The document is an agenda for an Upstate DevOps meetup event on March 28, 2019. It includes an introduction, thanks to event sponsors, a request for introductions from attendees, and a presentation on containers. The presentation covers what containers are, how they differ from virtual machines, common container runtimes and engines, Kubernetes basics, and new container tools like Buildah and Skopeo. It concludes with additional resource links.
2. UPSTATE DEVOPS - MARCH 28, 2019
TODAY’S AGENDA
▸ Lunch & Networking! ~ 11:30 - 12:00 PM
▸ Sponsor acknowledgement & introductions
▸ Today’s Topic ~ 12:00 - 12:45 PM
▸ Containers 101: What are they? Why should I care?
▸ Q/A and dismissal! ~ 12:45 - 1:00 PM
3. THANK YOU SPONSORS!
▸ Big thanks to Find Great People for the food!
▸ www.fgptech.com
▸ Big thanks to OpenWorks for the venue!
▸ www.joinopenworks.com
4. INTRODUCE YOURSELF…
▸ Name?
▸ What do you do & what company do you work for?
▸ Would you like to present in a future meeting?
5. CONTAINERS 101: WHAT ARE THEY? WHY SHOULD I CARE?
6. WHAT ARE CONTAINERS?
It depends who you ask.
Infrastructure view:
▸ Application processes on a shared kernel
▸ Simpler, lighter, and denser than VMs
▸ Portable across different environments
Applications view:
▸ Package apps with all dependencies
▸ Deploy to any environment in seconds
▸ Easily accessed and shared
7. VIRTUAL MACHINES AND CONTAINERS
Virtual machines: the VM isolates the hardware. Stack, bottom to top: Hardware, Hypervisor, VM (its own Kernel and OS Dependencies), App.
Containers: the container isolates the process. Stack, bottom to top: Hardware, Hypervisor, Container Host (Kernel), then several containers, each holding only its OS deps and an App.
8. VIRTUAL MACHINES AND CONTAINERS
Virtual Machine (Application, OS dependencies, Operating System):
▸ VM isolation
▸ Complete OS
▸ Static compute
▸ Static memory
▸ High resource usage
Container on a Container Host (Application, OS dependencies):
▸ Container isolation
▸ Shared kernel
▸ Burstable compute
▸ Burstable memory
▸ Low resource usage
9. VIRTUAL MACHINES AND CONTAINERS
Container (Application, OS dependencies) on a Container Host: Dev owns the container; IT Ops owns the host and infrastructure. Optimized for agility.
Virtual Machine (Application, OS dependencies, Operating System): IT Ops (and Dev, sort of) own the VM and the infrastructure. Optimized for stability.
A clear ownership boundary between Dev and IT Ops drives DevOps adoption and fosters agility.
10. APPLICATION PORTABILITY WITH VM
Virtual machines are NOT portable across hypervisors and do NOT provide portable packaging for applications.
Each target (laptop, bare metal, virtualization, private cloud, public cloud) needs its own packaging: VM Type X, VM Type Y, VM Type Z, or a Guest VM, each carrying the Application, its OS dependencies and a full Operating System.
11. APPLICATION PORTABILITY WITH CONTAINERS
The same container (Application + OS dependencies) runs unchanged on every target:
▸ Laptop: container on a Linux guest VM
▸ Bare metal: container on Linux
▸ Virtualization: container on a Linux virtual machine
▸ Private cloud: container on a Linux virtual machine
▸ Public cloud: container on a Linux virtual machine
Linux Containers + Linux Host = Guaranteed Portability Across Any Infrastructure
12. LINUX AND CONTAINER INFRASTRUCTURE
Containers are Linux. Diagram: a Linux container host (kernel) running several containers, each with its own Linux O/S dependencies and an app.
1. The Linux OS host spans every container.
2. Linux is in every single container.
Red Hat Enterprise Linux is a leader in paid Linux: 70% CY2016 paid Linux share.
13. RAPID SECURITY PATCHING USING CONTAINER IMAGE LAYERING
Container image layers, with an example container image:
▸ Base Image: Base Linux
▸ Image Layer 1: OS Update Layer
▸ Image Layer 2: Java Runtime Layer
▸ Image Layer 3: Application Layer
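Added example (not from the deck) showing why layering makes patching fast: using the OCI image spec's DiffID/ChainID rules, it rebuilds the slide's four-layer image after changing only the OS update layer and reports which layer blobs are reused and which chain IDs (and so the image ID) change. The layer contents and the simplified image config are constructed stand-ins.

```python
import hashlib
import json

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def diff_ids(layers):
    """DiffID of each layer: digest of its uncompressed tar (constructed bytes here)."""
    return [digest(content) for _name, content in layers]

def chain_ids(diffs):
    """OCI image spec: ChainID(L1) = DiffID(L1);
    ChainID(L1..Ln) = SHA256(ChainID(L1..Ln-1) + " " + DiffID(Ln))."""
    chain = []
    for d in diffs:
        chain.append(d if not chain else digest(f"{chain[-1]} {d}".encode()))
    return chain

def image_id(diffs):
    """Image ID: digest of the image config, whose rootfs lists the diff_ids in order
    (simplified config; a real one carries more fields)."""
    config = {"rootfs": {"type": "layers", "diff_ids": diffs}}
    return digest(json.dumps(config, sort_keys=True).encode())

# Constructed contents for the slide's four layers, before and after an OS patch.
BEFORE = [("Base Linux", b"base-rootfs"),
          ("OS Update Layer", b"os-packages-v1"),
          ("Java Runtime Layer", b"openjdk-runtime"),
          ("Application Layer", b"app.jar")]
AFTER = [BEFORE[0], ("OS Update Layer", b"os-packages-v2-patched"), BEFORE[2], BEFORE[3]]

def patch_impact(before, after):
    """Return (layers whose blob is reused, layers whose ChainID changed, image ID changed?).
    Assumes the rebuilt upper layers produce byte-identical tars."""
    names = [name for name, _ in before]
    d_old, d_new = diff_ids(before), diff_ids(after)
    c_old, c_new = chain_ids(d_old), chain_ids(d_new)
    reused = {n for n, a, b in zip(names, d_old, d_new) if a == b}
    rechained = {n for n, a, b in zip(names, c_old, c_new) if a != b}
    return reused, rechained, image_id(d_old) != image_id(d_new)

if __name__ == "__main__":
    reused, rechained, changed = patch_impact(BEFORE, AFTER)
    print("layer blobs reused unchanged:", sorted(reused))
    print("chain IDs that changed (image must be rebuilt and redeployed):", sorted(rechained))
    print("image ID changed:", changed)
```

Only the OS update blob is new; the Java and application blobs are reused, but every chain ID above the patched layer changes, which is why a fleet-wide patch is a rebuild plus redeploy rather than an in-place edit.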
15. WHAT’S IN THAT CONTAINER? (DOCKERFILE)
# Build stage runs on the build host's platform and cross-compiles for the target
FROM --platform=$BUILDPLATFORM golang:1.11-alpine AS builder
RUN apk add --no-cache git
RUN go get github.com/pdevine/go-asciisprite
WORKDIR /project
COPY surprise.go .
# TARGETOS / TARGETARCH are filled in by BuildKit from the requested --platform
ARG TARGETOS
ARG TARGETARCH
ENV GOOS=$TARGETOS GOARCH=$TARGETARCH
# Fully static binary so it can run in an empty (scratch) image
RUN CGO_ENABLED=0 go build -a -ldflags '-extldflags "-static"' -o surprise surprise.go
# Linux release image: nothing but the binary
FROM scratch AS release-linux
COPY --from=builder /project/surprise /surprise
ENTRYPOINT ["/surprise"]
# Windows release image
FROM microsoft/nanoserver AS release-windows
COPY --from=builder /project/surprise /surprise.exe
ENTRYPOINT ["surprise.exe"]
# The final stage is selected by the target OS
FROM release-$TARGETOS
16. CONTAINER RUNTIMES/ENGINES
▸ Docker - https://www.docker.com/
▸ CRI-O - https://cri-o.io
▸ containerd - https://containerd.io
▸ Kata Containers - https://katacontainers.io/
▸ and many more…
17. A LIGHTWEIGHT, OCI-COMPLIANT CONTAINER RUNTIME
▸ Minimal and secure architecture
▸ Optimized for Kubernetes
▸ Runs any OCI-compliant image (including Docker)
22. IMAGE REGISTRY
Container images are stored in an image registry (diagram: one registry holding several container images).
23. An image repository contains all versions of an image in the image registry.
Example from the diagram:
▸ myregistry/frontend: frontend:latest, frontend:2.0, frontend:1.1, frontend:1.0
▸ myregistry/mongo: mongo:latest, mongo:3.7, mongo:3.6, mongo:3.4
24. PODS
Containers are wrapped in pods, which are units of deployment and management (diagram: two pods with IPs 10.1.0.11 and 10.1.0.55; one holds a single container, the other holds two).
25. DEPLOYMENT
Pod configuration is defined in a deployment: image name, replicas, labels, cpu, memory, storage (diagram: one deployment managing three pods, each with a container).
26. Services provide internal load-balancing and service discovery across pods.
Diagram: a backend service at 172.30.170.110 in front of three pods labelled role: backend (10.110.1.11, 10.120.2.22, 10.130.3.33); a fourth pod labelled role: frontend (10.140.4.44) sits outside the service.
27. Apps can talk to each other via services: the frontend pod invokes the backend API through the backend service (same diagram as slide 26).
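Added example (not from the deck) that ties slides 25 to 27 together in code: a constructed deployment is rolled out into labelled pods, a constructed service selects them by label to build its endpoint list, and requests to the cluster IP are spread round-robin, with a pod removed to show the endpoints following. Pod IPs and the service IP are the ones drawn on the slides; the field names are simplified, not Kubernetes API objects.

```python
# Constructed Deployment and Service mirroring slides 25-27 (not the deck's own manifests).
BACKEND_DEPLOYMENT = {
    "name": "backend", "image": "myregistry/backend:1.0", "replicas": 3,
    "labels": {"role": "backend"}, "cpu": "500m", "memory": "256Mi",
}
BACKEND_SERVICE = {"name": "backend", "cluster_ip": "172.30.170.110",
                   "selector": {"role": "backend"}}
# Pod IPs as drawn on the slide; in practice the cluster network hands these out.
SLIDE_POD_IPS = ["10.110.1.11", "10.120.2.22", "10.130.3.33", "10.140.4.44"]

def rollout(deployment, ip_pool):
    """What the deployment controller does: create `replicas` pods that carry the
    deployment's labels and resource requests. Pops one IP per pod from ip_pool."""
    return [{"name": f"{deployment['name']}-{i}", "ip": ip_pool.pop(0),
             "image": deployment["image"], "labels": dict(deployment["labels"]),
             "resources": {"cpu": deployment["cpu"], "memory": deployment["memory"]}}
            for i in range(deployment["replicas"])]

def matches(labels, selector):
    """Equality-based selector: every selector key must equal the pod's label."""
    return all(labels.get(key) == value for key, value in selector.items())

def endpoints(service, pods):
    """Service discovery: the endpoint list is whatever currently matches the selector,
    so pods can come and go while clients keep targeting the stable cluster IP."""
    return [pod["ip"] for pod in pods if matches(pod["labels"], service["selector"])]

def route(service, pods, n_requests):
    """Internal load-balancing: spread requests to the cluster IP round-robin over
    the live endpoints; a service with no endpoints cannot be reached."""
    eps = endpoints(service, pods)
    if not eps:
        raise LookupError(f"service {service['name']} has no endpoints")
    return [eps[i % len(eps)] for i in range(n_requests)]

if __name__ == "__main__":
    ips = list(SLIDE_POD_IPS)
    pods = rollout(BACKEND_DEPLOYMENT, ips)
    frontend = {"name": "frontend-0", "ip": ips.pop(0), "labels": {"role": "frontend"}}
    print("backend endpoints:", endpoints(BACKEND_SERVICE, pods + [frontend]))
    print("frontend's 4 calls to", BACKEND_SERVICE["cluster_ip"], "land on:",
          route(BACKEND_SERVICE, pods + [frontend], 4))
    pods.pop(0)  # a backend pod dies; the service drops it without any client change
    print("after losing a pod:", endpoints(BACKEND_SERVICE, pods))
```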
28. ROUTE
Routes add services to the external load-balancer and provide readable URLs for the app (diagram: route app-prod.mycompany.com in front of the backend service and its pods).
> curl http://app-prod.mycompany.com
29. Projects isolate apps across environments, teams, groups and departments (diagram: four projects, PAYMENT DEV, PAYMENT PROD, CATALOG and INVENTORY, each with its own pods; access between projects is blocked, marked ❌).
30. COOL NEW TOOLS!
▸ Buildah - (https://buildah.io)
▸ A tool that facilitates building OCI-compliant images
▸ Create a working container, either from scratch or using an image as a starting point
▸ Create an image, either from a working container or via the instructions in a Dockerfile
▸ Images can be built in either the OCI image format or the traditional upstream docker image format
▸ Mount a working container's root filesystem for manipulation
▸ Unmount a working container's root filesystem
▸ Use the updated contents of a container's root filesystem as a filesystem layer to create a new image
▸ Delete a working container or an image
▸ Rename a local container
31. COOL NEW TOOLS!
▸ skopeo - (https://github.com/containers/skopeo)
▸ No daemon required
▸ Copying an image from and to various storage mechanisms. For example, you can copy images from one registry to another, without requiring privilege.
▸ Inspecting a remote image showing its properties including its layers, without requiring you to pull the image to the host.
▸ Deleting an image from an image repository.
▸ When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.
32. ANOTHER REALLY QUICK DEMO (SKOPEO VS DOCKER INSPECT)…
33. COOL NEW TOOLS!
▸ podman - (https://podman.io/)
▸ What is Podman? Simply put: `alias docker=podman`
▸ Support multiple image formats including the OCI and Docker image formats.
▸ Support for multiple means to download images including trust & image verification.
▸ Container image management (managing image layers, overlay filesystems, etc).
▸ Full management of container lifecycle
▸ Support for pods to manage groups of containers together
▸ Resource isolation of containers and pods.
▸ Integration with CRI-O to share containers and backend code.