This document discusses using Docker containers with OpenStack for application deployment. It begins with an introduction to Docker, describing its growth in usage and integration with various tools. Docker is presented as a solution to issues around deploying applications across different environments and hardware by providing lightweight, portable containers that package code and dependencies. The document demonstrates how Docker can be used with OpenStack through a new hypervisor that allows OpenStack to deploy and manage Linux containers, enabling control of Docker through the OpenStack dashboard. It outlines some benefits of Docker combined with OpenStack and the current state of the related OpenStack project.
The document discusses Docker on various operating systems including Linux, Windows, and Mac OS X. It provides an overview of using Docker Toolbox versus installing Docker natively. When using Docker natively, it installs the Docker client, engine, compose and other tools directly onto the operating system leveraging native virtualization capabilities for improved performance compared to Docker Toolbox. However, the native versions are currently in beta with some limitations like only allowing one Linux virtual machine on Windows Hyper-V.
Docker containers provide significantly lower resource usage and higher density than traditional virtual machines when running multiple workloads concurrently on a server. When booting 15 Ubuntu VMs with MySQL sequentially, Docker containers boot in 3.5 seconds on average compared to 5.8 seconds for KVM guests. During steady-state operation of 15 active instances, Docker uses on average 0.2% CPU and 49MB RAM per container, while KVM guests use 1.9% CPU and 292MB RAM each. Docker maintains a low 1-minute load average of 0.15, while KVM guests average 35.9% under load.
Join containerd maintainers and reviewers in a combined introduction and deep-dive session. They will discuss the overview and the recent updates of containerd as well as how it is being used by Kubernetes, Docker and other container-based systems. A brief introduction to its architecture and service design will be included. The talk will also deep dive into how to leverage containerd by extending and customizing it for your use case with low-level plugins like remote snapshotters, as well as by implementing your own containerd client. Upcoming features and recent discussion in the containerd community will also be covered. https://kccnceu2021.sched.com/event/iE6v/introduction-and-deep-dive-into-containerd-kohei-tokunaga-akihiro-suda-ntt-corporation?iframe=no
In this presentation, we will first recall what distinguishes Docker from a VM (PID, cgroups, etc.), discuss the layer system and the difference between images and instances, and then briefly present Kubernetes. Next, we will present a "standard" process for promoting a release through CI/CD (development, pre-production, production) using Docker tags. Finally, we will cover the different components that make up a Docker application (base image, tooling, libraries, code). After this introduction, we will discuss the life cycle of an application through its development and BAU (business-as-usual) phases, to highlight that security flaws found during development are quickly corrected by new releases, but not necessarily in BAU, where releases are rarer. We will discuss the various solutions (JFrog Xray, Clair, ...) for automated CVE tracking and for automating updates. Finally, we will give a brief account of our experience, covering the difficulties encountered and the organizational measures put in place. Although illustrated with technical implementations, this presentation is mainly organizational.
Rootless containers allow users to run containers without root privileges by leveraging user and namespace isolation techniques. While rootless containers mitigate some security risks, there are still unresolved issues around sub-user management, networking, and adoption by runtimes and image builders. Rootless containers also cannot prevent all attacks if a container is broken out of. Container runtimes are working to improve support for rootless containers to further enhance security.
Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more.
This document discusses various lies and forms of virtualization that are commonly used in computing. It begins by summarizing different virtualization technologies used at Joyent like zones, SmartOS, and Triton. It then discusses lies told at different layers of the stack, from virtual memory to network virtualization. Some key lies discussed include hyperthreading, paravirtualization, hardware virtual machines, Docker containers, filesystem virtualization techniques, and network virtualization. The document argues that many of these lies are practical choices that improve performance and workload density despite not perfectly representing the underlying hardware. It concludes by acknowledging the need to be mindful of security issues but also not to stop lying at the edge of the compute node.
This document provides an overview of Docker and Kubernetes concepts and demonstrates how to create and run Docker containers and Kubernetes pods and deployments. It begins with an introduction to virtual machines and containers before demonstrating how to build a Docker image and container. It then introduces Kubernetes concepts like masters, nodes, pods and deployments. The document walks through running example containers and pods using commands like docker run, kubectl run, kubectl get and kubectl delete. It also shows how to create pods and deployments from configuration files and set resource limits.
An introduction to Docker and docker-compose. Starting from single docker run commands, we discover Dockerfile basics, docker-compose basics and finally we play around with scaling containers in docker-compose.
https://fosdem.org/2020/schedule/event/containers_lazy_image_distribution/ The biggest problem of the OCI Image Spec is that a container cannot be started until all the tarball layers are downloaded, even though more than 90% of the tarball contents are often unneeded for the actual workload. This session will show state-of-the-art alternative image formats, which allow runtime implementations to start a container without waiting for all its image contents to be locally available. Especially, this session will put focus on CRFS/stargz and its implementation status in containerd (https://github.com/containerd/containerd/issues/3731). The plan for BuildKit integration will be shown as well.
Kubernetes supports several security mechanisms such as Seccomp, AppArmor, SELinux, and runAsUser for protecting the hosts from container-breakout attacks. However, these mechanisms are not sufficient for the security demand because Kubelet and CRI/OCI runtimes require root privileges on the hosts, and these components are seriously bug-prone. The dependency on root privileges has also been problematic for promoting Kubernetes to the HPC world, where users are often not allowed to install software as root. In this talk, Akihiro and Giuseppe will show the community's ongoing work for making Kubernetes deployable and runnable as a non-root user, by using User Namespaces. The main topics of discussion will be UID/GID mapping, unprivileged Copy-on-Write filesystems, usermode networking (Slirp), and cgroups. https://fosdem.org/2019/schedule/event/containers_k8s_rootless/
Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerabilities in the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain an introduction to rootless containers and deep-dive topics about recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well. https://sched.co/fGWc
This document discusses Linux containers and Docker. It describes how Linux containers provide isolation using namespaces and cgroups to allow applications to run consistently across different environments. Docker builds on Linux containers to make them easy to use, create, share, and deploy. Docker allows building images from Dockerfiles, sharing images in registries, and developing hybrid cloud workflows. The document outlines Docker's roadmap and growing ecosystem of tools and projects building on Docker.
nerdctl is a Docker-compatible CLI for containerd that provides the same UI/UX as Docker and Docker Compose. It supports features like lazy pulling via Stargz and encrypted images via OCIcrypt that are not yet available in Docker. While containerd includes ctr and crictl for debugging, nerdctl aims to be a full-featured CLI for container and image management with Docker-like usability. It can run on Linux, macOS via Lima virtual machines, and is working on native Windows support.
http://sched.co/EaYe Until recently, running `docker build` against a Dockerfile had been the only way to build container images. However, a lot of open-source software is being proposed as successors/alternatives to `docker build`:
- BuildKit (Moby Project / Docker)
- img (Jessica Frazelle / Microsoft)
- Buildah (Project Atomic / Red Hat)
- umoci & Orca (SUSE)
- Bazel (Google)
- OpenShift S2I (Red Hat)
Akihiro Suda compares these new tools' advantages and disadvantages. His evaluation basis would include but not be limited to:
- Performance (cache efficiency, concurrency, distributed execution)
- Secret management, e.g. SSH and AWS keys
- Support for non-Dockerfile builds
- Non-root execution
- UI & UX
- Governance of the community
He also proposes a unified interface for using these tools with Kubernetes in a vendor-neutral way.
Learn the basics of Docker and Kubernetes before applying these complementary tools to deploy containers on Google Cloud Platform (GCP).
https://dockercon19.smarteventscloud.com/connect/sessionDetail.ww?SESSION_ID=281879 Docker CE 19.03 is going to support "Rootless mode", which allows running the entire Docker daemon and its dependencies as a non-root user on the host, so as to protect the host from malicious containers in a simple but very strong way. Rootless mode is also attractive for users who cannot get `sudo` permission for installing Docker on shared computing machines, e.g. HPC users. In this talk, Akihiro Suda, the author of the Rootless mode (PR: moby#38050), will explain how users can get started with Rootless mode. He will also explain the implementation details of Rootless mode and planned enhancements such as LDAP integration.
OpenStack, Containers, and Docker: The Future of Application Deployment. Twenty years ago, developers built static applications on well-defined stacks that ran on proprietary, monolithic hardware. Developers today want freedom to build applications using their choice of services and stacks and, ideally, want to be able to run those applications on any available hardware. Of course, this raises questions about service interaction, the practicality of migrating applications across environments, and the challenges of managing unlimited combinations of services and hardware environments. By promoting an open-source approach to flexible and interoperable infrastructure, OpenStack goes a long way towards achieving this vision of the future. This talk discusses the application and platform side of the equation, and the interplay between OpenStack, container technology (e.g. LXC), and the open-source Docker.io project. Docker.io enables any application and its dependencies to be deployed as lightweight containers that run consistently virtually anywhere. The same containerized application that runs on a developer's laptop can run consistently on a bare-metal server, an OpenStack cluster, a Rackspace cloud, a VM, etc. While providing isolation and compatibility, containers have significant size, performance, and deployment advantages over traditional VMs. Recently, the community created an integration between Docker and OpenStack Nova, opening up exciting possibilities for web-scale application deployment, continuous integration and deployment, private PaaS, and hybrid cloud. This session will give an introduction to Docker and containers in the context of OpenStack, and will then demonstrate cross-environment deployment of applications.