openshift in action
Cloud Guy @ Red Hat
We've only got 15 minutes, so we ain't time for no stinkin' agenda!
TBH, we ain't even got time for OpenShift!
I've been at Red Hat for 5 years
My daughter Elizabeth.
Container managers/engines (like docker) are applications that manage a set of tools that have existed within Linux for a long time to better isolate your applications. Tools like...
Let's containerize all of the things!
oh! i almost forgot...
But what does that actually mean?
mandatory container ship pic
now that that's out of the way... let's go!
Kernel Control Groups (cgroups) allow sysadmins to have fine-grained control of the resources available to an application, user or group.
You can control access to system memory, CPU time, network access, and block devices.
In RHEL 7, cgroups are tightly integrated into systemd
No, it's not just that thing you disable automatically.
SELinux is a kernel feature that allows for Mandatory Access Control within a Linux system.
Kernel namespaces are the hardest concept to grasp when talking about containers. To users, they provide most of what we think of as 'isolation' to an application running in a container. We are concerned with 5 namespaces:
putting it all together
SELinux for Mandatory Access Control.
CGroups for resource limits
mount namespace so each container gets its own mountpoints.
uts namespace so each container can have its own domainname and hostname
network namespace gives each container its own network stack
IPC namespace so each container has its own inter-process communication resources (shared memory, semaphores, message queues)
PID namespace so each container gets its own PID counter
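To make the "putting it all together" list concrete, here is an added example (not from the talk) that checks how isolated a process actually is using the three kernel facilities above: it compares the process's namespace inodes from /proc/<pid>/ns/* against the host's, reads its cgroup membership from /proc/<pid>/cgroup, and pulls the MCS categories out of its SELinux label. All sample values (namespace inodes, cgroup paths, the label) are constructed to look like what a container runtime on RHEL 7 produces; on a live system you would read the real files instead.

```python
"""Audit a Linux process's isolation: namespaces, cgroups and SELinux label.

Added example, not from the talk. Every sample value below is constructed;
replace the dictionaries/strings with os.readlink('/proc/<pid>/ns/<name>'),
open('/proc/<pid>/cgroup').read() and open('/proc/<pid>/attr/current').read()
on a real host.
"""
import re

# The five namespaces the slides list, keyed by their /proc/<pid>/ns entry names.
NAMESPACES = ("mnt", "uts", "net", "ipc", "pid")

# Constructed: readlink() results for PID 1 (the host's init)...
HOST_NS = {
    "mnt": "mnt:[4026531840]",
    "uts": "uts:[4026531838]",
    "net": "net:[4026531956]",
    "ipc": "ipc:[4026531839]",
    "pid": "pid:[4026531836]",
}
# ...and for a process inside a container: every inode differs from the host's.
CONTAINER_NS = {
    "mnt": "mnt:[4026532428]",
    "uts": "uts:[4026532429]",
    "net": "net:[4026532432]",
    "ipc": "ipc:[4026532430]",
    "pid": "pid:[4026532431]",
}
# Constructed: a container started with host networking keeps the host's net namespace.
HOSTNET_NS = dict(CONTAINER_NS, net=HOST_NS["net"])

NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def ns_inode(link):
    """Parse a namespace link such as 'pid:[4026531836]' into its inode number."""
    m = NS_LINK.match(link)
    if not m:
        raise ValueError("not a namespace link: %r" % link)
    return int(m.group("inode"))


def shared_namespaces(proc_ns, host_ns):
    """Namespaces the process shares with the host, i.e. where it is NOT isolated."""
    return [ns for ns in NAMESPACES if ns_inode(proc_ns[ns]) == ns_inode(host_ns[ns])]


# Constructed: /proc/<pid>/cgroup in the cgroup v1 layout used on RHEL 7.
CONTAINER_CGROUP = """\
11:memory:/system.slice/docker-3f2a.scope
10:cpu,cpuacct:/system.slice/docker-3f2a.scope
9:net_cls:/
1:name=systemd:/system.slice/docker-3f2a.scope
"""


def cgroup_paths(text):
    """Parse 'hierarchy:controllers:path' lines into {controller: cgroup path}."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, controllers, path = line.split(":", 2)
        for ctl in controllers.split(","):
            out[ctl] = path
    return out


def unconfined_controllers(text, wanted=("memory", "cpu")):
    """Controllers for which the process sits in the root cgroup (no limit applied)."""
    paths = cgroup_paths(text)
    return [c for c in wanted if paths.get(c, "/") == "/"]


# Constructed SELinux label of a container process (svirt_lxc_net_t is the RHEL 7
# container type). The MCS categories c123,c456 are what keep one container's
# processes and files apart from another container's.
SELINUX_LABEL = "system_u:system_r:svirt_lxc_net_t:s0:c123,c456"


def selinux_categories(label):
    """Return the set of MCS categories in a label; empty if the label has none."""
    parts = label.strip().split(":")
    if len(parts) < 5:
        return set()
    return set(parts[4].split(","))


def isolation_report(proc_ns, cgroup_text, label, host_ns=HOST_NS):
    """Summarise the three isolation mechanisms for one process."""
    return {
        "shared_namespaces": shared_namespaces(proc_ns, host_ns),
        "unconfined_controllers": unconfined_controllers(cgroup_text),
        "selinux_type": label.strip().split(":")[2],
        "mcs_categories": selinux_categories(label),
    }


if __name__ == "__main__":
    print(isolation_report(CONTAINER_NS, CONTAINER_CGROUP, SELINUX_LABEL))
    print(isolation_report(HOSTNET_NS, CONTAINER_CGROUP, SELINUX_LABEL))
```

The report for the fully isolated process lists no shared namespaces and no unconfined controllers; the host-networking variant flags `net` as shared, which is exactly the kind of drift from "all five namespaces" that is worth surfacing when reviewing how workloads are run.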
modern linux containers
...so give me a product already!
this docker thing
We are talking about docker, not Docker. That is important.
docker is open-source, and the code it largely consists of (runc / libcontainer) has been donated to the Open Container Initiative.
docker is the standard container engine for RHEL 7 and all of its downstream distros
Docker, Inc. is a company on the West Coast that is in Round E of venture funding to the tune of ~$185M. They have created a set of proprietary tools around docker that they sell.
The whale's name is Moby Dock.
Container Orchestration Manager
Project started by Google
Red Hat is the biggest contributor outside of Google
Allows multiple hosts running docker to be clustered together to serve highly available and scalable workloads
is built into Atomic Host by default
the de facto standard for container orchestration in IT
It has a pretty amazing scheduler cooked right in
Enterprise-grade implementation of docker/k8s
Extended with features and workflows that don't exist (and often won't exist) in 'raw' kubernetes
Might be a little opinionated...
that's all well and good. but...
what does that mean for you?
The answer? Anything. Everything. Maybe a whole new thing.
Running jobs in a container may not be as hard as you think it would be... (remember, some people say I'm an expert)
It's all about getting the most out of every piece of hardware.
It's about getting the most work out of every line of code we all have to write.
RHEL Blog - User Namespaces
RHEL 7 Resource Guide
RHEL 7 SELinux Guide
Atomic Host - Getting Started Guide
SECCOMP - Definition and Further Documentation
OpenShift in Action - SC '16
By Jamie Duncan