containers today and beyond
play

Containers Today and Beyond Michal Svec Flavio Castelli Product - PowerPoint PPT Presentation

Jun 02, 2023 •170 likes •692 views

Containers Today and Beyond Michal Svec Flavio Castelli Product Manager Engineering Manager msvec@suse.com fcastelli@suse.com Agenda How it all started Why should I care? What are containers? Gimme more! Show me! 2 How

  1. Containers Today and Beyond Michal Svec Flavio Castelli Product Manager Engineering Manager msvec@suse.com fcastelli@suse.com

  2. Agenda ● How it all started ● Why should I care? ● What are containers? ● Gimme more! ● Show me! 2

  3. How it all started 3

  4. Bimodal IT – Challenges & Opportunities Malcom McLean 4

  5. 5

  6. How does it apply to me? ● Running applications? ● Providing services? ● …? 6

  7. 7

  8. 8

  9. Why should I care? 9

  10. Bimodal IT – Challenges & Opportunities 10

  11. The two brains of IT Mode 1 Mode 2 Reliability Agility Waterfall, ITIL Agile, DevOps Conventional Projects New & Uncertain Projects Long-cycle Times Short Cycle (days, weeks) (months) 11

  12. Two Worlds of IT Need a Bridge Traditional IT Agile IT Mode 1 Mode 2 45% of organizatjons claim to have some form of bimodal capability today. 12

  13. Challenges in Context of Containers New features; Faster please! Developers Operations • Frequent releases vs. staged Manage growing services • production schedule. Reliability and uptime of new applications • “It works on my machine.” Time to market • Efficiency 13

  14. What are containers, really? 14

  15. Containers OS-level or application virtualization with Linux Containers (LXC) and container engine. Support for Windows Subsystem for Linux (WSL). 15

  16. What are containers – two views ● Operations ● Applications ● Components of Linux kernel and OS ● Packaging ● Image format, specific tools ● Share easily ● Isolation ● Easily extensible ● High density ● Scale up/down ● Smaller, lighter, faster ● Self-contained ● Orchestration, management ● Micro-services 16

  17. 17

  18. Linux Containers • System containers – Full system in the container (no kernel) – libvirt-lxc • Application containers – One process per container – Docker, podman, ... – Rich ecosystem 18

  19. Linux Containers App App App App System container A A' B B' Application container Bins/Libs Bins/Libs Bins/Libs Bins/Libs Guest OS Guest OS Guest OS Guest OS Kernel Kernel Hypervisor (Type 2) Host OS Server 19

  20. Advantages of Linux Containers Lightweight virtualization solution – Isolated from the other processes – 1 kernel to rule them all – Normal I/O – Dynamic changes possible without reboot – Nested virtualization is not a problem – No boot time or very short one Isolate services (e.g. web server, ftp, …) Much more (see furter) ... 20

  21. Linux Containers – Limitations They cannot run a different OS/architecture – Cannot run Windows containers on Linux Risk of escaping from containers – Solution: user namespaces Shared kernel with the host – Syscall exploits can be exploited from within the container – Solution: seccomp2 Security measures – Patch, don’t use root, kernel capabilities, confinement – Use VMs 21

  22. Containers and orchestration • Standalone container host – SLES, container engine, registry (Portus) • Orchestrated datacenter – SUSE CaaS Platform (Micro OS, K8s) – Containerized applications, micro services • Bi-modal datacenter – SUSE CaaS Platform + SUSE OpenStack Cloud – Combination of traditional IT + agile (containers) 23

  23. Bimodal IT – Challenges & Opportunities 25

  24. 26

  25. Too much going on, dive deeper! (And show me!) 27

  26. Containers are standardized • OCI runtime specification: • Defines container runtime (API, data structures, …) • How to start/stop/... containers • OCI provides a reference implementation: runC • OCI image format specification: • Defines how a container image is structured • Result: • Avoid vendor lock-in • Avoid fragmentation • Containers are truly portable • Foster innovation 28

  27. Running containers • Stand-alone node: • docker • podman • Container orchestration - kubernetes: • docker • containerd • CRI-O • ... 29

  28. Introducing podman • Drop-in replacement for docker • Focuses on single node operations, close to docker 1.13 • No daemon • Relies on runC • Network implemented using CNI 30

  29. podman extra features • Has the concept of "pods": • Works like with kubernetes • Allows to group several containers together • Remove some isolation features on purpose (namespaces, cgroups) • Can work in rootless mode: • Regular unprivileged users can create containers • Containers are visible only to the user who created them • Makes containers even more secure 31

  30. Building containers • Most of you are probably using "docker build" but... • Other ways to build container images exist • Images delivered by SUSE are not built using docker: • Base container images • Derived images, think about all the CaaS Platform ones How could that work? 32

  31. Repetition: standards matter! • Container images follow the OCI image specification • This is what grants image portability across container engines • Different ways to build OCI images: • docker • podman build • buildah • KIWI • ... 33

  32. Building with docker • Start from an existing container image (the "base" image) • Write a Dockerfile • Use Dockerfile directives to: • Execute commands: most used one "RUN" -> install/build software, ... • Write image metadata • ... 34

  33. Building with podman • Start from an existing container image (the "base" image) • Write a Dockerfile • Use Dockerfile directives to: • Execute commands: most used one "RUN" -> install/build software, ... • Write image metadata • … YES – it's like the previous slide, podman is a drop-in replacement for docker open-source engine! 35

  34. Building with buildah • Can build using a simple Dockerfile • Allows more flexible build mode: • Start from existing image, create a container • Mount the container rootfs on the host • Interact with the container rootfs from the host: cp, scripts, zypper,… • Can produce small images with zero external dependencies (no need to have zypper around or in the history of the image!) 36

  35. Building with KIWI • Appliance builder used at SUSE since a long time • Steeper learning curve compared to the others • Integrates nicely with the Open Build Service: • Automatic rebuilds of the images on package updates • Automatic rebuilds of derived image after base image is updated • Note well: OBS supports also builds using special Dockerfile 37

  36. Demo 38

  37. Pre-built images • Docker HUB Community, handle with care! – • SUSE Registry (registry.suse.com) Enterprise contents, secure, verified, signed – SUSE Products (CaaS Platform, Cloud Application Platform, …) – What used to be in SLES Containers module (e.g.: Portus) – 39

  38. Interacting with SUSE registry • SUSE publishes all its product images to registry.suse.com • SUSE products will automatically download images from there • This can be done in two ways: Manifest file – Helm charts – • SUSE’s helm charts are hosted on a public helm chart repository operated by SUSE 40

  39. New world, old problems • Pulling images from an external registry can be expensive (time, bandwidth) • Pulling isn’t even possible in some scenarios (air-gapped environments) • The same applies to helm charts • RPM world had the same problems: solved with tools like SMT (more recently RMT) 41

  40. Registry mirroring • Provide our customers a way to mirror the contents of an external registry into an on-premise one • Solution available since CaaS Platform v3 • More plans to improve it over the time 42

  41. Air-gapped scenario • Most complex case • Container hosts don’t have access to the internet • Nodes must be able to pull containers from local registry • We don’t want to change names of the container images registry.suse.com/caasp:1.0 should NOT change name (eg: my-registry.acme.lan/caasp:1.0) 43

  42. Architecture air-gapped network registry.suse.com mirror.local.lan mirror.secure.lan Secured drive with registry contents node1 node2 44

  43. Helm chart mirroring • Helm charts can be downloaded using “helm-mirror” • The charts can be copied to a local HTTP server • Charts are just static files 45

  44. Container images mirroring • Use “helm-mirror” to get a list of all the images referenced by the charts • Use “skopeo sync” to download all the images: Save the images into a local USB drive – Connect the drive to a machine inside of the air-gapped network – Use skopeo sync to import all the images into a local registry – • Configure the container engine to use the local registry as a mirror of registry.suse.com → no need to re-write image names 46

  45. Container engine: mirroring support • Out of the box docker supports mirroring only for the Docker Hub • We have a patch extending that, still going through upstream review • SUSE CaaS Platform v3+ have the patch applied • CRI-O patch is under review from upstream 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
Goals for Today Learning Objective: Understanding how operating systems support containers

Goals for Today Learning Objective: Understanding how operating systems support containers

Goals for Today Learning Objective: Understanding how operating systems support containers and modern cloud computing paradigms Announcements, etc: MP4 due May 6th Get started ASAP! HW1 available! Due May 8th Just an

869 views • 29 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
The proposed containers are "Flat-pack" type. Disassembled and reduced as

The proposed containers are "Flat-pack" type. Disassembled and reduced as

CON-IMEX CONTAINERS 2009 AKAR Logistics 70 Beecham Court Owings Mills, MD 21117 USA Sophia Akar Tel: + 410-961-7232 / + 410-961-0327 Fax: + 410-356-8267 sophia@akarlogistics.com 1 / 20 GENERAL The proposed containers are

313 views • 20 slides
Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk

Fairport Containers Supporting the Charity Retail Sector www.fairportcontainers.co.uk Introductions David Porter Fairport Containers Director Steve Collinson Managing Director Fairport Containers Ltd Tam Unsworth Recycling Banks

552 views • 28 slides
Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt

Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt

Singularity - Containers for Scientific Computing ZID Workshop Michael Fink Universitt Innsbruck Innsbruck Nov 2018 Overview Preliminaries Why containers Understanding Containers vs. Virtual Machines Comparison of

482 views • 37 slides
Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende

Alm dos Containers na Nuvem QConSP - Containers & Devops 26 April 2017 Guilherme Rezende Globo.com About me Software Engineer at Globo.com/Tsuru @guilhermebr (GitHub) in/guilhermebr (LinkedIn) @gbrezende (Twitter) Agenda Cloud Native

636 views • 45 slides
100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar -

100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar -

100% Containers Powered Carpooling Maxime Fouilleul Database Reliability Engineer BlaBlaCar - Facts & Figures Infrastructure Ecosystem - 100% containers powered carpooling Todays agenda Stateful Services into containers - MariaDB as

463 views • 45 slides
Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman,

Containers, VMs, and Clouds: Containers & Clouds & VMs: OH My Oh My! Mike Coleman, Technology Evangelist Docker @mikegcoleman Who Am I? Technology evangelist at Docker Former: Puppet, VMware, MSFT, Intel, and HP First

390 views • 25 slides
SVA Health Insurance Presentation Plan Highlights and Benefits Unlimited Maximum Per Insured

SVA Health Insurance Presentation Plan Highlights and Benefits Unlimited Maximum Per Insured

SVA Health Insurance Presentation Plan Highlights and Benefits Unlimited Maximum Per Insured Person, Per Policy Year for Covered Medical Expenses. $100 Deductible Per Insured Person, Per Policy Year. Whats a deductible? A

496 views • 13 slides
Deprecating jCard in RDAP: why and how Mario Loffredo - IIT-CNR/Registro.it Gavin Brown

Deprecating jCard in RDAP: why and how Mario Loffredo - IIT-CNR/Registro.it Gavin Brown

9 th ROW - Registration Operations Workshop - June 16 th , 2020 Deprecating jCard in RDAP: why and how Mario Loffredo - IIT-CNR/Registro.it Gavin Brown CentralNIC Registry Why to deprecate jCard in RDAP ? jCard is the most frequent

490 views • 11 slides
New Business Card Request System Programmed Layout Just type in information and the layout

New Business Card Request System Programmed Layout Just type in information and the layout

New Business Card Request System Programmed Layout Just type in information and the layout will adjust . Your order is then placed and reviewed . Benefits Get your card quicker . Cost savings in printing . Adjuncts who we

416 views • 14 slides
Alumni Admission Volunteer Program College Fair Goals Increase name recognition of Kalamazoo

Alumni Admission Volunteer Program College Fair Goals Increase name recognition of Kalamazoo

College Fair Handbook Alumni Admission Volunteer Program College Fair Goals Increase name recognition of Kalamazoo College Reach a larger audience of prospective students Give basic and often introductory information about the

276 views • 8 slides
Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin

Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin

Existing game infrastructures Docker Container-based game infrastructure Evaluation Future work Conclusion Scalable and Lightweight CTF Infrastructures Using Application Containers Arvind S Raj, Bithin Alangot, Seshagiri Prabhu and

400 views • 38 slides
Operations Summary CONTAINER ARRIVAL Trucks arrive from terminals/depots with empty

Operations Summary CONTAINER ARRIVAL Trucks arrive from terminals/depots with empty

Operations Summary CONTAINER ARRIVAL Trucks arrive from terminals/depots with empty containers. Volumes range from 50-300 per day, depending on street turns or available terminal reservations. Containers are lifted off and placed

402 views • 8 slides
Part 3: Concepts and methods for designing and operating dry ports Peter Hodgkinson, Consultant

Part 3: Concepts and methods for designing and operating dry ports Peter Hodgkinson, Consultant

Capacity building seminar on planning, design, development and operation of intermodal freight interfaces, including dry ports Part 3: Concepts and methods for designing and operating dry ports Peter Hodgkinson, Consultant Transport Economist

409 views • 27 slides
INVESTOR CONFERENCE CALL October 24, 2019 1 DISCLAIMER Forward-Looking Statements Certain

INVESTOR CONFERENCE CALL October 24, 2019 1 DISCLAIMER Forward-Looking Statements Certain

THIRD QUARTER 2019 INVESTOR CONFERENCE CALL October 24, 2019 1 DISCLAIMER Forward-Looking Statements Certain statements in this presentation, other than statements of historical facts, including statements regarding our strategy, future

238 views • 20 slides

More recommend