containers work and the different processes/technologies
➤ No assumption that you know those
➤ Not specifically about LXC (LinuX Containers)
➤ Key takeaways:
➤ The problem containers solve
➤ How containers work
➤ A little on how Linux works!
a machine
➤ Used to run on single, large, physical servers
➤ There were problems:
➤ Different environments/set-ups
➤ Not enough/too many resources
➤ Fragile/catastrophic if that machine goes down
through virtual machines (VMs)
➤ A VM is an operating system (OS) that runs on top of another OS
➤ Enabled cloud providers
➤ Problems now:
➤ Large and difficult to move around
➤ Moving them is necessary to share between developers and to deploy to production machinery
way to isolate applications
➤ LXC (literally "LinuX Containers") offered full-fledged container creation software
➤ Docker eventually came along and offered a robust container management ecosystem
➤ Gained more confidence as a secure solution
More lightweight than a virtual machine
➤ Are not a first-class citizen of Linux (or any operating system)
➤ Instead, are made up of different components such as namespaces and cgroups
➤ To understand these, we need to dig into how Linux works
r = read
➤ w = write
➤ x = execute
➤ - = no permission
➤ 3 groups of 3 permissions
➤ 1st group = owner of the file
➤ 2nd group = members of the group owning the file
➤ 3rd group = everyone else
➤ user
➤ group
➤ everyone else
➤ Users = uniquely identified users on the system
➤ Groups grant permissions to sets of users based on who is "in" the group
➤ E.g. group 2 can contain users 1, 2, 3
➤ A file owned by user 1 and group 2: users 2 and 3 get the group's permissions on it
handle storing info about files
➤ Example types of filesystems:
➤ Journaling
➤ Log-structured
➤ Copy-on-write
➤ They differ in how metadata, recovery, storage and access are handled
with PID
➤ Files about a process are stored in /proc/<PID>
➤ Can get most info from other commands
➤ Example: lsof -p <PID> gives the files open by a process
➤ Can get the same info from /proc/<PID>
to "same location"
➤ Message passing
➤ Send and receive basic messages in an understandable format
➤ OS provides the channel to send the messages
➤ Example: pipes! |
Message queues
➤ Send and receive messages in order
➤ Semaphores
➤ Non-negative integer that is incremented/decremented
➤ Shared memory
➤ Area of memory that appears to be the same between processes
space
➤ Kernel:
➤ Has unrestricted access to hardware
➤ Can reference any memory address
➤ User space:
➤ Where applications run
➤ Talks to the kernel to get access to hardware/memory
different permissions to files
➤ Can mount filesystems (arrangements of files)
➤ Processes are running instances of a program
➤ Processes communicate through interprocess communication (IPC)
➤ Machines/devices communicate over networks
➤ Kernel space and user space
for sharing resources
➤ Responsible for isolating the VMs
➤ Presents a virtual view of the hardware to the guest OS (inside the VM)
➤ Guest OS still acts like it is talking directly to the hardware
➤ Difficult to share virtual images - they are very large since they contain the entirety of the OS
(Diagram: a Virtual Machine, stacked as App, App / Guest OS / Virtual Hardware)
three system calls:
➤ clone
➤ Creates a new process
➤ unshare
➤ Moves the current process to a new namespace
➤ setns
➤ Joins a process to an existing namespace
➤ Pass different constants to specify which kind(s) of namespace
network capabilities within the namespace
➤ A physical network device can only belong to one namespace
➤ All other namespaces that need to talk to that network must create a virtual network
➤ The virtual network communicates through a veth pair: one interface in the namespace that has the device and one in the namespace that does not
CPU time, memory available, etc.
➤ Can see what controllers are available in /proc
➤ cat /proc/cgroups
➤ Can see the cgroups that a process belongs to in /proc/<PID>/cgroup
free-for-all of people adding controllers
➤ Caused inconsistencies and management became too complex
➤ Rewritten as v2 to make it saner
➤ Did not completely replace v1
➤ Many controllers are still only implemented in v1
➤ Both still exist so all controllers work - v1-specific ones drop down to the v1 cgroup implementation
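The two /proc files named on the previous slide show this v1/v2 coexistence directly. As an added example, not from the slides, here is a small Python parser for /proc/cgroups and /proc/<PID>/cgroup with constructed contents for a hybrid host; the file names and line formats are the kernel's, the hierarchy ids, counts and paths are made up.

```python
from collections import namedtuple
# Constructed sample of /proc/cgroups (subsys_name, hierarchy, num_cgroups, enabled).
# Hierarchy 0 = not bound to any v1 hierarchy; here the freezer has moved to cgroup v2.
SAMPLE_PROC_CGROUPS = """\
#subsys_name\thierarchy\tnum_cgroups\tenabled
cpu\t11\t64\t1
memory\t12\t130\t1
pids\t10\t71\t1
freezer\t0\t1\t1
"""

# Constructed sample of /proc/<PID>/cgroup for one process on that host: one line
# per v1 hierarchy (hierarchy-ID:controllers:path) plus the single v2 line (0::path).
SAMPLE_PROC_PID_CGROUP = """\
12:memory:/sandbox/job-42
11:cpu,cpuacct:/sandbox/job-42
10:pids:/sandbox/job-42
0::/sandbox/job-42
"""

CgroupEntry = namedtuple("CgroupEntry", "hierarchy_id controllers path")

def cgroup_version(entry):
    """Hierarchy 0 with no controller names is the unified (v2) entry; all others are v1."""
    return 2 if entry.hierarchy_id == 0 and not entry.controllers else 1

def parse_proc_cgroups(text):
    """Parse /proc/cgroups into {controller: (hierarchy_id, num_cgroups, enabled)}."""
    rows = (ln.split("\t") for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {name: (int(hid), int(n), on == "1") for name, hid, n, on in rows}

def parse_proc_pid_cgroup(text):
    """Parse /proc/<PID>/cgroup into CgroupEntry records (controllers as a tuple)."""
    return [CgroupEntry(int(hid), tuple(filter(None, ctrls.split(","))), path)
            for hid, ctrls, path in (ln.split(":", 2) for ln in text.splitlines() if ln)]

def cgroup_mode(entries):
    """'legacy' (v1 only), 'unified' (v2 only) or 'hybrid' (both mounted, as in the sample)."""
    versions = frozenset(cgroup_version(e) for e in entries)
    return {frozenset({1}): "legacy", frozenset({2}): "unified"}.get(versions, "hybrid" if versions else "unknown")

def v2_controllers(proc_cgroups):
    """Enabled controllers with hierarchy id 0, i.e. not claimed by any v1 hierarchy."""
    return sorted(n for n, (hid, _, on) in proc_cgroups.items() if hid == 0 and on)

def cgroup_path_for(entries, controller):
    """Where a controller's limits apply to the process: its v1 hierarchy if it has one, else v2."""
    v1 = [e.path for e in entries if controller in e.controllers]
    return v1[0] if v1 else next((e.path for e in entries if cgroup_version(e) == 2), None)
```

On a real host, feed it `open("/proc/cgroups").read()` and `open(f"/proc/{pid}/cgroup").read()`; a process whose paths differ across hierarchies, or whose mode differs from the host's, is worth a second look when checking container boundaries.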
LXC
➤ One of the most popular container orchestration systems
➤ Uses containers to isolate the running processes - also wraps extra security, etc.
➤ Environment to run, maintain and share containers
➤ Uses images to cache info on building containers
➤ Stores images in a repository