Xen Containers: Better way to run Docker Containers

Sainath Grandhi [email protected]

Contributions: Jun Nakajima

1 Motivation

• “Containers” are being adopted for application development and deployment
• Containers are looked upon as a lightweight alternative to traditional VMs
• VMs offer stronger application isolation
• The benefits of VMs can be reaped if they are made lightweight and run like containers

2 Agenda

Containers

Xen Containers

Numbers

Next Steps

3 Containers

[Diagram: Containers A–D, each a stack of Application / Middleware / Libraries, separated from one another by namespaces; all run on Cgroups, Namespaces and Union FS in the Host OS, on Server Hardware]

4 Docker Containers

Docker – a one-stop solution for running, building and packaging containers

• Running: docker run/create/stop
• Building: docker build
• Packaging: docker push/pull/commit

[Diagram: Docker client issuing commands to the Docker daemon (parent/child), which builds a Docker image and runs Container A (Application / Middleware / Libraries) on Cgroups, Namespaces and Union FS in the Host OS]

5 Bare metal containers – Isolation

• Isolation provided by Host OS
  – Security: a compromised kernel can be exploited by malicious images/applications for namespace intrusion
  – Enabling cgroups and namespaces in the kernel increases the kernel attack surface
• Malicious public images
  – Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities (http://www.banyanops.com/blog/analyzing-docker-hub/)
• Multi-tenant Cloud Providers
  – “we see the VM as the only truly safe isolation.… Until we see foolproof security for containers, we will always double-bag our customers' workloads” (http://www.informationweek.com/cloud/infrastructure-as-a-service/google-docker-does-containers-right/d/d-id/1319146)

[Diagram: Containers A and B (Application / Middleware / Libraries) sharing the host kernel, separated only by namespaces]

6 Agenda: Containers, Xen Containers, Numbers, Next Steps

7 Containers

[Diagram: Containers A–D, each a stack of Application / Middleware / Libraries, separated from one another by namespaces; all run on Cgroups, Namespaces and Union FS in the Host OS, on Server Hardware]

8 VM Containers

[Diagram: Containers A and B (Application / Middleware / Libraries), each running inside its own VM; the VMs run on Cgroups and Union FS in the Host OS/Dom0, on Server Hardware]

9 Xen PVH Containers

• VM containers good for multi-tenant cloud providers
  – Group containers from a tenant onto a VM
• Great infrastructure in place for guest isolation
• PVH for app containers
  – Boot to guest kernel in protected mode
  – PV performance for disk and network
  – Hardware virtualized performance for CPU and memory
• Why PVH (vs. HVM)
  – No dependence on QEMU
  – No BIOS
  – Faster boot time

10 Xen Containers with Docker

[Diagram: Dom0 runs the Docker client and daemon, Init, Docker storage and the container devices, exposing them through xen-blkback and xen-netback; the PVH DomU runs the Application over its own kernel, with a Root device (xen-blkfront) and a vNIC (xen-netfront); both sit on the Hypervisor and Server Hardware]

11 Xen Containers with Docker – Guest Anatomy

• Minimal Kernel
  – Minimally configured kernel
• Init
  – Init service to mount application rootfs and configure network
• Storage
  – Docker container volume as rootfs
• Networking
  – Docker subnet IP and docker bridge gateway

[Diagram: PVH DomU with Application and Init in user space over the guest kernel, a Root device (xen-blkfront) and a vNIC (xen-netfront)]

12 Xen Containers with Docker – Guest Configuration

• Storage
  – Docker devicemapper block device as PVH storage backend – container volume
• Application path
  – Application path from docker run/exec command
• Network IP
  – DHCP/docker subnet for interoperability with docker containers

[Diagram: On the Dom0 Docker host, `docker run ubuntu /bin/bash` launches a PVH DomU whose guest kernel and init run the Application /bin/bash with IP 172.17.xx.xx]
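The guest configuration above can be derived from the container's own record. As an added example (not code from the slides or the project), this Python turns a constructed docker-inspect-style record into an xl config for a PVH DomU; the guest kernel path /boot/vmlinuz-xc and the xc.ip/xc.gw/xc.app kernel parameters read by the in-guest init are assumptions.

```python
import ipaddress
import shlex

# Constructed sample shaped like the fields `docker inspect` reports (not real output).
SAMPLE_CONTAINER = {
    "Name": "/web1",
    "Path": "/usr/sbin/sshd",
    "Args": ["-D", "-e"],
    "GraphDriver": {"Name": "devicemapper",
                    "Data": {"DeviceName": "docker-8:1-2621441-web1"}},
    "NetworkSettings": {"IPAddress": "172.17.0.5", "Gateway": "172.17.0.1",
                        "IPPrefixLen": 16},
}

def guest_cmdline(c):
    """Kernel cmdline for the guest init; the xc.* keys are this example's assumption."""
    net = c["NetworkSettings"]
    iface = ipaddress.ip_interface(f"{net['IPAddress']}/{net['IPPrefixLen']}")
    gw = ipaddress.ip_address(net["Gateway"])
    if gw not in iface.network:  # the docker bridge gateway must be on the docker subnet
        raise ValueError(f"gateway {gw} not in {iface.network}")
    app = shlex.join([c["Path"], *c["Args"]])
    # The kernel groups a cmdline value with double quotes. The container command is
    # user-supplied input, so refuse anything that could break out of the quoting.
    if any(ch in app for ch in "\"'\n"):
        raise ValueError("unsafe characters in container command")
    return f'root=/dev/xvda ro xc.ip={iface.with_prefixlen} xc.gw={gw} xc.app="{app}"'

def xl_config(c, kernel="/boot/vmlinuz-xc", mem_mb=128, vcpus=1, bridge="docker0"):
    """xl.cfg text for a PVH DomU: direct kernel boot (no QEMU, no BIOS), one disk, one vNIC."""
    gd = c["GraphDriver"]
    if gd["Name"] != "devicemapper":
        raise ValueError("only devicemapper-backed containers expose a block device")
    dev = "/dev/mapper/" + gd["Data"]["DeviceName"]
    lines = [
        f"name = '{c['Name'].lstrip('/')}'",
        "type = 'pvh'",  # xl.cfg spelling for a PVH guest (Xen 4.10 and later)
        f"kernel = '{kernel}'",
        f"memory = {mem_mb}",
        f"vcpus = {vcpus}",
        f"extra = '{guest_cmdline(c)}'",
        # The guest is handed exactly its own volume and one vif; nothing else from Dom0.
        f"disk = ['phy:{dev},xvda,w']",
        f"vif = ['bridge={bridge},ip={c['NetworkSettings']['IPAddress']}']",
    ]
    return "\n".join(lines) + "\n"
```

Reusing the docker-assigned IP and the docker0 bridge is what keeps the DomU reachable exactly like a bare-metal container on the same host.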

13 Agenda: Containers, Xen Containers, Numbers, Next Steps

14 Numbers

                               PVH    HVM    Comments
Domain creation                224    184    Time spent by xl toolstack to set up domain
To drop into container shell   1380   2503   Time taken to boot the minimal kernel and drop into shell from container rootfs

Guest Memory Used – 16MB

Config:
  Host: Xeon® CPU E5-2699 v3; Memory – 60GB; Dom0 Memory – 4GB; Dom0 vCPUs – 8
  Guest: Memory – 128MB; vCPU – 1

15 Agenda: Containers, Xen Containers, Numbers, Next Steps

16 Next Steps

• Docker Volumes
  – PV VirtFS for supporting docker volumes
• Pods (multiple applications in a VM)
  – Leverage as the init service inside the VM to resource-control multiple applications

17 Q & A