• Home

  • Documents

  • Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker...
18
1 Xen Containers: Better way to run Docker Containers Sainath Grandhi [email protected] Contributions: Jun Nakajima

Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

  • Upload
    others

  • View
    27

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

1

Xen Containers: Better way to run Docker Containers

Sainath Grandhi

[email protected]

Contributions: Jun Nakajima

Page 2: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

2

Motivation

“Containers” being adopted for application development/deploying

Containers looked upon as lightweight alternative for traditional VMs

VMs offer stronger application isolation

Benefits of VMs can be reaped if they are made lightweight and run like containers

Page 3: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

3

Agenda

Containers

Xen Containers

Numbers

Next Steps

Page 4: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

4 4

Host OS

Cgroups Namespaces Union FS

Application

Libraries

Middleware

Container A

Application

Libraries

Middleware

Container C

Application

Libraries

Middleware

Container D

Application

Libraries

Middleware

Container B

Namespaces Namespaces Namespaces

Server Hardware

Page 5: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

5

Docker Containers

Running

• docker run/create/stop

Building

• docker build

Packaging

• docker push/pull/commit

Docker – a one stop solution for running, building and packaging containers

Host OS

Dockerclient

Docker daemon

Docker image

Docker command

Parent/child

Cgroups Namespaces Union FS

Application

Libraries

Middleware

Container A

Page 6: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

6

Bare metal containers - Isolation

Isolation provided by Host OS

Security compromised kernel can be exploited by malicious images/applications for namespace intrusion

Enabling cgroups and namespaces in the kernel increases the kernel attack surface

Malicious public images

Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilitieshttp://www.banyanops.com/blog/analyzing-docker-hub/

Multi-tenant Cloud Providers

Google: “we see the VM as the only truly safe isolation.… Until we see foolproof security for containers, we will always double-bag our customers' workloads”http://www.informationweek.com/cloud/infrastructure-as-a-

service/google-docker-does-containers-right/d/d-id/1319146

Application

Libraries

Middleware

Container A

Application

Libraries

Middleware

Container B

Namespaces

http://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/
http://www.informationweek.com/cloud/infrastructure-as-a-
Page 7: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

7

Agenda

Containers

Xen Containers

Numbers

Next Steps

Page 8: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

8

Containers

8

Host OS

Cgroups Namespaces Union FS

Application

Libraries

Middleware

Container A

Application

Libraries

Middleware

Container C

Application

Libraries

Middleware

Container D

Application

Libraries

Middleware

Container B

Namespaces Namespaces Namespaces

Server Hardware

Page 9: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

9

VM Containers

9

Host OS/Dom0

Cgroups Union FS

Application

Libraries

Middleware

VMContainer

Application

Libraries

Middleware

Server Hardware

Hypervisor

VMContainer

VM

Application

Libraries

Middleware

Application

Libraries

Middleware

Container A Container B

Page 10: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

10

Xen PVH Containers

• VM containers good for multi-tenant cloud providers

Group containers from a tenant onto a VM

• Great infrastructure in place for guest isolation

• PVH for app containers

Boot to guest kernel in protected mode

PV performance for disk and network

Hardware virtualized performance for CPU and memory

• Why PVH (vs. HVM)

No dependence on QEMU

No BIOS

Faster Boot time

Page 11: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

11

Xen Containers with Docker

Server Hardware

Hypervisor

User

Xen-blkback

Xen-netback

Dom0

Kernel Docker storage devices

Docker client

Docker Daemon

PVH DomU

Kernel

User

Xen-blkfront

Xen-netfront

Container Root device

Init

Application

vNIC

PVH DomU

Page 12: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

12

Xen Containers with Docker – Guest Anatomy

Minimal Kernel

Minimally configured kernel

Init

Init service to mount application rootfs and configure network

Storage

Docker container volume as rootfs

Networking

Docker subnet IP and docker bridge gateway

Kernel

User

Xen-blkfront

Xen-netfront

Container Root device

Init

Application

vNIC

PVH DomU

Page 13: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

13

Xen Containers with Docker – Guest Configuration

Storage

Docker devicemapperstorage backend – container volume

Application path

Application path from docker run/exec command

Network IP

DHCP/docker subnet for interoperability with dockercontainers

Dom0Docker host

docker run ubuntu

/bin/bash

PVH

DomU

i

n

i

t

k

e

r

n

e

l

ApplicationContainer

block device

/bin/bashIP:172.17.

xx.xx

Page 14: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

14

Agenda

Containers

Xen Containers

Numbers

Next Steps

Page 15: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

15

Numbers

PVH HVM Comments

Domain Creation

224 184 Time spent by xl toolstack to setup domain

To drop into container shell

1380 2503 Time taken to boot the minimal kernel and drop into shell from container rootfs

Guest Memory Used – 16MB

Config:Host GuestXeon® CPU E5-2699 v3 Memory – 128MBMemory – 60GB vCPU - 1Dom0 Memory – 4GB Dom0 vCPUs – 8

Page 16: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

16

Agenda

Containers

Xen Containers

Numbers

Next Steps

Page 17: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

17

Next Steps

Docker Volumes

PV VirtFS for supporting docker volumes

Pods (Multiple applications in a VM)

Leverage systemd as the init service inside VM to resource control multiple applications

Page 18: Xen Containers: Better way to run Docker Containers5 Docker Containers Running • docker run/create/stop Building • docker build Packaging • docker push/pull/commit Docker –a

Q & A


Monitoring Docker containers - Docker NYC Feb 2015

Monitoring Docker containers - Docker NYC Feb 2015

Technology
LXC, Docker, security: is it safe to run applications in Linux Containers?

LXC, Docker, security: is it safe to run applications in Linux Containers?

Technology
Docker containers : introduction

Docker containers : introduction

Software
WebNN Server CPU - Washington State University · Docker allows Containers to run on multiple operating systems. Docker also provides methods to isolated the Containers into a few

WebNN Server CPU - Washington State University · Docker allows Containers to run on multiple operating systems. Docker also provides methods to isolated the Containers into a few

Documents
Docker Containers in Azure

Docker Containers in Azure

Software
CI/CD @ bol · Gitlab CI Build docker images Google Container Registry Spinnaker Store docker images Deploy dockerized apps Kubernetes Run docker containers More developer control

CI/CD @ bol · Gitlab CI Build docker images Google Container Registry Spinnaker Store docker images Deploy dockerized apps Kubernetes Run docker containers More developer control

Documents
Monitoramento de containers Docker

Monitoramento de containers Docker

Technology
Containers and Docker - people.redhat.compeople.redhat.com/.../presentations/sept2014/ContainersAndDocker.pdf · 35 Docker 101 Working with existing containers. $> docker start httpd_container

Containers and Docker - people.redhat.compeople.redhat.com/.../presentations/sept2014/ContainersAndDocker.pdf · 35 Docker 101 Working with existing containers. $> docker start httpd_container

Documents
Docker containers

Docker containers

Software
Containers and Security Serverless Applications, · How a container is born Dockerfile Docker Image Docker Containers builds a generates Dockerfile FROM ubuntu:14.04 RUN apt-get update

Containers and Security Serverless Applications, · How a container is born Dockerfile Docker Image Docker Containers builds a generates Dockerfile FROM ubuntu:14.04 RUN apt-get update

Documents
Run Docker Containers. In Production. Today. by Guido Appenzeller, VMware

Run Docker Containers. In Production. Today. by Guido Appenzeller, VMware

Technology
Containers com docker #CPRecife4

Containers com docker #CPRecife4

Internet
Docker Containers - sinog.si · Dockerization of applications GITHUB (GitLab) DOCKER BUILD DOCKERHUB (Docker Registry) DOCKER RUN FROM ubuntu RUN apt-get update RUN apt-get -y install

Docker Containers - sinog.si · Dockerization of applications GITHUB (GitLab) DOCKER BUILD DOCKERHUB (Docker Registry) DOCKER RUN FROM ubuntu RUN apt-get update RUN apt-get -y install

Documents
Docker Buenos Aires - microservices using relocatable docker containers

Docker Buenos Aires - microservices using relocatable docker containers

Technology
CRI Runtimes: Who @estesp is running my pod? · 2019-12-21 · Docker Captain, containerd maintainer @estesp. @estesp Docker Containers $ docker run redis $ docker ps $ docker stop

CRI Runtimes: Who @estesp is running my pod? · 2019-12-21 · Docker Captain, containerd maintainer @estesp. @estesp Docker Containers $ docker run redis $ docker ps $ docker stop

Documents
Providing reproducible user experience using Docker containers · Starting a container using the ‘docker run’ command Here is what happens when you run the image and generate

Providing reproducible user experience using Docker containers · Starting a container using the ‘docker run’ command Here is what happens when you run the image and generate

Documents
Docker Container - cpl.thalesgroup.com · CHAPTER 1: Introduction Docker makes it easier to create, deploy and run applications by using containers. Containers allow a developer to

Docker Container - cpl.thalesgroup.com · CHAPTER 1: Introduction Docker makes it easier to create, deploy and run applications by using containers. Containers allow a developer to

Documents
Building Docker Containers @ Scale

Building Docker Containers @ Scale

Engineering
Recent Developments in Free Medical Imaging Software · 2019. 12. 17. · Docker/DockerHub •docker run jodogne/orthanc Vagrant/VirtualBox ... Available on Docker containers. Dicoogle

Recent Developments in Free Medical Imaging Software · 2019. 12. 17. · Docker/DockerHub •docker run jodogne/orthanc Vagrant/VirtualBox ... Available on Docker containers. Dicoogle

Documents
Docker Martin Meyer 2014-12-18. Agenda What is Docker? –Docker vs. Virtual Machine –History, Status, Run Platforms –Hello World Images and Containers

Docker Martin Meyer 2014-12-18. Agenda What is Docker? –Docker vs. Virtual Machine –History, Status, Run Platforms –Hello World Images and Containers

Documents
Using Docker and Singularity - Inserm€¦ · Same idea of Docker : images and containers Same functionalities than Docker Somehow less confined No need to be sudo to run containers

Using Docker and Singularity - Inserm€¦ · Same idea of Docker : images and containers Same functionalities than Docker Somehow less confined No need to be sudo to run containers

Documents
Docker 101 - all about Docker containers

Docker 101 - all about Docker containers

Software
About the Tutorial - tutorialspoint.com · Docker for Windows - It allows one to run Docker containers on the Windows OS. Docker Engine – It is used for building Docker images and

About the Tutorial - tutorialspoint.com · Docker for Windows - It allows one to run Docker containers on the Windows OS. Docker Engine – It is used for building Docker images and

Documents
IPVS for Docker Containers

IPVS for Docker Containers

Technology
Replacing Docker With Podman · runc default implementation of OCI Runtime Spec (Same tool Docker uses to run containers) Standard Way to setup networking for containers Container

Replacing Docker With Podman · runc default implementation of OCI Runtime Spec (Same tool Docker uses to run containers) Standard Way to setup networking for containers Container

Documents
Docker in the real world - sddconf.com · What are Docker containers? •Containers are runtime environments. You usually run one main process in one Docker container. •Docker containers

Docker in the real world - sddconf.com · What are Docker containers? •Containers are runtime environments. You usually run one main process in one Docker container. •Docker containers

Documents
Containers - docs.freitagsrunde.org · Docker Client docker build Build an image from a Dockerfile docker exec Run a command in a running container docker inspect Return low-level

Containers - docs.freitagsrunde.org · Docker Client docker build Build an image from a Dockerfile docker exec Run a command in a running container docker inspect Return low-level

Documents
Docker and Containers overview - Docker Workshop

Docker and Containers overview - Docker Workshop

Technology
TX-2016.TIER New and Next - Internet2 · • Docker containers • Virtual machine images to run the containers • Focus on automation tools • Build containers and VMs ... TIER

TX-2016.TIER New and Next - Internet2 · • Docker containers • Virtual machine images to run the containers • Focus on automation tools • Build containers and VMs ... TIER

Documents
runC: The little engine that could (run Docker containers) by Docker Captain Phil Estes

runC: The little engine that could (run Docker containers) by Docker Captain Phil Estes

Technology