THE AGENDA
• Brief History
• The Container Market
• What is Docker?
• What is a Container?
• Container Gotchas
HOW ARE YOU USING CONTAINERS TODAY???
• LOCALLY
• TEST/QA ENVIRONMENTS
• PRODUCTION
• WE DON’T USE THEM TODAY
• WE ARE CONSIDERING USING THEM
ALL ABOUT … CONTAINERS
SHARING LIMITED RESOURCES
1979 / 1982 - chroot
PROGRESS TOWARD VIRTUALIZATION
▪ 2000 - FreeBSD jail
▪ 2004 - Solaris Zones / snapshots
▪ 2006 - Google Process Containers / cgroups
▪ 2008 - IBM LinuX Containers (LXC)
▪ 2013 - Docker (open source!) - Google LMCTFY (open source!)
▪ 2014 - Docker trades LXC for libcontainer
▪ … more stuff happened
2011 - Java 7
2014 - Java 8
▪ June 2015 - Open Container Project/Initiative (OCI)
  ○ Runtime Specification (runtime-spec)
  ○ Image Specification (image-spec)
▪ … even more stuff happened and is still happening!
THE CONTAINER MARKET (according to Sysdig)
2019 - 2 million Containers (includes both SaaS & on prem users)
Fig. 2. 2019 Container Runtimes from: “Sysdig 2019 Container Usage Report: New Kubernetes and security insights,” 29 Oct. 2019, sysdig.com/blog/sysdig-2019-container-usage-report/. Accessed 10 Jun. 2020.
THE CONTAINER MARKET (according to Sysdig)
2020/21 - 2 million Containers (a subset of customer containers)
Fig. 3. Container runtimes from: “REPORT.2021 Container Security And Usage Report,” Jan 2021, https://dig.sysdig.com/c/pf-2021-container-security-and-usage-report?x=u_WFRi. Accessed 21 Jan. 2021.
WHAT EXACTLY IS DOCKER?
WHAT DO WE ACTUALLY NEED/WANT?
• An isolated environment where a user/application can operate, sharing the host system’s OS/kernel without interfering with the operation of another isolated environment on the same system (a container)
• A way to define a container (an image format)
• A way to build an image of a container
• A way to manage container images
• A way to distribute/share container images
• A way to create a container environment
• A way to launch/run a container (a container runtime)
• A way to manage the lifecycle of container instances
DOCKER, THE WHOLE PACKAGE
• DOCKER ENGINE
• DOCKER IMAGE FORMAT: Dockerfile, docker build, docker images
• DOCKER HUB: docker push, docker pull
• Container lifecycle: docker run, docker stop, docker ps, docker rm
BREAKING UP THE MONOLITH
OCI IMAGE FORMAT
• Docker V2 Image Spec
OCI CONTAINER RUNTIME
• runC (which used to be libcontainer… which was written by Docker)
OTHERS - containerd, rkt, cri-o, Kata, etc…
https://lwn.net/Articles/741897/
https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r
WHAT IF I DON’T WANNA DOCKAH??
Podman, Buildah & Skopeo
https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/
https://www.redhat.com/en/blog/say-hello-buildah-podman-and-skopeo
https://developers.redhat.com/blog/2020/02/12/podman-for-macos-sort-of/
WHAT EXACTLY IS A CONTAINER?
CONTAINER COMPONENTS
TARBALL OF A FILESYSTEM
LINUX FEATURES
• namespaces
• cgroups
• Union File systems
Mix these together to create and run a container! Voila!
https://docs.docker.com/get-started/overview/
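The union filesystem bullet above is what lets image layers stack into one root filesystem. The following is an added example, not code from the slides or from Docker: it models that stacking in pure Python over a constructed three-layer image, using AUFS-style `.wh.<name>` whiteout entries for deletions (OverlayFS records whiteouts as character devices, so this reproduces the semantics, not the on-disk format). It also shows the consequence a practitioner should know: a file removed in a later layer is gone from the merged view but still ships inside the image.

```python
"""Simplified model of the union filesystem that stacks container image layers.

Added example for the "Union File systems" component above; it is not code
from the original slides or from Docker. Layers are plain dicts (path -> bytes),
ordered lowest first, and a deletion in an upper layer is recorded as an
AUFS-style ".wh.<name>" whiteout entry. Real OverlayFS marks whiteouts with
character devices instead, so this models the semantics, not the on-disk format.
"""
from __future__ import annotations

WHITEOUT_PREFIX = ".wh."


def whiteout_name(path: str) -> str:
    """Entry an upper layer writes to hide `path` from the layers below it."""
    head, _, tail = path.rpartition("/")
    return f"{head}/{WHITEOUT_PREFIX}{tail}"


def merge_layers(layers: list[dict[str, bytes]]) -> dict[str, bytes]:
    """The merged view a running container sees.

    Walking from the lowest layer up, a later entry for the same path replaces
    the earlier one, and a whiteout entry removes the path from the view.
    """
    view: dict[str, bytes] = {}
    for layer in layers:
        for path, data in layer.items():
            head, _, tail = path.rpartition("/")
            if tail.startswith(WHITEOUT_PREFIX):
                view.pop(f"{head}/{tail[len(WHITEOUT_PREFIX):]}", None)
            else:
                view[path] = data
    return view


def layers_holding(layers: list[dict[str, bytes]], path: str) -> list[int]:
    """Indices of layers that still physically contain `path`."""
    return [i for i, layer in enumerate(layers) if path in layer]


def hidden_but_present(layers: list[dict[str, bytes]], path: str) -> bool:
    """True when `path` is gone from the merged view yet still stored in a layer.

    This is the trap behind a `RUN rm` of a secret in a later Dockerfile step:
    the file vanishes from the container but is still in the image tarball.
    """
    return path not in merge_layers(layers) and bool(layers_holding(layers, path))


# Constructed sample image (not a real image): one dict per layer, lowest first.
BASE_LAYER = {
    "/bin/sh": b"<shell binary>",
    "/etc/os-release": b"ID=demo\nVERSION_ID=1\n",
}
BUILD_LAYER = {  # like a `COPY . /app` that sweeps up a credentials file
    "/app/server": b"<server binary>",
    "/app/.env": b"DB_PASSWORD=example-only\n",
    "/etc/os-release": b"ID=demo\nVERSION_ID=2\n",  # overrides the base copy
}
CLEANUP_LAYER = {  # like a later `RUN rm /app/.env`
    whiteout_name("/app/.env"): b"",
}
IMAGE = [BASE_LAYER, BUILD_LAYER, CLEANUP_LAYER]


def demo() -> dict[str, object]:
    """Merged view plus the layer audit for the sample image."""
    view = merge_layers(IMAGE)
    return {
        "visible_paths": sorted(view),
        "os_release": view["/etc/os-release"],
        "env_layers": layers_holding(IMAGE, "/app/.env"),
        "env_leaked": hidden_but_present(IMAGE, "/app/.env"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The audit in `hidden_but_present` is the check to run in your head whenever a Dockerfile deletes something it copied in earlier: the fix is to never put the file in a layer at all (a tighter build context, a multi-stage build that copies only the artifacts, or BuildKit's `--mount=type=secret` for build-time credentials), not to delete it in a later step.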
FILESYSTEM DETAILS
NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen to attach to it):
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
CONTAINER GOTCHAS
CONTAINER GOTCHAS - RUNNING AS ROOT
CONTAINER GOTCHAS - NO CONSTRAINTS
CONTAINER GOTCHAS - NEVER UPDATING
CONTAINER GOTCHAS - JAVA/JVM GOTCHAS
CONTAINER GOTCHAS - IMAGE BLOAT
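Four of the gotchas above (running as root, no constraints, never updating, image bloat) can be caught before an image is ever built or run. The following is an added example, not code from the slides or from Docker: a small Python checker that reads a Dockerfile for a missing non-root `USER`, an untagged or `:latest` base image, and apt caches left in a layer, and inspects a `docker run` argument list for the `--memory`, `--cpus` and `--pids-limit` flags. The Dockerfile reader is a line-based approximation (backslash continuations only), and the weak and corrected Dockerfiles plus the two argument lists are constructed for this demo; the JVM slide's specifics are not covered here.

```python
"""Static checks for container gotchas: running as root, never updating
(unpinned base images), image bloat, and running with no resource constraints.

Added example, not code from the original slides or from Docker. The
Dockerfile reader is a small line-based approximation (backslash
continuations only; no heredocs or parser directives), and the two sample
Dockerfiles and `docker run` argument lists are constructed for this demo.
"""
from __future__ import annotations


def parse_dockerfile(text: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations."""
    instructions: list[tuple[str, str]] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        word, _, rest = pending.partition(" ")
        instructions.append((word.upper(), rest.strip()))
        pending = ""
    return instructions


def lint_dockerfile(text: str) -> list[str]:
    """Findings for the Dockerfile-level gotchas; an empty list means clean."""
    findings: list[str] = []
    instructions = parse_dockerfile(text)

    # Running as root: without a USER instruction the entrypoint runs as uid 0,
    # so any code-execution bug in the app starts out as root inside the container.
    users = [arg for name, arg in instructions if name == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("running-as-root: no non-root USER instruction")

    # Never updating: an untagged or :latest base image is whatever happened to be
    # cached at build time, so rebuilds neither reproduce nor deliberately update.
    stage_names: set[str] = set()
    for name, arg in instructions:
        if name != "FROM":
            continue
        parts = arg.split()
        image = parts[0]
        if len(parts) >= 3 and parts[1].upper() == "AS":
            stage_names.add(parts[2])
        if image.lower() == "scratch" or image in stage_names or "@sha256:" in image:
            continue
        last = image.rsplit("/", 1)[-1]  # ignore a registry host:port prefix
        if ":" not in last or last.endswith(":latest"):
            findings.append(f"unpinned-base-image: {image}")

    # Image bloat: package caches left behind in a layer are stored in the image
    # even if a later RUN deletes them, so the cleanup must happen in the same RUN.
    for name, arg in instructions:
        if name == "RUN" and "apt-get install" in arg:
            if "--no-install-recommends" not in arg:
                findings.append("image-bloat: apt-get install without --no-install-recommends")
            if "rm -rf /var/lib/apt/lists" not in arg:
                findings.append("image-bloat: apt lists not removed in the same RUN layer")
    return findings


def missing_run_limits(argv: list[str]) -> list[str]:
    """No constraints: resource limits a `docker run` command line does not set."""
    wanted = {
        "memory": ("--memory", "-m"),
        "cpus": ("--cpus",),
        "pids": ("--pids-limit",),
    }
    missing = []
    for label, flags in wanted.items():
        present = any(a == f or a.startswith(f + "=") for a in argv for f in flags)
        if not present:
            missing.append(label)
    return missing


# Constructed samples (not from any real project).
BAD_DOCKERFILE = """
FROM ubuntu
RUN apt-get update && apt-get install -y openjdk-17-jre
COPY app.jar /app/app.jar
CMD ["java", "-jar", "/app/app.jar"]
"""

GOOD_DOCKERFILE = """
FROM eclipse-temurin:17-jre
RUN apt-get update \\
    && apt-get install -y --no-install-recommends ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --uid 10001 --no-create-home app
COPY app.jar /app/app.jar
USER 10001
CMD ["java", "-jar", "/app/app.jar"]
"""

BAD_RUN = ["docker", "run", "-d", "myapp:1.0"]
GOOD_RUN = ["docker", "run", "-d", "--memory=512m", "--cpus=1.5",
            "--pids-limit=256", "myapp:1.0"]

if __name__ == "__main__":
    print("bad:", lint_dockerfile(BAD_DOCKERFILE), missing_run_limits(BAD_RUN))
    print("good:", lint_dockerfile(GOOD_DOCKERFILE), missing_run_limits(GOOD_RUN))
```

Pinning to a tag is the minimum; pinning to a digest (`image@sha256:...`) makes the build reproducible, and either way "never updating" is then solved by a scheduled rebuild that bumps the pin, not by letting `:latest` drift.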
MANAGING YOUR IMAGES - REMOTE BY DEFAULT
START FREE: http://jfrog.co/FreeDevOpsTools_STLJUG
https://dzone.com/refcardz/getting-started-with-container-registries