
Who I Think You Are

Software engineer, sysadmin, etc. who is...

• wanting to learn about namespaces and cgroups
• interested in containers and how they work
• loves turtles (optional)

Saturday, September 21, 13


Modern Linux Server
with Containers
brandon.philips@coreos.com



Overview

• System Designs
• Namespaces
• Cgroups
• Tooling



The Spectrum

Hypervisor  ->  Container  ->  Application Container


WARNING

System Designs



Hypervisor

• Host provides full hardware environment
  • Block device, ethernet device, etc
• Guests run a full kernel


Container

• Host provides Kernel
  • Filesystem, network interface, etc are already there
• Guest starts from /sbin/init


Application Container

• Host provides Kernel
  • User data, socket fd, etc are already there
• Starts from application, not init


Namespaces



Imagine: cool medieval castle photo
*perhaps fog rolling in*



Filesystem

• Read-only
• Shared
• Slave
• Private



Read-only



Private bind mount

before: source/a-file        after: bind/a-file

mount -t tmpfs -o size=1M tmpfs source/mnt
after: source/mnt/tmpfs-file                           (not visible at bind/mnt)

mount -t tmpfs -o size=1M tmpfs bind/mnt2
after: bind/mnt2/mnt2-file                             (not visible at source/mnt2)


Shared bind mount

before: source/a-file        after: bind/a-file

mount -t tmpfs -o size=1M tmpfs source/mnt
after: source/mnt/tmpfs-file, bind/mnt/tmpfs-file      (propagates to bind)

mount -t tmpfs -o size=1M tmpfs bind/mnt2
after: source/mnt2/mnt2-file, bind/mnt2/mnt2-file      (propagates back to source)


Slave bind mount

before: source/a-file        after: bind/a-file

mount -t tmpfs -o size=1M tmpfs source/mnt
after: source/mnt/tmpfs-file, bind/mnt/tmpfs-file      (master to slave: propagates)

mount -t tmpfs -o size=1M tmpfs bind/mnt2
after: bind/mnt2/mnt2-file                             (slave to master: does not propagate)


Patterns

• Mounting RO /usr inside a container
• Private /tmp per service
• Sharing data across containers via binds
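As an added example (not from the slides), a parser that reads the propagation state of each mount from /proc/<pid>/mountinfo, which is how you check from the host whether a container's mounts are actually private, shared or slave and whether its /usr is really read-only; the sample mountinfo lines are constructed to mirror the bind-mount scenario above, and the function names are my own.

```python
# Added example, not from the slides: classify every mount's propagation mode from
# /proc/<pid>/mountinfo so a host can verify that a container's mounts really are
# private/shared/slave and that /usr really is read-only. Optional fields in that
# file are shared:N, master:N, propagate_from:N and unbindable (see proc(5)).
from collections import namedtuple

MountInfo = namedtuple("MountInfo", "mountpoint fstype readonly propagation peer_group")

def _group(optional, prefix):
    """Peer-group number of the first optional field with this prefix, or 0."""
    return next((int(o.split(":")[1]) for o in optional if o.startswith(prefix)), 0)

def parse_mountinfo(text):
    mounts = {}
    for line in filter(str.strip, text.splitlines()):
        head, sep, tail = line.partition(" - ")   # "-" ends the optional fields
        fields = head.split()
        if not sep or len(fields) < 6:
            raise ValueError("malformed mountinfo line: " + line)
        mountpoint = fields[4].replace("\\040", " ")   # spaces are escaped as \040
        readonly = "ro" in fields[5].split(",")
        optional = fields[6:]
        shared, master = _group(optional, "shared:"), _group(optional, "master:")
        if shared and master:
            prop, group = "shared-slave", master   # receives from master, shares onward
        elif shared:
            prop, group = "shared", shared
        elif master:
            prop, group = "slave", master
        elif "unbindable" in optional:
            prop, group = "unbindable", 0
        else:
            prop, group = "private", 0
        mounts[mountpoint] = MountInfo(mountpoint, tail.split()[0], readonly, prop, group)
    return mounts

# Constructed sample mirroring the slides: /source is shared (peer group 7),
# /bind is a slave of that group, /bind2 is a private bind, /usr is read-only.
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 8:1 /usr /usr ro,relatime shared:1 - ext4 /dev/sda1 rw
41 25 0:35 / /source rw,relatime shared:7 - tmpfs tmpfs rw
42 25 0:35 / /bind rw,relatime master:7 - tmpfs tmpfs rw
43 25 0:35 / /bind2 rw,relatime - tmpfs tmpfs rw
"""

if __name__ == "__main__":
    for m in parse_mountinfo(SAMPLE_MOUNTINFO).values():
        print(f"{m.mountpoint:<8} {m.propagation:<13} group={m.peer_group} ro={m.readonly}")
```

On a real host, feed it the contents of /proc/&lt;container-pid&gt;/mountinfo instead of the sample.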


Networking

• Root namespace
• Bridging
• Private namespace with socket activation



Root Namespace

• Full access to the machine interfaces

• Advantages
  • Fast
  • Easy to set up
  • Network looks normal to the container

• Disadvantages
  • No separation of concerns
  • Container has full control


Network Bridges

• Create a bridge, like a virtual switch
• Create container namespace and add interface
• Attach container interface to bridge

• Advantages
  • Network looks normal to the container

• Disadvantages
  • More complex to set up
  • Less speed
  • NAT to the internet
  • iptables to expose public socket


Socket Activation

• No interface
• Sockets are passed via stdin (inetd)
• systemd style listen fd API



inetd style

• Advantages
  • Fast and isolated
  • Simple and well understood
  • Support from existing daemons like ssh
  • No process running until needed

• Disadvantages
  • One process per client (scaling problems!)


listen fd style

• Advantages
  • Fast and isolated
  • Only one process needed per service
  • No process running until needed

• Disadvantages
  • Patches required to daemons
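As an added example (not part of the slides), a small Python service that accepts its socket either inetd style (a connected client on stdin) or listen fd style (systemd's LISTEN_PID/LISTEN_FDS convention, descriptors numbered from 3), with the checks a daemon should make before trusting an inherited descriptor; the function names are my own and the demo handler just echoes.

```python
# Added example, not from the slides: accept a socket handed to a service either
# inetd-style (connected client socket on stdin) or systemd listen-fd style
# (LISTEN_PID/LISTEN_FDS, descriptors numbered from 3), with the checks a
# server should make before trusting an inherited descriptor.
import os, socket, stat

SD_LISTEN_FDS_START = 3   # sd_listen_fds(3) convention

def _is_socket(fd):
    try:
        return stat.S_ISSOCK(os.fstat(fd).st_mode)
    except OSError:
        return False

def listen_fds(env=None, start_fd=SD_LISTEN_FDS_START):
    """Listening sockets passed by systemd, or [] if the protocol does not apply to us."""
    env = os.environ if env is None else env
    try:
        # LISTEN_PID must be *our* pid: a stale value inherited from a parent must
        # not make us adopt descriptors that were meant for another process.
        if int(env.get("LISTEN_PID", "")) != os.getpid():
            return []
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    socks = []
    for fd in range(start_fd, start_fd + count):
        if not _is_socket(fd):
            raise RuntimeError(f"fd {fd} announced by LISTEN_FDS is not a socket")
        os.set_inheritable(fd, False)            # don't leak it to child processes
        socks.append(socket.socket(fileno=fd))   # family/type are read from the fd
    return socks

def inetd_socket(fd=0):
    """The already-connected client socket on stdin (inetd style), or None."""
    return socket.socket(fileno=fd) if _is_socket(fd) else None

def serve_once(listener):
    """Accept one client, echo its request upper-cased, return what it sent."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(data.upper())
    return data

if __name__ == "__main__":        # under a systemd .socket unit this serves one client
    socks = listen_fds()
    print(serve_once(socks[0]) if socks else "no socket passed in")
```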


Process Namespace

• PID 1 is something else outside the namespace


All the Rest



Cgroups



Imagine: an accountant's overflowing desk
perhaps hands on head in despair


Block I/O

• Limit: Weight from 10 to 1000
• Limit: Bandwidth limits R/W
• Metrics: iops serviced, waiting and queued


CPU

• Limit: Shares (1024 is half of 2048)
• Metrics: cpuacct.stat user and system


Memory

• Limit: Total RSS memory limit
• Metrics: swap, total rss, # page ins/outs
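As an added example (not from the slides), Python that reads the cgroup v1 files behind the limits and metrics above (cpu.shares, cpuacct.stat, memory.limit_in_bytes, memory.stat) for one service and turns them into usable numbers; it assumes the cgroup v1 layout under /sys/fs/cgroup, the sample cgroup directory is constructed so it runs without root, and it generalizes the "1024 is half of 2048" point to any set of sibling groups.

```python
# Added example, not from the slides: read the cgroup v1 files behind the limits
# and metrics above (cpu.shares, cpuacct.stat, memory.limit_in_bytes, memory.stat)
# for one service, e.g. cpu_dir=/sys/fs/cgroup/cpu/svc, mem_dir=/sys/fs/cgroup/memory/svc.
import os
import tempfile

def _read(path, default):   # file text, or default when the file is absent
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return default

def _kv(text):   # 'key value' lines (cpuacct.stat, memory.stat) as an int dict
    return {k: int(v) for k, v in (l.split() for l in text.splitlines() if l.strip())}

def read_cgroup_metrics(cpu_dir, mem_dir, user_hz=None):
    """CPU seconds and memory figures for one service; cpuacct.stat counts USER_HZ ticks."""
    hz = user_hz or os.sysconf("SC_CLK_TCK")
    cpu = _kv(_read(os.path.join(cpu_dir, "cpuacct.stat"), ""))
    mem = _kv(_read(os.path.join(mem_dir, "memory.stat"), ""))
    return {
        "cpu_shares": int(_read(os.path.join(cpu_dir, "cpu.shares"), "1024")),  # 1024 = default
        "user_sec": cpu.get("user", 0) / hz,
        "system_sec": cpu.get("system", 0) / hz,
        "mem_limit": int(_read(os.path.join(mem_dir, "memory.limit_in_bytes"), "0")),
        "rss": mem.get("total_rss", mem.get("rss", 0)),    # total_* includes child cgroups
        "swap": mem.get("total_swap", mem.get("swap", 0)),
        "page_ins": mem.get("pgpgin", 0),
        "page_outs": mem.get("pgpgout", 0),
    }

def cpu_share_fraction(shares, sibling_shares):
    """CPU share under contention: 1024 beside one 1024 sibling is half (1024 of 2048)."""
    return shares / (shares + sum(sibling_shares))

def make_sample_cgroup():
    """Constructed stand-in for a cgroup directory so the example runs without root."""
    d = tempfile.mkdtemp()
    files = {"cpu.shares": "512\n", "cpuacct.stat": "user 1500\nsystem 500\n",
             "memory.limit_in_bytes": "268435456\n", "memory.stat":
             "rss 4096\nswap 0\npgpgin 120\npgpgout 30\ntotal_rss 8192\ntotal_swap 1024\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(body)
    return d

if __name__ == "__main__":
    d = make_sample_cgroup()
    print(read_cgroup_metrics(d, d, user_hz=100), cpu_share_fraction(1024, [1024]))
```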


Tooling

• docker
• nspawn
• nsenter
• /sys/fs/cgroup
• systemd units
• systemd-cgtop


Recap

• Containers are built on namespaces and cgroups
• Namespaces provide isolation similar to hypervisors
• Cgroups provide resource limiting and accounting
• These tools can be mixed to create hybrids

Future



Thanks!
@BrandonPhilips
@CoreOSLinux
