Virtualization, Containerization
(and Docker)
Who is Billy Conn
- Chief Architect at
- Long winded
Topics
- Ring System
- Virtualization
- Containerization
- Docker
Ring System
- Kernel
- Userland
- Rings
- Gates
- Instructions
- Privileged Instructions
Kernel
The software that runs at the most privileged level (ring 0) and talks directly with your hardware
Userland
Everything not in the kernel; runs at the least privileged level (ring 3 on x86)
Rings
Hierarchical privilege levels that protect data and functionality from errors and malicious behaviour: code in an inner ring may touch anything in the outer rings, never the reverse
Gates
The controlled entry points (on Linux, system calls) through which an outer ring asks an inner ring to do work on its behalf
Instructions
Statements that run directly on your CPU
Privileged Instructions
Statements that run directly on your CPU but can only be executed from the kernel (ring 0); attempting one from userland raises a fault instead of executing
The Monastery Metaphor
- Neighborhoods = Rings
- Monastery Gates = Gates
- Villagers = Instructions
- Monk = Privileged Instructions
The Monastery Metaphor
Monks (privileged instructions) can never leave the monastery (ring 0, kernel land) and can only be addressed inside the monastery.
Villagers (instructions) from the neighboring settlement (userland) may come and go from the monastery (ring 0, kernel land).
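What the metaphor means on a real machine, as an added example (this code is not from the slides): a user-space process runs in ring 3, and a ring-0-only instruction executed there is refused by the CPU with a general-protection fault, which Linux delivers to the process as SIGSEGV. The block reads the current privilege level straight out of the CS selector and then deliberately tries a privileged instruction, catching the fault so the program can report it. It assumes x86/x86-64 Linux for the privilege-level read; on AArch64 the fault demo uses a DAIF write (refused at EL0 with SIGILL) and other architectures report "unknown".

```c
/* Added example, not part of the original slides.
 * Shows that the "monks" (privileged instructions) cannot run in the
 * "village" (ring 3): the CPU faults and the kernel turns the fault
 * into a signal for the offending process. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signal;

static void on_fault(int sig)
{
    fault_signal = sig;
    siglongjmp(fault_env, 1);          /* unwind out of the faulting instruction */
}

/* Current privilege level: the low two bits of the CS selector (x86 only).
 * Returns 3 in an ordinary process, -1 where CPL is not exposed this way. */
int userland_cpl(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned short cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;
#endif
}

/* Returns 1 if the privileged instruction faulted (expected in ring 3),
 * 0 if the CPU unexpectedly let it execute, -1 if the architecture is
 * not covered by this demo. */
int privileged_instruction_faults(void)
{
    struct sigaction sa, old_segv, old_ill;
    volatile int result = -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);   /* x86: #GP arrives as SIGSEGV */
    sigaction(SIGILL, &sa, &old_ill);     /* arm64: trapped MSR arrives as SIGILL */

    fault_signal = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
#if defined(__x86_64__) || defined(__i386__)
        unsigned long cr0;
        /* Reading control register CR0 is ring-0 only; from ring 3 it is #GP(0). */
        __asm__ volatile("mov %%cr0, %0" : "=r"(cr0));
        (void)cr0;
        result = 0;                    /* only reached if the CPU allowed it */
#elif defined(__aarch64__)
        /* Masking IRQs via DAIF is EL1-only; at EL0 it is an undefined instruction. */
        __asm__ volatile("msr daifset, #2");
        result = 0;
#else
        result = -1;
#endif
    } else {
        result = 1;                    /* handler ran: the instruction was refused */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return result;
}

int main(void)
{
    printf("privilege level of this process: %d\n", userland_cpl());
    int faulted = privileged_instruction_faults();
    if (faulted == 1)
        printf("privileged instruction refused, signal %d delivered\n", (int)fault_signal);
    else if (faulted == 0)
        printf("privileged instruction executed (not running in ring 3?)\n");
    else
        printf("architecture not covered by this demo\n");
    return 0;
}
```

The same work the refused instruction would do is still reachable from ring 3, but only by going through a gate: a system call hands control to the kernel, which executes the privileged instruction on the caller's behalf and returns only the result.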
Virtualization
What is Virtualization?
The creation of simulated resources to logically separate execution environments.
Why Virtualize?
- Non-homogenous environments
- Security
- Flexibility
- Partitioning of Resources
Types of Virtualization
- Hardware Virtualization
- Operating System Level Virtualization
When someone says virtualization without qualification, they usually mean Hardware Virtualization
Hardware Virtualization
Can run multiple virtual computers under a physical one.
Hardware Virtualization
- The guest kernel no longer gets direct access to hardware
- A hypervisor gets access instead and mediates it for every guest
Hosts
The underlying hardware (and the hypervisor running on it) that provides shared computing resources
Guests
Secondary computers whose "hardware" is really provided by software running on the host
Virtualization History
- Virtualization: theory 1959, practice 1966 -
- Paravirtualization: theory 1959, practice 1974 -
- Binary Translation: theory 1963, practice 1974 -
- Hardware Virtualization: theory 1959, practice 1972
A Very Short List of Unvirtualizable Things
- The Intel x86 Architecture
Surprising to everyone doing it!
Classic x86 fails the trap-and-emulate requirement: some sensitive instructions execute unprivileged without trapping, so a hypervisor cannot simply catch and emulate them
A Slightly Longer List of Ways to Virtualize Them
- Binary Translation
- Paravirtualization
- VT-x
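Two checks a practitioner runs around these slides, as an added example (not from the deck): whether the CPU offers the hardware assist that VT-x provides, and whether the code asking is itself already a guest whose hardware access is being mediated by a hypervisor. Both come from the CPUID instruction. It goes slightly beyond the slide by also checking AMD's equivalent (SVM), since the same question is asked on AMD hosts. Assumptions: x86/x86-64 with a GCC- or Clang-compatible compiler for the `cpuid.h` helpers; other architectures return -1 for "unknown". The vendor strings in the comment are the well-known published signatures, not something read from this page.

```c
/* Added example, not part of the original slides.
 *  - CPUID.1:ECX bit 5  (VMX) : Intel VT-x available
 *  - CPUID.80000001h:ECX bit 2 (SVM) : AMD-V available
 *  - CPUID.1:ECX bit 31 : "hypervisor present", set by hypervisors for
 *    their guests.  Only when it is set is leaf 0x40000000 defined; it
 *    then carries a 12-byte vendor signature in EBX:ECX:EDX
 *    (e.g. "KVMKVMKVM", "VMwareVMware", "Microsoft Hv").
 * Caveats: inside a guest the VMX/SVM bits are normally hidden unless
 * nested virtualization is on, and a hypervisor may deliberately clear
 * the hypervisor-present bit, so a 0 here is not proof of bare metal. */
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* 1 if VT-x (Intel VMX) is reported, 0 if not, -1 if not an x86 CPU. */
int cpu_has_vmx(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    return (c >> 5) & 1;
#else
    return -1;
#endif
}

/* 1 if AMD-V (SVM) is reported, 0 if not, -1 if not an x86 CPU. */
int cpu_has_svm(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(0x80000001, &a, &b, &c, &d))
        return 0;
    return (c >> 2) & 1;
#else
    return -1;
#endif
}

/* 1 if a hypervisor announces itself, 0 if not, -1 if unknown.
 * When it returns 1 and `vendor` is non-NULL, the 12-char signature is
 * copied into `vendor` (NUL-terminated, so the buffer needs 13 bytes). */
int running_under_hypervisor(char vendor[13])
{
    if (vendor)
        vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    if (!((c >> 31) & 1))
        return 0;                  /* bit clear: leaf 0x40000000 is not meaningful */
    if (vendor) {
        __cpuid(0x40000000, a, b, c, d);   /* __get_cpuid() refuses this leaf range */
        memcpy(vendor, &b, 4);
        memcpy(vendor + 4, &c, 4);
        memcpy(vendor + 8, &d, 4);
        vendor[12] = '\0';
    }
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    printf("VT-x (VMX): %d   AMD-V (SVM): %d\n", cpu_has_vmx(), cpu_has_svm());
    int hv = running_under_hypervisor(vendor);
    if (hv == 1)
        printf("running as a guest, hypervisor signature \"%s\"\n", vendor);
    else if (hv == 0)
        printf("no hypervisor announced (bare metal, or a hypervisor hiding itself)\n");
    else
        printf("not an x86 CPU; check not applicable\n");
    return 0;
}
```

The order of the two steps matters: on processors without a hypervisor, leaf 0x40000000 is undefined and may echo data from another leaf, so the vendor string is only read after the hypervisor-present bit confirms the leaf exists.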
Containerization
Operating System Level Virtualization
Single Kernel, Multiple Userlands
But every one of those userlands has to run on that one shared kernel
"Operating System-Level virtualization"
- Uses the underlying OS
- Creates siloed userlands
- Kernel and hardware are shared
- Requires OS-level support
- Host kernel must have support
- Usually runs a userland from the same OS family as the host (e.g. Linux userlands on a Linux kernel)
Containerization History
- Containerization: theory 1974, practice 1982
- "Multiple Userlands": theory 1960, practice 1966
Containerization
vs Virtualization
Hardware Virtualization
Pros
- Operating System agnostic
- Allows heterogeneous OSes
- Possible to run fully in userland
- Possibly more secure
Cons
- Requires another operating system (a full guest kernel per VM)
- Performance can take a hit
- Configuration can be difficult
Containerization
Pros
- Fast
- No full operating system
Cons
- Requires a homogeneous operating system
- Easier to break out of when exploited: the kernel is shared, so a kernel bug reachable from inside a container is a bug in the host
- No hardware-enforced isolation boundary
Overview
Docker Basics
- Driven through a CLI of subcommands (build, run, ...)
- Helps solve configuration issues: the application ships together with the environment it was configured for
How Do I Docker?
- Create a Docker image
- A layered filesystem
- Contains metadata on the underlying operating system
- In programming terms:
- Class = Docker Image
- Object = Container
Docker History
- Not a new idea
- Most of the components are at least 10 years old
- Why is it so popular now?
- Recent tools have made it usable
Docker internals
- Kernel namespaces to create siloed userlands (PID, mount, network, UTS, IPC, user)
- Similar to BSD jails
- Uses Linux built-ins
- cgroups - to manage resources (CPU, memory, I/O limits)
- Capabilities - the containerization version of rings: root's power split into individually droppable pieces
- Layered FS (AUFS) - Git for filesystems
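Two of those built-ins exercised directly, as an added example (this is not Docker's code and not from the slides): the capability set the kernel exposes for the current process, and a UTS namespace created with unshare(2) so that a hostname change inside it is invisible to the parent. Creating a namespace normally needs CAP_SYS_ADMIN; without it the code falls back to creating a user namespace first, which is the trick rootless containers rely on. Assumptions: Linux and glibc; the hostname "container-demo" is a made-up value; in a sandbox whose seccomp policy blocks unshare(2) (Docker's default profile does), the demo reports "not permitted" rather than failing.

```c
/* Added example, not part of the original slides or of Docker.
 *  - has_effective_cap(): reads the "CapEff:" bitmask from
 *    /proc/self/status; bit 21 is CAP_SYS_ADMIN.
 *  - uts_namespace_demo(): forks a child that enters a new UTS namespace,
 *    renames itself, and reports back; the parent checks that its own
 *    hostname did not move. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

/* 1 if `cap` is in this process's effective set, 0 if not,
 * -1 if /proc/self/status cannot be read. */
int has_effective_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long long mask;
        if (sscanf(line, "CapEff: %llx", &mask) == 1) {
            fclose(f);
            return (int)((mask >> cap) & 1ULL);
        }
    }
    fclose(f);
    return -1;
}

/*  1 -> isolated: child saw the new name, parent's hostname unchanged
 *  0 -> namespace creation not permitted/available in this environment
 * -1 -> unexpected error (including a hostname change leaking out)   */
int uts_namespace_demo(void)
{
    const char *name = "container-demo";          /* made-up hostname */
    char before[HOST_NAME_MAX + 1], after[HOST_NAME_MAX + 1];
    int pipefd[2], status;
    char verdict = '?';
    pid_t pid;

    if (gethostname(before, sizeof before) != 0 || pipe(pipefd) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                               /* child */
        char inside[HOST_NAME_MAX + 1];
        close(pipefd[0]);
        /* Privileged path: needs CAP_SYS_ADMIN in the current user namespace.
         * Unprivileged path: a fresh user namespace grants full capabilities
         * inside it, which is enough to own a new UTS namespace as well. */
        if (unshare(CLONE_NEWUTS) != 0 &&
            unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0) {
            verdict = 'P';                        /* EPERM/EINVAL/ENOSYS: not here */
        } else if (sethostname(name, strlen(name)) != 0 ||
                   gethostname(inside, sizeof inside) != 0 ||
                   strcmp(inside, name) != 0) {
            verdict = 'E';
        } else {
            verdict = 'I';
        }
        if (write(pipefd[1], &verdict, 1) != 1)
            _exit(1);
        _exit(0);
    }

    close(pipefd[1]);                             /* parent */
    if (read(pipefd[0], &verdict, 1) != 1)
        verdict = 'E';
    close(pipefd[0]);
    waitpid(pid, &status, 0);

    if (verdict == 'P')
        return 0;
    if (verdict != 'I')
        return -1;
    /* The decisive check: the namespace must have kept the rename private. */
    if (gethostname(after, sizeof after) != 0)
        return -1;
    return strcmp(before, after) == 0 ? 1 : -1;
}

int main(void)
{
    printf("CAP_SYS_ADMIN effective: %d\n", has_effective_cap(CAP_SYS_ADMIN));
    int r = uts_namespace_demo();
    printf("UTS namespace demo: %s\n",
           r == 1 ? "isolated" : r == 0 ? "not permitted here" : "error");
    return r < 0;
}
```

Run it as an unprivileged user, then again as root, then inside a container: the capability line changes each time, and the namespace result shows whether the environment lets you build your own silo, which is exactly what a container runtime is doing on your behalf.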
The Good
- Shipping applications is easier
- Ships with dependencies
- Sending an image is sending a working app
- Image can be easily copied for debugging
- Adds a small level of security
The Bad
- Logging is problematic
- Doesn't work well with SELinux
- Requires root to manage
- Has resource management issues
- Container exploits are as bad as on-metal exploits: a container escape lands on the shared host kernel
- Requires the same OS
Mythology
MYTH: Hardware Virtualization is going away
- Likely to lose focus in the next few years
- Some systems are easier to virtualize via hardware than software
- The additional layer makes it harder for a suspected bad actor to interact with other systems
MYTH: Hardware Virtualization has terrible performance
- Not as performant as bare-metal or containerization
- "Good enough"
- Hardware support for virtualization is promising
MYTH: Containerization is slow
- Docker initially had speed problems due to the filesystem type involved
- Is largely solved today
MYTH: Containerize all the things!
- Popular as a new hot technology
- Makes sense in many scenarios
- Doesn't make sense in others
- Not for Databases
- Not for minimal SSH
MYTH: Containerization is just as secure as Virtualization
- There's no simple answer in reality
- In theory, Virtualization is more secure
- It has extra layers and potential hardware support
MYTH: Docker means no more DevOps
- Docker allows for easier deployment and dependency management
- Someone still has to manage:
- Hardware
- Network
- Monitoring
- Logging
Review
- Rings
- Virtualization
- Containers
- Docker
Rings
Protect data and functionality from faults (by improving fault tolerance) and malicious behaviour
Virtualization
The creation of simulated resources to logically separate execution environments
Hardware
Virtualization
Lets you run multiple virtual computers under a physical one
Containers
Uses the underlying OS to create siloed userlands
Docker
Configuration tool that allows the deployment of containers via cgroups and kernel namespaces
Virtualization, Containerization,
By Billy Conn