VIRTUALIZATION OR CONTAINERS
Understanding the conceptual differences
Darko Ivanović, NetApp BDM | Alef Distribucija
04/2019
Major IT VAD in Central and Southeastern Europe
Offices: Prague / CZ (1994), Bratislava / SK (1996), Budapest / HU (2002), Ljubljana / SI (2015), Zagreb / HR (2015), Belgrade / RS (2015), Bucuresti / RO (2017)
Current number of employees, ALEF Group: 345
FY18 annual sales of ALEF Group in EUR: 246M
Cisco Distributor No. 1; Microsoft Distributor No. 2
Sales coverage from Croatia to Greece
One simple idea
CHANGED EVERYTHING (AND THE WORLD)!
Toothpaste packaging from 1873!
1896
“WE COULDN'T IMPROVE THE PRODUCT SO WE IMPROVED THE TUBE.”
Colgate, 1908
Differences…
A bit of history… Virtualization
• 1960s IBM S/360 mainframes are the 800-lb gorilla (single-user system designed for batch jobs)
• 1963 MIT Project MAC ($2M grant from DARPA)
• 1967 Virtual machines on the CP-67 using “CP (Control Program)”
• 1987 Insignia Solutions “SoftPC”
• 1997 Apple (Connectix) “VirtualPC”
• 1999 VMware “VMware Workstation”
A bit of history… Containers
• 1979 UNIX chroot (added to BSD in 1982)
• 2000 FreeBSD Jails (filesystems, users, networks)
• 2001 Linux VServer (VPS solution)
• 2005 OpenVZ (filesystems, users/groups, process tree, networks, devices, IPC)
• 2006 Process Containers (Linux kernel 2.6.24; limit CPU, memory, disk, network I/O)
• 2008 Control Groups (cgroups added to the Linux kernel)
• 2008 LXC (LinuX Containers; CLI and language bindings for 6 languages)
• 2011 Warden, CloudFoundry
• 2013 LMCTFY, Google
Finally… DOCKER IMAGE
DOCKER REGISTRY
• Git Repo Semantics
• Pull
• Push
• Commit
• Hierarchy
• May be nested
DOCKER CONTAINER IMAGE
• NOT A FILESYSTEM
• NOT A VHD
• Basically a tar file
• Has a hierarchy
• Arbitrary depth
• Layered file system
• Top layer can be writable
• Fits into the Docker Registry
• May be nested
LINUX NAMESPACE
• Kernel Feature
• Restrict your view of the system
• Mounts (CLONE_NEWNS)
• UTS (CLONE_NEWUTS)
• uname() output
• IPC (CLONE_NEWIPC)
• PID (CLONE_NEWPID)
• Networks (CLONE_NEWNET)
• User (CLONE_NEWUSER)
• See also: privileged/unprivileged modes
• May be nested
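The namespace bullets above are abstract, so here is an added example (mine, not from the slides) that shows the “restrict your view of the system” idea for the UTS namespace, and the privileged/unprivileged point: a child process calls unshare(CLONE_NEWUSER | CLONE_NEWUTS) and renames its host, and only the child's uname() changes while the parent keeps the real hostname. CLONE_NEWUSER is what lets an unprivileged user do this; the hostname "demo-container" is a constructed value. Where unprivileged user namespaces are switched off (sysctl, or a seccomp profile such as Docker's default one), the function reports the errno instead of failing silently.

```c
/* Added example, not from the original slides: a child process enters new
 * user + UTS namespaces and changes its hostname; the parent's uname() is
 * unaffected. The hostname "demo-container" is a constructed value. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag values from <linux/sched.h>; defined here only if <sched.h> was not
 * pulled in with _GNU_SOURCE. */
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

#define DEMO_HOST "demo-container"

/* Child side: unshare user + UTS namespaces, rename, send uname() back over
 * the pipe. Returns 0 or the errno of the failing step. CLONE_NEWUSER makes
 * the caller "root" inside the new user namespace, which is what grants the
 * right to change the hostname in the UTS namespace created by the same call. */
static int child_work(int fd)
{
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWUTS) != 0)
        return errno;
    if (sethostname(DEMO_HOST, strlen(DEMO_HOST)) != 0)
        return errno;
    struct utsname u;
    if (uname(&u) != 0)
        return errno;
    return write(fd, u.nodename, strlen(u.nodename) + 1) < 0 ? errno : 0;
}

/* Runs the demo in a forked child. On success returns 0 and fills child_host
 * (what the child sees) and parent_host (what this process sees). Otherwise
 * returns the errno reported by the child, typically EPERM or EINVAL when
 * unprivileged user namespaces are disabled by sysctl or a seccomp profile. */
int uts_namespace_demo(char *child_host, size_t child_len,
                       char *parent_host, size_t parent_len)
{
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return errno;
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        close(pipefd[0]);
        _exit(child_work(pipefd[1]) & 0xff);
    }
    close(pipefd[1]);
    char buf[256] = {0};
    ssize_t n = read(pipefd[0], buf, sizeof buf - 1);  /* EOF if the child failed */
    close(pipefd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    int rc = WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
    if (rc != 0)
        return rc;
    if (n <= 0)
        return EIO;
    snprintf(child_host, child_len, "%s", buf);
    struct utsname u;
    if (uname(&u) != 0)
        return errno;
    snprintf(parent_host, parent_len, "%s", u.nodename);
    return 0;
}

int main(void)
{
    char child[256], parent[256];
    int rc = uts_namespace_demo(child, sizeof child, parent, sizeof parent);
    if (rc == 0)
        printf("child sees hostname \"%s\", parent still sees \"%s\"\n", child, parent);
    else
        printf("could not create namespaces: %s\n", strerror(rc));
    return 0;
}
```

The same pattern with CLONE_NEWPID or CLONE_NEWNET restricts what the child sees of processes or interfaces; the hostname is simply the easiest effect to observe without any setup.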
LINUX CGROUPS
• Kernel Feature
• Groups of processes
• Control resource allocations
• CPU
• Memory
• Disk
• I/O
• May be nested
Example… Dockerfile
# Base image: a web server layer
FROM centos:centos6
MAINTAINER Darko Ivanovic <[email protected]>
RUN yum -y install httpd
EXPOSE 80
ADD start.sh /start.sh
CMD /start.sh
$ docker build -t webserver .
# Second image built on top of the first (layered, nested image)
FROM webserver
MAINTAINER Darko Ivanovic <[email protected]>
RUN yum -y install mysql-server php
EXPOSE 80
ADD start.sh /start.sh
CMD /start.sh
$ docker build -t lampstack .
Differences - Efficiency
Differences - Performance
Differences - Security
Differences - Security: 397 CALLS IN KERNEL 3.19
Isolation techniques
• SELinux / AppArmor
• Secure Computing Mode (seccomp)
• Container nesting
• Docker auth plugins
• User namespaces
• Encrypted filesystems
• Address Space Layout Randomization (ASLR)
• Hardware security features (NX, VT-d, TPM, TXT, SMAP)
https://insights.stackoverflow.com/survey/2019?
© 2015 NetApp, Inc. All rights reserved. NetApp Confidential – Limited Use
NetApp At A Glance
Enabling Enterprises to Protect and Manage Data Anywhere
(Portfolio overview slide: Private Cloud / Service Provider Cloud; Cloud Insights; SaaS Backup; Disaster Recovery; DevOps & Analytics; NetApp Kubernetes Service; Object based Storage; NetApp Private Storage (NPS) Collocation; StorageGRID Webscale; Cloud Sync; Converged / Non-NetApp Storage; SolidFire; FlexArray / FLI; Max Data; Cloud Volumes ONTAP; E/EF-Series; FAS / All Flash ONTAP; NetApp HCI; ONTAP Select; Cloud Volumes Service; ONTAP AI; NFLEX; Backup & Archive)
cloud.netapp.com
Thank you!