
Container

Context

  • PlanetLab: a distributed system established across universities around the world (each participating university installed at least two modest servers).

  • PlanetLab was slowly replaced by cloud computing services such as AWS and Azure.

  • Docker is just the packaging for containers: the code and data needed to run the container (in effect, a package manager for virtualized environments).

  • Kubernetes: a distributed runtime environment for running these containers, providing:

    • resource allocator
    • scheduler
    • etc

Kubernetes and Docker do not implement virtualization themselves. They implement managers that manage resources in virtualized containers.

Namespace

The mechanism that provides isolation.

CGroups

Provides resource allocation.

Goal

  • efficiency
  • scalability

  • Isolation

    • fault isolation: isolating a buggy or malicious VM
    • resource isolation: we don't want other VMs to be able to steal resources allocated to a specific VM
    • security isolation:

Implementation

  • Virtualizes operating system calls, not hardware machine instructions.

  • Encapsulate processes running on top of the operating system into virtual machines.

  • Create an environment in which the operating system can provide the illusion that each process running inside the container is the only process running on the operating system.

  • One special virtual machine (like Dom 0 in Xen) for control purposes.

Note

Kubernetes runs in this environment

Approaches

Each container has its own:

  • Namespace (context)
  • process IDs (a set of PIDs)
  • user IDs (UIDs)
  • network (IP address and ports)
  • mount (file system)

Note

Essentially, filters are just lists (or tags) recording which thing belongs to which container.

Filters

  • Processes
  • Files
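The per-container namespace lists above can be recovered on a Linux host from /proc/<pid>/ns, where each entry's inode number identifies the namespace a process lives in. The following is an added example (not part of the original notes): it groups processes into containers by their namespace tuple and flags processes whose membership is a mix of host and container namespaces, which is what an isolation review would want to see. The pids and inode numbers in SAMPLE_PROCS are constructed; read_proc_ns collects the same table from a live host.

```python
import os
from collections import defaultdict

# Namespace kinds this example groups on (as exposed under /proc/<pid>/ns/).
NS_KINDS = ("pid", "mnt", "net", "user")

# Constructed sample of `stat -L /proc/<pid>/ns/*` inode numbers. The pids and
# inode numbers are made up; they only need to be consistent with each other.
HOST_NS = {"pid": 4026531836, "mnt": 4026531840, "net": 4026531992, "user": 4026531837}
CONT_A = {"pid": 4026532201, "mnt": 4026532199, "net": 4026532204, "user": 4026531837}
CONT_B = {"pid": 4026532301, "mnt": 4026532299, "net": 4026532304, "user": 4026531837}
SAMPLE_PROCS = {
    1:    dict(HOST_NS),   # init on the host
    812:  dict(HOST_NS),   # a container manager daemon on the host
    2301: dict(CONT_A),    # container A (pid 1 inside its own pid namespace)
    2307: dict(CONT_A),    # container A
    3110: dict(CONT_B),    # container B
    # Mixed membership: host pid namespace but container A's mount and network
    # namespaces, as produced by a process that joined only some of a
    # container's namespaces (e.g. with nsenter). Worth flagging in a review.
    3985: {"pid": HOST_NS["pid"], "mnt": CONT_A["mnt"],
           "net": CONT_A["net"], "user": HOST_NS["user"]},
}


def ns_key(ns):
    """The tuple of namespace inodes that says 'which container' a process is in."""
    return tuple(ns[k] for k in NS_KINDS)


def group_by_namespace(procs):
    """Map each distinct namespace tuple to the sorted list of pids living in it."""
    groups = defaultdict(list)
    for pid in sorted(procs):
        groups[ns_key(procs[pid])].append(pid)
    return dict(groups)


def find_mixed(procs, host_ns):
    """Pids that sit in the host namespace for some of pid/mnt/net but not all.

    The user namespace is deliberately excluded: containers that do not enable
    user namespaces share it with the host, so it does not distinguish containers.
    """
    mixed = []
    for pid in sorted(procs):
        in_host = [procs[pid][k] == host_ns[k] for k in ("pid", "mnt", "net")]
        if any(in_host) and not all(in_host):
            mixed.append(pid)
    return mixed


def read_proc_ns(proc_root="/proc"):
    """Collect the same table from a live Linux host (best effort: processes
    that exit mid-scan or that we are not allowed to inspect are skipped)."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            procs[int(entry)] = {
                k: os.stat(os.path.join(proc_root, entry, "ns", k)).st_ino
                for k in NS_KINDS
            }
        except OSError:
            continue
    return procs


if __name__ == "__main__":
    host_key = ns_key(HOST_NS)
    for key, pids in group_by_namespace(SAMPLE_PROCS).items():
        print("host     " if key == host_key else "container", key, pids)
    print("mixed membership:", find_mixed(SAMPLE_PROCS, HOST_NS))
```

On a real host, `read_proc_ns()` replaces `SAMPLE_PROCS`; the host's own tuple is simply the one pid 1 belongs to.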

Note

In a container environment, we always consider resources to be scarce. Therefore, we want to make sure we don't waste disk resources by creating too many replicated files.

/bin directory

The /bin directory is needed by every container. Rather than giving each container its own copy, every container can refer to the privileged container's /bin directory, and copy-on-write is used to allocate disk blocks only for the changes a specific container makes to /bin. → As a result, a lot of disk space is saved by sharing most file blocks.
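The block-level copy-on-write idea is easier to see with numbers. The following is an added model (not code from the original notes, and not how any particular filesystem is implemented): a file is a list of block ids in an immutable block store, a container's "reference" to /bin is a copy of that id list, and a write copies only the block it touches. The 40 KiB "binary" in demo() is constructed.

```python
BLOCK_SIZE = 4096


class BlockStore:
    """block_id -> immutable bytes. Blocks are never modified in place,
    which is what makes sharing them between containers safe."""

    def __init__(self):
        self.blocks = {}
        self._next = 0

    def put(self, data: bytes) -> int:
        bid = self._next
        self._next += 1
        self.blocks[bid] = bytes(data)
        return bid


class CowFile:
    """A file is an ordered list of block ids; clones share ids until written."""

    def __init__(self, store, block_ids):
        self.store = store
        self.block_ids = list(block_ids)

    @classmethod
    def from_bytes(cls, store, data: bytes):
        ids = [store.put(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]
        return cls(store, ids)

    def clone(self):
        # A container's view of /bin: the id list is copied, the data is not.
        return CowFile(self.store, self.block_ids)

    def size(self) -> int:
        return sum(len(self.store.blocks[b]) for b in self.block_ids)

    def write(self, offset: int, data: bytes):
        """Overwrite bytes in place; only the affected blocks get private copies."""
        if offset < 0 or offset + len(data) > self.size():
            raise ValueError("write must stay within the existing file")
        pos = 0
        while pos < len(data):
            idx, off = divmod(offset + pos, BLOCK_SIZE)
            old = self.store.blocks[self.block_ids[idx]]
            n = min(len(old) - off, len(data) - pos)
            new = old[:off] + data[pos:pos + n] + old[off + n:]
            self.block_ids[idx] = self.store.put(new)  # private copy of this block only
            pos += n

    def read(self) -> bytes:
        return b"".join(self.store.blocks[b] for b in self.block_ids)


def shared_blocks(files) -> int:
    """Blocks actually allocated when containers share untouched blocks."""
    return len({b for f in files for b in f.block_ids})


def naive_blocks(files) -> int:
    """Blocks that would be allocated if every container had a full copy."""
    return sum(len(f.block_ids) for f in files)


def demo():
    store = BlockStore()
    # Constructed 40960-byte "binary" in the privileged container's /bin: 10 blocks.
    base = CowFile.from_bytes(store, bytes(range(256)) * 160)
    containers = [base.clone() for _ in range(3)]
    containers[0].write(5000, b"patched!")  # lands in block index 1 only
    return store, base, containers


if __name__ == "__main__":
    store, base, containers = demo()
    files = [base] + containers
    print("blocks with sharing:", shared_blocks(files), "without:", naive_blocks(files))
```

Three containers plus the base hold four views of a ten-block file, yet only eleven blocks exist: the one block container 0 modified, plus the ten everyone still shares.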

Resources We Need to Allocate

  • CPU
  • Memory
  • Network
  • Disk
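On Linux the resource allocator's job for CPU, memory and disk is done through cgroup interface files. The following is an added example (not from the original notes) of the cgroup v2 file formats a container runtime writes: a directory under the cgroup root is a cgroup, limit files in it set quotas, and writing a pid to cgroup.procs moves a process in. The cgroup name, limit values and pid are constructed; demo() writes into a temporary directory so it can be exercised without root, whereas the real root would be /sys/fs/cgroup.

```python
import os
import tempfile

INTERFACE_FILES = ("cpu.max", "memory.max", "pids.max", "io.max", "cgroup.procs")


def cpu_max(quota_us, period_us=100_000):
    """cpu.max takes "<quota> <period>" in microseconds, or "max <period>" for unlimited."""
    quota = "max" if quota_us is None else int(quota_us)
    return f"{quota} {period_us}"


def io_max(major, minor, rbps=None, wbps=None):
    """io.max takes "MAJ:MIN rbps=<bytes/s> wbps=<bytes/s>", with "max" meaning unlimited."""
    def fmt(v):
        return "max" if v is None else int(v)
    return f"{major}:{minor} rbps={fmt(rbps)} wbps={fmt(wbps)}"


def apply_limits(cgroup_root, name, *, cpu_quota_us, memory_bytes, pids_max, io_limit=None):
    """Create cgroup <root>/<name> and write its limit files; returns the cgroup path.

    On a real host the cpu, memory, pids and io controllers must first be enabled
    for this subtree through the parent's cgroup.subtree_control; that step is
    omitted here.
    """
    path = os.path.join(cgroup_root, name)
    os.makedirs(path, exist_ok=True)
    limits = {
        "cpu.max": cpu_max(cpu_quota_us),       # CPU: quota per period
        "memory.max": str(int(memory_bytes)),   # memory: hard limit in bytes
        "pids.max": str(int(pids_max)),         # process count: caps fork storms
    }
    if io_limit is not None:
        limits["io.max"] = io_max(*io_limit)    # disk: per-device bytes/s limits
    # Network bandwidth has no cgroup v2 knob; it is shaped per network
    # namespace with tc instead, so it is not covered here.
    for fname, value in limits.items():
        with open(os.path.join(path, fname), "w") as f:
            f.write(value + "\n")
    return path


def attach(cgroup_path, pid):
    """Move a process into the cgroup by writing its pid to cgroup.procs."""
    with open(os.path.join(cgroup_path, "cgroup.procs"), "a") as f:
        f.write(f"{pid}\n")


def read_limits(cgroup_path):
    """Read back the interface files that exist, as {name: stripped content}."""
    result = {}
    for name in INTERFACE_FILES:
        full = os.path.join(cgroup_path, name)
        if os.path.exists(full):
            with open(full) as f:
                result[name] = f.read().strip()
    return result


def demo(cgroup_root=None):
    """Apply a constructed limit set; uses a temporary directory unless a root is given."""
    root = cgroup_root or tempfile.mkdtemp(prefix="cgroup-demo-")
    path = apply_limits(
        root, "container-a",                       # constructed cgroup name
        cpu_quota_us=50_000,                       # half a CPU per 100 ms period
        memory_bytes=256 * 1024 * 1024,            # 256 MiB
        pids_max=100,
        io_limit=(8, 0, 10 * 1024 * 1024, None),   # device 8:0: 10 MiB/s reads
    )
    attach(path, 4242)                             # constructed pid
    return path


if __name__ == "__main__":
    for name, value in read_limits(demo()).items():
        print(f"{name}: {value}")
```

Run against the real cgroup root as root, the same calls apply the limits to a live cgroup; the pids.max line is the one most often forgotten and the one that keeps a runaway container from exhausting the process table shared with every other container on the host.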

Takeaway

  • Lower overhead compared to hardware virtualization.
  • The key difference from hardware virtualization: the operating system itself is not part of what is virtualized.
  • Hardware virtualization may be somewhat overcommitted in certain scenarios.
  • Whether hardware-based or container-based virtualization provides better isolation is still debated today.

My Question
