Innovating Out in the Open Phil Estes, IBM <estesp@us.ibm.com> Twitter/IRC: @estesp

Intro Phil Estes Senior Technical Staff Member IBM Open Cloud Technologies @estesp > Docker core engine maintainer > Member of “Docker Captains” program > 10+ years involved in Linux/OSS > Interests: cloud/containers/Linux Key upstream accomplishments > Brought user namespace support to the Docker engine > Helped design v2.2 image specification with multi-platform support > Implemented first tool to create multi-platform images in Docker v2.3 registry

Open Container Initiative (OCI) An open governance structure for creating open industry standards: a common container runtime and image format. A Linux Foundation Collaborative Project Free from control by any particular vendor’s specific cloud stack or ecosystem Includes a specification, reference runtime* and now, a specified image format *seeded with runc + libcontainer by Docker

https://github.com/opencontainers OCI: Specs and Status > Runtime specification: Release 0.5.0 / April 2016 https://github.com/opencontainers/runtime-spec/releases/tag/v0.5.0 Goal is to reach a 1.0 release by mid-June Includes required core for containerization on Linux & Windows > Image format specification: Release 0.1.0 / May 2016 https://github.com/opencontainers/image-spec/releases/tag/v0.1.0 Seeded with Docker registry v2.2 specification Work just beginning in the repository; 0.1 is a “stake in the ground” Announced June 20th, 2015 Charter signed on December 8th, 2015 46 current member companies Target of a 1.0 specification (runtime) by June https://opencontainers.org https://github.com/opencontainers

Introduction to `runc` > runc is a client wrapper around libcontainer > Libcontainer is the OS level interface for containers Other platforms and architectures can implement the libcontainer API via their own primitives/system-level container concepts config.json { "ociVersion": "0.6.0-dev", "platform": { "os": "linux", "arch": "amd64" }, "process": { "terminal": true, "args": [ "sh" ], "env": [ "PATH=/usr/local/sbin:/usr/local/bin:/bin” $ docker run -it --read-only -v /host:/hostpath alpine sh /#

Runc In The Wild CloudFoundry Garden OCI implementation https://github.com/cloudfoundry-incubator/guardian Uses runc as a backend for container execution Docker 1.11 (and above) Switched from direct libcontainer API linkage to calling runc as container executor Uses containerd as a gRPC daemon to disconnect Docker daemon (API/mgmt) from container execution (allows daemon restart in future without container runtime impact)

runC: An open innovation platform for containers INTEREST Implement low-level container features Operating system level features should be defined in the OCI runtime specification New capabilities (PID cgroup controls, checkpoint/restore, seccomp) implemented in runC OCI compliance/pluggable execution engine Implement a OS/environment for containers via an OCI spec compliant binary Examples: runz (Solaris zones), runv (hypervisor-based), Intel Clear Containers Iterative container configuration test/debug Simple variant of “Docker-like” containers with less friction for quick modifications Low bar for dependencies: single binary + physical rootfs bundle + JSON config INTEREST INTEREST Top 10 Contributors to opencontainers/runc 1. Docker 2. OpenVZ 3. Huawei 4. Redhat 5. Google 6. IBM 7. SuSE 8. Pivotal 9. Fujitsu 10. Microsoft

What I’m going to show you: Let’s Demo What I’m going to show you: runc runC binary (in my case, shared with Docker 1.11 installation github.com/opencontainers/runc ocitools Command-line JSON OCI spec generator github.com/opencontainers/ocitools riddler Docker container → JSON OCI spec converter github.com/jfrazelle/riddler uidmapshift Filesystem ownership shift tool for user namespace mappings http://bazaar.launchpad.net/~serge-hallyn/+junk/nsexec/view/head:/uidmapshift.c netns Netlink-based bridge networking implemened as an OCI pre-start hook github.com/jfrazelle/netns

OCI Futures Image format specification Just getting underway More users and contributed implementations runC innovations moving into higher level implementations Checkpoint+restore under consideration for exposure via Docker API Seccomp, user namespaces, and PID limits are prior examples What do you plan to do with OCI and/or runC?

Questions? @estesp github.com/estesp estesp@gmail.com http://integratedcode.us IRC: estesp CONTACT INFO