Containers, OCI, CNCF, Magnum, Kuryr, and You!

Jeffrey Borek, Program Director, Open Tech, IBM (@JeffBorek)
Daniel Krook, Senior Software Engineer, IBM (@DanielKrook)
Val Bercovici, Global Cloud CTO, NetApp/SolidFire (@valb00)


What you will learn today

• The benefits and tradeoffs of standalone container technology and its organic, community-based evolution over time

• How containerization fits into OpenStack, and in particular its role in the Magnum and Kuryr projects

• What the container-focused Linux Foundation collaborative projects aim to achieve
  • Open Container Initiative: opencontainers.org
  • Cloud Native Computing Foundation: cncf.io

• How OCI and CNCF container standardization affects OpenStack

Our background is in open source and open standards

Jeffrey Borek
• IBM representative to the OCI & CNCF, Chair of Docker Governance Advisory Board
• WW Program Director, Open Technologies and Partnerships, Cloud Computing
• @JeffBorek

Daniel Krook
• Customer advocate for open technologies adoption (OpenStack, Cloud Foundry, Docker)
• Senior Software Engineer, Cloud and Open Source Technologies, IBM
• @DanielKrook

Val Bercovici
• Governing Boards SNIA SSSI, CDMI, LF CNCF
• Global Cloud CTO, NetApp/SolidFire
• @valb00

Container technology today enables greater density, faster startup, and more consistent packaging of applications

Containers provide isolation for processes sharing compute, networking, and storage resources on a host system. They are logically similar to virtualized machine instances but share the host kernel and avoid hardware emulation.

Applications can be packaged with all the additional dependencies that they need, above what is provided by the host. This makes them efficient to run and easy to move from host to host, and enables more granular control of applications.

There are tradeoffs and drawbacks, however, including isolation (a container shares the host kernel; a VM does not). Consider the analogy of buying a house (VM) versus renting an apartment (container).

Diagram source: Exploring Opportunities: Containers and OpenStack
Diagram label: Abstractions required for VMs, not used by containers
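The "shared kernel, separate namespaces" point above is easy to check on a live system. The following Python helper is an added example, not code from the slides: it reads the namespace identifiers the Linux kernel exposes under `/proc/<pid>/ns/` and reports which of them a process shares with PID 1. The list of namespace types and the set a container is "expected" to own are this example's own assumptions; the sample identifier values are constructed so the functions can be exercised offline.

```python
"""Report which Linux namespaces a process shares with PID 1 (added example)."""
import os
from typing import Dict, List

# Namespace types exposed under /proc/<pid>/ns/ on a modern Linux kernel (assumed list).
NAMESPACE_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# Namespaces a container runtime normally gives each container (this example's policy).
EXPECTED_SEPARATE = ("ipc", "mnt", "net", "pid", "uts")


def read_namespace_ids(pid: int) -> Dict[str, str]:
    """Return {namespace type: link target} for a live process.

    The kernel renders /proc/<pid>/ns/<type> as a symlink such as
    'net:[4026531992]'; two processes are in the same namespace exactly when
    the link targets match. Types the kernel does not support are skipped.
    """
    ids: Dict[str, str] = {}
    for ns in NAMESPACE_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return ids


def shared_namespaces(proc: Dict[str, str], ref: Dict[str, str]) -> List[str]:
    """Namespace types in which both processes carry the same identifier."""
    return sorted(ns for ns in proc if ns in ref and proc[ns] == ref[ns])


def isolation_report(proc: Dict[str, str], ref: Dict[str, str]) -> Dict[str, object]:
    """Summarise how isolated `proc` is relative to `ref` (normally PID 1).

    `missing` lists namespaces a container is expected to own but which are
    still shared with the reference process; a container launched with host
    networking, for instance, shows 'net' there.
    """
    shared = shared_namespaces(proc, ref)
    separate = sorted(ns for ns in proc if ns in ref and ns not in shared)
    missing = [ns for ns in EXPECTED_SEPARATE if ns in shared]
    return {
        "shared": shared,
        "separate": separate,
        "missing": missing,
        "looks_containerised": bool(separate) and not missing,
    }


# Constructed sample identifiers (not read from a real system) for offline use.
SAMPLE_HOST = {
    "cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
    "pid": "pid:[4026531836]", "user": "user:[4026531837]", "uts": "uts:[4026531838]",
}
# A typical container: own ipc/mnt/net/pid/uts, but still the host's user namespace.
SAMPLE_CONTAINER = dict(
    SAMPLE_HOST, ipc="ipc:[4026532201]", mnt="mnt:[4026532199]",
    net="net:[4026532204]", pid="pid:[4026532202]", uts="uts:[4026532200]",
)
# The same container started with host networking: the net namespace is shared again.
SAMPLE_HOST_NET = dict(SAMPLE_CONTAINER, net=SAMPLE_HOST["net"])


if __name__ == "__main__":
    # Compare the current process with PID 1 on the machine this runs on.
    report = isolation_report(read_namespace_ids(os.getpid()), read_namespace_ids(1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run inside a container and `separate` should list at least pid, mnt, net, ipc and uts; run on the host it is empty. A shared `user` namespace is the common case with 2016-era runtimes and is exactly why "root in the container" still maps to host uid 0 unless user namespaces are enabled.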

Containers are not new. Many organic innovations from many independent organizations have brought them where we are today.

• 2000, Jails: FreeBSD Jails expand on Unix chroot to isolate files
• 2001, VServer: Linux-VServer ports kernel isolation, but requires recompilation
• 2004, Zones: Solaris Zones bring the concept of snapshots
• 2006, cgroups: Google introduces Process Containers, merged as cgroups
• 2008, Namespaces: Red Hat adds user namespaces, limiting root access in containers
• 2008, LXC: IBM creates LXC, providing user tools for cgroups and namespaces
• 2013, Docker: Docker provides simple user tools and images. Containers go mainstream

Several OpenStack projects leverage containers to more efficiently use resources, deploy faster, and package services more consistently

• Nova: a Docker hypervisor driver for Nova Compute to treat containers and images as the same type of resource as virtual machines.

• Heat: a plugin template for orchestrating Docker resources on top of OpenStack resources. Allows access to the full Docker API.

• Kolla: containerizes the OpenStack control services themselves as microservices to simplify the operational experience.

• Murano: provides an application catalog of containerized applications that can be deployed to an OpenStack cloud.

• Magnum: provides an API to manage multi-tenant Containers-as-a-Service leveraging Heat, Nova, and Neutron.

• Kuryr: brings the Neutron networking model to containers, providing consistency between bare metal, virtual machines, and containers.

OpenStack is above all an integration engine, bringing various technologies together through common APIs. Therefore, containers have naturally been plugged into several existing projects and will find their way into other areas as well.

Magnum provides APIs and tenant isolation for Container Orchestration Engines

• Complete management for containers within OpenStack
  • Orchestrates the underlying host machines with Heat
  • Implements multi-tenancy of separate clusters through Keystone
  • Provides multi-host networking with Neutron

• Supports several Container Orchestration Engines (COE)
  • Docker Swarm
  • Google Kubernetes
  • Apache Mesos

• Allows direct access to native container APIs
  • Docker CLI clients can access hosts and containers
  • The Kubernetes client can also directly manage pods, services, etc.

Magnum builds on several other mature OpenStack projects

Diagram: Magnum components
Diagram source: Exploring Opportunities: Containers and OpenStack

Kuryr connects Docker and Kubernetes networks to OpenStack

• Kuryr provides networking to Docker containers by leveraging the Neutron APIs and services. It also provides containerized images for common Neutron plugins.

• Kuryr should address Magnum project use cases in terms of container networking and serve as a unified interface for Magnum or any other OpenStack project that needs to leverage container networking through the Neutron API.

• Kuryr also builds on mature OpenStack projects
  • Keystone for authentication
  • Neutron client
  • Oslo libraries

Diagram components: Docker Engine, libnetwork, Kuryr, Neutron

Introducing the Linux Foundation Open Container Initiative (OCI)

A single, open container specification:

• Not bound to higher-level constructs such as a particular client or orchestration stack

• Not tightly associated with any particular commercial vendor or project

• Portable across a wide variety of operating systems, hardware, CPU architectures, public clouds, etc.

The OCI is a lightweight, open governance structure for the express purpose of creating open industry standards around container formats and runtime.

Announced June 22, 2015

opencontainers.org

The OCI aims to meld ecosystems towards an open standard

• Users should be able to package their application once and have it work with any container runtime

• The standard should fulfill the requirements of the most rigorous security and production environments

• The standard should be vendor neutral and developed in the open

The OCI governs a container specification and an implementation

• Open Container Runtime Spec
  • Docker container runtime implementation: runC (formerly libcontainer)
  • CoreOS runtime implementation: appC (formerly Rocket)

github.com/opencontainers

Diagram: spec and implementation updated in concert; community innovation from the Open Container Initiative ecosystem driven into the spec
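The runtime spec the OCI governs describes a container as a `config.json` bundle that runC consumes, and the isolation a container actually gets is whatever that file asks for. The following linter is an added example, not code from the slides, from runC or from the OCI project. It assumes the field names of the OCI Runtime Specification as implemented by runC (`process.user`, `process.capabilities.bounding`, `root.readonly`, `linux.namespaces`); the policy it applies (which namespaces must be private, which capabilities are flagged) is this example's own assumption, not an OCI requirement. Both sample configs are constructed.

```python
"""Flag weak isolation settings in an OCI runtime config.json (added example)."""
import json
from typing import Any, Dict, List

# Namespaces a container should own rather than share with the host (assumed policy).
REQUIRED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}

# Capabilities that let a process reconfigure or escape the host (assumed policy).
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"}


def lint_runtime_config(config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings: List[str] = []

    # 1. Namespaces: each entry is {"type": <name>} plus an optional "path".
    #    A "path" means the container joins an existing namespace (e.g. the host's).
    ns_entries = config.get("linux", {}).get("namespaces", [])
    owned = {ns["type"] for ns in ns_entries if "path" not in ns}
    for missing in sorted(REQUIRED_NAMESPACES - owned):
        findings.append(f"namespace '{missing}' is not private to the container")
    if "user" not in owned:
        findings.append("no user namespace: container root maps to host root")

    # 2. Process identity and capability bounding set.
    process = config.get("process", {})
    if process.get("user", {}).get("uid", 0) == 0:
        findings.append("process runs as uid 0")
    bounding = set(process.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"dangerous capability in bounding set: {cap}")

    # 3. Root filesystem writability.
    if not config.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")

    return findings


def lint_runtime_config_json(text: str) -> List[str]:
    """Same check, starting from the JSON text of a config.json."""
    return lint_runtime_config(json.loads(text))


# Constructed sample: a permissive config of the kind a "privileged" launch produces.
WEAK_CONFIG = {
    "ociVersion": "1.0.0",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["sh"],
        "capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"]},
    },
    "root": {"path": "rootfs", "readonly": False},
    "linux": {
        "namespaces": [
            {"type": "pid"},
            {"type": "mount"},
            {"type": "network", "path": "/proc/1/ns/net"},  # joins the host network
            {"type": "ipc"},
            {"type": "uts"},
        ]
    },
}

# Constructed sample: the same workload with the settings tightened.
HARDENED_CONFIG = {
    "ociVersion": "1.0.0",
    "process": {
        "user": {"uid": 1000, "gid": 1000},
        "args": ["sh"],
        "capabilities": {"bounding": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"]},
    },
    "root": {"path": "rootfs", "readonly": True},
    "linux": {
        "namespaces": [{"type": t} for t in ("pid", "mount", "network", "ipc", "uts", "user")],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    },
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_runtime_config_json(json.dumps(cfg)) or ["no findings"])
```

Because the spec is a plain JSON document, a check like this can run as an admission step in whatever launches containers (Magnum's COE, a CI pipeline, or a runC wrapper) before the bundle reaches the runtime, which is the practical benefit of a vendor-neutral format: the policy does not depend on which runtime implements the spec.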

Open Image Format Spec

Good News!

• Open Specification for Container Image
• Starting with Docker v2.2
• Announced April 14, 2016
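The image format the OCI adopted, starting from the Docker v2.2 manifest, is content-addressable: a manifest names its config and layers by digest, so a consumer can verify every blob it pulls. The following verifier is an added example, not code from the slides or from the Docker or OCI projects. It assumes the schema 2 manifest layout (`schemaVersion: 2`, a `config` descriptor and a list of `layers`, each descriptor carrying `mediaType`, `size` and a `digest` of the form `sha256:<hex>`); the sample config and layer blobs are constructed in memory so the check runs offline.

```python
"""Verify digests in a Docker v2.2 / OCI-style image manifest (added example)."""
import hashlib
import json
from typing import Dict, List, Tuple


def sha256_digest(blob: bytes) -> str:
    """Digest string in the descriptor form 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def verify_descriptor(desc: Dict, blob: bytes) -> List[str]:
    """Problems found for one descriptor against its blob (empty list = OK)."""
    problems: List[str] = []
    algo, _, expected = desc["digest"].partition(":")
    if algo != "sha256":
        problems.append(f"unsupported digest algorithm {algo!r}")
        return problems
    if hashlib.sha256(blob).hexdigest() != expected:
        problems.append(f"digest mismatch for {desc['digest']}")
    if desc.get("size") != len(blob):
        problems.append(f"size mismatch for {desc['digest']}: declared {desc.get('size')}, actual {len(blob)}")
    return problems


def verify_manifest(manifest_text: str, blobs: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Check every descriptor in the manifest against a blob store.

    `blobs` maps digest string -> bytes, like a registry blob store or the
    blobs/sha256/ directory of an on-disk image layout.
    """
    manifest = json.loads(manifest_text)
    problems: List[str] = []
    if manifest.get("schemaVersion") != 2:
        return False, ["not a schema 2 manifest"]
    for desc in [manifest["config"], *manifest.get("layers", [])]:
        blob = blobs.get(desc["digest"])
        if blob is None:
            problems.append(f"missing blob {desc['digest']}")
            continue
        problems.extend(verify_descriptor(desc, blob))
    return not problems, problems


def build_manifest(config: bytes, layers: List[bytes]) -> Tuple[str, Dict[str, bytes]]:
    """Build a constructed manifest and matching blob store from raw bytes."""
    def descriptor(media_type: str, blob: bytes) -> Dict:
        return {"mediaType": media_type, "size": len(blob), "digest": sha256_digest(blob)}

    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": descriptor("application/vnd.docker.container.image.v1+json", config),
        "layers": [descriptor("application/vnd.docker.image.rootfs.diff.tar.gzip", layer)
                   for layer in layers],
    }
    blobs = {sha256_digest(b): b for b in [config, *layers]}
    return json.dumps(manifest, indent=2), blobs


# Constructed sample image: a config blob and two stand-in "layers" (real ones are tar.gz).
SAMPLE_CONFIG = b'{"architecture":"amd64","os":"linux","config":{"Cmd":["/bin/sh"]}}'
SAMPLE_LAYERS = [b"layer-0: base filesystem (constructed)", b"layer-1: application files (constructed)"]
SAMPLE_MANIFEST, SAMPLE_BLOBS = build_manifest(SAMPLE_CONFIG, SAMPLE_LAYERS)


def tampered_blobs() -> Dict[str, bytes]:
    """Blob store in which layer 1 was altered after the manifest was produced."""
    blobs = dict(SAMPLE_BLOBS)
    blobs[sha256_digest(SAMPLE_LAYERS[1])] = b"layer-1: application files (MODIFIED)"
    return blobs


if __name__ == "__main__":
    print("intact:", verify_manifest(SAMPLE_MANIFEST, SAMPLE_BLOBS))
    print("tampered:", verify_manifest(SAMPLE_MANIFEST, tampered_blobs()))
```

The same property is what lets a manifest be pinned by its own digest (`image@sha256:…`) rather than by a mutable tag: once the manifest digest is fixed, every layer beneath it is fixed too, and a substituted blob fails the check regardless of which registry or runtime served it.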

Introducing the Cloud Native Computing Foundation (CNCF)

• Container packaged: in order to improve the overall developer experience, foster code reuse and simplify operations

• Dynamically managed: actively scheduled and managed by a central orchestrating process to radically improve machine efficiency

• Micro-services oriented: loosely coupled with dependencies explicitly described through service endpoints for overall agility and maintainability of applications

The CNCF plans to create and drive the adoption of a new set of common container technologies, driven and informed by technical merit and end user value, inspired by Internet-scale computing

Announced July 21, 2015

cncf.io

CNCF: Supporting companies and initial high-level architecture

Just as the OCI targets container image portability, the CNCF targets cloud application portability…

CNCF: Incubation projects

Seed project: Kubernetes

Reported by the press for possible future inclusion:

bit.ly/k8s-cncf

“The acceptance of Kubernetes is a first step in establishing the CNCF as an organization that supports leading cloud native projects of production quality, but this is just the start. The future of cloud native will involve many projects and use cases, which we look forward to advancing.”

Keep an eye on developments in these areas as you formulate your organization's containerization strategy. Please get involved to ensure standards reflect your own usage scenarios.

Container technology has evolved over the last 16 years with contributions from many organizations. It will continue to do so with greater collaboration and governance through the Open Container Initiative and the Cloud Native Computing Foundation.

Containerization is used throughout OpenStack in Nova, Heat, Kolla, Murano and other big tent projects…

…but Magnum and Kuryr will be the most impacted by standards given the exposure of COE native APIs (Kubernetes, Swarm, Mesos) and separately governed container standards.

The OpenStack Foundation provides governance over Infrastructure-as-a-Service (compute, network, and storage) APIs. The OCI and the CNCF will provide governance of container formats and standardize orchestration engine technologies.

Online resources

• The OpenStack Magnum wiki: bit.ly/mgm-wiki
• OpenStack Magnum midcycle meetup presentation: bit.ly/mgnm-mid
• Austin Summit videos, with Kuryr deep dives: bit.ly/aus-videos
• Exploring Opportunities: Containers and OpenStack whitepaper: bit.ly/ctrs-os
• The Docker and Container Ecosystem, TheNewStack publication: bit.ly/tns-ctrs
• Open Containers Initiative web site: opencontainers.org
• Cloud Native Computing Foundation web site: cncf.io
• The history of containers, Red Hat EL blog post: bit.ly/rh-ctrs
• Moments in container history, Pivotal infographic: bit.ly/pvt-ctrs