Containers

Ameya Shenoy
@codingcoffee

Note:
- Feel free to heckle. Interrupt me. Ask questions in the middle, it makes this fun, I like it. Or you can wait till the end, but interactive is good.
- I'll be talking about containers, their basic underlying working, their functionality, and how eYantra can benefit from them.
---

What is a container?

Note:
- feels like a VM: we can SSH into it, but it's not a VM
- cgroups and namespaces
- cgroups have been around since 2008 in Linux; this paved the path for containers later on
- cgroups are used to control CPU and memory
- namespaces
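The two kernel facilities named on this slide can be inspected from user space without any container runtime, which also covers the process and network isolation points on the "Containers" slide below: every namespace a process is in has an identity under `/proc/<pid>/ns/`, and its cgroup membership is listed in `/proc/<pid>/cgroup`. The following is an added example, not code from the talk; the `/proc/<pid>/cgroup` texts it embeds are constructed samples, and `looks_containerised` is a heuristic of my own, with the cgroup-namespace caveat noted in its docstring.

```python
"""Inspect the two kernel facilities the slide names: namespaces decide what a
process can see, cgroups decide how much it may use. Everything here reads
/proc, so it runs without root. Added example, not from the talk; the sample
/proc/<pid>/cgroup texts below are constructed."""
from __future__ import annotations

import os

# Namespace types exposed under /proc/<pid>/ns on current kernels
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def namespace_ids(pid: int | str = "self") -> dict[str, str]:
    """Map each namespace type to its identity ('net:[4026531840]') for a live pid.
    Two processes share a namespace exactly when the identity strings match."""
    ids: dict[str, str] = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            # old kernel without this namespace, non-Linux, or no permission for that pid
            pass
    return ids


def differing_namespaces(a: dict[str, str], b: dict[str, str]) -> list[str]:
    """Namespace types in which process a is isolated from process b."""
    return sorted(ns for ns in a.keys() & b.keys() if a[ns] != b[ns])


def parse_proc_cgroup(text: str) -> dict[str, str]:
    """Parse /proc/<pid>/cgroup into {controller: path}.
    cgroup v2 (unified) has a single line '0::/path' (controller name empty);
    cgroup v1 has one line per hierarchy, 'id:ctrl1,ctrl2:/path'."""
    result: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hierarchy_id, controllers, path = line.split(":", 2)
        for ctrl in (controllers.split(",") if controllers else [""]):
            result[ctrl] = path
    return result


def looks_containerised(cgroups: dict[str, str]) -> bool:
    """Heuristic (my own, not a runtime API): runtimes park their processes under
    a cgroup they created (/docker/<id>, /system.slice/docker-<id>.scope,
    /lxc/<name>, /kubepods/...). Caveat: with a private cgroup namespace
    (docker --cgroupns=private, the default on cgroup v2 hosts) the path seen
    inside the container reads '0::/', so a negative result does not prove
    you are on the host."""
    markers = ("docker", "lxc", "kubepods", "libpod", "containerd")
    return any(m in path for path in cgroups.values() for m in markers)


# Constructed samples, not captured from the demo machine
HOST_V2_SAMPLE = "0::/user.slice/user-1000.slice/session-2.scope\n"
DOCKER_V1_SAMPLE = (
    "12:memory:/docker/0123abcd\n"
    "11:cpu,cpuacct:/docker/0123abcd\n"
    "1:name=systemd:/docker/0123abcd\n"
)


def report(pid: int | str = "self", reference: int = 1) -> dict[str, object]:
    """Compare a live pid against pid 1 (init on the host, the entrypoint in a container)."""
    mine, ref = namespace_ids(pid), namespace_ids(reference)
    try:
        with open(f"/proc/{pid}/cgroup") as fh:
            cgroups = parse_proc_cgroup(fh.read())
    except OSError:
        cgroups = {}
    return {
        "isolated_from_pid1_in": differing_namespaces(mine, ref),
        "cgroups": cgroups,
        "looks_containerised": looks_containerised(cgroups),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it once on the host and once inside `docker run -it --rm python:3.9.4-alpine3.13 sh` (the image from the network demo) to see the difference: on the host, `isolated_from_pid1_in` is empty, while in the container it lists `mnt`, `net`, `pid`, `uts` and `ipc`, and `--network none` leaves the `net` entry in place because the container still gets its own (empty) network namespace.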
---

VM vs Container

Note:
- VM: dedicated resources. Container: shared resources
- no inconsistency issues
- demo container:
  - cp -r /usr/bin/ .
  - cp -r /usr/lib/ .
  - cp -r /usr/lib64/ .
  - touch sample.txt
  - pwd
- I don't think setting up a VM is that easy!
- examples of container runtimes: firejail, lxc, docker

---

Limitations of VM

- versioning
- replication
- upgrades

Note:
- originally traditional servers; perfect replication is not possible, there are multiple variables: OS, OS version, OS deps and their versions, application deps and their versions
- problems:
  - versioning: I set up the test env today and set up production tomorrow; there may be inconsistency in the OS-level deps, which may cause incompatibility
  - upgrades: keeping all deps updated is important to avoid security vulns, but it comes at the cost of inconsistency; security upgrades and patching need to be done across all VMs, with docker only on the host OS
  - replication: between QA and prod env, local dev; "works on my machine, doesn't work in prod"; devs work on MacBooks, prod is CentOS

---

Containers

- filesystem isolation
- process isolation
- device isolation
- network isolation
- scaling

Note:
- now containers: package the entire app, including the OS-level deps; makes it easy to deploy and have consistency across environments
- now: isolation
  - fs: file:///home/cc firefox demo; isolate apps scanning directories they are not supposed to, like chrome
  - process: app A isn't aware of app B running
    - d run -it --rm --name nginx nginx:alpine
    - d exec -it nginx sh
  - device: GPU
    - lxc exec steam -- sudo --login --user ubuntu bash
    - nvidia-smi
    - lxc exec matlab -- sudo --login --user ubuntu bash
    - nvidia-smi
  - network:
    - d run -it --rm python:3.9.4-alpine3.13 sh
    - d run -it --rm --network none python:3.9.4-alpine3.13 sh
    - ping 1.1.1.1
- scaling: better utilization of resources, resource allocation and sharing

---

Kubernetes

- 0 downtime upgrade
- demo
- maintains state
- scaling

Note:
- Production-Grade Container Orchestration Platform
- orchestration takes away a lot of operations workload from engineers
- SSL termination
- think of k8s as a knowledge base of all the best practices for deployment of applications built at scale by Google
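A zero-downtime upgrade is not something Kubernetes gives you for free: it depends on the Deployment asking for it. The following is an added example, not from the talk, that checks a Deployment manifest for the settings that make a rollout safe (more than one replica, a rolling update that never takes a pod away before its replacement is ready, a readiness probe so traffic only reaches pods that can serve) and, tying back to the versioning point on the "Limitations of VM" slide, that the image is pinned rather than `:latest`. The two manifests are constructed samples expressed as Python dicts rather than YAML so the block runs without extra libraries; the default values it assumes (`RollingUpdate`, `maxUnavailable: 25%`, `maxSurge: 25%`, `replicas: 1`) are the apps/v1 API defaults.

```python
"""Lint a Deployment manifest for zero-downtime rollout settings.
Added example; the manifests are constructed samples, not from the talk."""
from __future__ import annotations

import math
from typing import Any


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key along the path is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _resolve(value: Any, replicas: int, round_up: bool = False) -> int:
    """Resolve an int-or-percentage field against the replica count.
    Kubernetes rounds maxUnavailable down and maxSurge up."""
    if isinstance(value, str) and value.endswith("%"):
        share = replicas * int(value[:-1]) / 100
        return math.ceil(share) if round_up else math.floor(share)
    return int(value)


def check_zero_downtime(manifest: dict) -> list[str]:
    """Return a list of findings; an empty list means the rollout can be zero-downtime."""
    findings: list[str] = []
    if manifest.get("kind") != "Deployment":
        return [f"not a Deployment: kind={manifest.get('kind')!r}"]

    replicas = int(_get(manifest, "spec", "replicas", default=1))
    if replicas < 2:
        findings.append(f"replicas={replicas}: a single pod is unavailable while it restarts")

    strategy = _get(manifest, "spec", "strategy", "type", default="RollingUpdate")
    if strategy != "RollingUpdate":
        findings.append(f"strategy {strategy} deletes all pods before creating new ones")
    else:
        unavailable = _get(manifest, "spec", "strategy", "rollingUpdate", "maxUnavailable", default="25%")
        surge = _get(manifest, "spec", "strategy", "rollingUpdate", "maxSurge", default="25%")
        if _resolve(unavailable, replicas) > 0:
            findings.append(f"maxUnavailable={unavailable} lets serving pods drop below {replicas} during rollout")
        elif _resolve(surge, replicas, round_up=True) == 0:
            findings.append("maxUnavailable and maxSurge both resolve to 0; the API server rejects this")

    for container in _get(manifest, "spec", "template", "spec", "containers", default=[]):
        name = container.get("name", "<unnamed>")
        if "readinessProbe" not in container:
            findings.append(f"container {name}: no readinessProbe, traffic reaches it before it can serve")
        image = container.get("image", "")
        last = image.rsplit("/", 1)[-1]            # strip registry/repo path
        tag = last.split(":", 1)[1] if ":" in last else None
        if tag is None or tag == "latest":
            findings.append(f"container {name}: image {image!r} is not pinned to a version")
    return findings


# Constructed sample manifests (dict form of the YAML you would kubectl apply)
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {
        "replicas": 3,
        "strategy": {"type": "RollingUpdate", "rollingUpdate": {"maxUnavailable": 0, "maxSurge": 1}},
        "template": {"spec": {"containers": [{
            "name": "web", "image": "nginx:1.25.3-alpine",
            "readinessProbe": {"httpGet": {"path": "/", "port": 80}},
        }]}},
    },
}
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {
        "replicas": 1,
        "strategy": {"type": "Recreate"},
        "template": {"spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}},
    },
}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD_DEPLOYMENT), ("bad", BAD_DEPLOYMENT)):
        print(label, check_zero_downtime(manifest) or "ok")
```

The bad manifest trips all four checks; the good one passes. Note that an absent `strategy` block is not a failure by itself: the defaults of `25%` unavailable round down to 0 for fewer than four replicas, which is why the check resolves the percentage instead of looking for a literal `0`.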
---

Refs

- To Docker or Not to Docker: A Security Perspective
- Analysis of Docker Security
- Lightweight Linux Containers for Consistent Development and Deployment
Note:
- a few papers which I read, but I'd rather you practically use this stuff

---

Thanks for listening!

codingcoffee/slides
Ameya Shenoy