Embed Size (px)
Citation preview
SecurityManagement Networking IntrospectionPerformance Utilization
the 7 characteristics of container-native infrastructure
herehas…
who
container?built a
container?run a
containerrun a
in production?
yeah?
you run it?where’d
in a VMyou ran it
didn’t you?
container-native!that’s not
container-nativeinfrastructure
7 characteristics of
@misterbissontweet questions to
native?Container-
containerUnit of compute
containersProvision
VMs…not
bare metalContainers run on
VMs…not in
containersPay for
VMs…not
Our simple app
Nginx
Couchbase
Node
audiofprint
Deploy that app
Nginx
Couchbase
Node
audiofprint
Nginx
Couchbase
Node
audiofprint
VM-native Container-Native
VM: 2 vCPU / 7.5GB RAM
Now scale it
CouchbaseCouchbase
Nginx Node
audiofprint
Nginx Node
audiofprint
VM: 2 vCPU / 7.5GB RAMVM: 2 vCPU / 7.5GB RAM
VM-native Container-Native
Nginx
Couchbase
Node audiofprint
Nginx
Couchbase
Node audiofprint
VM: 2 vCPU / 7.5GB RAMVM: 2 vCPU / 7.5GB RAM
What’s that bill?
VM-native 4 VMs
8 containers
$0.560/hour $403.20/month
Container-native 0 VMs
8 containers
$0.315/hour $226.66/month
have to bewhy does it
that way?
mostinfrastructure
twoscenario
pick
two:• elasticity • security • performance
pick
two:• elasticity • security • performance
pick
bare metal{
two:• elasticity • security • performance
pick
hardware virtual
machine{
container-nativeinfrastructure
threescenario
pick
three:• elasticity • security • performance
pick
bare metal
containers{
but
the kernelsupports it
only if
only if
the kernelsupports it
only if
–Docker's Jérôme Petazzoni
–Travis CI’s Sven Fuchs
not Docker’sfault
it’s
the kernel’sfault
it’s
breath for a moment
are wedoing this?
why
foundationcontainers are the
foundationnot the goal
containers are the
it didn’torphotos
happen
it didn’torphotos
happen
it doesn’torrepo
work
it doesn’tor
work
public repo
withpublic repo
1. Dockerfile 2. docker-compose.yml 3. documentation, etc…
wait
stopwait
stopwait
the audience says…
how
proprietary codein a public repo?
can i put
proprietary codei argue back
but that’s not
“For our Go microservices, we use Travis CI to run tests and to create Debian packages as build artifacts. Travis uploads these packages to S3, and then another system pulls them down, signs them, and imports them into our private Apt repository. We use FPM to create packages, and Aptly to manage our repos.”
“[W]e’ve really embraced chatops at 500px, so we've scripted the use of those tools into our beloved and loyal Hubot friend, BMO. Anyone at 500px can easily deploy the site or a microservice with a simple chat message like bmo deploy <this thing>.”
that’s1. public APIs & open source tools 2. glue code / infrastructure as code 3. secrets & configuration details
so, either1. the glue code really is proprietary 2. they didn’t have time 3. it doesn’t work 4. the secrets are baked into the code 5. it runs on pets and can’t be
deployed repeatably
so, either1. the glue code really is proprietary 2. they didn’t have time 3. it doesn’t work 4. the secrets are baked into the code 5. it runs on pets and can’t be
deployed repeatably
fix thatplease
we need1. immutable infrastructure 2. repeatable installs 3. separate config from code
container-nativemakes it possible
container-nativemakes it real
developing for
breath for a moment
promised youa list
i
the unit of computeis a container
1:
you provisioncontainers
2:
the containers runon bare metal
3:
the kernel offersreal security4:
no escapeno incursion
that means
porouscontainers
non-
the containers are protectedfrom noisy neighbors
5:
48 cores of bare metalif a single container can
dominate them all?
what’s the point of
every container getsa VNIC
6:
every container getsa VNIC
6:
(or two)
every container getsa VNIC
6:
(or three)
every container getsa VNIC
6:
(or more)
well-connected containeris a happy container
because a
You pay forcontainers
7:
You pay forcontainers
7:
(not VMs)
science fictionthis is not
state of the artthis is
availablenow
this is
actuallynot new at all
this is
container spectrum
bare metal alternatives to hardware VMs
container spectrum
infrastructure containers
container spectrum
application containers
bare metal alternatives to hardware VMs
container spectrum
Docker
infrastructure containers
container spectrum
Docker
infrastructure containers
multi-process Docker containers
container spectrum
Docker
infrastructure containersslimmed-down
infrastructure containers
container spectrum
Docker
infrastructure containers
multi-process Docker containers
slimmed-down infrastructure containers
container spectrum
Docker
infrastructure containers
multi-process Docker containers
slimmed-down infrastructure containers
they’re all
good
breath for a moment
container-nativemakes it possible
container-nativemakes it real
developing for
and
container-nativemakes it fastand
hostsno more
petsno more
lifecycleno more
management
pay foronly
what you use
breath for a moment
The best place to run containers. Making Ops simple and scalable.
SecurityManagement Networking IntrospectionPerformance Utilization
SecurityManagement Networking IntrospectionPerformance Utilization
Public Cloud Triton Elastic Container Service. We run our customer’s mission critical applications on container native infrastructure
Private Cloud Triton Elastic Container Infrastructure is an on-premise, container run-time environment used by some of the world’s most recognizable brands
SecurityManagement Networking IntrospectionPerformance Utilization
Public Cloud Triton Elastic Container Service. We run our customer’s mission critical applications on container native infrastructure
Private DataCenter Triton Elastic Container Infrastructure is an on-premise, container run-time environment used by some of the world’s most recognizable brands
it’s open source!fork me, pull me: https://github.com/joyent/sdc
how do yousecure it for
So…
bare metal?
Container anatomy
Applicationpackage
Runtimeenvironment
Container anatomy
Applicationpackage
Executiondriver
Container anatomy
Applicationpackage
LXC }Dock
er
Container anatomy
Applicationpackage
libcontainer }Dock
er
Container anatomy
Applicationpackage
appc }Rock
et
Container anatomy
Applicationpackage
runC }O
pen
Cont
ainer
Fou
ndat
ion
Container anatomy
Applicationpackage
SmartOSZone
}Dock
er o
n Tri
ton
can i run myLinux images
So…
on Triton?
yes!
Demotime
SecurityManagement Networking IntrospectionPerformance Utilization
thank you
the 7 characteristics of container-native infrastructure1. the unit of compute is a container 2. you provision containers 3. the containers run on bare metal 4. the containers are multi-tenant bare metal secure 5. every container gets its share 6. every container gets one or more VNICs 7. you pay for containers
