FastCDC, puzzlefs, and de-duplicating container and VM images

Since about 2017, a group at Cisco has been working on an “OCI native operating system” under the title “project machine”, which is a terrible project name. I note that most of the people publicly involved in the project according to GitHub commits no longer work at Cisco, so I cannot vouch for the health of the overall project. That said, they did come up with some interesting ideas along the way, and given it's a quiet time of year I figured I could do some reading.

The Kubernetes Book (2024 edition)

Post category: Book

This is yet another accidental purchase of a self-published book, although I think this one makes a lot of sense as a self-published work. Writing a technical reference book isn't a particularly lucrative pastime for most authors, and self-publishing likely makes it more worthwhile than the traditional publisher route, especially if you can rustle up a good set of technical editors and reviewers yourself. That said, I think one of the risks with self-published technical books like this is that they are overly credulous, and I think this book falls into that trap early by describing Kubernetes as the "cloud operating system". Like I get it, you're excited about Kubernetes, but making claims that all of the cloud runs on Kubernetes just undermines your work before you've even really started. I can't find any public data, either academic or anecdotal, which supports the assertion that Kubernetes is even the most popular way to run workloads in clouds. I'm sure that AWS, for example, has more VMs not running Kubernetes than it has running it. That said, it is clear at this point that Kubernetes is the dominant player for container clustering. So why not just say…

On-demand Container Loading in AWS Lambda

Post category: AWS

My team at work now has a daily personal learning time called “egg time” — it's a slightly silly story involving a manager who was good at taking some time to learn things each day, and an egg-shaped chair.

Today I decided that I should read this paper about container image loading in AWS Lambda, as recommended by Robert Collins on LinkedIn. The paper details the work they had to do to transition from all Lambda functions being packaged as relatively small zip files (250 MB) to relatively large Docker containers (10 GB+), while maintaining their aggressive target cold-start time of 50 ms.

Interpreting whiteout files in Docker image layers

I've been playing again with Docker images and their internal layers a little more over the last week -- you can see some of my previous adventures at Manipulating Docker images without Docker installed. The general thrust of these adventures is understanding the format and how to manipulate it, by building a tool called Occy Strap which can manipulate the format in useful ways. My eventual goal there is to be able to build OCI compliant image bundles and then have a container runtime like runc execute them, and I must say I am getting a lot closer. This time I was interested in the exact mechanisms used by whiteout files in those layers and how that interacts with Linux kernel overlay filesystem types.

Firstly, what is a whiteout file? Well, when you delete a file or directory from a lower layer in the Docker image, it doesn't actually get removed from that lower layer, as layers are immutable. Instead, the uppermost layer records that the file or directory has been removed, and it is therefore no longer visible in the Docker image that the container sees. This has obvious security implications if you delete a file like a password you…

Manipulating Docker images without Docker installed

Recently I've been playing a bit more with Docker images and Docker image repositories. I had in the past written a quick hack to let me extract files from a Docker image, but I wanted to do something a little more mature than that. For example, sometimes you want to download an image from a Docker image repository without using Docker. Naively, if you had Docker, you'd do something like this:

docker pull busybox
docker save busybox

However, that assumes that you have Docker installed on the machine downloading the images, and that's sometimes not possible for security reasons. The most obvious example I can think of is airgapped secure environments where you need to walk the data between two networks, and the unclassified network machine doesn't allow administrator access to install Docker. So I wrote a little tool to do image manipulation for me. The tool is called Occy Strap, is written in Python, and is available on PyPI. That means installing it is relatively simple:

python3 -m venv ~/virtualenvs/occystrap
. ~/virtualenvs/occystrap/bin/activate
pip install occystrap

Which doesn't require administrator permissions. There are then a few things we can do with Occy Strap. Downloading an image from a repository and…

Coming to grips with Kubernetes in 2020: online training

Post category: Kubernetes

There are a few online training resources I've had a play with while learning Kubernetes, so I figure that's worth a quick write up. This is a follow on from my post about Kubernetes podcasts I've tried. I've tried three training providers so far:

The Linux Foundation Kubernetes course (LFS258 Kubernetes Fundamentals) is probably the "go to" resource for many people, and is often sold bundled with the certification exams. Unfortunately, it is really terrible. It is by far the worst course I've seen so far.

On the other hand, the Linux Academy Kubernetes course is really good. Its flaw is that you have to sign up to Linux Academy, which provides you with all-you-can-eat courses for a rather steep annual fee.

Finally, I discovered Mumshad Mannambeth's Udemy courses, and frankly they're excellent. He's put a huge amount of effort into them and it really shows. Even better, with Udemy's regular sales you can pick up his three Kubernetes courses (intro, admin certification, and developer certification) for under $50 AUD. There are even plenty of online quizzes. If I were going to pick a course to try, I'd definitely go with Mumshad.

Coming to grips with Kubernetes in 2020: podcasts

Post category: Kubernetes

It has become clear to me that it is time to care about Kubernetes more. I'm sure many people have cared for ages, but the things I want to build at the moment are starting to be more container based now that I am thinking more at the application layer than the cloud infrastructure layer. So how to do that? I thought I'd write down some notes on what has worked (or not) for me, in the hope it will help others. In this post, podcasts.

I thought podcasts would be an interesting way to get started with some nice overviews. This is especially true because I'm already a pretty heavy podcast user, so it was easy to slot into my existing routine. Unfortunately this hasn't really worked out. I started with the podctl podcast, but they only ever talk about Red Hat stuff. It is very rare for a guest to not be a Red Hat employee, for example. The presenters of this podcast seem to also really dislike OpenStack for reasons they never explain, which is annoying. Then I figured maybe the Google Kubernetes podcast would be better, but it often lacks the depth I am interested in. I…

Quick hack: extracting the contents of a Docker image to disk

Hello! Please note I've written a little Python tool called Occy Strap which makes this a bit easier, and can do some fancy things around importing and exporting multiple images. You might want to read about it?

For various reasons, I wanted to inspect the contents of a Docker image without starting a container. Docker makes it easy to get an image as a tar file, like this:

docker save -o foo.tar image

But if you extract that tar file you'll find a configuration file and manifest as JSON files, and then a series of tar files, one per image layer. You use the manifest to determine in what order you extract the tar files to build the container filesystem. That's fiddly and annoying. So I wrote this quick Python hack to extract an image tarball into a directory on disk that I could inspect:

#!/usr/bin/python3

# Call me like this:
#   docker-image-extract tarfile.tar extracted

import tarfile
import json
import os
import sys

image_path = sys.argv[1]
extracted_path = sys.argv[2]

image = tarfile.open(image_path)
manifest = json.loads(image.extractfile('manifest.json').read())

for layer in manifest[0]['Layers']:
    print('Found layer: %s' % layer)
    layer_tar = tarfile.open(fileobj=image.extractfile(layer))

    for tarinfo in layer_tar:
        print('  ... %s' % tarinfo.name)
        if tarinfo.isdev():
            print('  -->…

Kubernetes Fundamentals: Setting up nginx ingress

Post category: Kubernetes

I’m doing the Linux Foundation Kubernetes Fundamentals course at the moment, and I was very disappointed in the chapter on Ingress Controllers. To be honest it feels like an afterthought — there is no lab, and the provided examples don’t work if you re-type them into Kubernetes (you can’t cut and paste, of course, just to add to the fun).

I found this super annoying, so I thought I’d write up my own notes on how to get nginx working as an Ingress Controller on Kubernetes.

Juno nova mid-cycle meetup summary: containers

Post category: OpenStack

This is the second in my set of posts discussing the outcomes from the OpenStack nova Juno mid-cycle meetup. I want to focus in this post on things related to container technologies.

Nova has had container support for a while in the form of libvirt LXC. While it can be argued that this support isn't feature complete and needs more testing, it's certainly been around for a while. There is renewed interest in testing libvirt LXC in the gate, and a team at Rackspace appears to be working on this as I write this. We have already seen patches from this team as they fix issues they find on the way. There are no plans to remove libvirt LXC from nova at this time.

The plan going forward for LXC tempest testing is to add it as an experimental job, so that people reviewing libvirt changes can request the CI system to test LXC by using "check experimental". This hasn't been implemented yet, but will be advertised when it is ready. Once we've seen good stable results from this experimental check we will talk about promoting it to be a full-blown check job in our CI system. We have…