Linux containers_Docker
?
0 likes?381 views
This document discusses Linux containers and Docker. It covers the key technologies that enable containers like namespaces, cgroups, and Docker internals. Namespaces isolate processes by resource like mount points, hostnames, IDS, and networks. Cgroups limit resources like memory, CPU, and disk. Docker builds on these technologies to provide tools for building, distributing, and running application containers.
![Namespaces Api
/proc/[pid]/ns
ipc->ipc:[4026531839]
mnt->mnt:[4026531840]
net->net:[4026531956]
pid->pid:[4026531836]
user->user:[4026531837]
uts->uts:[4026531838]
Syscalls:
clone(2)
setns(2)
unshare(2)](https://image.slidesharecdn.com/70b83fe5-ef5d-40bd-8c4c-9c40def39bd3-150225105432-conversion-gate01/85/Linux-containers_Docker-6-320.jpg)
![Mount namespaces
Mount points
/proc/[pid]/mounts
/proc/[pid]/mountstats](https://image.slidesharecdn.com/70b83fe5-ef5d-40bd-8c4c-9c40def39bd3-150225105432-conversion-gate01/85/Linux-containers_Docker-8-320.jpg)
![User namespaces
user credentials (user IDs and group IDs), capabilities
Still strict user mapping. Sad ...
UID1000insidecontainer->1000onhostnode
UID0 insidecontainer->0 onhostnode
etc
And dont really work ...
sudols-l/proc/1/ns/user
lrwxrwxrwx1rootroot0Nov2814:17/proc/1/ns/user->user:[4026531837]
dockerrun-it--rmcentos:centos7ls-l/proc/1/ns/user
lrwxrwxrwx1rootroot0Nov2811:18/proc/1/ns/user->user:[4026531837]](https://image.slidesharecdn.com/70b83fe5-ef5d-40bd-8c4c-9c40def39bd3-150225105432-conversion-gate01/85/Linux-containers_Docker-20-320.jpg)
Linux containers_Docker
- 1. Linux containers/Docker (and how it works) Dmitry Fedorov
- 2. Wont talk about (Lots of talks about it allready) This talk will not include: Marketing stories Docker is awesome...blah,blah,blah
- 3. Will talk about Namespaces Capabilities Cgroups Docker internals (libcontainer)
- 4. Namespaces
- 5. Namespaces He'sback.Andthistimehe'sgotachainsaw. Yes,folks.Wegotper-processnamespaces.Working.Withproper behaviouronexit(),yodda,yodda.Enjoy. Mount (Mount points) UTS (Hostname and NIS domain name) IPC (System V IPC, POSIX message queues) PID (Process IDs) Network (Network devices, stacks, ports, etc.) User (User and group IDs)
- 9. Mount namespaces On hostnode: cat/proc/1/mounts|wc-l 32 Inside container: dockerrun-it--rmcentos:centos7cat/proc/1/mounts|wc-l 16
- 11. UTS namespaces hostname, domainname On hostnode: uname-n dfedorov Inside container: dockerrun-it--rmcentos:centos7sh-c'uname-n' b543e1bb6eef
- 13. IPC namespaces System V IPC objects, POSIX message queues /proc/sys/fs/mqueue /proc/sys/kernel /proc/sysvipc On hostnode: dfedorov@dfedorov:~$ipcs|wc-l 45 Inside container: dfedorov@dfedorov:~$dockerrun-it--rmcentos:centos7ipcs|wc-l 10
- 15. PID namespaces process ID number space Nesting namespace: PIDnamespacescanbenested:eachPIDnamespacehasaparent, exceptfortheinitial("root")PIDnamespace. On hostnode: psaux|wc-l 298 Inside container: dockerrun-it--rmcentos:centos7psaxu|wc-l 2
- 17. Network namespaces network devices, IPv4 and IPv6 protocol stacks, IP routing tables, firewalls /proc/net /sys/class/net /sys/class/net on hostnode: docker0 eth0 lo lxcbr0 veth1 veth50cf98d veth6b9c9cc Inside container: docker run -it --rm centos:centos7 ls /sys/class/net eth0 lo
- 18. Network namespaces Create netns manualy: ipnetnsaddminimal#Createnamespace iplinkaddeth1typevethpeernameveth1#Createvirtualethernetdevice iplinkseteth1netnsminimal#Attachdevicetonamespace ipaadd10.0.0.1/24devveth1 iplsetveth1up
- 20. User namespaces user credentials (user IDs and group IDs), capabilities Still strict user mapping. Sad ... UID1000insidecontainer->1000onhostnode UID0 insidecontainer->0 onhostnode etc And dont really work ... sudols-l/proc/1/ns/user lrwxrwxrwx1rootroot0Nov2814:17/proc/1/ns/user->user:[4026531837] dockerrun-it--rmcentos:centos7ls-l/proc/1/ns/user lrwxrwxrwx1rootroot0Nov2811:18/proc/1/ns/user->user:[4026531837]
- 21. User namespaces - Capabilities per-thread attribute Used caplist: CHOWN DAC_OVERRIDE FOWNER MKNOD NET_RAW SETGID SETUID SETFCAP SETPCAP NET_BIND_SERVICE SYS_CHROOT KILL troublesome: mount (cap_sys_admin)
- 22. Cgroups
- 24. Efficiency
- 25. Efficiency isolated, but still on hostnode cpu: native memory: allmost native, few % shaved for accounting network: small overhead dics: native on volumes. overhead on layered fs
- 26. Still not a cake
- 27. What do we need on top of all of it? unionfs (aufs, vfs) snapshotting fs (btrfs, zfs) CoW (thin provisioning, lvm)
- 28. Docker
- 29. Docker container control operations version control system system administration
- 30. Docker Approach Application level isolation vs OS level isolation. One task per container. Deduplication. Commoditize.
- 31. Typical workflow developer: -- write some code -- unit test -- commit docker build: -- environment test (serverspec, rspec etc) -- functional test -- push to registry devops: -- pull images and run
- 32. Old-new challenges Monitoring. Logging. Backups. Configuration management. No ssh, and you dont need it. No ssh, but you have exec.