The OCI at 12 Months

https://opencontainers.org

Chris Aniszczyk Rob DolinJeff Borek Mrunal PatelMichael Crosby

Brief Introductions

• Chris Aniszczyk (@cra)– Linux Foundation

• Jeff Borek (@jeffborek)– OCI TB Certification WG Co-Chair

• Michael Crosby (@crosbymichael)– OCI Runtime spec Lead Maintainer

• Rob Dolin (@robdolin)– OCI TB Certification WG Co-Chair

• Mrunal Patel (@mrunalp)– OCI Runtime spec Maintainer

Agenda

• Panel (15 minutes)– Introduction– What is the OCI and Open Governance– OCI at 12 Months– OCI Release Process– OCI Certification Process– Getting Involved with the OCI community

• Demo: OCI Tools and Runc (10 minutes)• Q&A (15 minutes)

What is the Open Container Initiative (OCI)

An open source community (hosted by the Linux Foundation) for building a vendor-neutral, portable and open specification/runtime that delivers on the promise of containers as a source of application portability backed by a certification program.

OCI Membership (46 organizations as of May 2016)

OCI Governance Structure

• Trademark Board (TB)– The Trademark Board shall be composed of one representative appointed

by each OCI Member; responsible for trademarks, certification, budget

• Technical Development Community (TDC)– open to any individual or any open source contributor

• Technical Oversight Board (TOB)– responsible for managing conflicts, violations of procedures or guidelines

and any cross-project or high-level issues that cannot be resolved in the TDC for OCI Projects. The TOB shall also be responsible for adding, removing or re-organizing OCI Projects.

OCI Release Process

• https://github.com/opencontainers/tob/pull/15 (draft)

• “Major specification releases MUST release at least three release candidates spaced a minimum of one week apart. This means a major release like a v1.0.0 or v2.0.0 release will take 1 month at minimum: one week for rc1, one week for rc2, one week for rc3, and one week for the major release itself. Maintainers SHOULD strive to make zero breaking changes during this cycle of release candidates and SHOULD add restart the three-candidate count when a breaking change is introduced. For example if a breaking change is introduced in v1.0.0-rc2 then the series would end with v1.0.0-rc4 and v1.0.0.”

• runtime-spec– a specification for the creation and lifecycle of a container– https://github.com/opencontainers/runtime-spec

• image-spec– a software shipping container image format spec with security

and naming as components– https://github.com/opencontainers/image-spec

What is the current state of the OCI specifications?

What is the current state of the OCI specifications?

• Runtime spec: https://github.com/opencontainers/runtime-spec/releases– v1.0.0-rc1 (June 5th 2016)– v0.5.0 (April 12th 2016)– v0.4.0 (Mar 10th 2016)– v0.3.0 (Feb 5th 2016)– v0.2.0 (Jan 12th 2016)– v0.1.0 (Sep 11th 2015)

• Image spec: https://github.com/opencontainers/image-spec/releases– v0.3.0 (Jun X 2016)– v0.2.0 (May 31st 2016)– v0.1.0 (May 6th 2016)

What open source code is available?

OCI Runtime reference implementation: runc: https://github.com/opencontainers/runc

OCI Tools: https://github.com/opencontainers/ocitools

• The Certification Program WG is a committee of the OCI Trademark Board working to propose a set of criteria for implementations to meet if they want to use OCI trademarks (Open Container Initiative, OCI Certified, etc.)

• Implementers whose implementations meet the bar of OCI certification can use OCI trademarks in marketing their solution

• Users/customers can look for OCI Certified implementations to know that they are getting interoperable solutions

• Implementers who want to build solutions can leverage/target OCI interoperability surfaces rather than having to build for multiple, inconsistent interoperability surfaces

What does the certification working group do and what value can a certification program bring?

What are key factors for establishing a certification program for container technology?

Questions being considered by the OCI Cert WG:● Implementations:

○ Runtime spec○ Image format spec○ Both

● Levels of compliance: ○ MUST/REQUIRED == Compliant○ MUST/REQUIRED + SHOULD/RECOMMENDED == Unconditionally compliant

● Testing:○ Automation vs. manual: Can we fully automate?○ Lab vs. peer vs. self: What optimizes cost and compliance

Demo: OCI Tools

[root@dhcp-16-129 ~]# mkdir gopath[root@dhcp-16-129 ~]# export GOPATH=~/gopath[root@dhcp-16-129 ~]# go get github.com/opencontainers/ocitools[root@dhcp-16-129 ~]# cd $GOPATH/src/github.com/opencontainers/ocitools[root@dhcp-16-129 ocitools]# makego build -tags "" -o ocitools .go build -tags "" -o runtimetest ./cmd/runtimetest[root@dhcp-16-129 ocitools]# make install[root@dhcp-16-129 ocitools]# ./test_runtime.sh -l debug-----------------------------------------------------------------------------------VALIDATING RUNTIME: runc-----------------------------------------------------------------------------------time="2016-06-10T21:50:02Z" level=debug msg="validating root filesystem"time="2016-06-10T21:50:02Z" level=debug msg="validating container process"time="2016-06-10T21:50:02Z" level=debug msg="validating capabilities"time="2016-06-10T21:50:02Z" level=debug msg="validating hostname"time="2016-06-10T21:50:02Z" level=debug msg="validating rlimits"time="2016-06-10T21:50:02Z" level=debug msg="validating sysctls"time="2016-06-10T21:50:02Z" level=debug msg="validating maskedPaths"time="2016-06-10T21:50:02Z" level=debug msg="validating readonlyPaths"time="2016-06-10T21:50:02Z" level=debug msg="validating mounts exist"Runtime runc passed validation

Demo: runc

https://github.com/opencontainers/runc

Get involved with the OCI community!

● Join the technical community and projects!○ Weekly technical meetings open to all

■ https://github.com/opencontainers/specs#weekly-call○ IRC: #opencontainers at irc.freenode.net○ GitHub

■ https://github.com/opencontainers/runtime-spec■ https://github.com/opencontainers/image-spec■ https://github.com/opencontainers/ocitools

○ Mailing list: dev@opencontainers.org○ Roadmap (milestones)

■ https://github.com/opencontainers/runtime-spec/milestones■ https://github.com/opencontainers/image-spec/milestones

● Consider joining and what role you would like to play in the initiative○ https://opencontainers.org/join

Open Q&A

https://opencontainers.org