 Hello. Okay. The next talk is held by Anna Mittal. She's an open source Ensegast working for a startup in India and involved with KD since 2014. Yeah. And today she will talk about how containerization and sandboxing can help with development. Yeah. Thank you for the intro. Yeah. So I would like to ask everybody how many of you know about containerization. Okay. About virtual machines. Perfect. Yeah. So let us start with what introducing myself. I started contributing KD as a season of KD student in 2014. What an opportunity to do this? GSOG in 2016 and currently working at Zomato and Indian startup company. So what are we going to cover in this complete presentation? One, why should we containerize things? The softwares that we build. What is containerization? How can we containerize our softwares? And what are the different ways through which we can build those images and all. So the first thing is why? As you know with each development phase we have different tasks to do and the timelines and deadlines are such that we have to you know mess around sometimes and we are not sure about if we can do the complete staging process, the production, setting tests and everything. So to come up with the piece of the fast training technology landscape it's important that we turn our face towards the containerization. Before we used to have a whole big bunch of packages and have only one software that could do all our tasks together but now with the introduction of microservices we break down one of our softwares into small tasks. For example if I am working for a restaurant API I want something to tell me what are the menus for the restaurants or similarly different tasks. I break my complete project into small tasks. So now this require breaking down of a software into smaller requires setting up multiple tests for each of those case. Before we were testing only for one complete project now because we have divided into several parts you have to take care of all the dependencies and libraries that are used in the microservices. So it amplifies our requirement of the work we do. So why should we know about containerization? So the main reason is it's useful in every field that you work with. For developers it's easy to get started with any project that you want to work on. You have a single link to it. We'll discuss more about it. The link is known as image of the country images. So it's just that image that link away that you can download the software you can explore around the stuff. You can do versioning in it and lot of many things that we're going to cover later on. Next for IT operations for example if I have done my set up in my laptop I give it to the production. I ask them now it's upon you. You know give it to everybody to experiment. So what happens is say it works on my computer but I'm not sure what is missing in yours or the person have to manually see what are the dependencies, what are the settings in my system right now and it was lot of work for them. But then by using the images that we create, that is created by the developer, the ID person doesn't have to work about the dependencies that the software requires. It's as simple for him also just to run the image in a container and perform all the operation that they have to. Also the last thing is about the business that we get from the software that we're working. How to analyze what was the past versions success, what could be added in the future and stuff. So through containerization it's very easy to versionize your software and to know what was the level of success of each of the version. So it saves you from this thing that now it's running on my computer. I don't know about what else is missing on somebody else's laptop. So you can just be spared from such situation when you use containers. Next is what do you mean by containerization? Containerization helps you create, deploy and run your application using containers. So as I told, there is this image link and there is this container on which we run this images. So you can easily do whatever work you want to do, whether you just want to run it on a staging level, whether you want to run it on for production level stage. So it's easy to mock your environments and change settings according to the things that you want to do. So let's talk about what is an image and container. These are the two basic terms that you should be knowing when you start learning about containerization. So image is a package or a bundle of all these things. For example, it includes your code, your runtime settings, your libraries, environment variables, configuration file, which we can say it's like manifest file and data if needed. So and when this image gets in memory, for example, when it comes into a runtime sense, it makes the container. So container is nothing without an image. We can understand it better by taking an example of a class and an object. What do we say class is? Class has all the functional method that defines itself, but it has no meaning containers. We create an object and initialize it. It doesn't work at all. So similar is a container. Container is your class. For container to run, you need images which acts like your objects. So what is containerization in containers in short? We can say it provides you an isolated environment. So if you need some sort of binaries and libraries for a process A and difference set of libraries for set B, it gives your package A a feeling that it is the only thing running and it has all the version that it needs. For example, if you need a Python 3 for one process A and Python 3.1 or some other version for any process B, then in process A is running, it gets a sandbox environment in which it is not affected by what other threads are going on, what other processes are going on in the system. So this is how a container looks like. Everything is hosted on your actual host OS. We have a container layer. For example, in Docker, the container engine is your Docker itself. And this container helps your applications to get its own isolated OS sort of thing. It is actually running on your host OS, but it gives the feeling that it has its own virtual thing. So now I would say what is the difference between a virtual machine and a container? So let us understand this thing by a simple example. The container is running on your, running the process on your host OS, but in a virtual environment, sorry, in a sandbox environment. It doesn't have to have any external hardware support. For example, in VM, we need a hypervisor. So what it does is it maps your host OS into small chunks, and each of the process has its own guest OS, and upon which it runs all the dependencies. Whereas container is very lightweight, because it doesn't have to divide your actual OS into multiple parts and you can run thousands of it together. Also one thing that it works on is known as G groups. What is G group? It gives you isolation, process isolation, network isolation or some different side which are going to cover it later on. So how does this isolation happens? First you would, we can understand it through an example of a Linux kernel. Initially when we start our setup system, it has only one process ID, which knows what further it has to start so that your complete system is working. So it's a pre sort of structure where your one process ID gives initialization to the other two tasks. For example, process two and processes. This is a tree of processes that runs in your kernel. So if suppose later on I want a container, I want to run my project in a different environment itself, what I do? I create a small child PID for myself. Now it has its own process ID is one, two and three. But as it is sharing it's sharing the OS with my actual system, the OS also have the eight, nine and ten added along with that. So for the child, it feels that I only have three processes in it but the system knows that there are altogether ten processes that are running in your system. Similar is the case with the file isolation. When any child file is added to your system, it creates a virtual disk for it. But it won't be mapped with your actual hardest and ten line unless you mount your virtual child process, your file to the actual global mount namespace. And also same is the case with the network isolation. For example, if you if you have two process which have different network interfaces, it would create its own small subclasses and give it the feeling that it is isolated from the rest of the process that is running on your lab. So what are the various ways of doing this containerization? One is Docker and the other one is Flatpak. We would cover some of the instructions how we can get started with Docker and Flatpak and later on we will continue with the demonstration of seeing how KD has, you know, started working using Docker for NeonKD and Flatpak. We have some application for example, ocular and stuff. So we'll run it in the demo and show you this. So what are the steps for installing it? So this is the steps that you have to follow to install Docker CE, that is the community edition. You simply have to do APT get update followed by three other commands that are, you know, global same for every setup of Linux. So after that, once you are ready with the Docker, you have to set up the repositories that you will be needed. For example, if you want to run a simple hello world file, you just have to do, install Docker CE, then you have to run Docker, run the file name. It can be any file name that you want to run. This is the simple command and you'll be getting a different container with the image that you wanted to populate in it. So hello world here is an image, for example. So along with this, apart from this thing, when, as a developer, when I'm ready with my image, if suppose I've created my software, it's in shipable format, I'll create a manifest of it, which is known as the image. It will have every single thing that we mentioned about that image, it will have the code, it will have what all the dependent runtime dependencies we need and stuff. So now how, how do we do it? For example, in Git, we have this GitHub, where we push our code and anybody can focus it and clone it and stuff. Similarly for Docker, we have a Docker hub. So all around the globe, anybody who is, you know, working on any stuff can upload an image link for it. You just have to get the, you just have to type Docker run that image name. Now what is Flatpak? Flatpak is tied to Linux, I would say. For example, you can install a software that are not, you know, easily available for your Linux environment because there are different domains we would say that we have Ubuntu, we have different distributions like Kubuntu, Ubuntu and Flora, Flora and stuff. So what we can do is, we can use Flatpak for such cases. It focuses on building sandbox for your application, desktop applications, whatever you want to have. So we're going to see this with example. Now what are the steps to set up your Flatpak? It is very similar to that. We have a repository. We just have to install it. And afterwards, it's similar to the GitHub, similar to the Docker hub. We have a Flatpak hub where we upload all our images or the package IDs. So in Flatpak, we have this package IDs. Not exactly, we would say image. It is known as a Flatpak IDs. So how is it different from Docker? So Docker has its, it is more related to providing containers to it. Whereas this is more focused on Linux softwares that you want to run. So now we have Shubham along with us. He's going to help us run all this demonstration for us. What about the security impact by downloading Docker images from somewhere? And what about the life cycle? So basically what Docker provides you is, let's say you want to download an image for Python. But you're not sure what is the official source for it, right? So with Docker, what you can do is, this will give you a list of images that are on Docker hub. And what are different stars that this particular image has. So in this particular case, there are official images. So for Python, there is a mark there that this is an official image by the distributor, which is the Python organization over here. And then you also have the number of stars. Just like GitHub, you have stars on different depots. But yes, if you download an image that you don't trust and you give it access to your own, like mount space, which is your own hard disk, then it can do anything that is programmed in. That is correct. But then you usually try to not give your, like, you usually try to not volume mount your own OS, or you only volume mount specific directories. So that way it cannot access a lot of stuff, because it is sandboxing an environment. So if you don't volume mount anything, if you don't give it access to your original network, it won't be able to do anything. So let's say we want to run. Sorry. Just a odd question to be complete. This show the flat pack and the Docker in contrast to virtualization. We have a hypervisor, we have support by the hardware to get, to give this kind of security. Is the security on Docker and flat pack basically the security of change route environment? Flat pack also provides you a sandbox environment. And what basically flat pack does is they are more integrated to Linux and they are focused on Linux. That is what they want to do. Docker is more generalized. So it is for running APIs applications, anything like server related. They are more focused on desktop environment. But flat pack provides you, they provide you like these different permissions that in your manifest file, you can mention that I need access to D bus, I need access to X 11, all of these display drivers. And before installing any image, it will ask you whether you want to give this permission or not. So let's say this is a new system and I don't have Python installed on it. And I don't want to set up anything related to Python on my system. Right. So what Docker provides is you can download an official image. You only have to download a file. And that will give you the entire libraries and everything else related to it. So I can do Docker full. What this will basically do is it will download an image for me. Let's see let we'll run one of the images that is already downloaded on this particular system. So in this case, I have an image for Swift downloaded. So I can do Docker run hyphen it hyphen it is flag for basically whatever process I'm going to run. I need it to be connected to my TTY. That's about it. So then you specify the image name, which is and you can specify the version or the tag of that image. So in this case, the tag is latest. So what this has done is it has started a shell in a sandbox in a country, it has started a container using the files from that image. And it has given me shell access to that particular container. I can do anything in this container. And when I basically exit from this particular container, everything that I write will be lost unless I have mounted my volumes or something. So for example, if I create a file called fubar, so I have a file in my root namespace. Sorry, I have created a directory called fubar. What I'll do is I'll exit this particular shell. When I start this again, it will be a fresh environment. So it won't have anything like that. So let's say I try out Swift. I compile whatever I need to compile with it. I use Swift and I don't like Swift anymore. So what I can do is I can exit and then I can just do Docker, RM, image, Swift. And essentially, if this image is not running anywhere, it will say I have successfully deleted this particular image. I tried out Swift. It didn't work out for me. I've deleted that particular image. I didn't have to install any dependencies related to it or anything related to it on my particular system. Everything is gone now. So what is the problem with Docker is, Docker is not focused on desktop applications. So you have to work around it to make it run for desktop applications like any KDE application. So there is this project called KDE Neon. So what they are trying to do is essentially they've created this wrapper around Docker and they mark all of, they do all the heavy lifting for you. So you have to essentially volume mount certain sockets. So when you run, you have to volume mount sockets and drivers and all of those files. It does that automatically for you. And then you can do Neon RB. So this is a Ruby file. You can just press enter. It will download a KDE Neon image. It will start running that particular image. In this case, it started a blank window, but this is running in a container spawned by Docker. So flatback is slightly different. So we had to do all of these setups. We had to start another project like KDE Neon for setting up or making Docker work for us. Flatback is focused on desktop environments. So what they do is once you have flatback setup, you can do a flatback install flat of org.kde. Let's say ocular. So this is one of the package over there. So it's saying it's already installed on my particular system. What I can do is flatback run org.kde.ocular. So but this is essentially started ocular on my system. It is running in a sandbox environment. If I could try like whatever I need to do with it, I could open files in it. So with Docker, you have to volume out your actual hard disk, right? But with flatback, you don't have to do it. So once I click on a particular file that is on my original OS, it that automatically grants it the permission to access those files. So I can open anything from my system. It will open all of those files. So ocular is working properly. Now as a user, I tried it. It didn't work out for me. So I could just similarly, just like I removed Docker image, I can also remove flatback image. If I say yes, it will uninstall ocular from my system. But flatback also provides you is so there is this different runtime than SDKs that you can have. So in this particular case, I'm running ocular that needs KDE platform version 5.11. But I'm also running telegram which needs KDE platform version 5.9. So I have both of those runtime and both of those SDKs installed on my system at the same time. So this also provides me to keep different versions of library depending on what I want to run. So as a developer, this can give you that particular sandbox environment with whatever files you need for your application to run. Then you can create this image, post this image on FlatHub or any other like a repository. And you can share it with the world and they can just do FlatHub run this particular package ID. That's how it makes life easy for developers and for users. So that's for this demo. Okay thank you. We are at the end of the time. We have time for one or two short questions if there are any short answers. The flatback thing does it launch and attach to your normal X11 session or is it somehow sandboxed out of that as well? It runs in your X11 session or in a different X11 session? That I'm not sure about. How is the security lifecycle of this? Is it like I get the impression that security is treated as somebody else's problem and not and is that correct or how if an app has an access to X11 it can basically read things from other applications. You can inject keystrokes, you can do a lot of weird things. I talked about that two years ago. But this is not something that works. So as far as I know you give it permission to access X11 and after that it has access to your entire excellent system. So it could vertically I think do that. So whenever you run this command, flatback, run some your package ID. It first says what are the things that are missing and it's going to install for you. You have to give it a permission saying yes that it's okay with me and then it starts downloading it for you. I just looked it up because I was asking for security myself. It looks like flatback actually has the model as a security model that it runs as the user and the user who starts the flatback inherits all its permissions to the flatback. This is different to Docker. Docker has a sandbox environment. It has more isolation but within Docker typically application itself has basically root permissions within the sandbox. So flatback depends on the privilege separation in the kernel which knows about users but it has if you write as your own user it has can do everything you can do yourself. And if you write as a different user you can't access for example X11 anymore. Okay, so thank you for the presentation and I think time for questions afterwards.