A container runtime is software that executes containers and manages container images on a node. Today, the most widely known container runtime is Docker, but there are other container runtimes in the ecosystem, such as rkt, containerd, and lxd. Docker is by far the most common container runtime used in production Kubernetes environments, but Docker’s smaller offspring, containerd, may prove to be a better option. This post describes using containerd with Kubernetes.
Kubernetes 1.5 introduced an internal plugin API named Container Runtime Interface (CRI) to provide easy access to different container runtimes. CRI enables Kubernetes to use a variety of container runtimes without the need to recompile. In theory, Kubernetes could use any container runtime that implements CRI to manage pods, containers and container images.
The following is reformatted from a presentation I gave at LinkedIn last year. The presentation attempted to explain functional programming without using concepts like “monads” or “immutability” or “side effects”. Instead it focuses on how thinking about composition can make you a better programmer, regardless of what language you use.
40 years ago, on October 17th, 1977, the Turing Award was presented to John Backus for his contribution to the design of high-level programming systems, most notably the Fortran programming language. All Turing Award winners are given the opportunity to present a lecture on a topic of their choice during the year in which they receive the award. As the creator of the Fortran programming language, one may have expected Backus to lecture on the benefits of Fortran and future developments in the language. Instead, he gave a lecture entitled Can programming be liberated from the Von Neumann style? in which he criticized some of the mainstream languages of the day, including Fortran, for their shortcomings. He also proposed an alternative: a functional style of programming.
This is the second in a series of articles on systems administrator fundamentals. These days, DevOps has made even the job title “systems administrator” seem a bit archaic, much like the “systems analyst” title it replaced. These DevOps positions are rather different from sysadmin jobs in the past. They have a much larger emphasis on software development far beyond basic shell scripting, and as a result, they often are filled by people with software development backgrounds without much prior sysadmin experience. In the past, a sysadmin would enter the role at a junior level and be mentored by a senior sysadmin on the team, but today companies often go quite a while with cloud outsourcing before their first DevOps hire. As a result, the DevOps engineer might be thrust into the role at a junior level with no mentor around apart from search engines and Stack Overflow posts.
In this series, I’m going to expound on some of the lessons I’ve learned through the years that might be obvious to longtime sysadmins but may be news to someone just coming into this position.
Improved local storage is at the heart of the new release of Prometheus 2.0, according to Fabian Reinartz, a CoreOS software engineer and a core developer of the Prometheus monitoring system.
With distributed system coordination software such as Kubernetes and Mesos, monitored environments have become increasingly more dynamic, Reinartz pointed out in a blog post. The monitoring software needed its own dedicated storage to ensure responsiveness in these dynamic environments.
Though Prometheus 1.6 introduced auto-tuning capabilities, the team has been working on a more performant time-series database. “It’s just way more reliable and faster. Ideally, you don’t want to have to reconfigure all the time, so Prometheus just responds to change in demands, so there are way fewer knobs to turn for the people running it,” Reinartz said in an interview.
When last we met, in Testing IPv6 Networking in KVM: Part 1, we learned about IPv6 private addressing. Today, we’re going to use KVM to create networks for testing IPv6 to our heart’s content.
You need at least two virtual machines in KVM. Of course, you may create as many as you like. My little setup has Fedora, Ubuntu, and openSUSE. To create a new IPv6 network, open Edit > Connection Details > Virtual Networks in the main Virtual Machine Manager window. Click on the button with the green cross on the bottom left to create a new network (Figure 1).
Figure 1: Create a network.
Give your new network a name, then click the Forward button. You may opt to not create an IPv4 network if you wish. When you create a new IPv4 network the Virtual Machine Manager will not let you create a duplicate network, or one with an invalid address. On my host Ubuntu system a valid address is highlighted in green, and an invalid address is highlighted in a tasteful rosy hue. On my openSUSE machine there are no colored highlights. Enable DHCP or not, and create a static route or not, then move on to the next window.
Check “Enable IPv6 network address space definition” and enter your private address range. You may use any IPv6 address class you wish, being careful, of course, to not allow your experiments to leak out of your network. We shall use the nice IPv6 unique local addresses (ULA), and use the online address generator at Simple DNS Plus to create our network address. Copy the “Combined/CID” address into the Network field (Figure 2).
Figure 2: Copy the “Combined/CID” address into the Network field.
Virtual Machine Manager thinks my address is not valid, as evidenced by the rose highlight. Can it be right? Let us use ipv6calc to check:
$ ipv6calc -qi fd7d:844d:3e17:f3ae::/64
Address type: unicast, unique-local-unicast, iid, iid-local
Registry for address: reserved(RFC4193#3.1)
Address type has SLA: f3ae
Interface identifier: 0000:0000:0000:0000
Interface identifier is probably manual set
ipv6calc thinks it’s fine. Just for fun, change one of the numbers to something invalid, like the letter g, and try it again. (Asking “What if…?” and trial and error is the awesomest way to learn.)
Let us carry on and enable DHCPv6 (Figure 3). You can accept the default values, or set your own.
Figure 3: Enable DHCPv6.
We shall skip creating a default route definition and move on to the next screen, where we shall enable “Isolated Virtual Network” and “Enable IPv6 internal routing/networking”.
VM Network Selection
Now you can configure your virtual machines to use your new network. Open each VM, then click the “i” button at the top left to open its “Show virtual hardware details” screen. In the “Add Hardware” column click on the NIC button to open the network selector, and select your nice new IPv6 network. Click Apply, and then reboot. (Or use your favorite method for restarting networking, or renewing your DHCP lease.)
And there is our nice new ULA, fd7d:844d:3e17:f3ae::6314, and the auto-generated link-local address that is always present. Let’s have some ping fun, pinging another VM on the network:
vm1 ~$ ping6 -c2 fd7d:844d:3e17:f3ae::2c9f
PING fd7d:844d:3e17:f3ae::2c9f(fd7d:844d:3e17:f3ae::2c9f) 56 data bytes
64 bytes from fd7d:844d:3e17:f3ae::2c9f: icmp_seq=1 ttl=64 time=0.635 ms
64 bytes from fd7d:844d:3e17:f3ae::2c9f: icmp_seq=2 ttl=64 time=0.365 ms
When you’re struggling to understand subnetting, this gives you a fast, easy way to try different addresses and see whether they work. You can assign multiple IP addresses to a single interface and then ping them to see what happens. In a ULA, the interface, or host, portion of the IP address is the last four quads, so you can do anything to those and still be in the same subnet, which in this example is f3ae. This example changes only the interface ID on one of my VMs, to show how you really can do whatever you want with those four quads:
vm1 ~$ sudo /sbin/ip -6 addr add fd7d:844d:3e17:f3ae:a:b:c:6314 dev ens3
vm2 ~$ ping6 -c2 fd7d:844d:3e17:f3ae:a:b:c:6314
PING fd7d:844d:3e17:f3ae:a:b:c:6314(fd7d:844d:3e17:f3ae:a:b:c:6314) 56 data bytes
64 bytes from fd7d:844d:3e17:f3ae:a:b:c:6314: icmp_seq=1 ttl=64 time=0.744 ms
64 bytes from fd7d:844d:3e17:f3ae:a:b:c:6314: icmp_seq=2 ttl=64 time=0.364 ms
Now try it with a different subnet, which in this example is f4ae instead of f3ae:
$ ping6 -c2 fd7d:844d:3e17:f4ae:a:b:c:6314
PING fd7d:844d:3e17:f4ae:a:b:c:6314(fd7d:844d:3e17:f4ae:a:b:c:6314) 56 data bytes
From fd7d:844d:3e17:f3ae::1 icmp_seq=1 Destination unreachable: No route
From fd7d:844d:3e17:f3ae::1 icmp_seq=2 Destination unreachable: No route
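The checks the article does by hand with ipv6calc and ping6 (is the prefix well formed, is it a ULA, which addresses share the f3ae subnet) can be reproduced offline with Python's standard ipaddress module. This is an added example, not code from the article; it reuses the article's fd7d:844d:3e17:f3ae::/64 prefix and assumes the rule the ping results illustrate, that a host on the isolated virtual network is directly reachable only if it falls inside the same /64:

```python
import ipaddress

# Prefix and test addresses taken from the article above.
ULA_NETWORK = "fd7d:844d:3e17:f3ae::/64"

# RFC 4193 reserves fc00::/7 for unique local addresses; the fd00::/8 half
# (L bit = 1, locally assigned) is what the online generator hands out.
ULA_RANGE = ipaddress.IPv6Network("fc00::/7")
LOCALLY_ASSIGNED = ipaddress.IPv6Network("fd00::/8")


def check_prefix(prefix: str) -> dict:
    """Validate a /64 the way ipv6calc does: well formed? ULA? global/subnet ID?"""
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError as exc:  # e.g. a stray 'g' in a hextet, or host bits set
        return {"valid": False, "error": str(exc)}
    result = {"valid": True, "is_ula": net.subnet_of(ULA_RANGE),
              "locally_assigned": net.subnet_of(LOCALLY_ASSIGNED),
              "global_id": None, "subnet_id": None}
    if result["is_ula"]:
        hextets = net.network_address.exploded.split(":")
        # Layout: 8-bit prefix (fd) + 40-bit global ID + 16-bit subnet ID.
        result["global_id"] = "".join(hextets[0:3])[2:]
        result["subnet_id"] = hextets[3]  # the "SLA" ipv6calc prints: f3ae
    return result


def on_link(net: str, addr: str) -> bool:
    """True if addr sits inside the /64, i.e. the ping would get a reply."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(net)


def with_interface_id(net: str, iid: str) -> str:
    """Combine the /64 with an arbitrary 64-bit interface ID such as
    'a:b:c:6314' or '6314', as the `ip -6 addr add` step does by hand."""
    n = ipaddress.IPv6Network(net)
    low = int(ipaddress.IPv6Address("::" + iid)) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(n.network_address) | low).compressed


if __name__ == "__main__":
    print(check_prefix(ULA_NETWORK))
    print(check_prefix("fd7d:844d:3e17:g3ae::/64"))  # the "what if" typo
    for host in ("fd7d:844d:3e17:f3ae:a:b:c:6314", "fd7d:844d:3e17:f4ae:a:b:c:6314"):
        print(host, "reachable" if on_link(ULA_NETWORK, host) else "no route")
```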
This is also a great time to practice routing, which we will do in a future installment along with setting up auto-addressing without DHCP.
For some organizations working outside of technology hubs such as Silicon Valley, there is a vast shortage of developer talent to choose from. As a result, many have taken a proactive learning approach to help bring their developers up-to-speed with the demands of today’s cloud-native software platforms.
“For each of these companies that are becoming software companies, they’re trying to find out, where do they find that talent?” Kearns said, adding that, “We’re seeing a lot of companies invest in training and re-training people, teaching them to be cloud-native developers and I think that is the most fascinating piece of all this.”
How quickly has Kubernetes’ popularity soared? By most accounts, very quickly. Earlier this year, Cloud Native Computing Foundation executive director Dan Kohn penned a blog post that dug into that claim. People regularly tout Kubernetes as one of the highest velocity projects ever in open source history: Does the data back it up?
As Kohn found, there may not be a single definitive metric, but they all point to the same conclusion: “You can pick your preferred statistic, such as that Kubernetes is in the top 0.00006% of the projects on GitHub,” Kohn wrote. “I prefer to just think of it as one of the fastest moving projects in the history of open source.”
You can find plenty of numbers that illuminate Kubernetes’ path to becoming one of the most popular container orchestration tools, as well as other important characteristics of the platform. We rounded up some of the best for your consideration – and your potential use in making the case for Kubernetes in your organization.
One of my all time favorite quotes is from Brian Goetz, a smart dude in the Java world who is one of the authors of Java Concurrency in Practice, among other things. The quote appears in an interview that Oracle published under the title, “Write Dumb Code”. Goetz was asked how to write code that performs well. Here is what he had to say:
Often, the way to write fast code in Java applications is to write dumb code — code that is straightforward, clean, and follows the most obvious object-oriented principles.
The rest of the ~1000 words is devoted to explaining why trying to optimize code and trying to be clever is a common programmer mistake.
The HPC world has some amazing “big” tools that help administrators monitor their systems and keep them running, such as the Ganglia and Nagios cluster monitoring systems. Although they are extremely useful, sometimes it is the smaller tools that can help debug a user problem or find system issues.
ldd
The introduction of sharable objects, or “dynamic libraries,” has allowed for smaller binaries, less “skew” across binaries, and a reduction in memory usage, among other things. Users, myself included, tend to forget that when code is compiled, we only see the size of the binary itself, not the “shared” objects.
For example, the following simple Hello World program, called test1, uses the PGI compilers (16.10).
Black Duck announced the release of its OpsSight automatic open source vulnerability detection solution for containers at its Flight 2017 conference in Boston today.
According to the company’s CEO Lou Shipley, OpsSight is Black Duck’s first product that targets the production phase of the software lifecycle.
“…as the number of containers grows, so does the complexity of validating the contents and securing container images in production. OpsSight allows operations teams to be sure deployments are free from known open source security vulnerabilities because it provides full visibility into and control over the open source in the container images.”