Transcript Virtualization-Redefined-11-10-2014x

Virtualization Redefined:
Embedded virtualization through CGE7 and
Docker.
Paul Farmer
Technical Solutions Engineering Manager
MontaVista Software
[email protected]
Setting the Stage
Docker is a new leading container based
technology that offers a more efficient and
lightweight approach to application deployment.
Using this technology together with CGE7 creates
a powerful solution for key use-cases in the
datacenter and networking in general.
This presentation focuses on introducing Docker
interoperation with CGE7.
Agenda
Virtualization Technologies
Performance Benchmarks
Use Cases
Docker Advantages
CGE7 Advantages
Summary
Q&A
Virtualization Technologies
History of Virtualization Technologies
Virtual Server
from
Microsoft
VMware workstation
1960 1982 1995 1999
2001
2003 2004 2005
Hypervisor on
UNIX from
IBM
chroot
Xen
&
QEMU
KVM
CGE7
from
MontaVista
CGE & Virtual
Resource Manager
from
MontaVista
ESX server from
VMware
Java
Deterministic KVM from
MontaVista
Solaris
Containers
Hypervisor on
CP-40 and CP-67 from
IBM
2007 2008 2009 2010
2013 2014
OpenVZ
Docker
LXC
Virtualization with bare
metal performance from
MontaVista
Complexity of Virtualization
Technologies
HW
Emulation
Complexity
OS
Emulation
HW
Simulation
Application
Protection
CPU
(MMU) Virtualization
Device
(VT-x)
Virtualization
(VT-d)
Containers
Time
Virtualization Technologies
Containers are lightweight:
– share the host OS kernel
– share the host OS root filesystem wherever appropriate
Virtualization Technologies
Docker provides a unified access to
– Linux container technology (cgroups, namespaces)
– Various container implementations (lxc, libvirt, libcontainer, etc.)
‘libcontainer’ is Docker’s implementation of container technology
Virtualization Technologies
Docker – Underlying Technology
Performance Benchmarks
I/O Performance
I/O Performance
IBM Research Report July, 2014
Real-time Latency
Cyclictest
Intel Ivy bridge based 4 core with hyper-threading
(8 logical cores) each running @ 2.2 GHz.
8 GB RAM
Math Performance
IBM Research Report July, 2014
Random Access Performance
IBM Research Report July, 2014
Security of Docker Containers
How secure are Docker containers?
Intrinsic security of containers
– Depends on kernel namespaces and cgroups feature
– The code base has been around for more than 6 years
Attack surface of the Docker daemon
– currently Docker daemon requires root privileges, and you should therefore be
careful
– Solution: Two additional security improvements
– Map the root user of a container to a non-root user of the Docker host, to
mitigate the effects of a container-to-host privilege escalation;
– Allow the Docker daemon to run without root privileges
"Hardening" security features of the kernel
– Linux Kernel Capabilities
– Kernel with grsecurity and PaX
– Linux Security Modules
Security in CGE7
Standards Conformance
– CGL 5.0, STIG 2.0, USGv6, OSPP
“Hardening” security features of the kernel
– PaX, Linux capabilities, SELinux, etc.
CVE - Common Vulnerabilities and Exposures
Wide Deployment
Use Cases
Platform-as-a-Service (PaaS) Cloud
Containers-Based Multi-Tenancy in
the Cloud
Bundling/Consolidating HW+SW
Configurations in Network Servers
Consolidate certain legacy applications all on the same platform
Bundle HW plugin and SW plugin components with automatic
configuration:
–
Launch Docker image automatically based on hot plugging of certain HW
Migration Between Legacy
Virtualization and Containers
Move applications dynamically to and from KVM Hypervisor-based applications
to Docker-based application contained in either virtual machines or containers
domains.
Cloud RAN
Docker Advantages
Docker Advantages
Portability across machines
– A containers-based virtualization solution suitable for dynamic multinode cloud deployments.
– Live Migration capabilities.
Security and Isolation of services and applications
– Comply with legal or contractual obligations to isolate an application.
– Prevent flawed applications from compromising the rest of the system.
Limit resource usage
– Get higher density and run more workloads.
Application-centric, easy and fast removal and addition
Docker Advantages
Copy-on-write mechanism
– Every instance of your Docker image uses the same files until one of
them needs to change a file.
– Better utilization of system memory.
– Higher density of containers for a given resource than other container
implementations.
Version control
Container Repository
Component reuse
– Reducing the cycle time of development, testing and deployment
– Easy to deploy PaaS-type solutions
Active Community
Docker Security
If you really have to give root, give looks-like-root
If that’s not enough, give root but build another wall
Don’t run regular applications as root
– Remove SUID binaries, SUID bit, mount file system with nosuid
– Limit available syscalls (seccomp-bpf = whitelist/blacklist syscalls)
– SELinux (assign different security contexts to containers)
System services do not all have to be run as root
– whitelist/blacklist devices
– Prevent unauthorized access control (AppArmor, SELinux)
CGE7 Advantages
Virtualization in CGE7
Virtualization in CGE7 offers the best combination of flexibility,
performance and ease of application development
1. KVM Hypervisor
Full virtualization with
Paravirtualization options
2. Linux Containers
Operating system resource virtualization
(lxc, Docker)
3. Core
Isolation
Multicore I/O Symmetry
Intel Multiprocessor Specification Version 1.4
“Carrier Grade Docker” Advantages
Combining Docker with an embedded, Carrier Grade distributions,
such as CGE7, offers several advantages over plain desktop
distributions:
100% native Linux with real-time performance features including
hrtimers, core isolation and other enhancements
Support for various virtualization technologies
– You can choose the right virtualization technology for the right problem.
Long term commercial support options with customizable models for
different use-cases
The same advantages can be extended to Cloud components like
OpenStack
– Full use-case support using a single baseline.
Multi-Architecture support for
Docker
True multi-architecture platform with support for
ARM64 exists today in Embedded Baselines (like MV
CGE7)
– Enables Docker on all these architectures
Best approach is align with community development
– Linaro Networking Group (LNG)
– GNU GCC (4.9+) with Go support (gccgo)
Support on a single Carrier-Grade Baseline provides
the best stability and deployability on the field
Summary
Which Virtualization Solution Do
You Choose?
Performance Requirements?
Functionality and ease of use?
How much legacy content do you want to
preserve?
Questions?
Backup / rough slides
Performance Benchmarks
Host v/s Docker v/s KVM
•
Real-time Latency
•
Network Performance
•
Process related latency
•
File-system Performance
1. Real-time Latency
Cyclictest
2. Network Performance
netperf
3. Process Creation
lat_proc (lmbench)
4. Page Fault
lat_pagefault (lmbench)
4. File-system Read Performance
IOzone
4. File-system Write Performance
IOzone