Containers

Overview

  • OS-level virtualization

Containers: an engine that enables any payload to be encapsulated

  • as a lightweight, portable, self-sufficient container
    • that can be manipulated using standard operations and run consistently on virtually any hardware platform

      high level: a lightweight VM (machine container)

      • owns process space
      • owns network interface
      • has root access privileges
      • can have its own /sbin/init (binary files)

      low level: chroot on steroids (application container)

      • can also have its own /sbin/init
      • container = isolated processes
      • shares the kernel with the host

Containers are isolated but share OS when appropriate

  • resulting in faster deployment, less overhead, easy migration, fast restart

Cloud Container:

  • content agnostic: can encapsulate any payload and its dependencies
  • hardware agnostic: uses OS primitives
    • can run consistently on any hardware or VM
  • content isolation and interaction: resource, network, and content isolation
    • avoids complex dependencies
  • automation: standardized operations
    • good for DevOps
  • highly efficient: lightweight
  • separation of duties: dev = code, ops = infrastructure

Why do developers like containers? Build once, run anywhere

  • "anywhere" means on an x86 server running a modern Linux kernel
  • clean, safe, portable runtime environment
  • no missing dependencies, packages, or other issues in subsequent deployments
  • runs each app in its own isolated container
  • automate testing, integration, packaging: anything you can script
  • reduces concerns about compatibility across different platforms
  • cheap, zero-penalty containers to deploy services

a VM without the overhead of a VM: instant replay and reset of image snapshots

Open Container Initiative

  • an open governance structure for the express purpose of creating open industry standards around container formats and runtimes

At a high level

  • an OCI implementation downloads an OCI image
    • then unpacks that image into an OCI Runtime filesystem bundle
      • the OCI Runtime Bundle is then run by an OCI runtime
  • the three OCI specifications
    • the Runtime specification outlines how to run a filesystem bundle that is unpacked on disk
    • the Image specification
    • the Distribution specification
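The download, unpack, run flow above, as an added example that is not part of these notes or of any OCI project: a Python sketch that checks each manifest descriptor's size and content digest before a layer is accepted into the bundle, and emits a minimal config.json with hardened defaults for the runtime. The manifest, the blob store and the tampered blob store are constructed inline; the media types, `ociVersion` 1.0.2 and the config field names are from the OCI specs, but the config covers only a subset of what a real runtime requires.

```python
import hashlib

def digest(data: bytes) -> str:
    """Content address in OCI descriptor form: 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def descriptor(media_type: str, data: bytes) -> dict:
    return {"mediaType": media_type, "digest": digest(data), "size": len(data)}

# Constructed blobs standing in for what a pull would fetch from a registry.
CONFIG_BLOB = b'{"architecture":"amd64","os":"linux"}'
LAYER_A, LAYER_B = b"tar-bytes-of-layer-a", b"tar-bytes-of-layer-b"
BLOBS = {digest(b): b for b in (CONFIG_BLOB, LAYER_A, LAYER_B)}
# Same store, but the registry hands back a swapped layer of identical size.
TAMPERED_BLOBS = {**BLOBS, digest(LAYER_A): b"tar-bytes-of-layer-X"}

# Constructed manifest in the shape of an OCI image manifest: config + ordered layers.
MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": descriptor("application/vnd.oci.image.config.v1+json", CONFIG_BLOB),
    "layers": [descriptor("application/vnd.oci.image.layer.v1.tar", b) for b in (LAYER_A, LAYER_B)],
}

def fetch_verified(desc: dict, blobs: dict) -> bytes:
    """Check size and digest of a blob against its descriptor before trusting it."""
    data = blobs.get(desc["digest"])
    if data is None or len(data) != desc["size"] or digest(data) != desc["digest"]:
        raise ValueError(f"blob {desc['digest']} missing, wrong size or wrong digest")
    return data

def unpack(manifest: dict, blobs: dict) -> list:
    """Verified layers in manifest order; these would be applied to rootfs/ in the bundle."""
    fetch_verified(manifest["config"], blobs)
    return [fetch_verified(layer, blobs) for layer in manifest["layers"]]

def image_is_trusted(manifest: dict, blobs: dict) -> bool:
    try:
        return bool(unpack(manifest, blobs))
    except ValueError:
        return False

def bundle_config(args: list) -> dict:
    """Minimal config.json for the runtime bundle (subset of OCI runtime spec fields) with hardened defaults."""
    return {
        "ociVersion": "1.0.2",
        "process": {"args": args, "cwd": "/", "user": {"uid": 1000, "gid": 1000}, "noNewPrivileges": True},
        "root": {"path": "rootfs", "readonly": True},
        "linux": {"namespaces": [{"type": t} for t in ("pid", "net", "mount", "ipc", "uts")]},
    }
```

The tampered store passes the size check and fails only on the digest, which is the point of content addressing: the manifest pins what the registry may return, and a runtime should refuse to unpack anything that does not match.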

Best Practices

  • use OCI-compliant tools
    • select runtime engines that follow the OCI specs
    • implement OCI-compliant registries
  • Container Image Management
    • follow OCI image format guidelines
    • implement proper versioning
    • use standard manifest formats
  • Security Considerations
    • implement image signing
    • follow OCI security best practices
    • regular security audits