What is Carina?
Carina is a container runtime environment (currently in Beta) that offers performance, container-native tools, and portability without sacrificing ease of use. You can get started in minutes by using open-source software on managed infrastructure to run your containerized applications.
Your containers run in a bare-metal environment, which avoids the “hypervisor tax” on performance. Applications in this environment launch as much as 20 percent faster and run as much as 60 percent faster. This environment builds on the standard restrictions set out by libcontainer by using an AppArmor profile as an additional security layer to keep your resources isolated.
Carina is built on the open-source Docker Swarm project. It exposes the Docker API, which gives you maximum portability for easily moving applications from development to test and production environments, thus reducing errors and saving time. In the future, other container orchestration environments will be available to you.
You also have access to an intuitive user interface (UI), a command-line interface (CLI), and Carina-specific developer tooling, in addition to the ecosystem of tools already compatible with the Docker API. You also have access to a wealth of documentation, from getting-started guides to detailed tutorials and best practices. If you need help, you can access community support directly from other developers.
The path from creating a free account (no credit card required) to running a containerized application on a cluster takes under two minutes. You will use open-source software like Docker to compose your applications. And because the infrastructure is managed by Carina, you can take advantage of features like autoscaling. Now you can focus on what is important to you, your business, and your applications.
Usage
brew install carina
export CARINA_USERNAME=<email>
export CARINA_APIKEY=<api_key>
carina create cluster --wait --segments=2 --autoscale
carina list
eval $(carina env cluster)
# Now play with docker images
$ docker run -itd -P nginx
ebca8aff4badb001912cc119fb58a93d6d2209622ec74404c0643ecbbf31a50a
# Grab public ip and ports
$ docker inspect -f {{.NetworkSettings.Ports}} ebca8aff
map[443/tcp:[{104.130.0.24 32768}] 80/tcp:[{104.130.0.24 32769}]]
Limitations
For a public container service, Carina should, of course, only allow containers to run non-privileged processes. For example:
$ docker run --rm --privileged busybox
Timestamp: 2016-02-29 02:21:29.151360105 +0000 UTC
Code: System error
Message: permission denied
Frames:
---
0: setupRootfs
Package: github.com/opencontainers/runc/libcontainer
File: rootfs_linux.go@40
---
1: Init
Package: github.com/opencontainers/runc/libcontainer.(*linuxStandardInit)
File: standard_init_linux.go@57
---
2: StartInitialization
Package: github.com/opencontainers/runc/libcontainer.(*LinuxFactory)
File: factory_linux.go@240
---
3: initializer
Package: github.com/docker/docker/daemon/execdriver/native
File: init.go@35
---
4: Init
Package: github.com/docker/docker/pkg/reexec
File: reexec.go@26
---
5: main
Package: main
File: docker.go@18
---
6: main
Package: runtime
File: proc.go@111
---
7: goexit
Package: runtime
File: asm_amd64.s@1721
docker: Error response from daemon: 500 Internal Server Error: Container command could not be invoked..
What interests me is that Carina allows your container to bind to the host network, which means processes in the container can monitor all the networks of the underlying physical machine:
docker run -it --rm --net=host busybox sh
/ # hostname
a0b7f5c6-a069-4ed0-b681-adc9ad8cd8de-n1
/ # ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:83:02:E7:0C
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:83ff:fe02:e70c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1211 errors:0 dropped:0 overruns:0 frame:0
TX packets:1260 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:579745 (566.1 KiB) TX bytes:596826 (582.8 KiB)
eth0 Link encap:Ethernet HWaddr BC:76:4E:20:ED:26
inet addr:104.130.0.23 Bcast:104.130.0.255 Mask:255.255.255.0
inet6 addr: fe80::be76:4eff:fe20:ed26/64 Scope:Link
inet6 addr: 2001:4802:7800:103:be76:4eff:fe20:ed26/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:105014 errors:0 dropped:0 overruns:0 frame:0
TX packets:74924 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:195922683 (186.8 MiB) TX bytes:10895679 (10.3 MiB)
eth1 Link encap:Ethernet HWaddr BC:76:4E:20:F5:C3
inet addr:10.176.224.183 Bcast:10.176.255.255 Mask:255.255.224.0
inet6 addr: fe80::be76:4eff:fe20:f5c3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:570 (570.0 B) TX bytes:648 (648.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:509058 errors:0 dropped:0 overruns:0 frame:0
TX packets:509058 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:142964399 (136.3 MiB) TX bytes:142964399 (136.3 MiB)
veth1a257f6 Link encap:Ethernet HWaddr DE:DC:7D:59:A4:DE
inet6 addr: fe80::dcdc:7dff:fe59:a4de/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1161 errors:0 dropped:0 overruns:0 frame:0
TX packets:1270 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:590651 (576.8 KiB) TX bytes:597163 (583.1 KiB)
/ # brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02428302e70c no veth1a257f6
/ # netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:12000 0.0.0.0:* LISTEN -
tcp 0 0 10.176.224.183:12001 0.0.0.0:* LISTEN -
tcp 0 0 10.176.224.183:12002 0.0.0.0:* LISTEN -
tcp 0 0 10.176.224.183:7946 0.0.0.0:* LISTEN -
tcp 0 0 10.176.224.183:8300 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8400 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8600 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:12000 127.0.0.1:57711 ESTABLISHED -
tcp 0 0 127.0.0.1:12000 127.0.0.1:57808 ESTABLISHED -
tcp 0 0 127.0.0.1:12000 127.0.0.1:54332 ESTABLISHED -
tcp 0 0 127.0.0.1:57808 127.0.0.1:12000 ESTABLISHED -
tcp 0 0 127.0.0.1:57832 127.0.0.1:12000 ESTABLISHED -
tcp 0 0 127.0.0.1:54335 127.0.0.1:12000 ESTABLISHED -
tcp 0 0 104.130.0.23:43695 104.130.0.23:42376 ESTABLISHED -
tcp 0 0 127.0.0.1:12000 127.0.0.1:54335 ESTABLISHED -
tcp 0 0 127.0.0.1:54328 127.0.0.1:12000 ESTABLISHED -
tcp 0 0 127.0.0.1:54332 127.0.0.1:12000 ESTABLISHED -
tcp 0 0 104.130.0.23:43692 104.130.0.23:42376 ESTABLISHED -
tcp 0 0 127.0.0.1:12000 127.0.0.1:57832 ESTABLISHED -
tcp 0 0 127.0.0.1:12000 127.0.0.1:54328 ESTABLISHED -
tcp 0 0 104.130.0.23:43694 104.130.0.23:42376 ESTABLISHED -
tcp 0 0 104.130.0.23:47207 104.130.0.23:42376 ESTABLISHED -
tcp 0 0 127.0.0.1:57711 127.0.0.1:12000 ESTABLISHED -
tcp 0 0 :::32770 :::* LISTEN -
tcp 0 0 :::2376 :::* LISTEN -
tcp 0 0 :::42376 :::* LISTEN -
tcp 0 0 :::22 :::* LISTEN -
tcp 0 0 ::ffff:104.130.0.23:42376 ::ffff:104.130.0.23:47207 ESTABLISHED -
tcp 0 0 ::ffff:104.130.0.23:42376 ::ffff:104.130.0.23:43694 ESTABLISHED -
tcp 0 2500 ::ffff:104.130.0.23:2376 ::ffff:139.227.1.228:50333 ESTABLISHED -
tcp 0 0 ::ffff:104.130.0.23:42376 ::ffff:104.130.0.23:43695 ESTABLISHED -
tcp 0 0 ::ffff:104.130.0.23:42376 ::ffff:104.130.0.23:43692 ESTABLISHED -
tcp 0 0 ::ffff:104.130.0.23:2376 ::ffff:139.227.1.228:50332 ESTABLISHED -
udp 0 0 10.176.224.183:7946 0.0.0.0:* -
udp 0 0 127.0.0.1:8600 0.0.0.0:* -
udp 0 0 10.176.224.183:12001 0.0.0.0:* -
udp 0 0 10.176.224.183:12002 0.0.0.0:* -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 1015753155 - /var/lib/docker/network/files/33d3542ddd4b10c0411b8c50997cceb8272475bc7a63caeb666e772b57c48a8a.sock
unix 2 [ ACC ] STREAM LISTENING 1015755212 - /var/run/docker.sock
/ # brctl addbr br0
brctl: bridge br0: Operation not permitted
Although you cannot manage networks (Operation not permitted), as you can see above, containers can obtain a lot of sensitive information about the machine. Actually, I don't understand why Rackspace would take this risk for a public service, or whether this is simply a mistake on their part.
Though Rackspace takes a different approach to CaaS (running Docker on bare metal), Docker itself without a hypervisor is still not secure enough for public container services. That is why all public container services, including AWS ECS, Google GKE, Docker Cloud and so on, run Docker on virtual machines provided by IaaS.
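The two limitations above (the refused --privileged run and the permitted --net=host run) are both visible in the HostConfig section of `docker inspect` output, and the port mapping printed by `docker inspect -f {{.NetworkSettings.Ports}}` in the usage section comes from the same JSON. The following audit script is an added example for this post, not Carina's or Docker's own code: it reads a `docker inspect` JSON array and reports, per container, whether it is privileged, uses the host network, PID or IPC namespace, has added capabilities, or bind-mounts the Docker socket, and lists its published ports. The SAMPLE_INSPECT records are constructed for the example; the nginx container id and port mapping mirror the post's output, and the other two ids are made up.

```python
"""Audit `docker inspect` output for host-exposing container settings.

Added example for this post (not Carina's or Docker's own code). It reads
the JSON array that `docker inspect <container>...` prints and reports, per
container, the HostConfig options discussed above: --privileged (which
Carina refuses) and --net=host (which Carina allows), plus the closely
related host PID/IPC namespaces, added capabilities and a bind mount of
the Docker socket. It also flattens NetworkSettings.Ports, the same data
`docker inspect -f {{.NetworkSettings.Ports}}` prints in the usage section.
The SAMPLE_INSPECT records below are constructed for the example.
"""
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"


def _binds_docker_socket(hc):
    """True if any -v/--volume bind mounts the host's Docker socket."""
    return any(b.split(":")[0] == DOCKER_SOCKET for b in (hc.get("Binds") or []))


# (finding name, predicate over the HostConfig dict); order fixes report order
CHECKS = [
    ("privileged", lambda hc: bool(hc.get("Privileged"))),
    ("host-network", lambda hc: hc.get("NetworkMode") == "host"),
    ("host-pid", lambda hc: hc.get("PidMode") == "host"),
    ("host-ipc", lambda hc: hc.get("IpcMode") == "host"),
    ("added-capabilities", lambda hc: bool(hc.get("CapAdd"))),
    ("docker-socket-mounted", _binds_docker_socket),
]


def audit_container(record):
    """Finding names for one inspect record; an empty list means nothing flagged."""
    hc = record.get("HostConfig") or {}
    return [name for name, pred in CHECKS if pred(hc)]


def published_ports(record):
    """(container_port, host_ip, host_port) triples from NetworkSettings.Ports."""
    ports = (record.get("NetworkSettings") or {}).get("Ports") or {}
    out = []
    for cport, bindings in ports.items():
        for b in bindings or []:
            out.append((cport, b.get("HostIp"), int(b["HostPort"])))
    return sorted(out)


def report(inspect_json):
    """Map short container id -> {'name', 'findings', 'ports'} for an inspect array."""
    result = {}
    for rec in json.loads(inspect_json):
        result[rec["Id"][:12]] = {
            "name": rec.get("Name", "").lstrip("/"),
            "findings": audit_container(rec),
            "ports": published_ports(rec),
        }
    return result


# Constructed sample: the nginx id and port mapping mirror the post's
# `docker inspect` output; the other two ids are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "ebca8aff4badb001912cc119fb58a93d6d2209622ec74404c0643ecbbf31a50a",
        "Name": "/nginx",
        "HostConfig": {"Privileged": False, "NetworkMode": "default",
                       "PidMode": "", "IpcMode": "", "CapAdd": None, "Binds": None},
        "NetworkSettings": {"Ports": {
            "80/tcp": [{"HostIp": "104.130.0.24", "HostPort": "32769"}],
            "443/tcp": [{"HostIp": "104.130.0.24", "HostPort": "32768"}]}},
    },
    {
        "Id": "1" * 64,
        "Name": "/busybox-hostnet",
        "HostConfig": {"Privileged": False, "NetworkMode": "host",
                       "PidMode": "", "IpcMode": "", "CapAdd": None, "Binds": None},
        "NetworkSettings": {"Ports": {}},
    },
    {
        "Id": "2" * 64,
        "Name": "/privileged-agent",
        "HostConfig": {"Privileged": True, "NetworkMode": "default",
                       "PidMode": "host", "IpcMode": "", "CapAdd": ["NET_ADMIN"],
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "NetworkSettings": {"Ports": {}},
    },
])


if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for cid, info in report(data).items():
        status = ", ".join(info["findings"]) or "ok"
        print(f"{cid} {info['name']:<18} {status}")
        for cport, ip, hport in info["ports"]:
            print(f"    {cport} published on {ip}:{hport}")
```

Run without input to see the constructed sample, or pipe `docker inspect $(docker ps -q)` into it on a real host. Against the sample, the nginx container is clean and shows its two published ports, the busybox container is flagged for host-network (the case the post shows Carina permitting), and the third is flagged for privileged and the other host-exposing options a public service would want to refuse at the API layer rather than discover afterwards.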