IBM Research Day: Containers Changing the Game in Cloud. Gosia Steinder Distinguished Research Staff Member

Transcription

1 IBM Research Day: Containers Changing the Game in Cloud Gosia Steinder Distinguished Research Staff Member

2 Please Note: IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. 1

3 Containers are not just for microservices Multiple-tenants Single-tenant Docker Engine Host OS Server B Bare metal performance Improved density Docker Engine Host OS Server Container-native cloud Docker Engine Host OS Server B Simplified but flexible environment for customer Customer can deploy applications with flexible topologies, arbitrary runtimes Customers only worry about containerized applications Provider manages the operating system deployment, patching, monitoring, health Improved visibility and control Limited visibility and control Docker Engine Guest OS Hypervisor Host OS Server B B Docker Engine Guest OS Containers on IaaS cloud Docker Engine Guest OS Hypervisor Host OS Server Visibility and control Container has direct access to shared libraries on host Container has direct access to network, storage, accelerators Provider can inspect installed/running packages, configuration Provider can view memory usage stats Provider can monitor and control kernel calls Managed by customer Managed by provider Container-native cloud enables new differentiating capabilities in the areas of security, compliance, and performance management: with better guarantees and simpler to use.

4 Deep Visibility! Operational nalytics! Insights! Customer Value From Container - OS Info - Processes - Disk Info - Metrics - Network Info - Packages - Files - Config Info Docker Run1me - Docker metadata (docker inspect) - CPU metrics (/cgroup/cpuacct/) - Memory metrics (/cgroup/memory) - Docker history Config nnotator Vulnerability nnotator Compliance nnotator Password nnotator SW nnotator Licence nnotator Index (Data) Vuln. & Compl. nalysis Pipeline Service Secure Config nalysis Forensic Security & Compl. Remedia1on Service Plaorm - udit Subsystem - Syscall Tracing - System Integrity Seamless, no- touch, tamper- proof monitoring!

5 Example: Deep monitoring allows no-touch vulnerability analysis

6 Vulnerability dvisor enables ackve client control over container security Policy relaxed Policy strengthened New threats Percentage 100 allow 50 warn 0 Policy change Policy change block

7 Changing the game in cloud with containers Our point of view Container- nakve cloud allows customers to incrementally deliver, scale, and modify high value container- based workloads with unprecedented visibility, insight, and control, and enterprise- grade security, compliance, stability, and performance. lready in IBM Containers on Bluemix Industry- first container Container- na1ve plaorm for micro- services with isola1on expected for public cloud lways on, tamper- proof, built in monitoring of containers and images utomated, built- in vulnerability analy1cs of container images Vulnerability teskng built- in into container devops pipeline Innova1on pipeline Leading container plaorm with advanced orchestrakon, open architecture, increased security, operakonal excellence, and agility Customizable and detailed visibility of event- based and snapshot- based rich data for images and containers nalykcs based insight into security and compliance posture of images and containers based on customizable policies Control over security and compliance posture via devops- level checks and automated remediakon

8 Container orchestration open-source landscape Mesos (Mesosphere) resource management platform enabling partitioning of compute resources across multiple workloads Marathon (Mesosphere) platform as a service enabling deployment of 12-factor applications on top of Mesos Swarm and Compose (Docker) multi-host Docker container management system Kubernetes (Google) platform for the management of microservices enabling fine-grained composition of multi-container instances Today, these communities build all-encompassing stacks with significant functional overlap, divergent PIs, virtually no collaboration, and with significant gaps for large-scale production usage. Our goal: Evolve these opensource projects to become mature production-ready platforms based on our own production usage of these technologies Develop common container management PIs for cloud-native workloads and common open architecture Leverage Cloud Native Computing Foundation as a community to bring together these efforts and drive towards common open architecture

9 Why these choices? kubectl K8s master Compose PI server Scheduler state Etcd service Controller mger K8s minion K8s minion Kubelet Proxy Cdvisor Kubelet Proxy Cdvisor Native Docker experience Rich life-cycle management Pattern deployment via Compose Light-weight POD single-host pattern, fine-grained application composition Desired state management Replication groups with autorecovery, rolling-update, autoscaling Richly-featured microservice platform Framework Offers Start task Mesos Master llocation module Resource / task status Start task Mesos Slave Mesos allows Swarm and Kubernetes to share compute resources 8

10 Container-native Cloud rchitecture Image Registry Orchestration Orchestration (single container and container group) Cloud Services PI Private IP Network Private NFS Storage Container Host C C C C C C Operational Visibility pache Mesos Master Cluster Infrastructure (VMs & bare metal) 9

11 Swarm multi-tenancy and performance enhancements What we are working on: Full PI support on top of Mesos Private registry integration uthentication and authorization with pluggable auth/authz mechanisms Performance analysis and improvement uth Backen d Pass auth token Regular Docker engine PI Swarm auth plugin Override requests and responses Swarm docker calls Swarm Time to create a network grows linearly with the number of networks already present in swarm. Scalability challenge. Our improvement Time to create a network grows linearly with the number of networks already present in Docker engine. Scalability challenge. Working on it 10

12 Kubernetes performance enhancements What we are working on Improved modularity and configurability Network plugins Performance and scalability Default configuration: POD deployment times dramatically increase with system occupancy Tuned configuration: significant performance improvement (2 orders of magnitude) 11

13 Container networking in Swarm and Kubernetes Kubernetes Containers deployed via Swarm and Kubernetes can join the same L2/L3 network seamless private communication between Kubernetes and Swarm parts of an application. Kubernetes Minion gent Kubernetes Minion gent Swarm Master CNI plugin CNI plugin Docker Engine Docker Engine Docker Engine Docker Engine Neutron OVS/OVN network L2 overlays Subnets Security groups Firewalls Load balancers Rich management PIs libnetwork Kuryr libnetwork Kuryr Neutron libnetwork Kuryr libnetwork Kuryr 12

14 Using Swarm & Kubernetes with Mesos Mesos manages the actual resources on the cluster Incoming PI/CLI are stored in a queue, waiting for offers from Mesos The framework s scheduler is used to choose the target host from the Mesos offers The framework sends a task to Mesos slave to create the container Swarm Kubernetes Docker CLI/PI framework Scheduler Scheduler framework Offers Offers Tasks to Mesos Mesos Master Mesos gents

15 Looking forward: introducing Optimistic Offers in Mesos Framework scheduling logic Simpler, however: Under Utilization Starving Big Tasks Non-optimized schedule decision SL Enforcement Pessimistic Offer* Optimistic Offer* IBM is driving Mesos-1607 ( ) with Mesos community to support Optimistic Offers * from the Google Omega Whitepaper

16 Hardened Container Platform with Isolation and Runtime Integrity IBM led Docker community to enhance the engine to meet reasonable security expecta:ons for a cloud service. We are pursuing further innova:ons in isola:on and run:me integrity both in the community and in IBM cloud pla?orm. What: hardening of the underlying compute platform to: Prevent breach of isolation through container privilege escalation attacks Detect, prevent and mitigate resource exhaustion (DoS) attacks Efficiently manage and audit of network isolation across the cloud infrastructure Continuous runtime and enforcement of platform integrity to protect against installation of unknown software Why: Strong level of assurance of isolation from other cloud workloads, without additional management complexity and overhead of hypervisors and VMs Increased visibility afforded by shared platform Kernel (files, processes, system calls) allows earlier detection of anomalies bility to continuously verify (attest) workload integrity

17 Securing the container platform Coloring: Docker supports this out of box. Docker or Linux gap we are working on it Inherent issue Restrict Docker PI Calls Docker Registry Docker PI allows users to create privileged containers or change capabilities without authorization. Provider must restrict access to certain PIs and ensure access to PI is authorized. Use V2 registry it has signatures for images and layers. Isolation from other containers Resource isolation Capability limitation Kernel isolation Host root isolation Docker Engine Configuration pprmor Host Security Hardware ssisted Verification and Isolation Use kernel namespaces for isolating from other containers: pid, net, ipc, mnt, utc, uts.. Leverage cgroups for resource isolation. Network traffic shaping is an issue with default networking. No ability to isolate process id resources. Not all control knobs exposed in CLI.. Limit the set of Linux capabilities each container is started with. Docker, by default drops most capabilities. Ensure that changes is capabilities are properly authorized. ll Docker containers share host kernel, but not all syscalls and capabilities are exposed to them. Inherent issue with containers. User namespaces: container root is de-priivileged on host. Docker: in v1.10 root in all containers mapped to same unprivileged id on host Work in progress:: Enable configurable mappings (requires Linux kernel improvement) User pprmor profiles for containers (customizable) Provider must ensure proper pprmor configuration. Use pprmor for daemon confinement (customizable). Provider must ensure proper pprmor configuration. Follow best practice for securing a host (e.g., STIG firewall, auditd) Use Trusted computing and TPM for host integrity verification and VT-d for better isolation

18 Security Configuration nalytics: Detection of Misconfiguration & Breach of Isolation Enhanced Visibility template Event & Log Repositories (e.g. logstash) Security Backend Configuration Database nalytics Security Configuration nalytics Detects Configuration Drift Generate lerts & Remediation ctions based on Risk and sset Value (see next) ication Developer builds & deploys complex app with (network) security policies FW, IPS/IDS, Forward notifications on orchestration events, PI calls, Kubernetes Docker Compose Docker Engine Monitoring Ironic Nova Neutron Cloud User modifies running application settings to improve performance (e.g. change IPS policies) Tenant 1 Tenant 2 Tenant 3 Generate alerts if any misconfiguration is detected ssess relative risk of configuration anomaly

19 Recommended for you Demos of technology in discussed today: CCI-7280 : IBM Research Day Demo: Running Containers on Swarm and Kubernetes at Data Center Scale Related Research presentations and demos: YPS-7294: IBM Research Day Demo: Scale on IBM Power Systems, coming next SD-7288: IBM Research Day Demo: Vulnerability Remediation Service, happened this morning LBs and Education on IBM Containers: TCD-1506: Hands-On Lab Demonstrating the Enterprise-Grade Capabilities of IBM Containers CCD-6713: Meet the Experts Who re Leveraging Docker Containers and Microservices to Run IBM Containers CCD-3865: Leveraging IBM Containers for Enterprise-Scale Software Development CDL-9409: Learn IBM Conatiners in 15 minutes InnerCircle presentations: DEV-6859: IBM and Docker Container Offerings, Strategy and Roadmap Core curriculum: CCD-2715: Building an Enterprise PaaS with Bluemix, Docker Container Services and Watson on IBM Power Systems COC-3243: IBM Containers and Open Technologies: Container Service Designed for the Enterprise CCD-3518: The Bluemix Triple Threat: Cloud Foundry, Containers and Virtual Machines 18

20 Notices and Disclaimers Copyright 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GS DP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "S IS" WITHOUT NY WRRNTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHLL IBM BE LIBLE FOR NY DMGE RISING FROM THE USE OF THIS INFORMTION, INCLUDING BUT NOT LIMITED TO, LOSS OF DT, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. ny statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. ctual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. ll materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law 19

21 Notices and Disclaimers Con t. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM s products. IBM EXPRESSLY DISCLIMS LL WRRNTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WRRNTIES OF MERCHNTBILITY ND FITNESS FOR PRTICULR PURPOSE. The provision of the information contained h erein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, spera, Bluemix, Blueworks Live, CICS, Clearcase, Cognos, DOORS, Emptoris, Enterprise Document Management System, FSP, FileNet, Global Business Services, Global Technology Services, IBM ExperienceOne, IBM SmartCloud, IBM Social Business, Information on Demand, ILOG, Maximo, MQIntegrator, MQSeries, Netcool, OMEGMON, OpenPower, Purenalytics, Pureication, purecluster, PureCoverage, PureData, PureExperience, PureFlex, purequery, purescale, PureSystems, QRadar, Rational, Rhapsody, Smarter Commerce, SoD, SPSS, Sterling Commerce, StoredIQ, Tealeaf, Tivoli, Trusteer, Unica, urban{code}, Watson, WebSphere, Worklight, X-Force and System z Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: 20

22 Thank You Your Feedback is Important! ccess the InterConnect 2016 Conference ttendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.