Before We Get Started
YES! This session is being recorded
• You can access the video anytime on YouTube
Questions and comments
• Enter them into the Q&A window
• We will answer at the end of the session
Containers Demystified
Life cycle of your applications and security
[Figure, shown in four steps: a phone-like host system running the system libraries, a UI framework, a Navigation application and a Dashboard application; the Dashboard is replaced by a container built with Altia]
New version of your Dashboard using Altia?
Containers come packaged up with everything they need.
Atomic update of your container!
The new container is not working properly? Just roll back to the former version!
What is a container?
[Figure: container isolation. Source: Freedom Penguin. The container carries its own file system and libraries for Application 1, next to the host system's file system and libraries; both sit on the shared Linux kernel and hardware]
Virtual Machine versus Container
[Figure: a container (Application 1 and its libraries sharing the host Linux kernel) next to a virtual machine (Application 1, its libraries and its own Linux kernel above a hypervisor), both on the same hardware. Each criterion below was rated graphically for Container and VM on the slide]
• Performance:
• Size:
• Security:
Namespace
[Figure: Container 1, Container 2 and Container 3, each with its own network interface, process ID namespace and cgroup namespace]
Wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
Source: https://lwn.net/Articles/531114/
Control Groups
[Figure: Container 1 limited by control groups to < 20% of the process scheduler, < 100MB from the memory manager and < 10MB/s on the network interface]
Fine-grained control over allocating, prioritizing, denying and managing system resources
[Figure: the same container exceeding its memory limit (> 100MB)]
Out Of Memory from Cgroups will kill your container. One container equals one application!
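As an added example (not part of the slides), a small POSIX shell check that reads the cgroup v2 memory files of one container and reports whether it is close to its memory limit or has already been OOM-killed; the directory layout, the 80% threshold and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): check a cgroup v2 memory controller
# for a container that is close to, or has already hit, its memory limit.
# DIR stands in for /sys/fs/cgroup/<container> on a cgroup v2 host; the
# file names memory.max, memory.current and memory.events are the kernel's.

# cgroup_mem_check DIR [THRESHOLD_PCT]
# exit 0: below threshold and never OOM-killed
# exit 1: usage at or above THRESHOLD_PCT (default 80) of memory.max
# exit 2: the OOM killer has already killed a task in this cgroup
cgroup_mem_check() {
    dir=$1
    threshold=${2:-80}
    limit=$(cat "$dir/memory.max")          # bytes, or "max" when unlimited
    current=$(cat "$dir/memory.current")    # bytes in use right now
    # memory.events holds "key value" lines; oom_kill counts killed tasks
    oom_kills=$(awk '$1 == "oom_kill" { print $2 }' "$dir/memory.events")
    oom_kills=${oom_kills:-0}

    if [ "$oom_kills" -gt 0 ]; then
        echo "$dir: OOM killer fired $oom_kills time(s); container was killed"
        return 2
    fi
    if [ "$limit" = "max" ]; then
        echo "$dir: no memory limit set, ${current} bytes in use"
        return 0
    fi
    pct=$(( current * 100 / limit ))
    echo "$dir: ${pct}% of ${limit} bytes in use"
    [ "$pct" -lt "$threshold" ]
}

# make_fake_cgroup DIR LIMIT CURRENT OOM_KILLS
# Writes constructed sample files mirroring the cgroup v2 layout, so the
# check can be exercised without root or a real container (constructed data).
make_fake_cgroup() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/memory.max"
    printf '%s\n' "$3" > "$1/memory.current"
    printf 'low 0\nhigh 0\nmax 0\noom 0\noom_kill %s\n' "$4" > "$1/memory.events"
}

tmp=$(mktemp -d)
make_fake_cgroup "$tmp/dashboard"  104857600 52428800  0   # 100MB limit, half used
make_fake_cgroup "$tmp/navigation" 104857600 104857600 1   # limit hit, killed once
cgroup_mem_check "$tmp/dashboard"  || echo "dashboard rc=$?"
cgroup_mem_check "$tmp/navigation" || echo "navigation rc=$?"
rm -r "$tmp"
```

On a real cgroup v2 host the same function can be pointed at the container's directory under /sys/fs/cgroup; a non-zero oom_kill count is the trace left behind when the memory limit from the slide is exceeded.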
Security
[Figure: Container 1 on the host system, surrounded by cgroups, MAC, seccomp, namespaces and rootless. Source: pixabay.com/]
• Cgroups limit resource access
• Namespaces virtualize access to resources
• Seccomp limits access to system calls
• Mandatory Access Control policy
• Rootless containers
Open Container Initiative
Source: DockerCon 2016 + Wikipedia
• Open industry standards around container format and runtime
• More than 13 different implementations of container runtimes!
• 2 independent implementations:
✓ runc (used by Docker)
✓ RailCar (developed by Oracle)
Containers on Embedded System
[Figure: the container runtime on its own filesystem; App1 and App2 each packaged with Shared Libraries 1 and Shared Libraries 2 on their own filesystems, labelled "Your containers"]
One file system including the minimum necessary to run your container runtime
How can we help?
Source: pixabay.com/
• Generate your containers
• Secure your containers
• Sign your containers
• Transfer your containers
• Roll back your containers
©2017 Witekio & Subsidiaries. All Rights Reserved. This document and the information it contains is confidential and remains the property of our company. It may not be copied or communicated to a third party or used for any purpose other than that for which it is supplied without the prior written consent of our company.
Thank you