How Container Runtimes Matter in Kubernetes?

Kunal Kushwaha, NTT OSS Center
Copyright©2018 NTT Corp. All Rights Reserved.

About me
• Works @ NTT Open Source Software Center
• Contributes to containerd and other related projects.
• Docker community leader, Tokyo
• @kunalkushwaha

Agenda
• Kubernetes Architecture
• What is CRI (Container Runtime Interface)
• What is OCI (Open Container Initiative)
• CRI & OCI Implementations
• Why runtimes affect Kubernetes
• Runtime Benchmarking results
• Analyzing for various workloads
• Summary

Kubernetes Architecture
[Diagram: a typical Kubernetes cluster]

Kubernetes Cluster Overview
[Diagram: User, kubectl, master node and worker nodes]
- kubectl is the tool for a user to interact with the k8s cluster.
- The master node interprets the command and, if required, interacts with the worker nodes.

Master Node Overview
[Diagram: Kubernetes Master: Controller manager, Scheduler, API Server, etcd]
Important components of the Kubernetes Master Node.

Master Node Control Flow
[Diagram: kubectl -> REST -> API Server, with etcd, Scheduler and Controller manager attached to the API Server]
- The API Server plays the central part in cluster communication.
- etcd stores all definitions of Kubernetes resources.
- Scheduler and Controller Manager push commands to workers via the API Server.

Kubernetes Architecture
[Diagram: User, kubectl, cluster]

Kubernetes Worker Overview
[Diagram: Kubernetes Worker: Service Proxy, Kubelet, Container Runtime, Pods]
Important components of the Kubernetes Worker Node.

Kubernetes Worker Control Flow
[Diagram: Kubernetes Worker: Service Proxy, Kubelet, Docker, Pods]
- Kubelet is the primary Node agent. The API Server talks to Kubelet.
- Service Proxy enables users to access applications running on the node.
- Docker running on the node is used for creating Pods.

Kubernetes Worker Overview (2014)
[Diagram: Kubernetes Worker: Service Proxy, Kubelet, multiple runtimes, Pods]
With alternative container runtimes, the Kubelet code gets bloated to support each one.

Container Runtime Interface
- Introduced in Kubernetes 1.5* (2016)
- Interfaces for a gRPC service for Runtime & Image Management
- Container-centric interfaces
- Pod containers as Sandbox containers
- Current status: v1alpha2
*https://github.com/kubernetes/kubernetes/blob/release-1.5/docs/proposals/container-runtime-interface-v1.md

Kubelet with CRI
[Diagram: Kubelet -> CRI -> CRI Shim -> Docker]
CRI solves supporting various runtime alternatives with no change in Kubelet.

Container Runtime
[Diagram: Kubelet -> CRI -> CRI Shim -> Container Runtime]

What is a Container Runtime
Provides the core primitives to manage containers on a host:
- Container execution & supervision
- Network interfaces and management
- Image management
- Manage local storage
e.g. LXC, Docker, rkt

Open Container Initiative
- Container runtime & image specification
- Runtime specs define the input to create a container
- Multiple platforms supported (Linux, Windows, Solaris & VM)
- runc is the default implementation of the OCI Runtime Specs
- Current Runtime Specs status: v1.0.1

Gap between Kubelet & OCI runtime
Kubelet requirements for a runtime | OCI Runtime
Manage images (pull / push / rm ..) | Does not understand the concept of an image
Talks CRI / gRPC | Input is OCI specs (json and rootfs)
Prepare the environment to successfully instantiate a container | Consumes the rootfs and container config file (json)
Prepare network for the pod | Attach network as a pre-start hook

Runtime in Kubernetes
[Diagram: Kubernetes Worker: Kubelet -> Container Runtime -> OCI Runtime]
Apart from OCI, another runtime component is required.
- High-level runtime (talks CRI): implements the CRI gRPC services and takes care of all prerequisites to successfully operate OCI runtimes.
- Low-level runtime (talks OCI): the OCI runtime works as the low-level runtime; the high-level runtime provides its inputs as per the OCI Specs.

CRI Implementations
• Dockershim
• CRI-O
• Containerd
• Frakti
• rktlet

Dockershim
[Diagram: Kubelet -> Dockershim ((Old) CRI) -> Docker -> Containerd -> runC -> Pods]
- Embedded into Kubelet.
- Dockershim talks to docker, which manages the pods.
- Default CRI implementation, and the majority of current Kubernetes deployments use it.

CRI-O
[Diagram: Kubelet -> CRI -> CRI-O -> OCI -> runC -> Pods]
- CRI-O removes the one extra hop through docker.
- CRI-O uses CNI for providing networking to pods.
- Monolithic design (understands CRI and outputs OCI-compatible bundles).
- Works with all OCI runtimes.

containerD
[Diagram: Kubelet -> CRI -> containerD (CRI Plugin) -> OCI -> runC -> Pods]
- containerD, with its revised scope, eliminates the extra hop required by docker.
- Redesigned storage drivers for simplicity and better performance.
- Extensible design: the CRI service runs as a plugin.
- Uses CNI for networking.
- Works with all OCI runtimes.

Frakti
[Diagram: Kubelet -> CRI -> Frakti -> Dockershim (Linux containers) / OCI -> runV (VM Pod)]
- The Frakti runtime was designed to bring VM-based runtimes to Kubernetes.
- It supports mixed runtimes: Linux containers for privileged containers and runV containers for the rest.
- It uses dockershim for the Linux containers, though, which results in extra hops.
- Also supports Unikernels.

Frakti v2 - Coming soon
[Diagram: Kubelet -> CRI -> containerD CRI Plugin -> Frakti plugin / runC -> Kata containers VM Pod]
- Frakti v2 will be implemented as a runtime plugin for containerD.
- Reduces the extra hops and the implementation effort too.

OCI Runtimes
runC
- Default OCI specs implementation
- Isolation based on Namespaces, cgroups, seccomp & MAC (AppArmor, SELinux)
runV
- OCI-compliant VM-based runtime
- Uses qemu & KVM.
- A lightweight guest kernel is used.
Clear Containers
- Hardware-virtualized containers using Intel's VT-x
- Utilize the DAX "direct access" feature of the 4.0 kernel
kata-runtime
- Best of runV & cc-containers
- 1.0 Release (22nd May, 2018)
- Under active development
gVisor
- Sandbox-based containers
- Intercepts application system calls and acts like a kernel.
- Similar approach to User Mode Linux (UML)
- Under active development

Final candidates for Evaluation
High-level Runtime: Dockershim, CRI-O, containerD
Low-level Runtime: runC, runV, Kata containers, clear containers

Why runtimes affect kubernetes

Kubernetes Architecture
[Diagram: Kubernetes Worker #1 ... Kubernetes Worker #n]
- Kubernetes offers a variety of choices to tune the system.
- Once the rest of the components are finalized for deployment and management, the runtime is the only variable factor.
- For application
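The bundle that the high-level runtime hands to the OCI runtime ("Input is OCI specs (json and rootfs)" on the gap slide) is also where runC's isolation primitives from the OCI Runtimes slide are configured. The following script is an added example, not code from the deck or from any runtime project: it reads a constructed config.json and reports which of those primitives (namespaces, cgroups, seccomp, MAC, plus the pre-start network hook) the high-level runtime actually set; the cgroups path and hook path in the sample are made up.

```python
import json

# Constructed OCI runtime config.json, the "json" half of the bundle a
# high-level runtime hands to runc (the other half is the rootfs directory).
# Trimmed to the fields this check reads; paths are placeholders.
SAMPLE_CONFIG = json.loads("""
{
  "ociVersion": "1.0.1",
  "process": {"args": ["sh"], "noNewPrivileges": true,
              "apparmorProfile": "docker-default"},
  "root": {"path": "rootfs", "readonly": false},
  "hooks": {"prestart": [{"path": "/opt/cni/bin/attach-net"}]},
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "mount"},
                   {"type": "ipc"}, {"type": "uts"}],
    "cgroupsPath": "/kubepods/pod-example",
    "seccomp": {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": []}
  }
}
""")

# Namespaces a pod container is normally given; a missing "network" entry
# means the container shares the host's network namespace.
EXPECTED_NAMESPACES = {"pid", "mount", "ipc", "uts", "network"}


def audit_oci_config(config):
    """Report which isolation primitives the OCI config enables or omits."""
    linux = config.get("linux", {})
    proc = config.get("process", {})
    namespaces = {ns["type"] for ns in linux.get("namespaces", [])}
    return {
        "namespaces": sorted(namespaces),
        "missing_namespaces": sorted(EXPECTED_NAMESPACES - namespaces),
        "cgroups": bool(linux.get("cgroupsPath")),
        "seccomp": "seccomp" in linux,
        # MAC: either an AppArmor profile or an SELinux label on the process
        "mac": bool(proc.get("apparmorProfile") or proc.get("selinuxLabel")),
        "no_new_privileges": bool(proc.get("noNewPrivileges")),
        "readonly_rootfs": bool(config.get("root", {}).get("readonly")),
        # pre-start hooks are where the high-level runtime attaches the network
        "prestart_hooks": [h["path"] for h in
                           config.get("hooks", {}).get("prestart", [])],
    }


if __name__ == "__main__":
    print(json.dumps(audit_oci_config(SAMPLE_CONFIG), indent=2))
```

Run against a bundle produced by a real high-level runtime, the same check shows which isolation settings that runtime chose on the Kubelet's behalf.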