OS Support

Linux has no native support for containers as such.

  • The kernel has no concept of a "container": there is no container object, system call or data structure.

A container is simply a set of kernel configurations that define an environment applied to a process (and its children).

  • Namespaces: isolation and virtualization of each tenant's view of the system.

  • Cgroups: control the resources each tenant may consume (CPU, RAM, I/O).

Underlying technologies

  • Namespaces.

    • (mnt, pid, net, ipc, uts/hostname, user IDs).

  • Cgroups.

    • (cpu, memory, disk, I/O: resource management).

  • AppArmor, SELinux.

    • (security / access control).

  • Seccomp.

    • Restricts the system calls a process may invoke (computation isolation).

  • chroot.

    • File system isolation.

Namespaces

The mechanism used to isolate and virtualize the system's resources.

  • Processes in a namespace cannot see resources outside it.

    • They see their namespace as if it were the whole host.

Network namespace.

  • A mechanism that allows network resources to be created almost independently of the host's.

    • Network interfaces, routing tables.

  • A network interface can only belong to a single namespace.

PID namespace.

  • A restricted namespace with private process identifiers.

    • Host processes are invisible.
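A practical way to see the namespace membership the notes describe is to read the /proc/<pid>/ns/* symlinks: each link resolves to "kind:[inode]", and two processes share a namespace of a given kind exactly when the inode numbers match. The script below is an added example written for these notes (it is not code from the original page); it assumes a Linux /proc and that the caller may read the target process's ns directory, and the parsing helpers are pure functions so they work anywhere.

```python
"""Inspect which Linux namespaces a process lives in, via /proc/<pid>/ns/*.

Added example (not part of the original notes). Assumes a Linux /proc; the
parsing helpers take the link text as input and do not touch the filesystem.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Namespace kinds to inspect; the notes list mnt, pid, net, ipc, uts and user.
NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")

# readlink("/proc/<pid>/ns/pid") yields text such as "pid:[4026531836]"
_NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(link_target: str) -> Optional[Tuple[str, int]]:
    """Parse 'pid:[4026531836]' into ('pid', 4026531836).

    Returns None for anything that is not a namespace link.
    """
    m = _NS_LINK.match(link_target.strip())
    if not m:
        return None
    return m.group("kind"), int(m.group("inode"))


def namespace_ids(pid) -> Dict[str, int]:
    """Return {kind: inode} for every namespace of `pid` the caller may read.

    Two processes whose inode numbers match for a kind share that namespace.
    Returns an empty dict when /proc is unavailable (non-Linux) or unreadable.
    """
    result: Dict[str, int] = {}
    base = f"/proc/{pid}/ns"
    for kind in NS_KINDS:
        try:
            parsed = parse_ns_link(os.readlink(os.path.join(base, kind)))
        except OSError:
            continue  # missing kind on old kernels, or permission denied
        if parsed:
            result[parsed[0]] = parsed[1]
    return result


def differing_namespaces(a: Dict[str, int], b: Dict[str, int]) -> List[str]:
    """Kinds present in both maps but with different inodes.

    These are exactly the resources in which the two processes are isolated
    from each other (their own pid numbering, their own network stack, ...).
    """
    return sorted(k for k in a.keys() & b.keys() if a[k] != b[k])


if __name__ == "__main__":
    me = namespace_ids("self")
    init = namespace_ids(1)
    print("self  :", me)
    print("pid 1 :", init)
    print("isolated from pid 1 in:", differing_namespaces(me, init))
```

Run on the host against a containerized process's host-side PID and the pid, mnt, net, ipc and uts kinds will differ. Run inside the container, pid 1 is the container's own init and every kind matches, which is the "they see their namespace as the host" point made above.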

Cgroups

The mechanism used to restrict or monitor the amount of resources used by groups of processes ("control groups").

  • Processes can be organized into groups, and access to resources is controlled per group.

    • Example: CPU scheduling control.

      • Limit the amount of CPU time a group of processes may use.

    • Other uses:

      • Memory, I/O, pids, ...
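To check which of these limits actually apply to a running process (the defender's question when verifying that a workload is really constrained), one can locate its cgroup from /proc/<pid>/cgroup and read the cpu.max, memory.max and pids.max files up the hierarchy. The script below is an added example written for these notes, not code from the original page; it assumes the cgroup v2 unified hierarchy mounted at /sys/fs/cgroup, and the file-format parsers are pure functions so they can be exercised without a cgroup filesystem.

```python
"""Read the effective cgroup v2 CPU / memory / pids limits of a process.

Added example (not part of the original notes). Assumes cgroup v2 mounted at
/sys/fs/cgroup; the parse_* helpers only operate on file contents.
"""
import os
from typing import Dict, Optional

CGROUP_ROOT = "/sys/fs/cgroup"


def parse_proc_cgroup(text: str) -> Optional[str]:
    """Return the cgroup v2 path from the content of /proc/<pid>/cgroup.

    A v2 line looks like '0::/user.slice/app.scope'. v1 lines carry a
    non-empty controller list ('4:cpu,cpuacct:/...') and are ignored.
    """
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[0] == "0" and parts[1] == "":
            return parts[2]
    return None


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max is '<quota> <period>' in microseconds, or 'max <period>'.

    Returns the number of CPUs the group may use, or None for unlimited:
    '50000 100000' -> 0.5 CPU.
    """
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_max_or_int(text: str) -> Optional[int]:
    """memory.max (bytes) and pids.max (count) are an integer or 'max'."""
    text = text.strip()
    return None if text == "max" else int(text)


# file name and parser for each limit kind the notes mention
_LIMIT_FILES = {
    "cpu": ("cpu.max", parse_cpu_max),
    "memory": ("memory.max", parse_max_or_int),
    "pids": ("pids.max", parse_max_or_int),
}


def read_limits(pid="self") -> Dict[str, Optional[float]]:
    """Walk from the process's cgroup up to the root and return the most
    restrictive cpu/memory/pids limit seen (an ancestor's limit also bounds
    every descendant). Returns {} when cgroup v2 is not available.
    """
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            path = parse_proc_cgroup(f.read())
    except OSError:
        return {}
    if path is None:
        return {}
    limits: Dict[str, Optional[float]] = {k: None for k in _LIMIT_FILES}
    node = path
    while True:
        for key, (fname, parser) in _LIMIT_FILES.items():
            try:
                with open(os.path.join(CGROUP_ROOT, node.lstrip("/"), fname)) as f:
                    val = parser(f.read())
            except (OSError, ValueError):
                continue  # root cgroup has no cpu.max/memory.max; skip it
            if val is not None and (limits[key] is None or val < limits[key]):
                limits[key] = val
        if node in ("/", ""):
            break
        node = os.path.dirname(node)
    return limits


if __name__ == "__main__":
    # None means "no limit at any level of the hierarchy"
    print(read_limits())
```

A process that reports None for every key is not resource-constrained at all, whatever the orchestration layer claims; the script only needs read access to /proc and /sys/fs/cgroup, so it can run unprivileged inside the workload being checked.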
