innovating out in the open
TRANSCRIPT
Phil EstesSenior Technical Staff MemberIBM Open Cloud Technologies@estesp
> Docker core engine maintainer> Member of “Docker Captains” program> 10+ years involved in Linux/OSS> Interests: cloud/containers/Linux
Intro
Key upstream accomplishments> Brought user namespace support to the Docker engine> Helped design v2.2 image specification with multi-platform support> Implemented first tool to create multi-platform images in Docker v2.3 registry
Open Container Initiative (OCI)
•A Linux Foundation Collaborative Project
•Free from control by any particular vendor’s specific cloud stack or ecosystem
•Includes a specification, reference runtime* and now, a specified image format
An open governance structure for creating open industry standards: a common container runtime and image format.*seeded with runc +
libcontainer by Docker
OCI: Specs and Status> Runtime specification: Release 0.5.0 / April
2016 https://github.com/opencontainers/runtime-spec/releases/tag/v0.5.0
Goal is to reach a 1.0 release by mid-JuneIncludes required core for containerization on Linux &
Windows> Image format specification: Release 0.1.0 /
May 2016 https://github.com/opencontainers/image-spec/releases/tag/v0.1.0
Seeded with Docker registry v2.2 specificationWork just beginning in the repository; 0.1 is a “stake in the
ground”
▪ Announced June 20th, 2015
▪ Charter signed on December 8th, 2015
▪ 46 current member companies
▪ Target of a 1.0 specification (runtime) by June
https://opencontainers.orghttps://github.com/
opencontainers
Introduction to `runc`> runc is a client wrapper around
libcontainer> Libcontainer is the OS level interface for
containersOther platforms and architectures can implement the libcontainer API via their
own primitives/system-level container concepts
$ docker run -it --read-only -v /host:/hostpath alpine sh/#
{ "ociVersion": "0.6.0-dev", "platform": { "os": "linux", "arch": "amd64" }, "process": { "terminal": true, "args": [ "sh" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/bin”
config.json
Runc In The Wild
▪CloudFoundry Garden OCI implementation-https://github.com/cloudfoundry-incubator/guardian
-Uses runc as a backend for container execution
▪Docker 1.11 (and above)- Switched from direct libcontainer API
linkage to calling runc as container executor
- Uses containerd as a gRPC daemon to disconnect Docker daemon (API/mgmt) from container execution (allows daemon restart in future without container runtime impact)
runC: An open innovation platform for containersImplement low-level container features
▪Operating system level features should be defined in the OCI runtime specification
▪New capabilities (PID cgroup controls, checkpoint/restore, seccomp) implemented in runC
OCI compliance/pluggable execution engine▪Implement a OS/environment for containers via an OCI spec compliant binary▪Examples: runz (Solaris zones), runv (hypervisor-based), Intel Clear Containers
Iterative container configuration test/debug▪Simple variant of “Docker-like” containers with less friction for quick modifications
▪Low bar for dependencies: single binary + physical rootfs bundle + JSON config
INTEREST
INTEREST
INTEREST
1. Docker 2. OpenVZ 3. Huawei 4. Redhat 5. Google 6. IBM 7. SuSE8. Pivotal 9. Fujitsu 10. Microsoft
Top 10 Contributors to opencontainers/runc
Let’s Demo
What I’m going to show you:runc runC binary (in my case, shared with Docker
1.11 installationgithub.com/opencontainers/runc
ocitools Command-line JSON OCI spec generator github.com/opencontainers/ocitoolsriddler Docker container → JSON OCI spec converter github.com/jfrazelle/riddleruidmapshift
Filesystem ownership shift tool for user namespace mappings
http://bazaar.launchpad.net/~serge-hallyn/+junk/nsexec/view/head:/uidmapshift.c
netns Netlink-based bridge networking implemened as an OCI pre-start hook
github.com/jfrazelle/netns
OCI Futures▪Image format specification
-Just getting underway▪More users and contributed implementations▪runC innovations moving into higher level implementations
-Checkpoint+restore under consideration for exposure via Docker API-Seccomp, user namespaces, and PID limits are prior examples
▪What do you plan to do with OCI and/or runC?
Questions?
@estesp
github.com/estesp
http://integratedcode.us
IRC: estesp CON
TACT
IN
FO