➔ cgroups constrain resource consumption
➔ namespaces define isolation primitives
➔ fs hacks provide a unique, isolated filesystem for containers to use (they need a filesystem!)
Soft limits
➢ Soft limits are not enforced (nobody dies), but under memory pressure they steer reclaim
➢ Hard limits trigger the OOM killer
➢ You can also implement an OOM notifier
➢ Limits can be set for physical, kernel and total memory
➢ (think init) When a process is spawned, it is placed in the same cgroups as its parent
➢ cgroups are just files in Linux (UNIX philosophy)
➢ Groups are materialized by one or more pseudo-filesystems (typically mounted under /sys/fs/cgroup)
➢ Groups are created with mkdir in the pseudo-fs
➢ The cgroup wars: systemd vs cgmanager vs cgroupfs (libcontainer)
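The two slides above (soft vs hard memory limits, and cgroups as directories and files under /sys/fs/cgroup) as one worked shell example. This is added here and is not part of the slides. It drives the cgroup v1 memory controller purely through its control files, which is the interface the slides' vocabulary (soft, hard, kernel, total) comes from; cgroup v2 replaces these with memory.high and memory.max in a single hierarchy. It assumes the controller is mounted at $CGROUP_ROOT (default /sys/fs/cgroup/memory) and root privileges on a real system; the group name "demo" and the byte values are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: the cgroup v1 memory controller driven
# purely through its files, which is all a cgroup is. Assumes the controller is
# mounted at $CGROUP_ROOT (default /sys/fs/cgroup/memory) and that we run as
# root; on a real box every write below needs that. The file names are the
# kernel's v1 memory interface; the group name and byte values are constructed.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/memory}"

# A group is a directory; the kernel fills it with control files on mkdir.
cg_create() {
    mkdir -p "$CGROUP_ROOT/$1"
}

# Soft limit: a reclaim hint only consulted under memory pressure; nobody dies.
cg_set_soft() {
    echo "$2" > "$CGROUP_ROOT/$1/memory.soft_limit_in_bytes"
}

# Hard limit on physical memory: breaching it invokes the OOM killer in the group.
cg_set_hard() {
    echo "$2" > "$CGROUP_ROOT/$1/memory.limit_in_bytes"
}

# Total (memory + swap) limit and kernel-memory limit.
cg_set_total()  { echo "$2" > "$CGROUP_ROOT/$1/memory.memsw.limit_in_bytes"; }
cg_set_kernel() { echo "$2" > "$CGROUP_ROOT/$1/memory.kmem.limit_in_bytes"; }

# Set soft and hard together, refusing a soft limit above the hard one:
# reclaim would then never get a chance before the OOM killer fires.
cg_set_limits() {
    if [ "$2" -gt "$3" ]; then
        echo "soft limit $2 exceeds hard limit $3" >&2
        return 1
    fi
    cg_set_soft "$1" "$2" && cg_set_hard "$1" "$3"
}

# Attach a PID; its future children inherit the group, just as init's do.
cg_attach() {
    echo "$2" > "$CGROUP_ROOT/$1/tasks"
}

# Poll the OOM state: memory.oom_control reports "oom_kill_disable N" and
# "under_oom N". A real notifier registers an eventfd via cgroup.event_control.
cg_under_oom() {
    awk '$1 == "under_oom" { print $2 }' "$CGROUP_ROOT/$1/memory.oom_control"
}

# Example session (not run automatically): confine this shell to 256 MiB soft,
# 512 MiB hard, then show whether the group is currently under OOM.
cg_demo() {
    cg_create demo
    cg_set_limits demo 268435456 536870912
    cg_attach demo $$
    cg_under_oom demo
}
```

Run `cg_demo` as root on a host with the v1 memory controller mounted; memory.memsw.* and memory.kmem.* only exist when the kernel was built with swap and kernel-memory accounting, so the total and kernel setters may fail on a minimal kernel.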
➢ API to manage images, distribution and packaging, a client, and resource allocation
➢ Docker is a glorified .deb/.tar distributor!!
❖ Container runtimes: rkt, Docker (runC, containerd), OpenVZ, systemd-nspawn
❖ OCI: an initiative to standardize container runtimes and images
➢ OCI image format spec and OCI runtime spec
➢ Easy distribution of artifacts (via an image registry)
➢ Consistent environment between dev and prod
➢ Treat infrastructure as immutable: containers as disposable environments
➢ Increased utilisation when multiple containers run together
➢ Build images
➢ Pull/push images to/from a registry
➢ Create, run, stop, restart, kill containers
➢ Create, remove, link networks
➢ Create, remove volumes (storage)
❖ Very similar to the git CLI
❖ Dockerfile
➢ Blueprint for building images
➢ Works nicely with docker-compose for development
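A worked version of the build/run workflow above, added here as an example that is not part of the slides or the Docker project: a Dockerfile written as the blueprint, a small lint for the two mistakes that matter most (final USER is root, base image unpinned), and the docker CLI lines that build the image and run it under the cgroup limits from the earlier slides. The image name, user id and limit values are constructed; the docker flags are real ones.

```shell
#!/bin/sh
# Added example, not from the slides or the Docker project: a Dockerfile written
# as the build blueprint, a lint of the two mistakes that matter most (running
# as root, unpinned base image), and the docker CLI lines that build it and run
# it under the cgroup limits from the earlier slides. Image name, user id and
# limit values are constructed; the docker flags are real.
IMAGE="example/app:1.0"   # assumed image name

# Blueprint: pinned base, an unprivileged runtime user, the app copied in.
write_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
# Pin at least the tag; in production pin the digest (image@sha256:...).
FROM debian:bookworm-slim
# A container is not a privilege boundary by itself, so do not run as root.
RUN useradd --system --uid 10001 --no-create-home app
COPY --chown=app:app app/ /srv/app/
USER app
WORKDIR /srv/app
ENTRYPOINT ["/srv/app/run"]
EOF
}

# Lint: fail if the final USER is root (or absent) or the base image is unpinned.
check_dockerfile() {
    f="$1/Dockerfile"
    # The last USER instruction decides who ENTRYPOINT runs as.
    user=$(awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$f")
    case "$user" in
        ""|root|0) echo "FAIL: container runs as root"; return 1 ;;
    esac
    # A FROM with no tag, or with :latest, is not reproducible.
    if awk 'toupper($1) == "FROM" { print $2 }' "$f" | grep -Eq '^[^:@]+$|:latest$'; then
        echo "FAIL: base image not pinned"; return 1
    fi
    echo "OK"
}

# Build: the Dockerfile is the blueprint, the directory is the build context.
build_cmd() {
    printf 'docker build -t %s %s\n' "$IMAGE" "$1"
}

# Run with limits that map straight onto cgroup files:
#   --memory             hard limit  (memory.limit_in_bytes, OOM-kill on breach)
#   --memory-reservation soft limit  (memory.soft_limit_in_bytes, reclaim hint)
#   --pids-limit         pids controller, bounds runaway process creation
# plus a read-only rootfs, no capabilities and no privilege gain via setuid.
run_cmd() {
    printf 'docker run -d --name %s --memory 512m --memory-reservation 256m --pids-limit 100 --read-only --cap-drop ALL --security-opt no-new-privileges %s\n' "$1" "$IMAGE"
}
```

Typical use: `write_dockerfile .`, `check_dockerfile .`, then `$(build_cmd .)` and `$(run_cmd app1)`; the lint is deliberately strict so that a `FROM debian` or a missing USER line stops the build before anything is pushed to a registry.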
➢ Container orchestration
➢ Storage containers? DB
➢ Docker in production: storage drivers, logging
➢ Network isolation when running multiple container groups
➢ Container networking and isolation with Calico and FAN (SDN)
➢ Replication of tasks: controllers, an init for the DC
➢ New problems with monitoring and partitions