
containerd update


Formal metadata

Title
containerd update
Alternative title
A containerd project update: 20 minute project update for 2019 FOSDEM containers devroom
Number of parts
561
License
CC Attribution 2.0 Belgium:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.

Content metadata

Abstract
Last year at FOSDEM, containerd was presented as a fairly new CNCF project which had just reached its 1.0 release a month prior. With two major releases since then and a large list of new adopters, including two major public clouds, containerd has continued to gain momentum as a project, and this talk will provide an update on users, releases, and the future plans for containerd and its maturity as a core, open source container runtime. In 2018, containerd and its CRI plugin were marked as GA for use in Kubernetes, followed by two major public clouds--Google's GKE and IBM Cloud's IKS--offering containerd as their managed Kubernetes cluster's runtime. containerd continues to be used by all Docker releases, and Docker has plans to remove more code from the moby project and utilize stable features within containerd instead, furthering adoption of containerd's codebase. Additionally, the attractive API and stability of containerd have brought quite a few new adopters since last year, including AWS Firecracker VMM, Kata Containers, Alibaba PouchContainer, and Microsoft contributing and hardening the complete Windows container support in the containerd 1.2 release. containerd has also proposed to be a "graduated" project in the CNCF and has received a full security audit which will be published soon.
Transcript: English (automatically generated)
All right, next up we've got Phil Estes, who's gonna give us an update on containerd. All right, good to see everybody. Who's heard of containerd?
Alright, so I'm not going to spend a whole lot of time on a deep dive of the architecture. There's lots of great talks on that that you can find. Most recently at KubeCon Seattle we did both an intro and a deep dive, where we had more time, but in 20 minutes I'm just going to kind of give you an update on the past year.
I spoke in this room last year. containerd was a bit younger then; we had just reached our 1.0 a few months before that. So I'm going to kind of start there and let you know what's happened in the past year. A little bit of overview: I just threw a few slides in here from our graduation proposal to the CNCF, just because it happened to be a good collection of information.
So it sounds like, again, most of you have heard of containerd. Again, the reason it sort of came to life related to this idea of just the contentions around what Docker was becoming, Kubernetes gaining popularity, and an outcry of, hey, we just want a boring container runtime that can be this sort of level playing field on which Docker can build its projects and products, and the Kubernetes community can have this sort of core container runtime that moves at a slower pace and has well-supported releases. So that was kind of the basis on which containerd came to life.
And really the key tenets that we focused on since we created the project are reliability and stability, so strong guarantees about the API, about its life, you know, EOL dates, how long things are supported, a very clear and stable client API. And so I think up on the screen those tweets are way too small to read. I'll post all this online after the talk, but these are people saying, hey, the API is great, it's so easy to build on top of containerd. And we'll look at how that's grown in the past year to not just being used by Docker and Kubernetes, but others are finding that API attractive and using containerd as a runtime in their own personal projects or even larger projects. And then performance, again, is another key focus area that we've had.
The community has grown quite a bit in the past year. This graph, again, is way too small for you to take too many meaningful things from it, although it's straight from the CNCF dashboard. So at any time you can go to the DevStats website on the CNCF and dig into any project and all the statistics. We can see at some point when we joined CNCF, it's interesting to note, a broad array of new contributors showed up and a lot more activity across a lot more companies. We currently have 12 maintainers representing eight different companies, and we also have a class of project maintainers we call reviewers who can LGTM, and that even adds more companies who are involved in the building of containerd.
Again, I just mentioned the usage. Again, that initial kind of proposal for containerd was, let's have this stable, boring container runtime that Docker can build on, that Kubernetes can build on. But since then we've definitely seen a huge increase in the number of adopters, of projects that are using containerd, and I'll come around toward the end of the talk and talk about a few of these and show this list again.
As I mentioned, those slides we just looked at came from the graduation proposal. The CNCF has levels of maturity, and Kubernetes has graduated, and a few others, CoreDNS, I believe. You can find that on the CNCF website, but at the moment we proposed to graduate last November. I think that is when we opened this PR. You can read there, again, the URL is at the top and I'll post this set of slides as well so you can follow through to the links.
Effectively, we presented this to the CNCF late in the year. Then there was KubeCon and a TOC election. So we're just now getting back on the docket to graduate. That may or may not be important to some of you, but at least this document collects up the requirements for graduation, and you can see some things that we've done in the last year to approach project health, maturity of the codebase, security audit. All those things are referenced in here and maybe of interest to some of you. I'll skip this first one because that's history prior to last FOSDEM.
This picks up here. We had just done 1.0 in late 2017. So last year at FOSDEM we were a few months into that, and then a few months after FOSDEM we released our 1.1 release. That's around the time that the CRI implementation, so again, the plug-in that implements the Kubernetes CRI interface, was a separate project, and I think I may have said in the containers devroom last year that the CRI project was going to merge into our same GitHub repo. That did happen, and now the CRI and containerd core itself are developed by the same group of people. The maintainers for the CRI plug-in are also maintainers in containerd and vice versa. So we've been working together now for just about a year.
And then containerd 1.2 was released in October, again, just about three months ago. The runtime shim API stabilized, and that's now being used by Kata and Firecracker, as was mentioned in a prior talk here today. Again, we've continued to focus on stability and also extensibility, which we'll look at in the architecture.
So I don't remember where we were a year ago with both IBM Cloud's and Google Cloud's managed Kubernetes offering, but now both of us, both IBM Cloud and GKE, have adopted containerd as the runtime underneath our Kubernetes offerings. And so again, you can go to GKE and start to create a cluster, and you can select containerd as the runtime. For IBM Cloud, if you create Kubernetes 1.12 or now 1.13 clusters, you automatically get containerd as a runtime.
I just mentioned for graduation the security audit. So the CNCF pays for a third-party security company to do audits of your code base and your project, and so that work completed in December, and so that's now published on our GitHub repo and on our website. And that's actually a really well done report on the code quality and security posture of containerd. And I already talked about the graduation criteria.
The interesting thing that I wanted to mention, that I said earlier, is that we're seeing use cases not just in these sort of traditional Docker and Kubernetes models, but we're in discussions with CERN about use of containerd in the HPC space, and we'll see why that may be interesting when we look at the plug-in model that we've matured in the last year. You've already heard about Firecracker if you were in the room earlier. That Rust-based VMM has an integration with containerd as well, and again, a lot of that coming out of focusing on a pluggable design and having a clean usage API.
So this is the architecture. I'm gonna, again, I'm not doing a deep dive here today in 20 minutes because I really couldn't do that in a feasible way, but we'll look at some highlights, and like I said, it's very easy to go out to YouTube and find the talks from KubeCon Seattle, the deep dive talk especially, digging into the architecture.
But effectively there's a set of gRPC services that are organized around containers, images and namespaces and the metadata around that. And those services sit over top of a runtime manager, which gives us the pluggability to not just use runc but runhcs, so we have full Windows support now that Microsoft has provided through their OCI implementation. Kata Containers has a shim. Again, you can actually, with the Kata integration of Firecracker, you can use their shim to either drive their QEMU/KVM-based lightweight virtualization, or you can now use it, after the PR merged in December, to drive Firecracker from the Kata shim. And again, that's pluggable and other shims can show up there as well.
And then snapshotters are the interface to file systems like overlay. So traditionally in Docker you think of graph drivers. Snapshotters are a simpler interface that can also be extended, and that's where CERN is interested in having a snapshotter that understands their highly distributed file system.
So focus on a few areas here in the next few slides. The Go API that I talked about, the client library, is being used by Docker, of course, by our ctr tool, our client tool, by Alibaba's PouchContainer project, and other projects as well. This is the area where, you know, people have been very happy with the design of this API. It's clean, it's easy to use, and it simply operates around the OCI specifications. So give me an OCI config and a bundle and containerd can create and start containers. It also handles push/pull, so it obviously can talk to registries. And actually it is extensible if you want to do more interesting things than the standard Docker v2, which is now becoming the OCI distribution spec.
Again, that sits over top of the actual gRPC API. If you wanted to use a specific service of containerd without using containerd as a whole, then you can go straight to the gRPC API and have low-level access to components. There's some interesting projects we highlight that people have built just using the services themselves. It also has built-in metrics support exposed through Prometheus. You can turn that on in your config.
And then I mentioned the CRI plug-in. So this is obviously how Kubernetes support is provided through containerd. The plug-in now obviously uses that same Go client. So the CRI plug-in is written in Go and becomes a client of containerd to handle the CRI API calls, and in fact uses the same listener Unix socket. So kubelet talks to the CRI, says, create me a sandbox, create me a container, and the CRI plug-in obviously uses the containerd Go API to actually do that work in containerd. So CRI is just one of many plugins. Again, the design is pluggable. CRI is one type of plug-in. It's built in by default.
So if you download a containerd release you automatically have the CRI plug-in, and part of that is why we merged the repositories. Snapshotter plugins, like I said, there's going to be built-ins like overlay, btrfs, aufs. But now, actually, in version 1.2 of containerd we support custom plugins, and so you can actually have your own snapshotter, your own custom file system. This is what we're working on with CERN. And this allows you to basically not even build yourself into the containerd codebase, to have containerd call your plug-in to do the snapshotter operations. And I believe we actually have an example of that in the code base. So if you want to see what it looks like to use an external snapshotter, Derek McGowan, one of our maintainers, actually wrote a simple one, and I think the deep dive talk actually covers that in detail.
I mentioned runtime plugins. So again, this is where you can use custom shims for other runtimes other than runc. Obviously the most common use case is VM-based runtimes like Kata or Firecracker, but it's also used by the Windows team to support calling out to their Windows shim to support Windows containers. The interesting thing is we actually have a client install command that works with images, so you could create a container image, put your runtime plug-in in that image as a single file, and you ctr install, get it installed into your containerd installation, and then begin using it. And I think Darren Shepherd from Rancher said this is an amazing feature, that now he can basically package his whole project, use containerd to install it and run it without creating any other packaging.
So again, the whole idea here was to have extensibility. So anything you need to do that containerd hasn't provided for you, these are all interfaces that you can implement yourself. I already mentioned the resolver interface. Say you have a special custom registry or some other way that you want to interact with container images. You can implement that. And then again, the server side also has the plug-in architecture where you can register and then have your own plugins and have direct access to the rest of the containerd services.
I mentioned I would come back around to adoption. Obviously, I think most of... Let's see what we haven't talked through. I mentioned both clouds. So GKE and IBM Cloud Kubernetes Service, both using containerd today. Docker obviously has been using containerd for a while. I think the important point here is that Docker has been using the runtime side of containerd for a number of years now, but the image... So you can think of the Docker code base having a set of features that now containerd has, and so there'll be a set of refactoring of the Docker code base, probably mostly this year, to start using more of containerd's services and removing that code from Docker. And so you'll see an increase of the use of containerd from the Docker engine going forward.
LinuxKit uses containerd as its runtime within the immutable images you build. I mentioned Rancher's Rio project from Darren Shepherd. We've talked about Kata and their shim, and Firecracker as well. Balena is a Moby project subset, so that's just the Docker engine side for IoT. Cloud Foundry has been using runc. So they basically wrote wrappers around the OCI runc for their container runtime, and now the Cloud Foundry Garden project is actually using containerd and moving from runc, which allows them to get rid of some of their code that was doing some of the image interactions and root file system creation. They can now leave that up to containerd. And then of course, if you've ever followed Kelsey Hightower's Kubernetes the Hard Way, that also uses containerd as the Kubernetes runtime.
A few other notes on integrations. We already talked about the CRI being part of the containerd project now. Yeah, so Derek actually put here that in 2019 Docker should switch to actually use the containerd image back. Again, it's been using the runtime side of containerd for a number of years already.
Who's heard of BuildKit? Just a few. So a very interesting open source project coming from Tõnis at Docker. Docker build has been a feature of the Docker engine for, obviously, forever, but BuildKit is basically that build concept separated out into its own project, and it's possible to use BuildKit standalone. It can drive runc and it can also drive containerd, and so very recent versions of Docker engine are now importing BuildKit, and it has a set of features that I don't have time to go into. Very high-performing and a lot of interesting use cases with BuildKit. And so again, that's an integration with containerd as well.
I mentioned Alibaba Cloud from China. We have maintainers and reviewers from Alibaba working on containerd, and they're using it very broadly within their cloud. You can look at their open source PouchContainer project for more detail on how they're using containerd. I mentioned Cloud Foundry, Kata, Firecracker, and then a few personal projects. Michael Crosby, one of our core maintainers, has a boss project which is a great example of how to drive containerd from another Go program, and then Evan Hazlett has something that's built around that called Stellar that does multi-node clustering using containerd.
At the beginning I talked a little bit about our CNCF maturity, that our security review was completed in December and that's now published, and I already talked about the proposal and that we expect that graduation review sometime this year.
So that's kind of a whirlwind tour through. I wanted to save a few minutes at the end. I think we still have... How much time do we have? One minute. Who has a very important question that will take one minute or less? Or did I answer all... Okay, we have, we've got one question up here in the middle. Stefan? Well, right here.
What about CRI-O that is developed also by Red Hat, and why do you compete with yourself?
That is not a question we can answer in one minute, but I'm happy to talk about that. Dongsu was in here earlier and mentioned CRI-O. My company happens to be purchasing Red Hat, so we're gonna figure that out this year, but yeah, there's many things that go into that. But yep. All right, I think we're totally out of time.