@pgray
Created June 10, 2020 22:05
containers: history and concepts
cpu.pressure
some avg10=0.00 avg60=0.00 avg300=0.00 total=395841890
io.pressure
some avg10=0.00 avg60=0.00 avg300=0.00 total=434740073
full avg10=0.00 avg60=0.00 avg300=0.00 total=405327915
memory.pressure
some avg10=0.00 avg60=0.00 avg300=0.00 total=489232
full avg10=0.00 avg60=0.00 avg300=0.00 total=253640
#!/usr/bin/env bash
# Mount the unified cgroup (v2) hierarchy at a throwaway mount point and read the
# root PSI (pressure stall information) files. Needs a kernel with CONFIG_PSI
# (4.20+) and cgroup v2 support; only mount/umount need root, the *.pressure
# files themselves are world-readable.
set -euo pipefail
mnt="/home/$USER/cg"
mkdir -p "$mnt"
sudo mount -t cgroup2 none "$mnt"
pushd "$mnt" > /dev/null
# look at read-only accounting files
for i in *.pressure; do echo "$i"; cat "$i"; done
# cleanup
popd > /dev/null
sudo umount "$mnt"
rmdir "$mnt"
# containers: history and concepts
pgray
10 June 2020
pgray@ns1.com
## What is virtualization? (IMMEDIATE SIDE TRIP)
- the act of creating a virtual (rather than actual) version of something...
- a method of logically dividing the system resources...
- types of virtualization
- hardware: kvm/virtualbox/xhyve/xen/hyper-v/etc.
- desktop: thin clients, VDI/remote desktops, etc.
- operating system (and its abstractions: files/memory/cpu/process-id/etc.)
[Wikipedia Source](https://en.wikipedia.org/wiki/Virtualization)
## Timeline
- 1979 Unix V7 and chroot
- 1982 BSD chroot
- 2000 FreeBSD Jails
- 2001 Linux VServer
- 2004 Solaris Containers (zones)
- 2005 OpenVZ Containers
- 2006 Process Containers
- 2008 LXC
- 2011 Warden (Cloud Foundry; started on LXC, later a custom implementation)
- 2013 LMCTFY
- 2013 Docker
- 2016 Linux cgroups v2 (unified hierarchy declared stable in kernel 4.5)
[source](https://blog.aquasec.com/a-brief-history-of-containers-from-1970s-chroot-to-docker-2016)
## What is a Container (in FreeBSD)?
- [jails](https://www.freebsd.org/doc/handbook/jails.html)
- cpu/memory limits
- filesystem/storage (chroot and zfs)
- set of users
- networking
- [classic jails share the host network stack: an address is created on the host and "patched" into the jail](https://www.skyforge.at/posts/an-introduction-to-jails-and-jail-networking/)
- no virtual NIC in that mode; VNET jails (`vnet` in jail.conf, FreeBSD 12+) get their own network stack and epair interfaces
## What is a Container (in Illumos)?
- Illumos is the living open source fork of Solaris
- [zones](http://docs.openindiana.org/handbook/systems-administration/#zones)
- cpu/memory limits
- filesystem/storage (chroot and zfs)
- networking
- virtual NIC
## What is a Container (in Linux)?
- a lie!
- there is no such thing as a container at the kernel level
- there are APIs to achieve the same outcome as containers on other OSes though:
- [cgroups v1](https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt)
- [cgroups v2](https://www.kernel.org/doc/Documentation/cgroup-v2.txt)
- [namespaces](https://lwn.net/Articles/531114/)
## What is a Container (in Linux)? cont.
- Docker containers
- a framework of how to use Linux cgroups/namespaces to achieve container semantics
- various storage drivers (BTRFS, overlay, zfs, vfs, devicemapper)
- images are stacks of tarred filesystem layers plus JSON metadata (config with entrypoint/env, manifest listing the layers)
- [systemd-nspawn](https://wiki.archlinux.org/index.php/systemd-nspawn)
- similar to jails with unpacked OS in folder
- slots into system like regular OS services (container tree under `/var/lib/machines/example`)
- `systemctl enable systemd-nspawn@example.service`
## What is a Container (in Linux)? cont.
- snaps
- share network
- immutable base image: a read-only squashfs mounted at run time, writable data kept in separate directories
- easily run X11 apps (spotify/slack/etc.)
- more
- podman
- kata (VM containers)
- rkt (dead)
## Linux cgroups (control groups)
- ["a mechanism to organize processes hierarchically and distribute system resources along the hierarchy in a controlled and configurable manner."](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html)
- control around usage of:
- cpu
- memory
- disk IO
- network usage (v1 net_cls/net_prio controllers; v2 has no network controller and attaches BPF programs to the cgroup instead)
- 4 major features
- resource limiting (hard caps, e.g. memory.max, pids.max)
- prioritization (weights, e.g. cpu.weight, io.weight)
- accounting (usage counters, e.g. memory.current, the *.pressure PSI files)
- control (freeze/thaw a whole group, checkpoint/restart)
## Linux namespaces
- cgroup (what the process sees as the cgroup root)
- ipc (System V IPC, POSIX message queues)
- network (own interfaces, routes and firewall rules; veth pairs connect it to the host)
- mount (one of our favorites: a private mount table, the basis of a container's root filesystem)
- pid (the first process in the namespace is pid 1)
- user (uid/gid mapping; root inside is an unprivileged user outside, the basis of rootless containers)
- uts (change hostname)
- time (Linux 5.6+; boot and monotonic clock offsets)
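The list above is easiest to believe once you compare the namespace inodes yourself. The script below is an added example, not part of the gist: it reduces `/proc/PID/ns/*` link targets to inode numbers (two processes share a namespace of a kind exactly when the numbers match) and, where util-linux `unshare(1)` and unprivileged user namespaces are available, enters new user, UTS, pid, mount and network namespaces and shows what changed and what did not. The hostname `inside-ns` and the flag set in `NS_FLAGS` are choices made for the demo.

```shell
#!/bin/sh
# Added example (not from the gist). Assumes util-linux unshare(1); the hostname
# "inside-ns" is an arbitrary value for the demo.
set -eu

# ns_id LINK: reduce a /proc/PID/ns/* link target such as "uts:[4026531838]"
# to the namespace inode number.
ns_id() {
    printf '%s\n' "$1" | sed 's/^[a-z_]*:\[\([0-9]*\)]$/\1/'
}

# ns_inode PID KIND: inode of PID's KIND namespace (uts, pid, net, mnt, user, ipc, cgroup).
ns_inode() {
    ns_id "$(readlink "/proc/$1/ns/$2")"
}

# same_ns PID1 PID2 KIND: succeed when both pids share that namespace.
same_ns() {
    [ "$(ns_inode "$1" "$3")" = "$(ns_inode "$2" "$3")" ]
}

# --user first: a new user namespace needs no real privilege; --map-root-user
# maps our uid to 0 inside, which grants capabilities over the new namespaces
# only. --fork is required with --pid so the child becomes pid 1; --mount-proc
# gives that child a /proc that matches its pid namespace.
NS_FLAGS="--user --map-root-user --uts --pid --fork --mount --mount-proc --net"

ns_demo() {
    echo "host hostname : $(uname -n)"
    echo "host uts ns   : $(ns_inode $$ uts)"
    # shellcheck disable=SC2086
    unshare $NS_FLAGS sh -c '
        hostname inside-ns                       # affects only the new UTS namespace
        echo "inside hostname: $(uname -n)"
        echo "inside uts ns  : $(readlink /proc/self/ns/uts)"
        echo "inside pid     : $$ (pid 1 of a fresh pid namespace)"
        echo "inside uid     : $(id -u) (root here, unprivileged on the host)"
        awk -F: "NR > 2 { print \"inside iface   :\" \$1 }" /proc/net/dev   # loopback only
    '
    echo "host hostname after: $(uname -n) (unchanged)"
}

if command -v hostname >/dev/null 2>&1 && unshare $NS_FLAGS true 2>/dev/null; then
    ns_demo
else
    echo "skipping namespace demo: unshare(1) missing or user namespaces disabled" >&2
fi
```

The security point is the uid line: `id -u` prints 0 inside, yet the process holds capabilities only over namespaces owned by its user namespace, so `hostname` works on the new UTS namespace while the host name stays untouched. Hosts that disable unprivileged user namespaces (sysctl `kernel.unprivileged_userns_clone` or `user.max_user_namespaces`) will take the skip branch.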
## cgroup demo
.code cg.sh
.code cg.out
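As an added example that is not part of the gist, the script below extends the cgroup demo in two directions that the slides describe but cg.sh does not exercise. It parses the PSI lines in cg.out (plain awk, so it works without a cgroup mount), and, when run as root on a host with the unified hierarchy mounted at `/sys/fs/cgroup`, creates a leaf cgroup, caps its memory and pid count, runs a shell inside it and reads the accounting files back. The mount point, the cgroup name `demo` and the limits are assumptions chosen for the demo; the sample PSI text is constructed in the shape of cg.out.

```shell
#!/bin/sh
# Added example (not from the gist). Assumed: cgroup v2 mounted at /sys/fs/cgroup,
# a throwaway cgroup named "demo", and the limits below.
set -eu

CG_ROOT=${CG_ROOT:-/sys/fs/cgroup}

# True when the unified (v2) hierarchy is mounted at $1: it reports fs type cgroup2fs.
cg_is_v2() {
    [ "$(stat -f -c %T "${1:-$CG_ROOT}" 2>/dev/null)" = cgroup2fs ]
}

# psi_field KIND KEY < pressure-file
# Pull one counter out of a PSI file, e.g. psi_field full total < io.pressure.
# "some": at least one task in the group was stalled; "full": all of them were.
# avgN is the stalled percentage over N seconds; total is microseconds stalled.
psi_field() {
    awk -v kind="$1" -v key="$2" '
        $1 == kind {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) { print kv[2]; exit }
            }
        }'
}

# Constructed sample in the same shape as cg.out, for use without a mount.
SAMPLE_IO_PRESSURE='some avg10=0.00 avg60=0.00 avg300=0.00 total=434740073
full avg10=0.00 avg60=0.00 avg300=0.00 total=405327915'

# Root-only part: build a bounded leaf cgroup and show what the kernel accounts for.
cg_limit_demo() {
    cg="$CG_ROOT/demo"                                   # assumed name
    mkdir -p "$cg" || return 1
    # Controllers are only available to children once the parent enables them;
    # this write fails on a delegated or read-only hierarchy, so report and stop.
    if ! echo "+memory +pids" > "$CG_ROOT/cgroup.subtree_control" 2>/dev/null; then
        rmdir "$cg"
        return 1
    fi
    echo 64M > "$cg/memory.max"        # hard cap: the group gets OOM-killed, not the host
    echo 50  > "$cg/pids.max"          # bounds a fork bomb inside the group
    # Move a subshell into the group by writing its pid to cgroup.procs and let it
    # report its own usage. memory.events counts limit hits and oom kills, which is
    # what an incident responder checks to see whether the cap was ever enforced.
    sh -c "echo \$\$ > '$cg/cgroup.procs'
           echo 'memory.current:'; cat '$cg/memory.current'
           echo 'memory.events:';  cat '$cg/memory.events'
           echo 'pids.current:';   cat '$cg/pids.current'"
    # A cgroup can only be removed once no process is left in it.
    rmdir "$cg"
}

echo "io full total from sample: $(printf '%s\n' "$SAMPLE_IO_PRESSURE" | psi_field full total)"
if [ "$(id -u)" = 0 ] && cg_is_v2 "$CG_ROOT"; then
    cg_limit_demo || echo "cgroup demo skipped: could not enable controllers under $CG_ROOT" >&2
else
    echo "skipping cgroup demo: needs root and a cgroup v2 mount at $CG_ROOT" >&2
fi
```

Two caveats worth keeping in mind when reading the output: cgroups bound and account for resources but isolate nothing (a process in `demo` still sees every host process and file), which is why container runtimes pair them with namespaces; and the PSI `total` counters only ever grow, so a meaningful reading is the difference between two samples, not the absolute value printed in cg.out.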