Container Runtimes: Comparing and contrasting today’s engines
WHO AM I?
Phil Estes
Senior Technical Staff Member
Office of the CTO, IBM Watson & Cloud Platform
Maintainer, Docker engine
Maintainer, containerd
Contributor, OCI/runc
Docker Captain & {code} Catalyst
Blog: https://integratedcode.us
Twitter: @estesp
BORING!!
Let’s Make Containers Boring - Vincent
Batts, Red Hat (meetup talk)
An Ode To Boring: Creating Open and Stable
Container World - Bob Wise (Medium)
The goal of standardising containers is,
ultimately, to make them boring - Jonathan
Boulle (Container Camp interview)
But many platform builders and operators are looking for “boring
infrastructure”: a basic component that provides the robust primitives
for running containers on their system, bundled in a stable interface,
and nothing else. - Docker Blog, containerd announcement
NOT QUITE AS BORING
1. What is a container runtime?
Phil’s Dictionary Definition:
A software interface to operating
system “container” isolation
technology used to execute
lifecycle commands (create, start,
pause, resume, stop, delete)
against a container instance.
CONTAINER HISTORY LESSON
[Timeline figure; axis marks: 1982, 2000, 2005, 2006, 2007, 2008, Today. Labels, in order: Unix/chroot, BSD; FreeBSD jails/Solaris zones; OpenVZ, Parallels; Cgroups/Process Containers, IBM/Google; AIX Wpars, IBM; LXC]
WHERE WE ARE TODAY IS MOSTLY DUE TO DOCKER
▸ 2013-2014: A better UX on top of LXC + image library
▸ 2014: libcontainer project (moving away from LXC)
▸ 2016-17: OCI, runc, containerd refactoring
Docker’s surge in popularity created an
environment where containers went from
relatively obscure Linux kernel technology to
standard developer tool for packaging software.
[Timeline figure, 2013 to 2017. Labels: Runtime specification; Image specification; runC implementation; Garden-runC; Guardian project; K8s CRI; *[0.2.x branch]; *[1.0 branch]]
2. Comparing the container runtimes
[Docker engine architecture figure. Labels: /usr/bin/docker; /usr/bin/dockerd; HTTP/JSON Docker API; gRPC API; libnetwork; VolumeAPI; AuthZ; ctr-shim; runc]
Single statically-linked binary comprised:
> Client
> Daemon
> Build tool
> Registry client
▸ Launched in December 2014
▸ Differences of opinion and direction caused CoreOS to
create rkt as a Docker alternative
▸ CoreOS created standards that rkt was an
implementation for: the appc spec comprised a
runtime configuration and the ACI image format
▸ Rkt moved to a “pod-native” approach to
containers/applications early on (v0.5.3)
▸ Daemon-less operation supported by systemd and,
specifically, systemd-nspawn
▸ Contributed as a CNCF project in March 2017
Created in December 2014
> 63 releases (1.28.1 current)
> 185 contributors
> CoreOS created; now a CNCF project
> Available as Kubernetes CRI
Implementation, Mesos, Nomad drivers
▸ Uses a stage execution model
to allow for different “stage1”
implementations:
▹ Qemu-kvm
▹ Systemd/nspawn
▹ “Fly” (simple chroot)
▹ 3rd party
implementations
▸ Appc Spec development
deprecated in favor of using
OCI specs for future rkt
releases.
Design/Implementation
& runC
> Announced June 20th, 2015
> Charter signed on
December 8th, 2015
> 44 member companies
> Both specifications
reached 1.0 last month
https://opencontainers.org
https://github.com/opencontainers
> runc is a client wrapper around libcontainer
> libcontainer is the OS level interface for containers
> OCI spec covers Solaris, Linux, & MS Windows
$ docker run -it --read-only \
    -v /host:/hostpath \
    alpine sh
/ #

config.json (excerpt):
{
  "ociVersion": "1.0.0",
  "platform": {
    "os": "linux",
    "arch": "amd64"
  },
  "process": {
    "terminal": true,
    "args": [
      "sh"
    ],
    "env": [
      "PATH=/usr/sbin:/usr/local/bin:/bin"
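Added example (not from the slides, and not code from the OCI or runc projects): a small Go auditor that reads a runtime-spec config.json of the kind shown above and reports settings that weaken isolation, such as the writable bind mount that `-v /host:/hostpath` produces. The sample config is constructed for illustration rather than captured Docker output, and the choice of checks is this example's assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Spec is the subset of an OCI runtime-spec config.json used by the checks below.
type Spec struct {
	Process struct {
		NoNewPrivileges bool `json:"noNewPrivileges"`
		Capabilities    struct {
			Bounding []string `json:"bounding"`
		} `json:"capabilities"`
	} `json:"process"`
	Root struct {
		Readonly bool `json:"readonly"`
	} `json:"root"`
	Mounts []struct {
		Destination string   `json:"destination"`
		Type        string   `json:"type"`
		Source      string   `json:"source"`
		Options     []string `json:"options"`
	} `json:"mounts"`
	Linux struct {
		Namespaces []struct {
			Type string `json:"type"`
		} `json:"namespaces"`
	} `json:"linux"`
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Audit parses config.json and returns one finding per weak setting (checks are this example's choice).
func Audit(raw []byte) ([]string, error) {
	var s Spec
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	var out []string
	if !s.Root.Readonly {
		out = append(out, "root.readonly is false: root filesystem is writable")
	}
	for _, m := range s.Mounts {
		bind := m.Type == "bind" || has(m.Options, "bind") || has(m.Options, "rbind")
		if bind && !has(m.Options, "ro") {
			out = append(out, fmt.Sprintf("host path %s is bind-mounted writable at %s", m.Source, m.Destination))
		}
	}
	if !s.Process.NoNewPrivileges {
		out = append(out, "process.noNewPrivileges is false: setuid binaries can gain privileges")
	}
	for _, c := range []string{"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE"} {
		if has(s.Process.Capabilities.Bounding, c) {
			out = append(out, "bounding capability set contains "+c)
		}
	}
	// A namespace type missing from linux.namespaces is inherited from the runtime.
	present := map[string]bool{}
	for _, n := range s.Linux.Namespaces {
		present[n.Type] = true
	}
	for _, t := range []string{"pid", "network", "ipc", "uts", "mount"} {
		if !present[t] {
			out = append(out, "no "+t+" namespace entry: inherited from the runtime")
		}
	}
	return out, nil
}

// sampleConfig is constructed for this example; it is not captured Docker output.
const sampleConfig = `{
  "ociVersion": "1.0.0",
  "process": {
    "terminal": true, "args": ["sh"], "noNewPrivileges": false,
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_KILL"]}
  },
  "root": {"path": "rootfs", "readonly": true},
  "mounts": [{"destination": "/hostpath", "type": "bind", "source": "/host", "options": ["rbind", "rprivate"]}],
  "linux": {"namespaces": [{"type": "pid"}, {"type": "network"}, {"type": "ipc"}, {"type": "uts"}, {"type": "mount"}]}
}`

func main() {
	findings, err := Audit([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

Even with a read-only root filesystem, the sample is flagged for the writable host bind mount and the unset noNewPrivileges flag.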
• A Linux Foundation Collaborative Project
• Free from control by any particular vendor’s specific cloud stack or ecosystem
• Includes a specification, reference runtime* and now, a specified image format
*seeded with runc + libcontainer by Docker
runC
Created in June 2015
> 16 releases (1.0.0-rc4 current)
> 215 contributors
> OCI maintained/governance
> Used by Docker, containerd,
garden-runc/Guardian, others
▸ Runc is a client wrapper around the pre-existing
libcontainer library project
▸ Runc is one implementation of the OCI runtime
specification
▸ Scope of runc is clearly limited by OCI charter: no
networking, image handling/resolution, storage
support
▸ Enablement of low-level OS features happens here:
ambient caps, rootless containers, new cgroup support,
and so on
▸ Daemon-less operation; wrapping code must handle
any broader node and cluster level container mgmt.
Garden-runC/Guardian
Created in June 2015
> 29 releases (1.9.2 current)
> 40+ contributors
> CF project governance
> Garden CF runtime uses this
implementation to run containers
▸ Cloud Foundry is an enterprise-class PaaS open source
project that has used Linux containers for many years
▸ CF Garden-linux driver now is deprecated in favor of the
garden-runc/guardian codebase, using OCI+runc to
execute containers
▸ The guardian codebase effectively wraps runc with
network, image, volume, and rootfs management
support that runC doesn’t provide on its own
▸ Because of the use of OCI & runc, this guardian layer
has added support for interesting things like rootless
containers (experimental) and Windows container
support
https://github.com/cloudfoundry/garden-runc-release | https://github.com/cloudfoundry/guardian
Created in December 2015
> 22 releases (1.0.0-alpha6 current)
> 96 contributors
> Docker created; now a CNCF project
> Used by Docker, cri-containerd
(incubation project in K8s), AWS, VMware
▸ Launched initially in December 2015 (used as part of a
Docker release in early 2016)
▸ Two streams of activity to discuss:
▹ “0.2.x” branch: used in today’s Docker releases as a
simple runc manager
▹ “1.0.0” branch: based on the December 2016
announcement and contribution of containerd to
CNCF for use as a core embeddable container
runtime for Kubernetes and other projects
▸ Executes containers using the OCI runc executor;
containerd manages state/metadata, image & registry
interactions, snapshot drivers (overlay, btrfs)
▸ Supports Windows, Linux, Solaris, multi-arch
[containerd architecture figure. Labels: Client library (Golang); gRPC; Service APIs; IMAGE, TASK, CONTAINER; Metadata, Content, Snapshotter; Runtime; Linux (shim); OCI runC; Vendor client library to embed containerd { or }]
▸ Metrics API & Prometheus support
▸ OCI runtime and image support
▸ Clean API and abstractions
▸ Pluggable runtime support (used by VMware impl.)
▸ Namespace support (multi-tenancy)
Created in September 2016
> 6 releases (1.0.0-beta.0 current)
> 49 contributors
> Kubernetes incubation project
> Specifically created to implement
the K8s CRI; no standalone usage
▸ Launched in September 2016
▸ An assembly of components to implement the
Kubernetes CRI:
▹ OCI runc (or any OCI runtime implementation)
▹ containers/image & containers/storage GitHub
libraries
▹ Network support via CNI plugins
▸ Red Hat created and maintained project; promoted as
runtime for Kubernetes and OpenShift (K8s-based)
▸ Based on the idea that K8s has simple containerizer
needs: cri-o is “just enough” runtime built from OCI and
glue pieces to provide that baseline functionality
3. Summary
▸ THE GOOD:
▹ Docker and an early shared community brought about a tidal
wave of interest in (existing) container technology
▹ Plenty of cross-industry focus today on stable, “boring”
container runtime technology; higher layers are well
supported and have choice in runtime implementations
▹ OCI brought a strong community of experts together to
create a well-defined specification to standardize containers
▹ OCI specs & implementations are being shared!
▸ THE NOT SO GOOD:
▹ Human nature: we like doing our own thing; some amount of
confusion still in our ecosystem re: runtime strategy and
what is politics versus technical differentiation
▹ Open source politics & Twitter battles are wasting time and
energy; especially time that could == innovative/creative
power of competitive vendors working together on stable
underpinnings
@estesp
github.com/estesp
estesp@gmail.com
https://integratedcode.us
IRC: estesp
THANK YOU!
CREDITS
Special thanks to all the people who made and released these
awesome resources for free:
▸ Simple line icons by Mirko Monti
▸ E-commerce icons by Virgil Pana
▸ Streamline iconset by Webalys
▸ Presentation template by SlidesCarnival

How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 

Recently uploaded (20)

Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 

Container Runtimes: Comparing and Contrasting Today's Engines

  • 2. WHO AM I?
      Phil Estes
      Senior Technical Staff Member
      Office of the CTO, IBM Watson & Cloud Platform
      Maintainer, Docker engine
      Maintainer, containerd
      Contributor, OCI/runc
      Docker Captain & {code} Catalyst
      Blog: https://integratedcode.us
      Twitter: @estesp
  • 3. BORING!!
      Let’s Make Containers Boring - Vincent Batts, Red Hat (meetup talk)
      An Ode To Boring: Creating Open and Stable Container World - Bob Wise (Medium)
      The goal of standardising containers is, ultimately, to make them boring - Jonathan Boulle (Container Camp interview)
      But many platform builders and operators are looking for “boring infrastructure”: a basic component that provides the robust primitives for running containers on their system, bundled in a stable interface, and nothing else. - Docker Blog, containerd announcement
  • 5. 1. What is a container runtime? Phil’s Dictionary Definition: A software interface to operating system “container” isolation technology used to execute lifecycle commands (create, start, pause, resume, stop, delete) against a container instance.
  • 6. CONTAINER HISTORY LESSON
      [Timeline figure, 1982 to today; years marked: 1982, 2000, 2005, 2006, 2007, 2008. Labels: Unix/chroot (BSD); FreeBSD jails/Solaris zones; OpenVZ (Parallels); Cgroups/Process Containers (IBM/Google); AIX Wpars (IBM); LXC]
  • 7. WHERE WE ARE TODAY IS MOSTLY DUE TO DOCKER
      ▸ 2013-2014: A better UX on top of LXC + image library
      ▸ 2014: libcontainer project (moving away from LXC)
      ▸ 2016-17: OCI, runc, containerd refactoring
      Docker’s surge in popularity created an environment where containers went from relatively obscure Linux kernel technology to standard developer tool for packaging software.
  • 8. [Timeline figure, 2013 to 2017. Labels: Runtime specification; Image specification; runC implementation; Garden-runC / Guardian project; K8s CRI; *[0.2.x branch]; *[1.0 branch]]
  • 11.
      ▸ Launched in December 2014
      ▸ Differences of opinion and direction caused CoreOS to create rkt as a Docker alternative
      ▸ CoreOS created standards that rkt was an implementation for: the appc spec comprised a runtime configuration and the ACI image format
      ▸ Rkt moved to a “pod-native” approach to containers/applications early on (v0.5.3)
      ▸ Daemon-less operation supported by systemd and, specifically, systemd-nspawn
      ▸ Contributed as a CNCF project in March 2017
      Created in December 2014 > 63 releases (1.28.1 current) > 185 contributors > CoreOS created; now a CNCF project > Available as Kubernetes CRI Implementation, Mesos, Nomad drivers
  • 12. Design/Implementation
      ▸ Uses a stage execution model to allow for different “stage1” implementations:
          ▹ Qemu-kvm
          ▹ Systemd/nspawn
          ▹ “Fly” (simple chroot)
          ▹ 3rd party implementations
      ▸ Appc Spec development deprecated in favor of using OCI specs for future rkt releases.
  • 13. & runC
      > Announced June 20th, 2015
      > Charter signed on December 8th, 2015
      > 44 member companies
      > Both specifications reached 1.0 last month
      https://opencontainers.org
      https://github.com/opencontainers
      > runc is a client wrapper around libcontainer
      > libcontainer is the OS level interface for containers
      > OCI spec covers Solaris, Linux, & MS Windows
      $ docker run -it --read-only -v /host:/hostpath alpine sh
      /#
      config.json:
      { "ociVersion": "1.0.0", "platform": { "os": "linux", "arch": "amd64" }, "process": { "terminal": true, "args": [ "sh" ], "env": [ "PATH=/usr/sbin:/usr/local/bin:/bin"
      • A Linux Foundation Collaborative Project
      • Free from control by any particular vendor’s specific cloud stack or ecosystem
      • Includes a specification, reference runtime* and now, a specified image format
      *seeded with runc + libcontainer by Docker
  • 14. runC
      Created in June 2015 > 16 releases (1.0.0-rc4 current) > 215 contributors > OCI maintained/governance > Used by Docker, containerd, garden-runc/Guardian, others
      ▸ Runc is a client wrapper around the pre-existing libcontainer library project
      ▸ Runc is one implementation of the OCI runtime specification
      ▸ Scope of runc is clearly limited by OCI charter: no networking, image handling/resolution, storage support
      ▸ Enablement of low-level OS features happens here: ambient caps, rootless containers, new cgroup support, and so on
      ▸ Daemon-less operation; wrapping code must handle any broader node and cluster level container mgmt.
  • 15. Garden-runC/Guardian
      Created in June 2015 > 29 releases (1.9.2 current) > 40+ contributors > CF project governance > Garden CF runtime uses this implementation to run containers
      ▸ Cloud Foundry is an enterprise-class PaaS open source project that has used Linux containers for many years
      ▸ CF Garden-linux driver now is deprecated in favor of the garden-runc/guardian codebase, using OCI+runc to execute containers
      ▸ The guardian codebase effectively wraps runc with network, image, volume, and rootfs management support that runC doesn’t provide on its own
      ▸ Because of the use of OCI & runc, this guardian layer has added support for interesting things like rootless containers (experimental) and Windows container support
      https://github.com/cloudfoundry/garden-runc-release | https://github.com/cloudfoundry/guardian
  • 16.
      Created in December 2015 > 22 releases (1.0.0-alpha6 current) > 96 contributors > Docker created; now a CNCF project > Used by Docker, cri-containerd (incubation project in K8s), AWS, VMWare
      ▸ Launched initially in December 2015 (used as part of a Docker release in early 2016)
      ▸ Two streams of activity to discuss:
          ▹ “0.2.x” branch: used in today’s Docker releases as a simple runc manager
          ▹ “1.0.0” branch: based on the December 2016 announcement and contribution of containerd to CNCF for use as a core embeddable container runtime for Kubernetes and other projects
      ▸ Executes containers using the OCI runc executor; containerd manages state/metadata, image & registry interactions, snapshot drivers (overlay, btrfs)
      ▸ Supports Windows, Linux, Solaris, multi-arch
  • 17. [Architecture diagram. Labels: Metadata; Content; Snapshotter; Runtime; Linux (shim); OCI runC; IMAGE; TASK; CONTAINER; Client library (Golang); gRPC Service APIs; Vendor client library to embed containerd; { or }]
      ▸ Metrics API & Prometheus support
      ▸ OCI runtime and image support
      ▸ Clean API and abstractions
      ▸ Pluggable runtime support (used by VMWare impl.)
      ▸ Namespace support (multi-tenancy)
  • 18.
      Created in September 2016 > 6 releases (1.0.0-beta.0 current) > 49 contributors > Kubernetes incubation project > Specifically created to implement the K8s CRI; no standalone usage
      ▸ Launched in September 2016
      ▸ An assembly of components to implement the Kubernetes CRI:
          ▹ OCI runc (or any OCI runtime implementation)
          ▹ containers/image & containers/storage GitHub libraries
          ▹ Network support via CNI plugins
      ▸ Red Hat created and maintained project; promoted as runtime for Kubernetes and OpenShift (K8s-based)
      ▸ Based on the idea that K8s has simple containerizer needs: cri-o is “just enough” runtime built from OCI and glue pieces to provide that baseline functionality
  • 20.
      ▸ THE GOOD:
          ▹ Docker and an early shared community brought about a tidal wave of interest in (existing) container technology
          ▹ Plenty of cross-industry focus today on stable, “boring” container runtime technology; higher layers are well supported and have choice in runtime implementations
          ▹ OCI brought a strong community of experts together to create a well-defined specification to standardize containers
          ▹ OCI specs & implementations are being shared!
      ▸ THE NOT SO GOOD:
          ▹ Human nature: we like doing our own thing; some amount of confusion still in our ecosystem re: runtime strategy and what is politics versus technical differentiation
          ▹ Open source politics & Twitter battles are wasting time and energy; especially time that could == innovative/creative power of competitive vendors working together on stable underpinnings
  • 22. CREDITS
      Special thanks to all the people who made and released these awesome resources for free:
      ▸ Simple line icons by Mirko Monti
      ▸ E-commerce icons by Virgil Pana
      ▸ Streamline iconset by Webalys
      ▸ Presentation template by SlidesCarnival
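
Slide 13 shows a docker run command beside the start of the OCI config.json it becomes, and slide 14 notes that runc handles no networking, image or storage concerns, so that file is what a reviewer reads to see how a container is confined. The following is an added example, not taken from the deck or from any project it covers: a Python audit of one config.json. The sample config is constructed, and the function name, the flagged-capability set and the expected-namespace list are assumptions of this example.

```python
import json

# Constructed sample modelled on the slide-13 command
#   docker run -it --read-only -v /host:/hostpath alpine sh
# Field names follow the OCI runtime spec. CAP_SYS_ADMIN is added and the
# network namespace omitted on purpose so that more checks fire.
SAMPLE_CONFIG = """
{
  "ociVersion": "1.0.0",
  "process": {
    "terminal": true,
    "args": ["sh"],
    "env": ["PATH=/usr/sbin:/usr/local/bin:/bin"],
    "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"]},
    "noNewPrivileges": false
  },
  "root": {"path": "rootfs", "readonly": true},
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/hostpath", "type": "bind", "source": "/host",
     "options": ["rbind", "rprivate"]}
  ],
  "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"},
                           {"type": "ipc"}, {"type": "uts"}]}
}
"""

# Assumptions of this example, not values from the deck.
EXPECTED_NAMESPACES = {"pid", "mount", "ipc", "uts", "network"}
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN"}

def audit_oci_config(text):
    """Return a list of findings for one OCI runtime config.json document."""
    cfg = json.loads(text)
    findings = []
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable (root.readonly is not true)")
    for m in cfg.get("mounts", []):
        opts = m.get("options", [])
        is_bind = m.get("type") == "bind" or "bind" in opts or "rbind" in opts
        if is_bind and "ro" not in opts:
            findings.append("writable bind mount of host path %s at %s"
                            % (m.get("source"), m.get("destination")))
    proc = cfg.get("process", {})
    caps = set(proc.get("capabilities", {}).get("bounding", []))
    for cap in sorted(caps & RISKY_CAPS):
        findings.append("bounding set includes %s" % cap)
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not set")
    # A namespace type absent from linux.namespaces is inherited from the runtime.
    present = {n.get("type") for n in cfg.get("linux", {}).get("namespaces", [])}
    for ns in sorted(EXPECTED_NAMESPACES - present):
        findings.append("no %s namespace requested (shares the host's)" % ns)
    return findings

if __name__ == "__main__":
    for line in audit_oci_config(SAMPLE_CONFIG):
        print("FINDING:", line)
```

The read-only root from --read-only passes, while the -v bind mount is reported because it carries no "ro" option.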