Containerization

Summary

Milestones

Discussion

• What's a Container and what's in it?

  Understand containers by contrasting them against VMs. Source: Janetakis 2017.

  Containers consists of the runtime environment: an application, dependencies, libraries, binaries, and configuration files needed to run an application, bundled into one package. By containerizing the application platform and its dependencies, differences in OS distributions and underlying infrastructure are abstracted.

  Following are the components of container:

  • Include the application and all of its dependencies
  • Share the OS kernel with other containers
  • Not tied to infrastructure — only needs Docker Engine (or equivalent) installed on host
  • Run an isolated process in user space on the host OS
• What are the benefits of Containers?

  Containers have a wide range of benefits:

  Benefits to Applications

  • Portable
  • Packaged in a standard way
  • Automated testing, packaging and integrations
  • Support newer microservices architectures
  • Alleviate platform compatibility issues

  Benefits to Deployment

  • Easy
  • Repeatable
  • Reliable deployments: improved speed and frequency of deployments
  • Consistent application lifecycle: configure once and run multiple times
  • Consistent environments: no more process differences between local, dev and staging environments
  • Simple scaling: Fast deployments ease the addition of workers and permit workload to grow and shrink for on-demand use cases
• How is Virtualization different from Containerization?

  

  Comparing Virtual Machines and Containers. Source: https://medium.com/@faizanbashir/docker-containers-101-e47f594a0ed

  With virtualization technology, the package that can be passed around is a Virtual Machine (VM). It includes an OS as well as the application. A server running three VMs would have a hypervisor and three separate operating systems running on top of it. By contrast, a server running three containerized applications runs on top of a single OS, all containers sharing the same OS kernel. Shared parts of the operating system are read only, while each container has its own mount (i.e., a way to access the container) and volumes for reading from and writing to the file system. This means that the containers are much more lightweight and use far fewer resources than virtual machines.

  Containerization has been called an operating system level virtualization, an operating system feature in which the OS kernel allows the existence of multiple isolated user-space instances. Instances are created from images that we can build and share. Instances created from images are called containers, partitions, virtualization engines or jails (FreeBSD). Applications running inside a container can only see the container's contents and devices assigned to the container.

• What's the typical size of a container?

  Containers can only be tens of megabytes in size. For example, the Docker Alpine image is about 5 MB. A virtual machine with its entire OS may be several gigabytes in size. For this reason, a single server can host far more containers than virtual machines. Virtual machines may take several minutes to boot up their operating systems and start running the applications they host. However, containerized applications can be started almost instantly.

• What is Linux Kernel Containment?

  

  The Linux container stack. Source: https://www.engineyard.com/blog/isolation-linux-containers

  Linux Containers (LXC) is a more modern method of virtualizing an application. LXC leverages cgroups to isolate the CPU, memory, file/block I/O and network resources. LXC also uses namespaces to isolate the application from the operating system and separates the process trees, network access, user IDs, and file access.

  LXC is considered a technique that falls between chroot and a virtual machine. In version 1.0 of LXC, unprivileged containers are more secure because they run as regular unprivileged users.

• What is Docker?

  

  A Docker image is built as multiple layers. Source: https://blog.docker.com/2015/10/docker-basics-webinar-qa/

  Docker is built on top of LXC and adds image management and deployment assistance for virtualizing applications. Docker provides for automation and rapid provisioning of LXC cgroups without requiring a VM. Docker provides an API that extends the functionality of LXC for building Platform as a Service (PaaS) offerings. Since Docker is an open-source system, it could be used for a whole host of purposes.

  A runtime instance of a Docker image contains three things:

  • A Docker image
  • An execution environment
  • A standard set of instructions
• Could you name some container implementations?

  Docker is the most popular one. Others include Linux OpenVZ, Linux-VServer, FreeBSD Jails, AIX Workload Partitions (WPARs), HP-UX Containers (SRP), and Solaris Containers.

• How are containers used in mobile phones?

  Mobile phones also use containers to separate and run their apps securely. In fact, Android phones like the Nexus One use LXC on the Android kernel. McAfee provides a Secure Container for Android. Apple iPhones also use containers to compartmentalize applications and their data.

• Which Linux distributions are suitable for use as a container host?

  Most Linux distributions are unnecessarily feature-heavy if their intended use is simply to act as a container host to run containers. For that reason, a number of Linux distributions have been designed specifically for running containers. Here are some examples:

  • Container Linux (formerly CoreOS Linux) — one of the first lightweight container operating systems built for containers
  • RancherOS — a simplified Linux distribution built from containers, specifically for running containers
  • Photon OS — a minimal Linux container host, optimized to run on VMware platforms
  • Project Atomic Host — Red Hat's lightweight container OS has versions that are based on CentOS and Fedora, and there's also a downstream enterprise version in Red Hat Enterprise Linux
  • Ubuntu Core — the smallest Ubuntu version, Ubuntu Core is designed as a host operating system for IoT devices and large-scale cloud container deployments
  • Alpine Linux — is a very tiny Linux distribution focused on security
• What is Copy on Write (CoW)?

  Some operating-system-level virtualization implementations provide file-level copy-on-write (CoW) mechanisms. (Most commonly, a standard file system is shared between partitions, and those partitions that change the files automatically create their own copies.) This is easier to back up, more space-efficient and simpler to cache than the block-level copy-on-write schemes common on whole-system virtualizers. Whole-system virtualizers, however, can work with non-native file systems and create and roll back snapshots of the entire system state.

• What is the importance of Container Security?

  With the wide adoption of container-based applications, systems became more complex and risk increased, laying the groundwork for container security. Vulnerabilities like dirty copy-on-write only furthered this thinking. This led to a shift left in security along the software development lifecycle, making it a key part of each stage in container app development, also known as DevSecOps. The goal is to build secure containers from the ground up without reducing time to market.

References

1. Hogg, Scott. 2014. "Software Containers: Used More Frequently than Most Realize." Network World, May 26. Accessed 2018-04-26.
2. Janetakis, Nick. 2017. "Virtual Machines vs Docker Containers - Dive Into Docker." YouTube, July 2. Accessed 2018-05-13.
3. Novoseltseva, Ekaterina. 2017. "Top 10 benefits you will get by using Docker." Apiumhub, March 4. Accessed 2018-05-11.
4. Osnat, Rani. 2018. "A Brief History of Containers: From the 1970s to 2017." Aqua Blog, March 21. Accessed 2018-04-26.
5. Rubens, Paul. 2017. "What are containers and why do we need them?" CIO, Jun 27. Accessed 2018-04-26.
6. Wikipedia. 2018a. "Docker Software." Wikipedia, May 3. Accessed 2018-04-26.
7. Wikipedia. 2018b. "Operating System Level Virtualization." Wikipedia, May 8. Accessed 2018-04-26.