containerd update
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Alternativer Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 561 | |
| Autor | ||
| Lizenz | CC-Namensnennung 2.0 Belgien: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/44120 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
FOSDEM 2019208 / 561
1
9
10
15
18
19
23
24
27
29
31
33
34
35
38
39
40
43
47
49
52
53
54
55
58
59
60
63
65
67
69
70
78
80
82
87
93
95
97
102
103
104
107
110
111
114
116
118
120
122
123
126
127
131
133
136
137
139
141
142
148
153
155
157
159
163
164
168
169
170
171
172
173
174
181
183
185
187
188
193
196
197
198
199
200
201
205
207
208
209
211
213
214
218
221
223
224
226
230
232
234
235
236
244
248
250
251
252
253
255
256
257
262
263
264
268
269
271
274
275
276
278
280
281
283
284
288
289
290
293
294
296
297
300
301
304
309
311
312
313
314
315
317
318
321
322
327
332
333
334
335
336
337
338
339
340
343
345
346
352
353
355
356
357
359
360
362
369
370
373
374
375
376
377
378
383
384
387
388
389
390
391
393
394
395
396
406
408
409
412
413
414
415
419
420
425
426
431
432
433
434
435
436
438
439
440
441
445
446
447
448
453
455
457
459
466
467
471
473
474
475
476
479
480
484
485
486
489
491
492
496
499
500
502
505
507
508
512
515
517
518
529
531
533
534
535
536
539
540
546
550
551
552
553
554
555
557
558
559
560
561
00:00
MultiplikationsoperatorComputerarchitekturAnalytische FortsetzungBitComputeranimation
00:58
ClientSpeicherabzugSchlüsselverwaltungKomponente <Software>PunktwolkeKlasse <Mathematik>Gebäude <Mathematik>SchlüsselverwaltungSoftwarewartungQuick-SortStabilitätstheorie <Logik>Gemeinsamer SpeicherZahlenbereichDatenfeldLaufzeitfehlerMAPProjektive EbeneSpeicherabzugMailing-ListeCMM <Software Engineering>ComputersicherheitMultiplikationsoperatorGraphInformationStatistikWeb SiteKraftInhalt <Mathematik>ClientComputerspielPunktBitFlächeninhaltFokalpunktTwitter <Softwareplattform>TouchscreenSchnittmengeGüte der AnpassungRechenschieberMomentenproblemVerschlingungProdukt <Mathematik>CodeDirekte numerische SimulationBasis <Mathematik>Computeranimation
05:17
Stabilitätstheorie <Logik>Projektive EbeneGruppenoperationInterface <Schaltung>Plug inRepository <Informatik>LaufzeitfehlerSoftwarewartungImplementierungMultiplikationsoperatorSpeicherabzugComputerarchitekturFlussdiagramm
06:40
PunktwolkeComputerarchitekturLaufzeitfehlerCodeProjektive EbeneVerkehrsinformationMinkowski-MetrikRepository <Informatik>VorgehensmodellComputersicherheitCASE <Informatik>Web SiteIntegralCluster <Rechnernetz>Quick-SortTrennschärfe <Statistik>Programm/Quellcode
08:35
ClientMetrisches SystemLaufzeitfehlerPlug inArchitektur <Informatik>Dienst <Informatik>Interface <Schaltung>SystemplattformTaskInhalt <Mathematik>GammafunktionLokales MinimumIRIS-TLaufzeitfehlerNamensraumGraphDienst <Informatik>DateiverwaltungComputerarchitekturFlächeninhaltInterface <Schaltung>MetadatenFokalpunktTreiber <Programm>Bildgebendes VerfahrenIntegralBildschirmfensterImplementierungSchnittmengeRechenschieberOverlay-NetzFeasibility-StudieVirtualisierungHolographischer SpeicherDatenverwaltungFlussdiagramm
10:19
ClientPlastikkarteProgrammbibliothekInterface <Schaltung>KonfigurationsraumGerichtete MengeKomponente <Software>EreignishorizontTaskAdressraumMetrisches SystemVorgehensmodellLaufzeitfehlerPlug inOverlay-NetzBinärdatenProjektive EbeneClientLaufzeitfehlerEinfache GenauigkeitPlug inKonfigurationsraumInstallation <Informatik>Elektronische PublikationDokumentenserverOverlay-NetzMereologieIntelligentes NetzStandardabweichungDienst <Informatik>Metrisches SystemUmwandlungsenthalpieKomponente <Software>DistributionenraumTypentheorieEnterprise-Resource-PlanningBildgebendes VerfahrenFlächeninhaltRechenschieberFaserbündelDefaultProgrammbibliothekSoftwarewartungKonfigurationsdatenbankNichtlinearer OperatorCASE <Informatik>BildschirmfensterCodeHorizontaleFokalpunktVersionsverwaltungCodierung <Programmierung>SocketFlussdiagramm
14:44
VorgehensmodellPlastikkarteClientPlug inServerArchitektur <Informatik>Interface <Schaltung>Dienst <Informatik>Gerichtete MengeServerResolventePlug inInterface <Schaltung>Bildgebendes VerfahrenComputerarchitekturKonfigurationsdatenbankDienst <Informatik>Computeranimation
15:22
PunktwolkeLaufzeitfehlerNP-hartes ProblemProjektive EbeneLaufzeitfehlerInteraktives FernsehenWrapper <Programmierung>CodeWurzel <Mathematik>Bildgebendes VerfahrenZahlenbereichPunktPunktwolkeDateiverwaltungSchnittmengeSoftware Development KitDienst <Informatik>TeilmengeInternet der DingeRefactoringMobiles InternetComputeranimation
17:21
ATMComputersicherheitExplosion <Stochastik>Gebäude <Mathematik>CMM <Software Engineering>LaufzeitfehlerPlug inDienst <Informatik>ClientInterface <Schaltung>SpezialrechnerLokales MinimumSoftwarewartungLaufzeitfehlerBenutzerschnittstellenverwaltungssystemProjektive EbeneMultiplikationsoperatorCASE <Informatik>ProgrammierungOpen SourceIntegralPunktwolkeBildgebendes VerfahrenCMM <Software Engineering>Cluster <Rechnernetz>MereologieBitComputersicherheitZahlenbereichSchnittmengeVersionsverwaltungSpeicherabzugAffiner RaumSoftware Development KitMultiplikationProgramm/Quellcode
19:41
MultiplikationsoperatorFigurierte ZahlRechter WinkelComputeranimation
20:55
PunktwolkeComputeranimation
Transkript: Englisch(automatisch erzeugt)
00:05
All right next up we've got Phyllis that's gonna give us an update on container D All right, good to see everybody who's heard of container D
00:25
Alright, so I'm not going to spend a whole lot of time on Deep dive of the architecture. There's lots of great talks on that that you can find Most recently kubecon Seattle we did both an intro and a deep dive Where we had more time but in 20 minutes, I'm just going to kind of give you an update on the past year
00:45
I spoke in this room last year container D was a bit younger than we had just Reached our 1.0 a few months before that so I'm going to kind of start there and and let you know What's happened in the past year? A little bit of overview. I just threw a few slides in here from our
01:05
Graduation proposal to the CNCF just because it happened to be a good collection of information So sounds like again most of you have heard of container D again the reason it sort of came to life related to this idea of
01:23
Just a contentions around what Docker was becoming Kubernetes gaining popularity and an outcry of hey We just want a boring container runtime that can be this sort of level playing field on which Docker can build its its Projects and products the kubernetes community can have this sort of core container runtime that moves at a slower pace
01:46
And has well supported releases. So that was kind of the basis on which container D came to life And really the key tenants are that we focused on since we created the project is Reliability and stability so strong guarantees about the API about its life
02:05
you know EOL dates how long things are supported a Very clear and stable client API and so I think up on the screen those tweets are way too small to read I'll post all this online After the talk, but these are people saying hey the API is great
02:22
It's so easy to build on top of container D And we'll look at how that's grown in the past year to not just being used by Docker and kubernetes But others are finding that API attractive and using container D as a runtime in their own personal projects or even larger projects And then performance again is another key focus area that we've had
02:44
The community has grown quite a bit in the past year This graph again way too small for you to take too many meaningful things from it Although it's straight from the CNCF dashboard. So at any time you can go to the dev stats
03:00
Website on the CNCF and dig into any project and all the statistics We can see at some point when we join CNCF It's interesting to note a broad array of new contributors showed up and a lot more activity across a lot more companies We currently have 12 maintainers representing eight different companies and we also have a class of
03:23
Project maintainers we call reviewers who can LGTM and that even adds more companies who are involved in the building of container D Again I just mentioned the usage again that initial Kind of proposal for container D was let's have this stable boring container runtime that Docker can build on that kubernetes can build on
03:46
But since then we've definitely seen a huge increase in the number of adopters of Projects that are using container D and I'll come around toward the end of the talk and talk about a few of these
04:01
And show this list again as I mentioned those slides we just looked at came from the graduation proposal the CNCF has levels of maturity and Kubernetes has graduated and a few others core core DNS, I believe
04:21
You can find that on the CNCF website, but at the moment we Proposed to graduate last November. I think is when we open this PR You can read there again. The URL is at the top and I'll post this Set of slides as well so you can follow through to the links
04:42
Effectively We presented this to the CNCF late in the year Then there was kubecon and a TOC election. So we're just now getting back on the docket to to graduate That may or may not be important to some of you, but at least this document
05:01
collects up the requirements for graduation and you can see some things that we've done in the last year to approach Project health maturity of the codebase security audit all those things are referenced in here and maybe of interest To some of you. I'll skip this first one because that's history prior to last FOSDEM
05:23
This picks up here. We had just done 1.0 Late 2017. So last year at FOSDEM we were a few months into that and then a few months after FOSDEM We released our 1.1 release That's around the time that the CRI implementation so again the plug-in that implements the kubernetes CRI interface
05:46
Was a separate project and I think I may have said in the containers dev room last year that the CRI project was going to merge into our same github repo that did happen and now the CRI and
06:01
Containerd core itself are developed by the same group of people The maintainers for the CRI plug-in are also maintainers in containerd and vice-versa. So we've been working together now for just about a year and Then containerd 1.2 was released in October again, just about three months ago
06:23
the runtime shim API Stabilized and that's now being used by cata and firecracker as was mentioned in a prior talk here today Again, we've continued to focus on stability and also extensibility which we'll look at in the architecture
06:43
So I don't remember where we were a year ago with both IBM cloud and and Google's Google clouds managed kubernetes offering but now both of us both IBM cloud and GKE have adopted containerd as the runtime underneath our kubernetes offerings
07:02
and so again, you can go to GKE and Start to create a cluster and you can select containerd as the runtime For IBM cloud if you create kubernetes 1.12 or now 1.13 clusters You automatically get containerd as a runtime. I
07:22
Just mentioned for graduation the security audit. So the CNCF pays for a third-party Security company to do audits of your code base and your project and So that work completed in December and so that's now published on our github repo and on our website
07:43
And that's actually a really well done report on the code quality and security posture of containerd And I already talked about the graduation criteria The interesting thing That I wanted to mention that I that I said earlier is that we're seeing use cases not just in these sort of traditional Docker and
08:05
Kubernetes Models, but we're in discussions with CERN about use of containerd in the HPC space And we'll see why that may be interesting when we look at the plug-in model that we've matured in the last year You've already heard about firecracker if you were in the room earlier
08:22
That rust based VMM has an integration with containerd as well and again a lot of that coming out of Focusing on a pluggable design and having a clean usage API So this is The architecture I'm gonna again. I'm not doing a deep dive here today in 20 minutes because I really couldn't
08:46
Do that in a feasible way, but we'll look at some highlights and like I said, it's Very easy to go out to YouTube and find the talks from kubecon Seattle the deep dive talk especially digging into the architecture
09:01
But effectively there's a set of gRPC services that are organized around containers images and namespaces and the metadata around that And that those services sit over top of a runtime manager, which gives us the plug ability to not just use run C
09:20
But run HCS so we have full Windows support now That Microsoft has provided through their OCI implementation Cata containers has a shim again. You can actually with the Cata integration a firecracker You can use their shim to either drive their QMU KVM based Lightweight virtualization or you can now use it after the PR merged in December
09:46
to drive Firecracker from the Cata shim and again, that's pluggable and other shims can show up there as well and then snapshotters are the Interface to file systems like overlay. So traditionally in Docker you think of graph drivers
10:04
Snapshotters are a simpler interface that can also be extended and that's where CERN is interested in having a snapshotter that understands their Highly distributed file system So focus on a few few areas here the next few slides
10:23
The go API that I talked about the client library Is being used by Docker of course by our CTR tool our client tool by Alibaba's pouch container project And other projects as well
10:40
This is the area where you know, people have been very happy with the design Of this API it's clean. It's easy to use and it simply operates around the OCI specifications, so give me an OCI config and a bundle and Containerd can create and start containers. It also handles push-pull so it obviously can talk to registries
11:04
And actually is extensible if you want to do more interesting things than the standard Docker v2 and which is now becoming the OCI distribution spec Again that sits over top of the actual gRPC API if you wanted to use a specific service of containerd
11:24
Without using containerd as a whole Then you can go straight to the gRPC API and have low-level access to components There's some interesting projects we highlight that people have built just using the services themselves
11:40
It also has built-in metrics support exposed through Prometheus you can turn that on in your config And then I mentioned the CRI plug-in so this is obviously how Kubernetes support is provided through containerd The plug-in now obviously uses that same go client
12:01
So it's the CRI plug-in is written in go and becomes a client of containerd to handle the CRI API calls And in fact uses the same listener Unix socket so kubelet talks to the CRI Says create me a sandbox create me a container and the CRI plug-in obviously uses the containerd
12:23
Go API to to actually do that work in containerd So CRI is just one of many plugins again the the Design is pluggable CRI is one type of plug-in It's built in by default
12:41
So if you download a containerd release you automatically have the CRI plug-in and part of that is why we merge the repositories Snapshodder plugins like I said there's going to be built-ins like overlay, butterfs, aufs But now we actually in version 1.2 of containerd we support custom plugins and so you can actually have
13:03
Your own Snapshodder your own custom file system. This is what we're working on with CERN And this allows you to to basically not even build yourself into the containerd codebase to have containerd call your plug-in to do the Snapshodder operations
13:22
And I believe we actually have an example of that in the code base So if you want to see what it looks like to use an external Snapshodder Derek McGowan one of our maintainers actually wrote a simple one and I think the deep dive talk actually covers that in detail. I mentioned runtime plugins. So again, this is where you can
13:44
use custom shims for other runtimes other than run C Obviously the most common use case is VM based runtimes like Cata or firecracker But it's also used by the Windows team to support calling out to their windows shim
14:04
to support Windows containers The interesting thing is we actually have a client install command that works with images so you could create a container image Put your runtime plug-in In that image is a single file and you CTR install get it installed into your containerd
14:26
Installation and then begin using it and I think Darren Shepherd from rancher said this is an amazing feature that now he can basically package his whole project Use containerd to install it and run it without creating any other packaging
14:45
So again, the whole idea here was to have extensibility So anything you need to do that containerd hasn't provided for you These are all interfaces that you can implement yourself. I already mentioned the resolver interface
15:00
Say you have a special custom registry or some other way that you want to interact with container images. You can implement that And then again the server side also has the plug-in Architecture where you can register and then have your own plugins and have direct access to the rest of the containerd services
15:23
I mentioned I would come back around to adoption Obviously, I think most of Let's see what we haven't talked through. I mentioned both clouds. So GKE and IBM cloud kubernetes service both using containerd
15:42
today Docker obviously has been using containerd for a while. I think the important point here is that Docker has been using the runtime side of containerd for a number of years now but the image So you can think of the docker code base having a set of features that now containerd has and so there'll be a set
16:01
of refactoring of the docker code base Probably mostly this year to start using more of containerd services and removing that code from docker And so you'll see an increase of the use of containerd From the docker engine going forward Linux kit uses containerd as its runtime within the immutable images you build
16:25
I mentioned rancher's rio project from Darren Shepard We've talked about cata and their shim and firecracker as well Balina is a moby project Subset so that's just the the docker engine side for iot
16:44
Cloud foundry has been using run C So they they basically wrote wrappers around the OCI run C for their container runtime And now the cloud foundry Garden project is actually using containerd and moving from run C
17:00
Which allows them to get rid of some of their code that was doing some of the image interactions and root file system Creation they can now leave that up to containerd And then of course if you've ever followed Kelsey Hightower's Kubernetes the hard way that also uses containerd as the Kubernetes runtime
17:22
a few other notes on integrations We already talked about the CRI being part of the containerd project now Yeah, so Derek actually put here that in 2019 docker should switch to actually use the containerd image back
17:40
Again, it's been using the runtime side of containerd for a number of years already Who's heard of buildkit? Just a few so a very interesting open source project Coming from Taunus at Docker Docker build has been a feature of
18:01
The docker engine for for obviously forever But buildkit is basically that build concept Separated out into its own project and it's possible to use buildkit standalone. It can drive run C and it can also drive containerd and so
18:21
Very recent versions of docker engine are now importing buildkit and it has a set of features that I don't have time to go into Very high-performing and a lot of interesting use cases with buildkit And so again, that's a that's an integration with containerd as well I mentioned Alibaba cloud from China
18:41
We have maintainers and reviewers From Alibaba working on containerd and they're using it very broadly within their cloud You can look at their open source pouch container project For more detail on how they're using containerd I mentioned cloud foundry, cata, firecracker and then a few personal projects Michael Crosby
19:02
One of our core maintainers has a boss project which is a great example of how to drive containerd From another go program and then Evan Hazlett has something that built around that called stellar that does multi-node clustering using containerd
19:20
At the beginning I talked a little bit about our CNCF maturity That our security review Was completed in December and that's now published and I already talked about the proposal and That we expect that graduation review sometime this year
19:41
So that's kind of a whirlwind tour through I wanted to save a few minutes at the end, I think I think we still have How much time do we have? One minute who has a very important question that will take one minute or less Or did I answer all okay, we have
20:02
We've got one question up here in the middle Stefan. Well right here What's about Creo that is developed also by Red Hat and why do you compete with yourself? That is not a question we can answer in one minute
20:22
But I'm happy to talk about that Dongsu was in here earlier and mentioned Creo My company happens to be purchasing Red Hat. So we're gonna figure that out this year but yeah, I There's many things that go into that. But yep. All right. I think we're totally out of time