WARNING:
This project is no longer maintained.
All users are encouraged to migrate to Kata Containers.
See the Kata Containers project installation documentation for further details.
To see the old Clear Containers README, click here.
OCI (Open Containers Initiative) compatible runtime using Virtual Machines
License: Apache License 2.0
From @jodh-intel on October 18, 2016 8:5
See: https://github.com/opencontainers/runtime-spec/blob/master/config.md#process-configuration
process.consoleSize is specified by docker 1.12.2.
Copied from original issue: intel/cc-oci-runtime#330
ps shows all processes running inside a container.
We want to be able to run the networking metrics tests on CC3.x like we did for CC2.x
From @jodh-intel on August 30, 2016 16:48
See: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp
Copied from original issue: intel/cc-oci-runtime#193
We should probably do a review of our executables 'capabilities', and start to remove any that are not needed (to reduce attack surface).
On the host side we should check what we can do for:
and on the guest side we probably need to set or remove the capabilities around the workload according to the configuration (from the OCI file for instance) that is passed in/requested of us.
All Clear Containers share the same kernel and guest OS image, and thus the hypervisor will allocate anonymous pages for both of those components. For many of them, those pages could be shared and deduplicated through the Kernel Same Page Merging (KSM) technology. Unfortunately, we are currently not taking full advantage of it for the following reasons:
Both our runtime and proxy components can gather pieces of information about the current number of running/started/starting Clear Containers, the number of started containers during the last N seconds, etc...
By combining this data with at least the host available memory and CPU utilization, we should implement a ksm tuning loop that will:
Running KSM frequently can have a significant impact on the overall system performance. We need to take advantage of KSM memory overhead reduction while at the same time minimizing the number of pages the KSM kernel thread wants and can scan:
cc @jtkukunas
For some unknown reason, we cannot use the latest kernels for Clear Containers guest kernel when using Semaphore CI. Indeed, using some 4.9 kernels (maybe something changed in the config and it is not related to the kernel version) makes the kernel crash inside the VM, while it works perfectly with kernel 4.5-50. This was the kernel released just before we switched to 4.9.4-53.
Implement the runtime create command according to the OCI specs.
Gate runtime, @clearcontainers/proxy, @clearcontainers/shim PR merges by basic PnP runs: Container density and boot time for docker run busybox true.
cc @jtkukunas
Implement the runtime delete command according to the OCI specs.
Implement Clear Containers networking support:
Should this be done from virtcontainers?
So that one can easily reproduce and track PnP locally.
From @devimc on July 18, 2016 18:53
ps command has no implementation
Copied from original issue: intel/cc-oci-runtime#24
Compare a full OS image vs an uncompressed initrd/initramfs one for:
We may be ready to accept slight boot time degradation for significant memory consumption reduction.
cc @jtkukunas
We want to be able to run the boot time tests for CC 3.x like we did for CC 2.x.
From @jodh-intel on August 30, 2016 16:49
See: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#readonly-paths
Copied from original issue: intel/cc-oci-runtime#196
Implement the runtime state command according to the OCI specs.
With Clear Containers we are pushing all network packets between the container and the host through a Linux bridge, with or without SRIOV.
Having basic networking benchmarks (iperf based?) for Clear Containers with and without SRIOV would be needed.
cc @jtkukunas
Runtime's unit testing only covers 35% of the runtime code today.
The code will need some refactoring but this needs to be improved.
We want to measure the overall Clear Containers (QEMU, guest VM, runtime, shim, proxy) memory overhead, but we should also measure our memory overhead compared to a very basic QEMU instance.
This will give us the runtime+shim+proxy+guest VM overhead.
Our basic QEMU VM should not even boot a kernel, but stop at the firmware level.
From @jodh-intel on August 30, 2016 16:35
The following namespaces are not honoured:
pid (see #143)
mount
ipc
uts
user
cgroup
See: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces.
Note that the network namespace is created outside the VM - this is mandatory to work with docker and have working networking.
Copied from original issue: intel/cc-oci-runtime#189
run creates and starts a container
From @jodh-intel on August 30, 2016 16:26
See https://github.com/opencontainers/runtime-spec/blob/master/config.md#process-configuration.
Copied from original issue: intel/cc-oci-runtime#184
We should add I/O tests for measuring disk/volumes and filesystem throughput.
We know 9pfs is slow and we hope to be able to improve it over time, and thus we need to include benchmarks for it to our PnP suite.
cc @jtkukunas
From @jodh-intel on September 29, 2016 9:32
Travis is an excellent facility, but the fact that the newest environment they support is Ubuntu Trusty (14.04) is problematic given the old versions of tooling and libraries.
We should use Travis to trigger a build and test run inside a docker image since that way we can use any environment we wish (even multiple).
Related: #255, #295, #114, #155.
Copied from original issue: intel/cc-oci-runtime#305
From @jodh-intel on August 30, 2016 16:47
See: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#sysctl
Copied from original issue: intel/cc-oci-runtime#192
We should define and publish a short set of custom workloads for our benchmarks.
For example:
Each of those workloads should:
From @sameo on January 24, 2017 15:44
We do not support running Clear Containers within the host network (docker --net=host run foo).
Although this sounds like a corner case, it seems that Kubernetes starts at least one such container per node (for kube-proxy) in order to mess with the host iptables and routes.
Copied from original issue: intel/cc-oci-runtime#617
Implement the runtime kill command according to the OCI specs.
cc @jtkukunas
To be completed with more tests
Does our memory consumption scale with the number of started containers? With KSM enabled the average memory consumption per container should decrease with the number of containers.
We should measure the total average memory consumption per container for 1, 10, 100, 500 and 1000 running containers.
We want to be able to measure Clear Containers memory density.
For a given machine (Available RAM, distro, etc...), we should measure how many Clear Containers can be started before we crash or before docker refuses to launch more.
This benchmark should be run with at least 2 parameters:
From @jodh-intel on July 18, 2016 16:58
Specifically, process.user.uid, process.user.gid and process.additionalGids are ignored.
See: clr_oci_create_container_workload() in src/oci.c.
Copied from original issue: intel/cc-oci-runtime#20
The runtime needs a configuration file for runtime specific settings:
Hypervisor
Agent
In order to improve boot time, we want to instrument QEMU and understand where we can reduce the number of VM exits by e.g. tuning VT-x to skip some of them.
cc @jtkukunas
Besides the raw memory consumption in KBytes, we should measure more fine grained data:
We would also need to get how those pages are distributed between the process mappings. For example how many anonymous pages are used by glibc for a given QEMU process. This will allow us to understand where e.g. our QEMU processes are consuming the most pages:
Finally, we need to add huge pages consumption to that data.
We should use more than one distro for measuring our Clear Containers performance data.
Clear Linux, Fedora and Ubuntu for example.
cc @jtkukunas
We should have a runtime command (runtime config) for generating a default configuration with all options set to reasonable values. For binary paths (shim, proxy), we should use the default Clear Containers values.
cc @jtkukunas
To be completed with more tests
On a given system running N containers, how does our boot time per container increase when starting a single container? N=[10, 50, 100]
We currently use both, sometimes it's /var/run/clearcontainers and other times /var/lib/clear-containers. Pick one and stick with it. A quick git grep suggests we like clear-containers better.
From @jodh-intel on August 22, 2016 13:27
The OCI config file, config.json, specifies resource constraints in the form of linux.resources JSON objects which map closely to cgroups.
We need to find a way to implement such constraints.
See:
Copied from original issue: intel/cc-oci-runtime#148
Integrate with Kubernetes at the CRI level, through the CRI-O project.
Add support for the OCI CLI spec.
Use an existing Go package for command and options handling like e.g. github.com/urfave/cli.
We'd like to be able to run the I/O (storage) metrics on CC3.x like we did for CC2.x.
We'd like to be able to run for local and remote volumes and rootfs.
From @jodh-intel on Jul 18, 2016
See https://github.com/opencontainers/runtime-spec/blob/master/config.md#annotations.
Copied from original issue: intel/cc-oci-runtime#21
We should check if we have 'atime' set (or more correctly, noatime not set) on our mount points. Currently we believe it is not, and timestamp updates may be trickling down to layers that really don't need any updates, and the data is lost on container quit anyhow.
@mcastelino, as he was involved in the original discussion - so please add thoughts as appropriate.
From @dlespiau on August 19, 2016 17:21
We could use PrivateTmp (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=) as a quick solution, but might as well take all the other init process/exec related issue and come up with a better solution.
Copied from original issue: intel/cc-oci-runtime#144
We want to be able to run the memory consumption metrics for CC3.x like we did for CC2.x
From @jodh-intel on August 30, 2016 16:49
See: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#masked-paths.
Copied from original issue: intel/cc-oci-runtime#195
Implement the runtime start command according to the OCI specs.
We want a generic API for converting an OCI compatible config.json file into a virtcontainers PodConfig.
The runtime will then use the PodConfig to call into virtcontainers API and manage the containers lifecycles.