7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08

SecurityManagement Networking IntrospectionPerformance Utilization

7 characteristics of container-native infrastructure


container-native all the things


Public Cloud Triton Elastic Container Service. We run our customer’s mission critical applications on container native infrastructure

Private Cloud Triton Elastic Container Infrastructure is an on-premise, container run-time environment used by some of the world’s most recognizable brands


Public Cloud Triton Elastic Container Service. We run our customer’s mission critical applications on container native infrastructure

Private DataCenter Triton Elastic Container Infrastructure is an on-premise, container run-time environment used by some of the world’s most recognizable brands

it’s open source!fork me, pull me: https://github.com/joyent/sdc

https://github.com/joyent/sdc

The best place to run Docker

Portability From laptop to any public or private cloud

Great for DevOps Tools for management, deployment & scale

Productivity Faster code, test and deploy

backgroundsome

Infrastructure containers• We use them like VMs • They perform like bare metal • We can pack 3x more containers than VMs on a

single compute node • They require no changes in application architecture • First appeared in FreeBSD as jails in 1999-ish;

defined for Solaris in 2002; Linux implementation in progress (user namespaces mainlined in 2013)

• Joyent has been using them to power our public cloud for almost a decade

http://us-east.manta.joyent.com/jmc/public/opensolaris/ARChive/PSARC/2002/174/zones-design.spec.opensolaris.pdf












































































































































SmartOS container hypervisor• Forked from Open Solaris in 2010 • Part of the Illumos community • Open source • Includes the core compute, network, and storage

virtualization components: • Zones = truly secure containers • Crossbow = in-kernel network virtualization,

offers unique NIC(s) for each container • ZFS = fast and secure virtualized filesystems

Triton (was SmartDataCenter)• Open source, Mozilla licensed • Complete data center automation; including… • Automated boot and configuration of compute nodes • Multi-tenant management layer for compute, network,

and storage across N compute nodes • Turns an entire data center into a single, massive

container host • Customer-facing services, including Docker and CloudAPI

to support self-service provisioning and management • Bring your own application scheduling and orchestration

Like bare metal virtual machinesInfrastructure containers

Secure container hypervisorSmartOS

Container infrastructure automationTriton

but…

application containersand

differentare

Container spectrum

application containers

infrastructure containers

Container spectrum

infrastructure containersslimmed-down



Container spectrum



multi-process Docker containers


implementationare an opinionated

Docker container advantages• Convenient imaging toolchain • Easy sharing and re-use of images • Dockerfiles are machine+human readable documentation

for everything needed to build and run the application • Docker Compose yamls are machine+human readable

documentation for how to assemble a set of containers into a larger application

• Docker begs us to automate discovery and configuration • Docker allow us to imagine deployment and execution

as a single step

commoditizesDocker

the possibility of• immutable infrastructure • automated, testable, repeatable deploys • the kind of apps we all dream of

http://stackshare.io/500px/how-500px-serves-up-over-500tb-of-high-res-photos




it didn’torphotos

happen

it didn’torphotos

happen

it doesn’torrepo

work

it doesn’tor

work

public repo

withpublic repo

1. Dockerfile 2. docker-compose.yml 3. documentation, etc…

but…

https://twitter.com/philsturgeon/status/560974462091538432







































https://twitter.com/tjbyte/status/560984424037093377























containers in VMsdeploying

slows performance


adds complexity


slows scaling


wastes power


causes global warming


defeats the purpose

source

http://s1192.photobucket.com/user/girlfridaydb/media/drama/2013/school/school04/school04-00338.jpg.html

source


source


source


VMs cause complexity by…• Requiring pre provisioning and configuration before they can

host containers • Mixing VM and container life cycles • Reducing surface area for deployments, making pockets of

unused capacity inevitable • Reducing performance due to hardware virtualization • Adding layers to networking • Allowing room for us to turn them into pets • Requiring re-packing of containers when scaling down

but…

on bare metal Linuxcontainers

struggle withup-front costs


struggle withelasticity


struggle withdata center automation


struggle withmulti-tenant security

–Docker's Jérôme Petazzoni

http://www.slideshare.net/jpetazzo/is-it-safe-to-run-applications-in-linux-containers

http://stackoverflow.com/a/26304928

Bare metal Linux complexities• No data center automation • No security domain • No performance isolation • No elasticity…where do you scale to?

but…

there isanother way

mostinfrastructure

twoscenario

pick

two:• elasticity • security • performance

pick

bare metal{

two:• elasticity • security • performance

pick

hardware virtual

machine{

container-nativeinfrastructure

threescenario

pick

three:• elasticity • security • performance

pick

bare metal

containers{

how do yousecure it for

So…

bare metal?

Container anatomy

Applicationpackage

Runtimeenvironment

Container anatomy

Applicationpackage

Executiondriver

}Dock

er

Container anatomy

Applicationpackage

LXC }Dock

er

Container anatomy

Applicationpackage

libcontainer }Dock

er

Container anatomy

Applicationpackage

rkt }Core

OS

Container anatomy

Applicationpackage

runC }O

pen

Cont

ainer

Fou

ndat

ion

Container anatomy

Applicationpackage

SmartOSZone

}Dock

er o

n Tri

ton

can i run myLinux images

So…

on Triton?

yes!

https://insights.ubuntu.com/2015/06/18/certified-ubuntu-images-now-optimized-for-joyent-triton-containers/


























































































































































so…

promised youa list

i

the unit of computeis a container

1:

you provisioncontainers

2:

the containers runon bare metal

3:

the kernel offersreal security4:

no escapeno incursion

that means

the containers are protectedfrom noisy neighbors

5:

48 cores of bare metalif a single container can

dominate them all?

what’s the point of

every container getsa VNIC

6:


6:

(or two)


6:

(or more)

well-connected containeris a happy container

because a

You pay forcontainers

7:

You pay forcontainers

7:

(not VMs)

science fictionthis is not

availablenow

this is

The best place to run containers. Making Ops simple and scalable.


Demotime

Container-native everythingApplication architecture • Design for automated discovery and configuration Workflow • Embrace containerization in every step, from dev to deploy Infrastructure • Automates the infrastructure from the silicon to the container • Enforces a single lifecycle: the container • Eliminates pet VMs and servers • Makes provisioning and execution a single step • Delivers the promise of containers: automatable, testable,

repeatable deploys


thank you

The 7 characteristics of container-native infrastructure1. The unit of compute is a container, not a VM 2. You provision containers, not VMs 3. The containers run on bare metal 4. The containers are multi-tenant bare metal secure 5. Every container gets its share 6. Every container gets one or more VNICs 7. You pay for containers, not VMs

Technology

7 characteristics of container-native infrastructure, Docker Zurich 2015-09-08