Slide 1

Slide 1 text

Inside Docker

Slide 2

OMG! Why is VirtualBox so slow?

Slide 3

Virtualization

Slide 4

Virtualization
‣ Full virtualization
    ‣ Software-based
‣ Paravirtualization

Slide 5

Full x86 virtualization
‣ Software-based
‣ Hardware assisted
Paravirtualization

Slide 6

Full x86 virtualization
‣ Software-based
‣ Hardware assisted
Paravirtualization
Operating system-level virtualization

Slide 7

3 key aspects
‣ CPU virtualization
‣ Memory virtualization
‣ Device and I/O virtualization

Slide 8

Privilege rings for the x86, available in protected mode: 4 rings (0 to 3). Ring 0 is the “Kernel” (most privileged); user code runs in Ring 3. A guest kernel expects to own Ring 0, and that is the core problem each x86 virtualization technique on the next slides solves differently.

Slide 9

Full virtualization using binary translation

  Ring 3   User Apps
  Ring 2
  Ring 1   Guest OS
  Ring 0   VMM
           Hardware

The VMM owns Ring 0 and the unmodified guest kernel is deprivileged to Ring 1; the guest's non-virtualizable instructions are rewritten on the fly (binary translation) into sequences that have the intended effect on the virtual hardware.

Slide 10

Paravirtualization

  Ring 3   User Apps
  Ring 2
  Ring 1
  Ring 0   Paravirtualized Guest OS
           Virtualization Layer
           Hardware

The guest kernel is modified: its non-virtualizable OS instructions are replaced with explicit calls (hypercalls) into the virtualization layer, so no runtime translation is needed, at the cost of requiring a ported guest.

Slide 11

Hardware assisted virtualization (Intel VT-x / AMD-V)

  Non-root mode privilege levels
    Ring 3   User Apps
    Ring 2
    Ring 1
    Ring 0   Guest OS
  Root mode privilege levels
             x86 VMM
  Hardware

The CPU adds a second execution mode: the unmodified guest kernel keeps Ring 0 but runs in non-root mode, and privileged or sensitive operations cause a VM exit into the VMM running in root mode.
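An added example, not from the slides and not code from VirtualBox or VMware: the two questions a practitioner asks before debugging a slow VM are "does this CPU have the root/non-root mode drawn above?" and "am I already a guest of some VMM?". Both are answered by CPUID. The struct and function names (`vm_info`, `probe_vm`) are my own; the bit positions (VMX in CPUID.1:ECX[5], SVM in CPUID.80000001:ECX[2], the hypervisor-present bit in CPUID.1:ECX[31], and the hypervisor signature leaf 0x40000000) are the documented ones.

```c
/* Added example, not part of the original slides: ask the CPU whether it
 * has the hardware-assisted mode drawn above (Intel VT-x / AMD-V) and
 * whether this code is already running as a guest of some VMM.
 * x86 only; other architectures report hw_virt = -1. */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct vm_info {
    int hw_virt;      /* 1: VMX (CPUID.1:ECX[5]) or SVM (CPUID.80000001:ECX[2]) present */
    int under_vmm;    /* 1: CPUID.1:ECX[31] "hypervisor present" bit is set */
    char vendor[13];  /* signature from leaf 0x40000000, e.g. "VBoxVBoxVBox" or "KVMKVMKVM" */
};

struct vm_info probe_vm(void)
{
    struct vm_info info;
    memset(&info, 0, sizeof info);
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        info.hw_virt = -1;                       /* no CPUID leaf 1: ancient CPU */
        return info;
    }
    info.hw_virt = (ecx >> 5) & 1;               /* Intel VMX */
    info.under_vmm = (ecx >> 31) & 1;
    if (__get_cpuid(0x80000001, &eax, &ebx, &ecx, &edx))
        info.hw_virt |= (ecx >> 2) & 1;          /* AMD SVM */
    if (info.under_vmm) {
        /* 0x40000000 is the hypervisor leaf; __cpuid (unlike __get_cpuid)
         * does not refuse leaves above the basic maximum. */
        __cpuid(0x40000000, eax, ebx, ecx, edx);
        memcpy(info.vendor, &ebx, 4);
        memcpy(info.vendor + 4, &ecx, 4);
        memcpy(info.vendor + 8, &edx, 4);
        info.vendor[12] = '\0';
    }
#else
    info.hw_virt = -1;
#endif
    return info;
}

int main(void)
{
    struct vm_info v = probe_vm();
    printf("hardware virtualization: %s\n",
           v.hw_virt < 0 ? "n/a (not x86)" : v.hw_virt ? "yes" : "no");
    printf("running under a VMM: %s%s%s\n", v.under_vmm ? "yes" : "no",
           v.under_vmm ? ", signature " : "", v.under_vmm ? v.vendor : "");
    return 0;
}
```

Two caveats. Inside a guest, `hw_virt` only reports what the VMM chooses to expose (nested virtualization), not what the physical CPU has. And the hypervisor bit is a cooperative signal: a VMM that wants to hide, including one doing binary translation of guest kernel code, can make CPUID return whatever it likes, so sandbox-detection logic should never rely on it alone.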

Slide 12

To summarize VBox (software virtualization path)
‣ Emulates I/O and hardware devices and the BIOS
‣ Uses binary translation for guest kernel code
‣ Works hard in the MMU (shadow page tables, TLB maintenance on every guest page-table change)
When VT-x/AMD-V and nested paging (EPT/NPT) are available and enabled, VirtualBox hands the CPU and most of the MMU work to the hardware instead; the device and BIOS emulation remains.

Slide 13

AUFS LXC

Slide 14

LXC: Linux Containers

Slide 15

‣ Kernel namespaces (ipc, uts, mount, pid, network and user)
‣ AppArmor and SELinux profiles
‣ Seccomp policies
‣ Chroots (using pivot_root)
‣ Kernel capabilities
‣ Control groups (cgroups)

Slide 16

Linux namespaces: user, uts, ipc, net, mnt, pid. Every process is a member of exactly one namespace of each type; a container is simply a process tree started in fresh instances of them.
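An added example, not from the slides and not LXC's or Docker's code, covering the namespace bullet of the previous slide and this one: it puts a child into its own user, UTS, mount and PID namespaces with the raw kernel primitives (unshare(2) followed by fork(2)), lets the child rename its host and check it is pid 1, then verifies from the outside that the host's hostname did not change. Linux only. The names `ns_flags_from_names`, `container_init`, `run_isolated_child` and the hostname "container" are mine. Unprivileged user namespaces must be enabled; where the kernel or a seccomp filter refuses (Docker's default profile returns EPERM for new user namespaces), the code reports "unavailable" instead of failing, which is the seccomp and capability story of the previous slide seen from the other side.

```c
/* Added example, not part of the original slides: create user, UTS, mount
 * and PID namespaces for a child the way LXC/Docker do underneath, then
 * check from outside that the child's changes stayed inside. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/sched.h>     /* CLONE_NEW* flags (kernel uapi header) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_HOSTNAME "container"
#define EXIT_UNAVAILABLE 10   /* kernel refused: no namespaces for us here */

/* Map a comma-separated list of namespace names, as on the slide, to flags. */
int ns_flags_from_names(const char *names)
{
    static const struct { const char *name; int flag; } table[] = {
        { "user", CLONE_NEWUSER }, { "uts", CLONE_NEWUTS },
        { "ipc",  CLONE_NEWIPC  }, { "net", CLONE_NEWNET },
        { "mnt",  CLONE_NEWNS   }, { "pid", CLONE_NEWPID },
    };
    char buf[128];
    int flags = 0;
    snprintf(buf, sizeof buf, "%s", names);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i;
        for (i = 0; i < sizeof table / sizeof table[0]; i++)
            if (strcmp(tok, table[i].name) == 0) { flags |= table[i].flag; break; }
        if (i == sizeof table / sizeof table[0])
            return -1;                         /* unknown namespace name */
    }
    return flags;
}

/* Body of the "container init": runs as pid 1 inside the new PID namespace. */
static int container_init(void)
{
    char host[64] = {0};
    /* We hold full capabilities in the new user namespace, which owns the new
     * UTS namespace, so sethostname works without root on the host. */
    if (sethostname(CHILD_HOSTNAME, strlen(CHILD_HOSTNAME)) != 0)
        return errno == EPERM ? EXIT_UNAVAILABLE : 2;   /* EPERM: seccomp/LSM said no */
    if (getpid() != 1)
        return 3;                              /* not the first process of a PID ns */
    if (gethostname(host, sizeof host - 1) != 0 || strcmp(host, CHILD_HOSTNAME) != 0)
        return 4;
    return 0;
}

/* 1 = isolation verified, 0 = namespaces unavailable here, -1 = real failure. */
int run_isolated_child(void)
{
    char before[64] = {0}, after[64] = {0};
    int flags = ns_flags_from_names("user,uts,mnt,pid");
    gethostname(before, sizeof before - 1);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* unshare(2) moves *this* process into new namespaces; a new PID
         * namespace only takes effect for the children forked afterwards. */
        if (syscall(SYS_unshare, flags) != 0)
            _exit(errno == EPERM || errno == EACCES || errno == EINVAL ||
                  errno == ENOSYS || errno == ENOSPC || errno == EUSERS
                  ? EXIT_UNAVAILABLE : 5);
        pid_t init = fork();
        if (init < 0) _exit(6);
        if (init == 0) _exit(container_init());
        int st = 0;
        waitpid(init, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 7);
    }

    int status = 0;
    waitpid(pid, &status, 0);
    gethostname(after, sizeof after - 1);
    if (!WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == EXIT_UNAVAILABLE) return 0;
    if (WEXITSTATUS(status) != 0) return -1;   /* child could not prove isolation */
    if (strcmp(before, after) != 0) return -1; /* hostname leaked: no UTS isolation */
    return 1;
}

int main(void)
{
    int r = run_isolated_child();
    printf("namespace isolation: %s\n",
           r == 1 ? "verified" : r == 0 ? "unavailable on this kernel" : "FAILED");
    return r < 0;
}
```

Note what is not isolated here: no net or ipc namespace was requested, no pivot_root was done, and the child still has the host's mount table (a mount namespace is a copy, not an empty one), which is exactly why LXC layers pivot_root, capability drops, seccomp and an LSM profile on top of the namespaces.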

Slide 17

Cgroups: resource limiting, accounting and isolation

CPU
‣ cpu.shares (relative CPU weight, limiting)
‣ cpuset.cpus (pin the group to a set of CPUs, isolation)
‣ cpuacct.stat (accounting)
Memory
‣ memory.limit_in_bytes (limiting)
‣ memory.stat (accounting)
IO
‣ blkio.throttle.{read,write}.{iops,bps}.device (limiting)
‣ blkio.weight (proportional share)

These are cgroup v1 file names. On the unified cgroup v2 hierarchy of current kernels the equivalents are cpu.weight, cpu.max, memory.max, io.max and io.weight for limits, cpuset.cpus for pinning, and cpu.stat and memory.stat for accounting.
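An added example, not from the slides and not LXC's or Docker's code: applying the knobs above is nothing more than creating a directory under the cgroup mount and writing values into the files the kernel exposes there, which is all LXC and Docker do underneath. The function and struct names (`cgroup_confine`, `cg_limits`, `shares_to_weight`, `cgroup_read`) are mine; the file names are the kernel's. The root parameter is assumed to be the cgroup mount point (normally /sys/fs/cgroup, which needs root or delegated ownership); the code checks for cgroup.controllers to tell the v1 per-controller layout of the slide from the unified v2 layout and writes the matching files, converting v1 cpu.shares (2..262144) linearly onto v2 cpu.weight (1..10000).

```c
/* Added example, not part of the original slides: apply the cgroup knobs
 * named above by writing to the cgroup filesystem. `root` is the cgroup
 * mount point (normally /sys/fs/cgroup); v1 and v2 layouts are both handled. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct cg_limits {
    long long memory_bytes;   /* hard memory ceiling */
    int cpu_shares;           /* relative CPU weight, v1 scale 2..262144 (default 1024) */
};

static int write_file(const char *dir, const char *name, const char *value)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(value, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;     /* the kernel rejects bad values here */
}

static int ensure_dir(const char *path)
{
    return (mkdir(path, 0755) == 0 || errno == EEXIST) ? 0 : -1;
}

/* cgroup v2 exposes cgroup.controllers at the root of its single tree. */
int cgroup_is_v2(const char *root)
{
    char path[512];
    struct stat st;
    snprintf(path, sizeof path, "%s/cgroup.controllers", root);
    return stat(path, &st) == 0;
}

/* v1 cpu.shares (2..262144) -> v2 cpu.weight (1..10000), linear mapping. */
int shares_to_weight(int shares)
{
    if (shares < 2) shares = 2;
    if (shares > 262144) shares = 262144;
    return 1 + (int)(((long long)(shares - 2) * 9999) / 262142);
}

/* Create the group under root, apply the limits, then move `pid` into it.
 * Returns 0 on success or -1 at the first write the kernel (or fs) refuses. */
int cgroup_confine(const char *root, const char *name, struct cg_limits lim, pid_t pid)
{
    char dir[512], val[64], pidstr[32];
    snprintf(pidstr, sizeof pidstr, "%d", (int)pid);

    if (cgroup_is_v2(root)) {
        snprintf(dir, sizeof dir, "%s/%s", root, name);
        if (ensure_dir(dir)) return -1;
        snprintf(val, sizeof val, "%lld", lim.memory_bytes);
        if (write_file(dir, "memory.max", val)) return -1;
        snprintf(val, sizeof val, "%d", shares_to_weight(lim.cpu_shares));
        if (write_file(dir, "cpu.weight", val)) return -1;
        return write_file(dir, "cgroup.procs", pidstr);
    }

    /* v1: a separate hierarchy per controller, each with its own tasks file. */
    snprintf(dir, sizeof dir, "%s/memory/%s", root, name);
    if (ensure_dir(dir)) return -1;
    snprintf(val, sizeof val, "%lld", lim.memory_bytes);
    if (write_file(dir, "memory.limit_in_bytes", val)) return -1;
    if (write_file(dir, "tasks", pidstr)) return -1;

    snprintf(dir, sizeof dir, "%s/cpu/%s", root, name);
    if (ensure_dir(dir)) return -1;
    snprintf(val, sizeof val, "%d", lim.cpu_shares);
    if (write_file(dir, "cpu.shares", val)) return -1;
    return write_file(dir, "tasks", pidstr);
}

/* Read an accounting file (memory.stat, cpuacct.stat, ...) into buf; -1 if absent. */
long cgroup_read(const char *dir, const char *name, char *buf, size_t len)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    struct cg_limits lim = { 256LL << 20, 512 };   /* 256 MiB, half the default CPU share */
    if (cgroup_confine("/sys/fs/cgroup", "demo", lim, getpid()) != 0) {
        perror("cgroup_confine");                /* typically EACCES without root */
        return 1;
    }
    puts("confined into cgroup 'demo'");
    return 0;
}
```

Everything here is plain file I/O, which is also the security lesson: a process that can write to its own cgroup directory (or that is handed /sys/fs/cgroup writable, a common mistake in privileged containers) can simply raise its own limits or move itself to the root group.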

Slide 18

Parts
‣ The liblxc library
‣ Several language bindings (python3, lua and Go)
‣ A set of standard tools to control the containers
‣ Container templates

Slide 19

Pros
‣ all containers use the same kernel
‣ thus they require fewer resources
‣ and are more lightweight
‣ take seconds to start (fast)
Cons
‣ not so isolated: the shared kernel is a shared attack surface, so a kernel bug or a misconfigured capability, mount or syscall filter is reachable from every container

Slide 20

AUFS LXC

Slide 21

AUFS: layered (union) filesystem

Slide 22

AUFS: Branch 1 and Branch 2 merged into one view (files f1 to f6, directory d1)

Read: a lookup walks the branches in order, so the first branch holding a copy of a file wins; files present in only one branch simply fall through to that branch.
Write (Copy on Write): a write to a file that lives in a read-only branch first copies it up into the writable branch and then modifies the copy; the lower branch is never changed.

Slide 23

Delete with a whiteout: removing f6, which exists in a lower branch, cannot touch that branch. AUFS instead creates a whiteout entry (.wh.f6) in the writable branch; subsequent reads of f6 see the whiteout first and report the file as absent.
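An added example, not from the slides and not AUFS code, covering the read, copy-on-write and whiteout behaviour of the two diagrams above: a two-branch union over ordinary directories in user space. Reads fall through from the writable upper branch to the read-only lower one, a write copies the file up before touching it, and a delete leaves a ".wh.<name>" whiteout (the marker AUFS itself uses) in the upper branch so the lower copy stays hidden. The struct and function names (`unionfs`, `union_lookup`, `union_read`, `union_append`, `union_delete`) are mine, and the directories are whatever two paths you hand it.

```c
/* Added example, not part of the original slides: a two-branch union over
 * plain directories that behaves the way the two AUFS diagrams describe.
 * Reads fall through from the writable upper branch to the read-only lower
 * branch; a write copies the file up first (copy-on-write); a delete leaves a
 * ".wh.<name>" whiteout, the marker AUFS itself uses, in the upper branch. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct unionfs {
    char lower[256];   /* read-only image layer */
    char upper[256];   /* writable container layer */
};

static int exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

static void branch_path(char *out, size_t len, const char *branch,
                        const char *prefix, const char *name)
{
    snprintf(out, len, "%s/%s%s", branch, prefix, name);
}

/* Resolve `name` for reading: 1 with the winning path in `out`, 0 if absent or whited out. */
int union_lookup(const struct unionfs *u, const char *name, char *out, size_t len)
{
    char path[512];
    branch_path(path, sizeof path, u->upper, ".wh.", name);
    if (exists(path)) return 0;                       /* whiteout hides the lower copy */
    branch_path(path, sizeof path, u->upper, "", name);
    if (!exists(path)) branch_path(path, sizeof path, u->lower, "", name);
    if (!exists(path)) return 0;
    snprintf(out, len, "%s", path);
    return 1;
}

/* Read the whole file into buf (NUL-terminated); bytes read, or -1 if not visible. */
long union_read(const struct unionfs *u, const char *name, char *buf, size_t len)
{
    char path[512];
    if (!union_lookup(u, name, path, sizeof path)) return -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Copy-up: materialise the lower copy of `name` in the upper branch. */
static int copy_up(const struct unionfs *u, const char *name)
{
    char src[512], dst[512], buf[4096];
    size_t n;
    branch_path(dst, sizeof dst, u->upper, "", name);
    if (exists(dst)) return 0;                        /* already upper: nothing to do */
    branch_path(src, sizeof src, u->lower, "", name);
    FILE *in = fopen(src, "rb");
    if (!in) return 0;                                /* brand-new file, nothing to copy */
    FILE *out = fopen(dst, "wb");
    if (!out) { fclose(in); return -1; }
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) { fclose(in); fclose(out); return -1; }
    fclose(in);
    return fclose(out);
}

/* Append `data` to `name`. Every write lands in the upper branch. */
int union_append(const struct unionfs *u, const char *name, const char *data)
{
    char path[512];
    branch_path(path, sizeof path, u->upper, ".wh.", name);
    if (exists(path))
        unlink(path);             /* re-creating a deleted file: drop whiteout, start empty */
    else if (copy_up(u, name) != 0)
        return -1;
    branch_path(path, sizeof path, u->upper, "", name);
    FILE *f = fopen(path, "ab");
    if (!f) return -1;
    int ok = fputs(data, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Delete: unlink any upper copy; a lower copy cannot be touched, so mask it. */
int union_delete(const struct unionfs *u, const char *name)
{
    char path[512];
    branch_path(path, sizeof path, u->upper, "", name);
    int had_upper = unlink(path) == 0;
    branch_path(path, sizeof path, u->lower, "", name);
    if (!exists(path)) return had_upper ? 0 : -1;     /* nowhere: ENOENT */
    branch_path(path, sizeof path, u->upper, ".wh.", name);
    FILE *wh = fopen(path, "w");
    return wh ? fclose(wh) : -1;
}
```

The point of the whiteout case for an image reviewer: a file deleted in a later layer is still physically present in the lower layer, so a secret "removed" by a later `RUN rm` in a Dockerfile remains in the image's history and is one layer extraction away. (overlayfs expresses the same whiteout as a 0:0 character device instead of a `.wh.` file; the semantics are identical.)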

Slide 24

Pros
‣ storage savings
‣ faster deployments
‣ better memory usage
‣ easier upgrades
‣ allows arbitrary changes (root filesystem is still writeable)
Cons
‣ not so active development (AUFS was never merged into the mainline kernel; Docker later made overlay2 its default storage driver and deprecated aufs)

Slide 25

Resources
1. VMware, “Understanding Full Virtualization, Paravirtualization, and Hardware Assist”, http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf
2. Namespaces in operation, part 1: namespaces overview, https://lwn.net/Articles/531114/
3. PaaS Under the Hood, http://blog.dotcloud.com/
4. Lightweight Virtualization by Jérôme Petazzoni, http://www.socallinuxexpo.org/sites/default/files/presentations/Jerome-Scale11x%20LXC%20Talk.pdf
5. The File system, http://www.tldp.org/LDP/tlk/fs/filesystem.html