Virtualization Redefined: Embedded virtualization through CGE7 and Docker. Paul Farmer Technical Solutions Engineering Manager MontaVista Software


Setting the Stage
Docker is a leading new container-based technology that offers a more efficient and lightweight approach to application deployment. Using it together with CGE7 creates a powerful solution for key use cases in the datacenter and in networking in general. This presentation focuses on introducing Docker interoperation with CGE7.

Agenda
– Virtualization Technologies
– Performance Benchmarks
– Use Cases
– Docker Advantages
– CGE7 Advantages
– Summary
– Q&A

Virtualization Technologies

History of Virtualization Technologies
– Hypervisor on CP-40 and CP-67 from IBM
– chroot
– Virtualization with bare-metal performance from MontaVista
– VMware Workstation
– ESX Server from VMware
– Virtual Server from Microsoft
– OpenVZ
– Solaris Containers
– LXC
– KVM
– CGE & Virtual Resource Manager from MontaVista
– Deterministic KVM from MontaVista
– Docker
– CGE7 from MontaVista
– Xen & QEMU
– Hypervisor on UNIX from IBM
– Java

Complexity of Virtualization Technologies
(Chart of complexity over time) OS Emulation, HW Emulation, HW Simulation, Application Protection (MMU), CPU Virtualization (VT-x), Device Virtualization (VT-d), Containers

Virtualization Technologies
Containers are lightweight:
– share the host OS kernel
– share the host OS root filesystem wherever appropriate

Virtualization Technologies
Docker provides unified access to
– Linux container technology (cgroups, namespaces)
– various container implementations (lxc, libvirt, libcontainer, etc.)
‘libcontainer’ is Docker’s own implementation of container technology

Virtualization Technologies Docker – Underlying Technology

Performance Benchmarks

I/O Performance

IBM Research Report July, 2014

Real-time Latency
Cyclictest on an Intel Ivy Bridge-based 4-core CPU with hyper-threading (8 logical cores), each at 2.2 GHz, 8 GB RAM

Math Performance IBM Research Report July, 2014

Random Access Performance IBM Research Report July, 2014

Security of Docker Containers

How secure are Docker containers?
Intrinsic security of containers
– Depends on the kernel namespaces and cgroups features
– The code base has been around for more than 6 years
Attack surface of the Docker daemon
– Currently the Docker daemon requires root privileges, so care is needed
– Solution: two additional security improvements
  – Map the root user of a container to a non-root user of the Docker host, to mitigate the effects of a container-to-host privilege escalation
  – Allow the Docker daemon to run without root privileges
"Hardening" security features of the kernel
– Linux kernel capabilities
– Kernel with grsecurity and PaX
– Linux Security Modules

Security in CGE7
Standards conformance
– CGL 5.0, STIG 2.0, USGv6, OSPP
“Hardening” security features of the kernel
– PaX, Linux capabilities, SELinux, etc.
CVE - Common Vulnerabilities and Exposures
Wide deployment

Use Cases

Platform-as-a-Service (PaaS) Cloud

Containers-Based Multi-Tenancy in the Cloud

Bundling/Consolidating HW+SW Configurations in Network Servers
Consolidate certain legacy applications all on the same platform
Bundle HW plugin and SW plugin components with automatic configuration:
– Launch a Docker image automatically based on hot-plugging of certain HW

Migration Between Legacy Virtualization and Containers
Move applications dynamically between KVM hypervisor-based virtual machines and Docker-based containers, so that an application can be contained in either domain.

Cloud RAN

Docker Advantages

Portability across machines
– A container-based virtualization solution suitable for dynamic multi-node cloud deployments
– Live migration capabilities
Security and isolation of services and applications
– Comply with legal or contractual obligations to isolate an application
– Prevent flawed applications from compromising the rest of the system
Limit resource usage
– Get higher density and run more workloads
Application-centric: easy and fast removal and addition

Docker Advantages
Copy-on-write mechanism
– Every instance of your Docker image uses the same files until one of them needs to change a file
– Better utilization of system memory
– Higher density of containers for a given resource than other container implementations
Version control
Container repository
Component reuse
– Reduces the cycle time of development, testing and deployment
– Easy to deploy PaaS-type solutions
Active community

Docker Security
If you really have to give root, give looks-like-root; if that’s not enough, give root but build another wall
Don’t run regular applications as root
– Remove SUID binaries or the SUID bit; mount filesystems with nosuid
– Limit available syscalls (seccomp-bpf: whitelist/blacklist syscalls)
– SELinux (assign different security contexts to containers)
System services do not all have to run as root
– Whitelist/blacklist devices
– Prevent unauthorized access (AppArmor, SELinux)
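As an added example (not part of the deck or of MontaVista's or Docker's software), the checklist from this slide and from the earlier "How secure are Docker containers?" slide turned into an audit over a container's `docker inspect` record; the field names are those of `docker inspect` output, and the two sample records are constructed by hand.

```python
# Hardening audit over a `docker inspect` record (added example, not Docker or
# MontaVista code); field names follow `docker inspect`, samples are constructed.
NNP_OK = ("no-new-privileges", "no-new-privileges:true", "no-new-privileges=true")

def audit_container(record):
    """Return findings for one inspect record; an empty list means all checks pass."""
    cfg, host = record.get("Config", {}), record.get("HostConfig", {})
    opts = host.get("SecurityOpt") or []
    findings = []
    # Slide: don't run regular applications as root (USER in the image, or
    # daemon userns-remap so in-container root is an unprivileged host uid)
    if (cfg.get("User") or "root").split(":")[0] in ("root", "0"):
        findings.append("runs as root: set USER or enable daemon userns-remap")
    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and all host devices")
    # Slide: capabilities as a whitelist, not the inherited default set
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not reduced: --cap-drop=ALL then --cap-add")
    # Slide: limit syscalls with seccomp-bpf; keep the LSM context on the container
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled: no syscall whitelist in force")
    if "label=disable" in opts or "apparmor=unconfined" in opts:
        findings.append("SELinux/AppArmor confinement disabled")
    # Slide: remove the SUID path; no-new-privileges blocks setuid escalation,
    # nosuid on writable mounts blocks planted SUID binaries
    if not any(o in NNP_OK for o in opts):
        findings.append("no-new-privileges unset: SUID binaries can still escalate")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: prefer --read-only plus tmpfs")
    for path, mount_opts in (host.get("Tmpfs") or {}).items():
        if "nosuid" not in mount_opts.split(","):
            findings.append("tmpfs %s mounted without nosuid" % path)
    # Slide: whitelist devices; 'm' (mknod) lets the container mint new device nodes
    for dev in host.get("Devices") or []:
        if "m" in dev.get("CgroupPermissions", ""):
            findings.append("device %s allows mknod" % dev.get("PathOnHost"))
    return findings

# Constructed sample records in `docker inspect` shape (not real captures).
WEAK = {"Config": {"User": ""}, "HostConfig": {
    "Privileged": True, "CapDrop": [], "SecurityOpt": ["seccomp=unconfined"],
    "ReadonlyRootfs": False, "Tmpfs": {"/tmp": "rw,exec"},
    "Devices": [{"PathOnHost": "/dev/sda", "CgroupPermissions": "rwm"}]}}
HARDENED = {"Config": {"User": "1000:1000"}, "HostConfig": {
    "Privileged": False, "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
    "SecurityOpt": ["no-new-privileges", "label=level:s0:c100,c200"],
    "ReadonlyRootfs": True, "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"},
    "Devices": [{"PathOnHost": "/dev/net/tun", "CgroupPermissions": "rw"}]}}
```

Feed it the `json.load`ed output of `docker inspect <container>`; each finding names the slide control that is missing.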

CGE7 Advantages

Virtualization in CGE7
Virtualization in CGE7 offers the best combination of flexibility, performance and ease of application development:
1. KVM hypervisor: full virtualization with paravirtualization options
2. Linux containers: operating system resource virtualization (lxc, Docker)
3. Core isolation

Multicore I/O Symmetry Intel Multiprocessor Specification Version 1.4

“Carrier Grade Docker” Advantages
Combining Docker with an embedded, carrier-grade distribution such as CGE7 offers several advantages over plain desktop distributions:
– 100% native Linux with real-time performance features including hrtimers, core isolation and other enhancements
– Support for various virtualization technologies: you can choose the right virtualization technology for the right problem
– Long-term commercial support options with customizable models for different use cases
– The same advantages extend to cloud components like OpenStack: full use-case support using a single baseline

Multi-Architecture Support for Docker
A true multi-architecture platform with ARM64 support exists today in embedded baselines (like MV CGE7)
– Enables Docker on all these architectures
The best approach is to align with community development
– Linaro Networking Group (LNG)
– GNU GCC (4.9+) with Go support (gccgo)
Support on a single carrier-grade baseline provides the best stability and deployability in the field

Summary

Which Virtualization Solution Do You Choose?
– Performance requirements?
– Functionality and ease of use?
– How much legacy content do you want to preserve?

Questions?

Backup / rough slides

Performance Benchmarks
Host vs. Docker vs. KVM: real-time latency, network performance, process-related latency, file-system performance

1. Real-time Latency Cyclictest

2. Network Performance netperf

3. Process Creation lat_proc (lmbench)

4. Page Fault lat_pagefault (lmbench)

5. File-system Read Performance IOzone

6. File-system Write Performance IOzone