
Inside Docker

A short overview of virtualization techniques and how they work, followed by the internal structure of Docker (LXC plus AUFS)

Anton Kaliaev

January 30, 2014

Transcript

  1. Inside Docker

  2. OMG! Why is VirtualBox so slow?

  3. Virtualization

  4. Virtualization approaches: full virtualization (software-based) and paravirtualization

  5. x86 virtualization approaches: full virtualization (software-based or hardware-assisted) and paravirtualization

  6. x86 virtualization approaches: full virtualization (software-based or hardware-assisted), paravirtualization, and operating-system-level virtualization

  7. Three key aspects
     ‣ CPU virtualization
     ‣ Memory virtualization
     ‣ Device and I/O virtualization
  8. Privilege rings for the x86, available in protected mode: 4 rings, with Ring 0 being the "kernel" ring
  9. Full virtualization using binary translation: user apps run in Ring 3, the guest OS in Ring 1, and the VMM in Ring 0 directly on the hardware; the VMM binary-translates the guest kernel's privileged instructions

  10. Paravirtualization: user apps run in Ring 3 and the paravirtualized guest OS in Ring 0, on top of the virtualization layer that sits on the hardware; the non-virtualizable OS instructions are replaced with calls into the virtualization layer

  11. Hardware-assisted virtualization: user apps run in Ring 3 and the guest OS in Ring 0 of the non-root mode privilege levels; the x86 VMM runs in the root mode privilege levels on the hardware
  12. To summarize, VBox
      ‣ emulates I/O and hardware devices and the BIOS
      ‣ uses binary translation
      ‣ works hard in the MMU (shadow page tables, TLB updates)
  13. AUFS LXC

  14. LXC (Linux Containers)

  15. ‣ Kernel namespaces (ipc, uts, mount, pid, network and user)
      ‣ AppArmor and SELinux profiles
      ‣ Seccomp policies
      ‣ Chroots (using pivot_root)
      ‣ Kernel capabilities
      ‣ Control groups (cgroups)

  16. Linux namespaces: every process belongs to exactly one user, uts, ipc, net, mnt and pid namespace
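The six namespaces on the slide, as an added example that is not code from the deck, from LXC or from Docker (which in 2014 drove LXC rather than the kernel directly). The program re-executes itself into new user, uts, pid, mount, ipc and net namespaces and reports what the child sees: PID 1, UID 0 (an unprivileged host user mapped to root inside the new user namespace), a hostname of its own, and a different `/proc/self/ns/uts` identity than its parent. The marker variable `INSIDE_DOCKER_DEMO_CHILD` is an assumption of this demo. It needs Linux with unprivileged user namespaces enabled (or root); where a sysctl, seccomp profile or kernel config refuses them, `RunIsolated` returns EPERM/EINVAL rather than a report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// Report is what the re-executed child sends back about the world it sees.
type Report struct {
	Pid      int    `json:"pid"`      // PID inside the new pid namespace (1 if it worked)
	Uid      int    `json:"uid"`      // UID inside the new user namespace (0 = mapped root)
	Hostname string `json:"hostname"` // hostname inside the new uts namespace
	UTSNS    string `json:"uts_ns"`   // readlink of /proc/self/ns/uts, e.g. "uts:[4026532123]"
}

// childEnv is an assumed marker variable used only by this demo to tell the
// re-executed child apart from the parent; it is not a Docker or LXC name.
const childEnv = "INSIDE_DOCKER_DEMO_CHILD"

// init runs before main (and before any test), so the child role is dispatched
// first. By the time it executes, the kernel has already placed this process
// into the namespaces requested by the parent's clone flags.
func init() {
	if hostname := os.Getenv(childEnv); hostname != "" {
		childMain(hostname)
		os.Exit(0)
	}
}

func childMain(hostname string) {
	// We are UID 0 in the new user namespace, which owns the new UTS namespace,
	// so sethostname is allowed even though the host user is unprivileged.
	if err := syscall.Sethostname([]byte(hostname)); err != nil {
		fmt.Fprintln(os.Stderr, "sethostname:", err)
		os.Exit(2)
	}
	r := Report{Pid: os.Getpid(), Uid: os.Getuid()}
	r.Hostname, _ = os.Hostname()
	r.UTSNS, _ = os.Readlink("/proc/self/ns/uts")
	json.NewEncoder(os.Stdout).Encode(r)
}

// RunIsolated re-executes this program inside fresh user, uts, pid, mount, ipc
// and net namespaces (the six from the slide) and returns what the child saw.
func RunIsolated(hostname string) (Report, error) {
	var r Report
	cmd := exec.Command("/proc/self/exe")
	cmd.Env = append(os.Environ(), childEnv+"="+hostname)
	cmd.Stderr = os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID |
			syscall.CLONE_NEWNS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWNET,
		// Map the caller's uid/gid to root inside the new user namespace; Go's
		// parent side writes /proc/<child>/uid_map and gid_map for us.
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	out, err := cmd.Output()
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(out, &r)
}

// NamespacesUnavailable reports whether err is the kernel or a sandbox
// (seccomp, sysctl, CONFIG_USER_NS, missing /proc) refusing unprivileged user namespaces.
func NamespacesUnavailable(err error) bool {
	for _, e := range []syscall.Errno{syscall.EPERM, syscall.EACCES, syscall.EINVAL,
		syscall.ENOSYS, syscall.ENOSPC, syscall.EUSERS, syscall.ENOENT} {
		if errors.Is(err, e) {
			return true
		}
	}
	return false
}

// SameUTSNamespace reports whether the child's UTS namespace is the caller's.
func SameUTSNamespace(r Report) bool {
	mine, err := os.Readlink("/proc/self/ns/uts")
	return err == nil && mine == r.UTSNS
}

func main() {
	r, err := RunIsolated("inside-docker")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot create namespaces:", err)
		os.Exit(1)
	}
	host, _ := os.Hostname()
	fmt.Printf("child:  pid=%d uid=%d hostname=%q uts=%s shared-with-parent=%v\n",
		r.Pid, r.Uid, r.Hostname, r.UTSNS, SameUTSNamespace(r))
	fmt.Printf("parent: pid=%d uid=%d hostname=%q\n", os.Getpid(), os.Getuid(), host)
}
```

Note what is deliberately missing: no pivot_root into a fresh root, no capability drop, no seccomp filter and no cgroup. The child is "root" only within its own user namespace and still sees the host filesystem; those other items on the slide are what turn a namespaced process into something resembling a container.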

  17. Cgroups
      ‣ Resource limiting: CPU (cpu.shares, cpuset.cpus), memory (memory.limit_in_bytes), I/O (blkio.throttle.{read,write}_{bps,iops}_device, blkio.weight)
      ‣ Accounting: memory.stat, cpuacct.stat
      ‣ Isolation
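How those knob files are actually driven, as an added example rather than code from the deck, LXC or Docker: a container runtime creates a directory per container in each controller hierarchy (mkdir is how a cgroup v1 group is created), writes one value per knob file, and attaches the process by writing its PID to `tasks`; accounting comes back as "key value" lines in `cpuacct.stat` and `memory.stat`. The `root` argument is an assumed stand-in for `/sys/fs/cgroup` so the code also runs against a temp directory, `USER_HZ` = 100 is assumed rather than queried with `sysconf(_SC_CLK_TCK)`, and the two stat samples are constructed, not captured.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Limits holds the cgroup v1 knobs named on the slide. Zero values are left unset.
type Limits struct {
	CPUShares   uint64 // cpu.shares: relative CPU weight (kernel default 1024)
	CPUSet      string // cpuset.cpus: allowed CPUs, e.g. "0-1"
	MemoryBytes uint64 // memory.limit_in_bytes: hard memory limit
	BlockDevice string // "major:minor" of the device the blkio throttles apply to
	ReadBPS     uint64 // blkio.throttle.read_bps_device: bytes per second
	WriteIOPS   uint64 // blkio.throttle.write_iops_device: I/O operations per second
}

// knobWrite is one (controller, file, value) triple exactly as it would be
// written beneath /sys/fs/cgroup/<controller>/<cgroup>/.
type knobWrite struct{ controller, file, value string }

func knobWrites(l Limits) []knobWrite {
	var w []knobWrite
	if l.CPUShares != 0 {
		w = append(w, knobWrite{"cpu", "cpu.shares", strconv.FormatUint(l.CPUShares, 10)})
	}
	if l.CPUSet != "" {
		w = append(w, knobWrite{"cpuset", "cpuset.cpus", l.CPUSet})
	}
	if l.MemoryBytes != 0 {
		w = append(w, knobWrite{"memory", "memory.limit_in_bytes", strconv.FormatUint(l.MemoryBytes, 10)})
	}
	if l.BlockDevice != "" {
		// blkio throttle files take one "<major>:<minor> <value>" line per device.
		if l.ReadBPS != 0 {
			w = append(w, knobWrite{"blkio", "blkio.throttle.read_bps_device", fmt.Sprintf("%s %d", l.BlockDevice, l.ReadBPS)})
		}
		if l.WriteIOPS != 0 {
			w = append(w, knobWrite{"blkio", "blkio.throttle.write_iops_device", fmt.Sprintf("%s %d", l.BlockDevice, l.WriteIOPS)})
		}
	}
	return w
}

// ApplyLimits creates cgroup <name> in every controller hierarchy it needs under
// root (assumed stand-in for /sys/fs/cgroup), writes the knobs, and moves pid
// into the group by writing it to the "tasks" file of each hierarchy.
func ApplyLimits(root, name string, l Limits, pid int) error {
	dirs := map[string]bool{}
	for _, w := range knobWrites(l) {
		dir := filepath.Join(root, w.controller, name)
		if err := os.MkdirAll(dir, 0o755); err != nil { // mkdir == create the cgroup
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, w.file), []byte(w.value+"\n"), 0o644); err != nil {
			return err
		}
		dirs[dir] = true
	}
	for dir := range dirs {
		// The kernel parses the pid and moves the task (and its future children) into the group.
		if err := os.WriteFile(filepath.Join(dir, "tasks"), []byte(strconv.Itoa(pid)+"\n"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

// ParseStat parses the "key value" lines of cpuacct.stat or memory.stat.
func ParseStat(content string) (map[string]uint64, error) {
	m := map[string]uint64{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed stat line %q", sc.Text())
		}
		v, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return nil, err
		}
		m[fields[0]] = v
	}
	return m, sc.Err()
}

// userHZ is the tick rate cpuacct.stat reports in; assumed to be 100 (the value
// on mainstream Linux architectures) instead of asking sysconf(_SC_CLK_TCK).
const userHZ = 100

// CPUMillis converts cpuacct.stat ticks into user and system milliseconds.
func CPUMillis(stat map[string]uint64) (user, system uint64) {
	return stat["user"] * 1000 / userHZ, stat["system"] * 1000 / userHZ
}

// Constructed samples in the kernel's format (not captured from a real host).
const sampleCPUAcct = "user 12345\nsystem 678\n"
const sampleMemStat = "cache 1048576\nrss 4194304\nmapped_file 0\n"

func main() {
	root, _ := os.MkdirTemp("", "cgroup-demo")
	defer os.RemoveAll(root)
	lim := Limits{CPUShares: 512, CPUSet: "0-1", MemoryBytes: 256 << 20, BlockDevice: "8:0", ReadBPS: 1 << 20, WriteIOPS: 200}
	if err := ApplyLimits(root, "web1", lim, os.Getpid()); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, w := range knobWrites(lim) {
		fmt.Printf("%s/%s/%s <- %s\n", w.controller, "web1", w.file, w.value)
	}
	cpu, _ := ParseStat(sampleCPUAcct)
	u, s := CPUMillis(cpu)
	mem, _ := ParseStat(sampleMemStat)
	fmt.Printf("cpu user=%dms system=%dms, rss=%d bytes\n", u, s, mem["rss"])
}
```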
  18. Parts
      ‣ the liblxc library
      ‣ several language bindings (python3, lua and Go)
      ‣ a set of standard tools to control the containers
      ‣ container templates
  19. Pros
      ‣ all containers use the same kernel
      ‣ thus require fewer resources
      ‣ and are more lightweight
      ‣ take seconds to start (fast)
      Cons
      ‣ not so isolated: the shared kernel is the trust boundary, so a kernel vulnerability reachable from one container affects the host and every other container
  20. AUFS LXC

  21. AUFS (a layered filesystem)

  22. AUFS: copy on write. Two branches are stacked, Branch 1 on top of Branch 2, holding files f1 to f6 and directory d1 between them. A read resolves to the first branch, scanning top-down, that contains the file; a write to a file that exists only in Branch 2 first copies it up into Branch 1 and then modifies that copy, so Branch 2 is never changed.

  23. AUFS: delete. Removing f6, which exists in Branch 2, does not touch Branch 2: a whiteout entry for f6 is placed in Branch 1, and later reads stop at the whiteout, so f6 is hidden from the union view.
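The read, copy-on-write and whiteout behaviour of slides 22 and 23, as an added toy union of directories (not AUFS kernel code, and not Docker's storage driver). `Branches[0]` is the writable top branch and the rest are read-only, mirroring a container's layer on top of its image. The whiteout name `.wh.<name>` is the real AUFS convention; everything else (the `Union` type, file-only handling with no directories or opaque-directory markers) is this example's simplification.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// whPrefix is AUFS's whiteout marker: a file named ".wh.<name>" in an upper
// branch hides <name> in every branch below it.
const whPrefix = ".wh."

// Union is a toy AUFS-style union of directory branches. Branches[0] is the
// single writable branch (the container's top layer); the rest are read-only.
type Union struct{ Branches []string }

// Lookup returns the branch path a read of name resolves to, scanning branches
// top-down and stopping at the first file or whiteout it meets.
func (u Union) Lookup(name string) (string, error) {
	for _, b := range u.Branches {
		if _, err := os.Lstat(filepath.Join(b, whPrefix+name)); err == nil {
			return "", os.ErrNotExist // whited out: lower copies are hidden
		}
		p := filepath.Join(b, name)
		if _, err := os.Lstat(p); err == nil {
			return p, nil
		}
	}
	return "", os.ErrNotExist
}

func (u Union) Read(name string) ([]byte, error) {
	p, err := u.Lookup(name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// copyUp ensures name exists in the writable branch, copying it from whichever
// branch it currently resolves to. Lower branches are never written.
func (u Union) copyUp(name string) error {
	top := filepath.Join(u.Branches[0], name)
	if _, err := os.Lstat(top); err == nil {
		return nil
	}
	src, err := u.Lookup(name)
	if err != nil {
		return err
	}
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	return os.WriteFile(top, data, 0o644)
}

// Append modifies an existing file: copy-on-write, then append to the top copy only.
func (u Union) Append(name string, data []byte) error {
	if err := u.copyUp(name); err != nil {
		return err
	}
	f, err := os.OpenFile(filepath.Join(u.Branches[0], name), os.O_WRONLY|os.O_APPEND, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// Create writes a new file into the top branch, dropping any whiteout that hid the name.
func (u Union) Create(name string, data []byte) error {
	os.Remove(filepath.Join(u.Branches[0], whPrefix+name))
	return os.WriteFile(filepath.Join(u.Branches[0], name), data, 0o644)
}

// Remove deletes name from the union view. The top copy is unlinked; if a lower
// branch still holds the file, a whiteout is placed in the top branch so reads
// no longer fall through to it.
func (u Union) Remove(name string) error {
	if _, err := u.Lookup(name); err != nil {
		return err
	}
	if err := os.Remove(filepath.Join(u.Branches[0], name)); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	for _, b := range u.Branches[1:] {
		if _, err := os.Lstat(filepath.Join(b, name)); err == nil {
			return os.WriteFile(filepath.Join(u.Branches[0], whPrefix+name), nil, 0o644)
		}
	}
	return nil
}

// List returns the merged directory view: all branches' entries minus whited-out names.
func (u Union) List() ([]string, error) {
	seen, hidden := map[string]bool{}, map[string]bool{}
	for _, b := range u.Branches {
		entries, err := os.ReadDir(b)
		if err != nil {
			return nil, err
		}
		for _, e := range entries {
			n := e.Name()
			if strings.HasPrefix(n, whPrefix) {
				hidden[strings.TrimPrefix(n, whPrefix)] = true // hides lower branches only
			} else if !hidden[n] {
				seen[n] = true
			}
		}
	}
	var names []string
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, nil
}

func main() {
	upper, _ := os.MkdirTemp("", "branch1")
	lower, _ := os.MkdirTemp("", "branch2")
	defer os.RemoveAll(upper)
	defer os.RemoveAll(lower)
	os.WriteFile(filepath.Join(lower, "f6"), []byte("v1"), 0o644) // image layer content
	u := Union{Branches: []string{upper, lower}}
	b, _ := u.Read("f6")
	fmt.Printf("read f6 -> %q (served from the lower branch)\n", b)
	u.Append("f6", []byte(" v2"))
	b, _ = u.Read("f6")
	low, _ := os.ReadFile(filepath.Join(lower, "f6"))
	fmt.Printf("after write: union %q, lower branch still %q\n", b, low)
	u.Remove("f6")
	_, err := u.Read("f6")
	names, _ := u.List()
	fmt.Printf("after delete: read err=%v, listing=%v, lower f6 still on disk\n", err, names)
}
```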
  24. Pros
      ‣ storage savings
      ‣ faster deployments
      ‣ better memory usage
      ‣ easier upgrades
      ‣ allows arbitrary changes (the root filesystem is still writeable)
      Cons
      ‣ not so active development
  25. Resources
      1. VMware, "Understanding Full Virtualization, Paravirtualization, and Hardware Assist", http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf
      2. "Namespaces in operation, part 1: namespaces overview", https://lwn.net/Articles/531114/
      3. "PaaS Under the Hood", http://blog.dotcloud.com/
      4. Jérôme Petazzoni, "Lightweight Virtualization", http://www.socallinuxexpo.org/sites/default/files/presentations/Jerome-Scale11x%20LXC%20Talk.pdf
      5. "The File system", http://www.tldp.org/LDP/tlk/fs/filesystem.html