A Decade of Linux Containers
Simon Boulet
Consultant, Deployment and Automation
simon@nostalgeek.com
A Decade of Linux Containers
An Introduction to Containers
“[...] should it be possible for the operating
system to ensure that excessive resource
usage by one group of processes doesn't
interfere with another group of processes?
Should it be possible for a single kernel to
provide resource-usage statistics for a
logical group of processes? Likewise,
should the kernel be able to allow multiple
processes to transparently use port 80?”
Glauber Costa, Parallels (SWSoft / company behind OpenVZ)
http://lwn.net/Articles/524952/
Containers (vs virtualization)
● Group processes together to create secure, isolated virtual environments
● Share the host kernel / operating system
● Generally perform better than traditional virtualization
● Often have limitations with kernel features (VPN, loopback devices, iptables, FUSE, NFS, etc.)
User-Mode Linux (UML)
● Kernel patch to compile the Linux kernel as a “regular” binary. Run Linux inside Linux: ./linux
● First paper in August 2000, Linux 2.2.x [1]
● Mainstream since 2.6.0 (December 2003)
● No root access needed (network requires TUN/TAP)
● Linode was initially offering UML containers and switched to Xen on March 28, 2008 [2]
● Works out of the box with all recent kernels [3]
[1] http://user-mode-linux.sourceforge.net/old/als2000/index.html
[2] https://blog.linode.com/2008/03/28/linodes-in-xen/
[3] http://uml.devloop.org.uk/
Linux-VServer
● Created by Jacques Gelinas, a Montrealer
● First public announcement October 2001 [1]
● Uses a “security context” concept to isolate processes (similar to Linux Namespaces)
● Still alive (latest patch for Linux 3.10.21)
● Dreamhost (the company behind Ceph) still uses Linux-VServer for their VPS offering [2]
[1] http://www.cs.helsinki.fi/linux/linux-kernel/2001-40/1065.html
[2] http://www.dreamhost.com/servers/vps/
OpenVZ
● Patch based on the latest RHEL kernel (currently 2.6.32; 40MB gzip patch). Extends Linux Cgroups/Namespaces features
● Mature (initial release in 2005), OSS behind Parallels Virtuozzo (commercial)
● Future of OpenVZ lies within Linux Cgroups/Namespaces. Recent versions of the OpenVZ tools work partially with recent mainstream kernels
● OpenVZ developers very active in the Linux kernel/Namespaces community
OpenVZ Contributions to Linux Kernel

http://openvz.org/Development_portal
OpenVZ: LXC/Namespaces' older brother
“OpenVZ is great, and it has been around for
longer than LXC, so some people consider it to
be more stable and secure. However, one has
to keep in mind that LXC and OpenVZ share
many developers in common, and that LXC is
nothing else than “OpenVZ redesigned to
be able to be merged into the mainline
kernel”. Therefore, OpenVZ will eventually
sunset, to be fully replaced by LXC.”
Jérôme Petazzoni, Senior Engineer at dotCloud (company behind Docker)
http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/
LXC
● Docker uses LXC for creating containers
● First release of LXC September 2008
● Set of userspace tools to create containers on top of Linux Cgroups and Namespaces
● LXC containers are not fully secure yet. It is possible for root inside a container to escape and gain root on the host; AppArmor/SELinux are needed to confine it. The future lies in the User namespace.
Linux Namespaces
Different namespaces = Different “Views” of
the kernel
Linux 2.4.19 - 3 Aug 2002
● Mount namespace: mount points

Linux 2.6.19 - 29 Nov 2006
● UTS namespace: hostname
● IPC namespace: interprocess communication

Linux 2.6.24 - 24 Jan 2008
● PID namespace: processes in different PID namespaces can have the same PID
● Network namespace: network devices, IP addresses, routing tables, iptables entries

Linux 3.8 - 18 Feb 2013
● User namespace: root privileges for operations inside a user namespace, but unprivileged outside the namespace. A number of Linux filesystems are not yet user-namespace aware.

http://lwn.net/Articles/531114/
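Since each namespace is a separate “view” of the kernel, the practical question for a defender is whether a given process is actually in a different namespace from the host or just looks like it (a chroot, for instance, changes no namespace at all). The script below is an added example, not part of the original slides: it reads the namespace links the kernel exposes under /proc/<pid>/ns (present since Linux 3.8) and compares two processes. Two processes that report the same inode for “net” share the same network devices, addresses and iptables rules; the same for “pid” means they see each other's PIDs. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original slides. Inspects /proc/<pid>/ns to
# show which namespaces two processes share. Each link there reads like
# "uts:[4026531838]"; an identical inode means the same namespace.

# Extract the inode number from a readlink result such as "pid:[4026531836]".
ns_inode() {  # ns_inode "type:[inode]"  ->  inode
  echo "${1#*:}" | tr -d '[]'
}

# Print "type inode" for every namespace of a PID, e.g. "uts 4026531838".
ns_list() {  # ns_list <pid>
  for link in /proc/"$1"/ns/*; do
    target=$(readlink "$link" 2>/dev/null) || continue
    echo "$(basename "$link") $(ns_inode "$target")"
  done
}

# List the namespace types that differ between two PIDs. An empty result
# means nothing isolates the two processes from each other: a chroot-only
# "container" compared with the host's init (PID 1) prints nothing.
ns_diff() {  # ns_diff <pid_a> <pid_b>
  for link in /proc/"$1"/ns/*; do
    type=$(basename "$link")
    a=$(readlink "$link" 2>/dev/null) || continue
    b=$(readlink /proc/"$2"/ns/"$type" 2>/dev/null) || continue
    [ "$a" = "$b" ] || echo "$type"
  done
}

# Stand-alone use from the host: ./nscheck.sh --run <pid-of-container-process>
# prints that process's namespaces and which of them differ from PID 1.
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
  echo "namespaces of PID $2:"; ns_list "$2"
  echo "namespaces that differ from PID 1:"; ns_diff "$2" 1
fi
```

Run it on the host against a process inside an LXC or OpenVZ-style container and you would expect at least mnt, uts, ipc, pid and net in the second list; an empty or short list is a sign that the “container” is not isolated the way the slides describe. User-namespace isolation shows up the same way once the kernel (3.8+) and the tooling actually create one.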
Linux Cgroups
● Virtually group processes together and apply limits, priority, accounting, etc.
● Divided into subsystems, each subsystem representing a resource (CPU, memory, etc.)

blkio: Limits input/output access to and from block devices
cpu: Uses the scheduler to provide access to the CPU
devices: Allows or denies access to devices
freezer: Suspends or resumes tasks in a cgroup
memory: Sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks
...

https://access.redhat.com/site/documentation/enUS/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html
Playing with Cgroups
● Cgroups are configured through the cgroup virtual file system (similar to /proc)
● Mount the cgroup virtual filesystem for the desired subsystem (ex. blkio):
sudo mkdir -p /sys/fs/cgroup/blkio
sudo mount -t cgroup -oblkio blkio /sys/fs/cgroup/blkio

● Create a new cgroup named “1mbsec” in the blkio subsystem:
sudo mkdir /sys/fs/cgroup/blkio/1mbsec
Playing with Cgroups (cont.)
● Set a limit of 1MB/sec on this cgroup:
echo '253:2 '$((1024*1024)) |sudo tee /sys/fs/cgroup/blkio/1mbsec/blkio.throttle.write_bps_device

● Attach the current process (shell) to the 1mbsec cgroup:
echo $$ | sudo tee /sys/fs/cgroup/blkio/1mbsec/tasks

● Writes are now throttled to 1MB/sec:
dd if=/dev/zero of=100mbtest.bin bs=1M count=100 conv=fdatasync
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 100.055 s, 1.0 MB/s
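The four slide steps above, collected into one script as an added example (not code from the original slides). The “253:2” in the slide is the major:minor number of the block device being throttled; the script derives it from the device node with stat instead of hard-coding it, because stat prints the numbers in hex (%t/%T) while blkio.throttle.write_bps_device expects decimal, an easy mistake that the kernel rejects silently or applies to the wrong disk. It assumes the cgroup v1 blkio controller and the /sys/fs/cgroup/blkio mount point used in the slides, must run as root for throttle_shell, and reads the limit back so you can confirm the kernel accepted it. The function names and the /dev/sdb sample device are the example's own.

```shell
#!/bin/sh
# Added example, not from the original slides: reproduce the blkio throttling
# walk-through idempotently, deriving MAJOR:MINOR from the device node.

CGROUP_ROOT=/sys/fs/cgroup/blkio   # same cgroup v1 mount point as the slides

# Convert a rate such as 1M, 512K, 2G or a plain byte count to bytes.
rate_to_bytes() {  # rate_to_bytes 1M  ->  1048576
  case "$1" in
    *K) echo $(( ${1%K} * 1024 )) ;;
    *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
    *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
    *[!0-9]*) echo "bad rate: $1" >&2; return 1 ;;
    *) echo "$1" ;;
  esac
}

# Build the "MAJOR:MINOR BYTES" line the throttle file expects. stat prints
# the device numbers in hex (%t = major, %T = minor); convert to decimal.
throttle_line() {  # throttle_line /dev/sdb 1M  ->  "8:16 1048576" for example
  major=$(( 0x$(stat -c '%t' "$1") ))
  minor=$(( 0x$(stat -c '%T' "$1") ))
  echo "$major:$minor $(rate_to_bytes "$2")"
}

# Mount the controller if needed, create the cgroup, apply the limit and move
# a process (default: the calling shell) into it. Needs root.
throttle_shell() {  # throttle_shell <cgroup-name> <device> <rate> [pid]
  name=$1; dev=$2; rate=$3; pid=${4:-$$}
  cg="$CGROUP_ROOT/$name"
  if ! grep -qs " $CGROUP_ROOT cgroup " /proc/mounts; then
    mkdir -p "$CGROUP_ROOT"
    mount -t cgroup -oblkio blkio "$CGROUP_ROOT"
  fi
  mkdir -p "$cg"
  throttle_line "$dev" "$rate" > "$cg/blkio.throttle.write_bps_device"
  echo "$pid" > "$cg/tasks"
  # Read back what the kernel accepted: an empty file here means the write
  # was rejected (wrong device number or controller not mounted at this path).
  echo "limit now in effect for $name:"
  cat "$cg/blkio.throttle.write_bps_device"
}

# Stand-alone use (as root): ./throttle.sh --run 1mbsec /dev/sdb 1M
# then dd as in the slides to observe the 1.0 MB/s write rate.
if [ "${1:-}" = "--run" ] && [ $# -eq 4 ]; then
  throttle_shell "$2" "$3" "$4"
fi
```

Two caveats a practitioner will hit: the limit applies to the device, so a file on a partition is throttled by the whole-disk or partition number that stat reports for the node you pass, and on hosts booted with the unified cgroup v2 hierarchy there is no blkio controller at all (the equivalent is io.max), so the mount step in the slides fails there rather than misbehaving.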
My Personal Experience
● OpenVZ is generally the “go-to” for public / production containers (unless you need some of the recent kernel features)
● LXC is gaining a lot of interest, especially with tools like Docker. Escaping LXC containers is a major security issue; you will need to learn AppArmor/SELinux to secure LXC
● User-Mode Linux is a very well kept secret. It's a great way to quickly run containers, especially in non-root environments, and works out of the box with all recent kernels.
Thank you!
Questions?
Simon Boulet
simon@nostalgeek.com
DevOpsMtl January 2014 - A Decade of Linux Containers