Virtualization, Containerization

(and Docker)

Who is Billy Conn

  • Chief Architect at
  • Long winded
  • Ring System
  • Virtualization
  • Containerization
  • Docker

Topics

Kernel

Userland

Rings

Gates

Instructions

Privileged Instructions

Ring System

Kernel

Software that talks directly with your hardware

Userland

Everything not in the kernel

Rings

A mechanism to protect data and functionality from errors and malicious behaviour

Gates

Allows communication between outer and inner rings

Instructions

Statements that run directly on your CPU

Privileged Instructions

Statements that run directly on your CPU that can only be called from the kernel

The Monastery Metaphor

  • Neighborhoods = Rings
  • Monastery Gates = Gates
  • Villagers = Instructions
  • Monks = Privileged Instructions

The Monastery Metaphor

Monks (privileged instructions) can never leave the monastery (ring 0, kernel land) and can only be addressed in the monastery.

Villagers (instructions) from the neighboring settlement (userland) may come to and from the monastery (ring 0, kernel land).
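The monk rule on a real CPU, as an added example that is not part of the slides: a ring 3 program issues one privileged instruction, the CPU refuses it, and the kernel reports the refusal as a signal. It assumes Linux on x86-64 or AArch64; the function and variable names are my own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf trap_env;           /* where to resume after the fault */
static volatile sig_atomic_t trapped; /* set by the signal handler */

static void on_fault(int sig) {
    trapped = 1;
    siglongjmp(trap_env, sig);        /* unwind past the faulting instruction */
}

/* Execute one privileged instruction from userland (ring 3 / EL0).
 * Returns 1 if the CPU refused it and the kernel delivered a signal,
 * 0 if it unexpectedly ran, -1 on an architecture this probe does not cover. */
int probe_privileged_instruction(void) {
    struct sigaction sa, old_segv, old_ill;
    volatile int result = -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv); /* x86: #GP arrives as SIGSEGV */
    sigaction(SIGILL, &sa, &old_ill);   /* AArch64: EL0 trap arrives as SIGILL */
    trapped = 0;
    if (sigsetjmp(trap_env, 1) == 0) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ volatile("hlt");              /* ring-0-only: halt the CPU */
        result = 0;                           /* reached only if not refused */
#elif defined(__aarch64__)
        unsigned long v;
        __asm__ volatile("mrs %0, sctlr_el1" : "=r"(v)); /* EL1-only register */
        result = 0;
#endif
    } else {
        result = trapped ? 1 : 0;             /* came back via the handler */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return result;
}

int main(void) {
    int r = probe_privileged_instruction();
    if (r == 1) puts("trapped: the kernel refused the privileged instruction");
    else printf("not trapped (result %d)\n", r);
    return 0;
}
```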

Virtualization

What is Virtualization?

The creation of simulated resources to logically separate execution environments.

Why Virtualize?

  • Non-homogeneous environments
  • Security
  • Flexibility
  • Partitioning of Resources

Types of Virtualization

  1. Hardware Virtualization
  2. Operating System Level Virtualization

When someone says virtualization, they mean Hardware Virtualization

Hardware Virtualization

Can run multiple virtual computers under a physical one.

Hardware Virtualization

  • The Kernel no longer gets direct access to hardware
  • A hypervisor gets access instead 

Hosts

Underlying hardware that

provides shared computing resources

Guests

Secondary computers whose hardware is really provided by software running on the host

Virtualization History

  • Virtualization

    Theory:     1959
    Practice:   1966

  • Paravirtualization

    Theory:    1959
    Practice:  1974

  • Binary Translation 

    Theory:    1963
    Practice:  1974

  • Hardware Virtualization

    Theory:    1959
    Practice:  1972

A Very Short List of Unvirtualizable Things

  • The Intel x86 Architecture

Surprising to everyone doing it!

A Slightly Longer List of Ways to Virtualize Them

  • Binary Translation
  • Paravirtualization
  • VT-x

Containerization

Operating System Level Virtualization

Single Kernel, Multiple Userlands

But they have to be the same

"Operating System-Level virtualization"

  • Uses the underlying OS
    • Creates siloed userlands
    • Kernel and Hardware are shared
  • Requires OS Level Support
    • Host Kernel must have support 
  • Usually runs the same userland as a master

Containerization History

  • Containerization

    Theory:   1974
    Practice: 1982

  • "Multiple Userlands"
    Theory:   1960
    Practice: 1966

Containerization

vs Virtualization

Hardware Virtualization

Pros

  • Operating System Agnostic
  • Allows Heterogeneous OSes
  • Possible to run fully in userland
  • Possibly more secure

Cons

  • Requires another operating system
  • Performance can take a hit
  • Configuration can be difficult

Containerization

Pros

  • Fast
  • No full Operating System

Cons

  • Requires Homogeneous Operating System
  • Easier to break out when being exploited
  • No hardware support

Overview

Docker Basics

  • Uses a series of subcommand options
  • Helps solve configuration issues

How Do I Docker?

  • Create a docker Image
    • A layered filesystem
    • Contains metadata on the underlying Operating System 
  • In programming terms:
    • Class = Docker Image 
    • Object = Container

Docker History

  • Not a new idea
    • Most of the components are at least 10 years old
  • Why is it so popular now?
    • Recent tools have made it usable

Docker internals

  • Kernel Namespaces to create siloed userlands
    • similar to BSD Jails 
  • Uses Linux built-ins
    • cgroups - to manage resources
    • Capabilities - containerization version of rings
    • Layered FS (AUFS) - Git for filesystems

The Good

  • Shipping applications is easier
  • Ships with dependencies
  • Can simply send an image to send a working app
  • Image can be easily copied for debugging
  • Adds a small level of security

The Bad

  • Logging is problematic
  • Doesn't work well with SELinux
  • Requires root to manage
  • Has resource management issues
  • Container exploits are as bad as on-metal exploits
  • Requires the same OS

Mythology

MYTH: Hardware Virtualization is going away

  • Likely to lose focus in the next few years
  • Some systems are easier to virtualize via hardware than software

  • Additional layer makes it difficult for suspected bad-actors to interact with other systems

MYTH: Hardware Virtualization has terrible performance

  • Not as performant as bare-metal or containerization 
    • "Good enough"
  • Hardware support for virtualization is promising

MYTH: Containerization is slow

  • Docker initially had speed problems due to the filesystem type involved
  • Is largely solved today

MYTH: Containerize all the things!

  • Popular as a new hot technology
  • Makes sense in many scenarios
  • Doesn't make sense in others
    • Not for Databases
    • Not for minimal SSH

MYTH: Containerization is just as secure as Virtualization

  • There's no simple answer in reality
  • In Theory, Virtualization is more secure
    • It has extra layers and potential hardware support

MYTH: Docker means no more DevOps

  • Docker allows for easier deployment and dependency management
  • Someone still has to manage:
    • Hardware
    • Network
    • Monitoring
    • Logging 

Review

  • Rings
  • Virtualization
  • Containers
  • Docker

Rings

Protect data and functionality from faults (by improving fault tolerance) and malicious behaviour 

Virtualization

The creation of simulated resources to logically separate execution environments

Hardware Virtualization

Lets you run multiple virtual computers under a physical one

Containers

Uses the underlying OS to create siloed userlands

Docker

Configuration tool that allows the deployment of containers via cgroups and kernel namespaces

Virtualization, Containerization,

By Billy Conn