The fourth incarnation of Container Camp, and the second in San Francisco, took place on Friday April 15th. YLD were in attendance and we've put together this follow-up blog post for those who couldn't be there.
One of the great things about Container Camp has always been the broad representation of the container ecosystem, rather than focusing on one container runtime or platform. This year was no exception, with talks about Docker, rkt, Kubernetes, Deis and Flynn, as well as covering important subjects like container security, cgroups and namespaces, unikernels and some production use-cases from Kaggle and Netflix.
Videos for the talks are now being released and can be found here.
Keynote: The New Stack Research: Clarity About Container Orchestration for a Very Confused Market
Alex Williams, Founder and Editor-in-Chief, The New Stack
Alex presented some new research about container orchestration. The container ecosystem is still young and maturing, we are all still figuring out not only how to orchestrate containers in distributed applications, but also what terms like orchestration even mean in this new world. With new technologies come new skillsets and new, and sometimes redefined, terminology.
Kubernetes is the most used platform, followed by Mesos and then Docker Swarm. For service discovery Consul was the most popular, followed by ZooKeeper (used in Mesos) and Etcd. Traditional configuration management tools were not in common usage with containers, but Ansible figured highly in people's plans, suggesting that configuration management has not been forgotten but that the vendors are yet to fully integrate them.
I was surprised by the popularity of Docker Swarm, which in my experience has felt immature. This shows how Docker are really nailing the developer experience, though.
Everything we need to know about DevOps we learned from sci-fi movies
Casey Bisson, Director of Product, Joyent
Casey took us on an entertaining journey through sci-fi films that depict how we've viewed the future of computing in popular culture, positing that their depiction as being self-operating, self-healing and environment-independent should inform how we design cloud-native applications today. Casey proposes the "autopilot" pattern, discussed at Day Zero, as a way to achieve this vision.
This approach is contrary to the common practice of a centralised orchestrator doing this work, an approach I prefer but Casey's talk convinced me to at least take another look at this approach. I did, however, feel that his argument against a centralised orchestrator was a straw-man, and that good DevOps practices (i.e. not "throwing code over the wall" to ops) will address all of the issues he raised.
What's new in Docker
Mano Marks, Director of Developer Relations, Docker
Mano gave us a brief outline of the new features in the latest Docker release: 1.11.
The biggest news is that this is the first version with an OCI-compatible runtime: it now uses containerd and runc. This was the big focus of 1.11, hence not otherwise a feature-rich release. To read more about this, check out my container ecosystem overview and also my recent talk about rkt.
Other features of note include:
- DNS round-robin load balancing in Swarm
- Swarm rescheduling is no longer experimental
- Docker Machine Azure driver
The beta of Docker for Mac and Windows is also big news, and was the subject of many audience questions.
Container Standards and Interfaces: An Update
Brandon Philips, CTO, CoreOS
Brandon's talks are always great and this was no exception. He brought us up to date on the latest OCI news in relation to container standards.
This talk was the highlight of the day, in my opinion.
What's New in Kubernetes
Tim Hockin, Kubernetes Technical Lead, Google
After a quick intro to Kubernetes, Tim moved on to an overview of new features in 1.2, with demos, and then a peek into the future.
New features include:
- Multi-zone clusters with automatic balancing, no API changes, using labels. Works for GKE, GCE, AWS and can be done manually for on-premise installations
- "Deployments" are a new abstraction over replication controllers that will automatically nurse your new containers into production with zero-downtime and smooth rollback
- "DaemonSets" allow you to run something once and once only on all nodes (or a subset of nodes, using label-based selection)
- "HorizontalPodAutoScalers" are just what the name suggests- automatically scale pods as needed, based on CPU usage (for now; custom metrics are in alpha)
- "Jobs" are short-lived containers with result aggregation
- "Secrets" allow you to grant a pod access to a secured information such as secrets. The secrets are injected as virtual volumes that can be changed at runtime. Also supports environment variables
- "ConfigMaps" work like Secrets, but for injecting non-secret config
- "Ingress" - A new L7 HTTP load balancer with SSL
- "PersistentVolumes" abstracts storage from your app, and the volumes will live until they have no more users
Plus a plethora of performance & scalability improvements.
Kubernetes + PaaS: Bringing Containers to Production
Jason Hansen, Chief Architect, Deis
Jason makes a compelling case for PaaS as a pain-reducer and enabler of fast-paced change. He presented the latest incarnation of the Deis PaaS, now re-platformed onto Kubernetes.
Early versions of Deis worked by
git pushing code to the PaaS and it would make Heroku buildpacks for your app. However, now it can pull images from Docker registries, which is much more useful for production workflows.
An Introduction to Container Security
Thomas Cameron, Global Solutions Architect Leader, Redhat
Thomas walked us through what a container is, explaining
libcap, as well as various other security features of Linux (including SELinux), putting Linux container security in context.
Thomas also explored how having root in a container maps to the underlying kernel, and how these various tools can effectively block any access to kernel subsystems that are not needed, one example was giving a user root access, filtering their access and then demonstrating that this "root" user was unable to disable their filters.
Security is pretty. Security is good. But it should never be pretty good
Cynthia Thomas, Systems Engineer, Midokura
Cynthia's talk was something of a call to arms to improve network security in the container world; it shouldn't be an afterthought.
As we move to containerised, microservice architectures for our applications we get increased network complexity due to running multiple applications on each host. This results in increased network policy complexity.
Neutron, a virtual network service for OpenStack, can be used to secure Docker container networks via kuryr, a Docker libnetwork remote driver. It doesn't require a full OpenStack installation.
Jonathan Rudenberg, Founder & CTO, Flynn
An early pioneer in the Docker PaaS space, Flynn is a project I've been watching for a few years. You can read more about Flynn at (https://flynn.io).
Jonathan talked about Flynn's database replication. Flynn uses a mixture of synchronous and asynchronous replication to provide highly available databases that survive network partitions.
Application Sandboxes vs. Containers
Jessica Frazelle, Security Engineer, Mesosphere
Jessie gave us an overview of what containers are at a low level, before discussing application sandboxes. Google Chrome is an example of an application sandbox; it uses container-like primitives to achieve some isolation between processes, but without running as root. Chrome uses user namespaces and seccomp but not cgroups.
Jessie gave us a demo of a pretty cool project she has been working on: a tool that generates an executable containing a container image that can run as a non-root user using runc.
Pretty cool stuff.
Unikernels: Practical Advice for Juggling Chainsaws
John Feminella, Technical Advisor Cloud Foundry, Pivotal
John's talk was a entry-level introduction to unikernel concepts, benefits and challenges, as well as some of the low-level Linux isolation features underpinning containers.
Docker and Reproducible Data Science
Ben Hamner, Co-Founder & CTO, Kaggle
Kaggle have built a container-based platform for running reproducible scientific data analysis, and Ben discussed some of the unique features of containers that make it suitable for this task.
Slaying Monoliths with Docker and Node.js, a Netflix Original
Yunong Xiao, Software Engineer, Netflix
Netflix's Global expansion and rise in popularity means they have some unique scaling challenges. Yunong talked us through their journey from a multi-tiered, REST-based architecture to a self-service container-based system for Netflix client application developers, using Node.js.
Congratulations to organisers Angie and Chris for a smooth operation and a great selection of talks. Container Camp continues to carve out its niche as an independent, fun and deeply technical event for developers that caters for beginners and experts alike.