LEVEL UP Your Java Container Images Melissa McKay Developer Advocate @JFrog

THE SWAG http://bit.ly/JFokusJFrog2021

MELISSA MCKAY Developer Advocate @JFrog melissajmckay linkedin.com/in/melissajmckay

THE AGENDA
• Brief History
• The Container Market
• What is Docker?
• What is a Container?
• Container Gotchas

HOW ARE YOU USING CONTAINERS TODAY???
• LOCALLY
• TEST/QA ENVIRONMENTS
• PRODUCTION
• WE DON’T USE THEM TODAY
• WE ARE CONSIDERING USING THEM

ALL ABOUT … CONTAINERS

SHARING LIMITED RESOURCES
▪ 1979 / 1982 - chroot

PROGRESS TOWARD VIRTUALIZATION
▪ 2000 - FreeBSD jail
▪ 2004 - Solaris Zones / snapshots
▪ 2006 - Google Process Containers / cgroups
▪ 2008 - IBM LinuX Containers (LXC)
▪ 2013 - Docker (open source!) - Google LMCTFY (open source!)
▪ 2014 - Docker trades LXC for libcontainer
▪ … more stuff happened (Java timeline: 2011 - Java 7, 2014 - Java 8)
▪ June 2015 - Open Container Project/Initiative (OCI)
  ○ Runtime Specification (runtime-spec)
  ○ Image Specification (image-spec)
▪ … even more stuff happened and is still happening!

THE CONTAINER MARKET (according to Sysdig)
2017 - 45,000 Containers, 99% Docker
2018 - 90,000 Containers
Fig. 1. 2018 Container Runtimes from: “2018 Docker usage report,” 29 May 2018, sysdig.com/blog/2018-docker-usage-report/. Accessed 10 Jun. 2020.

THE CONTAINER MARKET (according to Sysdig)
2019 - 2 million Containers (includes both SaaS & on prem users)
Fig. 2. 2019 Container Runtimes from: “Sysdig 2019 Container Usage Report: New Kubernetes and security insights,” 29 Oct. 2019, sysdig.com/blog/sysdig-2019-container-usage-report/. Accessed 10 Jun. 2020.

THE CONTAINER MARKET (according to Sysdig)
2020/21 - 2 million Containers (a subset of customer containers)
Fig. 3. Container runtimes from: “REPORT. 2021 Container Security And Usage Report,” Jan 2021, https://dig.sysdig.com/c/pf-2021-container-security-and-usage-report?x=u_WFRi. Accessed 21 Jan. 2021.

WHAT EXACTLY IS DOCKER?

WHAT DO WE ACTUALLY NEED/WANT?
• An isolated environment where a user/application can operate, sharing the host system’s OS/kernel without interfering with the operation of another isolated environment on the same system (a container)
• A way to define a container (an image format)
• A way to build an image of a container
• A way to manage container images
• A way to distribute/share container images
• A way to create a container environment
• A way to launch/run a container (a container runtime)
• A way to manage the lifecycle of container instances

DOCKER, THE WHOLE PACKAGE
• DOCKER ENGINE - docker build, docker images, docker rm, docker run, docker stop, docker ps
• DOCKER IMAGE FORMAT - Dockerfile
• DOCKER HUB - docker push, docker pull

BREAKING UP THE MONOLITH
OCI IMAGE FORMAT
• Docker V2 Image Spec
OCI CONTAINER RUNTIME
• runC (which used to be libcontainer… which was written by Docker)
OTHERS - containerd, rkt, cri-o, Kata, etc…
https://lwn.net/Articles/741897/
https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r

WHAT EXACTLY IS A CONTAINER?

CONTAINER COMPONENTS
TARBALL OF A FILESYSTEM
LINUX FEATURES
• namespaces
• cgroups
• Union File systems
Mix these together to create and run a container! Voila!
https://docs.docker.com/get-started/overview/

FILESYSTEM DETAILS
NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen):
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty

CONTAINER GOTCHAS

CONTAINER GOTCHAS - RUNNING AS ROOT

CONTAINER GOTCHAS - NO CONSTRAINTS

CONTAINER GOTCHAS - NEVER UPDATING

CONTAINER GOTCHAS - JAVA/JVM GOTCHAS

CONTAINER GOTCHAS - IMAGE BLOAT
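As an added example (not from the talk), a Dockerfile for a Java service that addresses the five gotchas above: a multi-stage build keeps the JDK and build tooling out of the shipped image, a non-root USER avoids running as root, the base tag is pinned so regular rebuilds pick up patches deliberately, and JVM flags make the heap follow the container's cgroup memory limit. The Maven wrapper, target/app.jar, port 8080 and the eclipse-temurin base images are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the talk. Assumptions: a Maven project with the
# Maven wrapper checked in that produces target/app.jar; eclipse-temurin
# base images; the service listens on port 8080.

# ---- Build stage: full JDK and build tooling never reach the final image ----
FROM eclipse-temurin:17-jdk AS build
WORKDIR /src
COPY . .
RUN ./mvnw -q -DskipTests package

# ---- Runtime stage: JRE only (image bloat) ---------------------------------
# Pin the tag so builds are reproducible, and rebuild on a schedule so base
# image patches actually reach production (never updating).
FROM eclipse-temurin:17-jre

# Create an unprivileged user. A fixed high UID lets an admission policy
# (e.g. Kubernetes runAsNonRoot) verify it without an /etc/passwd lookup.
RUN useradd --system --uid 10001 --no-create-home app
WORKDIR /app
COPY --from=build --chown=app:app /src/target/app.jar app.jar

# Running as root: switch to the unprivileged user before the ENTRYPOINT.
USER 10001
EXPOSE 8080

# JVM gotchas: let the heap follow the container's cgroup memory limit instead
# of the host's RAM. Container support is on by default in JDK 10+ and 8u191+;
# MaxRAMPercentage replaces a hard-coded -Xmx that ignores the limit.
ENV JAVA_TOOL_OPTIONS="-XX:+UseContainerSupport -XX:MaxRAMPercentage=75.0 -XX:+ExitOnOutOfMemoryError"
ENTRYPOINT ["java", "-jar", "/app/app.jar"]

# No constraints: limits live outside the image and are set at run time, e.g.
#   docker run --memory=512m --cpus=1 --read-only --cap-drop=ALL image:tag
# Without --memory the JVM sizes its heap from the host, not the container.
```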

MANAGING YOUR IMAGES - REMOTE BY DEFAULT
START FREE: http://bit.ly/JFokus_Free_DevOps_Tools
https://dzone.com/refcardz/getting-started-with-container-registries

THE SWAG - DON’T FORGET! http://bit.ly/JFokusJFrog2021

Q&A THANK YOU! Melissa McKay @melissajmckay linkedin.com/in/melissajmckay