SlideShare a Scribd company logo

[KubeCon EU 2020] containerd Deep Dive

A
Akihiro Suda

- containerd overview - Upcoming features in v1.4 - External plugins https://kccnceu20.sched.com/event/ZexS/containerd-deep-dive-akihiro-suda-ntt-wei-fu-alibaba

1 of 37
Download to read offline
containerd Deep Dive Akihiro Suda (NTT) & Wei Fu (Alibaba Cloud) KubeCon EU 2020 Virtual (Aug 19, 2020)
containerd overview Akihiro Suda (NTT)
What is ? ● “Mid-level Container runtime” ○ Below platforms (Docker, Kubernetes) ○ Above lower level runtimes (runc) ● Resource Manager ○ Container processes ○ Image artifacts ○ Filesystem snapshots ○ Metadata and dependencies ● CNCF graduated project since February 2019 ○ Following Kubernetes, Prometheus, Envoy, and CoreDNS
[KubeCon EU 2020] containerd Deep Dive
Highly customizable ● Runtime plugins ○ Runc, gVisor, Kata, Firecracker... ● Snapshotter plugins ○ OverlayFS, BtrFS, ZFS, … ● Content store plugins ○ Local, IPFS... ● Stream processor plugins ○ ImgCrypt, zstd...
Adoption of containerd ● Container engines ● Kubernetes distributions ● Managed Kubernetes Services Docker & Moby k3c PouchContainer k3s kubespray microk8s Alibaba ACK Amazon EKS (Fargate nodes) Azure AKS Google GKE IBM IKS kind minikube Charmed Kubernetes And more...
Adoption of containerd ● BuildKit ○ The modern implementation of `docker build` ● LinuxKit ○ Small Linux distro with containerd as the init ● Faasd ○ OpenFaaS for containerd ● VMware Fusion Nautilus ○ containerd on macOS, using VMware as the runtime plugin
Upcoming features in v1.4 Akihiro Suda (NTT)
Lazy pulling of images ● Run containers before completion of downloading the images ● Use cases: ○ Python/Ruby/Java/dotNET images ○ FaaS ○ Web apps with huge amount of HTML templates and media files ○ Jupyter Notebooks with big data samples included ○ Full GNOME/KDE desktop
Lazy pulling of images: Stargz & eStargz ● The containerd snapshotter plugin for Stargz & eStargz https://github.com/containerd/stargz-snapshotter ● Stargz: seekable tar.gz for lazy-pullable container images ● eStargz: extended Stargz for batching frequently used files ● Both are fully compatible with legacy OCI tar.gz
Lazy pulling of images: Stargz & eStargz Metadata 0 File 0 Metadata 1 File 1 Metadata {n-1} File {n-1} Footer ... gzip legacy tar.gz Stargz Metadata 0 File 0 gzip Metadata 1 File 1 gzip ... Metadata {n-1} File {n-1} gzip gzip Footer Metadata stargz.index.json Can’t inspect file offsets without reading the whole archive Can inspect the file offsets immediately
Lazy pulling of images: Stargz & eStargz ● eStargz profiles the actual file access pattern and reorders the file entries, so that relevant files can be prefetched in a single HTTP request /usr/bin/apt-get /bin/ls /bin/vi /lib/libc.so /lib/libjpeg.so /usr/bin/python3 .../usr/lib/python3/.../foo /usr/lib/python3/.../bar /app.py /bin/ls /app.py /usr/bin/python3 /lib/libc.so /usr/lib/python3/.../foo /usr/lib/python3/.../bar .../bin/vi /lib/libjpeg.so /usr/bin/apt-get Stargz eStargz
Lazy pulling of images: Stargz & eStargz
Lazy pulling of images: Stargz & eStargz Yesterday’s talk https://sched.co/ZepQ
Support for SELinux MCS on CRI mode ● MCS: multi-category security Containers Volumes UID=0 C42 UID=0 C42 UID=0 C43 UID=0 C43
Support for cgroup v2 ● The new cgroup hierarchy, adopted by Fedora (since 31) ● Simpler layout ○ V1: /sys/fs/cgroup/{memory,cpu,devices,pids….}/foo ○ V2: /sys/fs/cgroup/foo ● Supports eBPF integration, pressure metrics, improved OOM control... ● Friendly to non-root users
Improved support for rootless mode ● Run containerd (and relevant components) as a non-root user ● Protect the host from potential vulnerabilities ● Adoption in containerd-related projects ○ Docker ○ BuildKit ○ k3s ○ k3c (on plan) ○ Kubernetes (on proposal, KEP 1371)
Improved support for rootless mode ● [v1.3] No support for resource limitation (docker run --cpus … --memory ...) ○ Because unprivileged users cannot control cgroups ● [v1.3] No support for overlayfs snapshotter ○ Because unprivileged users cannot mount overlayfs (except on Ubuntu/Debian kernels) ○ “Native” snapshotter can be used, but slow and wastes the disk
Improved support for rootless mode ● [v1.3] No support for resource limitation (docker run --cpus … --memory ...) ○ Because unprivileged users cannot control cgroups ● [v1.3] No support for overlayfs snapshotter ○ Because unprivileged users cannot mount overlayfs (except on Ubuntu/Debian kernels) ○ “Native” snapshotter can be used, but slow and wastes the disk → v1.4 supports resource limitation (requires cgroup v2 and systemd) → v1.4 supports FUSE-OverlayFS snapshotter (requires kernel >= 4.18)
Demo: Rootless Kubernetes with Cgroup v2 “Usernetes” https://github.com/rootless-containers/usernetes https://asciinema.org/a/349859
Other changes in v1.4 ● Windows CRI ● systemd NOTIFY_SOCKET ● Support reloading CNI config without restarting the daemon ● Socat binary is no longer needed Release note: https://github.com/containerd/containerd/releases
v1.5 planning ● NRI: Node Resource Interface (#4411) ○ The new common interface for node resources such as cgroup ○ The plugin spec is very similar to CNI ● Sandbox API (#4131) ○ Pod sandbox as a first-class object ○ No “/pause” process ● Filesystem quota (#759)
containerd: external plugins Wei Fu (Alibaba Cloud)
[KubeCon EU 2020] containerd Deep Dive
Backend as external plugins ● Big goal - no re-compilation required!!! ● Stream processors ● gRPC proxy plugin for image storage ● RuntimeV2 proto for OCI Runtime
Stream processor ● OCI Image layer data packaged in tar archive ● OCI image spec only supports few compression algorithms ○ +gzip/+zstd, but +gzip is more common ● How to handle experimental media-type stream? ○ Or encryption purpose? Image Layer Snapshot Tar Stream Processor Diff Service +gzip Custom?
Stream processor ● Stream processor(SP) is binary plugin handling media-type stream ○ Accepts customize media-types, returns other one ○ Call binary for media-type converter ● Example ○ containerd/imgcrypt Image Layer Snapshot Tar SP Diff Service Tar+Gzip SP Tar(+Gzip)+encrypted SP Other Customize SP
Stream processor - Demo ● Integrate with +zstd media-type ● asciinema link [stream_processors] [stream_processors."zstd"] accepts = ["application/vnd.oci.image.layer.v1.tar+zstd"] returns = "application/vnd.oci.image.layer.v1.tar" path = "zstd" args = ["-dcf"]
Snapshot proxy plugin // Snapshot service manages snapshots service Snapshots { rpc Prepare(PrepareSnapshotRequest) returns (PrepareSnapshotResponse); rpc View(ViewSnapshotRequest) returns (ViewSnapshotResponse); rpc Mounts(MountsRequest) returns (MountsResponse); rpc Commit(CommitSnapshotRequest) returns (google.protobuf.Empty); rpc Remove(RemoveSnapshotRequest) returns (google.protobuf.Empty); rpc Stat(StatSnapshotRequest) returns (StatSnapshotResponse); rpc Update(UpdateSnapshotRequest) returns (UpdateSnapshotResponse); rpc List(ListSnapshotsRequest) returns (stream ListSnapshotsResponse); rpc Usage(UsageRequest) returns (UsageResponse); }
Snapshot proxy plugin package main import( "net" "log" "github.com/containerd/containerd/api/services/snapshots/v1" "github.com/containerd/containerd/contrib/snapshotservice" ) func main() { rpc := grpc.NewServer() sn := CustomSnapshotter() service := snapshotservice.FromSnapshotter(sn) snapshots.RegisterSnapshotsServer(rpc, service) // Listen and serve l, err := net.Listen("unix", "/var/run/mysnapshotter.sock") if err != nil { log.Fatalf("error: %vn", err) } if err := rpc.Serve(l); err != nil { log.Fatalf("error: %vn", err) } } ● Configure with proxy_plugins ● Example ○ stargz-snapshotter ○ CVMFS Containerd Snapshotter [proxy_plugins] [proxy_plugins.customsnapshot] type = "snapshot" address = "/var/run/mysnapshotter.sock"
Runtime V2 ● A first class shim API for runtime authors to integrate with containerd ○ More VM like runtimes have internal state and more abstract actions ○ A CLI approach introduces issues with state management ○ Each runtimes has its own values, but keep containerd in solid core scope ● Example ○ gVisor ○ KataContainer ○ Firecracker
Runtime V2 service Task { rpc State(StateRequest) returns (StateResponse); rpc Create(CreateTaskRequest) returns (CreateTaskResponse); rpc Start(StartRequest) returns (StartResponse); rpc Delete(DeleteRequest) returns (DeleteResponse); rpc Pids(PidsRequest) returns (PidsResponse); rpc Pause(PauseRequest) returns (google.protobuf.Empty); rpc Resume(ResumeRequest) returns (google.protobuf.Empty); rpc Checkpoint(CheckpointTaskRequest) returns (google.protobuf.Empty); rpc Kill(KillRequest) returns (google.protobuf.Empty); rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty); rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty); rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty); rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty); rpc Wait(WaitRequest) returns (WaitResponse); rpc Stats(StatsRequest) returns (StatsResponse); rpc Connect(ConnectRequest) returns (ConnectResponse); rpc Shutdown(ShutdownRequest) returns (google.protobuf.Empty); }
Runtime V2 - Binary ● Binary naming convention ○ Name io.containerd.runc.v2 --> Binary containerd-shim-runc-v2 ■ So both io.containerd.runc.v1 and io.containerd.runc.v2 are runtime V2 ■ runc.v2 supports grouping several containers with less resource ■ runc.v2 as CRI plugin’s default runtime ○ Via a runtime binary available in containerd’s PATH ● Required start/delete sub-commands ○ Resources created by container will be cleanup by delete sub-command
Runtime V2 - Logging ● fifo/npipe as default channel ○ Receiver consumes more resources to handle log output. dockerd CRI-plugin containerd shim kernel Named Pipe
Runtime V2 - Logging ● fifo/npipe as default channel ○ Receiver consumes more resources to handle log output. ○ And it requires that receiver must be alive!!! ○ Impact running containers if receiver is down too long. containerd shim Named Pipe kernel
Runtime V2 - Logging ● Support pluggable logging via STDIO URIs ○ fifo - Linux (default) ○ npipe - Windows (default) ○ binary - Linux & Windows ○ file - Linux & Windows schema path:// ?key=valueSTDIO URI file file :// /var/log/cntr/hi ?maxSize=100MB binary binary :// /usr/bin/syslog ?addr=192.168.0.3
Thank you

More Related Content

What's hot

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
CJ Cullen
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
Haggai Philip Zagury
 
Kubernetes
KubernetesKubernetes
Kubernetes
erialc_w
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
GitOps w/argocd
GitOps w/argocdGitOps w/argocd
GitOps w/argocd
Jean-Philippe Bélanger
 
Intro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps WorkshopIntro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps Workshop
Weaveworks
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
ssuser0cc9131
 
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatMultiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
OpenStack
 
How to write a Dockerfile
How to write a DockerfileHow to write a Dockerfile
How to write a Dockerfile
Knoldus Inc.
 
PubSub and Notifications in Ceph
PubSub and Notifications in CephPubSub and Notifications in Ceph
PubSub and Notifications in Ceph
Yuval Lifshitz
 
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph Community
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
KubeAcademy
 
Kubernetes & Google Kubernetes Engine (GKE)
Kubernetes & Google Kubernetes Engine (GKE)Kubernetes & Google Kubernetes Engine (GKE)
Kubernetes & Google Kubernetes Engine (GKE)
Akash Agrawal
 
What Is Helm
What Is Helm What Is Helm
What Is Helm
AMELIAOLIVIA2
 
Introduction to Helm
Introduction to HelmIntroduction to Helm
Introduction to Helm
Harshal Shah
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helm
Jeeva Chelladhurai
 
A crash course in CRUSH
A crash course in CRUSHA crash course in CRUSH
A crash course in CRUSH
Sage Weil
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
Gabriel Carro
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools
Akihiro Suda
 

What's hot (20)

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Gitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCDGitlab, GitOps & ArgoCD
Gitlab, GitOps & ArgoCD
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
GitOps w/argocd
GitOps w/argocdGitOps w/argocd
GitOps w/argocd
 
Intro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps WorkshopIntro to Kubernetes & GitOps Workshop
Intro to Kubernetes & GitOps Workshop
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
 
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red HatMultiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat
 
How to write a Dockerfile
How to write a DockerfileHow to write a Dockerfile
How to write a Dockerfile
 
PubSub and Notifications in Ceph
PubSub and Notifications in CephPubSub and Notifications in Ceph
PubSub and Notifications in Ceph
 
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong KimCeph QoS: How to support QoS in distributed storage system - Taewoong Kim
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim
 
KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101KubeCon EU 2016: Kubernetes Storage 101
KubeCon EU 2016: Kubernetes Storage 101
 
Kubernetes & Google Kubernetes Engine (GKE)
Kubernetes & Google Kubernetes Engine (GKE)Kubernetes & Google Kubernetes Engine (GKE)
Kubernetes & Google Kubernetes Engine (GKE)
 
What Is Helm
What Is Helm What Is Helm
What Is Helm
 
Introduction to Helm
Introduction to HelmIntroduction to Helm
Introduction to Helm
 
Introduction to helm
Introduction to helmIntroduction to helm
Introduction to helm
 
A crash course in CRUSH
A crash course in CRUSHA crash course in CRUSH
A crash course in CRUSH
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
 
Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools Comparing Next-Generation Container Image Building Tools
Comparing Next-Generation Container Image Building Tools
 

Similar to [KubeCon EU 2020] containerd Deep Dive

Extended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use casesExtended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use cases
Phil Estes
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
Jérôme Petazzoni
 
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
NETWAYS
 
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...
NETWAYS
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
Docker, Inc.
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifest
LibbySchulze
 
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the DatacenterKubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kevin Lynch
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
corehard_by
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 
KubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes
KubeCon EU 2016: "rktnetes": what's new with container runtimes and KubernetesKubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes
KubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes
KubeAcademy
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
oholiab
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
Jérôme Petazzoni
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
dotCloud
 
LXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software DeliveryLXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software Delivery
Docker, Inc.
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
ArangoDB Database
 
Enabling Security via Container Runtimes
Enabling Security via Container RuntimesEnabling Security via Container Runtimes
Enabling Security via Container Runtimes
Phil Estes
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
rkr10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
Akihiro Suda
 

Similar to [KubeCon EU 2020] containerd Deep Dive (20)

Extended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use casesExtended and embedding: containerd update & project use cases
Extended and embedding: containerd update & project use cases
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
OSDC 2016 - rkt and Kubernentes what's new with Container Runtimes and Orches...
 
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches...
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifest
 
Kubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the DatacenterKubernetes @ Squarespace: Kubernetes in the Datacenter
Kubernetes @ Squarespace: Kubernetes in the Datacenter
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
KubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes
KubeCon EU 2016: "rktnetes": what's new with container runtimes and KubernetesKubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes
KubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 
LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013LXC, Docker, and the future of software delivery | LinuxCon 2013
LXC, Docker, and the future of software delivery | LinuxCon 2013
 
LXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software DeliveryLXC Docker and the Future of Software Delivery
LXC Docker and the Future of Software Delivery
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
 
Enabling Security via Container Runtimes
Enabling Security via Container RuntimesEnabling Security via Container Runtimes
Enabling Security via Container Runtimes
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 

More from Akihiro Suda

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
Akihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
Akihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
Akihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
Akihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
Akihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
Akihiro Suda
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
Akihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
Akihiro Suda
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
Akihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
Akihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Akihiro Suda
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
Akihiro Suda
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
Akihiro Suda
 

More from Akihiro Suda (20)

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 

Recently uploaded

Break data silos with real-time connectivity using Confluent Cloud Connectors
Break data silos with real-time connectivity using Confluent Cloud ConnectorsBreak data silos with real-time connectivity using Confluent Cloud Connectors
Break data silos with real-time connectivity using Confluent Cloud Connectors
confluent
 
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
Semiosis Software Private Limited
 
What is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for FreeWhat is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for Free
TwisterTools
 
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdfAWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
karim wahed
 
Development of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML TechnologiesDevelopment of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML Technologies
MaisnamLuwangPibarel
 
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Asher Sterkin
 
Top 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your WebsiteTop 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your Website
e-Definers Technology
 
MVP Mobile Application - Codearrest.pptx
MVP Mobile Application - Codearrest.pptxMVP Mobile Application - Codearrest.pptx
MVP Mobile Application - Codearrest.pptx
Mitchell Marsh
 
Leading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptxLeading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptx
taskroupseo
 
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
avufu
 
A Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdfA Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdf
kalichargn70th171
 
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
Safe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work PermitsSafe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work Permits
sheqnetworkmarketing
 
Responsibilities of Fleet Managers and How TrackoBit Can Assist.pdf
Responsibilities of Fleet Managers and How TrackoBit Can Assist.pdfResponsibilities of Fleet Managers and How TrackoBit Can Assist.pdf
Responsibilities of Fleet Managers and How TrackoBit Can Assist.pdf
Trackobit
 
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
bhatinidhi2001
 
Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.
shivamt017
 
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
ThousandEyes
 
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTIONBITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
ssuser2b426d1
 
Intro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AIIntro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AI
Ortus Solutions, Corp
 
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...
karim wahed
 

Recently uploaded (20)

Break data silos with real-time connectivity using Confluent Cloud Connectors
Break data silos with real-time connectivity using Confluent Cloud ConnectorsBreak data silos with real-time connectivity using Confluent Cloud Connectors
Break data silos with real-time connectivity using Confluent Cloud Connectors
 
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
React vs Next js: Which is Better for Web Development? - Semiosis Software Pr...
 
What is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for FreeWhat is OCR Technology and How to Extract Text from Any Image for Free
What is OCR Technology and How to Extract Text from Any Image for Free
 
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdfAWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) AWS Security .pdf
 
Development of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML TechnologiesDevelopment of Chatbot Using AI\ML Technologies
Development of Chatbot Using AI\ML Technologies
 
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
Ported to Cloud with Wing_ Blue ZnZone app from _Hexagonal Architecture Expla...
 
Top 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your WebsiteTop 10 Tips To Get Google AdSense For Your Website
Top 10 Tips To Get Google AdSense For Your Website
 
MVP Mobile Application - Codearrest.pptx
MVP Mobile Application - Codearrest.pptxMVP Mobile Application - Codearrest.pptx
MVP Mobile Application - Codearrest.pptx
 
Leading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptxLeading Project Management Tool Taskruop.pptx
Leading Project Management Tool Taskruop.pptx
 
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
一比一原版英国牛津大学毕业证(oxon毕业证书)如何办理
 
A Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdfA Comparative Analysis of Functional and Non-Functional Testing.pdf
A Comparative Analysis of Functional and Non-Functional Testing.pdf
 
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
Abortion pills in Fujairah *((+971588192166*)☎️)¥) **Effective Abortion Pills...
 
Safe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work PermitsSafe Work Permit Management Software for Hot Work Permits
Safe Work Permit Management Software for Hot Work Permits
 
Responsibilities of Fleet Managers and How TrackoBit Can Assist.pdf
Responsibilities of Fleet Managers and How TrackoBit Can Assist.pdfResponsibilities of Fleet Managers and How TrackoBit Can Assist.pdf
Responsibilities of Fleet Managers and How TrackoBit Can Assist.pdf
 
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
CViewSurvey Digitech Pvt Ltd that works on a proven C.A.A.G. model.
 
Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.
 
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
 
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTIONBITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
BITCOIN HEIST RANSOMEWARE ATTACK PREDICTION
 
Intro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AIIntro to Amazon Web Services (AWS) and Gen AI
Intro to Amazon Web Services (AWS) and Gen AI
 
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...
AWS Cloud Practitioner Essentials (Second Edition) (Arabic) Course Introducti...
 

[KubeCon EU 2020] containerd Deep Dive

  • 1. containerd Deep Dive Akihiro Suda (NTT) & Wei Fu (Alibaba Cloud) KubeCon EU 2020 Virtual (Aug 19, 2020)
  • 3. What is ? ● “Mid-level Container runtime” ○ Below platforms (Docker, Kubernetes) ○ Above lower level runtimes (runc) ● Resource Manager ○ Container processes ○ Image artifacts ○ Filesystem snapshots ○ Metadata and dependencies ● CNCF graduated project since February 2019 ○ Following Kubernetes, Prometheus, Envoy, and CoreDNS
  • 5. Highly customizable ● Runtime plugins ○ Runc, gVisor, Kata, Firecracker... ● Snapshotter plugins ○ OverlayFS, BtrFS, ZFS, … ● Content store plugins ○ Local, IPFS... ● Stream processor plugins ○ ImgCrypt, zstd...
  • 6. Adoption of containerd ● Container engines ● Kubernetes distributions ● Managed Kubernetes Services Docker & Moby k3c PouchContainer k3s kubespray microk8s Alibaba ACK Amazon EKS (Fargate nodes) Azure AKS Google GKE IBM IKS kind minikube Charmed Kubernetes And more...
  • 7. Adoption of containerd ● BuildKit ○ The modern implementation of `docker build` ● LinuxKit ○ Small Linux distro with containerd as the init ● Faasd ○ OpenFaaS for containerd ● VMware Fusion Nautilus ○ containerd on macOS, using VMware as the runtime plugin
  • 8. Upcoming features in v1.4 Akihiro Suda (NTT)
  • 9. Lazy pulling of images ● Run containers before completion of downloading the images ● Use cases: ○ Python/Ruby/Java/dotNET images ○ FaaS ○ Web apps with huge amount of HTML templates and media files ○ Jupyter Notebooks with big data samples included ○ Full GNOME/KDE desktop
  • 10. Lazy pulling of images: Stargz & eStargz ● The containerd snapshotter plugin for Stargz & eStargz https://github.com/containerd/stargz-snapshotter ● Stargz: seekable tar.gz for lazy-pullable container images ● eStargz: extended Stargz for batching frequently used files ● Both are fully compatible with legacy OCI tar.gz
  • 11. Lazy pulling of images: Stargz & eStargz Metadata 0 File 0 Metadata 1 File 1 Metadata {n-1} File {n-1} Footer ... gzip legacy tar.gz Stargz Metadata 0 File 0 gzip Metadata 1 File 1 gzip ... Metadata {n-1} File {n-1} gzip gzip Footer Metadata stargz.index.json Can’t inspect file offsets without reading the whole archive Can inspect the file offsets immediately
  • 12. Lazy pulling of images: Stargz & eStargz ● eStargz profiles the actual file access pattern and reorders the file entries, so that relevant files can be prefetched in a single HTTP request /usr/bin/apt-get /bin/ls /bin/vi /lib/libc.so /lib/libjpeg.so /usr/bin/python3 .../usr/lib/python3/.../foo /usr/lib/python3/.../bar /app.py /bin/ls /app.py /usr/bin/python3 /lib/libc.so /usr/lib/python3/.../foo /usr/lib/python3/.../bar .../bin/vi /lib/libjpeg.so /usr/bin/apt-get Stargz eStargz
  • 13. Lazy pulling of images: Stargz & eStargz
  • 14. Lazy pulling of images: Stargz & eStargz Yesterday’s talk https://sched.co/ZepQ
  • 15. Support for SELinux MCS on CRI mode ● MCS: multi-category security Containers Volumes UID=0 C42 UID=0 C42 UID=0 C43 UID=0 C43
  • 16. Support for cgroup v2 ● The new cgroup hierarchy, adopted by Fedora (since 31) ● Simpler layout ○ V1: /sys/fs/cgroup/{memory,cpu,devices,pids….}/foo ○ V2: /sys/fs/cgroup/foo ● Supports eBPF integration, pressure metrics, improved OOM control... ● Friendly to non-root users
  • 17. Improved support for rootless mode ● Run containerd (and relevant components) as a non-root user ● Protect the host from potential vulnerabilities ● Adoption in containerd-related projects ○ Docker ○ BuildKit ○ k3s ○ k3c (on plan) ○ Kubernetes (on proposal, KEP 1371)
  • 18. Improved support for rootless mode ● [v1.3] No support for resource limitation (docker run --cpus … --memory ...) ○ Because unprivileged users cannot control cgroups ● [v1.3] No support for overlayfs snapshotter ○ Because unprivileged users cannot mount overlayfs (except on Ubuntu/Debian kernels) ○ “Native” snapshotter can be used, but slow and wastes the disk
  • 19. Improved support for rootless mode ● [v1.3] No support for resource limitation (docker run --cpus … --memory ...) ○ Because unprivileged users cannot control cgroups ● [v1.3] No support for overlayfs snapshotter ○ Because unprivileged users cannot mount overlayfs (except on Ubuntu/Debian kernels) ○ “Native” snapshotter can be used, but slow and wastes the disk → v1.4 supports resource limitation (requires cgroup v2 and systemd) → v1.4 supports FUSE-OverlayFS snapshotter (requires kernel >= 4.18)
  • 20. Demo: Rootless Kubernetes with Cgroup v2 “Usernetes” https://github.com/rootless-containers/usernetes https://asciinema.org/a/349859
  • 21. Other changes in v1.4 ● Windows CRI ● systemd NOTIFY_SOCKET ● Support reloading CNI config without restarting the daemon ● Socat binary is no longer needed Release note: https://github.com/containerd/containerd/releases
  • 22. v1.5 planning ● NRI: Node Resource Interface (#4411) ○ The new common interface for node resources such as cgroup ○ The plugin spec is very similar to CNI ● Sandbox API (#4131) ○ Pod sandbox as a first-class object ○ No “/pause” process ● Filesystem quota (#759)
  • 23. containerd: external plugins Wei Fu (Alibaba Cloud)
  • 25. Backend as external plugins ● Big goal - no re-compilation required!!! ● Stream processors ● gRPC proxy plugin for image storage ● RuntimeV2 proto for OCI Runtime
  • 26. Stream processor ● OCI Image layer data packaged in tar archive ● OCI image spec only supports few compression algorithms ○ +gzip/+zstd, but +gzip is more common ● How to handle experimental media-type stream? ○ Or encryption purpose? Image Layer Snapshot Tar Stream Processor Diff Service +gzip Custom?
  • 27. Stream processor ● Stream processor(SP) is binary plugin handling media-type stream ○ Accepts customize media-types, returns other one ○ Call binary for media-type converter ● Example ○ containerd/imgcrypt Image Layer Snapshot Tar SP Diff Service Tar+Gzip SP Tar(+Gzip)+encrypted SP Other Customize SP
  • 28. Stream processor - Demo ● Integrate with +zstd media-type ● asciinema link [stream_processors] [stream_processors."zstd"] accepts = ["application/vnd.oci.image.layer.v1.tar+zstd"] returns = "application/vnd.oci.image.layer.v1.tar" path = "zstd" args = ["-dcf"]
  • 29. Snapshot proxy plugin // Snapshot service manages snapshots service Snapshots { rpc Prepare(PrepareSnapshotRequest) returns (PrepareSnapshotResponse); rpc View(ViewSnapshotRequest) returns (ViewSnapshotResponse); rpc Mounts(MountsRequest) returns (MountsResponse); rpc Commit(CommitSnapshotRequest) returns (google.protobuf.Empty); rpc Remove(RemoveSnapshotRequest) returns (google.protobuf.Empty); rpc Stat(StatSnapshotRequest) returns (StatSnapshotResponse); rpc Update(UpdateSnapshotRequest) returns (UpdateSnapshotResponse); rpc List(ListSnapshotsRequest) returns (stream ListSnapshotsResponse); rpc Usage(UsageRequest) returns (UsageResponse); }
  • 30. Snapshot proxy plugin package main import( "net" "log" "github.com/containerd/containerd/api/services/snapshots/v1" "github.com/containerd/containerd/contrib/snapshotservice" ) func main() { rpc := grpc.NewServer() sn := CustomSnapshotter() service := snapshotservice.FromSnapshotter(sn) snapshots.RegisterSnapshotsServer(rpc, service) // Listen and serve l, err := net.Listen("unix", "/var/run/mysnapshotter.sock") if err != nil { log.Fatalf("error: %vn", err) } if err := rpc.Serve(l); err != nil { log.Fatalf("error: %vn", err) } } ● Configure with proxy_plugins ● Example ○ stargz-snapshotter ○ CVMFS Containerd Snapshotter [proxy_plugins] [proxy_plugins.customsnapshot] type = "snapshot" address = "/var/run/mysnapshotter.sock"
  • 31. Runtime V2 ● A first class shim API for runtime authors to integrate with containerd ○ More VM like runtimes have internal state and more abstract actions ○ A CLI approach introduces issues with state management ○ Each runtimes has its own values, but keep containerd in solid core scope ● Example ○ gVisor ○ KataContainer ○ Firecracker
  • 32. Runtime V2 service Task { rpc State(StateRequest) returns (StateResponse); rpc Create(CreateTaskRequest) returns (CreateTaskResponse); rpc Start(StartRequest) returns (StartResponse); rpc Delete(DeleteRequest) returns (DeleteResponse); rpc Pids(PidsRequest) returns (PidsResponse); rpc Pause(PauseRequest) returns (google.protobuf.Empty); rpc Resume(ResumeRequest) returns (google.protobuf.Empty); rpc Checkpoint(CheckpointTaskRequest) returns (google.protobuf.Empty); rpc Kill(KillRequest) returns (google.protobuf.Empty); rpc Exec(ExecProcessRequest) returns (google.protobuf.Empty); rpc ResizePty(ResizePtyRequest) returns (google.protobuf.Empty); rpc CloseIO(CloseIORequest) returns (google.protobuf.Empty); rpc Update(UpdateTaskRequest) returns (google.protobuf.Empty); rpc Wait(WaitRequest) returns (WaitResponse); rpc Stats(StatsRequest) returns (StatsResponse); rpc Connect(ConnectRequest) returns (ConnectResponse); rpc Shutdown(ShutdownRequest) returns (google.protobuf.Empty); }
  • 33. Runtime V2 - Binary ● Binary naming convention ○ Name io.containerd.runc.v2 --> Binary containerd-shim-runc-v2 ■ So both io.containerd.runc.v1 and io.containerd.runc.v2 are runtime V2 ■ runc.v2 supports grouping several containers with less resource ■ runc.v2 as CRI plugin’s default runtime ○ Via a runtime binary available in containerd’s PATH ● Required start/delete sub-commands ○ Resources created by container will be cleanup by delete sub-command
  • 34. Runtime V2 - Logging ● fifo/npipe as default channel ○ Receiver consumes more resources to handle log output. dockerd CRI-plugin containerd shim kernel Named Pipe
  • 35. Runtime V2 - Logging ● fifo/npipe as default channel ○ Receiver consumes more resources to handle log output. ○ And it requires that receiver must be alive!!! ○ Impact running containers if receiver is down too long. containerd shim Named Pipe kernel
  • 36. Runtime V2 - Logging ● Support pluggable logging via STDIO URIs ○ fifo - Linux (default) ○ npipe - Windows (default) ○ binary - Linux & Windows ○ file - Linux & Windows schema path:// ?key=valueSTDIO URI file file :// /var/log/cntr/hi ?maxSize=100MB binary binary :// /usr/bin/syslog ?addr=192.168.0.3