Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon (Jérôme Petazzoni)
Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, systemd-nspawn, Docker, and the other container systems out there? And why should we bother about specific filesystems?
In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and likenesses) with existing container systems.
The document discusses Kubernetes networking. It describes how Kubernetes networking allows pods to have routable IPs and communicate without NAT, unlike Docker networking which uses NAT. It covers how services provide stable virtual IPs to access pods, and how kube-proxy implements services by configuring iptables on nodes. It also discusses the DNS integration using SkyDNS and Ingress for layer 7 routing of HTTP traffic. Finally, it briefly mentions network plugins and how Kubernetes is designed to be open and customizable.
This document discusses improving the developer experience through GitOps and ArgoCD. It recommends building developer self-service tools for cloud resources and Kubernetes to reduce frustration. Example GitLab CI/CD pipelines are shown that handle releases, deployments to ECR, and patching apps in an ArgoCD repository to sync changes. The goal is to create faster feedback loops through Git operations and automation to motivate developers.
This document provides an overview of Kubernetes, a container orchestration system. It begins with background on Docker containers and orchestration tools prior to Kubernetes. It then covers key Kubernetes concepts including pods, labels, replication controllers, and services. Pods are the basic deployable unit in Kubernetes, while replication controllers ensure a specified number of pods are running. Services provide discovery and load balancing for pods. The document demonstrates how Kubernetes can be used to scale, upgrade, and rollback deployments through replication controllers and services.
Secret Management with Hashicorp’s Vault (AWS Germany)
When running a Kubernetes Cluster in AWS there are secrets like AWS and Kubernetes credentials, access information for databases or integration with the company LDAP that need to be stored and managed.
HashiCorp’s Vault secures, stores, and controls access to tokens, passwords, certificates, API keys, and other secrets. It handles leasing, key revocation, key rolling, and auditing.
This talk will give an overview of secret management in general and Vault’s concepts. The talk will explain how to make use of Vault’s extensive feature set and show patterns that implement integration between Kubernetes applications and Vault.
This document summarizes GitOps and the benefits of using GitOps for continuous delivery and deployment. It discusses how GitOps allows for simplified continuous delivery through using Git as a single source of truth, which can enhance productivity and experience while also increasing stability. Rollbacks are easy if issues arise by reverting commits in Git. Additional benefits include reliability, consistency, security, and auditability of changes. The document also provides an overview of ArgoCD, an open source GitOps tool for continuous delivery on Kubernetes, and its architecture.
For this info-packed and hands-on workshop we cover:
📍 Introduction to Kubernetes & GitOps talk:
We cover the most popular path that has brought success to many users already - GitOps as a natural evolution of Kubernetes. We'll give an overview of how you can benefit from Kubernetes and GitOps: greater security, reliability, velocity and more. Importantly, we cover definitions and principles standardized by the CNCF's OpenGitOps group and what it means for you.
📍 Get Started with GitOps:
You'll have GitOps up and running in about 30 mins using our free and open source tools! We'll give a brief vision of where you want to be with those security, reliability, and velocity benefits, and then we'll support you while you go through the getting started steps. During the workshop, you'll also experience in action and see demos for:
- an opinionated repo structure to minimize decision fatigue
- disaster recovery using GitOps
- Helm charts example
- Multi-cluster example
- all with free and open source tools mostly in the CNCF (e.g. Flux and Helm).
If you have questions before or after the workshop, talk to us at #weave-gitops http://bit.ly/WeaveGitOpsSlack (If you need to invite yourself to the Slack, visit https://slack.weave.works/)
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called pods. Kubernetes masters manage the cluster and make scheduling decisions while nodes run the pods and containers. It uses labels and selectors to identify and group related application objects together. Services provide a single endpoint for pods, while deployments help manage replicated applications. Kubernetes provides mechanisms for storage, configuration, networking, security and other functionality to help run distributed systems reliably at scale.
Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat (OpenStack)
Multiple Sites and Disaster Recovery with Ceph
Audience: Intermediate
Topic: Storage
Abstract: Ceph is the leading storage solution for OpenStack. As OpenStack deployments become more mission critical and widely deployed, multiple site requirements are increasing as is the need to ensure disaster recovery and business continuity. Learn about the new capabilities in Ceph that assist customers with meeting these requirements for block and object uses.
Speaker Bio: Andrew Hatfield, Red Hat
Andrew has over 20 years' experience in the IT industry across APAC, specialising in Databases, Directory Systems, Groupware, Virtualisation and Storage for Enterprise and Government organisations. When not helping customers slash costs and increase agility by moving to the software-defined storage future, he’s enjoying the subtle tones of Islay Whisky and shredding pow pow on the world’s best snowboard resorts.
OpenStack Australia Day Government - Canberra 2016
https://events.aptira.com/openstack-australia-day-canberra-2016/
The document provides information on how to write a Dockerfile, including:
- What a Dockerfile is and its purpose of providing instructions to build a Docker image
- Common Dockerfile instructions like FROM, RUN, COPY, EXPOSE, and CMD
- Best practices for writing Dockerfiles such as making images smaller, choosing the correct build context, leveraging the build cache, and ordering instructions
- Additional topics covered include the Docker build context, Dockerfile format, and tools like Docker BuildKit and Docker Scan. The presentation concludes with a demonstration of Dockerfiles.
This document summarizes a presentation about hybrid cloud storage using Ceph and serverless functions. The presentation demonstrates setting up Ceph to store images in buckets for cats and dogs. When new images are uploaded, Ceph notifications trigger either an on-premises Knative function to classify cat images, or an AWS Lambda function to classify dog images, splitting the work between private and public clouds. The live demo shows configuring Ceph notifications, formatting events for Knative/Lambda, and functions classifying images from Ceph stored in different clouds.
Ceph QoS: How to support QoS in distributed storage system - Taewoong Kim (Ceph Community)
This document discusses supporting quality of service (QoS) in distributed storage systems like Ceph. It describes how SK Telecom has contributed to QoS support in Ceph, including an algorithm called dmClock that controls I/O request scheduling according to administrator-configured policies. It also details an outstanding I/O-based throttling mechanism to measure and regulate load. Finally, it discusses challenges like queue depth that can be addressed by increasing the number of scheduling threads, and outlines plans to improve and test Ceph's QoS features.
KubeCon EU 2016: Kubernetes Storage 101 (KubeAcademy)
You have deployed your application on Kube and now you want to actually do something permanent with it?? You will need STORAGE.
This talk will be a good introduction to using storage in Kubernetes. It will cover the use of EmptyDir, HostPath and Persistent Storage options. How to configure and use each type. This talk will also discuss the security features for storage in the open source OpenShift project.
Sched Link: http://sched.co/6BcS
Kubernetes & Google Kubernetes Engine (GKE) (Akash Agrawal)
This document discusses Kubernetes and Google Kubernetes Engine (GKE). It begins with an agenda that covers understanding Kubernetes, containers, and GKE. It then discusses traditional application deployment versus containerized deployment. It defines Kubernetes and containers, explaining how Kubernetes is a container orchestration system that handles scheduling, scaling, self-healing, and other functions. The document outlines Kubernetes concepts like clusters, pods, services, and controllers. It describes GKE as a managed Kubernetes service on Google Cloud that provides auto-scaling, integration with Google Cloud services, and other features.
Helm helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
https://thinkcloudly.com/
Helm is a package manager for Kubernetes that allows easy installation and management of Kubernetes applications. It consists of a Helm client that runs on a user's machine and communicates with Tiller, which runs as a pod on the Kubernetes cluster and performs installation and management tasks. Charts, which are Helm packages containing Kubernetes manifest templates, are analogous to Puppet modules, while a release, which is an installed instance of a chart, is analogous to a Docker container.
Helm is a package manager for Kubernetes that allows for easy installation, upgrade, and management of Kubernetes applications. It provides repeatability, reliability, and simplifies deploying applications across multiple Kubernetes environments. Helm originated from an internal hackathon at Deis and was jointly developed by Google and Deis. It is now maintained by the Cloud Native Computing Foundation. Helm consists of a client that interacts with the Tiller server running inside the Kubernetes cluster to manage application lifecycles using charts, which are packages containing Kubernetes resource definitions.
CRUSH is the powerful, highly configurable algorithm Red Hat Ceph Storage uses to determine how data is stored across the many servers in a cluster. A healthy Red Hat Ceph Storage deployment depends on a properly configured CRUSH map. In this session, we will review the Red Hat Ceph Storage architecture and explain the purpose of CRUSH. Using example CRUSH maps, we will show you what works and what does not, and explain why.
Presented at Red Hat Summit 2016-06-29.
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery called pods. Its main components include a master node that manages the cluster and worker nodes that run the applications. It uses labels to identify pods and services and selectors to group related pods. Common concepts include deployments for updating apps, services for network access, persistent volumes for storage, and roles/bindings for access control. The deployment process involves the API server, controllers, scheduler and kubelet to reconcile the desired state and place pods on nodes from images while providing discovery and load balancing.
Comparing Next-Generation Container Image Building Tools (Akihiro Suda)
http://sched.co/EaYe
Until recently, running `docker build` against Dockerfile had been the only way to build container images.
However, lots of open source projects are being proposed as successors/alternatives to `docker build`:
- BuildKit (Moby Project / Docker)
- img (Jessica Frazelle / Microsoft)
- Buildah (Project Atomic / Red Hat)
- umoci & Orca (SUSE)
- Bazel (Google)
- OpenShift S2I (Red Hat)
Akihiro Suda compares these new tools' advantages and disadvantages.
His evaluation basis would include but not be limited to:
- Performance (Cache efficiency, Concurrency, Distributed Execution)
- Secret management, e.g. SSH and AWS keys
- Support for non-Dockerfile
- Non-root execution
- UI & UX
- Governance of the community
He also proposes a unified interface for using these tools with Kubernetes in a vendor-neutral way.
Extending and embedding: containerd update & project use cases (Phil Estes)
A talk given at FOSDEM 2020 in the containers devroom on the current status of the CNCF containerd project as well as a dive into the ways users are extending and embedding containerd in other platforms and projects.
Internal presentation of Docker, Lightweight Virtualization, and linux Containers; at Spotify NYC offices, featuring engineers from Yandex, LinkedIn, Criteo, and NASA!
OSDC 2016 - rkt and Kubernetes what's new with Container Runtimes and Orches... (NETWAYS)
rkt and Kubernetes provide container runtimes and orchestration tools to seamlessly update operating systems without affecting application dependencies or uptime. rkt is a modern, secure container runtime that implements open standards and has a simple, modular architecture. It can be used as the container runtime for Kubernetes (rktnetes) or to run Kubernetes components directly. Both tools use the Container Networking Interface (CNI) plugin-based model for networking, allowing IP addresses to be assigned at the pod level. Integration between rkt and Kubernetes continues to improve to support features like TPM attestation and more seamless kubelet upgrades.
OSDC 2016 | rkt and Kubernetes: What’s new with Container Runtimes and Orches... (NETWAYS)
Application containers are changing some of the fundamentals of how Linux is used in the server environment. rkt is a daemon-free container runtime with a focus on security. rkt is also an implementation of the App Container (appc) runtime specification, which defines the concept of a pod: a grouping of multiple containerized applications in a single execution unit. Pods are also used as the abstraction within Kubernetes, and having rkt work natively with pods makes it uniquely suited as a Kubernetes container runtime engine. With different application container runtimes on Linux to choose from (including Docker, kurma and rkt) this session will cover the differences. It will also dive into use cases for rkt under Kubernetes.
Making your app soar without a container manifest (Libby Schulze)
This document discusses containerization and continuous integration/continuous delivery (CI/CD) tools. It introduces buildpacks as a way to containerize applications without needing a Dockerfile. Buildpacks inspect source code and create a plan to build and run the app by creating layers. Tekton is introduced as an open source project that aims to improve software delivery through standard CI/CD components based on Kubernetes. It contains reusable tasks, pipelines to assemble tasks, triggers for automating builds, and a catalog. A demo and Q&A session are included on the agenda.
Kubernetes @ Squarespace: Kubernetes in the Datacenter (Kevin Lynch)
The document discusses Kubernetes adoption at Squarespace as their engineering organization grew. It describes the challenges of a monolithic architecture and how microservices addressed these challenges. It then discusses how Kubernetes helped solve operational challenges of provisioning and scaling microservices. Key Kubernetes concepts like pods, deployments, services and namespaces are explained. Monitoring, networking and security with Kubernetes are also covered.
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling (Kohei Tokunaga)
Talked at KubeCon + CloudNativeCon North America 2021 Virtual about lazy pulling of container images with eStargz and nydus (October 14, 2021).
https://kccncna2021.sched.com/event/lV2a
Setting up an environment for cross-compiling projects based on Docker (corehard_by)
How to quickly and easily set up/update environments for cross-compiling projects for various platforms (based on Docker), how to switch between them quickly, and how to use these building blocks to organize CI and testing (based on GitLab and Docker).
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition (Jérôme Petazzoni)
Docker, the Open Source container Engine, lets you build, ship, and run any app, anywhere.
This is the presentation which was shown in December 2014 for the last stop of the "Tour de France" in Bordeaux. It is slightly different from the presentation which was shown in the other cities (http://www.slideshare.net/jpetazzo/introduction-to-docker-december-2014-tour-de-france-edition), and includes a detailed history of dotCloud and Docker and a few other differences.
Special thanks to https://twitter.com/LilliJane and https://twitter.com/zirkome, who gave me the necessary motivation to put together this slightly different presentation, since they had already seen the other presentation in Paris :-)
KubeCon EU 2016: "rktnetes": what's new with container runtimes and Kubernetes (KubeAcademy)
rkt is a modern container runtime, built for security, efficiency, and composability. Kubernetes is a modern cluster orchestration system allowing users. Kubernetes doesn't directly execute application containers but instead delegates to a container runtime, which is integrated at the kubelet (node) level. When Kubernetes first launched, the only supported container runtime was Docker - but in recent months, we've been hard at work integrating rkt as an alternative container runtime, aka "rktnetes". The goal of "rktnetes" is to have first-class integration between rkt and the kubelet, and allow Kubernetes users to take advantage of some of rkt's unique features.
This talk will describe how rkt works, some of the features that make it unique as a container runtime, and some of the process of integrating an alternative container runtime with Kubernetes, as well as the latest state of "rktnetes."
Introduction to rkt, including special/unique features.
Sched Link: http://sched.co/6BY7
A Kernel of Truth: Intrusion Detection and Attestation with eBPF (oholiab)
"Attestation is hard" is something you might hear from security researchers tracking nation states and APTs, but it's actually pretty true for most network-connected systems!
Modern deployment methodologies mean that disparate teams create workloads for shared worker-hosts (ranging from Jenkins to Kubernetes and all the other orchestrators and CI tools in-between), meaning that at any given moment your hosts could be running any one of a number of services, connecting to who-knows-what on the internet.
So when your network-based intrusion detection system (IDS) opaquely declares that one of these machines has made an "anomalous" network connection, how do you even determine if it's business as usual? Sure you can log on to the host to try and figure it out, but (in case you hadn't noticed) computers are pretty fast these days, and once the connection is closed it might as well not have happened... Assuming it wasn't actually a reverse shell...
At Yelp we turned to the Linux kernel to tell us whodunit! Utilizing the Linux kernel's eBPF subsystem - an in-kernel VM with syscall hooking capabilities - we're able to aggregate metadata about the calling process tree for any internet-bound TCP connection by filtering IPs and ports in-kernel and enriching with process tree information in userland. The result is "pidtree-bcc": a supplementary IDS. Now whenever there's an alert for a suspicious connection, we just search for it in our SIEM (spoiler alert: it's nearly always an engineer doing something "innovative")! And the cherry on top? It's stupid fast with negligible overhead, creating a much higher signal-to-noise ratio than the kernel's firehose-like audit subsystems.
This talk will look at how you can tune the signal-to-noise ratio of your IDS by making it reflect your business logic and common usage patterns, get more work done by reducing MTTR for false positives, use eBPF and the kernel to do all the hard work for you, accidentally load test your new IDS by not filtering all RFC-1918 addresses, and abuse Docker to get to production ASAP!
As well as looking at some of the technologies that the kernel puts at your disposal, this talk will also tell pidtree-bcc's road from hackathon project to production system and how focus on demonstrating business value early on allowed the organization to give us buy-in to build and deploy a brand new project from scratch.
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation... (DevSecCon)
Matt Carroll
Infrastructure Security Engineer at Yelp
This document introduces Docker and provides an overview of its key concepts and capabilities. It explains that Docker allows deploying applications into lightweight Linux containers that are isolated but share resources and run at native speeds. It describes how Docker uses namespaces and cgroups for isolation and copy-on-write storage for efficiency. The document also outlines common Docker workflows for building, testing, and deploying containerized applications both locally and in production environments at scale.
LXC, Docker, and the future of software delivery | LinuxCon 2013 (dotCloud)
This document discusses Linux containers and Docker. It describes how Linux containers provide isolation using namespaces and cgroups to allow applications to run consistently across different environments. Docker builds on Linux containers to make them easy to use, create, share, and deploy. Docker allows building images from Dockerfiles, sharing images in registries, and developing hybrid cloud workflows. The document outlines Docker's roadmap and growing ecosystem of tools and projects building on Docker.
LXC Docker and the Future of Software Delivery (Docker, Inc.)
This document discusses Linux containers and Docker. It describes how Linux containers provide isolation using namespaces and cgroups to allow applications to run consistently across different environments. Docker builds on Linux containers to make them easy to use, create, share, and deploy. Docker allows building images from Dockerfiles, sharing images in registries, and provides tools for continuous integration workflows. The document outlines Docker's roadmap and growing ecosystem of related projects.
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space? (ArangoDB Database)
View the video of this webinar here: https://www.arangodb.com/arangodb-events/gvisor-kata-containers-firecracker-docker/
Containers* have revolutionized the IT landscape, and for a long time Docker seemed to be the default whenever people were talking about containerization technologies**. But traditional container technologies might not be suitable if strong isolation guarantees are required. So recently new technologies such as gVisor, Kata Containers, or Firecracker have been introduced to close the gap between the strong isolation of virtual machines and the small resource footprint of containers.
In this talk, we will provide an overview of the different containerization technologies, discuss their tradeoffs, and provide guidance for different use cases.
* We will define the term container in more detail during the talk
** and yes we will also cover some of the pre-docker container space!
Enabling Security via Container Runtimes (Phil Estes)
A talk given at the Google-hosted Container Security Summit on Wednesday, February 12th, 2020 in Seattle, Washington. This talk covered the impact of work done at the lower-level runtimes layer and up through layers like cri-o, containerd, and Docker to bring specific security features to overall platforms like Kubernetes.
This document discusses Docker and containers. It begins with an introduction to Docker and the container model. It explains that containers provide isolation using namespaces and cgroups. Containers deploy applications efficiently by sharing resources and deploying anywhere due to standardization. The document then covers building images with Dockerfiles for reproducible builds. It concludes by discussing Docker's future including networking, metrics, logging, plugins and orchestration.
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd (Akihiro Suda)
Join containerd maintainers and reviewers in a combined introduction and deep dive session. They will discuss the overview and the recent updates of containerd as well as how it is being used by Kubernetes, Docker and other container-based systems. A brief introduction to its architecture and service design will be included. The talk will also deep dive into how to leverage containerd by extending and customizing it for your use case with low-level plugins like remote snapshotters, as well as by implementing your own containerd client. Upcoming features and recent discussion in the containerd community will also be covered.
- - -
https://kccnceu2021.sched.com/event/iE6v/introduction-and-deep-dive-into-containerd-kohei-tokunaga-akihiro-suda-ntt-corporation?iframe=no
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do... (Akihiro Suda)
Rootless mode is a technique to harden containers by running the container engine as a non-root user. The support for rootless mode has been merged into Docker since v19.03 (2019) and in Kubernetes since v1.22 (2021). However, setting up Rootless Kubernetes has been more challenging than setting up Rootless Docker due to its complexity. This session presents Usernetes Generation 2, a Kubernetes distribution that wraps Kubernetes in Rootless Docker for ease of setting up multi-node Rootless Kubernetes clusters. Unlike the original Usernetes (Generation 1) that was based on "Kubernetes The Hard Way", Usernetes Generation 2 supports kubeadm. Usernetes Generation 2 is similar to `kind` and `minikube`; however, unlike them, it supports forming real multi-node clusters using Flannel (VXLAN) and can potentially be used for production clusters. https://github.com/rootless-containers/usernetes
20240321 [KubeCon EU Pavilion] Lima.pdf (Akihiro Suda)
Lima is a tool for running Linux virtual machines and containers on macOS. It provides automatic host filesystem sharing, port forwarding, and integration with container runtimes like Docker and Kubernetes. Users can launch preconfigured Linux distro and container engine templates with a single command.
20240320 [KubeCon EU Pavilion] containerd.pdf (Akihiro Suda)
An industry-standard container runtime that is graduated by the CNCF and adopted by major Kubernetes services and distributions. It is designed to be pluggable and support new features through plugins like remote snapshotters and WASM runtimes. It provides plugins for runtimes like runc and runhcs, snapshotters like overlayfs and btrfs, and tools like nerdctl. containerd v2.0 focuses on cleaning up deprecated features and improving user namespace support.
20240201 [HPC Containers] Rootless Containers.pdf (Akihiro Suda)
Rootless containers put the container runtime in a user namespace to limit privileges. This improves security by preventing access to other users' files and the ability to modify the kernel or firmware. Rootless containers have been supported by container runtimes since 2014 and are useful for shared computing environments. Key aspects include user namespaces, which remap UIDs to limit privileges to inside the namespace, and networking solutions like slirp4netns or bypass4netns, which provide networking without privileges. Rootless Kubernetes, called Usernetes, allows running Kubernetes without root privileges and supports multi-node clusters.
[Podman Special Event] Kubernetes in Rootless Podman (Akihiro Suda)
- Kubernetes can run in rootless containers using techniques like Podman, Docker, and containerd which map the root user inside containers to a non-root user on the host for improved security.
- Popular ways to run rootless Kubernetes include kind, minikube wrapped in Podman containers, and Usernetes which supports real multi-node clusters across multiple hosts using networking like Flannel.
- Future work includes promoting the "KubeletInUserNamespace" feature flag and eliminating overhead of user-mode TCP/IP for containers to improve the rootless Kubernetes experience.
Lima is a tool for running Linux virtual machines on macOS to run containers. It provides automatic host filesystem sharing, port forwarding, and integration with container runtimes like Docker and Kubernetes. It uses QEMU or macOS's Virtualization.framework as the hypervisor and supports networking and filesystem options like sshfs, virtio-9p-pci, and virtiofs. It includes templates for common Linux distros and container engines that can be launched with a single command.
Containerd is a CNCF graduated, open source container runtime with many enterprise users. It uses plugins to support features like remote images, WASM runtimes, and different OSes. The runtime provides snapshotters for storage like overlayfs and btrfs, and runtime plugins for Linux, Windows, FreeBSD and WASM. Nerdctl is a container CLI similar to Docker but optimized for Containerd experiments. Recent updates include sandboxing for "pauseless" pods and image transfer APIs, with a focus on cleaning deprecated features and improving user namespaces in upcoming versions.
https://github.com/rootless-containers/usernetes
Usernetes (Gen2) deploys a Kubernetes cluster inside Rootless Docker, so as to mitigate potential container-breakout vulnerabilities.
Usernetes (Gen2) is similar to Rootless kind and Rootless minikube, but Usernetes (Gen 2) supports creating a cluster with multiple hosts.
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ... (Akihiro Suda)
Images maintained by a reputable organization or an individual are often considered trustworthy; however, it is hard to deny the possibility that malicious code not present in the source repo has been silently injected. Also, even without malicious intent, their images can still be compromised by an accidental leak of registry credentials.
The latest release of BuildKit addresses this supply chain security concern with reproducible builds. Reproducible builds is a technique to ensure that a bit-for-bit identical image can be reproduced from its source code, by anybody, at any time. When multiple actors can attest to an image's reproducibility, it signifies that the image contains no code of a secret origin.
Attendees of this talk will learn how they can make their images reproducible to improve trust, and why sometimes they cannot.
The internals and the latest trends of container runtimes (Akihiro Suda)
The document discusses the internals and latest trends of container runtimes. It describes how container runtimes like Docker use kernel features like namespaces and cgroups to isolate containers. It explains how containerd and runc work together to manage the lifecycles of container processes. It also covers security measures like capabilities, AppArmor, and SELinux that container runtimes employ to safeguard the host system.
This document summarizes Lima, an open-source tool for running Linux virtual machines and containers on macOS. Lima provides automatic host filesystem sharing and port forwarding, and integrates with container engines like Docker and container orchestrators like Kubernetes. It uses QEMU or macOS's Virtualization.framework as the hypervisor and supports networking and storage drivers. Templates are provided for common Linux distributions and container tools.
An industry-standard container runtime, a CNCF graduated project since 2019, adopted by major Kubernetes services and distributions. It is designed to be pluggable to support new features like remote snapshotting and WASM runtimes. Containerd provides plugins for snapshotting storage backends, runtimes for different operating systems, and tools like nerdctl for experimenting with new containerd capabilities. Upcoming versions will focus on cleaning deprecated features and improving APIs for image transfer and user namespaces.
[Container Plumbing Days 2023] Why was nerdctl made? (Akihiro Suda)
nerdctl (contaiNERD CTL) was made to facilitate development of new technologies in the containerd platform.
Such technologies include:
- Lazy-pulling with Stargz/Nydus/OverlayBD
- P2P image distribution with IPFS
- Image encryption with OCIcrypt
- Image signing with Cosign
- “Real” read-only mounts with mount_setattr
- Slirp-less rootless containers with bypass4netns
- Interactive debugging of Dockerfiles, with buildg
nerdctl is also useful for debugging Kubernetes nodes that are running containerd.
Through this session, the audience will learn about these functionalities of nerdctl, relevant projects, and the roadmap for the future.
https://containerplumbing.org/sessions/2023/why_was_nerdctl_
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile (Akihiro Suda)
This document discusses techniques for making container builds reproducible, including:
- Using BuildKit v0.11 which supports deterministic timestamps through SOURCE_DATE_EPOCH
- Using repro-get to cryptographically lock package versions to ensure reproducible package installation
- Future work including simplifying Dockerfiles, caching packages locally, and integrating with provenance standards
Lima is a Linux virtual machine for macOS that allows running container workloads like containerd and k3s. It provides automatic host filesystem sharing and port forwarding between the Linux VM and macOS host. Lima uses QEMU virtualization and virtio-9p-pci for filesystem sharing. It supports building and running containers without requiring root on the host. Lima aims to provide an easy way to run containers on macOS for development and testing purposes.
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple... (Akihiro Suda)
nerdctl is a Docker-compatible CLI for containerd that provides the same UI/UX as Docker and Docker Compose. It supports features like lazy pulling via Stargz and encrypted images via OCIcrypt that are not yet available in Docker. While containerd includes ctr and crictl for debugging, nerdctl aims to be a full-featured CLI for container and image management with Docker-like usability. It can run on Linux, macOS via Lima virtual machines, and is working on native Windows support.
6. Adoption of containerd
● Container engines: Docker & Moby, k3c, PouchContainer
● Kubernetes distributions: k3s, kubespray, microk8s, kind, minikube, Charmed Kubernetes
● Managed Kubernetes Services: Alibaba ACK, Amazon EKS (Fargate nodes), Azure AKS, Google GKE, IBM IKS
● And more...
7. Adoption of containerd
● BuildKit
○ The modern implementation of `docker build`
● LinuxKit
○ Small Linux distro with containerd as the init
● Faasd
○ OpenFaaS for containerd
● VMware Fusion Nautilus
○ containerd on macOS, using VMware as the runtime plugin
9. Lazy pulling of images
● Run containers before the image download has completed
● Use cases:
○ Python/Ruby/Java/dotNET images
○ FaaS
○ Web apps with a huge amount of HTML templates and media files
○ Jupyter Notebooks with big data samples included
○ Full GNOME/KDE desktop
10. Lazy pulling of images: Stargz & eStargz
● The containerd snapshotter plugin for Stargz & eStargz
https://github.com/containerd/stargz-snapshotter
● Stargz: seekable tar.gz for lazy-pullable container images
● eStargz: extended Stargz for batching frequently used files
● Both are fully compatible with legacy OCI tar.gz
12. Lazy pulling of images: Stargz & eStargz
● eStargz profiles the actual file access pattern and reorders the file entries,
so that relevant files can be prefetched in a single HTTP request
Stargz (original order)       eStargz (reordered by access profile)
/usr/bin/apt-get              /bin/ls
/bin/ls                       /app.py
/bin/vi                       /usr/bin/python3
/lib/libc.so                  /lib/libc.so
/lib/libjpeg.so               /usr/lib/python3/.../foo
/usr/bin/python3              /usr/lib/python3/.../bar
.../usr/lib/python3/.../foo   .../bin/vi
/usr/lib/python3/.../bar      /lib/libjpeg.so
/app.py                       /usr/bin/apt-get
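The reordering step described on this slide, as an added Go illustration that is not code from the stargz-snapshotter project: the files named by the access profile are written first, then the landmark entry eStargz uses to end the prefetch region, then everything else in its original order. For clarity it works on an uncompressed tar and omits eStargz's per-chunk gzip and TOC; the sample layer, its contents and the profile order are constructed from the file names on the slide.

```go
package main

import "archive/tar"
import "bytes"

// PrefetchLandmark is the entry eStargz places right after the prioritized files.
const PrefetchLandmark = ".prefetch.landmark"

// File is one regular file of a layer: its name and contents.
type File struct {
	Name string
	Data []byte
}

// SampleLayer is a constructed layer in the slide's Stargz order (dummy contents, not real binaries).
var SampleLayer = []File{
	{"usr/bin/apt-get", []byte("apt-get\n")}, {"bin/ls", []byte("ls\n")}, {"bin/vi", []byte("vi\n")},
	{"lib/libc.so", []byte("libc\n")}, {"lib/libjpeg.so", []byte("libjpeg\n")},
	{"usr/bin/python3", []byte("python3\n")}, {"usr/lib/python3/foo", []byte("foo\n")},
	{"usr/lib/python3/bar", []byte("bar\n")}, {"app.py", []byte("print('hi')\n")},
}

// Reorder writes files as a tar stream: prioritized files first (in profile
// order), then the landmark, then the rest in original order. offset is where
// the landmark starts, so one HTTP range request for bytes [0, offset)
// prefetches every prioritized file.
func Reorder(files []File, prioritized []string) (out []byte, offset int64, err error) {
	byName := make(map[string]File, len(files))
	for _, f := range files {
		byName[f.Name] = f
	}
	picked := map[string]bool{}
	var ordered []File
	for _, n := range prioritized {
		if f, ok := byName[n]; ok && !picked[n] { // ignore unknown or repeated names
			picked[n] = true
			ordered = append(ordered, f)
		}
	}
	ordered = append(ordered, File{PrefetchLandmark, []byte{0}})
	for _, f := range files {
		if !picked[f.Name] {
			ordered = append(ordered, f)
		}
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, f := range ordered {
		if f.Name == PrefetchLandmark {
			tw.Flush() // pad the previous entry so the offset is exact
			offset = int64(buf.Len())
		}
		h := &tar.Header{Name: f.Name, Mode: 0644, Size: int64(len(f.Data)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(h); err != nil {
			return nil, 0, err
		}
		if _, err := tw.Write(f.Data); err != nil {
			return nil, 0, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, 0, err
	}
	return buf.Bytes(), offset, nil
}
```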
15. Support for SELinux MCS on CRI mode
● MCS: multi-category security
Figure: two containers both run as UID=0 but carry different MCS categories (C42 and C43); each volume is labeled with one category (C42 or C43), so the category label rather than the UID separates which volume each container can use.
16. Support for cgroup v2
● The new cgroup hierarchy, adopted by Fedora (since 31)
● Simpler layout
○ V1: /sys/fs/cgroup/{memory,cpu,devices,pids….}/foo
○ V2: /sys/fs/cgroup/foo
● Supports eBPF integration, pressure metrics, improved OOM control...
● Friendly to non-root users
17. Improved support for rootless mode
● Run containerd (and relevant components) as a non-root user
● Protect the host from potential vulnerabilities
● Adoption in containerd-related projects
○ Docker
○ BuildKit
○ k3s
○ k3c (on plan)
○ Kubernetes (on proposal, KEP 1371)
18. Improved support for rootless mode
● [v1.3] No support for resource limitation (docker run --cpus … --memory ...)
○ Because unprivileged users cannot control cgroups
● [v1.3] No support for overlayfs snapshotter
○ Because unprivileged users cannot mount overlayfs
(except on Ubuntu/Debian kernels)
○ “Native” snapshotter can be used, but slow and wastes the disk
19. Improved support for rootless mode (v1.4)
→ v1.4 supports resource limitation (requires cgroup v2 and systemd)
→ v1.4 supports FUSE-OverlayFS snapshotter (requires kernel >= 4.18)
20. Demo: Rootless Kubernetes with Cgroup v2
“Usernetes” https://github.com/rootless-containers/usernetes
https://asciinema.org/a/349859
21. Other changes in v1.4
● Windows CRI
● systemd NOTIFY_SOCKET
● Support reloading CNI config without restarting the daemon
● Socat binary is no longer needed
Release note: https://github.com/containerd/containerd/releases
22. v1.5 planning
● NRI: Node Resource Interface (#4411)
○ The new common interface for node resources such as cgroup
○ The plugin spec is very similar to CNI
● Sandbox API (#4131)
○ Pod sandbox as a first-class object
○ No “/pause” process
● Filesystem quota (#759)
25. Backend as external plugins
● Big goal - no re-compilation required!!!
● Stream processors
● gRPC proxy plugin for image storage
● RuntimeV2 proto for OCI Runtime
26. Stream processor
● OCI image layer data is packaged in a tar archive
● The OCI image spec only supports a few compression algorithms
○ +gzip/+zstd, but +gzip is more common
● How to handle an experimental media-type stream?
○ Or one used for encryption?
Figure: Image → Layer → Snapshot. The Diff Service unpacks the layer through a Tar Stream Processor; +gzip is handled today, while a custom media type ("Custom?") is the open question.
27. Stream processor
● A stream processor (SP) is a binary plugin that handles a media-type stream
○ Accepts custom media types and returns another one
○ The binary is called as the media-type converter
● Example
○ containerd/imgcrypt
Figure: Image → Layer → Snapshot. Inside the Diff Service a chain of SPs converts the layer: a Tar SP, a Tar+Gzip SP, a Tar(+Gzip)+encrypted SP, and other custom SPs.
30. Snapshot proxy plugin
package main

import (
	"log"
	"net"

	snapshots "github.com/containerd/containerd/api/services/snapshots/v1"
	"github.com/containerd/containerd/contrib/snapshotservice"
	"google.golang.org/grpc"
)

func main() {
	rpc := grpc.NewServer()
	// CustomSnapshotter returns your snapshots.Snapshotter implementation (not shown on the slide)
	sn := CustomSnapshotter()
	// Wrap the snapshotter in the gRPC service that containerd's proxy plugin talks to
	service := snapshotservice.FromSnapshotter(sn)
	snapshots.RegisterSnapshotsServer(rpc, service)
	// Listen and serve on the unix socket referenced from proxy_plugins
	l, err := net.Listen("unix", "/var/run/mysnapshotter.sock")
	if err != nil {
		log.Fatalf("error: %v", err)
	}
	if err := rpc.Serve(l); err != nil {
		log.Fatalf("error: %v", err)
	}
}
● Configure with proxy_plugins
● Example
○ stargz-snapshotter
○ CVMFS Containerd Snapshotter
[proxy_plugins]
  [proxy_plugins.customsnapshot]
    type = "snapshot"
    address = "/var/run/mysnapshotter.sock"
31. Runtime V2
● A first-class shim API for runtime authors to integrate with containerd
○ More VM-like runtimes have internal state and more abstract actions
○ A CLI approach introduces issues with state management
○ Each runtime has its own values, but containerd keeps a solid core scope
● Example
○ gVisor
○ KataContainer
○ Firecracker
33. Runtime V2 - Binary
● Binary naming convention
○ Name io.containerd.runc.v2 --> Binary containerd-shim-runc-v2
■ So both io.containerd.runc.v1 and io.containerd.runc.v2 are runtime V2
■ runc.v2 supports grouping several containers with fewer resources
■ runc.v2 is the CRI plugin's default runtime
○ Via a runtime binary available in containerd's PATH
● Required start/delete sub-commands
○ Resources created by the container are cleaned up by the delete sub-command
34. Runtime V2 - Logging
● fifo/npipe as the default channel
○ The receiver consumes more resources to handle log output.
Figure: container output flows from the kernel to the containerd shim, through a named pipe, to the receiver (dockerd or the CRI plugin).
35. Runtime V2 - Logging
● fifo/npipe as the default channel
○ The receiver consumes more resources to handle log output.
○ And it requires that the receiver be alive!!!
○ Running containers are impacted if the receiver is down for too long.
Figure: kernel → containerd shim → named pipe, with the receiver on the other end of the pipe gone.
36. Runtime V2 - Logging
● Support pluggable logging via STDIO URIs
○ fifo - Linux (default)
○ npipe - Windows (default)
○ binary - Linux & Windows
○ file - Linux & Windows
STDIO URI format: <schema>://<path>?<key>=<value>
schema   path               ?key=value           STDIO URI
file     /var/log/cntr/hi   ?maxSize=100MB       file:///var/log/cntr/hi?maxSize=100MB
binary   /usr/bin/syslog    ?addr=192.168.0.3    binary:///usr/bin/syslog?addr=192.168.0.3
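The shim binary naming rule from slide 33 and the STDIO URI scheme from slide 36, as an added Go example that is not containerd's own code: ShimBinaryName derives the shim binary from the runtime name, and ParseStdioURI parses a logging URI into scheme, path and parameters, rejecting unknown schemes and (an added check, not stated on the slide) non-absolute or unclean paths for the file and binary loggers, since the shim executes the binary logger's path. The URIs in main are the slide's two rows.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ShimBinaryName maps a Runtime V2 name such as "io.containerd.runc.v2" to the
// binary containerd looks up in its PATH ("containerd-shim-runc-v2"): the last
// two dot-separated components are the name and the version.
func ShimBinaryName(runtime string) (string, error) {
	p := strings.Split(runtime, ".")
	if len(p) < 2 || p[len(p)-2] == "" || p[len(p)-1] == "" {
		return "", fmt.Errorf("invalid runtime name %q: want prefix.name.version", runtime)
	}
	return fmt.Sprintf("containerd-shim-%s-%s", p[len(p)-2], p[len(p)-1]), nil
}

// StdioURI is a parsed logging destination of the form scheme://path?key=value.
type StdioURI struct {
	Scheme string            // fifo, npipe, binary or file
	Path   string            // path of the fifo/pipe, log file or logger binary
	Params map[string]string // first value of each query key
}

// ParseStdioURI accepts the four schemes from the slide. For the file and
// binary loggers it insists on a clean absolute Linux path (an added check):
// the binary logger is executed by the shim, so a relative or ".."-laden path
// would resolve against the shim's working directory instead of a fixed location.
func ParseStdioURI(s string) (*StdioURI, error) {
	u, err := url.Parse(s)
	if err != nil {
		return nil, err
	}
	switch u.Scheme {
	case "fifo", "npipe", "binary", "file":
	default:
		return nil, fmt.Errorf("unsupported STDIO URI scheme %q", u.Scheme)
	}
	// "binary://syslog" parses as host "syslog" with an empty path: not a path.
	if u.Host != "" || u.Path == "" {
		return nil, errors.New("STDIO URI must carry a path: scheme:///path")
	}
	if (u.Scheme == "file" || u.Scheme == "binary") && (!path.IsAbs(u.Path) || path.Clean(u.Path) != u.Path) {
		return nil, fmt.Errorf("%s logger needs a clean absolute path, got %q", u.Scheme, u.Path)
	}
	r := &StdioURI{Scheme: u.Scheme, Path: u.Path, Params: map[string]string{}}
	for k, v := range u.Query() {
		r.Params[k] = v[0]
	}
	return r, nil
}

func main() {
	name, _ := ShimBinaryName("io.containerd.runc.v2")
	f, err := ParseStdioURI("file:///var/log/cntr/hi?maxSize=100MB")
	b, err2 := ParseStdioURI("binary:///usr/bin/syslog?addr=192.168.0.3")
	fmt.Println(name, f, err, b, err2)
}
```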