5. DEVOPS INDONESIA
Docker
• 3.5 million applications have been placed in containers using Docker technology
• 37 billion containerized applications have been downloaded.
• 451 Research also sees Docker technology being wildly successful
• Annual revenue is expected to increase by 4x, growing from $749 million in 2016 to more than $3.4 billion by 2021
Slide 6
Docker
• A container image format
• A method for building container images (Dockerfile/docker build)
• A way to manage container images (docker images, docker rmi, etc.)
• A way to manage instances of containers (docker ps, docker rm, etc.)
• A way to share container images (docker push/pull)
• A way to run containers (docker run)
Slide 9
The History of Containers
1979: chroot syscall added
2000: Jails added to FreeBSD
2001: Linux-VServer project
2003: SELinux added to Linux mainline
2005: Full release of Solaris Zones
2006: Process confinement
2007: GPC renamed cgroups
2008: Kernel & user namespaces
2008: Linux Container project (LXC)
2013: dotCloud PyCon lightning talk
2013: dotCloud becomes Docker
2013: Red Hat Enterprise Linux
2014: Google Kubernetes
Slide 10
Container
Important corrections
● Containers do not run ON Docker. Containers are processes; they run on the Linux kernel. Containers are Linux.
● The docker daemon is one of the many user-space tools/libraries that talk to the kernel to set up containers.
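To make the "containers are processes" point concrete, here is an added Python example (not from the slides or from any engine's code) that inspects a process the way the kernel sees it: its namespace inodes under /proc/<pid>/ns and its cgroup path from /proc/<pid>/cgroup, compared against PID 1. The cgroup naming patterns used to guess which engine started a process (docker-*.scope, libpod-*.scope, crio-*.scope, /kubepods) are assumptions drawn from common engine defaults; the sample cgroup lines in the test are constructed.

```python
"""Containers are Linux processes: compare a process's namespace inodes and
cgroup path with PID 1's. Added example; cgroup naming patterns are assumptions
based on common engine defaults, not taken from the slides."""
import os
import re
from typing import Dict, Optional

NS_KINDS = ("pid", "mnt", "net", "uts", "ipc", "user", "cgroup")

# Assumed cgroup path fragments written by common engines (hypothetical defaults).
ENGINE_PATTERNS = {
    "docker": re.compile(r"/docker[-/]|docker-[0-9a-f]{12,}\.scope"),
    "podman": re.compile(r"libpod-[0-9a-f]{12,}\.scope"),
    "cri-o": re.compile(r"crio-[0-9a-f]{12,}\.scope"),
    "kubernetes": re.compile(r"/kubepods"),
}


def parse_cgroup(text: str) -> Dict[str, str]:
    """Parse /proc/<pid>/cgroup lines of the form 'hierarchy:controllers:path'.
    cgroup v2 has an empty controller list, which is recorded as 'unified'."""
    paths: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        _hierarchy, controllers, path = parts
        paths[controllers or "unified"] = path
    return paths


def guess_engine(cgroup_paths: Dict[str, str]) -> Optional[str]:
    """Return the engine whose cgroup naming matches, or None for a host process."""
    for path in cgroup_paths.values():
        for engine, pattern in ENGINE_PATTERNS.items():
            if pattern.search(path):
                return engine
    return None


def namespace_inodes(pid: int) -> Dict[str, Optional[str]]:
    """Read the namespace symlinks under /proc/<pid>/ns; None when not readable
    (other users' processes, or a non-Linux host)."""
    result: Dict[str, Optional[str]] = {}
    for kind in NS_KINDS:
        try:
            result[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            result[kind] = None
    return result


def differing_namespaces(a: Dict[str, Optional[str]],
                         b: Dict[str, Optional[str]]) -> list:
    """Namespace kinds where both links are readable and point at different inodes.
    A process sharing every namespace with PID 1 is not isolated at all."""
    return sorted(k for k in NS_KINDS if a.get(k) and b.get(k) and a[k] != b[k])


def inspect_process(pid: int) -> Dict[str, object]:
    """Summarise one process: cgroup-derived engine guess and namespaces
    that differ from PID 1's."""
    try:
        with open(f"/proc/{pid}/cgroup", encoding="utf-8") as fh:
            cgroups = parse_cgroup(fh.read())
    except OSError:
        cgroups = {}
    return {
        "pid": pid,
        "engine": guess_engine(cgroups),
        "isolated_namespaces": differing_namespaces(namespace_inodes(pid),
                                                    namespace_inodes(1)),
    }


if __name__ == "__main__":
    # On a plain host this shows no engine and no differing namespaces;
    # run inside a container and the pid/mnt/net/uts/ipc inodes differ from PID 1.
    print(inspect_process(os.getpid()))
```

Run it once on the host and once inside `podman run` or `docker run` to see the same script report different namespace inodes: nothing "runs on Docker", the kernel simply put the process into other namespaces and a differently named cgroup.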
Slide 11
Container Engine
1. Provide API/User Interface
○ We really want to use a simple API and/or command line tool. That’s how the docker command line interface and API were developed.
2. Pulling/Expanding images to disk
○ The container engine has to pull the images to a local cache.
○ Extracting the image layers to disk when a container is created.
3. Building a config.json
○ Container engine is responsible for creating a config.json and passing it to runc.
Slide 12
Container Runtime
● Consuming the container mount point provided by the Container Engine
● Consuming the container metadata (config.json) provided by the Container Engine
● Communicating with the kernel to start containerized processes (clone system call)
● Setting up cgroups
● Setting up SELinux policy
● Setting up AppArmor rules
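The config.json the engine builds and hands to the runtime is where most of a container's security posture is decided (user, capabilities, namespaces, cgroup limits, read-only root). The Python example below is added here and is not code from the slides or from any engine: it constructs a config.json in the shape the OCI runtime spec defines and then lints it for weak settings before it would reach runc. The base defaults, the dangerous-capability list and the check names are this example's own assumptions.

```python
"""Build the config.json a container engine hands to runc and check it for
weak settings. Added example; field names follow the OCI runtime spec, while
the defaults, thresholds and findings are this example's own assumptions."""
import copy
import json
from typing import Dict, List

# Assumed engine defaults (hypothetical): unprivileged user, no new privileges,
# read-only root, minimal capabilities, all major namespaces, pids/memory limits.
BASE_CONFIG: Dict = {
    "ociVersion": "1.0.2",
    "process": {
        "terminal": False,
        "user": {"uid": 1000, "gid": 1000},
        "args": ["/bin/sh"],
        "env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
        "cwd": "/",
        "capabilities": {
            "bounding": ["CAP_NET_BIND_SERVICE"],
            "effective": ["CAP_NET_BIND_SERVICE"],
            "permitted": ["CAP_NET_BIND_SERVICE"],
        },
        "noNewPrivileges": True,
    },
    "root": {"path": "rootfs", "readonly": True},
    "hostname": "example",
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/tmp", "type": "tmpfs", "source": "tmpfs",
         "options": ["nosuid", "nodev", "noexec"]},
    ],
    "linux": {
        "namespaces": [{"type": t} for t in ("pid", "mount", "network", "ipc", "uts")],
        "resources": {"pids": {"limit": 256}, "memory": {"limit": 268435456}},
        "maskedPaths": ["/proc/kcore", "/sys/firmware"],
        "readonlyPaths": ["/proc/sys", "/proc/sysrq-trigger"],
    },
}

# Capabilities that effectively hand the process the host (this example's list).
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                  "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}
REQUIRED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}


def build_config(args: List[str], rootfs: str = "rootfs", **overrides) -> Dict:
    """Return a fresh config for `args`. Overrides use '__' as a path separator,
    e.g. root__readonly=False sets cfg['root']['readonly']."""
    cfg = copy.deepcopy(BASE_CONFIG)
    cfg["process"]["args"] = list(args)
    cfg["root"]["path"] = rootfs
    for dotted, value in overrides.items():
        node = cfg
        keys = dotted.split("__")
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = value
    return cfg


def lint_config(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    proc = cfg.get("process", {})
    linux = cfg.get("linux", {})
    if proc.get("user", {}).get("uid", 0) == 0:
        findings.append("process runs as uid 0 inside the container")
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges is not set; setuid binaries can escalate")
    caps = set()
    for capset in proc.get("capabilities", {}).values():
        caps.update(capset)
    bad = sorted(caps & DANGEROUS_CAPS)
    if bad:
        findings.append("dangerous capabilities granted: " + ", ".join(bad))
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    missing = sorted(REQUIRED_NAMESPACES - present)
    if missing:
        findings.append("namespaces not isolated from the host: " + ", ".join(missing))
    if "pids" not in linux.get("resources", {}):
        findings.append("no pids limit; a fork bomb can exhaust the host")
    return findings


def render(cfg: Dict) -> str:
    """Serialise exactly as the engine would write the bundle's config.json."""
    return json.dumps(cfg, indent=2, sort_keys=True)


if __name__ == "__main__":
    weak = build_config(["/bin/sh"], process__user={"uid": 0, "gid": 0},
                        process__noNewPrivileges=False, root__readonly=False)
    for finding in lint_config(weak):
        print("FINDING:", finding)
    print(render(build_config(["/bin/sh", "-c", "cat /hello"])))
```

The same checks apply to a real bundle: point `lint_config` at `json.load(open("config.json"))` from a directory prepared by an engine and it reports the same classes of weakness, which is a cheap gate to run in CI before an image is admitted to a cluster.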
Slide 13
You guys should read this
https://www.ianlewis.org/en/container-runtimes-part-1-introduction-container-r
Slide 14
So what is actually Docker?
Source: https://www.aquasec.com/wiki/display/containers/Docker+Architecture
Slide 15
So what is actually Docker nowadays?
● Docker contributed that library to the OCI standards body as a reference implementation called runc.
● runC is a lightweight tool that does one thing and does it well: it runs a container.
● Containerd is a simple daemon that uses runC to manage containers and exposes
● Docker Engine exposes not only containers, but also images, volumes, networks, builds, etc. using a full-blown HTTP API.
Slide 16
It Is Not Finished
2015: Red Hat Container Platform 3.0
2015: Standards via OCI and CNCF
2015: Tectonic announced
2016: Docker engine 1.12 adds swarm
2016: CRI-O project launched under the name OCID
2016: Containerd project launched
2016: Skopeo project launched under the name OCID
2017: Moby project announced
2017: Buildah released and ships in RHEL
2017: Kata merges Clear & RunV projects
2017: Docker includes the new containerd
2017: V1.0 of image & runtime spec
2018: CRI-O is GA and powers OpenShift Online
2018: Podman released and ships in RHEL
2018: V1.0 of distribution spec
Slide 17
Standardising Containers
• The goal of the OCI is to avoid a “balkanization” of the container ecosystem, and ensure that containers built with one engine can run on another
• Runtime spec (runc = reference implementation)
• Image spec
• Distribution spec
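What lets an image built by one engine run on another is that the image spec is content-addressed: every layer and the config are blobs named by their SHA-256 digest, and the manifest is a list of those descriptors. The Python example below is added here (it is not code from the slides or from any OCI project) and shows that mechanism with an in-memory blob store, a manifest built in the spec's shape, and a verifier that rejects a layer whose bytes no longer match the descriptor. The media type strings are the ones the OCI image spec defines; the blob store, sample layers and the `tamper` helper are constructed for the example.

```python
"""Toy OCI image store: content-addressed blobs, a manifest describing them,
and a verifier that refuses descriptors whose digest or size does not match.
Added example; media types follow the OCI image spec, everything else
(BlobStore, sample layers, tamper) is constructed here."""
import hashlib
import hmac
import json
from typing import Dict, List

MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"
CONFIG_TYPE = "application/vnd.oci.image.config.v1+json"
LAYER_TYPE = "application/vnd.oci.image.layer.v1.tar"


def sha256_digest(data: bytes) -> str:
    """Digest string in the form the spec uses: '<algorithm>:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class BlobStore:
    """In-memory stand-in for blobs/sha256/<hex> in an OCI image layout."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}

    def put(self, data: bytes) -> Dict:
        """Store bytes under their digest and return a descriptor for them."""
        digest = sha256_digest(data)
        self.blobs[digest] = data
        return {"digest": digest, "size": len(data)}

    def get(self, digest: str) -> bytes:
        return self.blobs[digest]  # KeyError when the blob is absent


def build_manifest(store: BlobStore, config: Dict, layers: List[bytes]) -> Dict:
    """Write config and layer blobs and describe them in a spec-shaped manifest."""
    cfg_desc = store.put(json.dumps(config, sort_keys=True).encode())
    cfg_desc["mediaType"] = CONFIG_TYPE
    layer_descs = []
    for layer in layers:
        desc = store.put(layer)
        desc["mediaType"] = LAYER_TYPE
        layer_descs.append(desc)
    return {"schemaVersion": 2, "mediaType": MANIFEST_TYPE,
            "config": cfg_desc, "layers": layer_descs}


def manifest_digest(manifest: Dict) -> str:
    """Digest of the canonical manifest bytes; pulling 'by digest' pins this."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_digest(canonical)


def verify_descriptor(store: BlobStore, desc: Dict) -> bool:
    """True only if the stored bytes have the descriptor's size and digest."""
    try:
        data = store.get(desc["digest"])
    except KeyError:
        return False
    algorithm, _, expected = desc["digest"].partition(":")
    if algorithm != "sha256" or len(data) != desc["size"]:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def verify_manifest(store: BlobStore, manifest: Dict) -> List[str]:
    """Return digests of descriptors that fail verification (empty = all good)."""
    descriptors = [manifest["config"], *manifest["layers"]]
    return [d["digest"] for d in descriptors if not verify_descriptor(store, d)]


def tamper(store: BlobStore, digest: str, new_data: bytes) -> None:
    """Simulate a cache or registry serving different bytes under the same name."""
    store.blobs[digest] = new_data


if __name__ == "__main__":
    store = BlobStore()
    manifest = build_manifest(store, {"architecture": "amd64", "os": "linux"},
                              [b"layer-one", b"layer-two"])
    print("manifest", manifest_digest(manifest), "bad:", verify_manifest(store, manifest))
    tamper(store, manifest["layers"][1]["digest"], b"layer-two-evil")
    print("after tamper, bad:", verify_manifest(store, manifest))
```

Because a layer is named by its digest, any engine that verifies descriptors on pull (which is what the distribution spec expects a client to do) rejects the altered layer, regardless of which tool produced the image.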
Slide 19
How a container gets created in a Kubernetes environment
At a high level, conceptually here is what is happening:
Orchestration API -> Container Engine API -> Kernel API
Digging one level deeper:
Kubernetes Master -> Kubelet -> Docker Engine -> containerd -> runc -> Linux kernel
Slide 20
Next
In OpenShift 4 they are moving to this architecture:
Kubernetes Master -> Kubelet -> CRI-O -> runc -> Linux kernel
In the coming months, theoretically, some Kubernetes deployments could look like this, with containerd:
Kubernetes Master -> Kubelet -> containerd -> runc -> Linux kernel
Slide 23
Docker alternative
• A method for building container images (Dockerfile/docker build)
• A way to manage container images (docker images, docker rmi, etc.)
• A way to manage instances of containers (docker ps, docker rm, etc.)
• A way to share container images (docker push/pull)
• A way to run containers (docker run)
Slide 25
CRI-O
Open source & Open governance
Lean, Stable, Secure and BORING!
● Tied to the CRI
● Shaped around Kubernetes
● Only supported user is Kubernetes
● Versioning and support are tied to Kubernetes
Slide 27
Podman
Library (libpod) and CLI (podman) for managing OCI-based pods, containers, and container images
• Replacement for docker cli (known CLI)
• Integrated with CRI-O
• No daemon running
Slide 32
Demo Buildah
$ container=$(buildah from fedora)
$ buildah containers
$ buildah config --author "rfebriya" --label "METADATA=Built with buildah" $container
$ buildah inspect $container
$ buildah run $container sh
# echo "Hello Riza, built by Buildah" > /hello
# ls /
# cat /hello
# exit
$ buildah commit $container riza/example-buildah
$ podman run -it riza/example-buildah cat /hello
$ buildah bud -t riza/example-buildah-dockerfile:200819 -f 200819/Dockerfile .
$ podman run -it riza/example-buildah-dockerfile:200819 cat /hello
Slide 33
Dockerless
Consume a Dockerfile, but build image without a docker daemon
Pros:
• Docker build-like experience (just write a Dockerfile)
• Less configuration
• Docker image best practices can be codified into tools
Cons:
• Dockerfile fidelity may make some use cases difficult
• Different approaches to image layer construction; very fragmented across vendors, no real standard
Slide 34
Conclusion
1. Docker still provides a nice end-to-end experience when it comes to containers, especially for developers
2. Docker engine doesn’t move at the same speed as Kubernetes. It’s on a totally different lifecycle (the same is true of containerd). This makes it difficult to add features to the engine to support the Kubelet.
3. There are some alternatives out there besides Docker, and they are still far from finished.