VIRTUELIZACIJA ILI KONTEJNERI

Razumevanje konceptualnih razlika

Darko IvanovićNetApp BDM | Alef Distribucija

04/2019

2

Major IT VAD in Central and Southeastern Europe

61Cisco Distributor No. 1

74

6

1994

1996

2002

2015

Prague / CZ

Bratislava / SK

Budapest / HU

Ljubljana / SI

2015

2015

2017

Zagreb / HR

Belgrade / RS

Bucuresti / RO

Current number of employees ALEF Group

345 246MFY18 Annual sales in EUR of ALEF Group

31Cisco Distributor No. 1

171

Cisco Distributor No. 1

Sales coverage fromCroatia to Greece

62

Microsoft Distributor No. 2

Jedna jednostavna ideja

je PROMENILA SVE(T)!

Pakovanje paste za zube iz 1873!

1896

“ WE COULDN'T IMPROVE THEPRODUCT SO WE IMPROVEDTHE TUBE. “

Colgate, 1908

Razlike…

Malo istorije… Virtuelizacija• 1960’s IBM S/360 Mainframes are the 800# Gorilla (Single user system designed for batch jobs• 1963 MIT Project MAC ($2M grant from DARPA)• 1967 Virtual Machines on the CP-67 using “CP (Control Program)”• 1987 Insignia Solutions “SoftPC”• 1997 Apple (Connectrix) “VirtualPC”• 1999 VMWare “VMWare Workstation”

Malo istorije… Kontejneri

• 1979 UNIX chroot (added to BSD in 1982)• 2000 FreeBSD Jails (filesystems, users, networks)• 2001 Linux VServer (VPS Solution)• 2005 OpenVZ (filesystems, users/groups, process tree, networks, devices, IPC)• 2006 Process Containers (Linux Kernel 2.6.24, limit CPU, mem, disk, network IO)• 2008 Control Groups (cgroups added to Linux Kernel)• 2008 LXC (LinuX Containers, CLI and language bindings for 6 languages)• 2011 Warden, CloudFoundry• 2013 LMCTFY, Google

Konačno… DOCKER IMAGE

DOCKER REGISTY

• Git Repo Semantics

• Pull

• Push

• Commit

• Hierarchy

• May be nested

DOCKER CONTAINER IMAGE

• NOT A FILESYSTEM

• NOT A VHD

• Basically a tar file

• Has a hierarchy

• Arbitrary depth

• Layered file system

• Top layer can be writable

• Fits into the Docker Registry

• May be nested

LINUX NAMESPACE

• Kernel Feature

• Restrict your view of the system

• Mounts (CLONE_NEWNS)

• UTS (CLONE_NEWUTS)

• uname() output

• IPC (CLONE_NEWIPC)

• PID (CLONE_NEWPID)

• Networks (CLONE_NEWNET)

• User (CLONE_NEWUSER)

• See also: privileged/unprivileged modes

• May be nested

LINUX CGROUPS

• Kernel Feature

• Groups of processes

• Control resource allocations

• CPU

• Memory

• Disk

• I/O

• May be nested

Primer…DockerFile

FROM centos:centos6MAINTAINER Darko Ivanovic <darko@darko.com>RUN yum –y install httpdEXPOSE 80ADD start.sh /start.shCMD /start.sh

$ docker build –t webserver .

FROM webserverMAINTAINER Darko Ivanovic <darko@darko.com>RUN yum –y install mysql-server phpEXPOSE 80ADD start.sh /start.shCMD /start.sh

$ docker build –t lampstack .

Razlike - Efikasnost

Razlike - Performanse

Razlike - Bezbednost

TITLE

Razlike - Bezbednost397 CALLS IN KERNEL 3.19

Tehnike izolacije

• SELinux / AppArmor• Secure Computing Mode• Container Nesting• Docker Auth Plugins• User Namespaces• Encrypted Filesystems• Address Space Layout Randomization (ASLR)• Hardware Security Features (NX, VT-d, TPM, TXT, SMAP)

https://insights.stackoverflow.com/survey/2019?

© 2015 NetApp, Inc. All rights reserved. NetApp Confidential – Limited Use 19

NetApp At A Glance

Enabling Enterprises to Protect and Manage Data Anywhere

Private Cloud

CLOUDINSIGHTS

SaaSBackup

Disaster Recovery

DevOps & Analytics

NetApp Kubernetes

Service

Object basedStorage

NetApp Private storage

StorageGRIDWebscale

CLOUDSYNC

NPSCollocation

Private Cloud / Service Provider Cloud xxx

ConvergedNon-NetApp Storage SolidFire

FlexArray / FLI

Max Data

Cloud

Volumes

ONTAP

E/EF-Series

FAS/ALL FLASHONTAP

NetApp HCI

StorageGRIDWebscale

Object Storage

ONTAPSelect

Cloud

Volumes

Service

ONTAP AI NFLEX

Backup & Archive

cloud.netapp.com

Hvala!