OCI, CRI, ??: Making Sense of the Container Runtime Landscape in Kubernetes - Phil Estes, IBM

00:01

my goal is in 25 minutes which is goes

00:05

by fairly quickly with the topic is to

00:09

kind of help you see why we are where we

00:11

are with container runtimes demystify

00:15

some terms like OCI and CRI and

00:18

hopefully make that at least a little

00:20

bit informative and not just a bunch of

00:23

boring information and so we'll see see

00:27

how we do on that so clearly even though

00:32

those of you who are maybe have a deeper

00:37

layer of understanding about what what

00:38

we even call containers that they're

00:40

made up of see groups and namespaces and

00:42

and that these concepts and technologies

00:46

have existed quite a while before docker

00:48

so for example some of the namespaces

00:51

and the Linux kernel have been there for

00:52

over a decade but I think we can't all

00:55

agree that it was docker in 2014 2015

00:59

coming on the stage and sort of exciting

01:02

the developers mind with the simplicity

01:04

of some of these commands you see on the

01:06

screen now all of a sudden I just type

01:09

docker run and some sort of standard

01:11

open-source software package like Redis

01:14

or my sequel or Apache or nginx and in

01:19

less than you know 500 milliseconds this

01:22

service is running and that was magical

01:24

for for lots of developers and so that's

01:28

kind of become synonymous with

01:30

containers in the last four or five

01:33

years but that doesn't mean that docker

01:35

is the only container runtime in fact

01:38

soon after docker came on the scene core

01:40

OS had some other ideas about how to

01:44

actually connect a developer with some

01:47

of those features in the Linux kernel

01:48

the same features built around the same

01:50

namespaces and C groups but they came

01:53

out with rocket with some new ideas

01:55

since then container D crea there was a

01:59

there was a great talk in here earlier

02:01

about cat o we'll talk about sandbox and

02:04

isolation a little bit later in the talk

02:07

but even Cloud Foundry and there were

02:10

some talks that referred to Cloud

02:11

Foundry here earlier today

02:13

Cloud Foundry under the covers was

02:15

packaging up and using these same

02:16

features below their their platform as a

02:22

service model to run containers as well

02:24

and even stepping away from kind of this

02:27

docker application model LXE and lxd

02:31

have been around produced by canonical

02:33

and a team there for a number of years

02:35

and the high-performance computing space

02:37

has also been interested in containers

02:39

with tools like singularity and some

02:42

others and so in this kind of explosion

02:47

of runtimes and and ideas for how to use

02:50

containers obviously the the market

02:55

didn't want there to be a hundred

02:57

different ideas of what it meant to be a

02:58

container or how to run a container how

03:01

to create a container image and so

03:03

that's really how the OCI was born was

03:06

this idea could we all get together and

03:08

even if there are different runtimes

03:10

that exists in different ways of

03:12

building and running containers could we

03:15

all agree on a specification for what

03:17

that means to have a a runtime and an

03:20

image format and how to distribute those

03:22

images and so many of us got together

03:26

and were involved in founding that in

03:28

2015 many member companies have joined

03:32

since and out of that has come a runtime

03:35

spec which is at a1 oh really since the

03:38

middle of 2017 a implementation of that

03:42

called run see that many of you have

03:44

heard of you know that at least you

03:47

probably know that when you run docker

03:48

that talks to container D and container

03:51

D drives run C and also an image format

03:55

that has then led to the distribution

03:58

spec so how do I talk to a registry and

04:01

so docker obviously had a way to do that

04:05

that many people again use docker pull

04:08

docker push these are registry

04:10

operations and so now that is also part

04:13

of the OCI and we're hoping to finalize

04:15

the one o virgin of the distribution

04:17

spec next year so again the idea bring

04:23

all these communities together to an

04:25

agreement what it means

04:27

to have a image what it means to run a

04:30

container and then people can go

04:32

different directions and as long as

04:33

they're OCI compliant we can actually

04:35

have interoperability among many many

04:38

different tools and so I would say you

04:43

know in the years that followed we're in

04:46

a pretty good place with this common

04:47

substrate of container runtimes and

04:50

container registries that are meeting

04:52

these OCI specs and the specs that are

04:54

in process and these drive how we

04:57

actually run containers on Linux and

04:59

also Microsoft has evolved and the OSI

05:02

high specs also provide a way to talk

05:05

about how we run containers on Windows

05:08

and so you can think of that kind of

05:10

bubbling up to again this mix of

05:13

runtimes whether we're talking about

05:14

cata

05:15

containers or Nadler container to your

05:18

docker cRIO and then of course there are

05:21

many many different registries there are

05:23

some in the CN CF like project harbor

05:25

docker hub is a instance of an open

05:29

source project called docker

05:30

distribution all the major cloud

05:33

providers have registries some of them

05:35

have been written themselves jay frog

05:38

has a registry queda i/o is recently

05:42

open sourced so again we're at this

05:44

place where thankfully you as a

05:46

developer an operator you don't have to

05:48

worry about whether your developers are

05:50

using docker container D or creo or

05:52

whether they're playing around with cata

05:54

containers or AWS firecracker we can

05:58

actually interoperate you know your

06:00

container image and docker hub can also

06:02

be pushed to clay it can also be pushed

06:04

to Asher's or IBM cloud registry and so

06:08

that's a great place so that's really

06:10

what we intended to do with the OCI when

06:13

we started in 2015 but just to give you

06:16

a little taste that we aren't done yet

06:19

we'd like to see more areas sort of

06:22

standardized and finalized things that

06:24

are in process there's some great works

06:26

around artifacts that was added to the

06:28

OCI this year it's the idea that you

06:32

know just have to store layers and image

06:34

configs and registries maybe you'd like

06:37

to sort helmet charts or C NAB like the

06:39

other talk that's

06:40

right now or maybe you'd like to include

06:44

a bill of materials like the SPD acts

06:46

format so there's some great work about

06:49

defining sort of standard media types

06:51

and how registries would implement

06:52

understanding them searching them like I

06:55

said we'd like to finish the

06:56

distribution spec this year there's a

06:59

lot of interest in image signing so

07:01

security in kubernetes and containers is

07:05

a hot topic and so there's a set of of

07:07

registry operators who would like to say

07:10

it'd be nice we have these CN CF

07:12

projects notary tough and Red Hat also

07:17

has a PGP based signing process so I

07:20

believe there was actually a meeting

07:22

yesterday in the u.s. time that I wasn't

07:25

able to attend to kind of kick off this

07:27

new topic about image signing and see if

07:30

we can agree on what it looks like to

07:32

sign an image run c1o is finally

07:36

finishing up like I said the

07:38

distribution spec what comes after one

07:41

so kind of one plus and then a lot of

07:43

new ideas have been presented in the

07:45

last year about container images have we

07:47

picked the best model for how we create

07:49

these tarballs of layers and so there's

07:52

a lot of great information if you go

07:54

searching on sort of OCI v2 which is not

07:57

an official name of any kind of spec but

07:59

just kind of a moniker for those

08:01

discussions so that's kind of a

08:05

whirlwind tour of OCI why it was created

08:08

what it's done what we're still trying

08:09

to do let's turn our attention to

08:12

kubernetes so you probably know this but

08:17

just in case you don't kubernetes has

08:19

never had a run time in kubernetes

08:21

itself it doesn't know how to run

08:23

containers it's an Orchestrator it's

08:26

always relied on some container run time

08:29

to do the work of actually running your

08:31

containers since the earliest days of

08:35

kubernetes that was docker via this

08:37

docker shim code which you can still

08:40

find if you go out and github poke down

08:43

in the kubernetes code base you can find

08:46

the docker shim code that drives the dr

08:48

engine to do things like when you start

08:50

a pod docker

08:52

has to actually start that container

08:54

has to interact with the couplet about

08:58

statistics operations like stopping

09:01

removing etc pulling images from the

09:04

registry and so again this is kind of

09:07

where we were

09:09

again as other runtimes appeared on the

09:11

scene there were variants of this like

09:14

rocket Nettie's to use rocket as the

09:17

runtime but as the idea of more runtimes

09:23

were kind of on the horizon it was clear

09:26

that it wasn't going to be feasible to

09:28

keep kind of integrating code with the

09:30

couplet and container runtimes and sort

09:32

of having this mess of different code

09:34

bases and and trees for different

09:36

runtimes and so the CRI interface the

09:40

container runtime interface was

09:41

announced in late 2016 as a way to

09:44

abstract out the idea of a container

09:47

runtime and how it interfaces to

09:49

kubernetes so a set of responsibilities

09:52

defined by the CRI API would be given

09:56

and if you are a runtime and wanted to

09:58

plug into cuber days all you have to do

09:59

is respond to the CRI API calls start

10:03

stop remove pull image etc then you can

10:07

go read up on sort of that whole

10:09

interface spec and there again continues

10:12

to be growth there and changes over time

10:14

as a new features are requested for how

10:17

kubernetes interacts and what kind of

10:19

information needs to be shared between

10:21

kubernetes and runtimes so kind of the

10:26

current landscape today of who is

10:28

actually implementing this interface

10:31

obviously docker continues to be

10:33

somewhat a default many people still use

10:37

the docker engine docker shim is sort of

10:40

grandfathered in it's not a real sort of

10:42

CRI implementation but when we talk

10:45

about kubernetes using runtimes

10:47

it makes sense for us to list it but CRI

10:50

and creo are kind of the the major

10:53

implementers of the CRI today I also

10:56

breakout container D to show that you

10:59

can run other Isolators underneath

11:01

container D you can also do some of

11:03

these under creo simply by just

11:06

replacing run C with other

11:07

binary's but container d developed a

11:10

shim api so that there could actually be

11:13

sort of a richer level of communication

11:16

between the runtime and these Isolators

11:19

like cata or firecracker or Google's G

11:22

Weiser singularity which I mentioned

11:25

maybe you haven't heard of it from the

11:28

high-performance computing space they

11:30

created a runtime specific to the needs

11:33

of HPC cluster workloads but over time

11:38

they added OCI compliance and then more

11:41

recently last year they added an

11:42

implementation of the CRI that again if

11:46

you wanted a kubernetes cluster in an

11:49

HPC environment and your choice was

11:51

singularity you can now actually plug

11:53

that into a kubernetes cluster and that

11:55

will drive singularity to do those

11:57

operations on containers if you were

12:01

creating your own cluster the way you

12:02

would do this sort of if you're

12:04

following Kelsey Hightower's kubernetes

12:08

the hard way when you start the Kubla

12:09

you can actually point it at a runtime

12:11

point it to the socket that's going to

12:13

actually respond to the CRI API and then

12:17

we don't have a ton of time to go into

12:19

runtime class but that's a feature

12:22

slightly newer that then allows you to

12:25

actually register runtimes with

12:26

kubernetes and use that as a way like in

12:30

your pod spec to say actually I would

12:32

like this pod run with this runtime and

12:35

then you can interface with container D

12:37

for example to place a specific workload

12:41

on firecracker or a cat or G visor so

12:44

that's kind of the the path to using

12:46

different runtimes within kubernetes

12:50

obviously if you're using a managed

12:51

service from one of the cloud providers

12:53

if your company's operations team is

12:57

running your clusters they're going to

12:58

make this choice for you and you're

13:00

going to default to whatever runtime

13:02

that they choose for your needs so kind

13:06

of where we are today Cystic just put

13:10

out a report I think within the last

13:12

month or so and this was a graphic that

13:15

they added to that report which has a

13:18

little more detail sort of textually if

13:20

you want to follow through to this link

13:22

you can read more about it but not

13:25

totally unexpected

13:26

then again docker has been the default

13:28

runtime under so many clusters operated

13:33

and in production today that that as you

13:37

would expect docker is the lion's share

13:39

of results in their survey container D

13:43

up to 18% and crea 4% and growing again

13:48

creo has become the default in Red Hat's

13:51

OpenShift

13:52

and so you can expect that that number

13:54

will grow as well so we put out a blog

13:59

post early last year just talking about

14:01

our work to integrate container D so I'm

14:03

a maintainer in the CNC F container D

14:05

project and so you can read more about

14:09

our work to bring that to GA and that's

14:12

led to IBM's managed kubernetes service

14:15

ease in container D is a runtime gke has

14:18

it as an option and then last week at a

14:21

BBS reinvent Amazon announced that they

14:26

were using container D with as the

14:29

default runtime for Fargate and so we

14:32

see again a lot of movement in the space

14:34

as people make other choices and sort of

14:36

defaulting to docker and so be

14:39

interesting in a year to see where this

14:41

goes now in 25 minutes it's really

14:45

almost impossible to kind of detail why

14:48

would I choose if it was up to me if I

14:51

was creating the clusters why would I

14:53

choose different runtimes there's

14:55

obviously maybe a myriad of choices

14:58

around performance or stability

15:00

extensibility maybe you're really

15:03

interested in your runtime being

15:05

directly compatible to a kubernetes

15:07

release and so the creo team has made

15:10

that kind of a tenant of how they exist

15:14

so creo 1.16 you know for sure that was

15:17

tested fully ended and passes all the

15:20

sweets for kubernetes 1.16 maybe you're

15:23

interested in additional isolation like

15:25

cata nabla G visor etc etc I did try and

15:32

sort of answer these questions in a talk

15:34

at

15:36

coupe con San Diego last month so you

15:39

can watch that or see the slides as well

15:41

if you want to dig deeper into that

15:43

topic I would like to highlight that

15:46

there is increased interest in this

15:49

whole idea of maybe default container

15:52

isolation isn't enough for my workloads

15:55

for my threat models and so there's a

15:58

lot of people in the security community

16:00

talking about this such as this tweet

16:01

that came out around coupe con last

16:05

month and again it was an area I would

16:08

because I've worked in run times I've

16:11

been interested to see sort of the

16:12

announcements and the the rollouts of

16:14

different use cases and if you were in

16:18

this room a few hours ago

16:20

Atlassian talked about their use of cata

16:23

which was quite interesting as a

16:26

additional isolation layer in their

16:28

pipelines capability so I read an

16:31

article in info queue published in

16:33

October again a lot more detail about

16:36

why are people interested in sandboxes

16:38

who's using them and kind of where where

16:40

they might be going from here so the

16:43

good news is no matter who's choosing a

16:46

runtime there's a there's a way to

16:51

interface with it that doesn't rely on

16:53

your operators having to know the the

16:56

client tooling or the specifics of a

16:58

specific runtime and so that tool is

17:01

called CRI CTL and so if your cloud

17:05

provider creates you a kubernetes

17:08

cluster and gives you access to a worker

17:10

node hopefully you'd be able to find

17:12

this command and you can start talking

17:14

directly to the CRI socket four-year

17:18

runtime so no matter if that's docker

17:19

carrillo container d you can do things

17:22

that sort of feel natural things you'd

17:25

expect to do like PS commands there's

17:28

some sort of special commands with extra

17:30

characters like stop p4 stop a pod

17:33

versus topic container removing pulling

17:36

images listing images so again this is a

17:39

way for your operators to again abstract

17:42

away from this idea that we have to know

17:45

exactly the runtime and so you can read

17:48

there's

17:49

a user guide the CRI team for container

17:52

D put together and obviously the code

17:54

for that is within kubernetes so I think

18:01

you know summarizing what I hope to have

18:05

to have shared is that the OCI was a

18:07

really valuable step in kind of this

18:10

explosion of interest in the container

18:12

ecosystem to have a level playing field

18:14

so that we're not all fighting each

18:16

other with different tool choices that

18:18

mean we can't work together so the fact

18:21

that that as of you know these last few

18:24

years that that we don't have to worry

18:26

about whether our developers are using

18:28

the same exact runtime as our operations

18:31

or production team and these higher

18:33

layer layer as abstractions can have

18:37

real interoperability that that's been

18:40

proven and the fact that we got all the

18:43

right people together to collaborate and

18:45

put that together hopefully means we've

18:48

delivered on kind of maybe making the

18:50

runtime space boring after all the talk

18:52

of sort of the container runtime wars of

18:55

of 2015 another I think sort of side

19:00

effect which I call the network effect

19:02

of having this this positive peer

19:06

pressure to be OCI compliant is that the

19:09

LXE team and the singularity team added

19:13

OCI compatibility to their runtimes

19:16

which are not necessarily docker like

19:18

and so that was great to see that the

19:23

expectation is that in the container

19:25

ecosystem OCI compliance is valuable and

19:29

useful for users and so add to that the

19:33

CRI and we really have gotten to the

19:36

place where sort of plug ability with

19:38

your kubernetes cluster is a reality and

19:41

again we can hear from other talks that

19:44

people are actually using these features

19:45

they're actually doing this and

19:47

implementing this again whenever we I

19:51

think some things that are still in

19:53

progress choice is always confusing

19:57

because people want to know why what

19:59

should I choose just tell me the right

20:01

answer and

20:02

it's not always easy in a world where

20:03

there's lots of choices and so one of

20:09

the reasons I give this talk and

20:10

hopefully others are sharing their

20:13

experiences is so people have some data

20:15

and some information to make these

20:17

choices themselves and so it doesn't

20:18

become just a a crazy set of choices and

20:22

and confusing decisions so hopefully

20:26

we're helping users make those choices

20:27

to determine you know do I need

20:30

sandboxing isolation like G Weiser

20:32

ricotta are the default runtimes good

20:35

enough for my use cases what are the

20:37

threat models and again there's a lot

20:39

going on the security space in

20:40

kubernetes to try and help people figure

20:43

those things out I think also in a world

20:46

where a lot of this is still maturing is

20:49

obviously companies do like common

20:51

tooling choices enterprises like to know

20:54

that people are sort of all using a

20:56

standardized thing so in a world where

20:58

we're seeing a lot of docker migration

21:01

to other other tools and other platforms

21:05

you know where where do we send people

21:07

for this kind of docker run use case

21:10

that everyone has sort of accepted over

21:12

the years and then finally as I tried to

21:16

hint at I think we're trying to keep

21:19

momentum in the OCI for challenges that

21:21

still exists things that are still of

21:23

interest to users to standardize so

21:26

though for example we don't have a

21:28

myriad of choices if I use Azure

21:31

registry or IBM cloud or Google that we

21:34

have different ways to sign images or to

21:36

verify or validate images and so

21:38

hopefully the OCI will continue on being

21:41

a valuable place where we have those

21:44

discussions figure out a common path

21:46

forward and and make this

21:48

straightforward for users and operators

21:51

to continue using these valuable tools

21:54

so with that that's what I wanted to

21:57

share today we have a two and a half

22:00

minutes officially on the clock but it's

22:03

also break time in a few minutes so I'm

22:06

happy to answer questions here I'm happy

22:08

just to to hang around so anyone have a

22:11

burning question before we officially

22:13

close

22:15

and I can barely see but I'm happy to

22:20

pass a mic if if so and I think people

22:24

are maybe more interested in break-in

22:26

questions so let's end there and thanks

22:29

very much for listening

22:30

[Applause]