THE AGENDA
• Container History
• Containers in Real Life
• Container Gotchas
• Distroless Images
Slide 4
ALL ABOUT … CONTAINERS
Slide 5
SHARING LIMITED RESOURCES
1979 / 1982 - chroot
Slide 6
PROGRESS TOWARD VIRTUALIZATION
▪ 2000 - FreeBSD jail
▪ 2004 - Solaris Zones / snapshots
▪ 2006 - Google Process Containers / cgroups
▪ 2008 - IBM LinuX Containers (LXC)
▪ 2013 - Docker (open source!) - Google LMCTFY (open source!)
▪ 2014 - Docker trades LXC for libcontainer
▪ … more stuff happened
2011 Java 7
2014 Java 8
▪ June 2015 - Open Container Project/Initiative (OCI)
  ○ Runtime Specification (runtime-spec)
  ○ Image Specification (image-spec)
▪ … even more stuff happened and is still happening!
Slide 7
WHAT EXACTLY IS A CONTAINER?
Slide 8
CONTAINER COMPONENTS
TARBALL OF A FILESYSTEM
LINUX FEATURES
• namespaces
• cgroups
• Union File systems
Mix these together to create and run a container! Voila!
https://docs.docker.com/get-started/overview/
Slide 9
FILESYSTEM DETAILS …
… NOTE: On OSX, containers will actually be running in a tiny Linux VM (use screen)
screen ~/Library/Containers/com.docker.docker/Data/vms/0/tty
Slide 10
FILESYSTEM DETAILS
…
…
Slide 11
FILESYSTEM DETAILS
Slide 12
CONTAINER GOTCHAS
Slide 13
CONTAINER GOTCHAS - RUNNING AS ROOT
Slide 14
CONTAINER GOTCHAS - NO CONSTRAINTS
Slide 15
CONTAINER GOTCHAS - NEVER UPDATING
Slide 16
CONTAINER GOTCHAS - JAVA/JVM GOTCHAS
Slide 17
CONTAINER GOTCHAS - IMAGE BLOAT
Slide 18
DISTROLESS IMAGES - AND MULTISTAGE BUILDS
• Waste Not Want Not (smaller images)
• No Shell
• No Exec
https://github.com/GoogleContainerTools/distroless (examples)
Slide 19
MANAGING YOUR IMAGES - REMOTE BY DEFAULT
https://dzone.com/refcardz/getting-started-with-container-registries
START FREE: https://bit.ly/MelissaWKSHP