LEVEL UP Your Java Container Images Melissa McKay Developer Advocate @JFrog
A presentation at St. Louis Java User Group Meetup in April 2021 in St. Louis, MO, USA by Melissa McKay
LEVEL UP Your Java Container Images Melissa McKay Developer Advocate @JFrog
MELISSA MCKAY Developer Advocate @JFrog @melissajmckay linkedin.com/in/melissajmckay
THE AGENDA • Brief History • The Container Market • What is Docker? • What is a Container? • Container Gotchas
HOW ARE YOU USING CONTAINERS TODAY??? • LOCALLY • TEST/QA ENVIRONMENTS • PRODUCTION • WE DON’T USE THEM TODAY • WE ARE CONSIDERING USING THEM
ALL ABOUT … CONTAINERS
SHARING LIMITED RESOURCES 1979 / 1982- chroot
PROGRESS TOWARD VIRTUALIZATION ▪ 2000 - FreeBSD jail ▪ 2004 - Solaris Zones / snapshots ▪ 2006 - Google Process Containers / cgroups ▪ 2008 - IBM LinuX Containers (LXC) ▪ 2013 - Docker (open source!) - Google LMCTFY (open source!) ▪ 2014 - Docker trades LXC for libcontainer ▪ … more stuff happened 1 201 7 a v a J 2014 Java 8 ▪ June 2015 - Open Container Project/Initiative (OCI) ○ Runtime Specification (runtime-spec) ○ Image Specification (image-spec) ▪ … even more stuff happened and is still happening!
THE CONTAINER MARKET (according to Sysdig) 2017 - 45,000 Containers, 99% Docker 2018 - 90,000 Containers Fig. 1. 2018 Container Runtimes from: “2018 Docker usage report,” 29 May. 2018, sysdig.com/blog/2018-docker-usage-report/. Accessed 10 Jun. 2020. 18
THE CONTAINER MARKET (according to Sysdig) 2019 - 2 million Containers (includes both SaaS & on prem users) Fig. 2. 2019 Container Runtimes from: “Sysdig 2019 Container Usage Report: New Kubernetes and security insights,” 29 Oct. 2019, sysdig.com/blog/sysdig-2019-container-usage-report/. Accessed 10 Jun. 2020. 19
THE CONTAINER MARKET (according to Sysdig) 2020/21 - 2 million Containers (a subset of customer containers) Fig. 3. Container runtimes from: “REPORT.2021 Container Security And Usage Report,” Jan 2021, https://dig.sysdig.com/c/pf-2021-container-security-and-usage-report?x=u_WFRi. Accessed 21 Jan. 2021. 20
WHAT EXACTLY IS DOCKER? 21
WHAT DO WE ACTUALLY NEED/WANT? • An isolated environment where a user/application can operate, sharing the host system’s OS/kernel without interfering with the operation of another isolated environment on the same system (a container) • A way to define a container (an image format) • A way to build an image of a container • A way to manage container images • A way to distribute/share container images • A way to create a container environment • A way to launch/run a container (a container runtime) • A way to manage the lifecycle of container instances 22
DOCKER, THE WHOLE PACKAGE docker images DOCKER ENGINE DOCKER IMAGE FORMAT Dockerfile docker build docker rm docker push docker pull DOCKER HUB docker run docker stop docker ps 23
BREAKING UP THE MONOLITH OCI IMAGE FORMAT • Docker V2 Image Spec OCI CONTAINER RUNTIME • runC (which used to be libcontainer… which was written by Docker) OTHERS - containerd, rkt, cri-o, Kata, etc… https://lwn.net/Articles/741897/ https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r 24
WHAT IF I DON’T WANNA DOCKAH?? & Skopeo https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/ https://www.redhat.com/en/blog/say-hello-buildah-podman-and-skopeo https://developers.redhat.com/blog/2020/02/12/podman-for-macos-sort-of/ 25
WHAT EXACTLY IS A CONTAINER? 26
CONTAINER COMPONENTS TARBALL OF A FILESYSTEM LINUX FEATURES • namespaces • cgroups • Union File systems Mix these together to create and run a container! Voila! https://docs.docker.com/get-started/overview/ 27
FILESYSTEM DETAILS … … NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen) screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty 28
FILESYSTEM DETAILS … … 29
FILESYSTEM DETAILS 30
CONTAINER GOTCHAS 31
CONTAINER GOTCHAS - RUNNING AS ROOT 32
CONTAINER GOTCHAS - NO CONSTRAINTS 33
CONTAINER GOTCHAS - NEVER UPDATING 34
CONTAINER GOTCHAS - JAVA/JVM GOTCHAS 35
CONTAINER GOTCHAS - IMAGE BLOAT 36
MANAGING YOUR IMAGES - REMOTE BY DEFAULT START FREE: http://jfrog.co/FreeDevOpsTools_STLJUG https://dzone.com/refcardz/getting-started-with-container-registries 38
