1 / 97

Container [ Uday Hiwarale ]

Container [ Uday Hiwarale ]. Container [ Uday Hiwarale ]. Definition. A  container  is an isolated execution environment where one or many processes can run in isolation. Containerization.

parker
Télécharger la présentation

Container [ Uday Hiwarale ]

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Container [UdayHiwarale]

  2. Container [UdayHiwarale]

  3. Definition A container is an isolated execution environment where one or many processes can run in isolation.

  4. Containerization The action of creating containers and running your application as a process inside it; is known as containerization. Since there is no Hypervisor used to create different isolated environments directly on host operating system (these are containers), containerization sometimes is called as OS Level Virtualization.

  5. Linux Containerization Linux Kernel provides such containerization mechanism where you can create many containers on a single Linux hosts called as Linux Based Containers or LXCs.

  6. Mechanisms Supporting Linux Containers • As stated, a process inside the container has isolated environment. • That includes • network interface (to obtain IP addresses), • process ids (PIDs), mount points etc. • Linux Kernel out of the box provides some of the features like Namespaces and Control Groups to make this happen.

  7. Namespaces and Control Groups • Namespaces are the features of Linux Kernel that partition kernel resources like Network Interface (net), Mount Points (mnt), Process Ids (PIDs) etc. • Hence we can create sets of processes having same resource identifiers, for example, IP Addresses because they share different namespaces.  • Control Groups are also namespaced and they control how much system resources like CPU and Memory is allocated to sets of processes.

  8. General Properties of a Container In general, a container is nothing but a set of processes we just talked about. A container has unique namespace and all processes running inside it will have their share of resources allocated by container’s control group. Any process inside the container will not be able to see or interface with the resources allocated to other containers. All containers shares same kernel (of the host operating system) and when a container needs different kernel, then virtualization has to be provided.

  9. Content of a Container • A container is a package that contains y • our programs, • application level binaries and • libraries, • environment variables etc. • It utilizes host’s operating system hence OS level libraries, binaries and drivers are shared by container engine.

  10. VM vs. Container [Source: Google Cloud]

  11. Application Containers [Gabor Nagy]

  12. Application Containers Application containers are designed to package and run a single service. Container technologies like Docker and Rocket are examples of application containers. So even though they share the same kernel of the host there are subtle differences make them different, which I would like to talk about using the example of a Docker container:

  13. Run a Single Service As a Container • When a Docker container is launched, it runs a single process. • This process is usually the one that runs your application when you create containers per application. • This very different from the traditional OS containers where you have multiple services running on the same OS.

  14. Layers of Containers

  15. Layer Any RUN commands you specify in the Dockerfile creates a new layer for the container. In the end when you run your container, Docker combines these layers and runs your containers. Layering helps Docker to reduce duplication and increases the re-use. This is very helpful when you want to create different containers for your components. You can start with a base image that is common for all the components and then just add layers that are specific to your component. Layering also helps when you want to rollback your changes as you can simply switch to the old layers, and there is almost no overhead involved in doing so.

  16. Base Image [IBM] • A base image is the image that is used to create all of your container images. • Your base image can be • an official Docker image, such as Centos, or • you can modify an official Docker image to suit your needs, or • you can create your own base image from scratch.

  17. Understanding Docker "Container Host" vs. "Container OS" for Linux and Windows Containers [Floyd Hilton]

  18. Container Host A container host is also called aHost OS. The Host OS is the operating system on which the Docker client and Docker daemon run. In the case of Linux and non-Hyper-V containers, the Host OS shares its kernel with running Docker containers. For Hyper-V each container has its own Hyper-V kernel.

  19. Container OS A container OS is also called aBase OS. The base OS refers to an image that contains an operating system such as Ubuntu, CentOS, or windowsservercore. Typically, you would build your own image on top of a Base OS image so that you can take utilize parts of the OS. Note that windows containers require a Base OS, while Linux containers do not

  20. Operating System Kernel The Kernel manages lower level functions such as memory management, file system, network and process scheduling.

  21. Example

  22. Explanation of the Previous Diogram The Host OS is Ubuntu. The Docker Client and the Docker Daemon (together called the Docker Engine) are running on the Host OS. Each container shares the Host OS kernel. CentOS and BusyBox are Linux Base OS images. The “No OS” container demonstrates that you do not NEED a base OS to run a container in Linux. You can create a Docker file that has a base image of scratch and then runs a binary that uses the kernel directly.

  23. Function of Base Image OS [ITREAD01] The base image OS is used for filesystem, binaries, etc. 

  24. Why do we use a OS Base Image with Docker if containers have no Guest OS? (1) [drookie] Since all Linux distributions run the same (yup, it's a bit simplified) Linux kernel and differ only in userland software, it's pretty easy to simulate a different distribution environment - by just installing that userland software and pretending it's another distribution. Being specific, installing CentOScontainer inside UbuntuOS will mean that you will get the userland from CentOS, while still running the same kernel, not even another kernel instance.

  25. Why do we use a OS Base Image with Docker if containers have no Guest OS? (2) [drookie] Solightweight virtualization is like having isolated compartments within same OS. On the contrary, real virtualization is having another full-fledged OS inside host OS. That's why docker cannot run FreeBSD or Windows inside Linux. If that would be easier, you can think docker is kind of very sophisticated and advanced chroot environment.

  26. Docker Images and Layers [docker]

  27. Docker Images and Layers A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile. Each layer except the very last one is read-only. 

  28. Example FROM ubuntu:15.04 COPY . /app RUN make /app CMD python /app/app.py This Dockerfile contains four commands, each of which creates a layer. TheFROM statement starts out by creating a layer from the ubuntu:15.04 image. TheCOPY command adds some files from your Docker client’s current directory. TheRUN command builds your application using the make command. Finally, the last layer specifies what command to run within the container.

  29. Properties of Layers (1) Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. When you create a new container, you add a new writable layer on top of the underlying layers. This layer is often called the “container layer”. All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer.

  30. Properties of Layers [UdayHiwarale] A docker image follows modified Union File System such as AuFS. Each instruction in Dockerfile creates a read-onlyAuFS layer. These layers are stacked on each other as mentioned in Dockerfile. Each layer is only a set of differences from the layer before it.

  31. A Container Based on the Ubuntu 15.04 Image

  32. Container and Layers The major difference between a containerand an image is the top writable layer. All writes to the container that add new or modify existing data are stored in this writable layer. When the container is deleted, the writable layer is also deleted. The underlying image remains unchanged.

  33. Share Access Because each container has its own writable container layer, and all changes are stored in this container layer, multiple containers can share access to the same underlying image and yet have their own data state.

  34. Multiple Containers Sharing the Same Ubuntu 15.04 image.

  35. The Underlying Technology [Docker]

  36. The Underlying Technology Docker is written in Go and takes advantage of several features of the Linux kernel to deliver its functionality.

  37. Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace.

  38. Linux Namespaces Docker Engine uses namespaces such as the following on Linux: namespace, control group. The pid namespace: Process isolation (PID: Process ID). The net namespace: Managing network interfaces (NET: Networking). The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication). The mnt namespace: Managing filesystem mount points (MNT: Mount). The uts namespace: Isolating kernel and version identifiers. (UTS: Unix Timesharing System).

  39. Control groups • Docker Engine on Linux also relies on another technology called control groups (cgroups). • A cgroup limits an application to a specific set of resources. • Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. • For example, you can limit the memory available to a specific container.

  40. Union file systems • Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. • Docker Engine uses UnionFS to provide the building blocks for containers. • Docker Engine can use multiple UnionFS variants, including • AUFS, • btrfs, • vfs, • and DeviceMapper.

  41. Container format Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container format is libcontainer. In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones.

  42. Finding Docker container processes from host point of view (1) [StackOverflow] You can use docker top command. This command lists all processes running within your container. For instance this command on a single process container on a box displays: UID PID PPID C STIME TTY TIME CMD root 14097 13930 0 23:17 pts/6 00:00:00 /bin/bash To simply get the main process id within the container use this command: dockerinspect -f '{{.State.Pid}}' <container id>

  43. Finding Docker container processes from host point of view (2) [StackOverflow] Another way to get an overview of all Docker processes running on a host is using generic cgroup based systemd tools. systemd-cgls will show all our cgroups and the processes running in them in a tree-view, like this:

  44. Finding Docker container processes from host point of view (3) [StackOverflow] • The process run in a docker container is a child of a process named containerd-shim (in Docker v18.09.4) • First figure out the process IDs of the containerd-shim processes. • For each of them, find their child process. % pgrepcontainerd-shim 7105 7141 7248 • To find the child process of parent process 7105: % pgrep-P 71057127

  45. Docker [UdayHiwarale]

  46. Docker Docker is nothing but a containerization software. Docker engine is nothing but a container engine. Source

  47. Docker Engine A docker engine consist of Docker daemon and other utilities to create, destroy and manage containers. 

  48. Docker Daemon Docker daemon is a process running in background that receives commands from local or remoteDocker client(CLI) using HTTP REST protocol to manage containers. Hence Docker is said to follow client-server  architecture where server is Docker daemon.

  49. What You Get after a Docker Installation? • When you install Docker on your system, you get • Docker engine, • Docker command line interface (Docker client) and • other GUI utilities. • When you start your Docker, it will start the Docker daemon.

More Related