Docker and OpenStack Boston Meetup

In this talk we will discuss how to build and run containers without root privileges. As part of the discussion, we will introduce new programs like fuse-overlayfs and slirp4netns and explain how it is possible to do this using user namespaces. fuse-overlayfs allows to use the same storage model as "root" containers and use layered images. slirp4netns emulates a TCP/IP stack in userland and allows to use a network namespace from a container and let it access the outside world (with some limitations). We will also introduce Usernetes, and how to run Kubernetes in an unprivileged user namespace https://sched.co/Jcgg

Join containerd maintainers and reviewers in a combined introduction and deep dive session. They will discuss the overview and the recent updates of containerd as well as how it is being used by Kubernetes, Docker and other container-based systems. The brief introduction about its architecture and service design will be included. The talk will also deep dive into how to leverage contained by extending and customizing it for your use case with low-level plugins like remote snapshotters, as well as by implementing your own containerd client. Upcoming features and recent discussion in containerd community will also be covered. - - - https://kccnceu2021.sched.com/event/iE6v/introduction-and-deep-dive-into-containerd-kohei-tokunaga-akihiro-suda-ntt-corporation?iframe=no

Docker containers provide significantly lower resource usage and higher density than traditional virtual machines when running multiple workloads concurrently on a server. When booting 15 Ubuntu VMs with MySQL sequentially, Docker containers boot on average 3.5 seconds compared to 5.8 seconds for KVMs. During steady state operation of 15 active VMs, Docker uses on average 0.2% CPU and 49MB RAM per container, while KVMs use 1.9% CPU and 292MB RAM each. Docker maintains low 1-minute load averages of 0.15, while KVMs average 35.9% under load.

Lors de cette présentation, nous allons dans un premier temps rappeler la spécificité de docker par rapport à une VM (PID, cgroups, etc) parler du système de layer et de la différence entre images et instances puis nous présenterons succinctement kubernetes. Ensuite, nous présenterons un processus « standard » de propagation d’une version CI/CD (développement, préproduction, production) à travers les tags docker. Enfin, nous parlerons des différents composants constituant une application docker (base-image, tooling, librairie, code). Une fois cette introduction réalisée, nous parlerons du cycle de vie d’une application à travers ses phases de développement, BAU pour mettre en avant que les failles de sécurité en période de développement sont rapidement corrigées par de nouvelles releases, mais pas nécessairement en BAU où les releases sont plus rares. Nous parlerons des diverses solutions (jfrog Xray, clair, …) pour le suivie des automatique des CVE et l’automatisation des mises à jour. Enfin, nous ferons un bref retour d’expérience pour parler des difficultés rencontrées et des propositions d’organisation mises en oeuvre. Cette présentation bien qu’illustrée par des implémentations techniques est principalement organisationnelle.

Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more.

An introduction to Docker and docker-compose. Starting from single docker run commands we discover docker file basics, docker-compose basics and finally we play around with scaling containers in docker-compose.

Rootless containers allow users to run containers without root privileges by leveraging user and namespace isolation techniques. While rootless containers mitigate some security risks, there are still unresolved issues around sub-user management, networking, and adoption by runtimes and image builders. Rootless containers also cannot prevent all attacks if a container is broken out of. Container runtimes are working to improve support for rootless containers to further enhance security.

This document discusses various lies and forms of virtualization that are commonly used in computing. It begins by summarizing different virtualization technologies used at Joyent like zones, SmartOS, and Triton. It then discusses lies told at different layers of the stack, from virtual memory to network virtualization. Some key lies discussed include hyperthreading, paravirtualization, hardware virtual machines, Docker containers, filesystem virtualization techniques, and network virtualization. The document argues that many of these lies are practical choices that improve performance and workload density despite not perfectly representing the underlying hardware. It concludes by acknowledging the need to be mindful of security issues but also not to stop lying at the edge of the compute node.

This document provides an overview of Docker and Kubernetes concepts and demonstrates how to create and run Docker containers and Kubernetes pods and deployments. It begins with an introduction to virtual machines and containers before demonstrating how to build a Docker image and container. It then introduces Kubernetes concepts like masters, nodes, pods and deployments. The document walks through running example containers and pods using commands like docker run, kubectl run, kubectl get and kubectl delete. It also shows how to create pods and deployments from configuration files and set resource limits.

Kubernetes supports several security mechanisms such as Seccomp, Apparmor, SELinux, and runAsUser for protecting the hosts from container-breakout attacks. However, these mechanisms are not sufficient for the security demand because Kubelet and CRI/OCI runtimes require the root privileges on the hosts, and these components are seriously bug-prone. The dependency on the root privileges has been also problematic for promoting Kubernetes to the HPC world, where users are often disallowed to install software as the root. In this talk, Akihiro and Giuseppe will show the community’s ongoing work for making Kubernetes deployable and runnable as a non-root user, by using User Namespaces. The main topics of discussion will be UID/GID mapping, unprivileged Copy-on-Write filesystems, Usermode networking (Slirp), and Cgroups. https://fosdem.org/2019/schedule/event/containers_k8s_rootless/

This document discusses Linux containers and Docker. It describes how Linux containers provide isolation using namespaces and cgroups to allow applications to run consistently across different environments. Docker builds on Linux containers to make them easy to use, create, share, and deploy. Docker allows building images from Dockerfiles, sharing images in registries, and developing hybrid cloud workflows. The document outlines Docker's roadmap and growing ecosystem of tools and projects building on Docker.

https://fosdem.org/2020/schedule/event/containers_lazy_image_distribution/ The biggest problem of the OCI Image Spec is that a container cannot be started until all the tarball layers are downloaded, even though more than 90% of the tarball contents are often unneeded for the actual workload. This session will show state-of-the-art alternative image formats, which allow runtime implementations to start a container without waiting for all its image contents to be locally available. Especially, this session will put focus on CRFS/stargz and its implementation status in containerd (https://github.com/containerd/containerd/issues/3731). The plan for BuildKit integration will be shown as well.

Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without the host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerability of the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain the introduction to rootless containers and deep-dive topics about the recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well. https://sched.co/fGWc

Learn the basics of Docker and Kubernetes before applying these complementary tools to deploy containers on Google Cloud Platform (GCP).

http://sched.co/EaYe Until recently, running `docker build` against Dockerfile had been the only way to build container images. However, lots of opensource software are being proposed as successors/alternatives to `docker build`: - BuildKit (Moby Project / Docker) - img (Jessica Frazelle / Microsoft) - Buildah (Project Atomic / Red Hat) - umoci & Orca (SUSE) - Bazel (Google) - OpenShift S2I (Red Hat) Akihiro Suda compares these new tools' advantages and disadvantages. His evaluation basis would include but not be limited to: - Performance (Cache efficiency, Concurrency, Distributed Execution) - Secret management, e.g. SSH and AWS keys - Support for non-Dockerfile - Non-root execution - UI & UX - Governance of the community He also proposes a unified interface for using these tools with Kubernetes in a vendor-neutral way.

Overview of the Docker ecosystem and orchestration systems, and how to make them run on Microsoft Azure.

nerdctl is a Docker-compatible CLI for containerd that provides the same UI/UX as Docker and Docker Compose. It supports features like lazy pulling via Stargz and encrypted images via OCIcrypt that are not yet available in Docker. While containerd includes ctr and crictl for debugging, nerdctl aims to be a full-featured CLI for container and image management with Docker-like usability. It can run on Linux, macOS via Lima virtual machines, and is working on native Windows support.