Created June 10, 2020 22:05
containers: history and concepts
cg.out (output of cg.sh: the read-only PSI accounting files at the root of the cgroup v2 hierarchy):

```
cpu.pressure
some avg10=0.00 avg60=0.00 avg300=0.00 total=395841890
io.pressure
some avg10=0.00 avg60=0.00 avg300=0.00 total=434740073
full avg10=0.00 avg60=0.00 avg300=0.00 total=405327915
memory.pressure
some avg10=0.00 avg60=0.00 avg300=0.00 total=489232
full avg10=0.00 avg60=0.00 avg300=0.00 total=253640
```
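Each `*.pressure` file has the same layout: a `some` line (at least one task stalled on the resource) and, for io and memory, a `full` line (all non-idle tasks stalled), each carrying 10/60/300-second averages in percent and a cumulative stall `total` in microseconds. Because the averages are already rate-normalized, they are the field worth alerting on when a cgroup is being starved. The bash helper below is an added example, not part of the gist; the sample memory.pressure text is constructed, and the function names (`psi_field`, `psi_over_threshold`) are my own.

```bash
#!/usr/bin/env bash
# Added example: parse cgroup v2 PSI (pressure stall information) lines such as
# those in cg.out and flag a resource whose 10-second average exceeds a
# threshold. Assumes the documented layout:
#   some avg10=F avg60=F avg300=F total=N
#   full avg10=F avg60=F avg300=F total=N
set -u

# Constructed sample: memory.pressure for a group under mild memory pressure.
SAMPLE_MEMORY_PRESSURE='some avg10=12.50 avg60=3.10 avg300=0.80 total=489232
full avg10=4.00 avg60=1.00 avg300=0.20 total=253640'

# psi_field <psi-text> <some|full> <avg10|avg60|avg300|total>
# Prints the requested field from the requested line; prints nothing if absent.
psi_field() {
  printf '%s\n' "$1" | awk -v line="$2" -v key="$3" '
    $1 == line {
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == key) { print kv[2]; exit }
      }
    }'
}

# psi_over_threshold <psi-text> <some|full> <threshold-percent>
# Returns 0 when avg10 of that line is >= the threshold, 1 otherwise
# (also 1 when the line is missing, e.g. cpu.pressure has no "full" line).
psi_over_threshold() {
  local v
  v=$(psi_field "$1" "$2" avg10)
  [ -n "$v" ] || return 1
  awk -v v="$v" -v t="$3" 'BEGIN { exit !(v + 0 >= t + 0) }'
}

# Usage on a live system (root of the hierarchy, as mounted by cg.sh):
#   psi_over_threshold "$(cat /sys/fs/cgroup/memory.pressure)" full 10 \
#     && echo "memory: all tasks stalled >= 10% of the last 10s"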
cg.sh (the demo script; `pushd cg` in the original only worked from the home directory, so the full path is used here):

```bash
#!/usr/bin/env bash
# cg.sh: mount the cgroup v2 hierarchy on a scratch directory and dump the
# read-only pressure (PSI) accounting files at its root (see cg.out).
set -euo pipefail

CG_DIR="/home/$USER/cg"

mkdir -p "$CG_DIR"
sudo mount -t cgroup2 none "$CG_DIR"
pushd "$CG_DIR" > /dev/null
# look at read-only accounting files
for i in *.pressure; do echo "$i"; cat "$i"; done
# cleanup
popd > /dev/null
sudo umount "$CG_DIR"
rmdir "$CG_DIR"
```
# containers: history and concepts

pgray
10 June 2020
pgray@ns1.com

## What is virtualization? (IMMEDIATE SIDE TRIP)

- the act of creating a virtual (rather than actual) version of something...
- a method of logically dividing the system resources...
- types of virtualization
  - hardware: kvm/virtualbox/xhyve/xen/hyper-v/etc.
  - desktop: thin clients, LDAP, etc.
  - operating system (and its abstractions: files/memory/cpu/process-id/etc.)

[Wikipedia Source](https://en.wikipedia.org/wiki/Virtualization)
## Timeline

- 1979 Unix V7 and chroot
- 1982 BSD chroot
- 2000 FreeBSD Jails
- 2001 Linux VServer
- 2004 Solaris Containers (zones)
- 2005 OpenVZ Containers
- 2006 Process Containers
- 2008 LXC
- 2011 Warden (LXC --> custom impl.)
- 2013 LMCTFY
- 2013 Docker
- 2015 Linux cgroups v2

[source](https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016)
## What is a Container (in FreeBSD)?

- [jails](https://www.freebsd.org/doc/handbook/jails.html)
  - cpu/memory limits
  - filesystem/storage (chroot and zfs)
  - set of users
  - networking
    - [address will be created on the host and "patched" into the jail](https://www.skyforge.at/posts/an-introduction-to-jails-and-jail-networking/)
    - no virtual NIC
## What is a Container (in Illumos)?

- Illumos is the living open source fork of Solaris
- [zones](http://docs.openindiana.org/handbook/systems-administration/#zones)
  - cpu/memory limits
  - filesystem/storage (chroot and zfs)
  - networking
    - virtual NIC
## What is a Container (in Linux)?

- a lie!
- there is no such thing as a container at the kernel level
- there are APIs to achieve the same outcome as containers on other OSes though:
  - [cgroups v1](https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt)
  - [cgroups v2](https://www.kernel.org/doc/Documentation/cgroup-v2.txt)
  - [namespaces](https://lwn.net/Articles/531114/)
## What is a Container (in Linux)? cont.

- Docker containers
  - a framework of how to use Linux cgroups/namespaces to achieve container semantics
  - various storage drivers (BTRFS, overlay, zfs, vfs, devicemapper)
  - images are tarred OS FSes with metadata (entrypoint/image layers/etc.)
- [systemd-nspawn](https://wiki.archlinux.org/index.php/systemd-nspawn)
  - similar to jails with unpacked OS in folder
  - slots into system like regular OS services
    - `systemctl enable example.service`
## What is a Container (in Linux)? cont.

- snaps
  - share network
  - immutable base image with no writes (mounted data)
  - easily run X11 apps (spotify/slack/etc.)
- more
  - podman
  - kata (VM containers)
  - rkt (dead)
## Linux cgroups (control groups)

- ["a mechanism to organize processes hierarchically and distribute system resources along the hierarchy in a controlled and configurable manner."](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html)
- control around usage of:
  - cpu
  - memory
  - disk IO
  - network usage
- 4 major features
  - resource limiting
  - prioritization
  - accounting
  - control (frozen/stop/restart)
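Resource limiting and accounting are both just files under a cgroup directory: write a cap to `memory.max`, move a PID into the group via `cgroup.procs`, then read `memory.current` and `memory.events`. The script below is an added example, not from the talk; it assumes root, a cgroup v2 hierarchy mounted at `/sys/fs/cgroup` (override with `CG_ROOT`), and uses my own function names. The memory.events text used by the offline check is constructed.

```bash
#!/usr/bin/env bash
# Added example: cgroup v2 "resource limiting" and "accounting" from the shell.
# Requires root and a unified hierarchy at $CG_ROOT (assumed /sys/fs/cgroup).
set -euo pipefail

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup}

# Constructed memory.events text, used only to exercise the parser offline.
SAMPLE_MEMORY_EVENTS='low 0
high 12
max 40
oom 3
oom_kill 3'

# cg_events_count <memory.events text> <key>
# Pure helper: extract one counter (e.g. oom_kill) from memory.events text.
cg_events_count() {
  printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# cg_run_limited <name> <memory.max bytes> <command...>
# Creates a child cgroup, caps its memory, runs the command inside it, then
# reports usage and OOM kills charged to the group before removing it.
cg_run_limited() {
  local name=$1 limit=$2; shift 2
  local cg="$CG_ROOT/$name"
  # The memory controller must be delegated to children of the root.
  if ! grep -qw memory "$CG_ROOT/cgroup.subtree_control"; then
    echo +memory > "$CG_ROOT/cgroup.subtree_control"
  fi
  mkdir -p "$cg"
  echo "$limit" > "$cg/memory.max"
  # Without this the cap is on RAM only and the group can spill into swap.
  if [ -w "$cg/memory.swap.max" ]; then echo 0 > "$cg/memory.swap.max"; fi
  # Subshell moves itself into the group, then exec's the workload so the
  # workload process itself is the one being accounted.
  ( echo $BASHPID > "$cg/cgroup.procs"; exec "$@" ) || true
  echo "memory.current: $(cat "$cg/memory.current")"
  echo "oom_kill events: $(cg_events_count "$(cat "$cg/memory.events")" oom_kill)"
  rmdir "$cg"
}

# Demo: a 64 MiB read buffer under a 32 MiB cap is OOM-killed inside the
# group; nothing outside the group is affected.
if [ "${1:-}" = demo ]; then
  cg_run_limited demo-limit $((32 * 1024 * 1024)) \
    dd if=/dev/zero of=/dev/null bs=64M count=1
fi
```

Run as `sudo ./cg-limit.sh demo`. On a systemd host the groups under the root are normally managed by systemd; creating your own directly there works for a demo, but anything long-lived belongs in a delegated subtree (a systemd slice or scope).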
## Linux namespaces

- cgroup
- ipc
- network (virtual NICs)
- mount (one of our favorites)
- pid
- user
- uts (change hostname)
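Every one of these namespace types is visible as a symlink under `/proc/<pid>/ns/`, whose target looks like `mnt:[4026531840]`; two processes are in the same namespace exactly when the bracketed inode numbers match. That is the quickest way to check whether a process claiming to be "in a container" actually is isolated from the host. The functions below are an added example, not part of the talk, and their names are my own.

```bash
#!/usr/bin/env bash
# Added example: identify and compare a process's namespaces via /proc.
set -u

# ns_id <pid> <type>  -> prints the namespace inode number (e.g. 4026531840).
# Returns 2 if the link cannot be read (no such pid, no /proc, no permission).
ns_id() {
  local link
  link=$(readlink "/proc/$1/ns/$2" 2>/dev/null) || return 2
  link=${link#*\[}
  printf '%s\n' "${link%\]}"
}

# same_ns <pid-a> <pid-b> <type> -> 0 if both share that namespace, 1 if not,
# 2 if either side could not be read.
same_ns() {
  local a b
  a=$(ns_id "$1" "$3") || return 2
  b=$(ns_id "$2" "$3") || return 2
  [ "$a" = "$b" ]
}

# ns_report <pid>: one line per namespace type, compared against PID 1.
# A '?' means the link was unreadable (reading PID 1's links needs ptrace
# access, so run as root to get a complete picture).
ns_report() {
  local pid=$1 t mine init
  for t in cgroup ipc mnt net pid user uts; do
    mine=$(ns_id "$pid" "$t") || mine='?'
    init=$(ns_id 1 "$t") || init='?'
    if [ "$mine" = "$init" ]; then
      printf '%-6s %s (shared with PID 1)\n' "$t" "$mine"
    else
      printf '%-6s %s (separate from PID 1: %s)\n' "$t" "$mine" "$init"
    fi
  done
}

# Usage: ns_report "$(pgrep -o -f some-container-process)"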
## cgroup demo

.code cg.sh
.code cg.out