Evolution of Linux Container Virtualization

Imesh Gunaratne

Technical Lead, WSO2Committer & PMC Member, Apache Stratos

Agenda

● Virtualization● Linux Containers● LXC ● Docker● CoreOS● Kubernetes

Virtualization

Virtualization

In computing, refers to the act of creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources.

http://en.wikipedia.org/wiki/Virtualization

Hypervisor

A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.

http://en.wikipedia.org/wiki/Hypervisor

Linux Containers

Linux Containers

Linux Container Brief for IEEE WG P2302, Boden Russell

Linux Containers

An operating system–level virtualization method for running multiple isolated Linux systems (containers) on a single control host.

http://en.wikipedia.org/wiki/LXC

Linux Kernel Features used by Linux Containers

● Namespaces● cgroups● AppArmor● SELinux● seccomp● chroot

Namespaces

Wraps global system resources in an abstraction that makes it appear to the processes that they have their own isolated instance of the global resource.

Included in Linux Kernel 2.4.19

http://lwn.net/Articles/531114/

Namespaces

Currently, Linux implements six different types of namespaces:

1. mnt (mount points, filesystems)2. pid (processes)3. net (network stack)4. ipc (inter-process communication)5. uts (hostname)6. user (user ids)

http://www.cs.ucsb.edu/~rich/class/cs290-cloud/papers/lxc-namespace.pdf

cgroups (Control Groups)

A Linux kernel feature to limit, account, and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups.

Started by engineers in Google in 2007 and merged into the Linux Kernel 2.6.24

http://en.wikipedia.org/wiki/Cgroups

cgroups (Control Groups)

● Access: which devices can be used per cgroup

● Resource limiting: memory, CPU, device accessibility, block I/O, etc

● Prioritization: who gets more of the CPU, memory, etc

● Accounting: resource usage per cgroup● Control: freezing & checkpointing

http://en.wikipedia.org/wiki/Cgroups

AppArmor

AppArmor is a Linux security module implemented using the Linux Security Modules (LSM) kernel interface.

It allows the system administrator to associate with each program a security profile that restricts the capabilities of that program.

http://en.wikipedia.org/wiki/AppArmor

SELinux (Security Enhanced Linux)

SELinux is a Linux kernel security module that provides a mechanism for supporting access control on security policies for programs.

Originally developed by the United States National Security Agency (NSA).Included in Linux kernel 2.6.0-test3, released on 8 August 2003

http://en.wikipedia.org/wiki/Security-Enhanced_Linux

SELinux - How it works

● Compiled into the Linux kernel● Package security policies in the distribution● Policies in most distributions are applied

only to system processes, not user processes

● Checks database of rules on syscalls● Policies allows/denies what a daemon can

access and how● Prevents daemons compromise affecting

other files/users/etc (namespaces)SELinux for Everyday Users, PaulWay

seccomp (Secure Computing Mode)

● seccomp is a secure-computing facility that provides an application sandboxing mechanism in the Linux kernel.

● Provides isolation for computing● It allows a process to make a one-way

transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write().

http://en.wikipedia.org/wiki/Seccomp

seccomp (Secure Computing Mode)

It was merged into the Linux kernel mainline in version 2.6.12, released on March 8, 2005.

http://en.wikipedia.org/wiki/Seccomp

chroot

http://www.lorien.ch/server/chroot.html

chroot

A chroot on Unix operating systems is an operation that changes the root directory for the current running process and its children.

A program that is run in such a modified environment cannot name (and therefore normally not access) files outside the designated directory tree.

http://en.wikipedia.org/wiki/Chroot

chroot

The modified environment is called a "chroot jail"

Introduced in version 7 Unix in 1979, and added to BSD by Bill Joy on 18 March 1982

http://en.wikipedia.org/wiki/Chroot

LXCA Hypervisor for Linux Containers

LXC Engine: A Hypervisor for Containers

Linux Container Brief for IEEE WG P2302, Boden Russell

LXC (LinuX Containers)

LXC is an operating system–level virtualization method for running multiple isolated Linux systems (containers) on a single control host.

● From the inside it looks like a VM● From the outside it looks like a normal

process● Provides lightweight virtualization

Kernel Features used by LXC

● Kernel namespaces (ipc, uts, mount, pid, network and user)

● Control groups (cgroups)● Apparmor and SELinux profiles● Seccomp policies● Chroots (using pivot_root)● Kernel capabilities

Docker

Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications.

● Initially developed by dotCloud● Original version written in Python, now

written in Go● A very young project (started March, 2013),

but with a huge community

Problem: Shipping Software

Introduction to Docker, Jérôme Petazzoni

Solution: Linux Container

Introduction to Docker, Jérôme Petazzoni

Solved

Introduction to Docker, Jérôme Petazzoni

Virtual Machines Vs Docker

Docker Architecture

Enterprise Docker, Adrien BLIND, Aurelien GABET, Arnaud MAZIN

Docker - Hello World

# Get one base Docker image>docker pull ubuntu

# List Docker images available>docker images

# Run hello world>docker run ubuntu:14.04 echo "hello world"

Docker Paris Meetup, Victor Vieux, dotCloud Inc

Detached mode# Run hello world in detached mode (-d)>docker run -d ubuntu sh -c "while true; do echo hello world; sleep 1; done"

# Get container’s ID>docker ps

# Attach to the container>docker attach <container-id>

# Stop/start/restart the container>docker stop <container-id>

Docker Paris Meetup, Victor Vieux, dotCloud Inc

CoreOS

CoreOS is a new Linux distribution that has been re-architected to provide features needed to run modern infrastructure stacks.

CoreOS Architecture

CoreOS Architecture

Fleet ties together systemd and etcd into a distributed init system

Kubernetes

Kubernetes is an open source implementation of container cluster management.

Kubernetes High Level Architecture

Kubernetes High Level Architecture

Kubernetes Component Architecture

Kubernetes Terminology

● Pod - A group of Containers● Labels - Labels for identifying pods● Kubelet - Container Agent● Proxy Service - A load balancer for Pods● etcd - A metadata service● cAdvisor - Container Advisor provides resource

usage/performance statistics● Replication Controller - Manages replication of

pods● Scheduler - Schedules pods in worker nodes● API server - Kubernetes API server

References

● http://en.wikipedia.org/wiki/Virtualization● http://en.wikipedia.org/wiki/Hypervisor● http://en.wikipedia.org/wiki/LXC● http://www.cs.ucsb.edu/~rich/class/cs290-

cloud/papers/lxc-namespace.pdf● http://en.wikipedia.org/wiki/Cgroups● http://en.wikipedia.org/wiki/AppArmor● http://en.wikipedia.org/wiki/Security-

Enhanced_Linux● http://www.lorien.ch/server/chroot.html

References

● SELinux for Everyday Users, PaulWay● http://en.wikipedia.org/wiki/Seccomp● http://en.wikipedia.org/wiki/Chroot● Linux Container Brief for IEEE WG P2302,

Boden Russell● http://kubernetes.io/● https://coreos.com