05.22.2018 How to achieve strong isolation by PouchContainer ALLEN SUN [email protected] ALIBABA GROUP Agenda PouchContainer Intro Strong Isolation Features Brief Summary Raise you hand if you agree with that containerization is the first step to embrace cloud native. Keep you hand raised if you have containerized all applications in data center. PouchContainer Intro • Container solutions for devs and ops • FFaasstt ccoonnttaaiinneerriizzee lleeggaaccyy aapppplliiccaattiioonnss ffoorr eenntteerrpprriisseess • Open source https://github.com/alibaba/pouch • Similar tools: docker, mesos container, lxc • Distinguished feature: isolation, storage and so on PouchContainer Adoption in Alibaba Covered Business： Scale： l Ant trascation l Cover almost all BUs l Middleware l Millions of containers on the 2017 l DBs Singles Days l B2B/CBU/ICBU/1688/… l Online business 100% Pouchrized l Youku Covered tech stack： l Alimama l Programming languages l Private cloud delivered by Alibaba Cloud l DBs l …… l Online services Evolution of PouchContainer •Hack container elements manually Elements in Container(from devs and ops) • individual IP • virtualized eth0 • be tunneled by ssh • sshd • individual filesystems • Chroot (pivot_root) • resource view isolation • CGroup，Namespace • introduce LXC（Linux Container） Container in Alibaba • resource view isolation patch in kernel • disk quota support Introduce Docker Image Architecture of PouchContainer Arch of pouchd Strong Isolation features • traditional isolation: namespaces & cgroups • better resource view isolation • kernel patch in old days • lxcfs •More quota support: • disk • network bandwidth •Hypervisor-based container: • katacontainers Hypervisor-based container——katacontainers • hypervisor-based • as secure as VM • as fast as container • seamless integration with container ecosystem