openshift in action

Jamie Duncan
Cloud Guy @ Red Hat
jduncan@redhat.com
@jamieeduncan


SuperCompute '16

agenda

We've only got 15 minutes, so we ain't got time for no stinkin' agenda!

TBH, we ain't even got time for OpenShift!

about jduncan

I've been at Red Hat for 5 years

My daughter Elizabeth.
#cutestthingever

#truth

containers defined

Container managers/engines (like docker) are applications that manage a set of tools that have existed within Linux for a long time to better isolate your applications. Tools like...

SELinux

CGroups

Kernel namespaces

Let's containerize all of the things!

oh! i almost forgot...

But what does that actually mean?

mandatory container ship pic

now that that's out of the way... let's go!

cgroups

Kernel Control Groups (cgroups) allow sysadmins fine-grained control over the resources available to an application, user or group.

You can control access to system memory, CPU time, network access, and block devices.

In RHEL 7, cgroups are tightly integrated into systemd.

selinux

No, it's not just that thing you disable automatically.

SELinux is a kernel feature that allows for Mandatory Access Control within a Linux system.

Also, please read http://stopdisablingselinux.com/ carefully.
(h/t @majorhayden)

namespaces

Kernel namespaces are the hardest concept to grasp when talking about containers. To users, they provide most of what we think of as 'isolation' to an application running in a container. We are concerned with 5 namespaces:

Mount Namespace

UTS Namespace

Network Namespace

IPC Namespace

PID Namespace

putting it all together

SELinux for Mandatory Access Control.

CGroups for resource limits.

mount namespace so each container gets its own mountpoints.

uts namespace so each container can have its own domainname and hostname.

network namespace gives each container its own network stack.

isolation of shared memory and other System V IPC objects with the IPC namespace.

each container gets its own PID counter.
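As an added example (not from the talk or from any Red Hat tooling), here is a small POSIX shell script a sysadmin can use to see two of these building blocks from the defender's side: which of the five namespaces above separate a process from init, and which cgroup a controller limit is applied through. The function names ns_diff and cgroup_path and the CHECK_PID variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original talk). Two defender-side checks that
# use the kernel features named on these slides:
#   ns_diff PID_A PID_B      list the namespaces (of mnt, uts, net, ipc, pid)
#                            in which the two processes differ; comparing a
#                            PID with PID 1 tells you whether it is inside a
#                            container
#   cgroup_path CONTROLLER   read /proc/<pid>/cgroup text on stdin and print
#                            the cgroup that limits CONTROLLER for that process

NS_LIST="mnt uts net ipc pid"

# Prints the differing namespace names space-separated (empty line if none).
# Returns 2 if either process's /proc/<pid>/ns/ links cannot be read (another
# user's process without CAP_SYS_PTRACE, or the PID does not exist).
ns_diff() {
    a="$1"; b="$2"; out=""
    for ns in $NS_LIST; do
        ida=$(readlink "/proc/$a/ns/$ns" 2>/dev/null) || { echo "cannot read ns of pid $a" >&2; return 2; }
        idb=$(readlink "/proc/$b/ns/$ns" 2>/dev/null) || { echo "cannot read ns of pid $b" >&2; return 2; }
        [ "$ida" = "$idb" ] || out="$out $ns"
    done
    printf '%s\n' "${out# }"
}

# cgroup v1 lines look like "11:cpu,cpuacct:/docker/<id>" (one hierarchy per
# line, controllers comma-separated); a cgroup v2 host has the single line
# "0::/path", which applies to every controller. Returns 1 if nothing matches.
cgroup_path() {
    awk -F: -v c="$1" '
        $1 == "0" && $2 == "" { v2 = $3 }
        $2 != "" {
            n = split($2, subs, ",")
            for (i = 1; i <= n; i++)
                if (subs[i] == c) { print $3; found = 1; exit }
        }
        END { if (!found) { if (v2 != "") print v2; else exit 1 } }'
}

# Stand-alone use: CHECK_PID=<pid> sh nscheck.sh
if [ -n "${CHECK_PID:-}" ]; then
    echo "namespaces differing from init: $(ns_diff "$CHECK_PID" 1)"
    echo "memory cgroup: $(cgroup_path memory < "/proc/$CHECK_PID/cgroup")"
fi
```

A process whose five namespaces all differ from PID 1's and whose cgroup path sits under a docker or kubepods hierarchy is running in a container; a process that shares init's namespaces is not, whatever its image claims.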

modern linux containers

...so give me a product already!

this docker thing

We are talking about docker, not Docker. That is important.

docker is open-source, and the code it largely consists of (runc / libcontainer) has been donated to the Open Container Initiative.

docker is the standard container engine for RHEL 7 and all of its downstream distros.

Docker, Inc. is a company on the West Coast that is in Round E of venture funding to the tune of ~$185M. They have created a set of proprietary tools around docker that they sell.

The whale's name is Moby Dock.

kubernetes

Container Orchestration Manager

Project started by Google

Red Hat is the biggest contributor outside of Google

Allows multiple hosts running docker to be clustered together to serve highly available and scalable workloads

Is built into Atomic Host by default

The de facto standard for container orchestration in IT

It has a pretty amazing scheduler cooked right in

omg openshift!

Enterprise-grade implementation of docker/k8s

Extended with features and workflows that don't exist (and often won't exist) in 'raw' kubernetes

Might be a little opinionated...

that's all well and good. but...
what does that mean for you?

The answer? Anything. Everything. Maybe a whole new thing.

Running jobs in a container may not be as hard as you think it would be... (remember, some people say I'm an expert)

It's all about getting the most out of every piece of hardware.

It's about getting the most work out of every line of code we all have to write.

resources

RHEL Blog - User Namespaces

RHEL 7 SELinux Guide

Atomic Host - Getting Started Guide

THANK YOU!

OpenShift in Action - SC '16

By Jamie Duncan
