Linux Containers and Docker


Linux containers, such as LXC, are lightweight virtual machines, and Docker streamlines their use. Learn about the comparison between LXC/Docker and VMs, container techniques leveraging Linux kernel functionalities like cgroups and namespace isolation, unique features of containers, cgroups capabilities for resource limiting, prioritization, accounting, and control, as well as resource isolation with cgroups for memory, CPU, block I/O, and devices. Dive into memory cgroups, CPU cgroups, and explore the possibilities surrounding resource isolation and tracking within container environments.

  • Linux Containers
  • Docker
  • LXC
  • Cgroups
  • Container Techniques

Uploaded on Feb 21, 2025



Presentation Transcript


  1. Linux Containers and Docker

  2. Introduction
     • Linux containers (LXC) are lightweight VMs
     • Docker is a commoditized LXC technique that dramatically simplifies the use of LXC

  3. Comparison between LXC/Docker and VMs

  4. Container technique
     • The Linux kernel provides the control groups (cgroups) functionality (cgroup-tools)
         • allows limitation and prioritization of resources (CPU, memory, block I/O, network, etc.) without the need to start any VM
         • introduced in 2008 (kernel 2.6.24)
     • Namespace isolation functionality
         • the unshare command allows complete isolation of an application's view of the operating environment, including process trees, networking, user IDs and mounted file systems
         • possible to have a new init process for each container

  5. Unique features
     • Containers run in user space
     • Each container has:
         • its own process space
         • its own network interface
         • its own /sbin/init (coordinates the rest of the boot process and configures the environment for the user)
     • Run stuff as root
     • Share the kernel with the host
     • No device emulation: the system software and devices are provided by the image

  6. What cgroups can do
     • Resource limiting: groups can be set not to exceed a configured memory limit, which also includes the file system cache
     • Prioritization: some groups may get a larger share of CPU utilization or disk I/O throughput
     • Accounting: measures a group's resource usage, which may be used, for example, for billing purposes
     • Control: freezing groups of processes, checkpointing and restarting them

  7. Resource isolation with cgroups: memory, CPU, blkio, devices

  8. Memory cgroup
     • Keeps track of the pages used by each group:
         • file (read/write/mmap from block devices; swap)
         • anonymous (stack, heap, anonymous mmap)
         • active (recently accessed)
         • inactive (candidate for eviction)
     • Each page is charged to a group
     • Pages can be shared
     • Individual (per-cgroup) limits and out-of-memory killer
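As an added example (not part of the slides), the following script reads a cgroup v2 memory.stat into the page classes slide 8 lists (file vs anonymous, active vs inactive) and flags a group that is approaching its memory.max limit, i.e. a candidate for the per-cgroup OOM killer. The key names are those of the cgroup v2 memory.stat interface; the byte values and function names are constructed for this example.

```python
import re

# Constructed sample of /sys/fs/cgroup/<group>/memory.stat (cgroup v2, bytes).
SAMPLE_MEMORY_STAT = """\
anon 62914560
file 134217728
kernel_stack 262144
slab 8388608
active_anon 58720256
inactive_anon 4194304
active_file 100663296
inactive_file 33554432
"""
SAMPLE_MEMORY_CURRENT = "230686720"   # constructed: memory.current (220 MiB)
SAMPLE_MEMORY_MAX = "268435456"       # constructed: memory.max (256 MiB limit)


def parse_memory_stat(text):
    """Turn the 'key value' lines of memory.stat into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\w+)\s+(\d+)", line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def page_breakdown(stats):
    """Bytes in each class from slide 8: file/anon and active/inactive."""
    return {
        "file": stats["file"],
        "anon": stats["anon"],
        "active": stats["active_anon"] + stats["active_file"],
        "inactive": stats["inactive_anon"] + stats["inactive_file"],
        # Inactive file pages are the cheap reclaim candidates before the
        # group's OOM killer fires; anonymous pages can only go to swap.
        "reclaimable_file": stats["inactive_file"],
    }


def memory_pressure(current, maximum, threshold=0.8):
    """Return (usage ratio, above-threshold flag); 'max' means no limit."""
    if maximum.strip() == "max":
        return 0.0, False
    ratio = int(current) / int(maximum)
    return ratio, ratio >= threshold
```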

  9. CPU cgroup
     • Keeps track of user/system CPU time
     • Set relative weight per group
     • Pin groups to specific CPU(s)
     • Can be used to reserve CPUs for some apps

  10. Blkio cgroup
     • Keeps track of I/Os for each block device (read vs write; sync vs async)
     • Set relative weights
     • Set throttles (limits) for each block device (read vs write; bytes/sec vs operations/sec)

  11. Devices cgroup
     • Controls read/write/mknod permissions
     • Typically:
         • allow: /dev/{tty,zero,random,null}...
         • deny: everything else
         • maybe: /dev/net/tun, /dev/fuse, /dev/kvm, /dev/dri...
     • Fine-grained control for GPU, virtualization, etc.

  12. Almost no overhead
     • Processes are isolated, but run straight on the host
     • CPU performance = native performance
     • Memory performance = a few % shaved off for (optional) accounting
     • Network performance = small overhead; can be reduced to zero

  13. Performance: networking; linear algebra

  14. What is Docker
     • Open Source engine to commoditize LXC
     • Uses copy-on-write for quick provisioning
     • Allows creating and sharing images
     • Standard format for containers
     • Standard, reproducible way to easily build trusted images (Dockerfile, Stackbrew...)

  15. Docker history
     • 2013-03: released as Open Source
     • 2013-09: Red Hat collaboration (Fedora, RHEL, OpenShift)
     • 2014-03: 34th most starred GitHub project
     • 2014-05: JAX Innovation Award (most innovative open technology)

  16. The Docker engine
     • Runs in the background
     • Manages containers, images, and builds
     • HTTP API (over a UNIX or TCP socket)
     • Embedded CLI talking to the API

  17. Setup Docker
     • Check the website for Linux, Windows, OS X
     • The getting-started tutorial
     • Sample getting-started commands:
         docker run hello-world
         docker run -t -i ubuntu

  18. Concept of Docker images
     • A JSON file describes the layers:
       {
         "RootFS": {
           "Type": "layers",
           "Layers": [
             "sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1",
             "sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757",
             "sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743"
           ]
         }
       }

  19. Building Docker images with a Dockerfile
     https://github.com/docker-library/hello-world/tree/master/amd64/hello-world
     Example: the simplest hello-world Dockerfile
       FROM scratch
       COPY hello /
       CMD ["/hello"]
     where hello is a locally compiled executable. It copies the local executable to the root directory of the container and then runs the program. Save these lines to a file named Dockerfile and, in the same directory, run
       docker image build -t hello-world .

  20. Concept of Docker images
     Example: a simple Dockerfile for running app.py
       FROM python:3.4-alpine
       COPY . /code
       WORKDIR /code
       CMD ["python", "app.py"]

  21. Check the image content:
       docker image history python-app

  22. docker image inspect python-app
       {
         "RootFS": {
           "Type": "layers",
           "Layers": [
             "sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1",
             "sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757",
             "sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743",
             "sha256:58026b9b6bf1a7dbc0872462e9ea675cad54a45bc7682bd3631dd4f3c16b1332",
             "sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346",
             "sha256:8605394513ec8103a4b386e62f5dcca888651e770d36d4a58bc0f1a723526e1d"
           ]
         }
       }
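As an added example (not code from the slides or from Docker), this script reads the RootFS section that `docker image inspect` prints (slides 18 and 22), validates every layer digest, and derives the OCI chain IDs of the layer stack (ChainID(L0) = DiffID(L0); ChainID(L0..Ln) = sha256(ChainID(L0..Ln-1) + " " + DiffID(Ln))). Comparing the top chain ID against a known-good value is a cheap check that a pulled image is built from exactly the layers you expect. The JSON reuses the first three digests from slide 18; the function names are my own.

```python
import hashlib
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed `docker image inspect` output (the CLI prints a JSON array);
# the digests are the ones shown on slide 18.
SAMPLE_INSPECT = json.dumps([{
    "RootFS": {"Type": "layers", "Layers": [
        "sha256:bcf2f368fe234217249e00ad9d762d8f1a3156d60c442ed92079fa5b120634a1",
        "sha256:aabe8fddede54277f929724919213cc5df2ab4e4175a5ce45ff4e00909a4b757",
        "sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743",
    ]}
}])


def layer_diff_ids(inspect_json):
    """Return the validated DiffID list from inspect output (array or object)."""
    doc = json.loads(inspect_json)
    rootfs = doc[0]["RootFS"] if isinstance(doc, list) else doc["RootFS"]
    if rootfs.get("Type") != "layers":
        raise ValueError("unexpected RootFS type: %r" % rootfs.get("Type"))
    layers = rootfs["Layers"]
    for digest in layers:
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed layer digest: %r" % digest)
    return layers


def chain_id(parent_chain_id, diff_id):
    """One step of the OCI chain ID recurrence (the separator is a space)."""
    h = hashlib.sha256((parent_chain_id + " " + diff_id).encode("ascii"))
    return "sha256:" + h.hexdigest()


def chain_ids(diff_ids):
    """ChainID of every prefix of the layer stack, bottom layer first."""
    out = []
    for diff_id in diff_ids:
        out.append(diff_id if not out else chain_id(out[-1], diff_id))
    return out


def layers_match(inspect_json, expected_top_chain_id):
    """True if the image's whole layer stack has the expected chain ID."""
    return chain_ids(layer_diff_ids(inspect_json))[-1] == expected_top_chain_id
```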

  23. A more complicated sample Dockerfile: for CouchDB
       FROM ubuntu
       RUN apt-get -y update
       RUN apt-get install -y g++
       RUN apt-get install -y erlang-dev erlang-manpages erlang-base-hipe ...
       RUN apt-get install -y libmozjs185-dev libicu-dev libtool ...
       RUN apt-get install -y make wget
       RUN wget -O - http://.../apache-couchdb-1.3.1.tar.gz | tar -C /tmp -zxf -
       RUN cd /tmp/apache-couchdb-* && ./configure && make install
       RUN printf "[httpd]\nport = 8101\nbind_address = 0.0.0.0" > /usr/local/etc/couchdb/local.d/docker.ini
       EXPOSE 8101
       CMD ["/usr/local/bin/couchdb"]
     Run the command to build:
       docker build -t your_dockerhub_account/couchdb .

  24. Minimal learning curve
     • Rebuilds are easy
     • The caching system makes rebuilds faster
     • A single file defines the whole environment!

  25. Take-home exercise: observe differences between host and container
     Run the following commands in the host and in a Docker container, respectively, and compare the results for the pid, mnt, net, uts, ipc and user namespaces.
     • pid namespace: type ps aux | wc -l in the host and in the container
     • mnt namespace: type wc -l /proc/mounts in both
     • net namespace: install net-tools, then type ifconfig

  26. Take-home exercise (continued)
     • hostname (uts) namespace: type hostname
     • ipc namespace: type ipcs
     • user namespace (UID): UID 0-1999 in the first container is mapped to UID 10000-11999 in the host; UID 0-1999 in the 2nd container is mapped to UID 12000-13999 in the host
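The user-namespace remap from slide 26 can be checked from the kernel's own view of it: each process has a /proc/&lt;pid&gt;/uid_map whose lines read "inside-start outside-start count". The script below (an added example, not from the slides) parses that format, translates container UIDs to host UIDs, and flags the two things a defender cares about: a container whose root is also host root (no remap), and two containers whose host UID ranges overlap. The map texts are constructed to match the slide's numbers; the function names are my own.

```python
# Constructed uid_map contents (same format as /proc/<pid>/uid_map).
UID_MAP_CONTAINER1 = "         0      10000       2000\n"   # slide 26, 1st container
UID_MAP_CONTAINER2 = "         0      12000       2000\n"   # slide 26, 2nd container
UID_MAP_NO_USERNS = "         0          0 4294967295\n"    # identity map: no remap
OVERFLOW_UID = 65534  # kernel default (/proc/sys/kernel/overflowuid) for unmapped IDs


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def to_host_uid(container_uid, uid_map):
    """Map a UID as seen inside the container to the host UID; an unmapped
    container UID shows up on the host as the overflow UID."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return OVERFLOW_UID


def container_root_is_host_root(uid_map):
    """True when UID 0 inside the container is UID 0 on the host, i.e. no
    user-namespace remap stands between a root process and the host."""
    return to_host_uid(0, uid_map) == 0


def ranges_overlap(map_a, map_b):
    """True if two containers' host-side UID ranges intersect; with the
    slide's layout (10000-11999 vs 12000-13999) they must not."""
    for _, out_a, count_a in map_a:
        for _, out_b, count_b in map_b:
            if out_a < out_b + count_b and out_b < out_a + count_a:
                return True
    return False
```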

  27. Docker Hub
     • Public repository of Docker images: https://hub.docker.com/
     • docker search [term]
     • Automated: has been automatically built from a Dockerfile; the source for the build is available on GitHub

  28. Docker ecosystem
     • Docker images: Docker Hub
     • Automated setup: Puppet, Chef, Ansible, ...
     • Other: skydock / skydns, fig

  29. Docker use cases
     • Development environment
     • Environments for integration tests
     • Quick evaluation of software
     • Microservices
     • Multi-tenancy
     • Unified execution environment (dev, test, prod; local, VM, cloud, ...)

  30. Dev -> test -> production
     • Code in a local environment (dockerized or not)
     • Each push to the git repo triggers a hook
     • The hook tells a build server to clone the code and run docker build (using the Dockerfile)
     • The containers are tested (nosetests, Jenkins...) and, if the tests pass, pushed to the registry
     • Production servers pull the containers and run them
     • For network services, load balancers are updated
