A very interesting day at Container Camp London, with lots of interesting talks and a few good conversations with vendors during the breaks.
As I sit back and reflect on what was covered and what kept recurring, a few things immediately stand out.
There is starting to be a realisation that it's nuts to spin up a VM just to run containers on it.
There are lots and lots of tools out there, all with different ideas, all overlapping, and no one is really sure if they are doing the right thing.
LXD should be given more consideration (though that is possibly just my opinion).
Talks came from both large, well-known companies (think Google, Docker, Joyent) and smaller, very container-specific companies. Each talk was around 30 minutes long and covered a wide variety of topics, something I think ties in with the huge amount of choice out there for doing all the different things you can do.
The opening talk was given by Bryan Cantrill of Joyent, and what an excellent choice it was. While he was there to promote the idea that it's silly running containers in VMs, and that Joyent's project Trident has done away with the whole container-on-VM arrangement, the route he took to get us there made for an excellent, informative and interesting start to the day: history, why VMs are good and bad, the idea that every time you switch one on you're pulling the 1960s along with it, and that railway gauge standardisation was the Victorian equivalent of Hacker News. The idea of running containers directly on the hypervisor layer was also demonstrated during a lightning talk given by VMware at lunch, particularly memorable as they spun up a container running DOS 6 and started Doom. All very cool and a great way to show off to a bunch of geeks.
A few of the talks were given over to management tools, all of them different, all with a core focus on slightly different layers, but all with duplication and overlap of each other and of the other tool sets used around containerisation.

Rancher is a SaaS service that allows you to see, build and deploy across all the big cloud providers as well as custom locations. It works with Fleet, Kubernetes and Mesos and looks really interesting. Their talk was given by Shannon Williams, VP of Sales and Marketing, but you might know him better as the co-founder of Cloud.com, which was sold to Citrix.

Google's Kubernetes was demoed by Mandy Waite: a very interesting look at how Google thinks of containers and at the scale its developers work with. When your example starts with 5 and most people nod, and then gets flipped to 10000 because, well, that's what they normally need, it really gives an idea of the scale they need to go to and why, even though they were very much at the cutting edge of containers when the rest of us started to think about them, they got really excited at all the new-found love.

Later on Alissa Bonas of Red Hat showed off a tool called ManageIQ. As I have said, there is a lot of overlap between tools, and there are certainly areas where this tool and Rancher overlap, but it had different functionality that was very interesting, such as giving information about the underlying machine the containers were running on. Something I can see being very useful if you have random container issues and can tie them all back to a single VM.

What is amazing about all of the tools that were demoed is that they are all open source, they are all looking for people to help with their development, and yet they are all so polished. You might expect that from a Google core product, but both Rancher and ManageIQ are very, very slick-looking products and well worth investigating.
There was an excellent talk given by Arjan Schaaf on container performance in the cloud. Arjan had dedicated a large amount of time to comparing Azure and AWS, trying to match machine sizes for network bandwidth, and then comparing the tools that make containers sing (Weave, Project Calico, Flannel UDP and Flannel VXLAN) and how well they performed in bandwidth, latency and CPU. Some very interesting results, some of which can be found on his blog.
We then moved on to Miek Gieben and a talk around DNS (well, he is one of the people who brought us the speed in 8.8.8.8) and a few other things they do at Improbable.io. One of the cool things from his talk was the mention of a tool called Dinit, allowing you to run and control multiple processes within one container; yep, you're not supposed to, but it is possible....
Two very interesting talks around security, from two different sides: Ben Hall on his company's Scrapbook project and what giving people free access to a container can do, and then Diogo Mónica on the tools Docker are providing so you can be sure that the container you are running is what you expect.

Scrapbook gives root access to a container, so a certain level of mischief was expected from a percentage of people: the usual things such as deleting stuff, poking around to see what was running, and so on. This talk was more around some of the bigger issues that were found. By default every container running on the same system can be found in the /etc/hosts file (to disable this, start the containers with --icc=false). You can kill off the host if you run shutdown in a container started with --net=host. There are no CPU restrictions, and Docker logs can grow very quickly: how simple a way to create a denial-of-service attack... kill all the CPU or fill the disk with logs (saying that, I hope everyone runs their logs in a separate partition?). Bandwidth can't be restricted. Useful tools include docker diff, which lets you see what they have done to the container, and Sysdig, a great tool that was also spoken about and is really useful for monitoring what's happening within a container.

The second talk around container security, by Diogo, who works for Docker, was on how the Docker team have taken TUF (The Update Framework), developed for the Tor network, and created a tool called Notary. While they are using it to sign containers, it also has the potential to be used for securely signing any type of package, possibly anything at all. Working with keys at multiple layers, including an off-line key, it provides multiple layers of signing protection. From Notary they have implemented Docker Container Trust. More on this can be found here. For now it's disabled by default, but they are hoping to make it the default very soon.
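To make the docker diff step concrete, here is an added triage script (my own example, not code from Ben Hall's talk or from Docker) that parses docker diff output from a throwaway container and flags changes under paths that matter for persistence, account tampering, binary replacement and log deletion, while skipping the parent-directory entries docker diff always lists; the watch-list and the sample diff are constructed for illustration.

```python
"""Triage `docker diff` output (A=added, C=changed, D=deleted) from a throwaway container.
Added example, not code from the talk or from Docker; watch-list and sample are constructed."""
import re
from collections import defaultdict

# Path prefixes where a change on a scratch container deserves a look (tune for your image).
WATCH = {
    "persistence": ("/etc/cron", "/etc/rc", "/etc/init", "/root/.ssh", "/root/.bashrc"),
    "binaries": ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/lib/"),
    "accounts": ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers"),
    "logs": ("/var/log/",),
}
LINE_RE = re.compile(r"^([ACD]) (/\S.*)$")

# Constructed sample of what `docker diff <container>` might print after a user session.
SAMPLE = """\
C /etc
C /etc/passwd
A /etc/cron.d/extra-job
A /root/.ssh
A /root/.ssh/authorized_keys
A /tmp/scratch.txt
C /usr/bin
C /usr/bin/ls
D /var/log/auth.log
C /var/log/syslog
"""

def parse_diff(text):
    """Return [(kind, path)] pairs; lines not in docker diff format are skipped, not fatal."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(text):
    """Map watch category -> sorted 'K path' entries that deserve a human look."""
    changes = parse_diff(text)
    paths = {p for _, p in changes}
    findings = defaultdict(list)
    for kind, path in changes:
        # docker diff also lists every directory whose contents changed; the child path is the finding
        if any(q.startswith(path + "/") for q in paths):
            continue
        for category, prefixes in WATCH.items():
            if path.startswith(prefixes):  # str.startswith accepts a tuple of prefixes
                # logs change constantly while a container runs; only deletion (track covering) counts
                if category != "logs" or kind == "D":
                    findings[category].append(f"{kind} {path}")
                break
    return {k: sorted(v) for k, v in findings.items()}
```

Pipe the real output in with `docker diff <container>` and call triage() on it; anything under /tmp or other unwatched paths is left out of the report.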
From the demo it certainly looks like something worth investing the time in now, and it should, hopefully, help remove some of the concerns around whether that image really is from where they say it is. One thing to remember: it will not protect you from what is running in the container, so if you run a container called I_will_own_your_network and it says it is from dirtyhacker with Container Trust, you can be sure that it's dirtyhacker that owns your network...
Then there was Sysdig. This looks amazing and has built-in container capabilities. Rather than go on about it here I will just point you at this, or you can obviously get Sysdig Cloud if you want to pay and have really pretty dashboards.
So a very interesting day with lots of learning and I am very glad that I was allowed to go.