1. Innovating Out in the Open
Phil Estes, IBM

2. Intro Phil Estes Senior Technical Staff Member
IBM Open Cloud Technologies
@estesp
> Docker core engine maintainer
> Member of “Docker Captains” program
> 10+ years involved in Linux/OSS
> Interests: cloud/containers/Linux
Key upstream accomplishments
> Brought user namespace support to the Docker engine
> Helped design v2.2 image specification with multi-platform support
> Implemented first tool to create multi-platform images in Docker v2.3 registry

3. Open Container Initiative (OCI)
An open governance structure for creating open industry standards: a common container runtime and image format.
A Linux Foundation Collaborative Project
Free from control by any particular vendor’s specific cloud stack or ecosystem
Includes a specification, reference runtime* and now, a specified image format
*seeded with runc + libcontainer by Docker

4. https://github.com/opencontainers
OCI: Specs and Status
> Runtime specification: Release / April 2016
Goal is to reach a 1.0 release by mid-June
Includes required core for containerization on Linux & Windows
> Image format specification: Release / May 2016
Seeded with Docker registry v2.2 specification
Work just beginning in the repository; 0.1 is a “stake in the ground”
Announced June 20th, 2015
Charter signed on December 8th, 2015
46 current member companies
Target of a 1.0 specification (runtime) by June

5. Introduction to `runc`
> runc is a client wrapper around libcontainer
> Libcontainer is the OS level interface for containers
Other platforms and architectures can implement the libcontainer API via their own primitives/system-level container concepts
config.json {
"ociVersion": "0.6.0-dev",
"platform": {
"os": "linux",
"arch": "amd64" },
"process": {
"terminal": true,
"args": [
"sh" ],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/bin”
$ docker run -it --read-only -v /host:/hostpath alpine sh /#

6. Runc In The Wild CloudFoundry Garden OCI implementation
Uses runc as a backend for container execution
Docker 1.11 (and above)
Switched from direct libcontainer API linkage to calling runc as container executor
Uses containerd as a gRPC daemon to disconnect Docker daemon (API/mgmt) from container execution (allows daemon restart in future without container runtime impact)

7. runC: An open innovation platform for containers
INTEREST
Implement low-level container features
Operating system level features should be defined in the OCI runtime specification
New capabilities (PID cgroup controls, checkpoint/restore, seccomp) implemented in runC
OCI compliance/pluggable execution engine
Implement a OS/environment for containers via an OCI spec compliant binary
Examples: runz (Solaris zones), runv (hypervisor-based), Intel Clear Containers
Iterative container configuration test/debug
Simple variant of “Docker-like” containers with less friction for quick modifications
Low bar for dependencies: single binary + physical rootfs bundle + JSON config
INTEREST
INTEREST
Top 10 Contributors to opencontainers/runc
1. Docker 2. OpenVZ 3. Huawei 4. Redhat 5. Google 6. IBM 7. SuSE 8. Pivotal 9. Fujitsu 10. Microsoft

8. What I’m going to show you:
Let’s Demo
What I’m going to show you:
runc
runC binary (in my case, shared with Docker 1.11 installation
github.com/opencontainers/runc
ocitools
Command-line JSON OCI spec generator
github.com/opencontainers/ocitools
riddler
Docker container → JSON OCI spec converter
github.com/jfrazelle/riddler
uidmapshift
Filesystem ownership shift tool for user namespace mappings
netns
Netlink-based bridge networking implemened as an OCI pre-start hook
github.com/jfrazelle/netns

9. OCI Futures Image format specification
Just getting underway
More users and contributed implementations
runC innovations moving into higher level implementations
Checkpoint+restore under consideration for exposure via Docker API
Seccomp, user namespaces, and PID limits are prior examples
What do you plan to do with OCI and/or runC?

10. Questions?
@estesp
github.com/estesp
IRC: estesp
CONTACT INFO