
Containers - CloudNativeCon
Wednesday, December 6


Container Runtime and Image Format Standards - What it Means to be “OCI-Certified” [I] - Jeff Borek, IBM & Stephen Walli, Microsoft
With the proliferation and rapid growth of container-based solutions over the past few years—including container-based solutions from almost all major IT vendors, cloud providers, and emerging start-ups—the industry needed a standard on which to support container image formats and runtimes while also ensuring interoperability and neutrality. The Open Container Initiative (OCI) was launched with the goal of developing common, minimal, open standards and specifications around container technology without the fear of lock-in. OCI has recently issued v1.0 of its container image format and runtime specifications, which enable a consistent and stable platform for running containerized applications.

The next phase in ensuring broad adoption of common container image format and runtime specifications is the OCI Certification program, which will be launching soon. This session will provide an overview of the program and its goals, factors to consider in deciding whether becoming OCI-certified makes sense for your container project, how to get your container project OCI-certified, and how you might be able to gain interoperability benefits from OCI-certified solutions. This session will also include a demo of the OCI Image validator being run against container images from container image registries from multiple vendors.


Jeffrey Borek

WW Program Director, IBM
Jeffrey Borek is a senior technology and communications professional with over twenty years of leadership and technical experience in the Software, Telecommunications, and Information Technology industries. He is currently the leader of the OSPO at IBM, and works in the Open Technologies...

Stephen Walli

Principal Program Manager, Microsoft
Stephen is a principal program manager in the Azure Office of the CTO at Microsoft. He is the governing board chair for the Confidential Computing Consortium. Prior to Microsoft, he has been a distinguished technologist (HPE), technical executive, a founder, a consultant, a writer...

Wednesday December 6, 2017 11:10am - 11:45am
Ballroom B, Level 1


Embedding the Containerd Runtime for Fun and Profit [I] - Phil Estes, IBM
The containerd project, one of the youngest in CNCF, is purpose-built to be an embeddable container runtime intended for use within higher-layer container systems like the Docker engine and the Kubernetes orchestrator. Of course, the intent is that it will be used and embedded within a variety of software systems, and it has been designed for easy consumption via a gRPC API and client library.

In this talk we'll walk through a straightforward example of building up a container "client" written in Go, using today's containerd client library and API. Similar to how the Kubernetes CRI uses the containerd endpoints or how the Docker engine's libcontainerd operates, our small client will have access to all the same capabilities of container lifecycle management and registry interactions provided by containerd.

To finish our tour of building a fully functioning containerd client, we will pair our new sample application with LinuxKit and the Moby tool project. Using these tools, we'll build a simple virtual machine that embeds containerd and our sample client to test interesting aspects of containerd's capabilities in our own customized Linux OS image.


Phil Estes

Distinguished Engineer & CTO, Container Architecture Strategy, IBM
Phil is a Distinguished Engineer in the office of the CTO for IBM Cloud, guiding IBM's strategy around containers and Linux. Phil is a founding maintainer of the CNCF containerd runtime project, and participates in the Open Container Initiative (OCI) as a member of the Technical Oversight...

Wednesday December 6, 2017 11:55am - 12:30pm
Ballroom B, Level 1


Kata Containers: Hypervisor-Based Container Runtime - Xu Wang, HyperHQ & Samuel Ortiz, Intel

Kata Containers is a merger of two hypervisor-based container runtime efforts: Hyper's runV and Intel's Clear Containers. With Kata Containers, each container is hypervisor-isolated just like an EC2 or GCE instance. It is an OCI-compatible runtime and as such can seamlessly work with containerd or hyperd. Moreover, it fully supports the Kubernetes CRI APIs and thus can run and manage hypervisor-isolated Kubernetes pods through CRI-O, containerd-cri or frakti. Finally, Kata Containers is a multi-architecture project, as it supports x86, ARM, Power and s390x platforms.

During this talk we will describe the Kata Containers architecture and how it drastically reduces the virtualization overhead in order to be as fast as a namespace-based container runtime while being as secure as a legacy VM. We will also run a multi-tenant Kubernetes demo in order to show how Kata Containers could become the cornerstone of a secure, infrastructure-free container cloud.


Samuel Ortiz

Principal Software Engineer, Intel
I work at the Intel Open Source Technology Center where I spend my time playing with containers, virtual machines, hypervisors and orchestrators. Although I am currently contributing to Kata Containers, CRI-O, QEMU, NEMU and rust-vmm, I used to work on obscure networking protocols...

Xu Wang

Senior Staff Engineer, Ant Financial
Xu Wang is a senior staff engineer at Ant Financial and an initial member of Kata Containers Architecture Committee. He was the CTO and Cofounder of hyper.sh and created hypervisor-based open source container runtime runV (secure as VM, fast as container). runV merged with clear containers...

Wednesday December 6, 2017 2:00pm - 2:35pm
Ballroom B, Level 1


Building Specialized Container-Based Systems with Moby: A Few Use Cases [I] - Patrick Chanezon, Docker
Moby is an open source project providing a "LEGO set" of dozens of components, the framework to assemble them into specialized container-based systems, and a place for all container enthusiasts to experiment and exchange ideas.
One of these assemblies is Docker CE, an open source product that lets you build, ship, and run containers.

This talk will explain how you can leverage the Moby project to assemble your own specialized container-based system, whether for IoT, cloud or bare metal scenarios.
We will cover Moby itself, the framework, and tooling around the project, as well as many of its components: LinuxKit, InfraKit, containerd, SwarmKit, Notary.
Then we will present a few use cases and demos of how different companies have leveraged Moby and some of the Moby components to create their own container-based systems.


Patrick Chanezon

Chief Developer Advocate, Docker
As the Chief Developer Advocate for Docker, Patrick Chanezon helps drive the direction of the company’s open source projects, acting as an advocate for the developer community to assure that their requirements and issues are addressed in the Docker platform. From 2013 to 2015, he...

Wednesday December 6, 2017 2:45pm - 3:20pm
Ballroom B, Level 1


CRI-O: All the Runtime Kubernetes Needs, and Nothing More - Mrunal Patel, Red Hat
CRI-O is a brand new container runtime dedicated and optimized to support Kubernetes workloads. Its goal is to be a stable container runtime tied to Kubernetes releases, replacing the Docker daemon.

Historically every update of Docker has broken Kubernetes. This has led to major rewriting and fixes of Kubernetes, which is understandable since Docker is not primarily for Kubernetes. Kubernetes needs a container runtime dedicated to its specifications.

CRI-O (the name comes from the Container Runtime Interface for Open container runtimes) takes advantage of emerging standards like the OCI Runtime and Image Specifications, as well as open source projects to handle container images (github.com:containers/image, github.com:containers/storage). This means that as these projects advance, CRI-O will be able to take advantage of the improvements and features, all the while guaranteeing that it will not break any functionality required by the Kubernetes CRI. CRI-O works with the runc and Clear Containers runtimes.

CRI-O was designed from the ground up to satisfy the Kubernetes Container Runtime Interface, and currently passes all node and E2E tests. The GitHub repository has been set up to not accept any pull requests that cause these tests to break. We will be tying the versions of CRI-O to the Kubernetes versions, to maintain complete compatibility.

This talk will describe the CRI-O architecture as well as demonstrate different Kubernetes features running on top of CRI-O, exercising the CRI API. The attendees will learn how to configure CRI-O with Kubernetes and use it for their workloads.


Mrunal Patel

Principal Software Engineer, Red Hat
Mrunal Patel is a Principal Software Engineer at Red Hat working on containers for OpenShift. He is a maintainer of runc/libcontainer and the OCI runtime specification. He is the lead developer of CRI-O. He has helped contribute support for user namespaces to the Go programming language...

Wednesday December 6, 2017 3:40pm - 4:15pm
Ballroom B, Level 1


Building Better Containers: A Survey of Container Build Tools [I] - Michael Ducy, Chef
If you stick to the “industry standard” method of building containers (Dockerfiles), it’s easy to build containers that contain libraries, tools, binaries, and more that you don’t need. One survey showed that over 75% of containers contain a full operating system. So how can you build containers that only contain the bits you require to run a particular application, and nothing more? This talk will cover various tools in the open source community that provide better methods for building containers, no matter the underlying container runtime. We will explore Bazel (along with Distroless), Smith (from Oracle), and Habitat (from Chef), and we will cover the benefits and drawbacks of each method. A short demo of each tool will be included.


Michael Ducy

Director of Community & Evangelism, Sysdig
Michael Ducy currently works as Director of Community & Evangelism for Sysdig where he is responsible for growing adoption of Sysdig’s open source solutions. Previously, Michael worked at Chef where he held a variety of roles helping customers and community members leverage Chef’s...

Wednesday December 6, 2017 4:25pm - 5:00pm
Ballroom B, Level 1