Building specialized container-based systems with Moby: a few use cases
This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios. We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary. Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.
6. Docker is building a stack to program the Internet
CE / EE
A commercial product, built on a development platform, built on infrastructure, built on standards.
8. Docker EE Container Platform to Modernize Traditional Apps and beyond
Diagram: Image Registry, CI/CD, Security scan & sign, Control Plane; application types: Traditional, Third Party, Microservices; docker store; Developers / IT Operations.
More Info: Docker.com/MTA
10. Docker is a platform made of components
Diagram: Raft Store, Node Identity, Secrets, Routing Mesh, Overlay Networking, Swarm Orchestration, Engine, Application Services
12. A Brief History
APRIL 2016 Containerd “0.2” announced, Docker 1.11
DECEMBER 2016 Announce expansion of containerd OSS project
Management/Supervisor for the OCI runc executor
Containerd 1.0: A core container runtime project for the industry
MARCH 2017 Containerd project contributed to CNCF
13. runc
containerd
Why Containerd 1.0?
▪ Continue projects spun out from monolithic Docker engine
▪ Expected use beyond Docker engine (Kubernetes CRI)
▪ Donation to foundation for broad industry collaboration
  ▫ Similar to runc/libcontainer and the OCI
14. Technical Goals/Intentions
▪ Clean gRPC-based API + client library
▪ Full OCI support (runtime and image spec)
▪ Stability and performance with tight, well-defined core of container function
▪ Decoupled systems (image, filesystem, runtime) for pluggability, reuse
15. Requirements
- A la carte: use only what is required
- Runtime agility: fits into different platforms
- Pass-through container configuration (direct OCI)
- Decoupled
- Use known-good technology
  - OCI container runtime and images
  - gRPC for API
  - Prometheus for Metrics
16. Use cases
- CURRENT
  - Docker (moby)
  - Kubernetes (cri-containerd)
  - SwarmKit (experimental)
  - LinuxKit
  - BuildKit
- FUTURE/POTENTIAL
  - IBM Cloud/Bluemix
  - OpenFaaS
  - {your project here}
17. LinuxKit
A toolkit for building secure, portable and lean operating systems for containers
18. What is LinuxKit?
A toolkit for building secure, portable and lean operating systems for containers.
● uses Moby tooling to build system images
● everything is a container
● has run on the Containerd 1.0 branch for over four months
● lightweight, fully customizable
19. Some metrics
● 75 contributors!
● first new maintainer appointed from the community
● 50 commits a week since DockerCon
20. Arm64 support
Thanks to Dennis Chen at ARM
● multi arch base images so system containers can be built
● signed multiarch manifests - thanks to IBM for all their work
● thanks to Packet.net for providing ARM64 machines
● ongoing work on EFI boot that works cross platform
● other architectures now easy to add
21. Linux Containers on Windows
● as announced at DockerCon
● LinuxKit provides build images in blueprints/lcow.yml
● ultra minimal system only 13MB
● blog post soon with HOWTO instructions
● ongoing work with Microsoft on shipping this
22. Platform support
The community added support for so many platforms...
● Azure
● OpenStack
● VMware and vCenter
● Packet.net
● Vultr
● IBM Bluemix
... and improved AWS, GCP, Hyperkit, KVM, Hyper-V...
24. Lots of smaller improvements
● TPM support
● containers to run on clean shutdown
● fully immutable images, e.g. CD-ROM images
● 4.10, 4.11, 4.12 kernels, 4.13 coming soon
● namespace sharing for system containers
● rewrote a lot of shell scripts in Go for better maintainability
● OCI runtime spec 1.0
● static PIE binaries everywhere
● many more tests
25. WireGuard graduated from projects
● fast, secure, modern VPN tunnel based on the Noise framework
● added to the LinuxKit kernels
● now easy to construct network tunnels between system containers
● prototype next stage of container networking
26. Kubernetes about to graduate from projects
● initial port contributed by Weave for DockerCon launch
● maintained since then
● also working on CRI-Containerd support, with shared system containerd
● more work ongoing
● full testing and validation planned
28. LinuxKit Use Cases
● Linux Containers on Windows - announced at DockerCon, in the works
● Docker for Mac: shipping in edge release soon
● Kubernetes with shared system containerd
● Secure appliances
● Network function virtualization
32. It’s time to take our ecosystem to the next level…
By collaborating on components AND COMMON ASSEMBLIES.
34. A framework to assemble specialized container systems without reinventing the wheel.
– Library of 80+ components
– Package your own components as containers
– Reference assemblies deployed on millions of nodes
– Create your own assemblies or start from an existing one
35. Docker uses Moby for its open-source
– Thousands of contributors, hundreds of patches/week
– Component development
– Specialized assembly development
– Integration tests
– Architecture design
– Integration with other projects
– Experimentation and bleeding-edge features
36. Docker uses Moby for its open-source... and so can you!
– Community-run
– Open governance inspired by the Fedora project
– Plays well with existing projects - no donation necessary!
38. What it means for you
System Builders: Moby helps you innovate without tying you to Docker
Docker Users: Docker will better leverage the ecosystem to innovate faster for you
47. Notary & TUF
A Framework for trusted content distribution.
48. What is Notary?
- Framework for trusted content distribution.
- Golang implementation of The Update Framework (TUF)
- Created by a group of NYU researchers.
- Based on the TOR updater Thandy
49. Proposal to contribute to CNCF June 20
- Still waiting for vote
- Proposal and discussion at https://github.com/cncf/toc/pull/38
50. TUF core concepts
- Compromise-resilient software distribution
- Principled, graceful degradation of security
- Focus on key revocation / partial compromise of infrastructure
- Applies security best practices: separation of privilege (roles), threshold signatures, minimizing risk, selective delegation of trust, etc.
- Flexibility
  - Does not prescribe exactly how to perform a task
  - Works with existing deployment constraints
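The threshold-signature and key-revocation rules the slide lists are easy to get wrong in a verifier, so here is an added example (not Notary's or TUF's own code) of the core check: a "targets" role with three trusted ed25519 keys and a threshold of 2, signed over a constructed metadata blob. Key IDs are a truncated hex of the public key rather than TUF's canonical hash, a simplification labelled in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Role is what root metadata says about one TUF role ("targets" here):
// the trusted public keys indexed by key ID, and the signature threshold.
type Role struct{ Keys map[string]ed25519.PublicKey; Threshold int }
// Signature is one entry of a signed metadata file: which key, what signature.
type Signature struct{ KeyID string; Sig []byte }
// keyID names a key by its public bytes (hex, truncated); real TUF hashes the
// canonical key object. The shortcut is a simplification for this example.
func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub)[:16] }

// Verify applies TUF's threshold rule: metadata is trusted only when at least
// Threshold distinct trusted keys have valid signatures over it. Signatures by
// unknown or revoked keys, and repeat signatures by one key, do not count.
func (r Role) Verify(signed []byte, sigs []Signature) bool {
	counted := map[string]bool{}
	for _, s := range sigs {
		pub, trusted := r.Keys[s.KeyID]
		if trusted && !counted[s.KeyID] && ed25519.Verify(pub, signed, s.Sig) {
			counted[s.KeyID] = true
		}
	}
	return len(counted) >= r.Threshold
}

// Scenario builds a 2-of-3 targets role over constructed metadata and reports:
// two valid signatures pass; after root revokes one of those keys the same
// file fails; one key signing twice cannot reach the threshold.
func Scenario() (twoOfThree, afterRevoke, duplicateKey bool) {
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: 2}
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		role.Keys[keyID(pub)] = pub
		privs = append(privs, priv)
	}
	meta := []byte(`{"_type":"targets","version":7}`) // constructed stand-in for canonical JSON
	sign := func(p ed25519.PrivateKey) Signature {
		return Signature{KeyID: keyID(p.Public().(ed25519.PublicKey)), Sig: ed25519.Sign(p, meta)}
	}
	s0, s1 := sign(privs[0]), sign(privs[1])
	twoOfThree = role.Verify(meta, []Signature{s0, s1})
	delete(role.Keys, s1.KeyID) // revocation: a new root no longer lists key 1
	afterRevoke = role.Verify(meta, []Signature{s0, s1})
	duplicateKey = role.Verify(meta, []Signature{s0, s0})
	return
}

func main() { fmt.Println(Scenario()) } // true false false
```

The "graceful degradation" the slide mentions shows up as the middle case: losing or revoking one key does not break trust in the role, it just means the remaining signers must reach the threshold on a freshly signed file.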
51. TUF in the Cloud Native Ecosystem
- Solves trusted data distribution problem.
- Specific opinionated implementations, or uses of existing tools like Notary, can solve the vast majority of content trust problems.
- Abstract solution aiming for best security.
- Sets the bar for high expectation of security in ecosystem.
56. Notary in the Cloud Native Ecosystem
- Solves the problem of image provenance
- Can be more generally applied:
  - OS/VM images
  - Updates/patches
  - Shared filesystems
  - External resources
- Every piece of deployed code from the OS to the application should be signed
57. Notary Use Cases
- Signing container images for trusted distribution.
  - Docker, Quay, Huawei, Motorola, VMware
- Signing system components/packages for system updates.
  - LinuxKit
- Signing filesystem integrity checksums
  - moby
- Threshold signing to require quorum for validity
  - Docker Data Center, Quay
- Signing service definitions
  - Docker Swarm, Kubernetes
58. Notary Community
- Open Sourced at DockerCon SF 2015
- 865 GitHub stars, 156 forks
- 45 Contributors
- 8 maintainers from 3 companies: Docker, CoreOS, Huawei
- 2600+ commits, 34 releases
60. Alignment with CNCF
- Provides state of the art trust and provenance for content distribution.
- Uses existing CNCF projects
  - gRPC
  - Prometheus
- Enhances existing CNCF projects
  - Can provide trusted content acquisition for containerd, Kubernetes, rkt
62. What is it?
• Launched at LinuxCon, Berlin in October, 2016.
• Toolkit for building declarative, self-managing distributed applications
• Active management with active controllers
  • scaling groups, rolling updates
  • monitoring / health checks
  • connecting nodes to L4 / ingress
• Declarative infrastructure
• Proposal to contribute to CNCF 6/20, too soon
63. What is InfraKit
• Toolkit for infrastructure automation
• Provisioning and management services for higher-level systems
• Focus on patterns and automation:
  • Convergence to declarative specification
  • Scaling groups, rolling updates
  • Infrastructure metadata, events
  • Immutable infrastructure
Diagram (stack, top to bottom): Application Definition/Development, Orchestration & Management, Runtime, Provisioning, Infrastructure (Bare Metal/Cloud)
64. InfraKit in a Cloud Native Ecosystem
• Immutable nodes + attached storage
• OS Images - LinuxKit integration
• Devops Deployment Tooling & Provisioning
• Infrastructure Automation
  • Compute - rolling updates, scaling groups
  • Storage
  • Network
Provisioning layer + infrastructure automation services
65. InfraKit Use Cases
• Day-0 (install), Day-1 (configure) of container orchestrators
  • Docker Swarm - Docker for GCP, AWS, Appcelerator/AMP
  • Kubernetes
• Day-N automation of infrastructure - provisioning, rolling updates and capacity scaling.
  • A cloud provider for Kubernetes Cluster Autoscaler
  • GPU cluster provisioning
• LinuxKit integration for building, deployment of custom OS on bare-metal or virtualized infrastructure (video).
67. InfraKit Deployment
Diagram: CLI → API → Control Plane
• High availability, single leader
• Can share leader election / spec storage with higher-level systems:
  • Docker swarm mode
  • etcd (k8s)
• As Docker or containerd / oci containers
• Typically “embedded” in control plane of higher systems as “system” containers (e.g. LinuxKit image)
68. InfraKit Community: active and growing
• Made public at LinuxCon, Berlin in October, 2016
• 1.5K Github stars, 140+ forks
• 16 infrastructure providers
• 4 maintainers, 4 companies (Docker, IBM, NTT, Axway)
• 25 contributors total, 200+ members on slack
• 460+ commits, 7 releases, ~50 commits / month
• Meetups: Moby Project Summit, April 20, 2017; Next: June 19, 2017
72. Support more platforms
• Compute:
  • Bare-metal: HP OneView, MAAS, RackHD
  • Public cloud: AWS, GCP
  • MacOS X (HyperKit); Docker containers
  • Coming soon: Azure, IBM, Digital Ocean, Packet, libvirt
• Other resource types
  • AWS - vpc, subnets, gateways, etc.
73. Improve usability
• Templates
  • Complex scripts and configuration in any format; no more escape quotes in JSON
  • Fetch templates from remote repositories
• Playbooks
  • CLI - flags, prompts — config driven and dynamic
  • Share “playbooks” from remote repositories
74. Improve core system
• High Availability — Swarm Mode or etcd
• New Plugin types — Metadata and Events
  • Metadata: cluster-wide sysfs and reflection
  • Events - publish / subscribe
• Remote client access: infrakit -H host:port to remote cluster
75. Use Cases
• Support container orchestration
  • bootstrapping + day N management
• API for cluster autoscaling
  • k8s, Docker Swarm Mode
• Bare-metal + GPU provisioning
• IoT — LinuxKit integration / custom kernel deployment
78. Example: build an autoscaling group
● Pick a plugin to create instances
● Add flavor plugin
● Embed config inside definition of a group.
ID: group/workers
Properties:
  Instance:
    Plugin: terraform
    Properties:
      # terraform config here
  Flavor:
    Plugin: kubernetes/worker
    Properties:
      # config add-on, etc.
Diagram: Client → Group RPC API → terraform (infrastructure API); kubernetes configs via the flavor plugin
79. … across zones / clouds
● Wrap instance plugins with Selector
● Selector selects plugin to provision, based on weights or spread evenly.
ID: group/workers
Properties:
  Instance:
    Plugin: selector/weighted
    Properties:
      aws-us-east/workers:
      gcp-us-central/workers:
      Options:
        - aws-us-east:80
        - gcp-us-central:20
  Flavor:
    Plugin: kubernetes/worker
    Properties:
      # config add-on, etc.
Diagram: Client → Group RPC API → weighted selector → aws-us-east (80%) / gcp-us-central (20%); kubernetes configs via the flavor plugin
80. … with provisioning priorities
● Tiered selector is just another Instance
● Selects one option after another until provisioning succeeds.
ID: group/workers
Properties:
  Instance:
    Plugin: selector/tiered
    Properties:
      - Plugin: vsphere/on-prem-workers
        Properties: # ...
      - Plugin: aws/ec2-spot-instance
        Properties: # spot price...
      - Plugin: aws/ec2-instance
        Properties: # on-demand…
  Flavor:
    Plugin: kubernetes/worker ...
Diagram: Client → Group RPC API → tiered selector → on-prem: vsphere, then cloud: AWS spot, then cloud: AWS on-demand; kubernetes configs via the flavor plugin
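Slides 78 to 80 describe selector semantics but not the decision logic, so here is an added example (not InfraKit's code) that models the two selectors over the slide's choices: weighted placement by a stable hash of the instance's logical ID, and tiered fallback that tries vSphere, then AWS spot, then AWS on-demand until one provisions. The Choice type and its Provision callback are hypothetical stand-ins for the instance-plugin RPC, with constructed outcomes.

```go
package main

import (
	"errors"
	"hash/fnv"
)

// Choice is one Instance option a selector can route a provisioning request to;
// Provision stands in for the instance-plugin RPC (hypothetical, not the project's API).
type Choice struct {
	Name      string
	Weight    int
	Provision func() (string, error)
}

// Tiered mirrors selector/tiered on the slide: options are tried in declared
// order and the first successful provision wins, so on-prem capacity is
// preferred, then spot, then on-demand. It fails only if every tier fails.
func Tiered(choices []Choice) (string, error) {
	for _, c := range choices {
		if id, err := c.Provision(); err == nil {
			return c.Name + "/" + id, nil
		}
	}
	return "", errors.New("all tiers failed to provision")
}

// Weighted mirrors selector/weighted: a stable hash of the instance's logical
// ID is mapped onto the cumulative weights (80/20 on the slide), so a given
// ID always resolves to the same choice and the fleet follows the ratio.
func Weighted(choices []Choice, logicalID string) Choice {
	total := 0
	for _, c := range choices { total += c.Weight }
	h := fnv.New32a(); h.Write([]byte(logicalID))
	pick := int(h.Sum32() % uint32(total))
	for _, c := range choices {
		if pick < c.Weight {
			return c
		}
		pick -= c.Weight
	}
	return choices[len(choices)-1] // not reached: pick is always below total
}

// Tiers is the slide's three-tier list with constructed outcomes: vSphere is
// out of capacity and the spot request is outbid, so on-demand is used.
func Tiers() []Choice {
	fail := func(msg string) func() (string, error) {
		return func() (string, error) { return "", errors.New(msg) }
	}
	return []Choice{
		{Name: "vsphere/on-prem-workers", Provision: fail("no capacity")},
		{Name: "aws/ec2-spot-instance", Provision: fail("spot price exceeded")},
		{Name: "aws/ec2-instance", Provision: func() (string, error) { return "i-0constructed", nil }},
	}
}
```

Because Weighted keys on the logical ID rather than on a random draw, a group controller that reconciles repeatedly converges on the same placement instead of shuffling instances between clouds.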
82. Learn More at OSS Summit
- Wednesday, September 13 • 4:00pm - 4:40pm: Unikernels: Where Are They Now? - Amir Chaudhry, Docker
- Thursday, September 14 • 9:00am - 12:10pm: Tutorial: Docker Container Orchestration: Building Clusters in Production - Bret Fisher, DevOps Sysadmin and Docker Captain & Laura Frank, Codeship
83. Moby Summit at OSS NA
Thursday, September 14, 2017
“An open framework to assemble specialized container systems without reinventing the wheel.”
Tickets:
https://www.eventbrite.com/e/moby-summit-los-angeles-tickets-35930560273
Docker has its roots in dev productivity. Still a lot of work to do; solve it by listening to devs, solving all their problems one by one. Let’s talk about dev problems.
our job is to give you the best tools to take your app to prod securely
3 rules we follow
usability, portability, scalability
usable security so that devs don't bypass it
scale, automation
Docker suite of tools for security in production
tools deliver security that is
usable
scalable
portable
not getting in the way of operators
help developers make applications be more secure
has to be easy and portable so that developers will use it.
Security never ends, continuous process
We made a lot of progress this year
4 features I want to talk about
reason that Docker is so componentized because of open dev model we adopted
partnered with an ecosystem that grew around it
several phases
----
docker is a container platform
solve problems for our users
develop new components, or improve existing components
open dev model, 12 oss projects produce one component of a container platform
any one project useless on its own
This is compared to “container systems of the past” that were monolithic and tightly coupled
Example: hard to reuse components; e.g. take a Docker graphdriver and use it to implement a volume driver
introduced assemblies
allowed docker to scale internally
allowed us to ramp up to 12 editions of docker
complexity
duplication of effort, design
introduced an additional level of collaboration, assembly, captures what is common and that teams can use for their environments
looks like this, moby origin, assembly we use to create editions of docker
all of our assembly dev will take place in moby project
if want close derivative to docker platform, join dev of moby origin
want different assembly, fork moby-origin
partners
Introducing a new project
where Docker does 100% of its oss work
all components
all assemblies
inviting users, partners the whole ecosystem to join this project and together take container ecosystem to the mainstream
seed this project with 12s of components, an assembly that is very stable and deployed in prod on 1000s nodes
the most important project we have introduced since 2014
not a foundation: moby does not own projects
any project can come collab and retain ownership of their code
platform based on containers
Docker uses Moby to innovate in the open.
Each version of Docker will innovate faster
More innovation/more choice
TUF is used in production by Docker, LEAP, App Container with integrations on-going into multiple other large projects. It is standardized by Python for deployment in their community repository. The automotive industry has begun integrating a TUF-variant called Uptane. You can buy Uptane from two suppliers, with an OEM currently integrating Uptane. It has been security audited by multiple groups.
InfraKit is designed to automate setup and management of infrastructure in support of distributed systems and higher-level container orchestration systems. These are the use cases we currently focus on.
Maintainers from a diverse set of companies: Docker, IBM, NTT, and Axway.
Used in Docker Editions (Docker for AWS, Docker for GCP), Axway Appcelerator
Instance plugin implementations map to different platform providers.
Diverse set of platforms from bare-metal provisioning (HP OneView, Dell/EMC RackHD) to public clouds (AWS, Alibaba Cloud). Even includes integration with Terraform for even more platform coverage.