Introduction to VMs & Containers

Transcription

1 Lesson iut.univ-paris8.fr Introduction to VMs & Containers This Document:

2 Hardware Software

3 "All problems in computer science can be solved by another level of indirection" (the "fundamental theorem of software engineering") David Wheeler

4 Hardware Assembly Langage Compiler & Langages Shared Libraries Frameworks

5 Problem 1 To Solve : Libraries Dependencies Hell Think Windows to understand Dll Dependency Hell Think Debian to upgrade Xserver driver Think NPM / NodeJS package.json node_modules and versionning

6 Example: Npm modules hell

7 Problem 2 To Solve : Configuration Conflicts / Reuse Component Think /etc/<app>.conf.d to understand Configuration for <app> OK How to have multiple instances?? <app.1>, <app.2>, <app.n> KO! foo foo.conf bar bar.conf foo-4 foo-3 foo-2 foo-1 foo-4.conf foo-3.conf foo-2.conf foo-1.conf Isolate shared / specific part?

8 Problem 3 : Versionning Multiple Versions Co-Existing

9 Problem 4 : Resource Sharing

10 Hardware OS Virtual Machine Containers Orchestrators

11 Problem 5 : Resource Scheduling

12 Virtualisation Containers History 2003 Qemu Xen Intel VT-x KVM 2008 LXC VirtualBox ( Innotek Sun 2008 Oracle 2010) 2010 dotcloud company created by Solomon Hykes Docker Docker released DotCloud renamed on Windows Docker Inc 2018 Solomon quits Docker.. what s next?

13 Qemu KVM VirtualBox...

14 LibVirt...

15 Lightweight Containers Virtual Machines VMs Containers

16 Docker : Linux Container Then Windows & Mac

17 Docker Libcontainer

18 Libcontainer, Open Container

19

20 Other Container Technologies..

21 Linux Isolations primitives for Containers

22 FileSystem

23 FileSystem : Class / Design-Pattern Interpretation Facade, Delegate design-pattern : all System I/O goes to a facade API File RegularFile Dir FileSystem

24 ChRoot

25 ChRoot Class/Pattern Interpretation FileSystem File RegularFile Dir MountDir 1 rootdir= / Process (Context) Object Instance Diagram : forking a ch-rooted process MountDir: / Dir: /a/b/chroot-dir CtxParent1 : Process (Context) Can not reach parent dir seen as /.. for /a/b MountDir: seen as / for process 2 correspond to /a/b/chroot-dir ChildCtx2 : Process (Context)

26 ChRoot Object Diagram for ch-rooted child process / for process2 correspond to /a/b/chroot-dir Can not reach parent dir seen as /.. for /a/b JAILS MountDir: seen as / for process 2 MountDir: / Dir: /a/b/chroot-dir CtxParent1 : Process (Context) ChildCtx2 : Process (Context)

27 Mount

28 Mount : Class / Design-Pattern Interpretation Adapter design-pattern : adapt a Dir sub-class to delegate to FileSystem MountDir FileSystem File RegularFile Dir MountDir FileSystem

29 Mount usage in Docker : Volumes Example: $ docker run -v /data:/redis-1/data --name redis-1 redis:latest

30 UnionFS, AuFS Example: $ mkdir /tmp/rw && mkdir /tmp/aus & sudo mount -t aufs -o br=/tmp/rw=rw:/home/user=ro none /tmp/aus/ will show in /tmp/aus the union of /tmp/rw and /home/user (kept as read-only)

31 UnionFS, AuFs If found diff override Virtual UnionFS Else NOT found Diff Base Read-Write overriden filesystem Write only Diffs (Copy-On-Write from Base filesystem) Read-Only base filesystem Example: Live linux distribution for test (no persistent files), on Boot USB disk

32 UnionFS : Class / Design Pattern Decorator design-pattern? Example: 1 layer Read-Write / Above 1 layer Read-Only decorate Read-Write over a Read-Only Delegate / Chain-Of-Responsibility design-pattern? Example: multiple layers when match pattern, then delegate else bubbles up FileSystem File Dir MountDir UnionMountDir UnionFileSystem * layers UnionFSLayer

33 UnionFS usage in Docker : Image Layers Stack (Dockerfile) Dockerfile FROM debian:latest RUN apt-get install tomcat RUN apt-get install apache $ docker build -t my-image.

34 Loopback Device, Losetup

35 Loopback Class / Design Pattern Adapter design-pattern : DeviceFile File Class Diagram: File Driver RegularFile DeviceFile Loopback LoopbackDriver

36 Namespaces (UTS, PIDs,..) Named Resource * Namespace [name] : leftns 1 : rightns Name Translation Table * Name Translation Entry LeftName rightname Example of Namespaces in Linux: PIDs, Hostnames,...

37 Reminder on TCP-IP Socket, Packet (IP:Port IP:Port) Level 7 Process1 Level 3 : TCP socket Port=Port1 Socket stream Receive/send data Level 3 : TCP socket Port=Port1 IP-Src,IP-Dest,Port-Src,Port-Dest, tcpnum,tcpack,tcpwindow,...len,data Level 1 : IP eth0 IP=IP1 Receive/send packets IP Packet format: IP-Src,IP-Dest,Port-Src,Port-Dest, len,data... Level 0 : eth0 Arp=Arp1 Electric/Fiber connection Notice: can have Host1=Host2, IP1=IP2,... Level 1 : IP eth0 IP=IP1 Level 0 : eth0 Arp=Arp1 Level 7 Process2

38 NAT : Network Address Translation Process1 IP-Src Port-Src IP-Src,IP-Dest1,Port-Src,Port-Dest1.. NAT Translater IP-Src,IP-Dest-NAT,Port-Src,Port-Dest-NAT.. IP-Dest-NAT Process1 Port-Dest-NAT

39 Example: Docker Port Export $ docker run -p 4001: name redis-1 redis:latest $ docker run -p 4002: name redis-2 redis:latest Container: redis-1 (host: a23bc6d1, IP:..) Container: redis-2 (host: b6c9aff2, IP:..) 4002 docker-proxy Docker ContainerD (VETH0 Bridge..) Linux OS (Localhost)

40 .. Docker -p <extport>:<intport> Check connecting manually (telnet) to redis on 4001 not on 6379!! execute redis commands It works..

41 Result Linux processes..

42 Idem NAT Level 7 : Http Reverse Proxy Process1 Http Request1 <dest> HTTP POST /url headers k=v Body {json..} Http Request2 <dest-new> HTTP POST /url-new headers k=v-new Body {json-new..} Http Reverse Proxy Http Response 200 headers k=v-new Body {json-new..} Http Server Http Response 200 headers k=v Body {json..}

43 DNS : Host to IP resolver

44 Ingress Networks.. (= Http Reverse Proxy + DNS +..)

45 Next Chapter 2/3 : Docker Next Chapter 3/3 : Kubernetes Orchestration