
    cloud & container


    Episodes (26)

    Passive filesystem verification (asg2018)
    A more generic approach to ensure you have what you'd expect to have. A side effect of the many new ways to package filesystems (here's looking at you, containers!) is that filesystems are being copied around without many of the features that traditional packaging provided (e.g. `rpm -qV ...`). Much progress has been made on reproducible digests of containers. In this talk Vincent Batts will review options for distributing filesystems with reproducibility, and for verifying the at-rest outcomes. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/185

    Past, present and future of system containers (asg2018)
    System containers, the oldest type of containers, focus on running an entire Linux distribution, including all its services, in very much the same way it would run on a physical system or virtual machine. System containers come with some unique challenges: users of those containers expect to be able to do pretty much everything that they can on a normal system. This means it’s not possible to restrict those containers quite as much as application containers can be. It also means that there are extra expectations to be met:
    • Being able to add/remove devices to/from a running container
    • Loading security profiles inside a container
    • Using file capabilities in the container
    • Mounting file systems
    • Proper reporting of uptime, resource consumption and limits
    • Live-migration
    In this presentation, we’ll explore some of the existing technologies used by LXC and LXD to address some of those expectations, as well as upcoming kernel and userspace features that will allow system containers to do even more than they do today. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/224

    Replacing Docker with Podman (asg2018)
    This talk will describe all of the reasons for podman and all of its features, and demonstrate its functionality. I will cover the background of podman, how we built it and why we built it, and I will demonstrate using it in multiple different ways: running containers, building container images, communicating with it via varlink, cockpit integration, and communicating with it from a remote machine. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/177

    CRI-O: All the Runtime Kubernetes need (asg2018)
    CRI-O is a brand new container runtime dedicated and optimized to support Kubernetes workloads. Its goal is to be a stable container runtime tied to Kubernetes releases, replacing the docker daemon. Historically, every update of Docker has broken Kubernetes. This has led to major rewriting and fixes of Kubernetes, which is understandable since Docker is not primarily built for Kubernetes. Kubernetes needs a container runtime dedicated to its specifications. CRI-O (the name comes from the Container Runtime Interface for Open container runtimes) takes advantage of emerging standards like the OCI Runtime and Image Specifications, as well as open source projects that handle container images (github.com:containers/image, github.com:containers/storage). This means that as these projects advance, CRI-O will be able to take advantage of the improvements and features, all the while guaranteeing that it will not break any functionality required by the Kubernetes CRI. CRI-O works with the runc and Clear Containers runtimes. CRI-O was designed from the ground up to satisfy the Kubernetes Container Runtime Interface, and currently passes all node and E2E tests. The GitHub repository has been set up to not accept any pull requests that cause these tests to break. We will be tying the versions of CRI-O to the Kubernetes versions, to maintain complete compatibility. This talk will describe the CRI-O architecture as well as demonstrate different Kubernetes features running on top of CRI-O, exercising the CRI API. Attendees will learn how to configure CRI-O with Kubernetes and use it for their workloads. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/211

    Container Runtimes: draw some lines (asg2018)
    The future of connecting to the container runtime as docker phases out. Since docker came on the scene in 2013, for many it was the first they'd heard of containers. They existed before, and have exploded since then. Today, if you intend to run containers in production, it means at the Kubernetes level; but what is happening below that? What does this mean for direct access and the on-going developer experience? about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/186

    The State of Your Supply Chain (asg2018)
    Container security often focuses on runtime best-practices whilst neglecting delivery of the software in the supply chain. Application, library, and OS vulnerabilities are a likely route to data exfiltration, and emerging technologies in the container ecosystem offer a new opportunity to mitigate this risk. Treating containers as immutable artefacts and injecting configuration allows us to "upgrade" images by rebuilding and shipping whole software bundles, avoiding configuration drift and state inconsistencies. This makes it possible to constantly patch software, and to easily enforce governance of artefacts both pre- and post-deployment. In this talk we detail an ideal, security-hardened container supply chain, describe the current state of the ecosystem, and dig into specific tools. Grafeas, Kritis, in-toto, Clair, Micro Scanner, TUF, and Notary are covered, and we demo how to gate container image pipelines and deployments on cryptographically verified supply chain metadata. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/184

    Is Cockpit Secure? (asg2018)
    Cockpit makes Linux discoverable. But it's really a Linux session in a web browser, accessing the native system APIs and tools directly from JavaScript. Does that sound scary? How can we be sure that accessing Linux from a web browser is secure? What about the web server stack? What about authentication and privilege escalation? We'll talk about how Cockpit deals with security, authentication, privilege escalation, and browser lock down. I'll show you various techniques to tailor Cockpit's security options to your situation, like using bastion hosts. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/231

    Titus: Adventures in Multi-tenant Scheduling (asg2018)
    Titus is a multitenant scheduler that runs a variety of workloads, ranging from online workloads which serve customer traffic to big data workloads which perform machine learning, and it has to get all of these workloads to cooperate on a shared pool of resources. Just to add a bit of complexity to the mix, these workloads all run on the cloud, on a shared storage and network fabric. Come to this talk to learn about how our approach to multi-tenancy works, as well as some of the challenges we faced along the way. Titus is a system which allows users to submit arbitrary container workloads to the cloud, and get their workloads running across many thousands of cores or more. This comes with a variety of challenges. We attacked this problem with a three-pronged approach. Our approach to scheduling is multi-tenant first. Our scheduler understands different workloads and the fact that different workloads have different Service Level Objectives. In addition to this, it understands the cloud, and the fact that it’s a shared control plane. Lastly, we’ve had to teach our scheduler to handle situations during failover, and when scaling up is key, versus traditional scheduling. Our approach to systems is evolving. Historically, our fleet was many single-tenant VMs. We’ve attacked systems-level multi-tenancy from multiple perspectives. The first of these involved giving our users APIs that were as close as possible to what they had on the VM. Subsequently, we’ve tried to enable security mechanisms like seccomp and apparmor that allow us to run nearly any workload on Titus. Lastly, we’re still figuring out resource isolation. Cgroups have come a long way, but there is a long way to go before we can be as good as VMs. All of our infrastructure runs on the cloud. We decided that our approach to scheduling and systems multi-tenancy should be cloud native, and leverage as many mechanisms as possible that already exist in the cloud rather than invent our own. Although this gave us a massive head start, it didn’t come for free. We had to solve problems like coordination-free optimistic interactions with our SDN, and solutions to shared storage. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/203

    Container Run-times and Fun-times (asg2018)
    A dive into the world of running systemd as an *in container* process manager at Facebook. At @FB we heavily utilize systemd on our servers. But, there's more! We also heavily utilize systemd inside our containers as well! Combined with our btrfs-based image deployment mechanism, we leverage all the good parts of systemd within our containers. I'll show how we utilize all the various components of systemd within a container, including how we use Portable Services! I'll talk about the philosophy of this design, our approach to building container images with systemd in mind, and our approach to Runtime Composition of services. Come listen and enjoy a deep dive into how we use btrfs, systemd, and portable services, and what benefit it provides for us across our large container infrastructure. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/179

    Fedora CoreOS (asg2018)
    What exactly is Red Hat up to with CoreOS... and what were they thinking when they announced a Fedora CoreOS? In this talk, we'll briefly look at some of the excellent work pioneered by the Container Linux team around the self-driving, container-focused operating system. We'll also overlay how the container ecosystem has changed over the past 5 years and what we're doing at the OS level to refocus and ultimately give users a better experience. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/232

    Being compliant with Open Container Initiative Spec (asg2018)
    The Open Container Initiative (OCI) started in 2015 to make different implementations of container runtimes and images compliant with well-defined specifications. Together with other folks at Kinvolk, I have been involved in various OCI projects for months, and encountered various issues that occur in the runtime specs and in runtime-tools for verification. Since we live in the real world, not everything works as well as expected. I’m going to talk about practical issues, and possible ways to get them improved. The Open Container Initiative (OCI) defines container runtime specs (https://github.com/opencontainers/runtime-spec) as well as container image specs (https://github.com/opencontainers/image-spec) and a distribution spec (https://github.com/opencontainers/distribution-spec). There is also runtime-tools (https://github.com/opencontainers/runtime-tools), which helps container runtimes verify compliance with the runtime specifications. The standard container runtime is runc (https://github.com/opencontainers/runc), which is included in multiple high-level container managers like Docker or containerd. Most of the practical issues arise when the specification is not clearly defined in the first place, or when container runtimes have their own reasons for not being compliant with the specs, or when there’s no consensus in the community on how it should proceed. On the other hand, container orchestration systems like Kubernetes have defined their own interfaces, such as the Container Runtime Interface (CRI). The different interfaces (OCI runtime and CRI) exist at different layers in the software stack. I'll show how CRI depends on OCI and some mismatches between them. In this talk I want to introduce such practical issues, and try to suggest how we should proceed regarding spec compliance. about this event: https://cfp.all-systems-go.io/en/ASG2018/public/events/195
