SlideShare a Scribd company logo
THINKING INSIDE THE BOX
Can Containers Solve the Package Problem?
Joe Brockmeier
Senior Evangelist, Linux Containers
2 November 2016
2
3
A Brief History of Packaging
The Problems We Face
Mistakes We’re Making (Again)
Some Solutions
WHAT WE’LL COVER
A complete treatise on software packaging in 45 minutes or less…
4
THE PROBLEM
We need to be able to move
software from development
to test to production. It
needs to be distributed over
insecure networks.
Operators need to be able
to manage the software,
developers need to be able
to deliver with minimal
friction.
5
We had the source, and found that it was
good.
● Worked on a variety of systems
(maybe)
● You did your own configuration.
● Was appropriate for speed of
development circa 1990-1997.
The Early Days...
./configure; make; make install
6
UNIX make
‘77
GNU make
‘88
A Brief (and incomplete) History of Packaging*
From `make install` to Docker (and beyond)
* not to scale...
Linux
released
‘91
dpkg
‘94
RPM
‘97 ‘98
APT
YUM
‘03
?
‘17
OVF
‘08
Docker
‘13
Kubernetes
‘14
7
UNIX make
‘77
GNU make
‘88
Rise of the Package Manager
No More ‘make install’
* not to scale...
Linux
released
‘91
dpkg
‘94
RPM
‘97 ‘98
APT
YUM
‘03
?
‘17
OVF
‘08
Docker
‘13
Kubernetes
‘14
8
UNIX make
‘77
GNU make
‘88
Evolution of Package Management
From `make install` to Docker (and beyond)
* not to scale...
Linux
released
‘91
dpkg
‘94
RPM
‘97 ‘98
APT
YUM
‘03
?
‘17
OVF
‘08
Docker
‘13
Kubernetes
‘14
9
This was great, briefly, but....
● Upstream speed + distribution speed
rarely matched
● Developers wanted newer releases of
$language or $library than in the
distribution
● You can never package everything
● Upstreams didn’t like decisions made
by distributions…
● Packaging guidelines not widely
loved
Linux Distributions as the Center of Gravity
To be relevant, you had to be packaged
10
FRAGMENTATION
Should I use dpkg, or RPM?
Package for Red Hat, or SUSE,
or Debian, or Ubuntu, or…?
COMPLICATED
Packaging guidelines tend to
be complicated. Developers
do not love creating RPMs
and Debian packages.
PACKAGING
APPLICATIONS IS HARD
It’s easy to package
WordPress. It’s hard to get it
into a usable state from RPM
or dpkg.
Packaging Headaches
Not quite there yet….
11
More Packaging Thoughts
Imperfect, but still useful
Additional pros and cons for package formats…
● Forward “only” -- it’s difficult to back out packages, it’s super difficult to return to an
arbitrary state for a system.
● We have an enormous investment in tooling. We don’t want to throw that away.
● We have an enormous investment in training. We don’t want to throw that away.
● For all its flaws, standard Linux packaging has tens of thousands of hours of
accumulated wisdom that has been poured into its design + tooling. Ignore this at your
peril.
12
UNIX make
‘77
GNU make
‘88
Virtual Appliances
Let’s just ship the whole $%@^ thing!
* not to scale...
Linux
released
‘91
dpkg
‘94
RPM
‘97 ‘98
APT
YUM
‘03
?
‘17
OVF
‘08
Docker
‘13
Kubernetes
‘14
13
If you have the control of the “full stack” it’s
easy to ship applications.
● Virtual appliances can be
pre-configured
● There’s no “installation” -- just spin up
the VM and go
● No need to package software.
Virtual Appliances
Portable & predictable: What could go wrong?
14
A few of the problems with Virtual
Appliances
● VM “sprawl” -- easy to start VMs,
harder to keep track of
● Heavier on resource utilization &
scaling is a problem
● Tracking updates, etc. in virtual
appliances can be a nightmare
● Standardization? One ISV uses RHEL,
another Debian, another SUSE…
Virtual Appliance Problems
The old saying about regular expressions applies…
CONTAINERS TO THE RESCUE(?)
16
UNIX make
‘77
GNU make
‘88
A Brief (and incomplete) History of Packaging*
From `make install` to Docker (and beyond)
* not to scale...
Linux
released
‘91
dpkg
‘94
RPM
‘97 ‘98
APT
YUM
‘03
?
‘17
OVF
‘08
Docker
‘13
Kubernetes
‘14
RED HAT AND CONTAINERS
History of Containers
2000
2010
2005
2015
2000:
JAILS ADDED
TO FREEBSD
2006:
GENERIC PROCESS
CONTAINERS
2008:
KERNEL AND USER
NAMESPACES
2014:
GOOGLE
KUBERNETES
2008:
LINUX CONTAINER
PROJECT (LXC)
2015:
STANDARDS VIA
OCI AND CNCF
2013:
RED HAT
ENTERPRISE LINUX
2013:
DOTCLOUD
BECOMES DOCKER
2007:
GPC RENAMED
CONTROL GROUPS
2003:
SELINUX ADDED TO
LINUX MAINLINE
2015:
RHT CONTAINER
PLATFORMS
2015:
RHEL ATOMIC HOST
2001:
LINUX -VSERVER
PROJECT
2013:
DOT CLOUD PYCON
LIGHTNING TALK
2005:
FULL RELEASE OF
SOLARIS ZONES
18
WHAT ARE CONTAINERS?
It depends who you ask
● Isolated application processes on a
shared Linux OS kernel
● Simpler, lighter, and denser than
virtual machines
● Portable across different
environments
● Packages my application and all of
its dependencies
● Deploy to any environment in
seconds and enable CI/CD
● Easily access and share
containerized components
INFRASTRUCTURE APPLICATIONS
ALL DONE, RIGHT?
EVERYBODY GO HOME
20
Container Gaps
Once again, the technology du jour didn’t solve all the problems...
Docker solved many problems, but it introduced a few new ones, and failed to address some
solved problems with packages.
● Dev-centric - maybe to the detriment of Ops?
● Shipping multi-container applications.
● Container provenance -- where did this container come from?
● Container lifecycle and maintenance -- updating containers, maintaining the OS, etc.
● Best practices?
● Auditing software in containers is harder.
● Host/container mis-matches.
● Server-specific
● Run as root
RED HAT AND CONTAINERS
What’s Inside the Container Matters
36% of official images in Docker Hub contain high priority security vulnerabilities
● High vulnerabilities: ShellShock (bash),
Heartbleed (OpenSSL), etc.
● Medium vulnerabilities: Poodle
(OpenSSL), etc.
● Low vulnerabilities: gcc: array memory
allocations could cause integer overflow
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan,
and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
RED HAT AND CONTAINERS
Container Orchestration, Scheduling and
Management via Kubernetes
Critical for Building Containerized Application Infrastructure
● Orchestrate application services that span
multiple containers across multiple Linux
hosts
● Schedule containers across multiple hosts
in desired topology
● Enable manual and automated scaling up
& down
● Manage container lifecycle with declarative
model for health management to detect
and restart on failure
ORCHESTRATION
VIA KUBERNETES
SOLVING PACKAGING PROBLEMS
Thinking inside the box (shared)
Thinking inside the box (shared)
Thinking inside the box (shared)
IMPROVING THE HOST/DISTRO
INSERT DESIGNATOR, IF NEEDED28
Minimal Appliance-Like Trusted
Improving the Distribution
Creating a Container Host
29
RHEL Atomic is built from the same packages as RHEL, but deployed as a single image that
makes updates easy.
● Atomic updates: every server gets exactly the same set of packages.
● “git for your OS”: rpm-ostree enables you to deploy a specific version or rollback an
update.
● Immutable OS: Applications are deployed as containers, ensuring they do not interfere
with the host OS.
● Layered packages: In RHEL Atomic 7.2.6 we add the ability to “layer” packages on top
of the host. This is meant to add hardware support or other limited components.
Applications are still delivered in containers.
Atomic Updates: rpm-ostree
Updates are a single, reversible transaction.
30
RHEL Atomic 7.3 adds support for simple
image signing.
● Images may be signed as a whole.
● Can set policy to refuse to run
unsigned images or only images with
specific signatures.
● OpenShift/Kubernetes integration are
coming soon.
Laying a foundation for a strong chain of trust for container images
SIMPLE IMAGE SIGNING
31
The atomic command is used to manage the host and containers on the system.
● Updates -- “atomic host” command can be used to update the system or roll back to a
previous release.
● Scan -- “atomic scan” lets you check containers to see if they have any known
vulnerabilities (CVEs).
● Run and manage containers -- using the atomic CLI you can install, run, and uninstall
application and system containers.
● Diff -- view file or rpm level differences between images and/or containers.
● Top -- see the activity of all containers on your system with a convenient “top”-like
interface.
Atomic CLI
A cohesive entrypoint into the Atomic Host
32
Atomic Host offers support for Docker-formatted containers.
● Atomic Host is streamlined and optimized to run applications comprising one or more
Docker-formatted containers.
● RHEL Atomic 7.3 offers docker 1.10 and docker-latest (1.12).
● System containers offer the ability to run services before Docker runs. This also allows
us to put fewer packages in the host OS.
● Limiting applications to containers simplifies life for operators and developers.
Linux Containers
Run applications and system services in containers.
33
WHAT ABOUT THE DESKTOP?
34
● Uses OCI format
● Sandboxes applications using
Bubblewrap
(https://github.com/projectatomic/bub
blewrap)
● Uses systemd to set cgroups for
Sandbox (so requires a Linux distro
w/systemd)
● Formerly known as Xdg-app
● Desktop-oriented, not meant for
server apps at all
Flatpak - Sandboxing for the desktop
Some apps don’t fit in docker containers
35
Flatpak Use
A quick description - see Flatpak.org for more
Using Flatpak is easy-ish, but getting easier
● Add Flatpak repos separately (e.g., GNOME Nightly)
● Install and update applications separately from the rest of your Desktop
● KDE Runtime for Flatpak in development
● “might eat your pet or firstborn”
● Can use --user to install apps without root permissions
● Still early days, but shows promise for desktop apps distribution
OCI & CRI-O
INSERT DESIGNATOR, IF NEEDED37
We need a way to distribute and run
images that everybody agrees on -- even if
the implementations differ..
● cri-o: OCI-based implementation of
Kubernetes Container Runtime
Interface
● OCI Container Format: An agreed-on
on-disk format for Linux containers
Container Standards
Can’t we all just get along?
RED HAT AND CONTAINERS
Interoperability through Open Standards
Driving standards for containerization in four key areas
ISOLATION
FORMAT
ORCHESTRATION
DISTRIBUTION
NAMESPACES
SECURE ISOLATION
LOGICAL ENVIRONMENT
STATE MANAGER
RESOURCE MANAGEMENT
SELINUX
CGROUPS
HOST RUNTIME
RED HAT AND CONTAINERS
Interoperability through Open Standards
Driving standards for containerization in four key areas
CONTAINER FORMAT HOST RUNTIME
CONTAINER
BASE IMAGE
RHEL7
JAVA
SECURITY FIXES
APPLICATION
PLAY STOP PAUSE
ISOLATION
FORMAT
ORCHESTRATION
DISTRIBUTION
RED HAT AND CONTAINERS
Interoperability through Open Standards
Driving standards for containerization in four key areas
DESCRIBE MULTI-CONTAINER
APPLICATIONS
TRANSPARENT ORCHESTRATION
ACROSS CONTAINER HOSTS
ORCHESTRATION
VIA KUBERNETES
ISOLATION
FORMAT
ORCHESTRATION
DISTRIBUTION
RED HAT AND CONTAINERS
Interoperability through Open Standards
Driving standards for containerization in four key areas
ISV
REGISTRY
Docker search foo
ENTERPRISE
REGISTRY
RED HAT
REGISTRY
SEARCH
PULL
FEDERATE
ISOLATION
FORMAT
ORCHESTRATION
DISTRIBUTION
INSERT DESIGNATOR, IF NEEDED42
Legacy systems & applications aren’t going away soon
In most environments containerized apps must co-exist with legacy apps.
We have a lot to learn - but we should consider lessons of the past
The tools are evolving rapidly, we don’t know what the world is going to look like in a few
years -- or all the best practices, yet. But we can learn from the past.
Security has to come first
Speed and agility don’t help the business if you’re not secure. Everybody is a target.
Conclusion
The newfangled stuff is great, but we need to remember what we’ve learned the past 30+
years...
THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews

More Related Content

What's hot (20)

PDF
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
dotCloud
 
PDF
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Jérôme Petazzoni
 
PDF
JOSA TechTalk: Introduction to docker
Jordan Open Source Association
 
PDF
Rishidot research briefing notes Cloudscaling
Rishidot Research
 
PDF
Distro Recipes 2013 : Make Debian and compiler agnostic
Anne Nicolas
 
PDF
Docker based-pipelines
DevOps.com
 
PDF
Distro Recipes 2013 : Debian and quality assurance
Anne Nicolas
 
ODP
Docker engine - Indroduc
Al Gifari
 
PDF
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 
PDF
Getting started with docker
JEMLI Fathi
 
PPTX
Linux Container Brief for IEEE WG P2302
Boden Russell
 
PDF
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni
 
PPTX
Dockerize the World - presentation from Hradec Kralove
damovsky
 
PDF
Containers technologies
Joris Bonnefoy
 
PPTX
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Boden Russell
 
PDF
Evoluation of Linux Container Virtualization
Imesh Gunaratne
 
PDF
Docker in pratice -chenyifei
dotCloud
 
PDF
Docker to the Rescue of an Ops Team
Rachid Zarouali
 
PPTX
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
PDF
SCALE 2011 Deploying OpenStack with Chef
Matt Ray
 
Introduction to Docker and all things containers, Docker Meetup at RelateIQ
dotCloud
 
Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...
Jérôme Petazzoni
 
JOSA TechTalk: Introduction to docker
Jordan Open Source Association
 
Rishidot research briefing notes Cloudscaling
Rishidot Research
 
Distro Recipes 2013 : Make Debian and compiler agnostic
Anne Nicolas
 
Docker based-pipelines
DevOps.com
 
Distro Recipes 2013 : Debian and quality assurance
Anne Nicolas
 
Docker engine - Indroduc
Al Gifari
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
dotCloud
 
Getting started with docker
JEMLI Fathi
 
Linux Container Brief for IEEE WG P2302
Boden Russell
 
Containers, docker, and security: state of the union (Bay Area Infracoders Me...
Jérôme Petazzoni
 
Dockerize the World - presentation from Hradec Kralove
damovsky
 
Containers technologies
Joris Bonnefoy
 
Linux containers – next gen virtualization for cloud (atl summit) ar4 3 - copy
Boden Russell
 
Evoluation of Linux Container Virtualization
Imesh Gunaratne
 
Docker in pratice -chenyifei
dotCloud
 
Docker to the Rescue of an Ops Team
Rachid Zarouali
 
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
SCALE 2011 Deploying OpenStack with Chef
Matt Ray
 

Viewers also liked (20)

PPTX
Taking the open cloud to 11
Joe Brockmeier
 
DOC
Biweekly Financial Commentary 06 10 23
Ant Wong
 
PDF
Designed for the Worst Case - Zurich's water supply
Memi Beltrame
 
DOC
Biweekly Financial Commentary 08 05 19
Ant Wong
 
PDF
Ib.2009
Ant Wong
 
PDF
M2M & D2D Communication Patents for IoT Innovation Ranking
Alex G. Lee, Ph.D. Esq. CLP
 
PDF
Prfm programming 2_with_notes
Yung-Luen Lan
 
PDF
HTC ITC Complaint to Apple
Alex G. Lee, Ph.D. Esq. CLP
 
PPS
Otoño en la Patagonia argentina
Luiz Carlos Dias
 
DOCX
넘버원 LTE코리아 LG전자
Alex G. Lee, Ph.D. Esq. CLP
 
PDF
Legal Issues in Collaboration Alliances for the University Spinouts & Technol...
Alex G. Lee, Ph.D. Esq. CLP
 
PDF
Sessa a. polt soc.
Alain Denis
 
PDF
Article finansavisen 18sep2010
Lars Bjørge
 
PDF
Artificial Intelligence for Internet of Things Insights from Patents
Alex G. Lee, Ph.D. Esq. CLP
 
PPT
劉宗儒
crystal825
 
PPS
Abadia de Melk - Áustria
Luiz Carlos Dias
 
PPT
Intervento K Ma C Pacini
aprovisi
 
PPS
Com navegar pel blog
bloc marina alta
 
PPS
презентация акс бизнес 1
guest4ab0dd
 
PDF
Emotion-Aware Internet of Things Insights from Patents
Alex G. Lee, Ph.D. Esq. CLP
 
Taking the open cloud to 11
Joe Brockmeier
 
Biweekly Financial Commentary 06 10 23
Ant Wong
 
Designed for the Worst Case - Zurich's water supply
Memi Beltrame
 
Biweekly Financial Commentary 08 05 19
Ant Wong
 
Ib.2009
Ant Wong
 
M2M & D2D Communication Patents for IoT Innovation Ranking
Alex G. Lee, Ph.D. Esq. CLP
 
Prfm programming 2_with_notes
Yung-Luen Lan
 
HTC ITC Complaint to Apple
Alex G. Lee, Ph.D. Esq. CLP
 
Otoño en la Patagonia argentina
Luiz Carlos Dias
 
넘버원 LTE코리아 LG전자
Alex G. Lee, Ph.D. Esq. CLP
 
Legal Issues in Collaboration Alliances for the University Spinouts & Technol...
Alex G. Lee, Ph.D. Esq. CLP
 
Sessa a. polt soc.
Alain Denis
 
Article finansavisen 18sep2010
Lars Bjørge
 
Artificial Intelligence for Internet of Things Insights from Patents
Alex G. Lee, Ph.D. Esq. CLP
 
劉宗儒
crystal825
 
Abadia de Melk - Áustria
Luiz Carlos Dias
 
Intervento K Ma C Pacini
aprovisi
 
Com navegar pel blog
bloc marina alta
 
презентация акс бизнес 1
guest4ab0dd
 
Emotion-Aware Internet of Things Insights from Patents
Alex G. Lee, Ph.D. Esq. CLP
 
Ad

Similar to Thinking inside the box (shared) (20)

PDF
Docker and DevOps - Why it matters
Jeremy Brown
 
PDF
Docker handons-workshop-for-charity
Yusuf Hadiwinata Sutandar
 
PDF
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Daniel Oh
 
PDF
Docker Containers Deep Dive
Will Kinard
 
PDF
Evolution of containers to kubernetes
Krishna-Kumar
 
PDF
Shipping NodeJS with Docker and CoreOS
Ross Kukulinski
 
PDF
Navigating container technology for enhanced security by Niklas Saari
Metosin Oy
 
PDF
Deploying OpenStack Services with Linux Containers - Brisbane OpenStack Meetu...
Ken Thompson
 
PDF
Introduction to Atomic: Tailoring a Trusted OS for Containers
Joe Brockmeier
 
PDF
Docker In Action Second Edition 2nd Edition Jeff Nickoloff
chabokhewin
 
PDF
Going Atomic with your Container Infrastructure
Red Hat India Pvt. Ltd.
 
PDF
Introduction to Containers
Dharmit Shah
 
PPTX
The challenge of application distribution - Introduction to Docker (2014 dec ...
Sébastien Portebois
 
PDF
Docker_AGH_v0.1.3
Witold 'Ficio' Kopel
 
PDF
Containers for grownups migrating traditional & existing applications[1...
DevOps.com
 
PDF
Docker Intro at the Google Developer Group and Google Cloud Platform Meet Up
Jérôme Petazzoni
 
PDF
The ABC of Docker: The Absolute Best Compendium of Docker
Aniekan Akpaffiong
 
PDF
Introduction to Containers - From Docker to Kubernetes and everything in between
All Things Open
 
PDF
Securing the container DevOps pipeline by William Henry
DevSecCon
 
PDF
More terrible ideas for containers
Andy Henroid
 
Docker and DevOps - Why it matters
Jeremy Brown
 
Docker handons-workshop-for-charity
Yusuf Hadiwinata Sutandar
 
Podman, Buildah, and Quarkus - The Latest in Linux Containers Technologies
Daniel Oh
 
Docker Containers Deep Dive
Will Kinard
 
Evolution of containers to kubernetes
Krishna-Kumar
 
Shipping NodeJS with Docker and CoreOS
Ross Kukulinski
 
Navigating container technology for enhanced security by Niklas Saari
Metosin Oy
 
Deploying OpenStack Services with Linux Containers - Brisbane OpenStack Meetu...
Ken Thompson
 
Introduction to Atomic: Tailoring a Trusted OS for Containers
Joe Brockmeier
 
Docker In Action Second Edition 2nd Edition Jeff Nickoloff
chabokhewin
 
Going Atomic with your Container Infrastructure
Red Hat India Pvt. Ltd.
 
Introduction to Containers
Dharmit Shah
 
The challenge of application distribution - Introduction to Docker (2014 dec ...
Sébastien Portebois
 
Docker_AGH_v0.1.3
Witold 'Ficio' Kopel
 
Containers for grownups migrating traditional & existing applications[1...
DevOps.com
 
Docker Intro at the Google Developer Group and Google Cloud Platform Meet Up
Jérôme Petazzoni
 
The ABC of Docker: The Absolute Best Compendium of Docker
Aniekan Akpaffiong
 
Introduction to Containers - From Docker to Kubernetes and everything in between
All Things Open
 
Securing the container DevOps pipeline by William Henry
DevSecCon
 
More terrible ideas for containers
Andy Henroid
 
Ad

More from Joe Brockmeier (11)

PDF
Community Over Code: How to Build a Successful Project
Joe Brockmeier
 
PDF
Sharing Apache's Goodness: How We Should be Telling Apache's Story
Joe Brockmeier
 
ODP
Solving the Package Problem
Joe Brockmeier
 
PPTX
Apache CloudStack: API to UI (STLLUG)
Joe Brockmeier
 
PDF
Apache CloudStack: From API to UI (NYLUG)
Joe Brockmeier
 
PPTX
Deploying Apache CloudStack from API to UI
Joe Brockmeier
 
PPTX
Getting Started with Apache CloudStack
Joe Brockmeier
 
PDF
How I Learned to Stop Worrying, and Love Open Source Software Foundations
Joe Brockmeier
 
PPTX
Intro to CloudStack
Joe Brockmeier
 
PDF
Txlf2012
Joe Brockmeier
 
PDF
Bootstrapping coverage
Joe Brockmeier
 
Community Over Code: How to Build a Successful Project
Joe Brockmeier
 
Sharing Apache's Goodness: How We Should be Telling Apache's Story
Joe Brockmeier
 
Solving the Package Problem
Joe Brockmeier
 
Apache CloudStack: API to UI (STLLUG)
Joe Brockmeier
 
Apache CloudStack: From API to UI (NYLUG)
Joe Brockmeier
 
Deploying Apache CloudStack from API to UI
Joe Brockmeier
 
Getting Started with Apache CloudStack
Joe Brockmeier
 
How I Learned to Stop Worrying, and Love Open Source Software Foundations
Joe Brockmeier
 
Intro to CloudStack
Joe Brockmeier
 
Txlf2012
Joe Brockmeier
 
Bootstrapping coverage
Joe Brockmeier
 

Recently uploaded (20)

PPTX
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
PDF
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
PDF
Market Insight : ETH Dominance Returns
CIFDAQ
 
PDF
The Past, Present & Future of Kenya's Digital Transformation
Moses Kemibaro
 
PPTX
Earn Agentblazer Status with Slack Community Patna.pptx
SanjeetMishra29
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
Per Axbom: The spectacular lies of maps
Nexer Digital
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PDF
Lecture A - AI Workflows for Banking.pdf
Dr. LAM Yat-fai (林日辉)
 
PDF
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
Basics of Electronics for IOT(actuators ,microcontroller etc..)
arnavmanesh
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PPTX
python advanced data structure dictionary with examples python advanced data ...
sprasanna11
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
Market Insight : ETH Dominance Returns
CIFDAQ
 
The Past, Present & Future of Kenya's Digital Transformation
Moses Kemibaro
 
Earn Agentblazer Status with Slack Community Patna.pptx
SanjeetMishra29
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
Lecture A - AI Workflows for Banking.pdf
Dr. LAM Yat-fai (林日辉)
 
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
Basics of Electronics for IOT(actuators ,microcontroller etc..)
arnavmanesh
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
python advanced data structure dictionary with examples python advanced data ...
sprasanna11
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 

Thinking inside the box (shared)

  • 1. THINKING INSIDE THE BOX Can Containers Solve the Package Problem? Joe Brockmeier Senior Evangelist, Linux Containers 2 November 2016
  • 2. 2
  • 3. 3 A Brief History of Packaging The Problems We Face Mistakes We’re Making (Again) Some Solutions WHAT WE’LL COVER A complete treatise on software packaging in 45 minutes or less…
  • 4. 4 THE PROBLEM We need to be able to move software from development to test to production. It needs to be distributed over insecure networks. Operators need to be able to manage the software, developers need to be able to deliver with minimal friction.
  • 5. 5 We had the source, and found that it was good. ● Worked on a variety of systems (maybe) ● You did your own configuration. ● Was appropriate for speed of development circa 1990-1997. The Early Days... ./configure; make; make install
  • 6. 6 UNIX make ‘77 GNU make ‘88 A Brief (and incomplete) History of Packaging* From `make install` to Docker (and beyond) * not to scale... Linux released ‘91 dpkg ‘94 RPM ‘97 ‘98 APT YUM ‘03 ? ‘17 OVF ‘08 Docker ‘13 Kubernetes ‘14
  • 7. 7 UNIX make ‘77 GNU make ‘88 Rise of the Package Manager No More ‘make install’ * not to scale... Linux released ‘91 dpkg ‘94 RPM ‘97 ‘98 APT YUM ‘03 ? ‘17 OVF ‘08 Docker ‘13 Kubernetes ‘14
  • 8. 8 UNIX make ‘77 GNU make ‘88 Evolution of Package Management From `make install` to Docker (and beyond) * not to scale... Linux released ‘91 dpkg ‘94 RPM ‘97 ‘98 APT YUM ‘03 ? ‘17 OVF ‘08 Docker ‘13 Kubernetes ‘14
  • 9. 9 This was great, briefly, but.... ● Upstream speed + distribution speed rarely matched ● Developers wanted newer releases of $language or $library than in the distribution ● You can never package everything ● Upstreams didn’t like decisions made by distributions… ● Packaging guidelines not widely loved Linux Distributions as the Center of Gravity To be relevant, you had to be packaged
  • 10. 10 FRAGMENTATION Should I use dpkg, or RPM? Package for Red Hat, or SUSE, or Debian, or Ubuntu, or…? COMPLICATED Packaging guidelines tend to be complicated. Developers do not love creating RPMs and Debian packages. PACKAGING APPLICATIONS IS HARD It’s easy to package WordPress. It’s hard to get it into a usable state from RPM or dpkg. Packaging Headaches Not quite there yet….
  • 11. 11 More Packaging Thoughts Imperfect, but still useful Additional pros and cons for package formats… ● Forward “only” -- it’s difficult to back out packages, it’s super difficult to return to an arbitrary state for a system. ● We have an enormous investment in tooling. We don’t want to throw that away. ● We have an enormous investment in training. We don’t want to throw that away. ● For all its flaws, standard Linux packaging has tens of thousands of hours of accumulated wisdom that has been poured into its design + tooling. Ignore this at your peril.
  • 12. 12 UNIX make ‘77 GNU make ‘88 Virtual Appliances Let’s just ship the whole $%@^ thing! * not to scale... Linux released ‘91 dpkg ‘94 RPM ‘97 ‘98 APT YUM ‘03 ? ‘17 OVF ‘08 Docker ‘13 Kubernetes ‘14
  • 13. 13 If you have the control of the “full stack” it’s easy to ship applications. ● Virtual appliances can be pre-configured ● There’s no “installation” -- just spin up the VM and go ● No need to package software. Virtual Appliances Portable & predictable: What could go wrong?
  • 14. 14 A few of the problems with Virtual Appliances ● VM “sprawl” -- easy to start VMs, harder to keep track of ● Heavier on resource utilization & scaling is a problem ● Tracking updates, etc. in virtual appliances can be a nightmare ● Standardization? One ISV uses RHEL, another Debian, another SUSE… Virtual Appliance Problems The old saying about regular expressions applies…
  • 15. CONTAINERS TO THE RESCUE(?)
  • 16. 16 UNIX make ‘77 GNU make ‘88 A Brief (and incomplete) History of Packaging* From `make install` to Docker (and beyond) * not to scale... Linux released ‘91 dpkg ‘94 RPM ‘97 ‘98 APT YUM ‘03 ? ‘17 OVF ‘08 Docker ‘13 Kubernetes ‘14
  • 17. RED HAT AND CONTAINERS History of Containers 2000 2010 2005 2015 2000: JAILS ADDED TO FREEBSD 2006: GENERIC PROCESS CONTAINERS 2008: KERNEL AND USER NAMESPACES 2014: GOOGLE KUBERNETES 2008: LINUX CONTAINER PROJECT (LXC) 2015: STANDARDS VIA OCI AND CNCF 2013: RED HAT ENTERPRISE LINUX 2013: DOTCLOUD BECOMES DOCKER 2007: GPC RENAMED CONTROL GROUPS 2003: SELINUX ADDED TO LINUX MAINLINE 2015: RHT CONTAINER PLATFORMS 2015: RHEL ATOMIC HOST 2001: LINUX -VSERVER PROJECT 2013: DOT CLOUD PYCON LIGHTNING TALK 2005: FULL RELEASE OF SOLARIS ZONES
  • 18. 18 WHAT ARE CONTAINERS? It depends who you ask ● Isolated application processes on a shared Linux OS kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments ● Packages my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components INFRASTRUCTURE APPLICATIONS
  • 20. 20 Container Gaps Once again, the technology du jour didn’t solve all the problems... Docker solved many problems, but it introduced a few new ones, and failed to address some solved problems with packages. ● Dev-centric - maybe to the detriment of Ops? ● Shipping multi-container applications. ● Container provenance -- where did this container come from? ● Container lifecycle and maintenance -- updating containers, maintaining the OS, etc. ● Best practices? ● Auditing software in containers is harder. ● Host/container mis-matches. ● Server-specific ● Run as root
  • 21. RED HAT AND CONTAINERS What’s Inside the Container Matters 36% of official images in Docker Hub contain high priority security vulnerabilities ● High vulnerabilities: ShellShock (bash), Heartbleed (OpenSSL), etc. ● Medium vulnerabilities: Poodle (OpenSSL), etc. ● Low vulnerabilities: gcc: array memory allocations could cause integer overflow Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
  • 22. RED HAT AND CONTAINERS Container Orchestration, Scheduling and Management via Kubernetes Critical for Building Containerized Application Infrastructure ● Orchestrate application services that span multiple containers across multiple Linux hosts ● Schedule containers across multiple hosts in desired topology ● Enable manual and automated scaling up & down ● Manage container lifecycle with declarative model for health management to detect and restart on failure ORCHESTRATION VIA KUBERNETES
  • 28. INSERT DESIGNATOR, IF NEEDED28 Minimal Appliance-Like Trusted Improving the Distribution Creating a Container Host
  • 29. 29 RHEL Atomic is built from the same packages as RHEL, but deployed as a single image that makes updates easy. ● Atomic updates: every server gets exactly the same set of packages. ● “git for your OS”: rpm-ostree enables you to deploy a specific version or rollback an update. ● Immutable OS: Applications are deployed as containers, ensuring they do not interfere with the host OS. ● Layered packages: In RHEL Atomic 7.2.6 we add the ability to “layer” packages on top of the host. This is meant to add hardware support or other limited components. Applications are still delivered in containers. Atomic Updates: rpm-ostree Updates are a single, reversible transaction.
  • 30. 30 RHEL Atomic 7.3 adds support for simple image signing. ● Images may be signed as a whole. ● Can set policy to refuse to run unsigned images or only images with specific signatures. ● OpenShift/Kubernetes integration are coming soon. Laying a foundation for a strong chain of trust for container images SIMPLE IMAGE SIGNING
  • 31. 31 The atomic command is used to manage the host and containers on the system. ● Updates -- “atomic host” command can be used to update the system or roll back to a previous release. ● Scan -- “atomic scan” lets you check containers to see if they have any known vulnerabilities (CVEs). ● Run and manage containers -- using the atomic CLI you can install, run, and uninstall application and system containers. ● Diff -- view file or rpm level differences between images and/or containers. ● Top -- see the activity of all containers on your system with a convenient “top”-like interface. Atomic CLI A cohesive entrypoint into the Atomic Host
  • 32. 32 Atomic Host offers support for Docker-formatted containers. ● Atomic Host is streamlined and optimized to run applications comprising one or more Docker-formatted containers. ● RHEL Atomic 7.3 offers docker 1.10 and docker-latest (1.12). ● System containers offer the ability to run services before Docker runs. This also allows us to put fewer packages in the host OS. ● Limiting applications to containers simplifies life for operators and developers. Linux Containers Run applications and system services in containers.
  • 33. 33 WHAT ABOUT THE DESKTOP?
  • 34. 34 ● Uses OCI format ● Sandboxes applications using Bubblewrap (https://github.com/projectatomic/bub blewrap) ● Uses systemd to set cgroups for Sandbox (so requires a Linux distro w/systemd) ● Formerly known as Xdg-app ● Desktop-oriented, not meant for server apps at all Flatpak - Sandboxing for the desktop Some apps don’t fit in docker containers
  • 35. 35 Flatpak Use A quick description - see Flatpak.org for more Using Flatpak is easy-ish, but getting easier ● Add Flatpak repos separately (e.g., GNOME Nightly) ● Install and update applications separately from the rest of your Desktop ● KDE Runtime for Flatpak in development ● “might eat your pet or firstborn” ● Can use --user to install apps without root permissions ● Still early days, but shows promise for desktop apps distribution
  • 37. INSERT DESIGNATOR, IF NEEDED37 We need a way to distribute and run images that everybody agrees on -- even if the implementations differ.. ● cri-o: OCI-based implementation of Kubernetes Container Runtime Interface ● OCI Container Format: An agreed-on on-disk format for Linux containers Container Standards Can’t we all just get along?
  • 38. RED HAT AND CONTAINERS Interoperability through Open Standards Driving standards for containerization in four key areas ISOLATION FORMAT ORCHESTRATION DISTRIBUTION NAMESPACES SECURE ISOLATION LOGICAL ENVIRONMENT STATE MANAGER RESOURCE MANAGEMENT SELINUX CGROUPS HOST RUNTIME
  • 39. RED HAT AND CONTAINERS Interoperability through Open Standards Driving standards for containerization in four key areas CONTAINER FORMAT HOST RUNTIME CONTAINER BASE IMAGE RHEL7 JAVA SECURITY FIXES APPLICATION PLAY STOP PAUSE ISOLATION FORMAT ORCHESTRATION DISTRIBUTION
  • 40. RED HAT AND CONTAINERS Interoperability through Open Standards Driving standards for containerization in four key areas DESCRIBE MULTI-CONTAINER APPLICATIONS TRANSPARENT ORCHESTRATION ACROSS CONTAINER HOSTS ORCHESTRATION VIA KUBERNETES ISOLATION FORMAT ORCHESTRATION DISTRIBUTION
  • 41. RED HAT AND CONTAINERS Interoperability through Open Standards Driving standards for containerization in four key areas ISV REGISTRY Docker search foo ENTERPRISE REGISTRY RED HAT REGISTRY SEARCH PULL FEDERATE ISOLATION FORMAT ORCHESTRATION DISTRIBUTION
  • 42. INSERT DESIGNATOR, IF NEEDED42 Legacy systems & applications aren’t going away soon In most environments containerized apps must co-exist with legacy apps. We have a lot to learn - but we should consider lessons of the past The tools are evolving rapidly, we don’t know what the world is going to look like in a few years -- or all the best practices, yet. But we can learn from the past. Security has to come first Speed and agility don’t help the business if you’re not secure. Everybody is a target. Conclusion The newfangled stuff is great, but we need to remember what we’ve learned the past 30+ years...