Post on 04-Jul-2015
transcript
Revolutionizing the Cloud with Container Virtualization
Imesh Gunaratne
Technical Lead, WSO2; Committer & PMC Member, Apache Stratos
About the Presenter
Imesh Gunaratne, Technical Lead, WSO2; Committer & PMC Member, Apache Stratos
Email: imesh@wso2.com
Blog: http://imesh.gunaratne.org/blog
Agenda
● Virtualization
● Linux Containers
● LXC
● Docker
● CoreOS
● Kubernetes
Virtualization
In computing, virtualization refers to the act of creating a virtual version of resources, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources.
http://en.wikipedia.org/wiki/Virtualization
Hypervisor
A hypervisor or virtual machine monitor (VMM) is a piece of computer software, firmware or hardware that creates and runs virtual machines.
http://en.wikipedia.org/wiki/Hypervisor
Linux Containers
An operating system–level virtualization method for running multiple isolated Linux systems (containers) on a single control host.
http://en.wikipedia.org/wiki/LXC
Linux Containers
Linux Container Brief for IEEE WG P2302, Boden Russell
Linux Kernel Features used by Linux Containers
● Namespaces
● cgroups
● AppArmor
● SELinux
● seccomp
● chroot
Namespaces
Wraps global system resources in an abstraction that makes it appear to the processes that they have their own isolated instance of the global resource.
Included in Linux Kernel 2.4.19
http://lwn.net/Articles/531114/
Namespaces
Currently, Linux implements six different types of namespaces:
1. mnt (mount points, filesystems)
2. pid (processes)
3. net (network stack)
4. ipc (inter-process communication)
5. uts (hostname)
6. user (user ids)
http://www.cs.ucsb.edu/~rich/class/cs290-cloud/papers/lxc-namespace.pdf
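The UTS namespace from the list above is the easiest one to see in action. The following program is an added example, not code from the slides: a child process unshares a user namespace together with a UTS namespace, renames its (now private) hostname to the constructed value "demo-container", and the parent verifies that its own hostname did not move. The user namespace is unshared first because that is what lets an unprivileged process own the new UTS namespace; on hosts where unprivileged user namespaces are disabled the child reports that instead of attempting the change, so the demo never ends up renaming the real host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes of uts_isolation_demo(). */
enum { UTS_LEAKED = 0, UTS_ISOLATED = 1, UTS_UNSUPPORTED = 2, UTS_ERROR = -1 };

/* Child exit statuses (small non-negative values). */
enum { CHILD_OK = 0, CHILD_UNSUPPORTED = 2, CHILD_FAILED = 3 };

static const char DEMO_HOSTNAME[] = "demo-container";   /* constructed name */

/* Child side: enter fresh user + UTS namespaces, rename, report over the pipe. */
static void child_body(int wfd)
{
    char name[256] = {0};
    /* CLONE_NEWUSER first: inside the new user namespace the child holds
     * CAP_SYS_ADMIN over it, which CLONE_NEWUTS and sethostname() require. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0)
        _exit(CHILD_UNSUPPORTED);          /* EPERM/EINVAL: not allowed here */
    if (sethostname(DEMO_HOSTNAME, sizeof DEMO_HOSTNAME - 1) != 0)
        _exit(errno == EPERM ? CHILD_UNSUPPORTED : CHILD_FAILED);
    if (gethostname(name, sizeof name - 1) != 0)
        _exit(CHILD_FAILED);
    if (write(wfd, name, strlen(name)) < 0)
        _exit(CHILD_FAILED);
    _exit(CHILD_OK);
}

int uts_isolation_demo(void)
{
    char before[256] = {0}, after[256] = {0}, child_saw[256] = {0};
    int fds[2], status;

    if (gethostname(before, sizeof before - 1) != 0 || pipe(fds) != 0)
        return UTS_ERROR;
    pid_t pid = fork();
    if (pid < 0)
        return UTS_ERROR;
    if (pid == 0) {
        close(fds[0]);
        child_body(fds[1]);                /* never returns */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], child_saw, sizeof child_saw - 1);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return UTS_ERROR;
    if (WEXITSTATUS(status) == CHILD_UNSUPPORTED)
        return UTS_UNSUPPORTED;
    if (WEXITSTATUS(status) != CHILD_OK)
        return UTS_ERROR;
    /* The child must have observed its new name ... */
    if (n <= 0 || strcmp(child_saw, DEMO_HOSTNAME) != 0)
        return UTS_ERROR;
    /* ... while the parent's view of the same global resource is untouched. */
    if (gethostname(after, sizeof after - 1) != 0)
        return UTS_ERROR;
    return strcmp(before, after) == 0 ? UTS_ISOLATED : UTS_LEAKED;
}

int main(void)
{
    static const char *label[] = { "hostname leaked", "isolated", "namespaces unsupported here" };
    int r = uts_isolation_demo();
    printf("UTS namespace demo: %s\n", r < 0 ? "error" : label[r]);
    return (r == UTS_ISOLATED || r == UTS_UNSUPPORTED) ? 0 : 1;
}
```

The check that matters for a defender is the last comparison: whatever the child does to the hostname inside its namespace must never be visible to the parent. A result of UTS_UNSUPPORTED means the kernel or a sandbox policy refused to create the namespaces, which is itself worth knowing on a host that is supposed to run containers.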
cgroups (Control Groups)
A Linux kernel feature to limit, account, and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups.
Started by engineers at Google in 2007 and merged into the Linux Kernel 2.6.24
http://en.wikipedia.org/wiki/Cgroups
cgroups Features
● Access: which devices can be used per cgroup
● Resource limiting: memory, CPU, device accessibility, block I/O, etc
● Prioritization: who gets more of the CPU, memory, etc
● Accounting: resource usage per cgroup
● Control: freezing & checkpointing
http://en.wikipedia.org/wiki/Cgroups
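The accounting side of cgroups starts with knowing which group a process belongs to, which the kernel exposes in /proc/<pid>/cgroup as lines of the form hierarchy-id:controllers:path (id 0 with an empty controller list denotes the unified cgroup v2 hierarchy). The parser below is an added example, not code from the slides; the sample lines, including the container id under /docker/, are constructed. It shows the two checks an operator usually wants, whether a given controller is attached to the hierarchy and whether the process sits below the root group at all, and matches controller names as whole tokens so that "cpu" is not mistaken for "cpuset" or "cpuacct".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of /proc/<pid>/cgroup: "hierarchy-id:controllers:path". */
struct cgroup_entry {
    int hierarchy_id;          /* 0 for the unified (v2) hierarchy */
    char controllers[128];     /* comma-separated; empty on v2 */
    char path[256];            /* cgroup path relative to the hierarchy root */
};

/* Parse one line. Returns 1 on success, 0 if the line is malformed. */
int parse_cgroup_line(const char *line, struct cgroup_entry *e)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    char *end = NULL;
    if (!c1 || !c2 || c1 == line) return 0;
    e->hierarchy_id = (int)strtol(line, &end, 10);
    if (end != c1) return 0;                          /* id must be all digits */
    size_t clen = (size_t)(c2 - c1 - 1);
    size_t plen = strcspn(c2 + 1, "\n");
    if (clen >= sizeof e->controllers || plen == 0 || plen >= sizeof e->path) return 0;
    memcpy(e->controllers, c1 + 1, clen); e->controllers[clen] = '\0';
    memcpy(e->path, c2 + 1, plen);        e->path[plen] = '\0';
    return 1;
}

/* True if the controller list contains exactly `name` as one comma-separated
 * token (so "cpu" does not match "cpuset" or "cpuacct"). */
int cgroup_has_controller(const struct cgroup_entry *e, const char *name)
{
    const char *p = e->controllers;
    size_t n = strlen(name);
    while (*p) {
        const char *q = strchr(p, ',');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == n && strncmp(p, name, n) == 0) return 1;
        if (!q) break;
        p = q + 1;
    }
    return 0;
}

/* True if the process sits below the hierarchy root, i.e. a cgroup other
 * than the root can account for and limit it. */
int cgroup_is_confined(const struct cgroup_entry *e)
{
    return strcmp(e->path, "/") != 0;
}

/* One-call wrappers over a raw line, handy for scripts and tests. */
int line_hierarchy_id(const char *line)
{
    struct cgroup_entry e;
    return parse_cgroup_line(line, &e) ? e.hierarchy_id : -1;
}
int line_has_controller(const char *line, const char *name)
{
    struct cgroup_entry e;
    return parse_cgroup_line(line, &e) && cgroup_has_controller(&e, name);
}
int line_is_confined(const char *line)
{
    struct cgroup_entry e;
    return parse_cgroup_line(line, &e) && cgroup_is_confined(&e);
}

/* Constructed sample lines: a v1 memory hierarchy placing the process in a
 * container runtime's group, a v1 cpu hierarchy at the root, and a v2 line. */
static const char *SAMPLE_LINES[] = {
    "4:memory:/docker/0123456789abcdef",   /* constructed container id */
    "2:cpu,cpuacct:/",
    "0::/user.slice/user-1000.slice",
};

int main(void)
{
    struct cgroup_entry e;
    for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++) {
        if (!parse_cgroup_line(SAMPLE_LINES[i], &e)) {
            printf("malformed: %s\n", SAMPLE_LINES[i]);
            continue;
        }
        printf("id=%d controllers=[%s] path=%s memory=%d confined=%d\n",
               e.hierarchy_id, e.controllers, e.path,
               cgroup_has_controller(&e, "memory"), cgroup_is_confined(&e));
    }
    /* On a live system the same parser runs over the process's own entry. */
    FILE *f = fopen("/proc/self/cgroup", "r");
    char line[512];
    while (f && fgets(line, sizeof line, f))
        if (parse_cgroup_line(line, &e))
            printf("self: id=%d path=%s\n", e.hierarchy_id, e.path);
    if (f) fclose(f);
    return 0;
}
```

A process whose memory hierarchy path is "/" is accounted for only by the root group, so no per-container memory limit is applied to it; that is the condition a hardening review of a container host should flag.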
AppArmor
AppArmor is a Linux security module implemented using the Linux Security Modules (LSM) kernel interface.
It allows the system administrator to associate with each program a security profile that restricts the capabilities of that program.
http://en.wikipedia.org/wiki/AppArmor
SELinux (Security Enhanced Linux)
SELinux is a Linux kernel security module that provides a mechanism for supporting access control on security policies for programs.
Originally developed by the United States National Security Agency (NSA).
Included in Linux kernel 2.6.0-test3, released on 8 August 2003
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
SELinux - How it works
● Compiled into the Linux kernel
● Security policies are packaged in the distribution
● Policies in most distributions are applied only to system processes, not user processes
● Checks a database of rules on syscalls
● Policies allow/deny what a daemon can access and how
● Prevents a daemon compromise from affecting other files/users/etc. (namespaces)
SELinux for Everyday Users, PaulWay
AppArmor                              | SELinux
Pathname based system                 | Attaches labels to all files, processes
Auditable policies                    | Complex policy language
Integrated GUI/Console toolset        | Lack of integrated tools, hard to manage rules
Proficiency with 1-2 days training    | Substantial training investment
Usability is primary goal             | Hard to maintain
https://www.suse.com/support/security/apparmor/features/selinux_comparison.html
seccomp (Secure Computing Mode)
● seccomp is a secure-computing facility that provides an application sandboxing mechanism in the Linux kernel.
● Provides computing virtualization
● It allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write().
http://en.wikipedia.org/wiki/Seccomp
seccomp (Secure Computing Mode)
It was merged into the Linux kernel mainline in version 2.6.12, released on March 8, 2005.
http://en.wikipedia.org/wiki/Seccomp
chroot
http://www.lorien.ch/server/chroot.html
chroot
A chroot on Unix operating systems is an operation that changes the root directory for the current running process and its children.
A program that is run in such a modified environment cannot name (and therefore normally not access) files outside the designated directory tree.
Provides file system virtualization
http://en.wikipedia.org/wiki/Chroot
chroot
The modified environment is called a "chroot jail"
Introduced in version 7 Unix in 1979, and added to BSD by Bill Joy on 18 March 1982
http://en.wikipedia.org/wiki/Chroot
LXC: A Hypervisor for Linux Containers
LXC Engine: A Hypervisor for Containers
Linux Container Brief for IEEE WG P2302, Boden Russell
LXC (LinuX Containers)
LXC is an operating system–level virtualization method for running multiple isolated Linux systems (containers) on a single control host.
● From the inside it looks like a VM
● From the outside it looks like a normal process
● Provides lightweight virtualization
Kernel Features used by LXC
● Kernel namespaces (ipc, uts, mount, pid, network and user)
● Control groups (cgroups)
● AppArmor and SELinux profiles
● Seccomp policies
● Chroots (using pivot_root)
● Kernel capabilities
Docker
Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications.
● Initially developed by dotCloud
● Original version written in Python, now written in Go
● A very young project (started March, 2013), but with a huge community
Docker Architecture
Enterprise Docker, Adrien BLIND, Aurelien GABET, Arnaud MAZIN
Problem: Shipping Software
Introduction to Docker, Jérôme Petazzoni
Solution: Linux Container
Introduction to Docker, Jérôme Petazzoni
Solved
Introduction to Docker, Jérôme Petazzoni
Virtual Machines Vs Docker
Docker - Hello World
# Get one base Docker image
> docker pull ubuntu
# List Docker images available
> docker images
# Run hello world
> docker run ubuntu:14.04 echo "hello world"
Docker Paris Meetup, Victor Vieux, dotCloud Inc
Detached mode
# Run hello world in detached mode (-d)
> docker run -d ubuntu sh -c "while true; do echo hello world; sleep 1; done"
# Get the container's ID
> docker ps
# Attach to the container
> docker attach <container-id>
# Stop/start/restart the container
> docker stop <container-id>
Docker Paris Meetup, Victor Vieux, dotCloud Inc
CoreOS
CoreOS is a new Linux distribution that has been re-architected to provide features needed to run modern infrastructure stacks.
CoreOS Architecture
Fleet ties together systemd and etcd into a distributed init system
Kubernetes
Kubernetes is an open source implementation of container cluster management.
Kubernetes High Level Architecture
Kubernetes Component Architecture
Kubernetes Terminology
● Pod - A group of Containers
● Labels - Labels for identifying pods
● Kubelet - Container Agent
● Proxy Service - A load balancer for Pods
● etcd - A metadata service
● cAdvisor - Container Advisor provides resource usage/performance statistics
● Replication Controller - Manages replication of pods
● Scheduler - Schedules pods in worker nodes
● API server - Kubernetes API server
Importance of containers for the cloud
● Ability to run multiple OS-level isolated environments within a single host
● Less startup time
● Less resource consumption
● Ultimately less expensive
References
● http://en.wikipedia.org/wiki/Virtualization
● http://en.wikipedia.org/wiki/Hypervisor
● http://en.wikipedia.org/wiki/LXC
● http://www.cs.ucsb.edu/~rich/class/cs290-cloud/papers/lxc-namespace.pdf
● http://en.wikipedia.org/wiki/Cgroups
● http://en.wikipedia.org/wiki/AppArmor
● http://en.wikipedia.org/wiki/Security-Enhanced_Linux
● http://www.lorien.ch/server/chroot.html
● SELinux for Everyday Users, PaulWay
● http://en.wikipedia.org/wiki/Seccomp
● http://en.wikipedia.org/wiki/Chroot
● Linux Container Brief for IEEE WG P2302, Boden Russell
● http://kubernetes.io/
● https://coreos.com