Container,rkt,Kubernetes顾宜凡(YifanGu)SoftwareEngineer@CoreOSgithub.com/yifan-gu1.Containers,OCI,Appc2.rkt3.Kubernetes,andrkt+KubernetesOverviewContainerIsHOTContainerisnotanewtechnology,Why?Container=Docker?So,whatiscontainer?Controlgroup-CPU-Memory-IO-Devices-...-Namespaces-Network-IPC-ProcessID-...So,whatiscontainer?Container=Docker?NoSo,whatiscontainer?Container=Docker?NoContainer=cgroup+namespace?NoSo,whatiscontainer?SolarisZones~2005FreeBSD~2000So,whatiscontainer?Container=package+runtime!So,whatiscontainer?Container=package+runtime!●Easypackaging(build/push/pull)●Isolated,controlled(run/stop)So,whatiscontainer?Ifit’shot,thenstandardizeitContainer~1950Container~2010Ifit’shot,thenstandardizeit2013.3Docker1.02016.32015.62014.12Appc0.1OCI(RuntimeSpec)OCI(ImageSpec)ContainerSpecTimelineOpenContainerSpecifications-RuntimeSpec-config.json-runtime.json-rootfs-ImageSpec-startedfromDockerv2-absorbfromAppc-discovery-signing-appconfigsContainerSpecgithub.com/coreos/rktrktisaCLIforrunningappcontainersonLinux.rktisdesignedtobesecure,composable,andstandards-based.rktdoesn’trequirealong-runningdaemonandprovidesapowerful,pluggable,abstractionaroundisolationandruntimeinitialization.Whatisrkt?●GPGsignaturestoverifyimages●SELinuxcontexts●Canruncontainersinhypervisor●CandoTPMmeasurements,providesatamper-proofauditlogHowrktdoessecurity●Integratingwellwithinitsystems●Aimstoworkwellwithotherprojects●rkthastheconceptofa“stage1”,whichisaswappablecomponentthatactuallyrunsthecontainer●Availablestage1s○chroot○Linuxnamespaces(default)○LKVMHowrktdoescomposability●ImplementationofAppC,awelldefinedspec●UsesCNIfornetworking,commonplumbingusedbymanyotherprojects●Canrundockerimages●WillbefullyOCIcompliantHowrktdoesstandards/compatibilityDistributedTrustedComputingDistributedTrustedComputingStackDistributedTrustedComputingStackrktinternalsmodulararchitectureexecutiondividedintostagesstage0→stage1→stage2●Imagediscoveryandfetching-LocateanddownloadACIandDockerimages●U...
