Unpacking the Container: A Crash Course in Virtualized Container Technology

Unpacking the Container A Crash Course in Virtualized Container Technology Melissa McKay http://jfrog.com/shownotes

MELISSA MCKAY Developer Advocate @JFrog melissajmckay

HOW ARE YOU USING CONTAINERS TODAY??? • LOCALLY • TEST/QA ENVIRONMENTS • PRODUCTION • WE DON’T USE THEM TODAY • WE ARE CONSIDERING USING THEM

THE AGENDA • Brief History • The Container Market • What is Docker? • What is a Container? • Container Gotchas

ALL ABOUT … CONTAINERS

SHARING LIMITED RESOURCES 1979 / 1982- chroot

PROGRESS TOWARD VIRTUALIZATION ▪ 2000 - FreeBSD jail ▪ 2004 - Solaris Zones / snapshots ▪ 2006 - Google Process Containers / cgroups ▪ 2008 - IBM LinuX Containers (LXC) ▪ 2013 - Docker (open source!) - Google LMCTFY (open source!) ▪ 2014 - Docker trades LXC for libcontainer ▪ … more stuff happened ▪ June 2015 - Open Container Project/Initiative (OCI) ○ Runtime Specification (runtime-spec) ○ Image Specification (image-spec) ▪ … even more stuff happened and is still happening!

THE CONTAINER MARKET (according to Sysdig) 2017 - 45,000 Containers, 99% Docker 2018 - 90,000 Containers Fig. 1. 2018 Container Runtimes from: “2018 Docker usage report,” 29 May. 2018, sysdig.com/blog/2018-docker-usage-report/. Accessed 10 Jun. 2020. 10

THE CONTAINER MARKET 2019 - 2 million Containers (includes both SaaS & on prem users) Fig. 2. 2019 Container Runtimes from: “Sysdig 2019 Container Usage Report: New Kubernetes and security insights,” 29 Oct. 2019, sysdig.com/blog/sysdig-2019-container-usage-report/. Accessed 10 Jun. 2020. 11

WHAT EXACTLY IS DOCKER? 12

WHAT DO WE ACTUALLY NEED/WANT? • An isolated environment where a user/application can operate, sharing the host system’s OS/kernel without interfering with the operation of another isolated environment on the same system (a container) • A way to define a container (an image format) • A way to build an image of a container • A way to manage container images • A way to distribute/share container images • A way to create a container environment • A way to launch/run a container (a container runtime) • A way to manage the lifecycle of container instances 13

DOCKER, THE WHOLE PACKAGE docker images DOCKER ENGINE DOCKER IMAGE FORMAT Dockerfile docker build docker rm docker push docker pull DOCKER HUB docker run docker stop docker ps 14

BREAKING UP THE MONOLITH OCI IMAGE FORMAT • Docker V2 Image Spec OCI CONTAINER RUNTIME • runC (which used to be libcontainer… which was written by Docker) OTHERS - containerd, rkt, cri-o, Kata, etc… https://lwn.net/Articles/741897/ https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r 15

WHAT IF I DON’T WANNA DOCKAH?? & Skopeo https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users/ https://www.redhat.com/en/blog/say-hello-buildah-podman-and-skopeo https://developers.redhat.com/blog/2020/02/12/podman-for-macos-sort-of/ 16

WHAT EXACTLY IS A CONTAINER? 17

CONTAINER COMPONENTS TARBALL OF A FILESYSTEM LINUX FEATURES • namespaces • cgroups • Union File systems Mix these together to create and run a container! Voila! https://docs.docker.com/get-started/overview/ 18

FILESYSTEM DETAILS … … NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen) screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty 19

FILESYSTEM DETAILS … … 20

FILESYSTEM DETAILS 21

CONTAINER GOTCHAS 22

CONTAINER GOTCHAS - RUNNING AS ROOT 23

CONTAINER GOTCHAS - NO CONSTRAINTS 24

CONTAINER GOTCHAS - NEVER UPDATING 25

CONTAINER GOTCHAS - JAVA/JVM GOTCHAS 26

CONTAINER GOTCHAS - IMAGE BLOAT 27

MANAGING YOUR IMAGES - REMOTE BY DEFAULT https://dzone.com/refcardz/getting-started-with-container-registries 29

Q&A THANK YOU! Melissa McKay @melissajmckay