The Docker Ecosystem
Definition, Architecture, Status
March 2023
Bruno Cornec, HPE EG EMEA Open Source and Linux Strategist
Introducing myself
● Software engineering and Unices since 1988:
– Mostly Configuration Management Systems (CMS), build systems, quality tools, on multiple commercial Unix systems
– Discovered Free, Libre, Open Source Software & Linux (FLOSS) & made first contributions in 1993
– Full time on OSL since 1995, first as HPE reseller then @HPE
● Currently:
– WW FLOSS Technology Strategist in HPE, Grenoble, France
– HPE FLOSS Advocate and Converged Infrastructure Ambassador
– WW Linux Community Lead for the HPE Open Source Profession
– AFUL and APRIL member. Mageia board member. FLOSSITA board chair.
– Conferences at WW level at LinuxCon, Linux.conf.au, Fosdem, ...
– MondoRescue, Project-Builder.org, python-redfish, UUWL and PUSK Project Lead
– LinuxCOE, mrepo, tellico, rinse, fossology, collectl, Ironic contributor
– FOSSBazaar/SPDX and FLOSS Governance enthusiast
– Mageia (and Fedora) packager
● And also:
– Amateur singer (Alto / Tenor), recorder player since 1976 and Choir director since 1987, CD collector (7000+), Concerts, Photography
Docker Architecture and Ecosystem
Container analogy
Cargo transportation before the '60s: no standard way to transport goods
– Multiplicity of goods and their security
– Multiplicity of transportation methods
The invention of the container made it possible to:
– Support all types of goods
– Load, unload and stack them
– Support multiple transport modes
– Seal the container
– Standardize the way goods are transported, leading to huge cost reductions
Container for software
Computers before 2012 didn't have a standard way to transport IT workloads
– Multiplicity of applications and their security
– Multiplicity of transportation methods
The invention of the container made it possible to:
– Support all types of workload
– Load, unload and stack them
– Support multiple transport modes
– Secure the container
– Standardize the way workloads are transported, leading to huge cost reductions
Bare-Metal vs VM vs Container
(Diagram: three application stacks on the same infrastructure of network, storage and server.)
– Bare metal application layer: Infrastructure → Host-OS → Apps
– Virtualized application layer: Infrastructure → Hypervisor / Host-OS → Guest OS → Apps
– Containerized application layer: Infrastructure → Host-OS → Container → Apps
Docker In Brief
• Vision: Build, Ship, and Run Any App Anywhere
• Both: a company and an open source ecosystem (under the Apache license V2.0 since 2013)
• Docker is a tool chain written in Go that simplifies the creation and management of containers.
• Paradigm shift: “new” packaging model for deploying applications and services
• Containers: A self-contained portable environment for packaging, deploying, and executing applications and services. Contains all execution dependencies for a service (one process == one container)
• Better resource utilization: VMs virtualize the CPU, containers virtualize process(es) (lightweight: launch in ms vs s, doesn't consume OS memory)
• Application Lifecycle Management impact:
– Build and configure once (integrated DevOps), and rebuild often ;-)
– Deploy anywhere (laptop, server, cloud, …)
The Dev / Sec / Ops pipeline
(Diagram: Build + Ship + Run)
Agile development environment: Tested. Integrated. Portable. Optimized. Secured.
From infrastructure to the cloud: Composable Infrastructure, Hybrid Cloud, Cloud native & monolith applications
Actors: Developers, Communities enablement, QA/Test, Operations
What is Docker's value-add?
Run applications in a neutral, lightweight and portable way
Bundle: Everything packed together
Layers: Images (ro) & containers (rw) using a union FS
Registry: public/private registry of shared images
Dockerfile: descriptive build of an image
Volumes: loopback mounting host FS into container
Ports: expose container services port to the host
Portable: created once, run everywhere (on a given OS)
Management: REST API/CLI
Enterprise: Docker Enterprise (formerly DDC)
Solomon Hykes, Docker Inc.
A layered approach
Images
– Local or remote reference content to initiate a container
– Multiple images can be layered, adding content each time, using a Copy-on-Write FS
– Cache to speed up repeated operations
Containers
– Last layer providing rw access to the cumulated set of images
– 1 application + its deps == 1 container
Demo 1: Managing images and containers
# List images
$ docker images
# Pull and run a container
$ docker run -t -i repo:tag bash
# List containers
$ docker ps [-a] [-q]
Basic Docker Workflow
(Diagram: my computer runs a local Docker Engine holding images and containers; images are exchanged with a Docker registry such as Docker Hub; a Dockerfile builds an image.)
Dockerfile
# Image names must be lowercase
FROM ubuntu
MAINTAINER pingouin@hpe.com
# apt-get needs -y to run non-interactively during a build
RUN apt-get update && apt-get install -y apache2
ADD website /var/www/html/website
EXPOSE 80
# On Ubuntu the Apache binary is apache2; keep it in the foreground
CMD ["apache2ctl", "-D", "FOREGROUND"]
Demo 2: Dockerfile, a recipe to build Docker images
# Dockerfile
$ cat Dockerfile
FROM localhost:5000/pb:mageia-4-x86_64
RUN urpmi --force --auto apache
# ADD of a URL only downloads the archive; remote files are not unpacked automatically
ADD https://download.owncloud.org/community/owncloud-7.0.3.tar.bz2 /var/www/html
RUN urpmi --force --auto php php-dom php-mbstring php-pdo php-gd
RUN chown -R apache:apache /var/www/html
# Add persistent volume.
VOLUME /data
COPY run.sh /run.sh
# Only 1 CMD!
CMD /run.sh
# Build image using the Dockerfile
$ docker build .
Security
• Containerized (CTN) apps are more secure than bare-metal (BM) apps
• Docker follows the least privilege principle
• Different security isolation than VMs (combine containers & VMs for improved security)
• Uses cgroups, seccomp, namespaces, capabilities. Benefits from SELinux, AppArmor, grsecurity, PaX
• Depends on choices and practices:
– Use of root privilege (only when necessary)
– Disable SUID
– Fine-grained privileges
– Use advanced Docker configuration options
• Trusted images / container secrets:
– Official images / signed images
– Vault: open source project for managing secrets
• Container delivery pipeline can/should include security testing
• Management of images and containers with regard to security updates
● Container security continues to improve, while it is understandably a hot topic
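The practices listed above (root use, fine-grained privileges, SUID, advanced configuration options) can be checked on a running container from the JSON that `docker inspect` prints. The audit below is an added example, not code from the talk or from Docker; the field names are the ones docker inspect emits, while the two container documents are constructed samples trimmed to those fields, with made-up names and image.

```python
import json

# Constructed sample of `docker inspect <container>` output for a container
# started with the defaults plus a few risky flags (values are made up).
WEAK_CONTAINER = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/web-demo",
    "Config": {"User": "", "Image": "example/web:1.0"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": ["seccomp=unconfined"],
        "ReadonlyRootfs": False,
        "PidMode": "",
        "NetworkMode": "bridge",
    },
}])

# The same constructed container started with the options the slide recommends.
HARDENED_CONTAINER = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/web-demo",
    "Config": {"User": "1000:1000", "Image": "example/web:1.0"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges:true"],
        "ReadonlyRootfs": True,
        "PidMode": "",
        "NetworkMode": "bridge",
    },
}])


def audit_container(inspect_json):
    """Return (code, explanation) findings for one `docker inspect` document.

    An empty list means the container passes every check this example makes.
    """
    findings = []
    for entry in json.loads(inspect_json):
        name = entry.get("Name", "?")
        cfg = entry.get("Config") or {}
        host = entry.get("HostConfig") or {}

        def flag(code, why):
            findings.append((code, f"{name}: {why}"))

        # Root use: an empty USER means the container's process runs as uid 0.
        user = (cfg.get("User") or "").split(":")[0]
        if user in ("", "root", "0"):
            flag("root-user", "process runs as root; set USER in the Dockerfile or pass --user")
        if host.get("Privileged"):
            flag("privileged", "--privileged hands over all capabilities and host devices")
        # Fine-grained privileges: drop everything, then add back only what is needed.
        cap_add = host.get("CapAdd") or []
        cap_drop = [c.upper() for c in (host.get("CapDrop") or [])]
        if cap_add:
            flag("cap-add", "extra capabilities added: " + ", ".join(cap_add))
        if "ALL" not in cap_drop:
            flag("no-cap-drop-all", "default capability set kept; prefer --cap-drop=ALL")
        # Advanced options: seccomp profile and no_new_privs (neutralises SUID binaries).
        sec_opts = host.get("SecurityOpt") or []
        if any(o.startswith("seccomp=unconfined") for o in sec_opts):
            flag("seccomp-unconfined", "seccomp syscall filtering disabled")
        if not any(o.startswith("no-new-privileges") for o in sec_opts):
            flag("no-new-privileges", "missing no-new-privileges, so SUID binaries can still escalate")
        if not host.get("ReadonlyRootfs"):
            flag("writable-rootfs", "root filesystem is writable; use --read-only plus explicit volumes")
        # Sharing the host pid or network namespace removes that isolation boundary.
        for key, ns in (("PidMode", "pid"), ("NetworkMode", "network")):
            if host.get(key) == "host":
                flag(f"host-{ns}-namespace", f"shares the host {ns} namespace")
    return findings


def is_hardened(inspect_json):
    """True when audit_container() reports nothing."""
    return not audit_container(inspect_json)


if __name__ == "__main__":
    for code, why in audit_container(WEAK_CONTAINER):
        print(f"[{code}] {why}")
    print("hardened sample clean:", is_hardened(HARDENED_CONTAINER))
```

On a real host, pipe `docker inspect <container>` into audit_container; the check covers the options on this slide only and is not a substitute for a full CIS-style benchmark.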
The Docker & Containers Ecosystem
Docker’s world: Docker solutions and plumbing tools
– Docker Engine: creates & runs containers
– Docker Machine: automated provisioning
– Docker Compose: service composition
– Docker Hub/Registry: package & distribution
– Docker UCP: deploy & manage
– Docker Swarm: native host clustering
– Docker Libnetwork: networking
– Notary: security
– Plugins: extensibility
Docker Compose – yaml file example
weba:
  build: .
  expose:
    - 80
webb:
  build: .
  expose:
    - 80
haproxy:
  image: hypriot/rpi-haproxy
  volumes:
    - haproxy:/haproxy-override
  links:
    - weba
    - webb
  ports:
    - "80:80"
    - "70:70"
  expose:
    - "80"
    - "70"
Container Ecosystem – fantastic take-up
Docker – Leader – Engine, Cluster, Build, Remote execution, ...
Google – Open sourced Kubernetes container orchestration tool
Red Hat – Integrated Docker into their RHEL7 releases. RH Atomic CaaS solution. Redesigned OpenShift PaaS product to be based on Docker.
SUSE – Integrated Docker into their SLES 12 releases. CaaS offering based on Docker, Kubernetes, Portus. PaaS on top based on CF to come
CoreOS – Aim to be the best distribution to run Docker. Goodies such as etcd, fleetctl, Rocket
Mesosphere – Docker executor for Mesos (Chronos & Marathon)
OpenStack – Nova & Glance drivers, Magnum (piloting Kubernetes/Swarm), Kolla and Kuryr
Portainer.io – Management solution for Docker engines or swarms
Container Ecosystem – fantastic take-up continued...
IBM – Integrated Docker into SoftLayer PaaS. Published KVM/Docker benchmarks
Microsoft – Made available Linux images in their Azure IaaS with Docker functionality. Ongoing native Docker functionality for Windows Server
VMware – To integrate Docker functionality into vSphere. Joined Kubernetes initiative.
Pivotal (CloudFoundry) – Replacing Warden with Docker
(and Shipyard, Rancher, Panamax, ...)
Open Container Project
• Standard specifications for a runtime and an image, vendor/architecture independent
• Brings Docker and CoreOS back together (runC, appc, …)
• https://www.opencontainers.org
The history of resource containment on Linux
Linux Resources management Support
Linux Support Matrix
OS              | minimal NUMA | cgroups                                  | LXC                 | KVM                      | Namespace
Upstream Kernel | (not listed) | Linux 2.6.24 (Mar. 2008), 3.15/16 (2013) | Linux 2.6.29 (2010) | Linux 2.6.20 (Feb. 2007) | Linux 2.6.19/24 (2007), 3.8 (2013)
RHEL            | Yes (5.x)    | Yes (6.x)                                | Yes (6.3)           | Yes (5.4)                | Yes (7.x)
SLES            | Yes (10)     | Yes (11)                                 | Yes (11SP1)         | Yes (11)                 | Yes (12)
Fedora          | Yes          | Yes (F11)                                | Yes (F12)           | Yes (F7)                 | Yes (F19)
Ubuntu          | Yes          | Yes (10.04)                              | Yes (10.04)         | Yes (9.10)               | Yes (14.04)
Linux Control Groups
– Help to manage groups of processes
– Dedicated subsystems to manage specific resources:
  – Resource management: CPU shares, memory, blkio
  – Resource pools: CPU sets, ns, freezer, checkpoint/restart
– Implemented as a special cgroup file system
– Cgroup commands: cgcreate, cgexec, cgclear, cgclassify, ...
– Cgroup services:
  ● cgconfig (/etc/cgconfig.conf), defines cgroups and mount points
  ● cgred (/etc/cgrules.conf), defines rules between tasks and cgroups
– These are provided by libcgroup on top of the kernel cgroup virtual file system to allow persistence across reboots and ease of use.
– Docker associates a cgroup to each container
(Diagram: Share / Dedicate)
Linux workload management
Shared resources example: ‘cpu’ cgroup subsystem
– 'cpu' cgroup subsystem
  • cpu.shares
    – Shares default to 1024
    – Customization example:
Example of /etc/cgconfig.conf file:
mount {
    cpu = /cgroup/cpu;
}
group default {
    cpu {
        cpu.shares = 1024;
    }
}
group db1 {
    cpu {
        cpu.shares = 3072;
    }
}
group db2 {
    cpu {
        cpu.shares = 6144;
    }
}
Linux resource pools
Dedicated resources example: ‘cpuset’ cgroup subsystem
– cgroup subsystems:
  • cpuset
    − sets of CPUs
    − sets of memory nodes (NUMA)
  • memory
    − limits the amount of RAM, or RAM + swap
    − gives the current usage
  • blkio
    − changes the behavior of the Linux CFQ (Completely Fair Queuing) I/O scheduler
Example of /etc/cgconfig.conf file:
mount {
    cpuset = /cgroup/cpuset;
}
group default {
    cpuset {
        cpuset.cpus = "0-2"; cpuset.mems = "0-2";
    }
}
group db2 {
    cpuset {
        cpuset.cpus = "4-6"; cpuset.mems = "4-6";
    }
}
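The cgconfig.conf fragments on this slide and on the previous cpu.shares slide can be validated before libcgroup loads them: cpu.shares is a relative weight, so the fraction each group gets only follows from the whole file, and a cpuset is only "dedicated" if no other group claims the same CPUs. The parser and the two checks below are an added example, not part of the talk or of libcgroup; the two configuration fragments are the slides' own, embedded inline (with the libcgroup key cpuset.mems).

```python
import re

# The two /etc/cgconfig.conf fragments shown on the slides, embedded as strings
# so the example runs offline (cpuset uses the libcgroup key cpuset.mems).
CPU_CONF = """
mount { cpu = /cgroup/cpu; }
group default { cpu { cpu.shares = 1024; } }
group db1 { cpu { cpu.shares = 3072; } }
group db2 { cpu { cpu.shares = 6144; } }
"""

CPUSET_CONF = """
mount { cpuset = /cgroup/cpuset; }
group default { cpuset { cpuset.cpus = "0-2"; cpuset.mems = "0-2"; } }
group db2 { cpuset { cpuset.cpus = "4-6"; cpuset.mems = "4-6"; } }
"""

# Tokens: quoted strings, the punctuation { } ; =, or any other bare word.
_TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};=]+')


def parse_cgconfig(text):
    """Parse cgconfig.conf's brace/semicolon syntax into plain dicts.

    Result: {"mount": {controller: path}, "groups": {name: {controller: {key: value}}}}.
    """
    tokens = _TOKEN.findall(text)
    pos = 0

    def expect(tok):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != tok:
            raise ValueError(f"expected {tok!r} at token {pos}")
        pos += 1

    def block():
        # Called just after '{'; reads "key = value;" and nested "key { ... }" until '}'.
        nonlocal pos
        out = {}
        while tokens[pos] != "}":
            key = tokens[pos]
            pos += 1
            if tokens[pos] == "=":
                out[key] = tokens[pos + 1].strip('"')
                pos += 2
                if tokens[pos] == ";":
                    pos += 1
            elif tokens[pos] == "{":
                pos += 1
                out[key] = block()
            else:
                raise ValueError(f"unexpected {tokens[pos]!r} after {key!r}")
        pos += 1  # consume the closing '}'
        return out

    conf = {"mount": {}, "groups": {}}
    while pos < len(tokens):
        keyword = tokens[pos]
        pos += 1
        if keyword == "mount":
            expect("{")
            conf["mount"].update(block())
        elif keyword == "group":
            name = tokens[pos]
            pos += 1
            expect("{")
            conf["groups"][name] = block()
        else:
            raise ValueError(f"unknown top-level keyword {keyword!r}")
    return conf


def cpu_share_fractions(conf):
    """CPU fraction each group receives when all groups compete for the CPU.

    cpu.shares is a relative weight (kernel default 1024), not a hard limit.
    """
    shares = {name: int(g.get("cpu", {}).get("cpu.shares", 1024))
              for name, g in conf["groups"].items()}
    total = sum(shares.values())
    return {name: s / total for name, s in shares.items()}


def expand_range_list(spec):
    """Expand the cpuset list format, e.g. '0-2,5' -> {0, 1, 2, 5}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def cpuset_overlaps(conf):
    """Pairs of groups whose cpuset.cpus intersect: those CPUs are shared, not dedicated."""
    cpus = {name: expand_range_list(g["cpuset"]["cpuset.cpus"])
            for name, g in conf["groups"].items() if "cpuset" in g}
    names = sorted(cpus)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if cpus[a] & cpus[b]]
```

With the slide's values the groups get 10%, 30% and 60% of the CPU under contention, and the two cpusets do not overlap.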
OS Virtualization (‘LXC / Docker’ containers)
– Applications in a zone are isolated from the others (chroot on steroids)
  • Security (as secure as your kernel)
  • Namespaces (root, UID, GID, network, PID, IPC, mount points, hostname/uts)
  • Cgroup granularity
  • Single OS image manages HW accesses
  • Performance & transparency: neither emulation nor full virtualization
  • Netfilter for network isolation (NAT and port forwarding)
  • AuFS overlays isolated file systems on top of a physical file system
– Other technologies available
  • V-Server
  • Virtuozzo
  • OpenVZ
(Diagram: Linux Containers OS Virt, https://blog.docker.com/wp-content/uploads/2014/03/docker-execdriver-diagram.png)
30/03/2023 Private | Confidential | Internal Use Only
Use case: Continuous Packaging with Docker
(Diagram labels: Project; Build + metadata; Project Repository; Local Build Server; Local build; Docker Containers; Packagers; Developers.)
”Changes are never easy to make. There is comfort and safety in tradition, but change must come, no matter how painful or expensive it may be.”
Bill Hewlett
Bruno.Cornec@hpe.com (Open Source and Linux Technology Strategist at the HP/Intel Solution Center)
http://downloads.linux.hpe.com/
Linus Torvalds, Richard Stallman, Eric Raymond, Nat Makarevitch, René Cougnenc, Eric Dumas, Rémy Card, Bdale Garbee, Bryan Gartner, Craig Lamparter, Lee Mayes, Gallig Renaud, Andree Leidenfrost, Phil Robb, Bob Gobeille, Martin Michlmayr among others, for their work and devotion to the Open Source Software cause... and my family for their patience :-)
THANK YOU
