Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

For the best experience please use the latest Chrome, Safari or Firefox browser.

The Future of Containers in Linux and OpenStack


James Bottomley
CTO of Server Virtualization
About Me

 

Kernel Developer

  • SCSI Subsystem Maintainer
  • PA-RISC architecture Maintainer

Chair of Linux Foundation TAB

 

Social Media
Luddite

 

 

 

 

 

 

@jejb_ and #OpenStack for twitter

About Parallels

 

1999 SWSoft Virtuozzo Containers

2004 Became Parallels

2005 Open Source version: OpenVZ

Concentrates on Service Providers

Also do Containers for Windows

Hypervisors are based on Emulating Virtual Hardware
Containers are based on Shared Operating Systems

|

|

|

Gigabytes

|

|

|

Megabytes

Just the lightness of containers makes them far more dense and elastic

But there's more: containers can be scaled instantly up or down (instant vertical scaling)

Small size makes them easily transferrable to other systems (instant horizontal scaling)

None of this messy hypervisor junk like booting a kernel or doing balloon inflation

All of this makes containers much more elastic than hypervisors (i.e. much better for the cloud) simply because there's far less junk to move around

However, it is often argued that since the application is the same, anything you can do with a hypervisor, you can do with a container.

Turing
Paradigm
Thinking in the wrong paradigm can make some problems seem insurmountable
Containers in Linux

2005 Open Source Virtuozzo (OpenVZ)

2006 Process Containers (CGroups)

2007 use cgroups to containerise search

2008 LXC version 0.1.0 released

2011 Container Unification agreement on fringes of Kernel Summit

Saw the disaster that resulted with KVM and Xen

Agreed there would be one container technology in Linux

And it would be the best from all of us

So work began on Container Unification at the Kernel API level

CGroups and Namespaces now agreed API

2013 First Linux Kernel Supporting OpenVZ with no patches (3.12) released

CGroups

Control resources allocated to groups of processes

Buckets are: CPU, Memory, I/O Bandwidth, network, device ...

Namespaces
Separate resources to make them visible only to processes within the Namespace

Network, UTS (hostname), Mount, IPC, Process ID, User

Containers can use all of these or any combination

The less you use, the lighter weight your container is

Container Security

Parallels/Virtuozzo always had secure containers

Hostile root is a requirement for VPS Containers

Achieved with root capability for non-root user

Security contexts nice to have but don't provide enough security for hostile roots

Root in the container is still root in the host

As Part of agreement in Prague, User Namespaces became the container security mechanism

2014 Distributions begin enabling user namespaces

Containers as the new Paradigm

Design systems specifically to take advantage of containers

uses containers to create lightweight packages for applications with instant portability

Docker is not Containers, docker is an application which uses containers.

Want to encourage more applications which use containers

Most obvious application use is tenancy

Tenancy is a big problem for cloud applications

Most applications are specially written to be multi-tenant

However, you can take a single non-multitenant application

Give it a mount namespace with a private data store and a net namespace for a new IP address

fork n times with different namespaces for each fork

gives instant multi-tenant application

And one which will scale across nodes with container migration.

Container Migration done via CRIU
CRIU is Checkpoint/Restore In Userspace
http://www.criu.org
Project is Open Source, sponsored by Parallels
Used as the basis to migrate all containers in Linux
Enabling Novel Uses of Containers
Key is providing containers in an easy to use form
Create a library for doing this
github.com/xemul/libct
Exposes container features directly to applications
But can also bridge to older containers technology
can deploy docker to OpenVZ kernels earlier than 3.8
Could also do backends for Solaris Zones and Parallels Virtuozzo containers for Windows
Gives Docker deployment to Windows and Solaris
Containers in the Enterprise
Enterprise has significant investments in Hypervisor hardware
SR-IOV and Network Functional Virtualization (NFV)
All work by projecting hardware interface into hypervisor
How can we do this with containers which share the same kernel?
Of course, can do this identically with NFV too
So Thinking Differently, even Hypervisor hardware can be re-used by containers
Containers in OpenStack
In tree Nova container drivers not very functional
However, are out of tree ones for Parallels, LXC and OpenVZ (Rackspace)
Longer term, might use libct as single container driver like libvirt is for hypervisors
Might also get Solaris and Windows Containers for free
Conclusions
Containers are here to stay
They have security and isolation features to match hypervisors
But they can also be used in a granular fashion
They can also make use of Hardware features like NFV and SR-IOV
We haven't even scratched the surface of the possibilities
But we definitely intend to enable you to try
Presented using impress.js by Bartek Szopka


Web Developer!
Thank You!
Questions?