Containers, OCI, CNCF,
Magnum, Kuryr, and You!
Jeffrey Borek
Daniel Krook
Val Bercovici
Program Director, Open Tech, IBM
Senior Software Engineer, IBM
Global Cloud CTO, NetApp/SolidFire
@JeffBorek
@DanielKrook
@valb00

What you will learn today
• The benefits and tradeoffs of standalone container technology and its organic
community based evolution over time
• How containerization fits into OpenStack, and in particular its role in the Magnum
and Kuryr projects
• What the container focused Linux Foundation collaborative projects aim to achieve
• Open Container Initiative opencontainers.org
• Cloud Native Computing Foundation cncf.io
• How OCI and CNCF container standardization affects OpenStack

Our background is in open source and open standards
Jeffrey Borek
• IBM representative to the OCI & CNCF, Chair of Docker Governance Advisory Board
• WW Program Director, Open Technologies and Partnerships, Cloud Computing
• @JeffBorek
Daniel Krook
• Customer advocate for open technologies adoption (OpenStack, Cloud Foundry, Docker)
• Senior Software Engineer, Cloud and Open Source Technologies, IBM
• @DanielKrook
Val Bercovici
• Governing Boards SNIA SSSI, CDMI, LF CNCF
• Global Cloud CTO, NetApp/SolidFire
• @valb00

Container technology today enables greater density, faster
startup, and more consistent packaging of applications
Containers provide isolation for processes
sharing compute, networking, and
storage resources on a host system.
They are logically similar to virtualized
machine instances but share the host
kernel and avoid hardware emulation.
Applications can be packaged with all the
additional dependencies that they need,
above what is provided by the host.
This makes them efficient to run, easy to
move from host to host, and enable more
granular control of applications.
There are tradeoffs and drawbacks,
however, including isolation. Consider the
analogy of buying a house (VM) versus
renting an apartment (container).
Diagram source: Exploring Opportunities: Containers and OpenStack
Abstractions required for
VMs, not used by containers

Containers are not new. Many organic innovations from many
independent organizations have brought them where we are today.
Jails
VServer
Zones
cgroups
Namespaces
LXC
Docker
FreeBSD Jails expand
on Unix chroot to
isolate files
2000
Linux-­VServer ports
kernel isolation, but
requires recompilation
Solaris Zones bring the
concept of snapshots
Google introduces
Process Containers,
merged as cgroups
Red Hat adds user
namespaces, limiting root
access in containers
IBM creates LXC,
providing user
tools for cgroups
and namespaces
Docker provides
simple user tools
and images.
Containers go
mainstream
20082004
20062001 2008
2013

Several OpenStack projects leverage containers to more efficiently use
resources, deploy faster, and package services more consistently
A Docker hypervisor driver for
Nova Compute to treat containers
and images as the same type of
resource as virtual machines.
Nova
A plugin template for
orchestrating Docker resources
on top of OpenStack resources.
Allows access to full Docker API.
Heat
Containerizes the OpenStack
control services themselves as
microservices to simplify the
operational experience.
Kolla
Provides an application catalog
of containerized applications
that can be deployed to an
OpenStack cloud.
Murano
OpenStack is above all an integration engine, bringing various technologies
together through common APIs. Therefore, containers have naturally been plugged
into several existing projects and will find their way into other areas as well.
Provides an API to manage multi-­
tenant Containers-­as-­a-­Service
leveraging Heat, Nova, and
Neutron.
Magnum
Brings the Neutron networking
model to containers. Providing
consistency between bare metal,
virtual machines, and containers.
Kuryr

Magnum provides APIs and tenant isolation for Container Orchestration Engines
• Complete management for containers within OpenStack
• Orchestrates the underlying host machines with Heat
• Implements multi-­tenancy of separate clusters through Keystone
• Provides multi-­host networking with Neutron
• Supports several Container Orchestration Engines (COE)
• Docker Swarm
• Google Kubernetes
• Apache Mesos
• Allows direct access to native container APIs
• Docker CLI clients can access hosts and containers
• The Kubernetes client can also directly manage pods, services, etc.

Magnum builds on several other mature OpenStack projects
Magnum
components
Diagram source: Exploring Opportunities: Containers and OpenStack

Kuryr connects Docker and Kubernetes networks to OpenStack
• Kuryr provides networking to Docker containers
by leveraging the Neutron APIs and services. It
also provides containerized images for common
Neutron plugins.
• Kuryr should address Magnum project use cases
in terms of containers networking and serve as a
unified interface for Magnum or any other
OpenStack project that needs to leverage
containers networking through Neutron API.
• Kuryr also builds on mature OpenStack projects
• Keystone for authentication
• Neutron client
• Oslo libraries
Docker
Engine
Kuryr
libnetwork
Neutron

Introducing the Linux Foundation Open Container Initiative (OCI)
A single, open container specification:
• Not bound to higher level constructs such as a
particular client or orchestration stack
• Not tightly associated with any particular commercial
vendor or project
• Portable across a wide variety of operating systems,
hardware, CPU architectures, public clouds, etc.
The OCI is a lightweight, open
governance structure for the
express purpose of creating
open industry standards
around container formats and
runtime
Announced June 22, 2015
opencontainers.org

The OCI aims to meld ecosystems towards an open standard
• Users should be able to package their
application once and have it work with any
container runtime
• The standard should fulfill the requirements of
the most rigorous security and production
environments
• The standard should be vendor neutral and
developed in the open

The OCI governs a container specification and an implementation
Open Container Runtime Spec
Docker container runtime implementation:
runC (formerly libcontainer)
CoreOS runtime implementation:
appC (formerly Rocket)
github.com/opencontainers
Spec and implementation
updated in concert
Innovation driven
into the specOpen Container Initiative
ecosystem
Community
innovation driven into
the spec
Open Image Format Spec
Good News!
• Open
Specification for
Container Image
• Starting with
Docker v2.2
• Announced
April 14, 2016

Introducing the Cloud Native Computing Foundation (CNCF)
• Container packaged: In order to improve the
overall developer experience, foster code reuse
and simplify operations
• Dynamically managed: Actively scheduled and
managed by a central orchestrating process to
radically improve machine efficiency
• Micro-­services oriented: Loosely coupled with
dependencies explicitly described through service
endpoints for overall agility, maintainability of
applications
The CNCF plans to create and drive
the adoption of a new set of
common container technologies,
driven and informed by technical
merit and end user value, inspired
by Internet-­scale computing
Announced July 21, 2015
cncf.io

CNCF: Supporting companies and initial high level architecture
Just as the OCI targets container
image portability, the CNCF targets
cloud application portability…

CNCF: Incubation projects
Seed project:
Reported by
the press
for possible
future inclusion:
bit.ly/k8s-­cncf
“The acceptance of Kubernetes is a first step in establishing
the CNCF as an organization that supports leading cloud
native projects of production quality, but this is just the start.
The future of cloud native will involve many projects and use
cases, which we look forward to advancing.”

Keep an eye on developments in these areas as you formulate
your organization's containerization strategy. Please get involved
to ensure standards reflect your own usage scenarios.
Container technology has evolved over the
last 16 years with contributions from many
organizations.
It will continue to do so with greater
collaboration and governance through the
Open Container Initiative and the Cloud Native
Computing Foundation.
Containerization is used throughout
OpenStack in Nova, Heat, Kolla, Murano and
other big tent projects…
…but Magnum and Kuryr will be the most
impacted by standards given the exposure of
COE native APIs (Kubernetes, Swarm, Mesos)
and separately governed container standards.
The OpenStack Foundation provides
governance over Infrastructure-­as-­a-­Service
(compute, network, and storage) APIs.
The OCI and the CNCF will provide
governance of container formats and
standardize orchestration engine technologies.

Online resources
The OpenStack Magnum wiki bit.ly/mgm-­wiki
OpenStack Magnum midcycle meetup presentation bit.ly/mgnm-­mid
Austin Summit videos, with Kuryr deep dives bit.ly/aus-­videos
Exploring Opportunities: Containers and OpenStack whitepaper bit.ly/ctrs-­os
The Docker and Container Ecosystem TheNewStack publication bit.ly/tns-­ctrs
Open Containers Initiative web site opencontainers.org
Cloud Native Computing Foundation web site cncf.io
The history of containers Red Hat EL blog post bit.ly/rh-­ctrs
Moments in container history Pivotal infographic bit.ly/pvt-­ctrs