OS Containers. Michal Sekletár November 06, 2016

Similar documents
Containers and isolation as implemented in the Linux kernel

深 入解析 Docker 背后的 Linux 内核技术. 孙健波浙江 大学 SEL/VLIS 实验室

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Container mechanics in Linux and rkt FOSDEM 2016

Travis Cardwell Technical Meeting

Using Linux Containers as a Virtualization Option

SAINT LOUIS JAVA USER GROUP MAY 2014

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

OS Virtualization. Linux Containers (LXC)

1 Virtualization Recap

Alternatives to Solaris Containers and ZFS for Linux on System z

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

OS Security III: Sandbox and SFI

ISSN (Online)

SOFT CONTAINER TOWARDS 100% RESOURCE UTILIZATION ACCELA ZHAO, LAYNE PENG

The failure of Operating Systems,

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Container's Anatomy. Namespaces, cgroups, and some filesystem magic 1 / 59

PROCESS MANAGEMENT Operating Systems Design Euiseong Seo

RDMA Container Support. Liran Liss Mellanox Technologies

Zdeněk Kubala Senior QA

Understanding user namespaces

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

What s new in control groups (cgroups) v2

Faculté Polytechnique

FreeBSD Jails vs. Solaris Zones

Engineering Robust Server Software

[Docker] Containerization

Beyond Init: systemd

Introduction to Containers

for Kerrighed? February 1 st 2008 Kerrighed Summit, Paris Erich Focht NEC

Introduction to containers

Outline. Cgroup hierarchies

Docker Deep Dive. Daniel Klopp

See Docker from the Perspective of Linux Process. Allen Hangzhou Docker Meetup

Security of OS-level virtualization technologies

Docker for HPC? Yes, Singularity! Josef Hrabal

Making Applications Mobile

EE 660: Computer Architecture Cloud Architecture: Virtualization

Improving User Accounting and Isolation with Linux Kernel Features. Brian Bockelman Condor Week 2011

systemd in Containers

RESOURCE MANAGEMENT MICHAEL ROITZSCH

Linux Operating System

RESOURCE MANAGEMENT MICHAEL ROITZSCH

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Namespaces and Capabilities Overview and Recent Developments

COMP3891/9283 Extended OS

CSE 153 Design of Operating Systems Fall 2018

Outline. Cgroup hierarchies

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

IMPLEMENTING SOLARIS CONTAINERS TO INCREASE PERFORMANCE AND SCALABILITY OF FINANCIAL MANAGEMENT SOFTWARE Genti Daci, Polytechnic University of Tirana

An introduction to Docker

Virtualisation: Jails and Unikernels

Lecture Topics. Announcements. Today: Threads (Stallings, chapter , 4.6) Next: Concurrency (Stallings, chapter , 5.

For personnal use only

EVALUATION OF PERFORMANCE OF SOLARIS TRUSTED EXTENSIONS USING CONTAINERS TECHNOLOGY

Linux Driver and Embedded Developer

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

THE ROUTE TO ROOTLESS

The Classical OS Model in Unix

Utilizing Oracle Solaris Containers with Oracle Database. Björn Rost

Project 3: An Introduction to File Systems. COP 4610 / CGS 5765 Principles of Operating Systems

CSE/ISE 311: Systems Administra5on Access Control and Processes

A Design and Implementation of Universal Container

NON SCHOLAE, SED VITAE

Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft

Solaris TM Containers for System {Admins, Architects, Engineers} and Technical Trainers

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

Flatpak a technical walk-through. Alexander Larsson, Red Hat

A Lightweight OS-Level Virtualization Architecture Based on Android Bo-wen LIU, Nai-jie GU and De-he GU

2017 Pearson Educa2on, Inc., Hoboken, NJ. All rights reserved.

Linux Kernel Security Overview

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Introduction to Virtualization and Containers Phil Hopkins

User Namespaces. Linux Capabilities and Namespaces. Outline. Michael Kerrisk, man7.org c 2018 March 2018

Operating System Virtualization: Practice and Experience

Secure Architecture Principles

History of FreeBSD. FreeBSD Kernel Facilities

Cauldron: A Framework to Defend Against Cache-based Side-channel Attacks in Clouds

Linux Kung-Fu. James Droste UBNetDef Fall 2016

INSTITUTE OF AERONAUTICAL ENGINEERING (Autonomous) Dundigal, Hyderabad

FOSDEM 18. LTTng: The road to container awareness.

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

INSTITUTE OF AERONAUTICAL ENGINEERING (Autonomous) Dundigal, Hyderabad

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

Categorizing container escape methodologies in multi-tenant environments

Mininet: Squeezing a 1000 node OpenFlow Network onto a Laptop. Bob Lantz, November 19, 2009

Processes. Dr. Yingwu Zhu

On the Performance Impact of Virtual Link Types to 5G Networking

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Linux-CR: Transparent Application Checkpoint-Restart in Linux

Neale Ferguson

Virtualization and Performance

Raw Packet Capture in the Cloud: PF_RING and Network Namespaces. Alfredo

Oracle on Solaris 10 Containers/Zones

Docker and Oracle Everything You Wanted To Know

RED HAT ENTERPRISE LINUX 7 BETA

Operating Systems. II. Processes

Transcription:

OS Containers Michal Sekletár msekleta@redhat.com November 06, 2016

whoami Senior Software Engineer @ Red Hat systemd and udev maintainer Free/Open Source Software contributor Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 2 / 21

Agenda Introduction to OS containers Implementations of OS Containers FreeBSD Solaris Linux Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 3 / 21

Introduction Q: What is a container? Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 4 / 21

Introduction A: Virtualized application execution environment. Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 5 / 21

Container Technologies chroot BSD Jails Solaris Zones Linux VServer namespaces cgroups OpenVZ LXC systemd-nspawn Docker rkt Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 6 / 21

chroot(2) System call used to change filesystem root of a process First appeared in 4.1BSD in early 80 s (March 18 1982 according to SCCS log) chroot() { if (suser()) chdirec(&u.u_rdir); } Figure: Original implementation of chroot system call Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 7 / 21

BSD Jails FreeBSD - 4.0 (1998) Legacy UNIX privilege delegation model is basically non-existent Authors of jails wanted to solve problem of omnipotent root jail (2) syscall struct prison Once process is put to a jail it can t get out anymore Jails heavily leverage chroot (2) Some functionality is disabled in a jail (mounting filesystems, creating SOCK RAW sockets) Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 8 / 21

BSD Jails Each jail is characterized by 4 main properties, Directory subtree Hostname IP address (usually an alias address on existing interface) A command to run Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 9 / 21

Jails DEMO Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 10 / 21

Solaris Zones Early 2000 s (2004) Inspired by jails work in FreeBSD Zones were trying to solve problems related to workload consolidation Sun Microsystems was selling boxes too big to run only a single application Primitives backed into an operating system zone t 2 kinds of zones Global Non-global Global zone is a first (default zone) in the system Zone must be installed and configured, then it is booted and user can log into it ICMP is allowed but RAW sockets are still not allowed in a non-global zone zoneadm, zonecfg commands Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 11 / 21

Zones DEMO Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 12 / 21

Linux Containers First implemented as part of Virtuozzo OpenVZ in 2005 Implementation of underlying technologies was later included upstream Namespaces Cgroups Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 13 / 21

Linux Namespaces Feature provided by Linux Used to virtualize various global system resources mount PID user uts network IPC cgroup System calls used to manipulate namespaces, clone unshare setns Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 14 / 21

Linux Namespaces # ls -l /proc/self/ns total 0 lrwxrwxrwx. 1 root root 0 Nov lrwxrwxrwx. 1 root root 0 Nov lrwxrwxrwx. 1 root root 0 Nov lrwxrwxrwx. 1 root root 0 Nov lrwxrwxrwx. 1 root root 0 Nov lrwxrwxrwx. 1 root root 0 Nov lrwxrwxrwx. 1 root root 0 Nov 6 09:09 cgroup -> cgroup:[4026531835] 6 09:09 ipc -> ipc:[4026531839] 6 09:09 mnt -> mnt:[4026531840] 6 09:09 net -> net:[4026531969] 6 09:09 pid -> pid:[4026531836] 6 09:09 user -> user:[4026531837] 6 09:09 uts -> uts:[4026531838] Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 15 / 21

Mount Namespace Virtualization of a filesystem view unshare -m /bin/bash Oldest namespace clone(2) argument CLONE NEWNS Mount point propagation, private shared slave unchanged Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 16 / 21

PID Namespace Virtualization of process identifiers, CLONE NEWPID unshare -p --fork --mount-proc /bin/bash init process in PID namespace Reaps zombie processes within namespaces Same signal handling exceptions applies as for real PID 1 When init exits all other processes in a namespace get SIGKILL from kernel PID namespace of a process can t be changed It is possible to nest PID namespaces Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 17 / 21

User Namespace Virtualization of user and group databases and capabilities unshare -U --map-root /bin/bash Mapping of users between a container and a host system (created by writing to /proc/[pid]/uid, gid map) User namespaces can be nested Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 18 / 21

Network Namespace unshare -n /bin/bash Virtualization of network related system resources, Interfaces IPv4 stack IPv6 stack Routing tables Ports veth pair to create tunnel between namespaces Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 19 / 21

Other Kernel Namespaces IPC Isolation of SystemV IPC resources and POSIX message queues unshare -i /bin/bash UTS Virtualization of hostname and NIS domain name unshare -u /bin/bash Cgroups Virtualization of a cgroup tree view unshare -C /bin/bash Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 20 / 21

Linux Cgroups Subsystems used for process aggregation and resource limiting Named hierarchies Cgroup controllers, cpuset cpu cpuacct blkio memory devices freezer net cls net prio pids Orthogonal hierarchies Unified hierarchy in cgroup fs v2 Michal Sekletár msekleta@redhat.com OS Containers November 06, 2016 21 / 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback