Kernel Developer
Chair of Linux Foundation TAB
@jejb_ and #OpenStack for twitter
1999 SWSoft Virtuozzo Containers
2004 Became Parallels
2005 Open Source version: OpenVZ
Concentrates on Service Providers
Also do Containers for Windows
↑
|
|
|
Gigabytes
|
|
|
↓
↑
Megabytes
↓
Just the lightness of containers makes them far more dense and elastic
But there's more: containers can be scaled instantly up or down (instant vertical scaling)
Small size makes them easily transferrable to other systems (instant horizontal scaling)
None of this messy hypervisor junk like booting a kernel or doing balloon inflation
All of this makes containers much more elastic than hypervisors (i.e. much better for the cloud) simply because there's far less junk to move around
However, it is often argued that since the application is the same, anything you can do with a hypervisor, you can do with a container.
2005 Open Source Virtuozzo (OpenVZ)
2006 Process Containers (CGroups)
2007 use cgroups to containerise search
2008 LXC version 0.1.0 released
2011 Container Unification agreement on fringes of Kernel Summit
Saw the disaster that resulted with KVM and Xen
Agreed there would be one container technology in Linux
And it would be the best from all of us
So work began on Container Unification at the Kernel API level
CGroups and Namespaces now agreed API
2013 First Linux Kernel Supporting OpenVZ with no patches (3.12) released
Control resources allocated to groups of processes
Buckets are: CPU, Memory, I/O Bandwidth, network, device ...
Network, UTS (hostname), Mount, IPC, Process ID, User
Containers can use all of these or any combination
The less you use, the lighter weight your container is
Parallels/Virtuozzo always had secure containers
Hostile root is a requirement for VPS Containers
Achieved with root capability for non-root user
Security contexts nice to have but don't provide enough security for hostile roots
Root in the container is still root in the host
As Part of agreement in Prague, User Namespaces became the container security mechanism
2014 Distributions begin enabling user namespaces
Design systems specifically to take advantage of containers
Docker is not Containers, docker is an application which uses containers.
Want to encourage more applications which use containers
Most obvious application use is tenancy
Tenancy is a big problem for cloud applications
Most applications are specially written to be multi-tenant
However, you can take a single non-multitenant application
Give it a mount namespace with a private data store and a net namespace for a new IP address
fork n times with different namespaces for each fork
gives instant multi-tenant application
And one which will scale across nodes with container migration.