SlideShare uma empresa Scribd logo

Exploding the Linux Container Host

C4Media
C4Media

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/1NF22uW. Ben Corrie discusses Project Bonneville, how to create a shared Linux kernel for privileged containers, running containers without Linux, and VMware's dynamic resource constraints of a container host. Filmed at qconsf.com. Ben Corrie is currently a Principal Investigator at VMware and is the lead inventor of Project Bonneville, which runs Docker containers directly on ESX. Ben has had a 17 year engineering career, principally focussed on solving complex resource management problems and developing optimizations in managed runtimes, such as the JVM.

Tecnologia
1 de 20
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings)
InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /bonneville
Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
2 Containers vs VMs •  Google Wisdom: –  VMs and Containers are similar but different –  Try running containers in VMs for security –  Containers are best for scale-out density –  VMs are better for legacy apps
3 Docker HubDocker Client LINUX HOST Container Control & TTY / REST Pull ImageDocker Daemon Docker Daemon Layered file system (AUFS) S D N Docker ImagesNET TRAFFIC TO CONTAINERS Linux Kernel 1.  A executable process 2.  Resource constraints / private namespace 3.  Binary dependencies: Application, runtime, OS 4.  A shared Linux kernel for running the executable STATELESS PORTABLE FAST SECURE What is a Container?
4 What is a Container Host? Docker Client LINUX HOST LXC Container Docker Daemon Container Container Layered file system (AUFS) S D N Docker ImagesNET TRAFFIC TO CONTAINERS Linux Kernel Control & TTY / REST Docker Hub Pull Image 1.  Control plane & lifecycle management for containers 2.  Resource scheduling and a container abstraction 3.  Infrastructure abstractions: Storage, networking etc 4.  A Linux kernel STATEFUL LONG-RUNNING SINGLE USER SINGLE USE
5 My Demo Container Hosts Derek Clive
6 Docker HubDocker Client ESX HOST / HYPERVISOR ContainerVM Control & TTY / REST Pull ImageDocker Daemon Docker Daemon VM Layered file system (VMDK) S D N Docker ImagesNET TRAFFIC TO CONTAINERS ESX Kernel 1.  A executable process 2.  Resource constraints / private namespace 3.  Binary dependencies: Application, runtime, OS 4.  A “shared” Linux kernel for running the executable STATELESS PORTABLE FAST SECURE What is a ContainerVM? Linux Kernel
7 Why????? •  Simple answer: The Container Host •  Linux container host limitations –  Single Docker daemon = single user –  Long running – slow and disruptive to refresh –  Stateful – images, volumes, containers, patch levels –  Static size – only resource efficient if well-packed –  Kernel is a single point of failure •  When virtualized –  Limited access to virtual infrastructure –  Limited monitoring of containers without 3rd party agents –  Duplicated infrastructure layer STATEFUL LONG-RUNNING MULTI USER MULTI USE
8 Differences between Derek & Clive 1.  Multi-tenancy 2.  Dynamic resource boundaries 3.  Disposable nested container hosts –  Control plane performance –  Statelessness – container hosts as cattle! –  Eg. Docker in Jenkins Slaves •  Dependencies on slaves are contained •  Slaves themselves need to be “garbage collected” –  Eg. Pre-populated container cache for Docker build -> push -> dispose –  Eg. Save /var/lib/docker in a volume – state persists, host does not 4.  Multi-OS support
The Docker ecosystem you love on the Hypervisor you trust • Provision Docker containers direct to vSphere –  No need for a Linux container host –  Vanilla Docker client connects to Docker Daemon appliance • Hardware-virtualized “containerVM” abstraction –  Containers are provisioned as VMs, not in VMs –  Hardware virtualization provides unprecedented security and isolation –  x86 abstraction allows for more than just Linux • “Instant Clone” delivers container speed and efficiency –  Container start in 2 seconds with a “shared” Linux Kernel 9 What is Bonneville?
10 Limitations Virtualizing Docker As-Is ESX Host/Cluster C1 C2 Docker API + Daemon Images Multi-user guest OS Tenant wasting ESX memory when containers stopped Other App Tenant at capacity Duplicated Image caches Limited isolation Only Linux kernels that support Docker
Exploding the Linux Container Host – in detail ESX Host/Cluster Other App Modified Docker API + Daemon Multi-user guest OS Images C 1 C 2 ESX Host/Cluster C 1 C 2 Docker API + Daemon Images Multi-user guest OS Tenant wasting ESX memory when containers stopped Other App Tenant at capacity Duplicated Image caches Limited isolation Shared Image Cache Robust Isolation Tenant not at capacity From earlier… To this… Tenant consuming minimal memory
12 What’s inside? Instant Clone and the “shared” Linux Kernel ESX Host Bonneville Appliance Photon Pico (25MB) C1 C2 C3 Provisions Shared Kernel Photon Pico Kernel Container Image A Container Image B Container Image C Read/Write Layer Volume Volume
•  Early concerns about efficiency of 1:1 container / VM mapping •  Container efficiency typically measured in terms of start time and memory consumption •  Start Time –  Start time not inherent limitation of VMs, simply the need to boot an OS –  Instant Clone removes the need for OS boot –  Docker appeal more than just container start time – pull image, run image, delete image flow –  Developers want instant container start, less critical when provisioning apps •  Memory consumption –  Misleading “Hello World” comparisons often made. Real apps use memory regardless –  Bonneville memory efficiencies achieved through Instant Clone + Photon Pico –  Instant Clone raises the potential for sharing much more than just the base OS 13 Bonneville Efficiency
•  Goal for Bonneville is complete transparency to the client / user •  Some concepts have to be a little different •  Container privileged access –  In Docker, flag gives a container privileged access to both the host kernel and the host itself –  In Bonneville, privileged access is the default with zero access to the host •  Host mounted volumes –  In Docker, you can mount a volume on the host into a container •  Useful for certain things, but means that the container is not idempotent –  In Bonneville, the host and container don’t share a filesystem •  Default container size –  In Docker if no constraints are specified, container has access to all the hosts resources –  In Bonneville this wouldn’t make sense, so a default size is used 14 Docker Feature Parity: Can you even tell?
•  What is a “Container Host”? –  A finite amount of compute resource with the necessary capability to host containers •  A container host does not have to be bound to an OS or physical machine 15 vSphere Integrated Containers: The Virtual Container Host Concept Linux ESX VCH Container host boundaries A VM or physical box An ESX server A vSphere resource pool Grow container host Shut down VM / N/A N/A Reconfigure the pool Clustering Docker Swarm Docker Swarm vSphere cluster Nested hosts Docker-in-Docker Resource pool / Photon Resource pool / Photon
•  Various takes on the “containerVM” concept have recently emerged –  “Clear Containers” from Intel •  Similar to Bonneville in concept, but different in execution – more of an OSS POC •  KVM without x86 QEMU layer or BIOS initializes Intel “Clear Linux” very fast –  “Hyper” •  Startup based in China with a very similar concept to Bonneville •  Supports KVM and Xen with a custom Linux kernel. Intended as Container-as-a-Service infrastructure •  Security and Isolation at the heart of these solutions –  Hypervisor hardware isolation is well proven and battle-hardened. Linux kernel exploits keep emerging –  Need to be able to secure and verify provenance of container images •  Bonneville delivers best of all worlds –  Robust security and isolation of a VM –  Full privileged access to a kernel – load kernel modules, loopback mount etc. 16 Isolation and Security
•  Docker is a platform •  Bonneville is the Docker platform for vSphere •  Bonneville gives you best of both worlds – Speed, efficiency and workflow of containers – Security, isolation and flexibility of VMs •  Don’t let your container hosts become pets! @bensdoings 17 Summary
Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/ bonneville

Recomendados

开源+自主开发 - 淘宝软件基础设施构建实践
开源+自主开发 - 淘宝软件基础设施构建实践开源+自主开发 - 淘宝软件基础设施构建实践
开源+自主开发 - 淘宝软件基础设施构建实践Wensong Zhang
 
章文嵩:使用LVS集群架设高可扩展的网络服务.pdf
章文嵩:使用LVS集群架设高可扩展的网络服务.pdf章文嵩:使用LVS集群架设高可扩展的网络服务.pdf
章文嵩:使用LVS集群架设高可扩展的网络服务.pdfXMourinho
 
使用LVS集群架设高可扩展的网络服务
使用LVS集群架设高可扩展的网络服务使用LVS集群架设高可扩展的网络服务
使用LVS集群架设高可扩展的网络服务Wensong Zhang
 
淘宝软件基础设施构建实践
淘宝软件基础设施构建实践淘宝软件基础设施构建实践
淘宝软件基础设施构建实践Wensong Zhang
 
Verizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott Spector
Verizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott SpectorVerizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott Spector
Verizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott SpectorScott Spector
 
Building a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersBuilding a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersMichelle Holley
 
Accelerating the Next 10,000 Clouds by Michael Kadera, Intel
Accelerating the Next 10,000 Clouds by Michael Kadera, IntelAccelerating the Next 10,000 Clouds by Michael Kadera, Intel
Accelerating the Next 10,000 Clouds by Michael Kadera, IntelDocker, Inc.
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 

Recomendados

开源+自主开发 - 淘宝软件基础设施构建实践
开源+自主开发 - 淘宝软件基础设施构建实践开源+自主开发 - 淘宝软件基础设施构建实践
开源+自主开发 - 淘宝软件基础设施构建实践Wensong Zhang
 
章文嵩:使用LVS集群架设高可扩展的网络服务.pdf
章文嵩:使用LVS集群架设高可扩展的网络服务.pdf章文嵩:使用LVS集群架设高可扩展的网络服务.pdf
章文嵩:使用LVS集群架设高可扩展的网络服务.pdfXMourinho
 
使用LVS集群架设高可扩展的网络服务
使用LVS集群架设高可扩展的网络服务使用LVS集群架设高可扩展的网络服务
使用LVS集群架设高可扩展的网络服务Wensong Zhang
 
淘宝软件基础设施构建实践
淘宝软件基础设施构建实践淘宝软件基础设施构建实践
淘宝软件基础设施构建实践Wensong Zhang
 
Verizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott Spector
Verizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott SpectorVerizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott Spector
Verizon NAB Show Media Cloud Ecosystem April 6, 2015 Final Scott SpectorScott Spector
 
Building a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersBuilding a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersMichelle Holley
 
Accelerating the Next 10,000 Clouds by Michael Kadera, Intel
Accelerating the Next 10,000 Clouds by Michael Kadera, IntelAccelerating the Next 10,000 Clouds by Michael Kadera, Intel
Accelerating the Next 10,000 Clouds by Michael Kadera, IntelDocker, Inc.
 
Streaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoStreaming a Million Likes/Second: Real-Time Interactions on Live Video
Streaming a Million Likes/Second: Real-Time Interactions on Live VideoC4Media
 
Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Mais conteúdo relacionado

Mais de C4Media

Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileC4Media
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020C4Media
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsC4Media
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No KeeperC4Media
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like OwnersC4Media
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaC4Media
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideC4Media
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDC4Media
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine LearningC4Media
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at SpeedC4Media
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsC4Media
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsC4Media
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerC4Media
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleC4Media
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeC4Media
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereC4Media
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing ForC4Media
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data EngineeringC4Media
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreC4Media
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsC4Media
 

Mais de C4Media (20)

Next Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy MobileNext Generation Client APIs in Envoy Mobile
Next Generation Client APIs in Envoy Mobile
 
Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020Software Teams and Teamwork Trends Report Q1 2020
Software Teams and Teamwork Trends Report Q1 2020
 
Understand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java ApplicationsUnderstand the Trade-offs Using Compilers for Java Applications
Understand the Trade-offs Using Compilers for Java Applications
 
Kafka Needs No Keeper
Kafka Needs No KeeperKafka Needs No Keeper
Kafka Needs No Keeper
 
High Performing Teams Act Like Owners
High Performing Teams Act Like OwnersHigh Performing Teams Act Like Owners
High Performing Teams Act Like Owners
 
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to JavaDoes Java Need Inline Types? What Project Valhalla Can Bring to Java
Does Java Need Inline Types? What Project Valhalla Can Bring to Java
 
Service Meshes- The Ultimate Guide
Service Meshes- The Ultimate GuideService Meshes- The Ultimate Guide
Service Meshes- The Ultimate Guide
 
Shifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CDShifting Left with Cloud Native CI/CD
Shifting Left with Cloud Native CI/CD
 
CI/CD for Machine Learning
CI/CD for Machine LearningCI/CD for Machine Learning
CI/CD for Machine Learning
 
Fault Tolerance at Speed
Fault Tolerance at SpeedFault Tolerance at Speed
Fault Tolerance at Speed
 
Architectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep SystemsArchitectures That Scale Deep - Regaining Control in Deep Systems
Architectures That Scale Deep - Regaining Control in Deep Systems
 
ML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.jsML in the Browser: Interactive Experiences with Tensorflow.js
ML in the Browser: Interactive Experiences with Tensorflow.js
 
Build Your Own WebAssembly Compiler
Build Your Own WebAssembly CompilerBuild Your Own WebAssembly Compiler
Build Your Own WebAssembly Compiler
 
User & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix ScaleUser & Device Identity for Microservices @ Netflix Scale
User & Device Identity for Microservices @ Netflix Scale
 
Scaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's EdgeScaling Patterns for Netflix's Edge
Scaling Patterns for Netflix's Edge
 
Make Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home EverywhereMake Your Electron App Feel at Home Everywhere
Make Your Electron App Feel at Home Everywhere
 
The Talk You've Been Await-ing For
The Talk You've Been Await-ing ForThe Talk You've Been Await-ing For
The Talk You've Been Await-ing For
 
Future of Data Engineering
Future of Data EngineeringFuture of Data Engineering
Future of Data Engineering
 
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and MoreAutomated Testing for Terraform, Docker, Packer, Kubernetes, and More
Automated Testing for Terraform, Docker, Packer, Kubernetes, and More
 
Navigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery TeamsNavigating Complexity: High-performance Delivery and Discovery Teams
Navigating Complexity: High-performance Delivery and Discovery Teams
 

Último

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Último (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

Exploding the Linux Container Host

  • 1. Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings)
  • 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations /bonneville
  • 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
  • 4. 2 Containers vs VMs •  Google Wisdom: –  VMs and Containers are similar but different –  Try running containers in VMs for security –  Containers are best for scale-out density –  VMs are better for legacy apps
  • 5. 3 Docker HubDocker Client LINUX HOST Container Control & TTY / REST Pull ImageDocker Daemon Docker Daemon Layered file system (AUFS) S D N Docker ImagesNET TRAFFIC TO CONTAINERS Linux Kernel 1.  A executable process 2.  Resource constraints / private namespace 3.  Binary dependencies: Application, runtime, OS 4.  A shared Linux kernel for running the executable STATELESS PORTABLE FAST SECURE What is a Container?
  • 6. 4 What is a Container Host? Docker Client LINUX HOST LXC Container Docker Daemon Container Container Layered file system (AUFS) S D N Docker ImagesNET TRAFFIC TO CONTAINERS Linux Kernel Control & TTY / REST Docker Hub Pull Image 1.  Control plane & lifecycle management for containers 2.  Resource scheduling and a container abstraction 3.  Infrastructure abstractions: Storage, networking etc 4.  A Linux kernel STATEFUL LONG-RUNNING SINGLE USER SINGLE USE
  • 7. 5 My Demo Container Hosts Derek Clive
  • 8. 6 Docker HubDocker Client ESX HOST / HYPERVISOR ContainerVM Control & TTY / REST Pull ImageDocker Daemon Docker Daemon VM Layered file system (VMDK) S D N Docker ImagesNET TRAFFIC TO CONTAINERS ESX Kernel 1.  A executable process 2.  Resource constraints / private namespace 3.  Binary dependencies: Application, runtime, OS 4.  A “shared” Linux kernel for running the executable STATELESS PORTABLE FAST SECURE What is a ContainerVM? Linux Kernel
  • 9. 7 Why????? •  Simple answer: The Container Host •  Linux container host limitations –  Single Docker daemon = single user –  Long running – slow and disruptive to refresh –  Stateful – images, volumes, containers, patch levels –  Static size – only resource efficient if well-packed –  Kernel is a single point of failure •  When virtualized –  Limited access to virtual infrastructure –  Limited monitoring of containers without 3rd party agents –  Duplicated infrastructure layer STATEFUL LONG-RUNNING MULTI USER MULTI USE
  • 10. 8 Differences between Derek & Clive 1.  Multi-tenancy 2.  Dynamic resource boundaries 3.  Disposable nested container hosts –  Control plane performance –  Statelessness – container hosts as cattle! –  Eg. Docker in Jenkins Slaves •  Dependencies on slaves are contained •  Slaves themselves need to be “garbage collected” –  Eg. Pre-populated container cache for Docker build -> push -> dispose –  Eg. Save /var/lib/docker in a volume – state persists, host does not 4.  Multi-OS support
  • 11. The Docker ecosystem you love on the Hypervisor you trust • Provision Docker containers direct to vSphere –  No need for a Linux container host –  Vanilla Docker client connects to Docker Daemon appliance • Hardware-virtualized “containerVM” abstraction –  Containers are provisioned as VMs, not in VMs –  Hardware virtualization provides unprecedented security and isolation –  x86 abstraction allows for more than just Linux • “Instant Clone” delivers container speed and efficiency –  Container start in 2 seconds with a “shared” Linux Kernel 9 What is Bonneville?
  • 12. 10 Limitations Virtualizing Docker As-Is ESX Host/Cluster C1 C2 Docker API + Daemon Images Multi-user guest OS Tenant wasting ESX memory when containers stopped Other App Tenant at capacity Duplicated Image caches Limited isolation Only Linux kernels that support Docker
  • 13. Exploding the Linux Container Host – in detail ESX Host/Cluster Other App Modified Docker API + Daemon Multi-user guest OS Images C 1 C 2 ESX Host/Cluster C 1 C 2 Docker API + Daemon Images Multi-user guest OS Tenant wasting ESX memory when containers stopped Other App Tenant at capacity Duplicated Image caches Limited isolation Shared Image Cache Robust Isolation Tenant not at capacity From earlier… To this… Tenant consuming minimal memory
  • 14. 12 What’s inside? Instant Clone and the “shared” Linux Kernel ESX Host Bonneville Appliance Photon Pico (25MB) C1 C2 C3 Provisions Shared Kernel Photon Pico Kernel Container Image A Container Image B Container Image C Read/Write Layer Volume Volume
  • 15. •  Early concerns about efficiency of 1:1 container / VM mapping •  Container efficiency typically measured in terms of start time and memory consumption •  Start Time –  Start time not inherent limitation of VMs, simply the need to boot an OS –  Instant Clone removes the need for OS boot –  Docker appeal more than just container start time – pull image, run image, delete image flow –  Developers want instant container start, less critical when provisioning apps •  Memory consumption –  Misleading “Hello World” comparisons often made. Real apps use memory regardless –  Bonneville memory efficiencies achieved through Instant Clone + Photon Pico –  Instant Clone raises the potential for sharing much more than just the base OS 13 Bonneville Efficiency
  • 16. •  Goal for Bonneville is complete transparency to the client / user •  Some concepts have to be a little different •  Container privileged access –  In Docker, flag gives a container privileged access to both the host kernel and the host itself –  In Bonneville, privileged access is the default with zero access to the host •  Host mounted volumes –  In Docker, you can mount a volume on the host into a container •  Useful for certain things, but means that the container is not idempotent –  In Bonneville, the host and container don’t share a filesystem •  Default container size –  In Docker if no constraints are specified, container has access to all the hosts resources –  In Bonneville this wouldn’t make sense, so a default size is used 14 Docker Feature Parity: Can you even tell?
  • 17. •  What is a “Container Host”? –  A finite amount of compute resource with the necessary capability to host containers •  A container host does not have to be bound to an OS or physical machine 15 vSphere Integrated Containers: The Virtual Container Host Concept Linux ESX VCH Container host boundaries A VM or physical box An ESX server A vSphere resource pool Grow container host Shut down VM / N/A N/A Reconfigure the pool Clustering Docker Swarm Docker Swarm vSphere cluster Nested hosts Docker-in-Docker Resource pool / Photon Resource pool / Photon
  • 18. •  Various takes on the “containerVM” concept have recently emerged –  “Clear Containers” from Intel •  Similar to Bonneville in concept, but different in execution – more of an OSS POC •  KVM without x86 QEMU layer or BIOS initializes Intel “Clear Linux” very fast –  “Hyper” •  Startup based in China with a very similar concept to Bonneville •  Supports KVM and Xen with a custom Linux kernel. Intended as Container-as-a-Service infrastructure •  Security and Isolation at the heart of these solutions –  Hypervisor hardware isolation is well proven and battle-hardened. Linux kernel exploits keep emerging –  Need to be able to secure and verify provenance of container images •  Bonneville delivers best of all worlds –  Robust security and isolation of a VM –  Full privileged access to a kernel – load kernel modules, loopback mount etc. 16 Isolation and Security
  • 19. •  Docker is a platform •  Bonneville is the Docker platform for vSphere •  Bonneville gives you best of both worlds – Speed, efficiency and workflow of containers – Security, isolation and flexibility of VMs •  Don’t let your container hosts become pets! @bensdoings 17 Summary
  • 20. Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/ bonneville