Introduction of LXC


LXC (Linux Containers) is a virtualization solution that works at the operating-system kernel level. (The main virtualization solutions are Xen, KVM and LXC.)

Introduction

Through namespace-based resource isolation, the processes under Guest1 are independent of the processes under Guest2 and can be regarded as running on two separate physical machines. The container management tool manages the guests (creation, destruction).

The figure shows the LXC architecture.

The figure compares LXC and KVM. The advantage of KVM is that one physical machine can run several operating systems (guest OSes), with the applications running on each of them; this is how it isolates the applications. LXC isolates applications directly on top of the host OS, and this is LXC's advantage: it runs fast. However, if two applications run on Windows and one runs on Linux, only KVM can be used.

Namespace

Namespaces are one of the key techniques in containers: they isolate the system resources that processes operate on, so that operations in Guest-OS1 have no effect on Guest-OS2.

Of course, the namespace implementation is still being perfected; the following are the namespaces implemented in kernel versions above 3.8.

Mount

The mount namespace isolates the layout of mounted file systems. The diagram shows that the processes in mount namespace 1 all see the same way of mounting the file system, while what is seen in mount namespace 2 is different.

IPC

Processes in the same IPC namespace can communicate with each other through inter-process communication.

NET

The network namespace isolates the network protocol stack: network settings made in a namespace take effect only in that namespace.

PID

When we create a process with fork, we can specify a namespace for it. Under Linux the relationship between processes is a tree, so there is a parent namespace and child namespaces.

The process P2 created in namespace 2 has two PIDs: one is its PID in the parent namespace, the other is its PID in its own namespace. It has a PID in the parent namespace because P2 ultimately runs under the parent namespace; the namespace is specified for the process so that P2 and P3 are isolated from each other.

USER

The user namespace uses an ID mapping (conversion): because a container is not real virtualization, the root user created in the guest OS is mapped to a normal user in the host OS.

In the example, the root user creates a file in its own namespace. The file's owner ID ought to be 0, but when the file is stored on disk its uid is converted to the kernel uid (kuid), and the owner ID becomes 1000. In other words, in the guest OS you are the root user, but in the host OS you simply become a normal user, because the host OS already has its own root user.
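The uid mapping described above, as an added example that is not part of the original post: a child process enters a new user namespace with unshare(), maps uid 0 inside to its real uid outside through /proc/self/uid_map, creates a file as "root", and the parent then finds the file on disk owned by the real (host) uid. It assumes Linux with /proc mounted, a writable /tmp, and a kernel that allows unprivileged user namespaces (otherwise it reports -1).

```c
#define _GNU_SOURCE          /* unshare() and CLONE_NEWUSER are GNU extensions in glibc */
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER        /* kernel value, in case sched.h was seen before _GNU_SOURCE */
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* Write one line to /proc/self/<file> (uid_map, setgroups, gid_map); 0 on success. */
static int write_self_proc(const char *file, const char *line) {
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", file);
    int fd = open(path, O_WRONLY);
    ssize_t n = fd < 0 ? -1 : write(fd, line, strlen(line));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Child: map uid/gid 0 inside a new user namespace to our real ids outside, then
 * create a file as "root". Exit 1 if getuid() is 0 inside, 2 if the kernel refused. */
static int touch_as_ns_root(const char *file) {
    char umap[32], gmap[32];
    snprintf(umap, sizeof umap, "0 %d 1", (int)getuid());
    snprintf(gmap, sizeof gmap, "0 %d 1", (int)getgid());
    if (unshare(CLONE_NEWUSER) != 0 || write_self_proc("uid_map", umap) != 0 ||
        write_self_proc("setgroups", "deny") != 0 || write_self_proc("gid_map", gmap) != 0)
        return 2;
    int fd = open(file, O_WRONLY | O_CREAT, 0644); if (fd >= 0) close(fd);
    return fd >= 0 && getuid() == 0 && geteuid() == 0;
}

/* 1: child was uid 0 yet the file belongs to our real uid (the kuid); 0: mismatch; -1: unavailable. */
int demo_user_namespace(void) {
    char dir[] = "/tmp/userns_demo_XXXXXX", file[80];   /* constructed scratch path */
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/made_by_ns_root", dir);
    pid_t pid = fork();
    if (pid == 0) _exit(touch_as_ns_root(file));
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    int code = WIFEXITED(status) ? WEXITSTATUS(status) : 2;
    struct stat st; int have = stat(file, &st) == 0;
    unlink(file); rmdir(dir);
    return code == 2 ? -1 : (code == 1 && have && st.st_uid == getuid());
}
```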

System API/ABI

The /proc directory under Linux describes the state of the entire system, and users can look at it to understand the current system state. It contains many numbered directories; these numbers correspond to the process IDs created by the system. Earlier we said that processes are invisible to one another, but through the /proc directory we can actually see some information about a process.

Each process has an ns directory under /proc/<pid>, which records the namespaces used by that process.

Use of the clone function

The clone function is the system API used to create processes. The fork function we commonly use actually calls clone underneath. When using clone, you can specify namespaces for the new process. The following is an example of specifying an IPC namespace.

P2 will run in the new IPC namespace, and its other namespaces are inherited from P1.
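As an added example that is not part of the original post, this C code does what the clone section and the /proc ns section describe: it creates P2 with clone() in a new IPC namespace and verifies through /proc/<pid>/ns/ipc that P2's IPC namespace differs from P1's while the others are inherited. It assumes Linux with /proc mounted; CLONE_NEWUSER is added only so that it runs without root where unprivileged user namespaces are permitted (otherwise it reports -1).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* clone() and CLONE_NEW* are GNU extensions in glibc */
#endif
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWIPC         /* kernel values, in case sched.h was seen before _GNU_SOURCE */
#define CLONE_NEWIPC  0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Inode number behind /proc/<pid>/ns/<kind>, e.g. "ipc:[4026531839]"; 0 if unreadable.
 * Two processes share a namespace exactly when these inode numbers are equal. */
unsigned long ns_inode(pid_t pid, const char *kind) {
    char path[64], link[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, kind);
    ssize_t n = readlink(path, link, sizeof link - 1);
    if (n < 0) return 0;
    link[n] = '\0';
    char *lb = strchr(link, '[');
    return lb ? strtoul(lb + 1, NULL, 10) : 0;
}

/* P2's entry point: exit 1 if its IPC namespace differs from P1's (passed in arg). */
static int child_fn(void *arg) {
    unsigned long mine = ns_inode(getpid(), "ipc");
    return mine != 0 && mine != *(unsigned long *)arg;
}

/* Create P2 in a fresh IPC namespace; every other namespace is inherited from P1.
 * CLONE_NEWUSER is added so this runs unprivileged where the kernel permits it.
 * Returns 1 (P2 isolated), 0 (not isolated) or -1 (clone refused, or no /proc). */
int spawn_in_new_ipc_ns(void) {
    unsigned long parent_ipc = ns_inode(getpid(), "ipc");
    char *stack = malloc(64 * 1024);
    if (parent_ipc == 0 || !stack) { free(stack); return -1; }
    pid_t pid = clone(child_fn, stack + 64 * 1024,   /* stack grows down: pass its top */
                      CLONE_NEWUSER | CLONE_NEWIPC | SIGCHLD, &parent_ipc);
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    free(stack);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Comparing the inode numbers of two processes' ns links is the same check a container runtime or forensic tool uses to tell whether a process really sits in its own namespace.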

unshare function

The unshare function modifies the namespace information of the current process, for example changing the namespace the current process belongs to.

setns function

The setns function sets a namespace of the current process to the namespace of another process.

Container Management Tools

Comparison of Container and KVM

Containers do not implement full virtualization, and some operations performed in the guest OS directly affect the host OS. Here is a comparison of the two.
