
Consolidate all of our registry stories (all eyes on Quay 👀)
signing has more options now
Source code of the container image
`podman generate` and `podman play` (for system and k8s)
Try out Fedora 31 (which defaults to cgroups-v2-only)
I want to hear your software audit requirements!
get clarity on the nuance of non-root container requests
Vincent Batts
vbatts@