5.1 Linux namespace and Cgroup lxc
December 03, 2016 12:53:32
- Namespace: the first layer of isolation technology; it ensures that processes inside a Docker container cannot see or affect processes outside the container.
- Control Groups (cgroups): the key component of LXC technology, used to throttle resources at runtime.
- UnionFS (union file system): a building block of a container that creates a layered abstraction, which is what makes Docker lightweight and fast to start.
1 Libcontainer
Starting with version 0.9, Docker uses libcontainer instead of LXC. The interaction diagram of LXC, libcontainer and the Linux system is as follows:
PID namespace
Processes of different users are separated by PID namespaces, and the same PID can be reused in different namespaces. PID namespaces have the following characteristics:
- Each namespace has its own process with PID 1 (similar to the /sbin/init process)
- Processes in a namespace can only affect processes in their own namespace or in a child namespace
- Because /proc contains the running processes, the /proc directory of the pseudo-filesystem in a container shows only the processes in its own namespace
- Because namespaces can be nested, the parent namespace can affect processes of the child namespace, so processes of the child namespace are visible in the parent namespace, but with a different PID
MNT namespace
Similar to chroot, a process is placed into a specific directory to run. The MNT namespace lets processes in different namespaces see different file structures, so the processes of each namespace see an isolated directory tree. Unlike chroot, the information in /proc/mounts for each container in the namespace contains only the mount points of that namespace.
NET Namespace
Network isolation is achieved through the NET namespace: each net namespace has its own network devices, IP addresses, IP routing tables and /proc/net directory, so the network of every container is isolated. By default Docker uses a veth pair to connect the virtual NIC in the container with a Docker bridge on the host.
UTS namespace
The UTS ("UNIX Time-sharing System") namespace allows each container to have its own hostname and domain name, so that it can be viewed as a separate node on the network rather than as a process on the host.
IPC namespace
Process interaction inside a container is also based on the common Linux inter-process communication (IPC) methods, including semaphores, message queues and shared memory. Unlike VMs, however, container process interaction is actually process interaction within the same PID namespace on the host, so namespace information must be added to each IPC resource request: every IPC resource has a unique 32-bit ID.
User namespace
Each container can have different user and group IDs, which means that the user inside the container executes programs as a user inside the container rather than as a user on the host.
With the above six namespaces isolating the process, network, IPC, filesystem, UTS and user views, a container can behave like a standalone computer, and different containers are isolated from each other at the OS level. However, the resources of the different namespaces still compete with each other, so something like ulimit is still needed to manage the resources each container may use: cgroups.
3 Resource Quota "cgroups"
Cgroups implements quotas and metrics for resources. Cgroups is very simple to use: it provides a file-like interface. Create a new group directory under /cgroup, create a tasks file in that folder, and write the PID to that file to bring the process under resource control. Specific resource settings are files in the same folder named {subsystem prefix}.{resource item}, which is the typical configuration scheme; for example memory.usage_in_bytes is a memory limit option for the group under the memory subsystem. In addition, the subsystems in cgroups can be combined arbitrarily: a subsystem can be used by different groups, or a group can contain multiple subsystems.
- Memory
  - Memory-related limitations
- Cpu
  - In cgroups it is not possible to define CPU capacity as in a hardware virtualization scenario; instead you define the priority of CPU scheduling, so processes with a higher CPU priority are more likely to get CPU time. By writing a value to cpu.shares you define the CPU priority of the cgroup; this is a relative weight, not an absolute value.
- Blkio
  - Block I/O related statistics and limits: byte/operation statistics and limits (IOPS etc.), read and write speed limits, etc.; however, the statistics here cover mainly synchronous I/O
- Devices
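The file interface described above (one directory per group under each subsystem hierarchy, a tasks file that takes PIDs, and {subsystem}.{resource} control files such as cpu.shares), driven from Python as an added example that is not part of the original post. The mount point /sys/fs/cgroup, the group name "web" and the limit values are assumptions; scratch_root() lets the same functions run against a throwaway directory that mimics the cgroup filesystem layout, since writing to the real hierarchy requires root.

```python
import os
import tempfile

CGROUP_ROOT = "/sys/fs/cgroup"  # assumption; older systems mount it at /cgroup

# Subsystem -> {control file: value}. cpu.shares is a relative weight
# (the kernel default is 1024); memory.limit_in_bytes is an absolute cap.
DEFAULT_LIMITS = {
    "memory": {"memory.limit_in_bytes": str(256 * 1024 * 1024)},
    "cpu": {"cpu.shares": "512"},
}


def scratch_root():
    """Fresh temporary directory standing in for the cgroup mount (for testing)."""
    return tempfile.mkdtemp(prefix="cgroup-demo-")


def group_dir(subsystem, name, root=CGROUP_ROOT):
    return os.path.join(root, subsystem, name)


def create_group(name, limits=DEFAULT_LIMITS, root=CGROUP_ROOT):
    """Create <root>/<subsystem>/<name> and write every control file.
    Returns the paths written. Each file must carry its subsystem's prefix."""
    written = []
    for subsystem, files in limits.items():
        d = group_dir(subsystem, name, root)
        os.makedirs(d, exist_ok=True)  # mkdir on a cgroup fs creates the group
        for key, value in files.items():
            if not key.startswith(subsystem + "."):
                raise ValueError(f"{key} does not belong to subsystem {subsystem}")
            path = os.path.join(d, key)
            with open(path, "w") as f:
                f.write(value + "\n")
            written.append(path)
    return written


def add_task(name, pid, subsystems, root=CGROUP_ROOT):
    """Place pid under the group's limits by appending it to the tasks file
    of every subsystem hierarchy the group was created in."""
    for subsystem in subsystems:
        with open(os.path.join(group_dir(subsystem, name, root), "tasks"), "a") as f:
            f.write(f"{pid}\n")


def tasks_in(name, subsystem, root=CGROUP_ROOT):
    """Return the PIDs currently listed in the group's tasks file."""
    with open(os.path.join(group_dir(subsystem, name, root), "tasks")) as f:
        return [int(line) for line in f if line.strip()]
```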