SlideShare uma empresa Scribd logo

LXC Containers and AUFs

Docker, Inc.
Docker, Inc.
1 de 51
Baixar para ler offline
Lightweight Virtualization LXC containers & AUFS SCALE11x — February 2013, Los Angeles Those slides are available at: http://goo.gl/bFHSh  
Outline •  Intro: who, what, why? •  LXC containers •  Namespaces •  Cgroups •  AUFS •  setns •  Future developments
Who am I? Jérôme Petazzoni @jpetazzo SRE (=DevOps) at dotCloud dotCloud is the first "polyglot" PaaS, and we built it with Linux Containers!
What is this about? LXC (LinuX Containers) let you run a Linux system within another Linux system. A container is a group of processes on a Linux box, put together in an isolated environment. Inside the box, it looks like a VM. Outside the box, it looks like normal processes. This is "chroot() on steroids”
Why should I care? 1. I will try to convince you that it's awesome. 2. I will try to explain how it works. 3. I will try to get you involved!
Why should I care? 1. I will convince you that it's awesome. 2. I will explain how it works. 3. You will want to get involved!
Why is it awesome? The 3 reasons why containers are awesome
Why? 3) Speed! Ships within ... Manual deployment takes ... Automated deployment takes ... Boots in ... Bare Metal days hours minutes minutes Virtualization minutes minutes seconds less than a minute Lightweight Virtualization seconds minutes seconds seconds
Why? 2) Footprint! On a typical physical server, with average compute resources, you can easily run: •  10-100 virtual machines •  100-1000 containers On disk, containers can be very light. A few MB — even without fancy storage.
Why? 1) It's still virtualization! Each container has: •  its own network interface (and IP address) o  can be bridged, routed... just like $your_favorite_vm •  its own filesystem o  Debian host can run Fedora container (&vice-versa) •  isolation (security) o  container A & B can't harm (or even see) each other •  isolation (resource usage) o  soft & hard quotas for RAM, CPU, I/O...
Some use-cases For developers, hosting providers, and the rest of us
Use-cases: Developers •  Continuous Integration o  After each commit, run 100 tests in 100 VMs •  Escape dependency hell o  Build (and/or run) in a controlled environment •  Put everything in a VM o  Even the tiny things
Use-cases: Hosters •  Cheap Cheaper Hosting (VPS providers) o  I'd rather say "less expensive", if you get my drift o  Already a lot of vserver/openvz/... around •  Give away more free stuff o  "Pay for your production, get your staging for free!" o  We do that at dotCloud •  Spin down to save resources o  And spin up on demand, in seconds o  We do that, too
Use-cases: Everyone •  Look inside your VMs o  You can see (and kill) individual processes o  You can browse (and change) the filesystem •  Do whatever you did with VMs o  ... But faster
Breaking news: LXC can haz migration! This slide intentionally left blank (but the talk right before mine should have interesting results) oh yes indeed!
LXC lifecycle •  lxc-­‐createSetup a container (root filesystem and config) •  lxc-­‐startBoot the container (by default, you get a console) •  lxc-­‐console Attach a console (if you started in background) •  lxc-­‐stop Shutdown the container •  lxc-­‐destroy Destroy the filesystem created with lxc-create
How does it work? First time I tried LXC: #  lxc-­‐start  -­‐-­‐name  thingy  -­‐-­‐daemon   #  ls  /cgroup   ...  thingy/  ...   "So, LXC containers are powered by cgroups?" Wrong.
Namespaces Partition essential kernel structures to create virtual environments e.g., you can have multiple processes with PID 42, in different environments
Different kinds of namespaces •  pid (processes) •  net (network interfaces, routing...) •  ipc (System V IPC) •  mnt (mount points, filesystems) •  uts (hostname) •  user (UIDs)
Creating namespaces •  Extra flags to the clone() system call •  CLI tool unshare   Notes: •  You don't have to use all namespaces •  A new process inherits its parent's ns •  No easy way to attach to an existing ns o  Until recently! More on this later.
Namespaces: pid   •  Processes in a pid don't see processes of the whole system •  Each pid namespace has a PID #1 •  pid namespaces are actually nested •  A given process can have multiple PIDs o  One in each namespace it belongs to o  ... So you can easily access processes of children ns •  Can't see/affect processes in parent/sibling ns
Namespaces: net   •  Each net namespace has its own… o  Network interfaces (and its own lo/127.0.0.1) o  IP address(es) o  routing table(s) o  iptables rules •  Communication between containers: o  UNIX domain sockets (=on the filesystem) o  Pairs of veth interfaces
Setting up veth interfaces 1/2 #  Create  new  process,  <PID>,  with  its  own  net  ns   unshare  -­‐-­‐net  bash   echo  $$   #  Create  a  pair  of  (connected)  veth  interfaces   ip  link  add  name  lehost  type  veth  peer  name  leguest   #  Put  one  of  them  in  the  new  net  ns   ip  link  set  leguest  netns  <PID>  
Setting up veth interfaces 2/2 #  In  the  guest  (our  unshared  bash),  setup  leguest   ip  link  set  leguest  name  eth0   ifconfig  eth0  192.168.1.2   ifconfig  lo  127.0.0.1   #  In  the  host  (our  initial  environment),  setup  lehost   ifconfig  lehost  192.168.1.1   #  Alternatively:   brctl  addif  br0  lehost   #  ...  Or  anything  else!  
Namespaces: ipc   •  Remember "System V IPC"?msgget, semget, shmget   •  Have been (mostly) superseded by POSIX alternatives: mq_open, sem_open, shm_open   •  However, some stuff still uses "legacy" IPC. •  Most notable example: PostgreSQL The problem: xxxget() asks for a key, usually derived from the inode of a well-known file The solution: ipc namespace
Namespaces: mnt   •  Deluxe chroot()   •  A mnt namespace can have its own rootfs •  Filesystems mounted in a mnt namespace are visible only in this namespace •  You need to remount special filesystems, e.g.: o  procfs (to see your processes) o  devpts (to see your pseudo-terminals)
Setting up space efficient containers (1/2) /containers/leguest_1/rootfs  (empty  directory)   /containers/leguest_1/home  (container  private  data)   /images/ubuntu-­‐rootfs  (created  by  debootstrap)   CONTAINER=/containers/leguest_1   mount  -­‐-­‐bind  /images/ubuntu-­‐rootfs  $CONTAINER/rootfs   mount  -­‐o  ro,remount,bind  /images/ubuntu-­‐rootfs  $CONTAINER/rootfs   unshare  -­‐-­‐mount  bash   mount  -­‐-­‐bind  $CONTAINER/home  $CONTAINER/rootfs/home   mount  -­‐t  tmpfs  none  $CONTAINER/tmp   #  unmount  what  you  don't  need  ...   #  remount  /proc,  /dev/pts,  etc.,  and  then:   chroot  $CONTAINER/rootfs  
Setting up space efficient containers (2/2) Repeat the previous slides multiple times (Once for each different container.) But, the root filesystem is read-only...? No problem, nfsroot howtos have been around since … 1996
Namespaces: uts   Deals with just two syscalls: gethostname(),sethostname()   Useful to find out in which container you are ... More seriously: some tools might behave differently depending on the hostname (sudo)
Namespaces: user   UID42 in container X isn't UID42 in container Y •  Useful if you don't use the pid namespace (With it, X42 can't see/touch Y42 anyway) •  Can make sense for system-wide, per-user resource limits if you don't use cgroups   •  Honest: didn't really play with those!
Control Groups Create as many cgroups as you like. Put processes within cgroups. Limit, account, and isolate resource usage. Think ulimit, but for groups of processes … and with fine-grained accounting.
Cgroups: the basics Everything exposed through a virtual filesystem /cgroup, /sys/fs/cgroup... YourMountpointMayVary Create a cgroup: mkdir  /cgroup/aloha   Move process with PID 1234 to the cgroup: echo  1234  >  /cgroup/aloha/tasks   Limit memory usage: echo  10000000  >  /cgroup/aloha/memory.limit_in_bytes  
Cgroup: memory •  Limit o  memory usage, swap usage o  soft limits and hard limits o  can be nested •  Account o  cache vs. rss o  active vs. inactive o  file-backed pages vs. anonymous pages o  page-in/page-out •  Isolate o  "Get Off My Ram!" o  Reserve memory thanks to hard limits
Cgroup: CPU (and friends) •  Limit o  Set cpu.shares (defines relative weights) •  Account o  Check cpustat.usage for user/system breakdown •  Isolate o  Use cpuset.cpus (also for NUMA systems) Can't really throttle a group of process. But that's OK: context-switching << 1/HZ
Cgroup: Block I/O •  Limit & Isolate o  blkio.throttle.{read,write}.{iops,bps}.device o  Drawback: only for sync I/O (i.e.: "classical" reads; not writes; not mapped files) •  Account o  Number of IOs, bytes, service time... o  Drawback: same as previously Cgroups aren't perfect if you want to limit I/O. Limiting the amount of dirty memory helps a bit.
AUFS Writable single-system images or Copy-on-write at the filesystem level
AUFS quick example You have the following directories: /images/ubuntu-­‐rootfs   /containers/leguest/rootfs   /containers/leguest/rw   mount  -­‐t  aufs                -­‐o  br=/containers/leguest/rw=rw:/images/ubuntu-­‐ rootfs=ro                none  /containers/leguest/rootfs   Now, you can write in rootfs: changes will go to the rw directory.
Union filesystems benefits •  Use a single image (remember the mnt namespace with read-only filesystem?) •  Get read-writable root filesystem anyway •  Be nice with your page cache •  Easily track changes (rw directory)
AUFS layers •  Traditional use o  one read-only layer, one read-write layer •  System image development o  one read-only layer, one read-write layer o  checkpoint current work by adding another rw layer o  merge multiple rw layers (or use them as-is) o  track changes and replicate quickly •  Installation of optional packages o  one read-only layer with the base image o  multiple read-only layers with "plugins" / "addons" o  one read-write layer (if needed)
AUFS compared to others •  Low number of developers •  Not in mainstream kernel o  But Ubuntu ships with AUFS •  Has layers, whiteouts, inode translation, proper support for mmap... •  Every now and then, another Union FS makes it into the kernel (latest is overlayfs) •  Eventually, (some) people realize that it lacks critical features (for their use-case) o  And they go back to AUFS
AUFS personal statement AUFS is the worst union filesystems out there; except for all the others that have been tried. Not Churchill
Getting rid of AUFS •  Use separate mounts for tmp, var, data... •  Use read-only root filesystem •  Or use a simpler union FS (important data is in other mounts anyway)
setns()   The use-case Use-case: managing running containers (i.e. "I want to log into this container") •  SSH (inject authorized_keys file) •  some kind of backdoor •  spawn a process directly in the container This is what we want! •  no extra process (it could die, locking us out) •  no overhead
setns()   In theory •  LXC userland tools feature lxc-attach •  It relies on setns() syscall… •  …And on some files in /proc/<PID>/ns/   fd  =  open("/proc/<pid>/ns/pid")   setns(fd,  0)   And boom, the current process joined the namespace of <pid>!
setns()   In practice Problem (with kernel <3.8): #  ls  /proc/1/ns/   ipc    net    uts   Wait, what?!? (We're missing mnt  pid  user) You need custom kernel patches. Linux 3.8 to the rescue!
Lightweight virtualization at dotCloud •  >100 LXC hosts •  Up to 1000 running containers per host •  Many more sleeping containers •  Webapps o  Java, Python, Node.js, Ruby, Perl, PHP... •  Databases o  MySQL, PostgreSQL, MongoDB... •  Others o  Redis, ElasticSearch, SOLR...
Lightweight virtualization at $HOME •  We wrote the first lines of our current container management code back in 2010 •  We learned many lessons in the process (sometimes the hard way!) •  It got very entangled with our platform (networking, monitoring, orchestration...) •  We are writing a new container management tool, for a DevOps audience Would you like to know more?
Mandatory shameless plug If you think that this was easy-peasy, or extremely interesting: Join us! jobs@dotcloud.com
Thank you! More about containers, scalability, PaaS... http://blog.dotcloud.com/ @jpetazzo
Thank you! More about containers, scalability, PaaS... http://blog.dotcloud.com/ @jpetazzo

Recomendados

Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureJérôme Petazzoni
 
Lightweight Virtualization: LXC containers & AUFS
Lightweight Virtualization: LXC containers & AUFSLightweight Virtualization: LXC containers & AUFS
Lightweight Virtualization: LXC containers & AUFSJérôme Petazzoni
 
Introduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyIntroduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyJérôme Petazzoni
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talkdotCloud
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerKnoldus Inc.
 
Portable TeX Documents (PTD): PackagingCon 2021
Portable TeX Documents (PTD): PackagingCon 2021Portable TeX Documents (PTD): PackagingCon 2021
Portable TeX Documents (PTD): PackagingCon 2021Jonathan Fine
 

Recomendados

Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureJérôme Petazzoni
 
Lightweight Virtualization: LXC containers & AUFS
Lightweight Virtualization: LXC containers & AUFSLightweight Virtualization: LXC containers & AUFS
Lightweight Virtualization: LXC containers & AUFSJérôme Petazzoni
 
Introduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyIntroduction to Docker at Glidewell Laboratories in Orange County
Introduction to Docker at Glidewell Laboratories in Orange CountyJérôme Petazzoni
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker, Inc.
 
Scale11x lxc talk
Scale11x lxc talkScale11x lxc talk
Scale11x lxc talkdotCloud
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerKnoldus Inc.
 
Portable TeX Documents (PTD): PackagingCon 2021
Portable TeX Documents (PTD): PackagingCon 2021Portable TeX Documents (PTD): PackagingCon 2021
Portable TeX Documents (PTD): PackagingCon 2021Jonathan Fine
 
Namespaces in Linux
Namespaces in LinuxNamespaces in Linux
Namespaces in LinuxLubomir Rintel
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux ContainersKirill Kolyshkin
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Jérôme Petazzoni
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationC4Media
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
Containers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelContainers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelOpenVZ
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespacesLocaweb
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSjoshuasoundcloud
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Ralf Dannert
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Jérôme Petazzoni
 
Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containerssamof76
 
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleIntroduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleJérôme Petazzoni
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdRichard Lister
 
Test What You Write, Ship What You Test
Test What You Write, Ship What You TestTest What You Write, Ship What You Test
Test What You Write, Ship What You TestDocker, Inc.
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 Docker, Inc.
 

Mais conteúdo relacionado

Mais procurados

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux ContainersKirill Kolyshkin
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Jérôme Petazzoni
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationC4Media
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Dobrica Pavlinušić
 
Containers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelContainers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelOpenVZ
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratchjoshuasoundcloud
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespacesLocaweb
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSjoshuasoundcloud
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Ralf Dannert
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Jérôme Petazzoni
 
Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containerssamof76
 
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleIntroduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleJérôme Petazzoni
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the CloudPavel Odintsov
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdRichard Lister
 

Mais procurados (20)

Namespaces in Linux
Namespaces in LinuxNamespaces in Linux
Namespaces in Linux
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
 
Seven problems of Linux Containers
Seven problems of Linux ContainersSeven problems of Linux Containers
Seven problems of Linux Containers
 
Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...Containerization is more than the new Virtualization: enabling separation of ...
Containerization is more than the new Virtualization: enabling separation of ...
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
Containerization Is More than the New Virtualization
Containerization Is More than the New VirtualizationContainerization Is More than the New Virtualization
Containerization Is More than the New Virtualization
 
Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)Virtualization which isn't: LXC (Linux Containers)
Virtualization which isn't: LXC (Linux Containers)
 
Containers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux KernelContainers and Namespaces in the Linux Kernel
Containers and Namespaces in the Linux Kernel
 
Linux Containers From Scratch
Linux Containers From ScratchLinux Containers From Scratch
Linux Containers From Scratch
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespaces
 
Linux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPSLinux Containers From Scratch: Makfile MicroVPS
Linux Containers From Scratch: Makfile MicroVPS
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9
 
Lxc- Linux Containers
Lxc- Linux ContainersLxc- Linux Containers
Lxc- Linux Containers
 
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleIntroduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
 
Containers are the future of the Cloud
Containers are the future of the CloudContainers are the future of the Cloud
Containers are the future of the Cloud
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love Systemd
 

Destaque

Test What You Write, Ship What You Test
Test What You Write, Ship What You TestTest What You Write, Ship What You Test
Test What You Write, Ship What You TestDocker, Inc.
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 Docker, Inc.
 
Docker Deployments
Docker DeploymentsDocker Deployments
Docker DeploymentsDocker, Inc.
 
Tupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FBTupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FBDocker, Inc.
 
Heart of the SwarmKit: Store, Topology & Object Model
Heart of the SwarmKit: Store, Topology & Object ModelHeart of the SwarmKit: Store, Topology & Object Model
Heart of the SwarmKit: Store, Topology & Object ModelDocker, Inc.
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersDocker, Inc.
 
Talking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionTalking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionDocker, Inc.
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSDocker, Inc.
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen DayDocker, Inc.
 
Prometheus design and philosophy
Prometheus design and philosophy Prometheus design and philosophy
Prometheus design and philosophy Docker, Inc.
 
Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Docker, Inc.
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresDocker, Inc.
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsDocker, Inc.
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker, Inc.
 
Persistent storage tailored for containers
Persistent storage tailored for containersPersistent storage tailored for containers
Persistent storage tailored for containersDocker, Inc.
 
Docker Networking Deep Dive
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep DiveDocker, Inc.
 
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...Docker, Inc.
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016Docker, Inc.
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Docker, Inc.
 
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker and Microsoft - Windows Server 2016 Technical Deep DiveDocker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker and Microsoft - Windows Server 2016 Technical Deep DiveDocker, Inc.
 

Destaque (20)

Test What You Write, Ship What You Test
Test What You Write, Ship What You TestTest What You Write, Ship What You Test
Test What You Write, Ship What You Test
 
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16 What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
What's New in Docker 1.12 by Nishant Totla for Docker SF Meetup 08.03.16
 
Docker Deployments
Docker DeploymentsDocker Deployments
Docker Deployments
 
Tupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FBTupperware: Containerized Deployment at FB
Tupperware: Containerized Deployment at FB
 
Heart of the SwarmKit: Store, Topology & Object Model
Heart of the SwarmKit: Store, Topology & Object ModelHeart of the SwarmKit: Store, Topology & Object Model
Heart of the SwarmKit: Store, Topology & Object Model
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
 
Talking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionTalking TUF: Securing Software Distribution
Talking TUF: Securing Software Distribution
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOS
 
'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day'The History of Metrics According to me' by Stephen Day
'The History of Metrics According to me' by Stephen Day
 
Prometheus design and philosophy
Prometheus design and philosophy Prometheus design and philosophy
Prometheus design and philosophy
 
Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica Orchestrating Least Privilege by Diogo Monica
Orchestrating Least Privilege by Diogo Monica
 
Orchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failuresOrchestrating Linux Containers while tolerating failures
Orchestrating Linux Containers while tolerating failures
 
Infinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container EnvironmentsInfinit: Modern Storage Platform for Container Environments
Infinit: Modern Storage Platform for Container Environments
 
Docker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&ADocker Online Meetup: Infrakit update and Q&A
Docker Online Meetup: Infrakit update and Q&A
 
Persistent storage tailored for containers
Persistent storage tailored for containersPersistent storage tailored for containers
Persistent storage tailored for containers
 
Docker Networking Deep Dive
Docker Networking Deep DiveDocker Networking Deep Dive
Docker Networking Deep Dive
 
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
 
Docker Roadshow 2016
Docker Roadshow 2016Docker Roadshow 2016
Docker Roadshow 2016
 
Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0 Online Meetup: What's new in docker 1.13.0
Online Meetup: What's new in docker 1.13.0
 
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker and Microsoft - Windows Server 2016 Technical Deep DiveDocker and Microsoft - Windows Server 2016 Technical Deep Dive
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
 

Semelhante a LXC Containers and AUFs

Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Docker, Inc.
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingDmitry Spodarets
 
Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XJérôme Petazzoni
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introductionkanedafromparis
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQJérôme Petazzoni
 
Java in containers
Java in containersJava in containers
Java in containersMartin Baez
 
Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Dave Holland
 
Introduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersIntroduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersVaibhav Sharma
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnwgarrett honeycutt
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Anthony Wong
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
Leonid Vasilyev "Building, deploying and running production code at Dropbox"Leonid Vasilyev "Building, deploying and running production code at Dropbox"
Leonid Vasilyev "Building, deploying and running production code at Dropbox"IT Event
 

Semelhante a LXC Containers and AUFs (20)

Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?Cgroups, namespaces and beyond: what are containers made from?
Cgroups, namespaces and beyond: what are containers made from?
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Containers for Science and High-Performance Computing
Containers for Science and High-Performance ComputingContainers for Science and High-Performance Computing
Containers for Science and High-Performance Computing
 
Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12X
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introduction
 
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQDocker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
Docker Introduction, and what's new in 0.9 — Docker Palo Alto at RelateIQ
 
Java in containers
Java in containersJava in containers
Java in containers
 
Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017
 
Introduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersIntroduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & Containers
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw20100425 Configuration Management With Puppet Lfnw
20100425 Configuration Management With Puppet Lfnw
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
Leonid Vasilyev "Building, deploying and running production code at Dropbox"Leonid Vasilyev "Building, deploying and running production code at Dropbox"
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
 

Mais de Docker, Inc.

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Docker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubDocker, Inc.
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices WorldDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...Docker, Inc.
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with DockerDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Docker, Inc.
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog ScaleDocker, Inc.
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels Docker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...Docker, Inc.
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDocker, Inc.
 

Mais de Docker, Inc. (20)

Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience Containerize Your Game Server for the Best Multiplayer Experience
Containerize Your Game Server for the Best Multiplayer Experience
 
How to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker BuildHow to Improve Your Image Builds Using Advance Docker Build
How to Improve Your Image Builds Using Advance Docker Build
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
Securing Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINXSecuring Your Containerized Applications with NGINX
Securing Your Containerized Applications with NGINX
 
How To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and ComposeHow To Build and Run Node Apps with Docker and Compose
How To Build and Run Node Apps with Docker and Compose
 
Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 

LXC Containers and AUFs

  • 1. Lightweight Virtualization LXC containers & AUFS SCALE11x — February 2013, Los Angeles Those slides are available at: http://goo.gl/bFHSh  
  • 2. Outline •  Intro: who, what, why? •  LXC containers •  Namespaces •  Cgroups •  AUFS •  setns •  Future developments
  • 3. Who am I? Jérôme Petazzoni @jpetazzo SRE (=DevOps) at dotCloud dotCloud is the first "polyglot" PaaS, and we built it with Linux Containers!
  • 4. What is this about? LXC (LinuX Containers) let you run a Linux system within another Linux system. A container is a group of processes on a Linux box, put together in an isolated environment. Inside the box, it looks like a VM. Outside the box, it looks like normal processes. This is "chroot() on steroids”
  • 5. Why should I care? 1. I will try to convince you that it's awesome. 2. I will try to explain how it works. 3. I will try to get you involved!
  • 6.
  • 7. Why should I care? 1. I will convince you that it's awesome. 2. I will explain how it works. 3. You will want to get involved!
  • 8. Why is it awesome? The 3 reasons why containers are awesome
  • 9. Why? 3) Speed! Ships within ... Manual deployment takes ... Automated deployment takes ... Boots in ... Bare Metal days hours minutes minutes Virtualization minutes minutes seconds less than a minute Lightweight Virtualization seconds minutes seconds seconds
  • 10. Why? 2) Footprint! On a typical physical server, with average compute resources, you can easily run: •  10-100 virtual machines •  100-1000 containers On disk, containers can be very light. A few MB — even without fancy storage.
  • 11. Why? 1) It's still virtualization! Each container has: •  its own network interface (and IP address) o  can be bridged, routed... just like $your_favorite_vm •  its own filesystem o  Debian host can run Fedora container (&vice-versa) •  isolation (security) o  container A & B can't harm (or even see) each other •  isolation (resource usage) o  soft & hard quotas for RAM, CPU, I/O...
  • 12. Some use-cases For developers, hosting providers, and the rest of us
  • 13. Use-cases: Developers •  Continuous Integration o  After each commit, run 100 tests in 100 VMs •  Escape dependency hell o  Build (and/or run) in a controlled environment •  Put everything in a VM o  Even the tiny things
  • 14. Use-cases: Hosters •  Cheap Cheaper Hosting (VPS providers) o  I'd rather say "less expensive", if you get my drift o  Already a lot of vserver/openvz/... around •  Give away more free stuff o  "Pay for your production, get your staging for free!" o  We do that at dotCloud •  Spin down to save resources o  And spin up on demand, in seconds o  We do that, too
  • 15. Use-cases: Everyone •  Look inside your VMs o  You can see (and kill) individual processes o  You can browse (and change) the filesystem •  Do whatever you did with VMs o  ... But faster
  • 16. Breaking news: LXC can haz migration! This slide intentionally left blank (but the talk right before mine should have interesting results) oh yes indeed!
  • 17. LXC lifecycle •  lxc-­‐createSetup a container (root filesystem and config) •  lxc-­‐startBoot the container (by default, you get a console) •  lxc-­‐console Attach a console (if you started in background) •  lxc-­‐stop Shutdown the container •  lxc-­‐destroy Destroy the filesystem created with lxc-create
  • 18. How does it work? First time I tried LXC: #  lxc-­‐start  -­‐-­‐name  thingy  -­‐-­‐daemon   #  ls  /cgroup   ...  thingy/  ...   "So, LXC containers are powered by cgroups?" Wrong.
  • 19. Namespaces Partition essential kernel structures to create virtual environments e.g., you can have multiple processes with PID 42, in different environments
  • 20. Different kinds of namespaces •  pid (processes) •  net (network interfaces, routing...) •  ipc (System V IPC) •  mnt (mount points, filesystems) •  uts (hostname) •  user (UIDs)
  • 21. Creating namespaces •  Extra flags to the clone() system call •  CLI tool unshare   Notes: •  You don't have to use all namespaces •  A new process inherits its parent's ns •  No easy way to attach to an existing ns o  Until recently! More on this later.
  • 22. Namespaces: pid   •  Processes in a pid don't see processes of the whole system •  Each pid namespace has a PID #1 •  pid namespaces are actually nested •  A given process can have multiple PIDs o  One in each namespace it belongs to o  ... So you can easily access processes of children ns •  Can't see/affect processes in parent/sibling ns
  • 23. Namespaces: net   •  Each net namespace has its own… o  Network interfaces (and its own lo/127.0.0.1) o  IP address(es) o  routing table(s) o  iptables rules •  Communication between containers: o  UNIX domain sockets (=on the filesystem) o  Pairs of veth interfaces
  • 24. Setting up veth interfaces 1/2 #  Create  new  process,  <PID>,  with  its  own  net  ns   unshare  -­‐-­‐net  bash   echo  $$   #  Create  a  pair  of  (connected)  veth  interfaces   ip  link  add  name  lehost  type  veth  peer  name  leguest   #  Put  one  of  them  in  the  new  net  ns   ip  link  set  leguest  netns  <PID>  
  • 25. Setting up veth interfaces 2/2 #  In  the  guest  (our  unshared  bash),  setup  leguest   ip  link  set  leguest  name  eth0   ifconfig  eth0  192.168.1.2   ifconfig  lo  127.0.0.1   #  In  the  host  (our  initial  environment),  setup  lehost   ifconfig  lehost  192.168.1.1   #  Alternatively:   brctl  addif  br0  lehost   #  ...  Or  anything  else!  
  • 26. Namespaces: ipc   •  Remember "System V IPC"?msgget, semget, shmget   •  Have been (mostly) superseded by POSIX alternatives: mq_open, sem_open, shm_open   •  However, some stuff still uses "legacy" IPC. •  Most notable example: PostgreSQL The problem: xxxget() asks for a key, usually derived from the inode of a well-known file The solution: ipc namespace
  • 27. Namespaces: mnt   •  Deluxe chroot()   •  A mnt namespace can have its own rootfs •  Filesystems mounted in a mnt namespace are visible only in this namespace •  You need to remount special filesystems, e.g.: o  procfs (to see your processes) o  devpts (to see your pseudo-terminals)
  • 28. Setting up space efficient containers (1/2) /containers/leguest_1/rootfs  (empty  directory)   /containers/leguest_1/home  (container  private  data)   /images/ubuntu-­‐rootfs  (created  by  debootstrap)   CONTAINER=/containers/leguest_1   mount  -­‐-­‐bind  /images/ubuntu-­‐rootfs  $CONTAINER/rootfs   mount  -­‐o  ro,remount,bind  /images/ubuntu-­‐rootfs  $CONTAINER/rootfs   unshare  -­‐-­‐mount  bash   mount  -­‐-­‐bind  $CONTAINER/home  $CONTAINER/rootfs/home   mount  -­‐t  tmpfs  none  $CONTAINER/tmp   #  unmount  what  you  don't  need  ...   #  remount  /proc,  /dev/pts,  etc.,  and  then:   chroot  $CONTAINER/rootfs  
  • 29. Setting up space efficient containers (2/2) Repeat the previous slides multiple times (Once for each different container.) But, the root filesystem is read-only...? No problem, nfsroot howtos have been around since … 1996
  • 30. Namespaces: uts   Deals with just two syscalls: gethostname(),sethostname()   Useful to find out in which container you are ... More seriously: some tools might behave differently depending on the hostname (sudo)
  • 31. Namespaces: user   UID42 in container X isn't UID42 in container Y •  Useful if you don't use the pid namespace (With it, X42 can't see/touch Y42 anyway) •  Can make sense for system-wide, per-user resource limits if you don't use cgroups   •  Honest: didn't really play with those!
  • 32. Control Groups Create as many cgroups as you like. Put processes within cgroups. Limit, account, and isolate resource usage. Think ulimit, but for groups of processes … and with fine-grained accounting.
  • 33. Cgroups: the basics Everything exposed through a virtual filesystem /cgroup, /sys/fs/cgroup... YourMountpointMayVary Create a cgroup: mkdir  /cgroup/aloha   Move process with PID 1234 to the cgroup: echo  1234  >  /cgroup/aloha/tasks   Limit memory usage: echo  10000000  >  /cgroup/aloha/memory.limit_in_bytes  
  • 34. Cgroup: memory •  Limit o  memory usage, swap usage o  soft limits and hard limits o  can be nested •  Account o  cache vs. rss o  active vs. inactive o  file-backed pages vs. anonymous pages o  page-in/page-out •  Isolate o  "Get Off My Ram!" o  Reserve memory thanks to hard limits
  • 35. Cgroup: CPU (and friends) •  Limit o  Set cpu.shares (defines relative weights) •  Account o  Check cpustat.usage for user/system breakdown •  Isolate o  Use cpuset.cpus (also for NUMA systems) Can't really throttle a group of process. But that's OK: context-switching << 1/HZ
  • 36. Cgroup: Block I/O •  Limit & Isolate o  blkio.throttle.{read,write}.{iops,bps}.device o  Drawback: only for sync I/O (i.e.: "classical" reads; not writes; not mapped files) •  Account o  Number of IOs, bytes, service time... o  Drawback: same as previously Cgroups aren't perfect if you want to limit I/O. Limiting the amount of dirty memory helps a bit.
  • 38. AUFS quick example You have the following directories: /images/ubuntu-­‐rootfs   /containers/leguest/rootfs   /containers/leguest/rw   mount  -­‐t  aufs                -­‐o  br=/containers/leguest/rw=rw:/images/ubuntu-­‐ rootfs=ro                none  /containers/leguest/rootfs   Now, you can write in rootfs: changes will go to the rw directory.
  • 39. Union filesystems benefits •  Use a single image (remember the mnt namespace with read-only filesystem?) •  Get read-writable root filesystem anyway •  Be nice with your page cache •  Easily track changes (rw directory)
  • 40. AUFS layers •  Traditional use o  one read-only layer, one read-write layer •  System image development o  one read-only layer, one read-write layer o  checkpoint current work by adding another rw layer o  merge multiple rw layers (or use them as-is) o  track changes and replicate quickly •  Installation of optional packages o  one read-only layer with the base image o  multiple read-only layers with "plugins" / "addons" o  one read-write layer (if needed)
  • 41. AUFS compared to others •  Low number of developers •  Not in mainstream kernel o  But Ubuntu ships with AUFS •  Has layers, whiteouts, inode translation, proper support for mmap... •  Every now and then, another Union FS makes it into the kernel (latest is overlayfs) •  Eventually, (some) people realize that it lacks critical features (for their use-case) o  And they go back to AUFS
  • 42. AUFS personal statement AUFS is the worst union filesystems out there; except for all the others that have been tried. Not Churchill
  • 43. Getting rid of AUFS •  Use separate mounts for tmp, var, data... •  Use read-only root filesystem •  Or use a simpler union FS (important data is in other mounts anyway)
  • 44. setns()   The use-case Use-case: managing running containers (i.e. "I want to log into this container") •  SSH (inject authorized_keys file) •  some kind of backdoor •  spawn a process directly in the container This is what we want! •  no extra process (it could die, locking us out) •  no overhead
  • 45. setns()   In theory •  LXC userland tools feature lxc-attach •  It relies on setns() syscall… •  …And on some files in /proc/<PID>/ns/   fd  =  open("/proc/<pid>/ns/pid")   setns(fd,  0)   And boom, the current process joined the namespace of <pid>!
  • 46. setns()   In practice Problem (with kernel <3.8): #  ls  /proc/1/ns/   ipc    net    uts   Wait, what?!? (We're missing mnt  pid  user) You need custom kernel patches. Linux 3.8 to the rescue!
  • 47. Lightweight virtualization at dotCloud •  >100 LXC hosts •  Up to 1000 running containers per host •  Many more sleeping containers •  Webapps o  Java, Python, Node.js, Ruby, Perl, PHP... •  Databases o  MySQL, PostgreSQL, MongoDB... •  Others o  Redis, ElasticSearch, SOLR...
  • 48. Lightweight virtualization at $HOME •  We wrote the first lines of our current container management code back in 2010 •  We learned many lessons in the process (sometimes the hard way!) •  It got very entangled with our platform (networking, monitoring, orchestration...) •  We are writing a new container management tool, for a DevOps audience Would you like to know more?
  • 49. Mandatory shameless plug If you think that this was easy-peasy, or extremely interesting: Join us! jobs@dotcloud.com
  • 50. Thank you! More about containers, scalability, PaaS... http://blog.dotcloud.com/ @jpetazzo
  • 51. Thank you! More about containers, scalability, PaaS... http://blog.dotcloud.com/ @jpetazzo