There’s no surprise that Linux containers continue to be of interest to developers, especially with the docker project providing a great user experience around building containerized applications. It’s this experience and ease-of-use that make Linux containers such a valuable tool to application development, and has made containers an essential tool in a developer’s toolbox, enabling them to package application services and dependencies for consistent deployment, from the desktop across the hybrid cloud.
Increasingly, many enterprises want to bring this same Linux container innovation to their production environments. Containers can provide greater efficiency for infrastructure utilization and operational management, allow for application portability across physical, virtual, and cloud environments, and support both traditional and modern, cloud-native applications. That’s why Red Hat works with many enterprise organizations that are using solutions like Red Hat Enterprise Linux and OpenShift Container Platform, all to provide a trusted container platform from development to production today.
In order to continue expanding the usage of containers in production, these organizations need a simple, stable environment for running production applications in containers. Providing this environment is the focus of a new, Red Hat-backed project in the Kubernetes incubator called OCID (Open Container Initiative Daemon). The OCID project aims to help organizations optimize containers running in production environments and the IT operations teams managing these deployments.
Taking containers beyond development
The OCID project is aimed at exploring new innovations in container runtime, image distribution, storage, signing and more, with an emphasis on driving container standards through the Open Container Initiative (OCI). OCID is not competitive with the docker project - in fact it shares the same OCI runC container runtime used by docker engine, the same image format, and allows for the use of docker build and related tooling. We expect to bring developers more flexibility by adding other image builders and tooling in the future. As we provide new innovations through OCID, our goal will be to drive these technologies as OCI standards, working together with Docker Inc., and other OCI members.
Running containers at scale, in production environments, also requires robust container orchestration and cluster management. Red Hat is a leader in driving these types of capabilities in the Kubernetes project and, together with Google and a growing number of contributors, we are working to provide governance and standardization around Linux container orchestration through the Cloud Native Computing Foundation (CNCF). We also deliver an enterprise Kubernetes solution to customers in the form of OpenShift, which is built on a foundation of Red Hat Enterprise Linux.
Container orchestration engines like Kubernetes must have native, optimized integration with the container runtime daemon, and OCID will work to provide this by implementing the Kubernetes standard container runtime interface. Kubernetes is a great proving ground for OCID and, as OCID is a Kubernetes incubator project, Red Hat plans to continue working with the Kubernetes community to drive innovations for running containers at scale, across development, test and production environments.
What is OCID?
OCID is an implementation of the Kubernetes standard container runtime interface. In order to run containers, the daemon needs to be able to pull, store and execute the container images.
OCID follows the time-tested Unix philosophy of modular programming by breaking out its functionality across the following sub-projects:
-
OCI Container Runtime Environment (runC)
-
OCI Runtime Tools
-
Containers/image
-
Containers/storage
-
CNI (Container Network Interface)
What is runC?
The Open Container Initiative introduced the Container Runtime specification and a default implementation of it, called runC. At a basic level, a “runtime” is software that supports the execution of a computer program; in this case, runC is the runtime supporting the execution of Linux containers according to the OCI specification. As of docker-1.11, upstream docker uses runC by default for running its containers. OCID plans to also use runC as the default runtime for its containers, and contributors will work on various ways to improve runC functionality for upstream docker as well as the standalone tool.
What are oci-runtime-tools?
OCI runtime tools are a set of utilities to work with an OCI runtime. oci-runtime-tools can be used to generate an OCI Runtime specification that runC can be used to run a container. In OCID, we use the config generation library from this project to generate configuration for the containers running in a pod in OCID.
```
# oci-runtime-tool generate --bind /var/lib/data:/data1 --tmpfs /run --rootfs /mnt/fedora /bin/bash
# runc start -b /mnt/fedora
```
What is containers/image?
This library allows OCID to pull and push container images from a registry. With the creation of Project Atomic, we began building tools like `atomic verify` that would look at the version of a container image and compare it to the container image on a docker registry. We did not want to pull down the image, but rather just look at the image data - sort of like “looking without touching.” The docker community showed little interested in such a capability, so we decided to build a small tool to meet our need, leading to the birth of skopeo, which means “remote viewing” in Greek. Eventually skopeo expanded in functionality to be able to pull and push images (“touching”) as well as just looking at image data - for the future, we’re even considering making simple image signing a capability of the tool. Since skopeo is a command line tool we decided to split it into skopeo plus a library called containers/image to pull and push container images from a registry.
What is containers/storage?
This library aims to provide methods for storing filesystem layers, container images, and containers. Originally, we set out to build a tool called `atomic mount`, which would allow users to mount a container image stored in docker on the host file system. For example, `atomic mount fedora /mnt` will mount the image onto /mnt and allow you to explore the image. The problem with this is that doing so is somewhat tricky, in that the docker daemon has no way of knowing that the image is mounted, and someone could attempt to remove the image using `docker rmi fedora.`
The docker daemon stores its images into something called a graph. We wanted to separate out the graphdriver into a separate library and, instead of using in-memory locks which are only visible to the docker daemon, move to file system locks which could be shared by multiple cooperating processes. As we worked on this, upstream docker was changing at a rate that made it difficult to build off of. We decided to split out storage altogether, allowing us to experiment with using COW (Copy On Write - like overlayfs, or devicemapper graphdrivers for docker) as well as read-only file systems on non-COW systems, and also experiment with using tools like NFS for remote storage of container images. This efforted has culminated in http://github.com/containers/storage for the continued development of this effort. Once we are happy with how this is working, we would like to open a pull request with docker to potentially use this storage library.
For both containers/image and containers/storage, we want to drive broad collaboration. To do so, we will look to work with rkt and other tools by encouraging them to incorporate these technologies into their respective projects.
What is CNI?
CNI is a standard for providing networking support to containers. OCID plans to integrate and use CNI for container networking so that it can reuse existing CNI plugins in the Kubernetes ecosystem.
With OCID, the goal is to build a new, more stable container runtime option for Kubernetes clusters, emphasizing running containers in production as opposed to just developing containerized applications. As always, Red Hat achieves this goal by engaging with upstream open source communities and contributing our ideas and code. OCID will be designed to work well with docker and the existing Linux container ecosystem, so developers can continue to use docker and the other tools that they are comfortable with to build OCI images. As the OCI Image format formalizes into a full-fledged standard, we look forward to keeping this work going by engaging with other emerging tools to build images that can be deployed into production, and that incorporate enterprise requirements of stability, reliability, security and performance.
저자 소개
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Senior Distinguished Engineer at Red Hat. He joined Red Hat in August 2001. Dan leads the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years.
Dan helped developed sVirt, Secure Virtualization as well as the SELinux Sandbox back in RHEL6 an early desktop container tool. Previously, Dan worked Netect/Bindview's on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project, AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.