{"id":104,"date":"2020-04-07T15:18:31","date_gmt":"2020-04-07T13:18:31","guid":{"rendered":"http:\/\/blog.nikster.de\/wordpress\/?p=104"},"modified":"2020-04-07T15:18:31","modified_gmt":"2020-04-07T13:18:31","slug":"glossary-on-linux-container-technology-runtimes-and-orchestrators","status":"publish","type":"post","link":"https:\/\/blog.nikster.de\/wordpress\/index.php\/2020\/04\/07\/glossary-on-linux-container-technology-runtimes-and-orchestrators\/","title":{"rendered":"Glossary on Linux container technology, runtimes and orchestrators"},"content":{"rendered":"\n
Microservices<\/td>Lots of \u201eslim\u201c and “autonomous” Processes, scalable seperately and, in the best case, replicable.

Pro:<\/strong> scalability and resilience
Con:<\/strong> complexity and traceability\/transparency (Zipkin \u2192 Tracetool)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Container \/ Vms<\/td>Container technologies (here: Docker, rkt, etc.) use Linux Namespaces to enable runtime isolation for processes on the underlying OS (read: underlying Kernel, LXC, runc, etc.).
Example Namespaces are:<\/em>
– mnt
– pid
– network
– user
– etc. (uts, ipc)

a little bit<\/em> like chroot (->mnt) but much more granular.
different from<\/em> (e.g.) Vms<\/strong> \u2192 Hypervisor on Ring X + dedicated OS, sep. Kernel) or<\/em> Jboss<\/strong> as Containers (Runtime environments are located somewhere in between on the OS, Isolation through standard OS utils).

Pro<\/strong> \u201eContainer\u201c:<\/strong> saves resources, replicable (e.g. Images w. Pipeline)
Pro Vms:<\/strong> security<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Namespaces + cgroups<\/td>Linux Namespaces<\/strong>:
“quasi pseudo virtual machines” (overlay for Filesystem (mnt), Network, Pid, etc.).

build them yourself:<\/em>
“unshare –fork –pid –mount-proc bash”
(forks a new PID Namespace through the syscall unshare and starts a bash)

there you go:<\/em>
PID 1 in a new space (and a second to see the first one with ps).
“Ps aux” \u2192 note pts and call “ps aux” from outside<\/em> the new namespace to see it’s “real<\/em>” PID.

nsenter:<\/em>
calls a programm in the respective namespace (from the outside, read: the OS, just lookup the PID and go ahead).
Example:<\/em>
“sudo nsenter -t 13582 –pid htop, -t = “PID of the \u201enamespace Bash\u201c –pid = “type of space”, Programm”

Cgroups:<\/em>
they limit and\/or prioritize the resources of the respective Space.
(similar to nice or quota).
Example:<\/em>
“cgcreate -a nkalle -g memory:memgrp”
(create cgroup, -a Allowed User, -g Controller(in this case: Mem):Path(specify your own)

Seccomp-bpf:<\/em>
Use it to limit syscalls in your namespace (read, write, kill, etc.).
In docker it is implemented via “–security-opt<\/strong>” and in kvm through “–sandbox<\/strong>“<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Container Runtime<\/td>There exist several types of “container runtime”.
In Principle, everything that runs inside a container, can be called “Container Runtime”.

But:
There exist some standards though, created by the OCI<\/strong> (open container initiative).
For example: the runc<\/strong> Library (reference Implementation of OCI runtime specification).

Dockers contribution to containerization is “only” the ease of running containers through more or less standardization, one could say.
Anyway:

Runtimes can be distinguished in High- and Low-Level runtimes.<\/strong>

Low<\/strong> (\u201ereal\u201c runtime): lxc, runc (\u201erun\u201c Containers based on Namespaces and CGroups)
High<\/strong>: CRI-O (Container Runtime Interface), containerd (Docker) \u2192 implement additional Features like APIs (Docker uses it to implement additional Features implementiert, like downloading Images, unpacking, etc., the High-Level runtimes themselves use runc, though.)
RKT<\/em> could be considered high-level (it uses runc, implements lots of Features, said to be more secure than Docker)

build your own “container runtime” with standard Linux Tools:
create cgroup (cgcreate)
set attributes for cgroup (attr -s)
execute commands (sudo cgexec -g memory:memgrp bash)
move it into it’s own namespace (unshare) <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Docker<\/td>Docker consist of:
dockerd<\/strong> (Image building, e.g..: \u201edocker build\u201c with dockerfile)
containerd<\/strong> ((Image)managment, e.g..: \u201edocker image list\u201c, etc.) (High-Level Runtime), https:\/\/containerd.io\/img\/architecture.png
runc<\/strong> the Library containerd includes to spawn containers, etc.
Docker images<\/strong> consist of Layers (e.g..: Debian Base Image).
So the Baseimage may be the same for all Containers gleich sein but the applications may be different ones.
For example: all Applications may use the same Libs (write-protected Layer) but also bring their own Libs (\u201eopen\u201c Layer).
If something must be written to one of the underlying Layers, it is done in a copy of that layer, which resides in Memory.

important commands:
docker import<\/strong> (imports an Image – from a Tarball for example)
docker image ls<\/strong> (shows all Images)
docker tag<\/strong> (names the image)
docker run -i -t stretchbase bash<\/strong> (executes a command Command (Bash) in a Container (named stretchbase and attaches you to that bash)
docker run -d –name “apache-perl-test” –network test-net -p 8082:80 apacheperl<\/strong>
docker login<\/strong> (logs you into the respective docker repo, defaul is dockerhub)
docker push<\/strong> (pushes the Image to the respective hub)
docker build<\/strong> (builds the new Image, based on the base image and a dockerfile)
docker exec<\/strong> (executes a command in an existing container, good for debugging)
docker info<\/strong> (status information)
docker logs<\/strong> (shows the Logs of a specific Container)
docker inspect<\/strong> (shows Properties of a specific Container)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
Kubernetes<\/td>could be defined as: <\/em>
Super-High Level Container Runtime<\/em> with CRI (Container Runtime Interface) as the Bridge between kubelet (\u201ethe heart\u201c of Kubernetes: Agent on Master and Nodes that manages everything) and the runtime.

A Container runtime that wants to work with Kubernetes, must support CRI.
https:\/\/storage.googleapis.com\/static.ianlewis.org\/prod\/img\/772\/CRI.png
supported (CRI)Runtimes:
Docker<\/em>
containerd<\/em> (this is docker more or less)
CRI-O<\/em>

CRI Specs:
CRI is a gRPC API (modern RPC) with a google specific Protocol.
(Protocol Buffers: https:\/\/developers.google.com\/protocol-buffers\/) \u2192 serialization Interface ala XML

Kubelet uses CRI to communicate with the Runtime (RPC: e.g.: pull Image, start\/stop Image\/Pod, etc.)
This can also be done manually via crictl<\/em>.

Kubernetes consists of Masters and Workers.

One (or more) Master<\/strong>s contain the management tools:
API-Server<\/em> <\/strong>(connects the components of the cluster)
Scheduler<\/em> <\/strong>(assigns the components (e,g. Applications, Pods, etc.) to the workers)
Controller-Manager<\/em><\/strong> (manages Cluster outages, Replication, Worker status, etc.)
ETCD<\/em><\/strong> distributed Data storage, which always contains the cluster status as a whole.

One (or more) Worker<\/strong>s contain the Pods<\/strong> and\/or Applications:
Docker<\/strong><\/em> (or another Runtime is running there (may also run on the masters))
Kubelet<\/em><\/strong> (the Agent, responsible for communication between master and worker, which manages the containers, etc.)
Kube-Proxy<\/em><\/strong> (Network- and Application Proxy)

How does it work?<\/strong>
To run an application (maybe consisting of several micro services), it must be described (yaml manifest) and published to the API.

The Manifest<\/em><\/strong> contains all Information about the Components\/Applications, how they relate to each other (e.g. Pods), the workers they should be running on (optional), how many Replicas there should be (optional) and much more (more on the Topic and Formats: here<\/a>).

The Scheduler<\/strong><\/em> manages which Container group (Pod) should run on which Node (monitoring the cluster resources and doing some magic).

The Kubelet<\/em><\/strong>, for example, tells the runtimes to download images, execute the Pods and much more.

ETCD<\/em><\/strong> continually tracks and monitors the status of the cluster.
And, in case of malfunction of a component (e.g.: death of a node), a Pod would be restarted on another node by the controller manager and kubelet.

important Commands<\/em><\/strong>:
kubectl<\/em> (main command for Mgmt., Settings, Deployments, etc.)

kubectl cluster-info (statusinfo)
kubectl cluster-info dump (dumps etcd content to the Console)
kubectl get nodes (lists all nodes)
kubectl describe node $nodename (returns Properties for the Node, CPU, Mem, Storage, OS, etc. pp.)
kubectl get pods (lists all pods) (tip: -o wide)
(tip: -o yaml, returns Pod descrition as yaml, useful for defining new Pods)
kubectl get services (lists exposed pods\/replicasets = services)
kubectl delete (service|pod|etc) (deletes)
kubectl port-forward $mypod 8888(localhost):8080(pod) (creates portforwarding on localhost, useful for debugging)
kubectl get po \u2013show-labels bzw. -L $labelname (groups pods by lables)

how to create pods manually<\/strong><\/em> (not recommended, except for testing)

kubectl run<\/em> blabb \u2013image=gltest01.server.lan:4567\/nkalle\/jacsd-test\/jacsd:master
–port=8081 \u2013generator=run-pod\/v1 \u2013replicas=1 (creates a replication controller with 1 replica, without \u201ereplicas = normal pod)

kubectl scale<\/em> rc blabb –replicas=3 (scales replicas manually)

kubectl expose<\/em> (rc|pod) \u2013type=(ClusterIP|LoadBalancer|etc.)\\
\u2013name blabb-http \u2013(external|load-balancer)-ip=10.88.6.90 \u2013target-port=8080 \u2013port=6887 (target-port is inside the Container, port is on the ext. IP)
(exposes pod\/service outside the cluster\/node)

API-Doku: https:\/\/kubernetes.io\/docs\/reference\/

Pods<\/em><\/strong>
Pods are groups of containers, which exist in the same namespace and on one worker.
If a pod contains several containers, they run on the same worker (a pod may never use multiple workers).
A Process should run inside one contianer and a container should run inside a pod.
Everything that should be able to scale separateley, should also get it’s own pod.
(Example: Apache Frontend\/Mysql-Backend \u2192 2 Pods).

create Pods with yaml<\/strong><\/em>

Usually Pods aren’t created manually with the above commands, but through yaml Files which are published to the kubernetes API.
Read more about it here<\/a>.

\u201eKubectl get pods $podname -o yaml\u201c is a good start to create a new Pod based on an already existing one.

important parts of the yaml description:<\/strong><\/em>
API Version<\/em>: which version to use v1 – stable, v1\/beta – Beta (Check the Link above).
metadata<\/em> (Name (name:), Namespace, Lables, Infos)
spec<\/em> (Content\/Container (containers:), Volumes, Daten)
status<\/em> (Status, internal IP, basics, not writable, Kubernetes Info!)

For orientation check the above API-Reference, but also explain<\/em>:
kubectl explain<\/em> pods (describes all Attributes of the Object)
kubectl explain<\/em> pods.spec (describes all Fields of the Attribute: spec)
you get the idea.

kubectl create -f mypoddefinition.yaml (API is used through kubectl)

Volumes:<\/em><\/strong>
A Volume may be used by the entire Pod, but has to be mounted first.
popular Storage Solutions out there: nfs, cinder, cephfs, glusterfs, gitRepo \u2013 but there are way more…

Without a volume for shared use and persistence of Data, most Pods are useless.
For Testing, one may use emptyDir, which adds volatile storage to the pod.

For real persistence though, one will need one of the storage solutions mentioned above (nfs for example as it doesn’t take much effort to set it up).
This is called a Persistent Volume (or PV).
A PV can be configured for the whole cluster via the API:
– PV: kind_PersistentVolume

Next a “Persistent Volume Claim” has to be made.
– PVC: kind_persistentVolumeClaim

Now one may create a pod that references the PVC.

As everything Kubernetes, this is highly customizable and volumes may be claimed and provided dynamically or statically.

Read this:
https:\/\/kubernetes.io\/docs\/concepts\/storage\/persistent-volumes\/
https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/configure-persistent-volume-storage\/<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Microservices Lots of \u201eslim\u201c and “autonomous” Processes, scalable seperately and, in the best case, replicable. Pro: scalability and resilienceCon: complexity and traceability\/transparency (Zipkin \u2192 Tracetool) Container \/ Vms Container technologies (here: Docker, rkt, etc.) use Linux Namespaces to enable runtime isolation for processes on the underlying OS (read: underlying Kernel, LXC, runc, etc.).Example Namespaces are:– … <\/p>\n

Continue reading “Glossary on Linux container technology, runtimes and orchestrators”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[44,40,3,31,43,39,42,41],"class_list":["post-104","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cgroup","tag-chroot","tag-docker","tag-kubernetes","tag-namespace","tag-runc","tag-runtime","tag-virtual-machines","entry"],"_links":{"self":[{"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/comments?post=104"}],"version-history":[{"count":9,"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/104\/revisions"}],"predecessor-version":[{"id":114,"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/posts\/104\/revisions\/114"}],"wp:attachment":[{"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/media?parent=104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/categories?post=104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.nikster.de\/wordpress\/index.php\/wp-json\/wp\/v2\/tags?post=104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}