Engineering Robust Server Software

Similar documents
Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

An introduction to Docker

Introduction to containers

Containers and isolation as implemented in the Linux kernel

LXC(Linux Container) Lightweight virtual system mechanism Gao feng

Understanding user namespaces

1 Virtualization Recap

Introduction to Containers

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

Lecture 3: O/S Organization. plan: O/S organization processes isolation

Cross platform enablement for the yocto project with containers. ELC 2017 Randy Witt Intel Open Source Technology Center

containerization: more than the new virtualization

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

OS Containers. Michal Sekletár November 06, 2016

Docker und IBM Digital Experience in Docker Container

USING DOCKER FOR MXCUBE DEVELOPMENT AT MAX IV

Docker & why we should use it

CS 326: Operating Systems. Process Execution. Lecture 5

Travis Cardwell Technical Meeting

Lecture Topics. Announcements. Today: Threads (Stallings, chapter , 4.6) Next: Concurrency (Stallings, chapter , 5.

Think Small to Scale Big

Operating System Design

PROCESS MANAGEMENT Operating Systems Design Euiseong Seo

See Docker from the Perspective of Linux Process. Allen Hangzhou Docker Meetup

Containers. Pablo F. Ordóñez. October 18, 2018

CS61 Scribe Notes Date: Topic: Fork, Advanced Virtual Memory. Scribes: Mitchel Cole Emily Lawton Jefferson Lee Wentao Xu

The failure of Operating Systems,

Midterm Presentation Schedule

Agenda Process Concept Process Scheduling Operations on Processes Interprocess Communication 3.2

Processes COMPSCI 386

Neale Ferguson

User Namespaces. Linux Capabilities and Namespaces. Outline. Michael Kerrisk, man7.org c 2018 March 2018

docker & HEP: containerization of applications for development, distribution and preservation

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Chapter 3: Processes. Operating System Concepts 9 th Edit9on

Getting Started with Hadoop

Processes in linux. What s s a process? process? A dynamically executing instance of a program. David Morgan. David Morgan

Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY

Process. Heechul Yun. Disclaimer: some slides are adopted from the book authors slides with permission 1

Orchestrating Docker containers at scale

Getting Started With Cpsc (Advanced) Hosted by Jarrett Spiker

Portable, lightweight, & interoperable Docker containers across Red Hat solutions

Technical Manual. Software Quality Analysis as a Service (SQUAAD) Team No.1. Implementers: Aleksandr Chernousov Chris Harman Supicha Phadungslip

Processes and Threads

Getting Started With Containers

深 入解析 Docker 背后的 Linux 内核技术. 孙健波浙江 大学 SEL/VLIS 实验室

Docker for Sysadmins: Linux Windows VMware

CIT 480: Securing Computer Systems. Operating System Concepts

Processes. What s s a process? process? A dynamically executing instance of a program. David Morgan

Linux File System and Basic Commands

Chapter 3: Processes

PVS Deployment in the Cloud. Last Updated: June 17, 2016

Installing and Using Docker Toolbox for Mac OSX and Windows

The age of orchestration

What s Up Docker. Presented by Robert Sordillo Avada Software

Introduction. Let s start with the first set of slides

Operating System Structure

Docker for Developers

LSST software stack and deployment on other architectures. William O Mullane for Andy Connolly with material from Owen Boberg

Container-based virtualization: Docker

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Singularity: Containers for High-Performance Computing. Grigory Shamov Nov 21, 2017

Docker Swarm installation Guide

Booting Up & Processes

Unix Processes. What is a Process?

CS61 Scribe Notes Lecture 18 11/6/14 Fork, Advanced Virtual Memory

Deploying Rails with Kubernetes

State of Containers. Convergence of Big Data, AI and HPC

What is a Process? Processes and Process Management Details for running a program

Contents. Note: pay attention to where you are. Note: Plaintext version. Note: pay attention to where you are... 1 Note: Plaintext version...

Chapter 3: Process Concept

Chapter 3: Process Concept

A Design and Implementation of Universal Container

Project 1: Implementing a Shell

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

Chapter 3: Process Concept

swiftenv Documentation

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

OS Structure, Processes & Process Management. Don Porter Portions courtesy Emmett Witchel

EECS Software Tools. Lab 2 Tutorial: Introduction to UNIX/Linux. Tilemachos Pechlivanoglou

COMP 3430 Robert Guderian

Rootless Containers with runc. Aleksa Sarai Software Engineer

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Asterisk & the Docker revolution Some lessons from the trenches

COMS 6100 Class Notes 3

Docker Security. Mika Vatanen

Removing files and directories, finding files and directories, controlling programs

Note Takers: Chau, Bao Kham (cs162-bb) and Quang Tran (cs162-bc) Topic: Real time system

for Kerrighed? February 1 st 2008 Kerrighed Summit, Paris Erich Focht NEC

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

UUID and R1Soft. What is a UUID and what is it used for?

Who am I? I m a python developer who has been working on OpenStack since I currently work for Aptira, who do OpenStack, SDN, and orchestration

BEST PRACTICES FOR DOCKER

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Implementing DPDK based Application Container Framework with SPP YASUFUMI OGAWA, NTT

Processes. OS Structure. OS Structure. Modes of Execution. Typical Functions of an OS Kernel. Non-Kernel OS. COMP755 Advanced Operating Systems

Virtualization Overview NSRC

OS Assignment I. The result is a smaller kernel. Microkernels provide minimal process and memory management, in addition to a communication facility.

Chap 4, 5: Process. Dongkun Shin, SKKU

Transcription:

Engineering Robust Server Software Containers

Isolation Isolation: keep different programs separate Good for security Might also consider performance isolation Also has security implications (side channel attacks) How would we get that? 2

Extreme Isolation $$$$ Obviously we can't do this Most secure: Run program on a computer Throw away computer Buy new computer Run next program on it 3

Virtual Machines? Run a program that pretends to be a computer - Emulate ISA - Emulate hardware devices - "Disk" is a file on real computer. Run another program inside of the VM What if those computers are virtual instead of real? 4

Virtual Machines Gives us isolation for security Assuming no bugs in VM What about performance? 5

Virtual Machines Gives us isolation for security Assuming no bugs in VM What about performance? Emulating every instruction = slow Booting OS takes time Could we improve on this idea? 6

Hardware Virtualization P1 P2 P3 P1 P2 P3 P4 P1 P2 OS OS OS Hypervisor Hypervisor manages multiple guest OSes Each OS runs its own processes Details later in 650 7

Virtualization How do you think each OS manages physical memory in a virtualized setting? A: The hypervisor informs each guest OS of the ranges of physical memory that it is responsible for. B: Each guest OS thinks it has all of physical memory, but those are really virtual addresses whose page tables are managed by the hypervisor C: Each guest OS passes all memory allocation requests down to the hypervisor, which handles them directly. D: Virtual memory is disable and all programs run with direct physical addresses. 8

Hardware Virtualization Security Isolation Unless hardware or hypervisor bugs.. Instructions run directly on hardware Much lower performance overheads Still takes time to boot guest OSes for a new one Can we improve that? 9

Containers: OS-Level Virtualization Want a lightweight solution Have OS give benefits of virtualization=> namespaces Starting up new container comparable to starting new process Run programs directly on hardware 10

Containers: OS-Level Virtualization Want a lightweight solution Have OS give benefits of virtualization=> namespaces Starting up new container comparable to starting new process Run programs directly on hardware What do we need to split between separate namespaces? 11

Process ID Namespacing 1: init 2: kthreadd 3: ksoftirqd. 1234: sshd 2345: sshd 3972: bash 4875: myprog Normal process tree: parent/child relationship myprog wants to start a new container 12

Process ID Namespacing 1: init 2: kthreadd clone(,clone_newpid) 3: ksoftirqd. 1234: sshd 2345: sshd 3972: bash 4875: myprog Calls clone and passed in CLONE_NEWPID in the flags clone() is a lot like fork, but more options 13

Process ID Namespacing 1: init 2: kthreadd clone(,clone_newpid) 3: ksoftirqd. 1234: sshd 2345: sshd 3972: bash 4875: myprog 9834 1: myprog New process has "normal" pid in original namespace And is pid 1 in its own, new namespace 14

2345: sshd Process ID Namespacing 3972: bash 4875: myprog 9834 1: myprog 9914 2: something 9935 4: otherthing 9987 3: whatever If this program has children, they go into its namespace 15

Process ID Namespacing 1: myprog 2: something 4: otherthing 3: whatever Inside namespace, nothing outside exists 16

Process ID Namespacing getppid(), returns 0 1: myprog 2: something 4: otherthing 3: whatever Process 1 in this namespace acts like init. Has no parent 17

Process ID Namespacing 1: myprog 2: something 4: otherthing 3: whatever What happens if process 2 exits? A: Process 4 leaves the namespaces to become a child of the system-wide init B: Process 4 becomes the leader of the namespace C: "myprog" adopts process 4 as its child D: The namespace collapses 18

Process ID Namespacing 1: myprog orphaned processes adopted 2: something by pid 1 in their namespace 4: otherthing 3: whatever Process 1 in this namespace acts like init. Adopts orphan processes 19

But What Else Should We Namespace? 1: myprog 4: otherthing 3: whatever Process ids are not enough. 20

Mount Point Namespaces Want to give containers a different view of filesystem CLONE_NEWNS puts new process in new mount namespace Flag named new namespace since mount ns was first Child can unmount/mount filesystems without affecting anything outside Can setup an entirely new filesystem for container 21

Mount Point Namespaces Our namespaces processes can have their own filesystem Maybe it is a disk image on the "regular" file system but that filesystem can have mount points in the "regular" fs Allow files to be put into the outside world in controlled way 22

User ID Namespaces Try this out on Linux: unshare -r --user bash What happened? 23

User ID Namespaces Try this out: unshare -r --user bash echo "hello" > /tmp/hello ls -l /tmp/hello exit ls -l /tmp/hello What do you think the first ls -l will show? What do you think the second ls -l will show? 24

Think Pair Share Given what you just saw, what can you say about the rules of user namespaces? How do processes in the namespace interact with the rest of the system? 25

User ID Namespace user ID=0 user ID=0 user ID=1001 user ID=1001 user ID=1001 User ID Namespaces: different notions of user id "Outside" looks like normal user id that setup namespace 26

User ID Namespace user ID=0 user ID=42 user ID=99 User ID Namespaces: different notions of user id Inside the namespace processes have their own notion of uid 27

User ID Namespace user ID=1001 Create /tmp/hello user ID=0 user ID=42 user ID=99 But when operations leave that namespace, they use external UID 28

User ID Namespace Is First If you request a new UID namespace, it happens first Allows privileged namespace creation e.g., making new mount namespace is privileged Can do at same time as new UID namespace 29

Other Namespaces: Net and UTS Linux supports two other namespaces: Networking: devices, routing tables, firewall rules, Can set up virtual network devices between namespaces UTS: hostname, domain name IPC: System V IPC 30

Other Namespace Related Operations unshare system call: Lets process create separate namespace without clone()ing child Some things work differently especially PID namespaces unshare command: wrapper around system call see unshare(1), and unshare(2) setns system call: Allows a process to enter a child namespace nsenter command: execute command in child namespace See setns(2), nsenter(1) 31

Namespace Summary From "man namespaces" Namespaces: separate versions of system resources See namespaces(7), pid_namespaces(7), user_namespaces(7) 32

Back to Big Picture Want to setup container to run process in isolation 33

Back to Big Picture - clone with an NS types - adjust our mount points - maybe some CoW fs? - setup some virtual networking - Want to setup container to run process in isolation 34

Docker Docker: does containers for you Makes all these system calls Manages file system Supports virtual networking Try this out: sudo docker run -it --rm ubuntu bash Do whatever wild and crazy things you want INSIDE container 35

More Docker Make a directory ~/stuff Put some stuff in it sudo docker run -it --rm -v /home/netid/stuff:/stuff ubuntu bash cd /stuff ls, make some files, etc Think about what -v did 36

What did -v do? What did -v do? A: Caused docker to not pass CLONE_NEWNS to clone B: Caused docker to mount /home/netid/stuff as /stuff in the new mount namespace C: Caused docker to mount /home/netid/stuff as /stuff in the original mount namespace D: Caused docker to setup a virtual network to transmit changes back to the original filesystem 37

Docker: Make Your Own Image Using ubuntu image gives us an Ubuntu system, but probably want things installed Try gcc, make, python, valgrind none of them are there! For most things want to make our own image Start from a base image (e.g., ubuntu:16.04) And run commands to build up a new image 38

Dockerfile Make a directory with a Dockerfile in it Dockerfile has commands for how to build image Start with FROM otherimage E.g., FROM ubuntu:16.04 Place other commands: e.g., RUN, USER, ENV, ADD in the file Each command makes a new layer Docker saves/caches intermediate layers Later changes -> rebuild only later layers https://docs.docker.com/engine/reference/builder/ 39

Example Dockerfile from hwk1 FROM python:3 ENV PYTHONUNBUFFERED 1 RUN mkdir /code WORKDIR /code ADD requirements.txt /code/ RUN pip install -r requirements.txt ADD. /code/ Base image is python:3 set an environment variable run the command mkdir /code cd into /code for future commands copy from context into image run pip install inside virtual image copy everything into /code sudo docker build -t=testimg. sudo docker run -it --rm testimg bash 40

Advantages Isolation: processes run in container Self-contained images: No need to worry about library version mismatches, things not installed,.. Easy to use Can include what command to run in the Dockerfile 41

Multiple Services Together? Postgres Django Nginx 42

Maybe Add More Stuff? Analytics Postgres Django Nginx Backup Dist. File Strg 43

Design What does good software engineering tell you to do here? A: Make one large container with all the services. B: Make one container for the front-end, and one for the back-end C: Make one container per privilege-level required D: Make one container per service. 44

Docker-Compose Docker-compose puts together containers Sets up communication between them Lets you bring them all up together Etc See homework 1's docker-compose.yml 45

Scale Beyond One Computer? Docker also has "swarm" Run containers on different computers in a swarm We'll discuss in scalability section later 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback