The Open Container Initiative

developerWorks Open Tech Talk

July 13, 2016

https://developer.ibm.com/open/videos/open-con

tainer-initiative-at-12-months/

The OCI at 12 Months

https://opencontainers.org

Jeff Borek Rob DolinMichael Crosby Mrunal PatelMichael Dolan

Brief Introductions

• Michael Dolan (@mdolan)– Linux Foundation

• Jeff Borek (@JeffBorek)– OCI TB Certification WG Co-Chair

• Michael Crosby (@CrosbyMichael)– OCI Runtime spec Lead Maintainer

• Rob Dolin (@RobDolin)– OCI TB Certification WG Co-Chair

• Mrunal Patel (@MrunalP)– OCI Runtime spec Maintainer

Agenda

• Panel (15 minutes)

– Introduction

– What is the OCI and Open Governance

– OCI at 12 Months

– OCI Release Process

– OCI Certification Process

– Getting Involved with the OCI community

• Demo: OCI Tools and Runc (10 minutes)

• Q&A (15 minutes)

What is the Open Container Initiative (OCI)

An open source community (hosted by the Linux Foundation) for building avendor-neutral, portable and open specification/runtime that delivers on thepromise of containers as a source of application portability backed by acertification program.

OCI Membership (46 organizations as of May 2016)

OCI Governance Structure

• Trademark Board (TB)– The Trademark Board shall be composed of one representative

appointed by each OCI Member; responsible for trademarks, certification,budget

• Technical Development Community (TDC)– open to any individual or any open source contributor

• Technical Oversight Board (TOB)– responsible for managing conflicts, violations of procedures or guidelines

and any cross-project or high-level issues that cannot be resolved in theTDC for OCI Projects. The TOB shall also be responsible for adding,removing or re-organizing OCI Projects.

OCI Release Process

• https://github.com/opencontainers/tob/pull/15 (draft)

• “Major specification releases MUST release at least three release candidatesspaced a minimum of one week apart. This means a major release like av1.0.0 or v2.0.0 release will take 1 month at minimum: one week for rc1, oneweek for rc2, one week for rc3, and one week for the major release itself.Maintainers SHOULD strive to make zero breaking changes during this cycleof release candidates and SHOULD add restart the three-candidate countwhen a breaking change is introduced. For example if a breaking change isintroduced in v1.0.0-rc2 then the series would end with v1.0.0-rc4 andv1.0.0.”

• runtime-spec– a specification for the creation and lifecycle of a container– https://github.com/opencontainers/runtime-spec

• image-spec– a software shipping container image format spec with security

and naming as components– https://github.com/opencontainers/image-spec

What is the current state of the OCI specifications?

What is the current state of the OCI specifications?

• Runtime spec: https://github.com/opencontainers/runtime-spec/releases– v1.0.0-rc1 (June 5th 2016)– v0.5.0 (April 12th 2016)– v0.4.0 (Mar 10th 2016)– v0.3.0 (Feb 5th 2016)– v0.2.0 (Jan 12th 2016)– v0.1.0 (Sep 11th 2015)

• Image spec: https://github.com/opencontainers/image-spec/releases– v0.3.0 (Jun X 2016)– v0.2.0 (May 31st 2016)– v0.1.0 (May 6th 2016)

What open source code is available?

OCI Runtime reference implementation:runc: https://github.com/opencontainers/runc

OCI Tools: https://github.com/opencontainers/ocitools

• The Certification Program WG is a committee of the OCI Trademark Boardworking to propose a set of criteria for implementations to meet if they wantto use OCI trademarks (Open Container Initiative, OCI Certified, etc.)

• Implementers whose implementations meet the bar of OCI certificationcan use OCI trademarks in marketing their solution

• Users/customers can look for OCI Certified implementations to know thatthey are getting interoperable solutions

• Implementers who want to build solutions can leverage/target OCIinteroperability surfaces rather than having to build for multiple, inconsistentinteroperability surfaces

What does the certification working group do andwhat value can a certification program bring?

What are key factors for establishing a certificationprogram for container technology?

Questions being considered by the OCI Cert WG:• Implementations:

– Runtime spec– Image format spec– Both

• Levels of compliance:– MUST/REQUIRED == Compliant– MUST/REQUIRED + SHOULD/RECOMMENDED == Unconditionally compliant

• Testing:– Automation vs. manual: Can we fully automate?– Lab vs. peer vs. self: What optimizes cost and compliance

Demo: OCI Tools

[root@dhcp-16-129 ~]# mkdir gopath[root@dhcp-16-129 ~]# export GOPATH=~/gopath[root@dhcp-16-129 ~]# go get github.com/opencontainers/ocitools[root@dhcp-16-129 ~]# cd $GOPATH/src/github.com/opencontainers/ocitools[root@dhcp-16-129 ocitools]# makego build -tags "" -o ocitools .go build -tags "" -o runtimetest ./cmd/runtimetest[root@dhcp-16-129 ocitools]# make install[root@dhcp-16-129 ocitools]# ./test_runtime.sh -l debug-----------------------------------------------------------------------------------VALIDATING RUNTIME: runc-----------------------------------------------------------------------------------time="2016-06-10T21:50:02Z" level=debug msg="validating root filesystem"time="2016-06-10T21:50:02Z" level=debug msg="validating container process"time="2016-06-10T21:50:02Z" level=debug msg="validating capabilities"time="2016-06-10T21:50:02Z" level=debug msg="validating hostname"time="2016-06-10T21:50:02Z" level=debug msg="validating rlimits"time="2016-06-10T21:50:02Z" level=debug msg="validating sysctls"time="2016-06-10T21:50:02Z" level=debug msg="validating maskedPaths"time="2016-06-10T21:50:02Z" level=debug msg="validating readonlyPaths"time="2016-06-10T21:50:02Z" level=debug msg="validating mounts exist"Runtime runc passed validation

Demo: runc

https://github.com/opencontainers/runc

Get involved with the OCI community!

•Join the technical community and projects!– Weekly technical meetings open to all

• https://github.com/opencontainers/specs#weekly-call

– IRC: #opencontainers at irc.freenode.net– GitHub

• https://github.com/opencontainers/runtime-spec• https://github.com/opencontainers/image-spec• https://github.com/opencontainers/ocitools

– Mailing list: dev@opencontainers.org– Roadmap (milestones)

• https://github.com/opencontainers/runtime-spec/milestones• https://github.com/opencontainers/image-spec/milestones

•Consider joining and what role you would like to play in the initiative– https://opencontainers.org/join

Open Q&A

https://opencontainers.org