7. Virtualization
In computing, virtualization refers to the act of
creating a virtual version of resources,
including but not limited to a virtual computer
hardware platform, operating system (OS),
storage device, or computer network
resources.
http://en.wikipedia.org/wiki/Virtualization
8. Hypervisor
A hypervisor or virtual machine monitor (VMM)
is a piece of computer software, firmware or
hardware that creates and runs virtual
machines.
http://en.wikipedia.org/wiki/Hypervisor
10. Linux Containers
An operating system–level virtualization
method for running multiple isolated Linux
systems (containers) on a single control host.
http://en.wikipedia.org/wiki/LXC
12. Linux Kernel Features used by
Linux Containers
● Namespaces (what a process can see)
● cgroups (how much a process can use)
● AppArmor
● SELinux
● seccomp (which system calls a process can make)
● Capabilities (which privileged operations remain)
● chroot
13. Namespaces
Wraps a global system resource in an
abstraction that makes it appear to the
processes inside the namespace that they have
their own isolated instance of that resource.
The first namespace (mount) was included in
Linux kernel 2.4.19; the others were added
incrementally, with user namespaces completed
in 3.8
http://lwn.net/Articles/531114/
14. Namespaces
At the time of this deck, Linux implements six
different types of namespaces (later kernels
added cgroup and time namespaces):
1. mnt (mount points, filesystems)
2. pid (process IDs; the first process in a new
pid namespace is PID 1)
3. net (network stack: interfaces, routes,
firewall rules, sockets)
4. ipc (System V IPC, POSIX message queues)
5. uts (hostname and domain name)
6. user (user and group IDs; the one
namespace an unprivileged process may
create, and the one that grants the
capabilities needed to create the others)
http://www.cs.ucsb.edu/~rich/class/cs290-cloud/papers/lxc-namespace.pdf
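The following is an added example for this page, not code from LXC or from the cited paper. It shows three of the namespaces above in use from C: a child process unshares into new user, UTS and PID namespaces, renames its host and checks that it became PID 1, while the parent's hostname stays untouched. The result-code names and the "container" hostname are this example's own. On a kernel or sandbox where unprivileged user namespaces are disabled or filtered by seccomp, the unshare fails with EPERM/EINVAL and the example reports "unsupported" rather than faking a result.

```c
/* Added example (not from the original slides): a child unshares into new
 * user, UTS and PID namespaces, renames its host and checks it became PID 1,
 * while the parent's hostname stays as it was. Result codes and the
 * hostname string are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NS_ISOLATED = 0, NS_LEAKED = 1, NS_UNSUPPORTED = 2, NS_ERROR = 3 };

/* Runs as the first process of the new PID namespace. */
static int inside_namespaces(void)
{
    char name[64];
    /* Needs CAP_SYS_ADMIN in the user namespace owning the UTS namespace,
     * which unshare(CLONE_NEWUSER) just granted us. */
    if (sethostname("container", 9) != 0 || gethostname(name, sizeof name) != 0)
        return NS_ERROR;
    if (strcmp(name, "container") != 0)
        return NS_ERROR;
    return getpid() == 1 ? NS_ISOLATED : NS_LEAKED;
}

static int child_main(void)
{
    /* CLONE_NEWUSER is what lets an unprivileged process create the others. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS | CLONE_NEWPID) != 0) {
        if (errno == EPERM || errno == EINVAL || errno == ENOSYS || errno == EACCES)
            return NS_UNSUPPORTED;      /* user namespaces disabled or filtered */
        return NS_ERROR;
    }
    /* A new PID namespace applies to children only, so fork into it. */
    pid_t pid = fork();
    if (pid < 0)
        return NS_ERROR;
    if (pid == 0)
        _exit(inside_namespaces());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NS_ERROR;
    return WEXITSTATUS(status);
}

/* NS_ISOLATED when the child could rename its own host and saw itself as
 * PID 1 without the parent's hostname changing. */
int demo_namespaces(void)
{
    char before[64], after[64];
    if (gethostname(before, sizeof before) != 0)
        return NS_ERROR;
    pid_t pid = fork();
    if (pid < 0)
        return NS_ERROR;
    if (pid == 0)
        _exit(child_main());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NS_ERROR;
    if (gethostname(after, sizeof after) != 0)
        return NS_ERROR;
    if (strcmp(before, after) != 0)
        return NS_LEAKED;               /* the rename escaped the UTS namespace */
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = { "isolated", "leaked", "unsupported", "error" };
    int r = demo_namespaces();
    printf("namespaces: %s\n", msg[r]);
    return r;
}
```

The order matters: the user namespace has to be created in the same unshare() call (or before) the UTS and PID ones, because it is the user namespace that supplies the capabilities the other two require. A mount namespace would be added the same way with CLONE_NEWNS, which is what LXC and Docker do before switching the root filesystem.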
15. cgroups (Control Groups)
A Linux kernel feature to limit, account for,
and isolate the resource usage (CPU, memory,
disk I/O, etc.) of groups of processes.
Started by engineers at Google in 2006 (as
"process containers") and merged into the
Linux kernel in 2.6.24
http://en.wikipedia.org/wiki/Cgroups
16. cgroups Features
● Access: which devices can be used per
cgroup
● Resource limiting: memory, CPU, device
accessibility, block I/O, etc
● Prioritization: who gets more of the CPU,
memory, etc
● Accounting: resource usage per cgroup
● Control: freezing & checkpointing
http://en.wikipedia.org/wiki/Cgroups
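To make the accounting and limiting features above concrete, here is an added example written for this page (not code from the slides or from any cgroup tool) against the cgroup v2 unified hierarchy mounted at /sys/fs/cgroup. The accounting half parses /proc/self/cgroup to find the calling process's own cgroup and reads the memory ceiling that applies to it; the limiting half creates a cgroup, writes memory.max and moves the process in, after which the kernel enforces the limit. The control-file names are the kernel's; the function names, the "demo" cgroup name and the sample /proc/self/cgroup text used in testing are this example's own, and the limiting half needs root or a delegated parent cgroup.

```c
/* Added example (not from the original slides): cgroup v2 accounting and
 * limiting from C. Function names and the "demo" cgroup are this
 * example's own; /sys/fs/cgroup file names are the kernel's. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CG_ROOT "/sys/fs/cgroup"   /* unified (v2) hierarchy mount point */

/* Finds the v2 entry ("0::/path") in /proc/self/cgroup text and copies the
 * path to out. Legacy v1 lines ("12:memory:/path") are skipped.
 * Returns 0, or -1 when there is no v2 entry or out is too small. */
int cg_parse_self_path(const char *text, char *out, size_t outlen)
{
    const char *line = text;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 3 && strncmp(line, "0::", 3) == 0) {
            if (len - 3 >= outlen)
                return -1;
            memcpy(out, line + 3, len - 3);
            out[len - 3] = '\0';
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Same parse into a static buffer, for quick inspection; NULL if absent. */
const char *cg_self_path_of(const char *text)
{
    static char buf[256];
    return cg_parse_self_path(text, buf, sizeof buf) == 0 ? buf : NULL;
}

/* memory.max holds "max" (no limit) or a byte count. Returns the count,
 * -1 for "max", -2 for anything malformed. */
long long cg_parse_limit(const char *text)
{
    if (strncmp(text, "max", 3) == 0)
        return -1;
    char *end;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (errno != 0 || end == text || (*end != '\0' && *end != '\n'))
        return -2;
    return v;
}

static int cg_read(const char *path, char *buf, size_t n)   /* 0 or -errno */
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    ssize_t r = read(fd, buf, n - 1);
    int saved = errno;
    close(fd);
    if (r < 0) return -saved;
    buf[r] = '\0';
    return 0;
}

static int cg_write(const char *dir, const char *file, const char *value)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t w = write(fd, value, strlen(value));
    int saved = errno;
    close(fd);
    return w < 0 ? -saved : 0;
}

/* Accounting: the memory ceiling that applies to this process, in bytes;
 * -1 when unlimited; -2 when the v2 hierarchy is not available. */
long long cg_self_memory_max(void)
{
    char text[4096], path[256], file[512], limit[64];
    if (cg_read("/proc/self/cgroup", text, sizeof text) != 0 ||
        cg_parse_self_path(text, path, sizeof path) != 0)
        return -2;
    snprintf(file, sizeof file, CG_ROOT "%s/memory.max", path);
    if (cg_read(file, limit, sizeof limit) != 0)
        return -2;
    return cg_parse_limit(limit);
}

/* Limiting: create CG_ROOT/<name>, cap its memory, move this process in.
 * Needs root (or a delegated parent cgroup). Returns 0 or -errno. */
int cg_limit_self_memory(const char *name, long long bytes)
{
    char dir[512], value[32];
    snprintf(dir, sizeof dir, CG_ROOT "/%s", name);
    if (mkdir(dir, 0755) != 0 && errno != EEXIST)
        return -errno;
    snprintf(value, sizeof value, "%lld", bytes);
    int rc = cg_write(dir, "memory.max", value);
    if (rc != 0) return rc;
    snprintf(value, sizeof value, "%d", (int)getpid());
    return cg_write(dir, "cgroup.procs", value);   /* enforcement starts here */
}

int main(void)
{
    printf("memory.max for this process: %lld (-1 unlimited, -2 no cgroup v2)\n",
           cg_self_memory_max());
    int rc = cg_limit_self_memory("demo", 256LL << 20);   /* 256 MiB */
    printf("cg_limit_self_memory: %s\n", rc == 0 ? "applied" : strerror(-rc));
    return 0;
}
```

Once a process is in the "demo" cgroup, every child it forks inherits the membership, which is how a container runtime places a whole container under one limit; when memory.max is exceeded the kernel's OOM killer acts inside that cgroup only, which is the "isolate" part of the definition above.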
17. AppArmor
AppArmor is a Linux security module
implemented using the Linux Security Modules
(LSM) kernel interface.
It allows the system administrator to associate
with each program a security profile that
restricts the capabilities of that program.
http://en.wikipedia.org/wiki/AppArmor
18. SELinux (Security Enhanced Linux)
SELinux is a Linux kernel security module that
provides a mechanism for supporting access
control on security policies for programs.
Originally developed by the United States
National Security Agency (NSA).
Included in Linux kernel 2.6.0-test3, released
on 8 August 2003
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
19. SELinux - How it works
● Compiled into the Linux kernel (as an LSM)
● Security policies are packaged by the
distribution
● Policies in most distributions (the
"targeted" policy) confine only system
daemons, not user processes
● Checks its database of rules on each access
requested through a syscall, using the labels
on the process and on the object
● Policy allows/denies what a daemon can
access and how
● Confines a compromised daemon to its own
label, so it cannot reach other files, users,
etc. outside its policy
SELinux for Everyday Users, PaulWay
20. AppArmor vs. SELinux
AppArmor                           | SELinux
-----------------------------------|------------------------------------------------
Pathname based system              | Attaches labels to all files, processes
Auditable policies                 | Complex policy language
Integrated GUI/Console toolset     | Lack of integrated tools, hard to manage rules
Proficiency with 1-2 days training | Substantial training investment
Usability is primary goal          | Hard to maintain
(Comparison published by SUSE, which ships AppArmor. The trade-off cuts both ways: an SELinux label follows a file through renames and hard links, while a pathname rule applies only to the name it was written for.)
https://www.suse.com/support/security/apparmor/features/selinux_comparison.html
21. seccomp (Secure Computing Mode)
● seccomp is a secure-computing facility that
provides an application sandboxing
mechanism in the Linux kernel by restricting
the system calls a process may make
● In strict mode, it allows a process to make a
one-way transition into a "secure" state
where it cannot make any system calls except
exit(), sigreturn(), read() and write() on
already-open file descriptors
● In filter mode (seccomp-bpf), the process
installs a BPF program that decides per
system call, and per argument, whether to
allow it, fail it with an errno, or kill the
process; this is the mode container runtimes
use, since strict mode is too restrictive for
an ordinary process
http://en.wikipedia.org/wiki/Seccomp
22. seccomp (Secure Computing Mode)
Strict mode was merged into the Linux kernel
mainline in version 2.6.12 (2005); the BPF
filter mode followed in version 3.5 (2012).
http://en.wikipedia.org/wiki/Seccomp
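An added example for this page (not code from the slides or from any container runtime) of the filter mode that LXC and Docker actually use: a minimal seccomp-bpf program that checks the architecture, makes the mkdir and mkdirat system calls fail with EPERM, and allows everything else. A child installs the filter and then tries a raw mkdirat so the outcome does not depend on which entry point the libc wrapper uses; the parent is never filtered. The result-code names and the probe directory are this example's own. A real container profile works the other way round, allowlisting a few hundred calls and denying the rest.

```c
/* Added example (not from the original slides): a minimal seccomp-bpf filter,
 * the "filter mode" that LXC and Docker use rather than strict mode. It makes
 * mkdir/mkdirat fail with EPERM and lets everything else through. The result
 * codes and the probe directory name are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SYS_mkdir
#define SYS_mkdir SYS_mkdirat   /* aarch64 has only the *at entry point */
#endif

enum { SC_DENIED = 0, SC_ALLOWED = 1, SC_UNSUPPORTED = 2, SC_ERROR = 3 };

/* Installs the filter in the calling process. Returns 0 or -errno. */
int install_mkdir_filter(void)
{
    struct sock_filter filter[] = {
        /* Refuse a foreign ABI: syscall numbers differ per architecture. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; deny both mkdir entry points with EPERM. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdir, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else passes; a production profile would allowlist instead. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

    /* Lets an unprivileged process install a filter, and stops setuid
     * binaries from regaining privilege underneath it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Forks, installs the filter in the child only, and tries to create dir
 * there with a raw mkdirat so the result does not depend on libc. */
int run_filtered_mkdir(const char *dir)
{
    pid_t pid = fork();
    if (pid < 0)
        return SC_ERROR;
    if (pid == 0) {
        int rc = install_mkdir_filter();
        if (rc == -EINVAL || rc == -ENOSYS || rc == -EACCES)
            _exit(SC_UNSUPPORTED);          /* kernel lacks seccomp filtering */
        if (rc != 0)
            _exit(SC_ERROR);
        long r = syscall(SYS_mkdirat, AT_FDCWD, dir, 0700);
        if (r == -1 && errno == EPERM)
            _exit(SC_DENIED);               /* the filter answered, not the VFS */
        if (r == 0) {
            rmdir(dir);                     /* rmdir is still allowed */
            _exit(SC_ALLOWED);
        }
        _exit(SC_ERROR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return SC_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = { "denied (EPERM)", "allowed", "unsupported", "error" };
    int r = run_filtered_mkdir("/tmp/seccomp-demo-dir");
    printf("mkdirat under the filter: %s\n", msg[r]);
    return r;
}
```

The architecture check at the top is not optional: on x86_64 a process can still issue 32-bit system calls, whose numbers mean something else entirely, so a filter that only looks at the syscall number can be bypassed. Filters are inherited across fork() and execve() and cannot be removed, which is what makes the transition one-way for the filter mode as well.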
24. chroot
A chroot on Unix operating systems is an
operation that changes the root directory for
the current running process and its children.
A program that is run in such a modified
environment cannot name (and therefore
normally cannot access) files outside the
designated directory tree.
Provides file system virtualization only: the
kernel, devices, network and process table are
still shared, chroot() itself requires
CAP_SYS_CHROOT, and a process that keeps root
privileges inside the jail can get back out, so
a chroot is a view of the filesystem, not a
security boundary.
http://en.wikipedia.org/wiki/Chroot
25. chroot
The modified environment is called a "chroot
jail"
Introduced in version 7 Unix in 1979, and added
to BSD by Bill Joy on 18 March 1982
http://en.wikipedia.org/wiki/Chroot
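An added example for this page (not code from the slides) of entering a chroot jail in the order that avoids the classic mistake: calling chroot() without first chdir()ing into the new root leaves the working directory outside it, and relative paths still reach the host filesystem. A child enters the jail and then probes whether an absolute host path can still be named from inside; the parent stays outside. Because chroot() needs CAP_SYS_CHROOT, the probe reports "unsupported" instead of a result when run unprivileged. The result-code names, the temporary root directory and the probe path are this example's own.

```c
/* Added example (not from the original slides): chroot in the safe order
 * (chdir, chroot("."), chdir("/")), then a probe from inside the jail.
 * Result codes and the temporary root are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_HIDDEN = 0, JAIL_VISIBLE = 1, JAIL_UNSUPPORTED = 2, JAIL_ERROR = 3 };

/* Moves the calling process into newroot. Returns 0 or -errno. */
int enter_chroot(const char *newroot)
{
    if (chdir(newroot) != 0)        /* 1. put the cwd inside the future root */
        return -errno;
    if (chroot(".") != 0)           /* 2. the cwd becomes "/" (needs CAP_SYS_CHROOT) */
        return -errno;
    if (chdir("/") != 0)            /* 3. re-anchor the cwd at the new root */
        return -errno;
    return 0;
}

/* Creates an empty directory to use as a root; caller may rmdir() it. */
char *make_empty_root(void)
{
    char tmpl[] = "/tmp/jail-XXXXXX";
    char *dir = mkdtemp(tmpl);
    return dir ? strdup(dir) : NULL;
}

/* Forks, jails the child in newroot and checks whether host_path (an
 * absolute path that exists on the host) can still be named from inside. */
int probe_from_jail(const char *newroot, const char *host_path)
{
    if (access(host_path, F_OK) != 0)
        return JAIL_ERROR;              /* the probe must exist outside the jail */
    pid_t pid = fork();
    if (pid < 0)
        return JAIL_ERROR;
    if (pid == 0) {
        int rc = enter_chroot(newroot);
        if (rc == -EPERM)
            _exit(JAIL_UNSUPPORTED);    /* no CAP_SYS_CHROOT */
        if (rc != 0)
            _exit(JAIL_ERROR);
        /* The same absolute path is now resolved against the new root. */
        _exit(access(host_path, F_OK) == 0 ? JAIL_VISIBLE : JAIL_HIDDEN);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return JAIL_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = { "hidden", "visible", "unsupported (no CAP_SYS_CHROOT)", "error" };
    char *root = make_empty_root();
    if (!root)
        return JAIL_ERROR;
    int r = probe_from_jail(root, "/etc/passwd");
    rmdir(root);
    free(root);
    printf("/etc/passwd from inside the jail: %s\n", msg[r]);
    return r;
}
```

In practice the jailed process should also drop root (setgid/setuid to an unprivileged account) right after step 3, since the capability that was needed to enter the jail is the same one that lets a process leave it. LXC avoids chroot for this reason and uses pivot_root inside a mount namespace, which detaches the old root instead of merely hiding it.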
27. LXC Engine: A Hypervisor for
Containers
Linux Container Brief for IEEE WG P2302, Boden Russell
28. LXC (LinuX Containers)
LXC is an operating system–level virtualization
method for running multiple isolated Linux
systems (containers) on a single control host.
● From the inside it looks like a VM
● From the outside it looks like a normal
process
● Provides lightweight virtualization
29. Kernel Features used by LXC
● Kernel namespaces (ipc, uts, mount, pid,
network and user)
● Control groups (cgroups)
● Apparmor and SELinux profiles
● Seccomp policies
● Root filesystem switch (pivot_root inside a
mount namespace, rather than a plain chroot)
● Kernel capabilities (dropping those the
container does not need)
31. Docker
Docker is an open platform for developers and
sysadmins to build, ship, and run distributed
applications.
● Initially developed by dotCloud
● Original version written in Python, now
written in Go
● A very young project (started March, 2013),
but with a huge community
37. Docker - Hello World
# Get one base Docker image (pin the tag you intend to run)
$ docker pull ubuntu:14.04
# List Docker images available locally
$ docker images
# Run hello world in a throwaway container
$ docker run ubuntu:14.04 echo "hello world"
Docker Paris Meetup, Victor Vieux, dotCloud Inc
38. Detached mode
# Run a loop in detached mode (-d); the new container's ID is printed
$ docker run -d ubuntu:14.04 sh -c "while true; do echo hello world; sleep 1; done"
# Get the container's ID (and status) later
$ docker ps
# Follow its output without taking over its terminal
$ docker logs -f <container-id>
# Attach to the container (Ctrl-P Ctrl-Q detaches without stopping it)
$ docker attach <container-id>
# Stop/start/restart the container
$ docker stop <container-id>
$ docker start <container-id>
$ docker restart <container-id>
Docker Paris Meetup, Victor Vieux, dotCloud Inc
40. CoreOS
CoreOS is a new Linux distribution that has
been re-architected to provide features needed
to run modern infrastructure stacks.
48. Kubernetes Terminology
● Pod - A group of containers scheduled
together on one node, sharing a network
namespace and storage
● Labels - Key/value pairs attached to pods,
used to select them
● Kubelet - Container agent on each node that
starts and monitors that node's pods
● Proxy Service - A load balancer for Pods
(kube-proxy)
● etcd - A distributed key-value store holding
the cluster's state
● cAdvisor - Container Advisor provides resource
usage/performance statistics
● Replication Controller - Manages replication of
pods, keeping the desired number running
● Scheduler - Schedules pods onto worker nodes
● API server - Kubernetes API server, the front
end through which every component reads and
writes cluster state
49. Importance of containers for the
cloud
● Ability to run multiple OS-level isolated
environments within a single host
● Less startup time
● Less resource consumption
● Ultimately less expensive
● The trade-off: containers share the host
kernel, so the features above (namespaces,
cgroups, AppArmor/SELinux, seccomp,
capabilities) are the whole isolation
boundary, and a kernel bug is shared by every
container on the host