Preface

Containerization, also called operating-system-level virtualization, is a virtualization technique in which a single operating-system kernel is shared: instead of one user-space instance, the kernel runs several independent, isolated user-space instances (containers) side by side.

The author's group is currently migrating its services to containers, and it is worth knowing why a technology is being adopted. Based on the author's own understanding of containers and cloud virtualization, this article compares how the two are implemented and introduces some container basics.

Main text

Cloud services and virtualization

Cloud computing is both a computing model and a business model built on the Internet: scattered IT resources are pooled into a shared resource pool and offered to users dynamically and elastically as large-scale compute and storage services. Every company is now "on the cloud", but at what level does the cloud actually provide its services?

Building services the old way

Before cloud services, an application had to be built from the bottom up: purchase the hardware, install the operating system and kernel on the servers, and deploy the service yourself.

Three different layers of cloud services

After the concept of cloud computing was introduced, IT services could be roughly divided into three layered models, as shown in the figure below:

  1. Infrastructure-as-a-Service (IaaS) is the most basic layer. The virtual servers that individuals and companies buy from XX cloud are IaaS: when purchasing, you only choose the machine's hardware configuration and never bear the cost of maintaining physical hardware. After purchasing the VM, you choose and install its kernel and operating system yourself.

OpenStack, the open source IaaS framework that was popular a few years ago, works at this layer. Its basic principle: enable virtualization on each physical host, pool the hosts' compute, memory, storage and network resources into one large resource pool through virtualization, and then let the IaaS service carve allocations out of that pool, for example a virtual machine with a 50 GB disk, 4 cores and 8 GB of memory.

  2. Compared with IaaS, Platform-as-a-Service (PaaS) hides the details of the hardware and kernel and provides only a base platform for applications to run on. When building our own services we then only need to care about the outermost operating-system layer, which is the layer our container service corresponds to.

  3. Software-as-a-Service (SaaS) provides the whole service solution from top to bottom. You need not care about the architecture or data storage at any layer; you only customize your own service. This kind of service appears mostly in B2B scenarios, where voting and ordering systems are everywhere.

Each step up in abstraction leaves business developers fewer things to worry about, which frees manpower. But the more a layer is abstracted and unified, the less it can be reused or customized for particular business scenarios, a trade-off we have to weigh when choosing.

Container technology

In the three-layer model above, PaaS corresponds to containerized services: when building a containerized service we do not care about the underlying hardware or kernel version and can focus on the application.

Container operating-system virtualization

A container is started from a base image that contains the operating system and the application software. In this respect it resembles the virtual machine at the core of IaaS: both start from an image, build a separate, isolated space and run services inside it. But containers differ fundamentally from virtual machines. As the figure below shows, a virtual machine is a heavyweight form of virtualization: using the host's hardware virtualization capability it constructs a complete set of virtual hardware, and the guest kernel and operating system are built on top of that. A container only packages the operating-system userland and shares the kernel and hardware with the host, which makes it lightweight: the image need not contain a kernel, and the difference in start-up time is obvious. A virtual machine starts in minutes, while a container carrying an application starts in seconds.

Container resource isolation

Since each application needs its own independent, isolated runtime environment, resource isolation naturally covers memory, CPU, processes, the file system, the network and so on. A virtual machine is the obvious way to get this; how do containers achieve it? Start with two features of the Linux kernel: cgroups and namespaces, which provide resource (hardware) control and resource encapsulation respectively.

Control groups (cgroups) are a Linux kernel feature that limits and isolates the system resources used by a group of processes. Each kind of resource is managed by its own subsystem (controller). Some of the resources a cgroup subsystem can limit:

Subsystem   Resource limited
cpu         CPU time available to the cgroup
memory      Accounts for and limits the cgroup's memory use, including swap
devices     Controls which devices the cgroup may access
blkio       Limits the cgroup's block I/O rate
net_prio    Sets the network traffic priority of the cgroup's sockets
...         ...

A namespace wraps a global kernel resource so that each namespace has its own independent instance of it: processes in different namespaces use "the same" resource without interfering with each other.

Namespace   Resource isolated
network     Network devices, stacks, ports and routing tables
IPC         System V IPC and POSIX message queues
PID         Process IDs
user        User and group IDs
...         ...

There is much more to cgroups and namespaces, and to the system calls behind them, that this article will not go into.

With these two kernel features we can isolate and limit a process's resources. But on their own they do not give the container its own view of the file system (a file system separate from the host's): the mount namespace isolates the mount table, but something must supply the directory tree. That is the role of the rootfs (root file system). The rootfs is the container image, holding the base directories of an operating system such as /bin and /etc (with /proc mounted at start-up). The rootfs is split into read-only and read-write layers: the read-only layers are the base image, and the read-write layer lets us change files on top of the image, each change being recorded as an increment at the file level (copy-on-write).

These three mechanisms give a container its most basic capabilities: resource isolation, resource limits and an independent file system. The Docker engine wraps these capabilities nicely, so users need only the Docker API to control a container's whole life cycle.
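To make the three mechanisms concrete, here is an added example (not code from the article, and not Docker's own code): a minimal container launcher that clones a child into fresh PID, UTS, mount, IPC and network namespaces, caps its memory through a cgroup v2 directory, and confines it to a rootfs. The assumptions are labelled in the code: Linux with the unified cgroup hierarchy mounted at /sys/fs/cgroup, root privileges, a cgroup directory named /sys/fs/cgroup/demo, and an extracted distribution rootfs in ./rootfs (for instance from `docker export`).

```go
// Added example: a minimal container launcher on namespaces + cgroup v2 + a rootfs.
// Assumptions: Linux, cgroup v2 at /sys/fs/cgroup, run as root, rootfs in ./rootfs.
// Usage: sudo go run . /bin/sh   (then try `hostname`, `ps`, `cat /proc/self/cgroup`)
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
)

// nsFlags maps the namespace names from the table above to clone(2) flags.
// An unknown name is an error: better to refuse than start with less isolation than asked for.
func nsFlags(names []string) (uintptr, error) {
	table := map[string]uintptr{
		"pid": syscall.CLONE_NEWPID, "net": syscall.CLONE_NEWNET,
		"ipc": syscall.CLONE_NEWIPC, "uts": syscall.CLONE_NEWUTS,
		"mnt": syscall.CLONE_NEWNS, "user": syscall.CLONE_NEWUSER,
	}
	var flags uintptr
	for _, n := range names {
		f, ok := table[strings.ToLower(strings.TrimSpace(n))]
		if !ok {
			return 0, fmt.Errorf("unknown namespace %q", n)
		}
		flags |= f
	}
	return flags, nil
}

// cgroupV2Path extracts the unified-hierarchy path from the contents of
// /proc/<pid>/cgroup; on cgroup v2 that is the line of the form "0::/path".
func cgroupV2Path(content string) (string, bool) {
	for _, line := range strings.Split(content, "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) == 3 && parts[0] == "0" && parts[1] == "" {
			return parts[2], true
		}
	}
	return "", false
}

func must(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}

// parent clones the child into new namespaces, then places it in a memory-limited cgroup.
func parent() {
	flags, err := nsFlags([]string{"pid", "uts", "mnt", "ipc", "net"})
	must(err)
	cmd := exec.Command("/proc/self/exe", append([]string{"child"}, os.Args[1:]...)...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	cmd.SysProcAttr = &syscall.SysProcAttr{Cloneflags: flags}
	must(cmd.Start())

	cg := "/sys/fs/cgroup/demo" // assumed cgroup directory for this demo
	must(os.MkdirAll(cg, 0o755))
	must(os.WriteFile(filepath.Join(cg, "memory.max"), []byte("67108864"), 0o644)) // 64 MiB cap
	must(os.WriteFile(filepath.Join(cg, "cgroup.procs"), []byte(strconv.Itoa(cmd.Process.Pid)), 0o644))
	if raw, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", cmd.Process.Pid)); err == nil {
		if p, ok := cgroupV2Path(string(raw)); ok {
			fmt.Println("child placed in cgroup", p)
		}
	}
	cmd.Wait()
	os.Remove(cg) // an empty cgroup directory can simply be rmdir'ed
}

// child runs inside the new namespaces: set hostname, enter the rootfs, mount /proc, exec.
func child() {
	must(syscall.Sethostname([]byte("container")))
	// Make mounts private so the /proc mount below does not propagate back to the host.
	must(syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""))
	must(syscall.Chroot("./rootfs")) // real runtimes use pivot_root; chroot keeps the demo short
	must(os.Chdir("/"))
	must(syscall.Mount("proc", "/proc", "proc", 0, "")) // the new PID namespace needs its own /proc
	argv := os.Args[2:]
	if len(argv) == 0 {
		argv = []string{"/bin/sh"}
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	runErr := cmd.Run()
	syscall.Unmount("/proc", 0)
	must(runErr)
}

func main() {
	if len(os.Args) > 1 && os.Args[1] == "child" {
		child()
		return
	}
	parent()
}
```

Inside the shell, `hostname` prints "container", `ps` shows the shell as PID 1, and `cat /proc/self/cgroup` shows the demo cgroup; allocating more than 64 MiB gets the process OOM-killed rather than the host. On a host still using cgroup v1 the memory files live under a different mount (memory.limit_in_bytes), and the parent would need to be adapted.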

Other questions

While learning the basics of containers, some questions come up, for example: if the container shares the host's kernel, how is a mismatch between operating systems and versions handled?

  1. A CentOS 6 host starting a container from an Ubuntu 16 image

What Linux presents to user programs is really two separate layers: the kernel, which exposes the system-call interface on top of the hardware, and the operating-system distribution, which is the userland built on that interface. The two are separate concepts, which is why a kernel vulnerability can be fixed by upgrading only the kernel, with minimal other changes. Containers take advantage of this split: the rootfs is the distribution's userland, and it can run on any kernel version that meets its requirements. But when the host kernel lacks features that the image's operating system needs, the usual result is an error and a container that fails to start.
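A practical check for this situation, as an added example that is not part of the original article: because the kernel is shared, uname(2) inside a container reports the host's kernel release, so the host release can be compared against the minimum the image's userland tolerates before the container is started. The minimum of 3.2 used in main is an assumption for illustration, not a figure taken from the article; the parser handles vendor suffixes such as "-1160.el7.x86_64".

```go
// Added example, not from the article: compare the host kernel release with
// the minimum kernel an image's userland needs. Assumes Linux (syscall.Uname).
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// parseRelease reads the leading major.minor[.patch] of a kernel release
// string such as "3.10.0-1160.el7.x86_64"; anything after the numeric
// prefix (vendor build, architecture) is ignored.
func parseRelease(rel string) (major, minor, patch int, err error) {
	end := 0
	for end < len(rel) && (rel[end] == '.' || (rel[end] >= '0' && rel[end] <= '9')) {
		end++
	}
	parts := strings.Split(rel[:end], ".")
	if len(parts) < 2 {
		return 0, 0, 0, fmt.Errorf("unparseable kernel release %q", rel)
	}
	nums := make([]int, 0, 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, convErr := strconv.Atoi(parts[i])
		if convErr != nil {
			return 0, 0, 0, fmt.Errorf("bad component %q in release %q", parts[i], rel)
		}
		nums = append(nums, n)
	}
	for len(nums) < 3 { // "4.19" means 4.19.0
		nums = append(nums, 0)
	}
	return nums[0], nums[1], nums[2], nil
}

// kernelAtLeast reports whether release rel is at least major.minor.
func kernelAtLeast(rel string, major, minor int) (bool, error) {
	a, b, _, err := parseRelease(rel)
	if err != nil {
		return false, err
	}
	return a > major || (a == major && b >= minor), nil
}

// hostRelease returns the running kernel's release string via uname(2);
// a container on this host would see exactly the same string.
func hostRelease() (string, error) {
	var u syscall.Utsname
	if err := syscall.Uname(&u); err != nil {
		return "", err
	}
	b := make([]byte, 0, len(u.Release))
	for _, c := range u.Release {
		if c == 0 {
			break
		}
		b = append(b, byte(c))
	}
	return string(b), nil
}

func main() {
	rel, err := hostRelease()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Assumed minimum for illustration only: the image's libc needs kernel >= 3.2.
	ok, err := kernelAtLeast(rel, 3, 2)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("host kernel %s satisfies the assumed minimum 3.2: %v\n", rel, ok)
}
```

The actual floor depends on the image: the C library inside the rootfs is built against a minimum kernel, and when the host kernel is older its programs refuse to start, which is the boot failure described above.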

  2. Linux images on Windows and macOS

If starting a Linux container means reusing the host kernel, how did Docker in recent years come to support containers on Windows and macOS? When a Windows host starts a Windows image, Windows's own Windows Server Container technology isolates and limits the processes. For Linux images, Hyper-V on Windows (and a comparable lightweight hypervisor on macOS) starts a Linux virtual machine, and Linux containers are then provided on top of that VM. This goes full circle: containers inside the VM keep their lightweight start-up, while the VM gives the feature its cross-platform reach.

Other Docker container concepts

Besides images, clustered container services (Kubernetes) have the concepts of pod and node. As the figure below shows, a node is a host, and pods are allocated onto nodes. A pod can start several containers, and the containers in a pod share resources, so a pod can carry a helper container alongside the main one for middleware functions: log cleanup, or service registration and discovery for microservices (the sidecar of a service mesh).

Conclusion

This article is based on the author's process of learning containers from scratch; along the way, many questions about isolation and kernel-version support were put to the operations colleagues in the group. It compares the virtualization used by cloud services with the container implementation, and sketches the principles behind container resource isolation, resource limits and the root file system. I hope it helps with a first understanding of containers.
