Share this page!

Ivan Velichko Profile picture
Twitter logo
30 Oct, 6 tweets, 2 min read
How Kubernetes differs from Docker in the way it deals with containers 🔽

Under the hood, Kubernetes and Docker both rely on the same/similar lower-level components to run containers.

Often, both use containerd and runc. However, Kubernetes makes the container runtime pluggable
Even when Kubernetes uses exactly the same container runtime as Docker, the implementation of Pods differs from the implementation of Containers.

Pods are more than just groups of containers. Containers in a pod share net, ipc, and uts namespaces making pods more similar to VMs.
Not all Containers are Linux containers!

OCI Runtime Spec doesn't limit container implementation to namespaces and cgroups. And VM-based containers is a real thing!

Some of the container runtimes supported by Kubernetes (e.g., Kata), launch a micro-VM per Pod.
Read more about different forms of containers:

iximiuz.com/en/posts/oci-c…
Check out an in-depth analysis of how Pods differ from Containers from the implementation standpoint:

iximiuz.com/en/posts/conta…
Learn why and how to use containerd - one of the most widely used container runtimes - without Docker or Kubernetes:

iximiuz.com/en/posts/conta…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Ivan Velichko

Ivan Velichko Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @iximiuz

Ivan Velichko Profile picture
20 Oct
Computer Networking in Layman's Terms (thread)

L2 - Ethernet
L3 - IP
L4 - TCP
L7 - HTTP

Lots of server-side folks are fluent with L4/L7 concepts. But understanding L2/L3 is often important too!

Especially if you deal with containers, Kubernetes, or DC networking constraints 🔽
Example ✏️

By default, Docker/podman/containerd/etc. use a `bridge` network to interconnect containers on a single host. But what is a Bridge?

In the case of containers, a Bridge is a virtual device. However, it simulates a real-world L2/L3 networking device called a Switch.
A Switch is a multiport device that combines two logical functions: L2 bridging and L3 routing.

Bridging creates an L2 broadcast domain out of connected nodes. A single broadcast domain _usually_ forms an L3 network.

Routing creates an (inter)network out of L3 (sub)networks.
Read 8 tweets
Ivan Velichko Profile picture
3 Oct
Cloud-Native Learn-by-Doing Platforms (part 2) ✏️

I closely reviewed 10+ platforms providing a hands-on learning experience to study:

- Linux
- Containers
- Orchestration
- other Cloud-Native stuff

My findings (thread) 🔽

#kubernetes #docker #containers #linux #sre #devops
1. A Cloud Guru (acloudguru .com)

A really massive platform for individuals and businesses.

Content:
- 360+ courses and 1,600+ hands-on labs
- Clouds: AWS, GCP, etc.
- Tech: Kubernetes, Docker, Serverless

Playgrounds:
- Servers
- Temporary cloud accounts

Price:
$35-$50/month
2. Developer Sandbox for Red Hat OpenShift (developers.redhat .com/developer-sandbox)

A free platform with a private OpenShift playground:
7 GB RAM, 15GB storage 🔥

Almost no educational content, but combines well with kubebyexample .com.
Read 7 tweets
Ivan Velichko Profile picture
30 Aug
iptables - a userspace program to configure IP packets filtration and modification rules.

It's a dated but still widely used tool:

- Linux firewall
- Container egress (SNAT) and port publishing (DNAT)
- Kubernetes service discovery
- Service Mesh transparent injection
- etc. 🔽 Image
iptables comes with its own terminology:

- tables
- chains
- rules
- targets
- policies

...that might be challenging to grasp. Here is how I approach it.

1. Come up with a logical model of packet processing inside the Linux kernel. Give meaningful names to stages. Image
2. Understand possible packet paths through the kernel.

Packet from a local process:
OUTPUT -> POSTROUTE

Packet to a local process:
PREROUTE -> INPUT

Packet forwarded between interfaces:
PREROUTE -> FORWARD -> POSTROUTE
Read 6 tweets
Ivan Velichko Profile picture
22 Aug
How to Expose Multiple Containers On the Same Port

First off, why you may need it:

- Load Balancing - more containers mean more capacity
- Redundancy - if one container dies, there won't be downtime
- Single Facade - run multiple apps behind one frontend

Interested? Read on!🔽
Docker doesn't support binding multiple containers to the same host port.

Instead, it suggests using an extra container with a reverse proxy like Nginx, HAProxy, or Traefik.

Here are two ways you can trick Docker and avoid adding the reverse proxy:

1. SO_REUSEPORT
2. iptables
Multiple Containers On the Same Port w/o Proxy (I)

1) Use SO_REUSEPORT sockopt for your server sockets
2) Run containers with `--network host` and the same port

SO_REUSEPORT allows binding diff processes to the same port.
--network host puts all containers on one network stack.
Read 8 tweets
Ivan Velichko Profile picture
21 Aug
Containers are Virtual Machines (controversial thread)

Some mental gymnastics. Bear with me.

Person A comes to Containers with prior VM experience.
Dockerfiles start FROM debian/centos/etc.
docker run/exec feels like SSH-ing sessions into servers.

Containers are VMs!
A container starts in less than a second
A VM takes tens of seconds to start

A bare-metal server can run hundreds of containers
Only a few VMs can coexist on a server

How come?

Person A starts digging into the internals to understand the difference between containers and VMs.
Person A: Aha! Containers are just isolated and restricted Linux processes + OS-level virtualization!

Person A starts sharing the finding with friends and colleagues - seasoned backend devs. Everyone instantly grasps the idea.

Then a Person B comes by. W/o prior VM experience.
Read 7 tweets
Ivan Velichko Profile picture
15 Aug
Grasping Kubernetes Networking (Mega Thread)

- What is Kubernetes Service?
- When to use ClusterIP, NodePort, or LoadBalancer?
- How does multi-cluster service work?
- Why both Ingress and Ingress Controller?

The answers become clear when things are explained bottom-up! 🔽
1. Low-level Kubernetes Networking Guarantees

To make Pods mimicking traditional VMs, Kubernetes defines its networking model as follows:

- Every Pod gets its own IP address
- Pods talk to other Pods directly (no visible sNAT)
- Containers in a pod communicate via localhost
2. Kubernetes does nothing for low-level networking!

It delegates the implementation to Container Runtimes and networking plugins.

A typical example: cri-o (CR) connects pods on a node to a shared Linux bridge; flannel (plugin) puts nodes into an overlay network.
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @iximiuz has new unrolls!

Check out other threads from @iximiuz!

Read all threads by @iximiuz

:(