
Containers - Quick Low Level Guide

Containers Kernel, namespace, cgroups
Kernel space and user space

Before we get to containers, let's define what a kernel is. There is no physical thing in reality called a kernel; it is only a name for a layer of software, and different people draw that boundary differently.

cgroups, namespaces, UFS

We are going to discuss containers, cgroups, namespaces, UFS, hypervisors, user space, kernel space and more.
 
When we say "kernel" we mean this. At the bottom there is the hardware, which is not the kernel. Above the hardware sit a few layers of software; imagine them as two boxes.

The lower box is closer to the hardware and contains several layers; the upper box sits on top of the lower one and holds the libraries and applications that use it.

The lower box is the kernel. It contains the hardware abstraction layer, thread scheduling, interrupt handling and many other low-level services such as memory management and power management. The kernel is the bare bones on top of the hardware plus the part of the operating system that manages that hardware.

The upper box is user mode: all the applications you run. The kernel underneath does the virtual memory management, scheduling, device drivers and network drivers; it is basically the abstraction over the hardware plus the basic services that make the hardware usable.

The layer that connects user space to kernel space is the system call interface: user-space code asks the kernel for services through system calls.

The Promise

Containers are built from cgroups, namespaces, tarballs, and they are just processes.  Let's elaborate on this.

The promise is that you can package your application in a container and then just run it in production, because everything it needs is bundled inside the container. We all know that is not entirely the truth, but containers do help us, and if you would like to understand a little of what goes on under the hood, what containers really are, let's start our discovery. While containers do contain processes, it is best practice to use them for stateless applications: by their simple nature all we want to do is contain processes, not file systems, and containers are after all ephemeral.

Machine

If you look at a machine running containers and list the processes with ps, you would not see any containers; you would see real processes, such as Java processes. So what is going on, where are all those containers? They appear as completely standard, boring processes in the standard output of the ps command.

So containers run as standard processes; what, then, is the packaging we all talk about? When you create a container you create a tarball, so if you wanted to package a container manually you would put your app into a tarball.

But is a tarball all there is to containers? I could put a process into a tarball myself. You could, but you would need to take a few more steps for it to be equal to a standard container: for example, you would need to set up cgroups, which we will discuss soon, to control how much CPU and memory the container gets.

When you run a container the tarball is unpacked and its contents run as any other process.

If you want your container to have limited access, for example to the disk, there is a native way to do this on Linux: the standard namespaces feature. It lets a container see only certain processes and files.

The cgroups would limit the memory and CPU. 

VM Vs Containers

With VMs you have multiple kernels. But how do these multiple VMs with their multiple kernels talk to the actual hardware and get basic services such as thread scheduling? Through the hypervisor: you have a kernel for each VM, and each VM's kernel talks to the hypervisor's kernel to get the basic OS services.

You can also run multiple operating systems, such as Windows and Linux, side by side in VMs. With containers you have processes, and each process runs inside a container.

Container

Each container is a tying together of cgroups, namespaces and a union file system (UFS). That is all a container is, although from the inside the container looks like its own OS.

Namespaces isolate and limit what you can see: separate pid, net and mnt namespaces give you your own view of the system.
cgroups - how much you can use: memory, CPU.

Processes are isolated per namespace: if you have a myapp1 PID namespace, it cannot see any PID from the myapp2 PID namespace.

The access to resources is controlled by the cgroups.
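To make the "just processes" point concrete, here is an added example (not code from the original post) that reads a process's namespace inodes and cgroup membership from /proc on Linux. A child spawned the ordinary way shares every namespace with its parent; a containerized process differs only in which inodes and which cgroup path those /proc entries name. The /proc paths are real; the sample cgroup lines quoted in the parser docstring are constructed.

```python
"""Read a process's namespaces and cgroup from /proc (Linux); constructed demo, not the post's code."""
import os
import subprocess
import sys

NS_KINDS = ("pid", "net", "mnt", "uts", "ipc", "user")

def namespace_ids(pid="self"):
    """Map kind -> target of /proc/<pid>/ns/<kind>, e.g. 'pid:[4026531836]'.
    Processes whose links name the same inode share that namespace."""
    ids = {}
    for kind in NS_KINDS:
        try:
            ids[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:  # kind unsupported, no /proc (non-Linux), or pid gone
            pass
    return ids

def shared_namespaces(pid_a, pid_b):
    """Namespace kinds that processes a and b have in common (sorted)."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return sorted(kind for kind in a if b.get(kind) == a[kind])

def parse_cgroup_lines(lines):
    """Parse /proc/<pid>/cgroup lines into {controllers: cgroup path}.
    v1 lines look like '4:memory:/docker/<id>'; the single v2 line looks like
    '0::/system.slice/app' and is stored under the key 'v2'."""
    result = {}
    for line in lines:
        line = line.strip()
        if line:
            _hierarchy_id, controllers, path = line.split(":", 2)
            result[controllers or "v2"] = path
    return result

def cgroup_of(pid="self"):
    """Live cgroup membership; {} where /proc/<pid>/cgroup does not exist."""
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            return parse_cgroup_lines(f)
    except OSError:
        return {}

def demo():
    """Spawn a plain child: it inherits every parent namespace (a runtime would put it in fresh ones)."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(30)"])
    try:
        return shared_namespaces(os.getpid(), child.pid)
    finally:
        child.kill()
        child.wait()
```

Run the same functions against the PID of a process started by a container runtime and the pid, mnt and net entries will name different inodes, which is the whole difference between "a container" and "a process".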

UFS - a union file system combines multiple directories into one, so you get the illusion of a single directory.
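The union idea, as an added toy example (not the post's code): image layers are plain directories stacked top-down, and a '.wh.<name>' marker, the whiteout convention used in OCI image layer tarballs, hides a file that a lower layer still ships. The sample layers are constructed in a temporary directory and the file names in them are invented; a real overlay mount records whiteouts differently on disk, but the lookup rule is the same.

```python
"""Toy union file system: resolve paths across stacked image layers (constructed
demo, not the post's code; '.wh.' is the OCI layer-tarball whiteout convention)."""
import os
import tempfile

WHITEOUT = ".wh."  # '.wh.<name>' in a layer hides <name> in every layer below it

def union_lookup(layers, relpath):
    """Real file backing relpath, or None if absent or whited out. layers[0]
    is the top layer; lower layers are consulted only if nothing above decides."""
    dirname, name = os.path.split(relpath)
    for layer in layers:
        if os.path.lexists(os.path.join(layer, dirname, WHITEOUT + name)):
            return None  # deleted at this level: copies further down stay hidden
        candidate = os.path.join(layer, relpath)
        if os.path.lexists(candidate):
            return candidate
    return None

def union_listdir(layers, reldir="."):
    """Merged listing {name: layer that provides it}; upper entries shadow lower."""
    provided, hidden = {}, set()
    for layer in layers:
        d = os.path.join(layer, reldir)
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            if entry.startswith(WHITEOUT):
                hidden.add(entry[len(WHITEOUT):])
            elif entry not in provided and entry not in hidden:
                provided[entry] = layer
    return provided

def write_file(layer, relpath, text):
    path = os.path.join(layer, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def build_demo_layers():
    """Constructed sample: base OS layer, app layer, top layer that deletes a file."""
    root = tempfile.mkdtemp(prefix="ufs-demo-")
    base, app, top = (os.path.join(root, n) for n in ("base", "app", "top"))
    write_file(base, "etc/os-release", "base image")
    write_file(base, "etc/build.key", "build-time secret that must not ship")
    write_file(app, "etc/app.conf", "app settings")
    write_file(app, "etc/os-release", "app image overrides base")
    write_file(top, "etc/" + WHITEOUT + "build.key", "")  # rm recorded as whiteout
    return [top, app, base]  # ordered top-down, as a union mount stacks them
```

Note that the whited-out file is still present in the base layer's directory; it is only invisible through the union view, which is why secrets that were ever written into a lower image layer should be treated as still shipped.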
