This repository has been archived by the owner on Feb 8, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
blog.html
executable file
·325 lines (282 loc) · 14.8 KB
/
blog.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
<!doctype html>
<html class="no-js" lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Blog | Hyper - Make VM run like Container</title>
<meta name="description" content="Hyper - Make VM run like Container. Fast as Container, Isolated by VM.">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="./favicon.ico">
<link rel="stylesheet" href="css/normalize.css">
<link rel="stylesheet" href="css/main.min.css">
</head>
<body class="gray-bg">
<header class="page-header">
<div class="wrapper">
<div class="logo"><a href="/"></a></div>
<nav class="header">
<div class="border-menu"></div>
<a href="/">Home</a>
<a href="https://docs.hypercontainer.io/get_started/install.html" target="_blank">Install</a>
<a href="./how-it-works.html">How it works</a>
<a href="./why-hyper.html">Why Hyper</a>
<a href="https://docs.hypercontainer.io/" target="_blank">Docs</a>
<div class="dropdown">
<span>About</span>
<ul>
<li><a href="https://blog.hyper.sh/" target="_blank">Blog</a></li>
<li><a href="./partners.html">Partners</a></li>
<li><a href="./faq.html">FAQs</a></li>
<li><a href="./about.html">About</a></li>
</ul>
</div>
</nav>
<a href="https://github.com/hyperhq" target="_blank" class="btn btn-header">GitHub</a>
</div>
</header>
<section class="desc title">
<h3 data-sr="wait .1s enter bottom">Hyper and the art of Containerization</h3>
<div class="blog">
<p class="publish-date">Published on May 4th, 2015</p>
<p>Docker, without doubt, has been a phenomenal open source technology. With the rise of Docker, the world is
shifting its focus from "Machine" to "App", which is combined with the migration from <a
href="http://en.wikipedia.org/wiki/Hardware_virtualization">(Hardware) Virtualization</a> to <a
href="https://github.com/appc/spec">Containerization</a>.</p>
<p>As we believe <em>AppContainer</em> is the future, it is necessary to note that there are more approaches to
implement it than the popular <a href="http://en.wikipedia.org/wiki/Operating-system-level_virtualization">OS-level
Container</a> solution. </p>
<p>Virtualization could be one of the them. Let me explain. </p>
<h2>
<a id="user-content-machine-vs-app" class="anchor" href="#machine-vs-app" aria-hidden="true"><span
class="octicon octicon-link"></span></a>Machine vs App</h2>
<p>Traditionally, Virtualization is designed to emulate the hardware. The brainchild of this is the "virtual
machine" (VM) as we see today. A VM is a virtual instance of a full operating system, a.k.a.
"<em>Machine</em>". A virtual machine runs in the same way as a physical one, promising the identical
contract between application, OS and hardware. Therefore, everything in the world of VM works as it used to
be.</p>
<p>However, this perfect backward-compatibility comes with some severe compromises:</p>
<ul class="task-list">
<li>Fat: VM images are often in tens of GBs</li>
<li>Slow: it usually takes tens of seconds to boot</li>
<li>Heavy: a VM instance demands hundreds MBs of memory at the minimum, which means that a dozen of VMs will
overload the server
</li>
<li>Volatile: a VM instance tends to be long-running and suffers from various configuration drifts</li>
</ul>
<p>Containerization, on the other hand, focus on the notion of "<em>App</em>". A (Docker) container cares
nothing more than how to run the application, and a (Docker) image packages the minimal amount of data for
the application and its dependencies. Therefore,</p>
<ul class="task-list">
<li>Thin: a Docker image is usally 200-300 MBs</li>
<li>Fast: sub-second to launch a Docker container</li>
<li>Light: you can run hundreds of containers on a server, since each container consumes only the memory
needed by the application
</li>
<li>Immutable: due to the lighting-fast boot speed, containers are short-lived, so they always run in the
exact same state as the image is shipped
</li>
</ul>
<p>Docker has a neat diagram <a href="https://www.docker.com/whatisdocker/">on their website</a> to illustration
the difference between these two:</p>
<p>
<img src="./img/blog/1_1.png" alt="hyper blog img_1_1"/>
</p>
<p>However, as you may have noticed, the core idea behind Containerization has little to do with the <a
href="https://github.com/docker/libcontainer">Container technology</a>. Instead, all values of
AppContainer listed above comes from the fact of eliminating the full OS and focusing on the application.
</p>
<p>So, the question is:</p>
<blockquote><p>Can we build an App-centric VM, which runs like Container?</p></blockquote>
<h2>
<a id="user-content-hyper---a-hypervisor-based-appcontainer-solution" class="anchor"
href="#hyper---a-hypervisor-based-appcontainer-solution" aria-hidden="true"><span
class="octicon octicon-link"></span></a>Hyper - a Hypervisor-based AppContainer solution</h2>
<p>In short,</p>
<blockquote>
<p>Hyper = Hypervisor + AppContainer Image</p>
</blockquote>
<p>Hyper allows you to run any AppContainer image (Docker, rkt) with any hypervisor (KVM, Xen, etc.). What's
different from Docker is that Hyper launches new VM instances to run the images, rather than creating
containers:</p>
<pre><code>[root@user ~:]# docker pull nginx:latest
[root@user ~:]# hyper run nginx:latest
[root@user ~:]# docker ps
[root@user ~:]#
[root@user ~:]# hyper list
.......
Done
</code></pre>
<p>Since Hyper is a virtualization-based solution, it does not rely on the underlying host kernel. Instead,
every Hyper VM is booted with a minimalist Linux kernel, <strong><em>HyperKernel</em></strong>. Thanks to
the minimalism, HyperKernel is super light. The test result shows that a Hyper VM boots in 500-800
milliseconds, making it indistinguishable from Linux container.</p>
<p>
<img src="./img/how-it-works.png" alt="How it works."/>
</p>
<p>Moreover, upon starting, Hyper mounts the app images onto the instance, in which a tiny service, <strong><em>HyperStart</em></strong>,
serves as <a href="http://en.wikipedia.org/wiki/Init">Init process</a> to launch applications. In this
model, the application is completely "contained" within the VM instance and its kernel space, without the
need to access the host facility. </p>
<h2>
<a id="user-content-combine-the-best-from-both-worlds" class="anchor"
href="#combine-the-best-from-both-worlds" aria-hidden="true"><span
class="octicon octicon-link"></span></a>Combine the best from both worlds</h2>
<p>Aside from the isolation part, Hyper combines the best from both VM and Container:</p>
<table>
<thead>
<tr>
<th>-</th>
<th>Docker</th>
<th>VM</th>
<th>Hyper</th>
</tr>
</thead>
<tbody>
<tr>
<td>Isolation</td>
<td>Weak, shared kernel</td>
<td>Strong, HW-enforced</td>
<td>Strong, HW-enforced</td>
</tr>
<tr>
<td>Portable</td>
<td>Yes</td>
<td>No, hypervisor dependent</td>
<td>Yes, hypervisor agnostic and portable image</td>
</tr>
<tr>
<td>Boot</td>
<td>Fast, sub-second</td>
<td>Slow, tens of seconds</td>
<td>Fast, sub-second</td>
</tr>
<tr>
<td>Performance</td>
<td>Great</td>
<td>OK</td>
<td>Good, minimal resource footprint and overhead</td>
</tr>
<tr>
<td>Immutable</td>
<td>Yes</td>
<td>No, configuration management required</td>
<td>Yes, guest os is gone</td>
</tr>
<tr>
<td>Image Size</td>
<td>Small, MBs</td>
<td>Big, GBs</td>
<td>Small, MBs</td>
</tr>
<tr>
<td>Backward Compatibility</td>
<td>No, brand new world</td>
<td>Great, everything still works</td>
<td>Good, still a "Machine", much less changes</td>
</tr>
<tr>
<td>Maturity</td>
<td>No</td>
<td>Yes, production ready, SDN, SDS, LiveMigration, etc.</td>
<td>Yes, just plug-&-play</td>
</tr>
<tr>
<td>ROI</td>
<td>Low, rebuild everything with container</td>
<td>N/A</td>
<td>High, seamless integration with your virtual infrastructure</td>
</tr>
</tbody>
</table>
<h2>
<a id="user-content-introducing-the-secure-multi-tenant-caas" class="anchor"
href="#introducing-the-secure-multi-tenant-caas" aria-hidden="true"><span
class="octicon octicon-link"></span></a>Introducing the secure multi-tenant CaaS</h2>
<p>Prior to Docker, IaaS is the de-facto form of cloud. Most cloud platforms, if not all, offer some IaaS
service. Thanks to Docker, CaaS is gaining popularity as an echo of <a
href="http://en.wikipedia.org/wiki/Microservices">Microservices Architecture</a>.</p>
<p>
<img src="./img/blog/1_2.png" alt="Hyper Blog Img_1_2"/>
</p>
<p>While the future is promising, what holding us is the lack of isolation in container. Without
the necessary security, it is impossible for build a public multi-tenant CaaS platform, as different
customers' applications have to share the single host kernel (no matter the host is physical or
virtual).</p>
<p>With Hyper, the roadblock is gone. Considering that the attack surface for a VM instance is quite small (as
it lacks the variety of functions provided by a full operating systems, and therefore, the potential flaws
to be exploited), Hyper is able to offer the much-needed hardware-enforced isolation. </p>
<p>Now, we can start to build the secure, multi-tenant CaaS!</p>
<p>
<img src="./img/blog/1_3.png" alt="Hyper Blog img_1_3"/></p>
</div>
</section>
<footer>
<div class="wrapper clearfix">
<div class="column">
<h2>Company</h2>
<ul>
<li><a href="./about.html">About</a></li>
<li><a href="./jobs.html">Jobs</a></li>
<li><a href="./security.html">Security</a></li>
<li><a href="./partners.html">Partners</a></li>
</ul>
</div>
<div class="column">
<h2>Support & Community</h2>
<ul>
<li><a target="_blank" href="https://github.com/hyperhq">Github</a></li>
<li><p>Mailing List</p>
<ul>
<li><a target="_blank" href="https://groups.google.com/d/forum/hyper-user">General</a></li>
<li><a target="_blank" href="https://groups.google.com/d/forum/hyper-dev">Developer</a></li>
</ul>
</li>
<li><a href="https://twitter.com/hyper_sh" class="twitter-follow-button" data-show-count="false">Follow @hyper_sh</a></li>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
<li style="margin-top: 5px"><script async defer src="https://slack.hyper.sh/slackin.js"></script></li>
</ul>
</div>
<div class="column">
<h2>Documentation</h2>
<ul>
<li><a target="_blank" href="https://docs.hypercontainer.io/get_started/install.html">Get Started</a></li>
<li><a target="_blank" href="https://docs.hypercontainer.io/get_started/pod.html">Running Pod</a></li>
<li><a target="_blank" href="https://docs.hypercontainer.io/reference/podfile.html">Reference</a></li>
<li><a target="_blank" href="https://docs.hypercontainer.io/release_notes/index.html">Release Notes</a></li>
</ul>
</div>
<div class="column">
<div class="subscribe">
<form action="//hyper.us10.list-manage.com/subscribe/post?u=5079c1cfdd3630a5d1a4a2f15&id=1c79a2241b" method="post" id="mc-embedded-subscribe-form" name="mc-embedded-subscribe-form" class="validate" target="_blank" novalidate>
<input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="Enter Your Email">
<input type="text" style="display: none;" name="b_5079c1cfdd3630a5d1a4a2f15_1c79a2241b" tabindex="-1" value="">
<button class="button" type="submit">Subscribe</button>
</form>
<p class="hint">Subscribe to the latest Hyper news.</p>
</div>
<div class="copyright">
(c) 2015, HyperHQ Inc. All rights reserved.
</div>
</div>
</div>
</footer>
<script src="js/vendor/jquery-1.11.2.min.js"></script>
<script src="js/vendor/scrollReveal.min.js"></script>
<script src="js/main.js"></script>
<script>
(function (i, s, o, g, r, a, m) {
i['GoogleAnalyticsObject'] = r;
i[r] = i[r] || function () {
(i[r].q = i[r].q || []).push(arguments)
}, i[r].l = 1 * new Date();
a = s.createElement(o),
m = s.getElementsByTagName(o)[0];
a.async = 1;
a.src = g;
m.parentNode.insertBefore(a, m)
})(window, document, 'script', '//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-61225823-1', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>