SlideShare ist ein Scribd-Unternehmen logo

Containerization is more than the new Virtualization: enabling separation of operational concerns

Jérôme Petazzoni
Jérôme Petazzoni

Docker offers a new, lightweight approach to application portability. Applications are shipped using a common container format, and managed with a high-level API. Their processes run within isolated namespaces which abstract the operating environment, independently of the distribution, versions, network setup, and other details of this environment. This "containerization" has often been nicknamed "the new virtualization". But containers are more than lightweight virtual machines. Beyond their smaller footprint, shorter boot times, and higher consolidation factors, they also bring a lot of new features and use cases which were not possible with classical virtual machines. We will focus on one of those features: separation of operational concerns. Specifically, we will demonstrate how some fundamental tasks like logging, remote access, backups, and troubleshooting can be entirely decoupled from the deployment of applications and services. This decoupling results in independent, smaller, simpler moving parts; just like microservice architectures break down large monolithic apps in more manageable components.

Technologie
1 von 61
Downloaden Sie, um offline zu lesen
containerization: more than the new virtualization
Jérôme Petazzoni (@jpetazzo) Grumpy French DevOps - Go away or I will replace you with a very small shell script Runs everything in containers - Docker-in-Docker - VPN-in-Docker - KVM-in-Docker - Xorg-in-Docker - ...
outline
Outline Containers as lightweight VMs Containers vs VMs Separation of operational concerns Benefits Conclusions
containers as lightweight VMs
It looks like a VM Private process space Can run stuff as root Private network interface and IP address Custom routes, iptables rules, etc. Can mount filesystems and more
Process tree in a “machine container” PID TTY STAT TIME COMMAND 1 ? Ss+ 0:00 /usr/bin/python3 -u /sbin/my_init --enable-insecure-key 104 ? S+ 0:00 /usr/bin/runsvdir -P /etc/service 105 ? Ss 0:00 _ runsv syslog-ng 108 ? S 0:00 | _ syslog-ng -F -p /var/run/syslog-ng.pid --no-caps 106 ? Ss 0:00 _ runsv sshd 109 ? S 0:00 | _ /usr/sbin/sshd -D 117 ? Ss 0:00 | _ sshd: root@pts/0 119 pts/0 Ss 0:00 | _ -bash 135 pts/0 R+ 0:00 | _ ps fx 107 ? Ss 0:00 _ runsv cron 110 ? S 0:00 _ /usr/sbin/cron -f
Faster to boot, less overhead than a VM $ time docker run ubuntu echo hello world hello world real 0m0.258s Disk usage: less than 100 kB Memory usage: less than 1.5 MB
Benchmark: infiniband
Benchmark: boot OpenStack instances
Benchmark: memory speed
impossibru!
containers vs virtual machines
Virtual Machines Emulate CPU instructions (painfully slow) Emulate hardware (storage, network...) (painfully slow) Run as a userland process on top of a kernel (painfully slow)
Virtual Machines Use native CPU (fast!) Paravirtualized storage, network... (fast, but higher resource usage) Run on top of a hypervisor (faster, but still some overhead)
Containers Processes isolated from each other Very little extra code path (in many cases, it's comparable to UID checking)
Virtual Machines vs Containers Native CPU Paravirtualized devices Hypervisor Native CPU Native syscalls Native kernel
Inter-VM communication Strong isolation, enforced by hypervisor + hardware - no fast-path data transfer between virtual machines - yes, there are PCI pass-throughs and things like xenbus, but that's not easy to use, very specific, not portable Most convenient method: network protocols (L2/L3) But: huge advantage from a security POV
Inter-container communication Tunable isolation - each namespace can be isolated or shared Allows normal Unix communication mechanisms - network protocols on loopback interface - UNIX sockets - shared memory - IPC... Reuse techniques that we know and love (?)
inter-container communication
Shared localhost Multiple containers can share the same “localhost” (by reusing the same network namespace) Communication over localhost is very very fast Also: localhost is a well-known address
Shared filesystem A directory can be shared by multiple containers (by using a bind-mount) That directory can contain: - named pipes (FIFOs) - UNIX sockets - memory-mapped files Bind-mount = zero overhead
Shared IPC Multiple containers can share IPC resources (using the special IPC namespace) Semaphores, Shared Memory, Message Queues... Is anybody still using this?
Host networking Containers can share the host's network stack (by reusing its network namespace) They can use the host's interfaces without penalty (high speed, low latency, no overhead!) Native performance to talk with external containers
Host filesystems Containers can share a directory with the host Example: use fast storage (SAN, SSD...) in container - mount it on the host - share it with the container - done! Native performance to use I/O subsystem
separation of operational concerns
...What? “Ops” functions (backups, logging...) can be performed in separate containers Application containers can run unchanged in various environments: dev, test, QA, prod...
logs
Old style ssh into container cd /var/log tail, grep, ack-grep, awk, sed, apachetop, perl, etc.
New style Create a “data container” to hold the logs docker run --name logs -v /var/log busybox true Start app container sharing that volume docker run --volumes-from logs myapp Inspect logs docker run -ti --volumes-from logs -w /var/log ubuntu bash Use fancy tools without polluting app container docker run -ti --volumes-from logs turbogrep ...
Bonus points Ship logs to something else (logstash, syslog...) docker run --volumes-from logs pipestash Change logging system independently: - without rebuilding app container - without restarting app container - run multiple logging systems at the same time (e.g. for migration)
backups
Old style Prepare the tools - install things like rsync, s3cmd, boto, mysqldump... - get backup script Perform one-shot manual backup - SSH and run the backup script Set up routine backups - edit crontab
New style: setup Create a “data container” to hold the files to back up docker run --name mysqldata -v /var/lib/mysql busybox true Start app container sharing that volume docker run --volumes-from mysqldata mysql Create a separate image with backup tools - Dockerfile with “apt-get install rsync s3cmd...”
New style: one-shot manual backup Use the special backup image docker run --rm --volumes-from mysqldata mysqlbackup tar -cJf- /var/lib/mysql | stream-it-to-the-cloud.py Of course, you can use something fancier than tar (e.g. rsync, tarsnap...)
New style: routine backups Option 1 - run “crond” in backup image - start backup image and keep it running Option 2 - start backup script from a crontab entry on the Docker host Option 3 - have a special “cron” container - give it access to the Docker API - let it start the backup container at regular intervals
network debugging
Old style ssh into container Install tcpdump, ngrep, … Run them
New style Make a container image with tcpdump, ngrep... (let's call it “netdebug”) Run it in the namespace of the application container docker run -ti --net container:<app_cid> netdebug bash Now run tcpdump, ngrep, etc. Want to copy a dump to see it with wireshark? docker run -ti --net container:... -v /tmp:/tmp netdebug tcpdump -s0 -peni eth0 -w/tmp/myapp.pcap
configuration tweaking
Old style ssh into container vi /etc/tomcat/something.xml (maybe) /etc/init.d/tomcat restart
New style Option 1 - set up /etc/tomcat to be a “data container” - start another container sharing this volume; install vi/emacs here Option 2 - set up /etc/tomcat to be on the host: docker run -v /etc/containers/myapp:/etc/tomcat … If needed: restart the container - docker stop; docker start - docker kill -s HUP
epiphany
composition
Virtual Machine deployment Linux base system Libraries Application Logging Backups Metrics ...
With configuration management node www { include common include web include logstash include backup include graphite }
Problems Conflicts between two components - example: logging and metrics systems use different Java versions Software certified for different distro - example: one component requires RHEL 6.4 but you run Ubuntu Migration from one component to another - example: from syslog to splunk
Container deployment Linux base system Docker Application container Logging container Backups container Metrics container ...
benefits
Immutable infrastructure What's an immutable infrastructure? - re-create images each time you change a line of code - prevent (or track) modifications of running images Why is it useful? - no more rebellious servers after manual upgrades - no more “oops, how do we roll back?” after catastrophic upgrade - easier security audit (inspect images at rest) How can containers help? - container images are easier to create and manage than VM images
Micro-service architecture What's a micro-service architecture? - break your big application down into many small services Why is it useful? - it's easier to upgrade/refactor/replace a small service - encourages to have many small teams*, each owning a service (*small teams are supposedly better; see Jeff Bezos' “two-pizza rule”) How can containers help? - problem: 10 micro-services instead of 1 big application = 10x more work to deploy everything - solution: need extremely easy deployment; hello containers!
thank you! questions?

Empfohlen

ansible why ?
ansible why ?ansible why ?
ansible why ?
Yashar Esmaildokht
 
Virtualization Vs. Containers
Virtualization Vs. ContainersVirtualization Vs. Containers
Virtualization Vs. Containers
actualtechmedia
 
Vmware overview
Vmware overviewVmware overview
Vmware overview
Syed Zeeshan
 
Lecture5 virtualization
Lecture5 virtualizationLecture5 virtualization
Lecture5 virtualization
hktripathy
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with Kubernetes
Ramit Surana
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
Instruqt
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Winton Winton
 

Empfohlen

ansible why ?
ansible why ?ansible why ?
ansible why ?
Yashar Esmaildokht
 
Virtualization Vs. Containers
Virtualization Vs. ContainersVirtualization Vs. Containers
Virtualization Vs. Containers
actualtechmedia
 
Vmware overview
Vmware overviewVmware overview
Vmware overview
Syed Zeeshan
 
Lecture5 virtualization
Lecture5 virtualizationLecture5 virtualization
Lecture5 virtualization
hktripathy
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with Kubernetes
Ramit Surana
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
Instruqt
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Winton Winton
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
VMware Esx Short Presentation
VMware Esx Short PresentationVMware Esx Short Presentation
VMware Esx Short Presentation
Barcamp Cork
 
Virtualization
VirtualizationVirtualization
Virtualization
vishnurk
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
Virtualization
VirtualizationVirtualization
Virtualization
Kumar Harsha
 
Virtualization 101
Virtualization 101Virtualization 101
Virtualization 101
Gaurav Marwaha
 
The kvm virtualization way
The kvm virtualization wayThe kvm virtualization way
The kvm virtualization way
Francisco Gonçalves
 
Ingress overview
Ingress overviewIngress overview
Ingress overview
Harshal Shah
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
Araf Karsh Hamid
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
CoreStack
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
Stefan Schimanski
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
John Lynch
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
Sparkbit
 
Introduction to virtualization
Introduction to virtualizationIntroduction to virtualization
Introduction to virtualization
Sasikumar Thirumoorthy
 
VMware Vsphere Graduation Project Presentation
VMware Vsphere Graduation Project PresentationVMware Vsphere Graduation Project Presentation
VMware Vsphere Graduation Project Presentation
Rabbah Adel Ammar
 
Introduction to Hyper-V
Introduction to Hyper-VIntroduction to Hyper-V
Introduction to Hyper-V
Mark Wilson
 
Elasticsearch Monitoring in Openshift
Elasticsearch Monitoring in OpenshiftElasticsearch Monitoring in Openshift
Elasticsearch Monitoring in Openshift
Lukas Vlcek
 
VMWARE ESX
VMWARE ESXVMWARE ESX
VMWARE ESX
Yogeshwaran R
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerization
Balint Pato
 
Software Containerization
Software ContainerizationSoftware Containerization
Software Containerization
Roshan Deniyage
 

Weitere ähnliche Inhalte

Was ist angesagt?

An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
Trang Nguyen
 

Was ist angesagt? (20)

An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
VMware Esx Short Presentation
VMware Esx Short PresentationVMware Esx Short Presentation
VMware Esx Short Presentation
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Introduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang NguyenIntroduction of Kubernetes - Trang Nguyen
Introduction of Kubernetes - Trang Nguyen
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Virtualization 101
Virtualization 101Virtualization 101
Virtualization 101
 
The kvm virtualization way
The kvm virtualization wayThe kvm virtualization way
The kvm virtualization way
 
Ingress overview
Ingress overviewIngress overview
Ingress overview
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Introduction to Ansible
Introduction to AnsibleIntroduction to Ansible
Introduction to Ansible
 
Kubernetes Architecture and Introduction
Kubernetes Architecture and IntroductionKubernetes Architecture and Introduction
Kubernetes Architecture and Introduction
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
Introduction to virtualization
Introduction to virtualizationIntroduction to virtualization
Introduction to virtualization
 
VMware Vsphere Graduation Project Presentation
VMware Vsphere Graduation Project PresentationVMware Vsphere Graduation Project Presentation
VMware Vsphere Graduation Project Presentation
 
Introduction to Hyper-V
Introduction to Hyper-VIntroduction to Hyper-V
Introduction to Hyper-V
 
Elasticsearch Monitoring in Openshift
Elasticsearch Monitoring in OpenshiftElasticsearch Monitoring in Openshift
Elasticsearch Monitoring in Openshift
 
VMWARE ESX
VMWARE ESXVMWARE ESX
VMWARE ESX
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 

Andere mochten auch

Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0
guest72e8c1
 
Essence Of Containerizati on 230508
Essence Of Containerizati on 230508 Essence Of Containerizati on 230508
Essence Of Containerizati on 230508
jansowri
 
Continuous delivery with Gradle
Continuous delivery with GradleContinuous delivery with Gradle
Continuous delivery with Gradle
Bob Paulin
 

Andere mochten auch (20)

Intro to containerization
Intro to containerizationIntro to containerization
Intro to containerization
 
Software Containerization
Software ContainerizationSoftware Containerization
Software Containerization
 
Containerization
ContainerizationContainerization
Containerization
 
Devops is all greek
Devops is all greekDevops is all greek
Devops is all greek
 
Virtual machines and containers
Virtual machines and containersVirtual machines and containers
Virtual machines and containers
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0Rmll Virtualization As Is Tool 20090707 V1.0
Rmll Virtualization As Is Tool 20090707 V1.0
 
Virutal Box
Virutal BoxVirutal Box
Virutal Box
 
A Primer to Containerization & Microservices
A Primer to Containerization & MicroservicesA Primer to Containerization & Microservices
A Primer to Containerization & Microservices
 
Hide your development environment and application in a container
Hide your development environment and application in a containerHide your development environment and application in a container
Hide your development environment and application in a container
 
Containerization using docker
Containerization using dockerContainerization using docker
Containerization using docker
 
Essence Of Containerizati on 230508
Essence Of Containerizati on 230508 Essence Of Containerizati on 230508
Essence Of Containerizati on 230508
 
Discussing the difference between docker dontainers and virtual machines
Discussing the difference between docker dontainers and virtual machinesDiscussing the difference between docker dontainers and virtual machines
Discussing the difference between docker dontainers and virtual machines
 
NoOps != No Operations
NoOps != No OperationsNoOps != No Operations
NoOps != No Operations
 
Virtualization with Vagrant (ua.pycon 2011)
Virtualization with Vagrant (ua.pycon 2011)Virtualization with Vagrant (ua.pycon 2011)
Virtualization with Vagrant (ua.pycon 2011)
 
bed-con 2015 - From Virtual Machines to Containers
bed-con 2015 - From Virtual Machines to Containersbed-con 2015 - From Virtual Machines to Containers
bed-con 2015 - From Virtual Machines to Containers
 
Docker containerization cookbook
Docker containerization cookbookDocker containerization cookbook
Docker containerization cookbook
 
Continuous delivery with Gradle
Continuous delivery with GradleContinuous delivery with Gradle
Continuous delivery with Gradle
 
Docker Basics
Docker BasicsDocker Basics
Docker Basics
 
Reactive Programming Models for IoT
Reactive Programming Models for IoTReactive Programming Models for IoT
Reactive Programming Models for IoT
 

Ähnlich wie Containerization is more than the new Virtualization: enabling separation of operational concerns

Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
Docker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in Production
Docker, Inc.
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Containers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific TrioContainers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific Trio
Jérôme Petazzoni
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
Jérôme Petazzoni
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant
Ricardo Amaro
 

Ähnlich wie Containerization is more than the new Virtualization: enabling separation of operational concerns (20)

Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New Virtualization
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
 
Docker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing MeetupDocker Tips And Tricks at the Docker Beijing Meetup
Docker Tips And Tricks at the Docker Beijing Meetup
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
Docker-v3.pdf
Docker-v3.pdfDocker-v3.pdf
Docker-v3.pdf
 
Docker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in ProductionDocker Online Meetup #3: Docker in Production
Docker Online Meetup #3: Docker in Production
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Dockerizing a Symfony2 application
Dockerizing a Symfony2 applicationDockerizing a Symfony2 application
Dockerizing a Symfony2 application
 
Build High-Performance, Scalable, Distributed Applications with Stacks of Co...
Build High-Performance, Scalable, Distributed Applications with Stacks of Co... Build High-Performance, Scalable, Distributed Applications with Stacks of Co...
Build High-Performance, Scalable, Distributed Applications with Stacks of Co...
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Containers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific TrioContainers, Docker, and Microservices: the Terrific Trio
Containers, Docker, and Microservices: the Terrific Trio
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
ExpoQA 2017 Using docker to build and test in your laptop and Jenkins
ExpoQA 2017 Using docker to build and test in your laptop and JenkinsExpoQA 2017 Using docker to build and test in your laptop and Jenkins
ExpoQA 2017 Using docker to build and test in your laptop and Jenkins
 
Linux containers and docker
Linux containers and dockerLinux containers and docker
Linux containers and docker
 
Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015Containers: from development to production at DevNation 2015
Containers: from development to production at DevNation 2015
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant
 

Mehr von Jérôme Petazzoni

Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...
Jérôme Petazzoni
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
Jérôme Petazzoni
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Jérôme Petazzoni
 
Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)
Jérôme Petazzoni
 
Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
Jérôme Petazzoni
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
Jérôme Petazzoni
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
Jérôme Petazzoni
 
Docker: automation for the rest of us
Docker: automation for the rest of usDocker: automation for the rest of us
Docker: automation for the rest of us
Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Jérôme Petazzoni
 

Mehr von Jérôme Petazzoni (20)

Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...Use the Source or Join the Dark Side: differences between Docker Community an...
Use the Source or Join the Dark Side: differences between Docker Community an...
 
Orchestration for the rest of us
Orchestration for the rest of usOrchestration for the rest of us
Orchestration for the rest of us
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...
 
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
 
From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...From development environments to production deployments with Docker, Compose,...
From development environments to production deployments with Docker, Compose,...
 
How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)How to contribute to large open source projects like Docker (LinuxCon 2015)
How to contribute to large open source projects like Docker (LinuxCon 2015)
 
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)Microservices. Microservices everywhere! (At OSCON 2015)
Microservices. Microservices everywhere! (At OSCON 2015)
 
Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015Deploy microservices in containers with Docker and friends - KCDC2015
Deploy microservices in containers with Docker and friends - KCDC2015
 
Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)Immutable infrastructure with Docker and containers (GlueCon 2015)
Immutable infrastructure with Docker and containers (GlueCon 2015)
 
The Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deploymentThe Docker ecosystem and the future of application deployment
The Docker ecosystem and the future of application deployment
 
Docker: automation for the rest of us
Docker: automation for the rest of usDocker: automation for the rest of us
Docker: automation for the rest of us
 
Docker Non Technical Presentation
Docker Non Technical PresentationDocker Non Technical Presentation
Docker Non Technical Presentation
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
 
Introduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyIntroduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange County
 

Kürzlich hochgeladen

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 

Containerization is more than the new Virtualization: enabling separation of operational concerns

  • 1. containerization: more than the new virtualization
  • 2. Jérôme Petazzoni (@jpetazzo) Grumpy French DevOps - Go away or I will replace you with a very small shell script Runs everything in containers - Docker-in-Docker - VPN-in-Docker - KVM-in-Docker - Xorg-in-Docker - ...
  • 3.
  • 5. Outline Containers as lightweight VMs Containers vs VMs Separation of operational concerns Benefits Conclusions
  • 6.
  • 8. It looks like a VM Private process space Can run stuff as root Private network interface and IP address Custom routes, iptables rules, etc. Can mount filesystems and more
  • 9. Process tree in a “machine container” PID TTY STAT TIME COMMAND 1 ? Ss+ 0:00 /usr/bin/python3 -u /sbin/my_init --enable-insecure-key 104 ? S+ 0:00 /usr/bin/runsvdir -P /etc/service 105 ? Ss 0:00 _ runsv syslog-ng 108 ? S 0:00 | _ syslog-ng -F -p /var/run/syslog-ng.pid --no-caps 106 ? Ss 0:00 _ runsv sshd 109 ? S 0:00 | _ /usr/sbin/sshd -D 117 ? Ss 0:00 | _ sshd: root@pts/0 119 pts/0 Ss 0:00 | _ -bash 135 pts/0 R+ 0:00 | _ ps fx 107 ? Ss 0:00 _ runsv cron 110 ? S 0:00 _ /usr/sbin/cron -f
  • 10. Faster to boot, less overhead than a VM $ time docker run ubuntu echo hello world hello world real 0m0.258s Disk usage: less than 100 kB Memory usage: less than 1.5 MB
  • 15.
  • 17. Virtual Machines Emulate CPU instructions (painfully slow) Emulate hardware (storage, network...) (painfully slow) Run as a userland process on top of a kernel (painfully slow)
  • 18. Virtual Machines Use native CPU (fast!) Paravirtualized storage, network... (fast, but higher resource usage) Run on top of a hypervisor (faster, but still some overhead)
  • 19. Containers Processes isolated from each other Very little extra code path (in many cases, it's comparable to UID checking)
  • 20. Virtual Machines vs Containers Native CPU Paravirtualized devices Hypervisor Native CPU Native syscalls Native kernel
  • 21. Inter-VM communication Strong isolation, enforced by hypervisor + hardware - no fast-path data transfer between virtual machines - yes, there are PCI pass-throughs and things like xenbus, but that's not easy to use, very specific, not portable Most convenient method: network protocols (L2/L3) But: huge advantage from a security POV
  • 22. Inter-container communication Tunable isolation - each namespace can be isolated or shared Allows normal Unix communication mechanisms - network protocols on loopback interface - UNIX sockets - shared memory - IPC... Reuse techniques that we know and love (?)
  • 23.
  • 25. Shared localhost Multiple containers can share the same “localhost” (by reusing the same network namespace) Communication over localhost is very very fast Also: localhost is a well-known address
  • 26. Shared filesystem A directory can be shared by multiple containers (by using a bind-mount) That directory can contain: - named pipes (FIFOs) - UNIX sockets - memory-mapped files Bind-mount = zero overhead
  • 27. Shared IPC Multiple containers can share IPC resources (using the special IPC namespace) Semaphores, Shared Memory, Message Queues... Is anybody still using this?
  • 28. Host networking Containers can share the host's network stack (by reusing its network namespace) They can use the host's interfaces without penalty (high speed, low latency, no overhead!) Native performance to talk with external containers
  • 29. Host filesystems Containers can share a directory with the host Example: use fast storage (SAN, SSD...) in container - mount it on the host - share it with the container - done! Native performance to use I/O subsystem
  • 30.
  • 32. ...What? “Ops” functions (backups, logging...) can be performed in separate containers Application containers can run unchanged in various environments: dev, test, QA, prod...
  • 33. logs
  • 34. Old style ssh into container cd /var/log tail, grep, ack-grep, awk, sed, apachetop, perl, etc.
  • 35. New style Create a “data container” to hold the logs docker run --name logs -v /var/log busybox true Start app container sharing that volume docker run --volumes-from logs myapp Inspect logs docker run -ti --volumes-from logs -w /var/log ubuntu bash Use fancy tools without polluting app container docker run -ti --volumes-from logs turbogrep ...
  • 36. Bonus points Ship logs to something else (logstash, syslog...) docker run --volumes-from logs pipestash Change logging system independently: - without rebuilding app container - without restarting app container - run multiple logging systems at the same time (e.g. for migration)
  • 38. Old style Prepare the tools - install things like rsync, s3cmd, boto, mysqldump... - get backup script Perform one-shot manual backup - SSH and run the backup script Set up routine backups - edit crontab
  • 39. New style: setup Create a “data container” to hold the files to back up docker run --name mysqldata -v /var/lib/mysql busybox true Start app container sharing that volume docker run --volumes-from mysqldata mysql Create a separate image with backup tools - Dockerfile with “apt-get install rsync s3cmd...”
  • 40. New style: one-shot manual backup Use the special backup image docker run --rm --volumes-from mysqldata mysqlbackup tar -cJf- /var/lib/mysql | stream-it-to-the-cloud.py Of course, you can use something fancier than tar (e.g. rsync, tarsnap...)
  • 41. New style: routine backups Option 1 - run “crond” in backup image - start backup image and keep it running Option 2 - start backup script from a crontab entry on the Docker host Option 3 - have a special “cron” container - give it access to the Docker API - let it start the backup container at regular intervals
  • 43. Old style ssh into container Install tcpdump, ngrep, … Run them
  • 44. New style Make a container image with tcpdump, ngrep... (let's call it “netdebug”) Run it in the namespace of the application container docker run -ti --net container:<app_cid> netdebug bash Now run tcpdump, ngrep, etc. Want to copy a dump to see it with wireshark? docker run -ti --net container:... -v /tmp:/tmp netdebug tcpdump -s0 -peni eth0 -w/tmp/myapp.pcap
  • 46. Old style ssh into container vi /etc/tomcat/something.xml (maybe) /etc/init.d/tomcat restart
  • 47. New style Option 1 - set up /etc/tomcat to be a “data container” - start another container sharing this volume; install vi/emacs here Option 2 - set up /etc/tomcat to be on the host: docker run -v /etc/containers/myapp:/etc/tomcat … If needed: restart the container - docker stop; docker start - docker kill -s HUP
  • 48.
  • 50.
  • 52. Virtual Machine deployment Linux base system Libraries Application Logging Backups Metrics ...
  • 53. With configuration management node www { include common include web include logstash include backup include graphite }
  • 54. Problems Conflicts between two components - example: logging and metrics systems use different Java versions Software certified for different distro - example: one component requires RHEL 6.4 but you run Ubuntu Migration from one component to another - example: from syslog to splunk
  • 55. Container deployment Linux base system Docker Application container Logging container Backups container Metrics container ...
  • 56.
  • 58. Immutable infrastructure What's an immutable infrastructure? - re-create images each time you change a line of code - prevent (or track) modifications of running images Why is it useful? - no more rebellious servers after manual upgrades - no more “oops, how do we roll back?” after catastrophic upgrade - easier security audit (inspect images at rest) How can containers help? - container images are easier to create and manage than VM images
  • 59. Micro-service architecture What's a micro-service architecture? - break your big application down into many small services Why is it useful? - it's easier to upgrade/refactor/replace a small service - encourages to have many small teams*, each owning a service (*small teams are supposedly better; see Jeff Bezos' “two-pizza rule”) How can containers help? - problem: 10 micro-services instead of 1 big application = 10x more work to deploy everything - solution: need extremely easy deployment; hello containers!
  • 60.