Navigating the Container Ecosystem
Scott Lowe, Engineering Architect, VMware, Inc.
CNA2392BE
#VMworld #CNA2392BE
VMworld 2017 Content: Not for publication or distribution
Containers and Stuff
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Why are you in this session anyway?
“…. trying to make vIC [vSphere Integrated Containers] and OpenStack work together in Nova as a first-class citizen hypervisor and with the Magnum project to provision Kubernetes clusters directly from OpenStack using vIC as the Docker backend…”
Me [WTF?]: “What's the use case? What pain point does this "stack" solve?”
“Well there is a bit of "because I can" I will not lie to you. I love OpenStack, and since Docker is "the new great thing that will save IT" playing with both looked like an interesting science project ;)”
An agenda we’ll try to follow
How we used to buy
How we buy today
What we buy today
Farmers buy this because of this
People buy this because of this
How is that possible? Why is that?
“Software is eating the world”
(aka: the value is in the software)
(And it’s giving people and organizations an edge!)
What does all this have to do with Cloud Native Apps & DevOps?
If software gives you an edge….
…then the time from “business/developer idea” to when it hits the user should tend to zero.
In other words:
Time(user enjoying experience) – Time(developer idea of said experience) → 0
How software value gets created (in the old model)
Monolithic application
“Time to user”: months / years
Very heavy manual integrations
How software value gets created (in the new model)
“Time to user”: hours / days
Small independent components… with different release cycles
End-to-end (hands-off) automation
An agenda we’ll try to follow
How software value gets created (in the old model)
Application Code
“Magic” (i.e. manual integration)
Templates / Blueprints
Production: Enterprise “Cloud” (HA / Placement / Optimization / Monitoring / Scheduling / App Life Cycle etc.)
How software value gets created (in the old model)
This is where the <beep> hits the fan
How software value gets created (in the new model)
Dev: Application Code + Templates / Blueprints (“Infrastructure as code”)
Development / Staging / Production
Ops: HA / Placement / Optimization / Monitoring / Scheduling / App Life Cycle etc., on Private Cloud and Public Clouds
How software value gets created (in the new model), with the pipeline stages overlaid:
Continuous Integration / Continuous Delivery / Continuous Deployment
If you are feeling stupid and/or behind, please don’t
An agenda we’ll try to follow
Typical “pet” application pattern
(Diagram: Infrastructure Capacity / Data and State)
Implementation of typical “pet” applications
(Diagram: Instance / State / Data)
Typical cloud-native (“cattle”) application pattern
Infrastructure Capacity: Stateless / Ephemeral / Transient / Poorly Reliable
Data and State: Stateful / Persistent / Available / Durable / Resilient
Implementation of typical cloud-native (“cattle”) applications
(Diagram: Infrastructure consumes State; State = SQL / Object Store / NoSQL)
Implementation of typical cloud-native (“cattle”) applications
(Diagram: State = SQL / Object Store / NoSQL)
In public clouds this domain is often consumed by users and provided as a managed service by the CSP (e.g. S3, RDS/Aurora, DynamoDB, etc.)
Debating how this domain is implemented on-premises is out of scope for this presentation
An agenda we’ll try to follow
Basics of containers (too basic?)
(Diagram, three stacks: Hardware / OS / App; Hardware / OS / containers each holding an App; Hardware / Hypervisor / VMs each with an OS and containers holding Apps)
The focus of this session isn’t “containers in VMs” versus “containers on bare metal”
But we do need to talk (briefly) about VMs versus bare metal
• Containers/Docker are pivoting towards optimizing application life cycle – “Docker is Microsoft Installer (aka MSI) without DLL hell” (Massimo Re Ferrè)
• Hypervisors master infrastructure optimization
• Some people see these two things as “and” (complementary)
• Some folks see them as “or” (mutually exclusive)
Docker != Containers
(Diagram: Docker Engine / Registry / Container)
$ docker build...
$ docker push...
$ docker pull...
$ docker run...
Docker (Engine) provides application life cycle capabilities
Containers provide a mechanism to instantiate the code (shipped as a Docker image)
Container is just a collection of kernel functions (cgroups, namespaces, etc.)
Docker != Containers
(Diagram: rkt / Image store / Container)
$ rkt fetch...
$ rkt run...
$ rkt list...
$ rkt run...
Docker != Containers
(Diagram: systemd / Filesystem image / Container)
$ systemd-nspawn...
$ machinectl...
$ systemctl...
$ systemd-nspawn...
Docker != Containers
(Diagram: LXD / Image remote / Container)
$ lxc image...
$ lxc launch...
$ lxc list...
$ lxc stop...
Dockerfile (the magic of Docker)
# Base image: a small Alpine Linux release
FROM alpine:3.2
MAINTAINER Massimo Re Ferrè [email protected]
# created from sample: https://blog.codeship.com/build-minimal-docker-container-ruby-apps/
# Install the tools the helper script needs, then drop the package cache to keep the image small
RUN apk update && apk upgrade && apk add curl wget bash
RUN rm -rf /var/cache/apk/*
# Fetch the govc (govmomi) CLI, unpack it and put it on the PATH
RUN wget https://github.com/vmware/govmomi/releases/download/v0.6.0/govc_linux_amd64.gz
RUN gzip -d govc_linux_amd64.gz
RUN chmod +x govc_linux_amd64
RUN mv govc_linux_amd64 /usr/local/bin/govc
# Add the VIC installer helper script; the container starts a shell with it sourced
COPY vicinstallershell.sh /
RUN chmod +x /vicinstallershell.sh
CMD source '/vicinstallershell.sh';'bash'
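The slide's Dockerfile installs a binary downloaded from the internet without checking it and runs everything as root. The variant below is an added example (not from the slide, the VIC project or govmomi): it pins the govc version behind a build argument, refuses to install the archive unless its SHA-256 matches a checksum supplied at build time, collapses the install into one layer, and runs the interactive shell as an unprivileged user. It assumes vicinstallershell.sh sits beside the Dockerfile and needs no root; GOVC_SHA256 is a placeholder to be taken from the govmomi release page.

```dockerfile
FROM alpine:3.2
# MAINTAINER is deprecated; LABEL carries the same information (placeholder address)
LABEL maintainer="placeholder@example.com"

# Release to install and its expected checksum. GOVC_SHA256 has no default on
# purpose: pass --build-arg GOVC_SHA256=<sha256 of govc_linux_amd64.gz from the
# release page>; without it the checksum comparison below fails and the build stops.
ARG GOVC_VERSION=v0.6.0
ARG GOVC_SHA256

# One layer: install tools, fetch govc over TLS, verify the archive before it is
# unpacked or executed, install it, then remove the download and the apk cache.
RUN apk update && apk upgrade && apk add curl wget bash \
 && wget -O /tmp/govc.gz "https://github.com/vmware/govmomi/releases/download/${GOVC_VERSION}/govc_linux_amd64.gz" \
 && echo "${GOVC_SHA256}  /tmp/govc.gz" | sha256sum -c - \
 && gzip -d /tmp/govc.gz \
 && install -m 0755 /tmp/govc /usr/local/bin/govc \
 && rm -rf /tmp/govc /var/cache/apk/*

# Helper script from the slide (assumed to be next to this Dockerfile):
# executable by everyone, writable only by root, so the runtime user cannot alter it.
COPY vicinstallershell.sh /vicinstallershell.sh
RUN chmod 0755 /vicinstallershell.sh \
 && adduser -D -u 10001 vicuser

# Drop root before anything interactive runs.
USER vicuser
WORKDIR /home/vicuser

# Exec form avoids the implicit /bin/sh -c wrapper; bash sources the helper,
# then exec replaces itself with the interactive shell the user gets.
CMD ["bash", "-c", "source /vicinstallershell.sh; exec bash"]
```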
The Dockerfile is usually checked in to source control (Git or GitHub)
Why are containers (& Docker, specifically) gaining momentum?
• Fast to start (sub-second)
• Lean/small self-contained environments
• DevOps-oriented self-service authoring (e.g. Dockerfile)
• Ease of sharing (public/private registries)
• Infrastructure agnostic (move transparently from laptop to on-premises to public cloud)
• 1 container = 1 process (ideal to de-construct the monolith)
These characteristics are a great fit for a) cloud-native apps, and b) DevOps
However, this is a really fast-moving space…
Moving away from “monolithic” Docker
• Not only is the container ecosystem changing, Docker itself is rapidly evolving
– Container runtime (runC) spun out in 2015 as part of Open Container Initiative (OCI)
– Container daemon (containerd) spun out in 2017, picked up by CNCF
• Docker open source project renamed to Moby
– Docker CE (Community Edition) and Docker EE (Enterprise Edition) are now “downstream” projects of Moby
But wait, there’s more…
• New standards are emerging (OCI image spec and OCI runtime spec both recently released 1.0)
• Alternative container runtimes are emerging
– rkt, originally introduced by CoreOS
– Railcar (OCI-compliant runtime) recently released by Oracle
• Distinction between VMs and containers is blurring
– runV (OCI-compliant hypervisor-based container runtime)
– Intel Clear Containers
– Support for Hyper-V isolation in Docker (using --isolation hyper-v flag)
Hypervisor isolation for containers
• Is it a container, or is it a VM? Both!
• Numerous examples emerging:
– rkt has a KVM-based Stage1 image that leverages KVM when launching a container
– runV supports the use of KVM, Xen, and VirtualBox for enhanced isolation of OCI-compliant containers
– HyperContainer is a Docker-specific implementation of runV
– Support for Hyper-V isolation for Docker containers on Windows (via the --isolation hyper-v flag)
– vSphere Integrated Containers (VIC) Engine leverages vSphere isolation for containers
– Intel Clear Containers brings Intel VT support for Linux containers
– The “virtcontainers” project aims to build a common Go library for adding hypervisor isolation to container runtimes (unifying Clear Containers, runV, rkt’s KVM Stage1, for example)
• The distinction between container and VM is becoming less and less clear
Speaking of VIC…
• VIC Engine IS NOT ABOUT “Should I run Docker Hosts on VMs or on bare metal?”
– This is totally another discussion (orthogonal to VIC Engine)
• VIC Engine IS NOT ABOUT “VMs are better than containers!”
– As evidenced by all the projects, the rest of the industry clearly recognizes the value of hypervisor isolation for containers
• VIC Engine IS ABOUT “What’s the provisioned element of docker run?”
Docker != Containers (simplified view)
(Diagram: Docker Engine / Registry; the provisioned element can be a Container, a Unikernel or a VM)
$ docker build...
$ docker push...
$ docker pull...
$ docker run...
An agenda we’ll try to follow
What do container management solutions (attempt to) do?
https://twitter.com/mfdii/status/697532387240996864
A picture of the container management industry landscape
(Landscape diagram; labelled element: Docker Engine)
Some (but not all of the) random names you may have heard
• Software users can deploy on-premises or off-premises (managed by the users):
– VMware Admiral
– Kubernetes
– Mesos/Marathon
– Docker Enterprise Edition (EE)
– Rancher
• AWS ECS (EC2 Container Service): proprietary solution delivered as a service (partially managed by AWS)
• Google Container Engine (GKE): Kubernetes delivered as a service (managed by Google)
• Microsoft Azure Container Service: automated Mesosphere/Swarm deployment (managed by the users)
Peak of Confusion? What Confusion?
https://twitter.com/joyent/status/697549725319483392
These tools are also evolving quickly
• Take Kubernetes, for example
• CRI (Container Runtime Interface) aims to “decouple” Kubernetes from Docker and rkt
– CRI-O (CRI plugin for OCI-compliant runtimes, like runC)
– rktlet (CRI plugin for rkt)
– Docker CRI shim (CRI plugin for Docker)
– Frakti (CRI plugin for HyperContainer)
• KubeVirt project aims to allow Kubernetes to manage VMs
Container management complexity just got squared
As if “x is better than y” was not enough…
…welcome to the saga of “You can run y on top of x”
Swarm on Mesos
Kubernetes on Mesos
Marathon on Swarm
This is the gold rush
An agenda we’ll try to follow
In Conclusion…
• In the last 60 minutes we just scratched the surface
– Skipping lots of stuff and details
• Yes, it is complicated (and messy)
– But it’s also an opportunity to innovate within your organization
– Be that champion!
• Our job (at VMware) is to try to make all this as easy as possible
– Your job is to break out of your comfort zone
• Don’t panic…this is a marathon, not a sprint
– That being said, you should start sooner rather than later!