SlideShare a Scribd company logo

Docker 原理與實作

kao kuo-tung
kao kuo-tung

the technology behind docker. This is for osdc.tw 2014

Technology
1 of 39
Download to read offline
docker 原理與實作 果凍
簡介 ● 任職於迎廣科技 ○ python ○ openstack ● http://about.me/ya790206 ● http://blog.blackwhite.tw/ ● https://github.com/ya790206/call_seq
Agenda ● linux kernel namespace ● seccomp ● cgroup ● lxc ● docker
docker ● lightweight, portable, self- sufficient containers. ● the process running in the container is isolated from the process running in the other container.
Linux startup process ● Linux startup process ○ Boot loader -> ○ Kernel -> ○ Init process ● Difference between Linux distros: ○ package manager ○ init
Docker Autofs lxc Kernel namespaces Apparmor and SELinux profiles Seccomp policies Control groups Kernel capabilities Chroots btrfs
kernel namespace ● The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. ● Private view
kernel pid namespace root pid namespace pid 1 (pid 1) pid namespace x pid 2 (pid 2) pid 3 (pid 1) pid 4 (pid 2) ● black: the real pid. ● red: the pid process use getpid to get.
kernel namespace Mount namespaces UTS namespaces PID namespaces Network namespaces User namespaces IPC namespaces
int child_pid = clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | SIGCHLD, NULL); ● https://gist.github.com/ya790206/9855021
尾巴沒藏好
int child_pid = clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL); mount("proc", "/proc", "proc", 0, NULL); ● https://gist.github.com/ya790206/9855094
seccomp ● A process running in seccomp mode is severely limited in what it can do; ● there are only four system calls - read(), write(), exit(), and sigreturn() to already- open file descriptors.
libseccomp example https://gist.github. com/ya790206/9579145
cgroup ● This work was started by engineers at Google ● Resource limiting ● Prioritization ● Accounting ● Control
cgroup ○ blkio — this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, USB, etc.). ○ cpu — this subsystem uses the scheduler to provide cgroup tasks access to the CPU. ○ cpuacct — this subsystem generates automatic reports on CPU resources used by tasks in a cgroup. ○ cpuset — this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. ○ devices — this subsystem allows or denies access to devices by tasks in a cgroup. ○ freezer — this subsystem suspends or resumes tasks in a cgroup. ○ memory — this subsystem sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks. ○ net_cls — this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task. ○ net_prio — this subsystem provides a way to dynamically set the priority of network traffic per network interface. ○ ns — the namespace subsystem.
cgroup freezer ● The cgroup freezer is useful to batch job management system which start and stop sets of tasks in order to schedule the resources of a machine according to the desires of a system administrator.
$ mount -t cgroup - ofreezer freezer /<path>/freezer /<path>/freezer: root cgroup tasks other file my /<path>/freezer/my: sub cgroup tasks other file $ mkdir /<path>/freezer/my all process pid
cgroup freezer $ mount -t cgroup -ofreezer freezer /<path>/freezer $ ch /<path>/freezer/; ls cgroup.clone_children cgroup.event_control cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks 1. mkdir my_group;cd mygroup 2. echo $some_pid > tasks 3. echo FROZEN > freezer.state 4. echo THAWED > freezer.state
other cgroup ● memory cgroup: ○ limit process memoroy usage. ○ show various statistics ● blkio cgroup: ○ change widget ○ show various statistics
lxc ● LXC is a userspace interface for the Linux kernel containment features. ● Container templates ● A set of standard tools to control the containers
lxc host os container A process 1 process 2 container B process 3 process 4 process x A can see BA B A B A can see B. B can see A.
lxc 1. lxc-create -n test-container -t ubuntu 2. lxc-ls --fancy 3. lxc-start -n test-container 4. lxc-console -n test-container 5. lxc-stop -n test-container 6. lxc-destroy -n test-container
start vs execute ● start: ○ boot linux system ● execute: ○ execute program directly ○ make sure you have "/usr/lib/lxc/lxc-init" in your container
sudo lxc-checkpoint -name p1 --statefile a ● output: ○ lxc-checkpoint: 'checkpoint' function not implemented
linux aufs ● It allows files and directories of separate filesystem to co-exist under a single directories. /tmp/union /tmp/a /tmp/b /tmp/c
# apt-get install aufs-tools # mount -t aufs -o br=/tmp/a:/tmp/b none /tmp/union/ # mount -t aufs -o br=/tmp/a=rw:/tmp/b=rw none /tmp/union
docker vs lxc ● docker is based on lxc ● docker can create image from text file. ● docker seldom boot system. ● docker provide user-friendly interface ● docker use less disk space.(aufs)
docker running containers process rootfs stopped containers rootfs image commit r u n s t o p s t a r t rootfs
rootfs in container image: rw ZZZ image: ro XXX image: ro ubuntu image: ro rootfs in image image: ro ZZZ image: ro XXX image: ro ubuntu image: ro a u f s a u f s
taiwan.py site dockerfile FROM ubuntu:12.10 RUN apt-get update RUN apt-get install -y python-dev RUN apt-get install -y python-pip RUN apt-get install -y git RUN pip install mynt RUN git clone https://github.com/lucemia/taiwan.py RUN mynt gen -f taiwan.py/src/ taiwan.py/build/ EXPOSE 8000 CMD cd taiwan.py/build/ && python -m SimpleHTTPServer
How to run 1. cat dockerfile | sudo docker build -t taiwanpy - 2. docker run -p 8000:9000 taiwanpy 3. docker stop xxx 4. docker start xxx 5. docker stop xxx 6. docker rm xxx 7. docker rmi taiwanpy
simple docker shell ● https://github. com/ya790206/misc_tools/tree/ma ster/docker_wrapper
Summary ● Namespace for virtualization. ● Cgroup for controlling a group of process. ● Conatiner and host system use the same kernel. ● Docker is similar to lxc. But docker is easy to use.
Question
Thank you
參考資料 - kernel namespace ● Namespaces in operation, part 1: namespaces overview ● PaaS under the hood, episode 1: kernel namespaces ● Introduction to Linux namespaces – Part 1: UTS
參考資料 - cgruop ● cgroup ● http://en.wikipedia. org/wiki/Cgroups
參考書目 ● Linux Kernel Hacks:改善效能、提昇開發效率 及節能的技巧與工具

Recommended

Docker 101 - from 0 to Docker in 30 minutes
Docker 101 - from 0 to Docker in 30 minutesDocker 101 - from 0 to Docker in 30 minutes
Docker 101 - from 0 to Docker in 30 minutesLuciano Fiandesio
 
Docker 初探,實驗室中的運貨鯨
Docker 初探,實驗室中的運貨鯨Docker 初探,實驗室中的運貨鯨
Docker 初探,實驗室中的運貨鯨Ruoshi Ling
 
Academy PRO: Docker. Part 1
Academy PRO: Docker. Part 1Academy PRO: Docker. Part 1
Academy PRO: Docker. Part 1Binary Studio
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)Ruoshi Ling
 
Academy PRO: Docker. Part 2
Academy PRO: Docker. Part 2Academy PRO: Docker. Part 2
Academy PRO: Docker. Part 2Binary Studio
 
Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Henryk Konsek
 
Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Binary Studio
 
Docker for mere mortals
Docker for mere mortalsDocker for mere mortals
Docker for mere mortalsHenryk Konsek
 

Recommended

Docker 101 - from 0 to Docker in 30 minutes
Docker 101 - from 0 to Docker in 30 minutesDocker 101 - from 0 to Docker in 30 minutes
Docker 101 - from 0 to Docker in 30 minutesLuciano Fiandesio
 
Docker 初探,實驗室中的運貨鯨
Docker 初探,實驗室中的運貨鯨Docker 初探,實驗室中的運貨鯨
Docker 初探,實驗室中的運貨鯨Ruoshi Ling
 
Academy PRO: Docker. Part 1
Academy PRO: Docker. Part 1Academy PRO: Docker. Part 1
Academy PRO: Docker. Part 1Binary Studio
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)Ruoshi Ling
 
Academy PRO: Docker. Part 2
Academy PRO: Docker. Part 2Academy PRO: Docker. Part 2
Academy PRO: Docker. Part 2Binary Studio
 
Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Henryk Konsek
 
Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Binary Studio
 
Docker for mere mortals
Docker for mere mortalsDocker for mere mortals
Docker for mere mortalsHenryk Konsek
 
Docker n co
Docker n coDocker n co
Docker n coRohit Jnagal
 
Ansible docker
Ansible dockerAnsible docker
Ansible dockerQNIB Solutions
 
Demystifying kubernetes
Demystifying kubernetesDemystifying kubernetes
Demystifying kubernetesWorks Applications
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on DockerRightScale
 
Intro- Docker Native for OSX and Windows
Intro- Docker Native for OSX and WindowsIntro- Docker Native for OSX and Windows
Intro- Docker Native for OSX and WindowsThomas Chacko
 
Academy PRO: Docker. Lecture 3
Academy PRO: Docker. Lecture 3Academy PRO: Docker. Lecture 3
Academy PRO: Docker. Lecture 3Binary Studio
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Docker / Ansible
Docker / AnsibleDocker / Ansible
Docker / AnsibleStephane Manciot
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerJustyna Ilczuk
 
The state of the swarm
The state of the swarmThe state of the swarm
The state of the swarmMathieu Buffenoir
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdockerJaehwa Park
 
Docker at Flux7
Docker at Flux7Docker at Flux7
Docker at Flux7Aater Suleman
 
Docker Compose to Production with Docker Swarm
Docker Compose to Production with Docker SwarmDocker Compose to Production with Docker Swarm
Docker Compose to Production with Docker SwarmMario IC
 
Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
Container Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerContainer Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerDocker, Inc.
 
Tech Talk - Vagrant
Tech Talk - VagrantTech Talk - Vagrant
Tech Talk - VagrantThomas Krille
 
Running Docker with OpenStack | Docker workshop #1
Running Docker with OpenStack | Docker workshop #1Running Docker with OpenStack | Docker workshop #1
Running Docker with OpenStack | Docker workshop #1dotCloud
 
GDG Lima - Docker Compose
GDG Lima - Docker ComposeGDG Lima - Docker Compose
GDG Lima - Docker ComposeMario IC
 
Docker composeで開発環境をメンバに配布せよ
Docker composeで開発環境をメンバに配布せよDocker composeで開発環境をメンバに配布せよ
Docker composeで開発環境をメンバに配布せよYusuke Kon
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesJérôme Petazzoni
 
Understanding and building Your Own Docker
Understanding and building Your Own DockerUnderstanding and building Your Own Docker
Understanding and building Your Own DockerMotiejus Jakštys
 
LSA2 - 02 Namespaces
LSA2 - 02 NamespacesLSA2 - 02 Namespaces
LSA2 - 02 NamespacesMarian Marinov
 

More Related Content

What's hot

Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on DockerRightScale
 
Intro- Docker Native for OSX and Windows
Intro- Docker Native for OSX and WindowsIntro- Docker Native for OSX and Windows
Intro- Docker Native for OSX and WindowsThomas Chacko
 
Academy PRO: Docker. Lecture 3
Academy PRO: Docker. Lecture 3Academy PRO: Docker. Lecture 3
Academy PRO: Docker. Lecture 3Binary Studio
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and HowSneha Inguva
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to dockerJustyna Ilczuk
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdockerJaehwa Park
 
Docker Compose to Production with Docker Swarm
Docker Compose to Production with Docker SwarmDocker Compose to Production with Docker Swarm
Docker Compose to Production with Docker SwarmMario IC
 
Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
Container Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerContainer Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerDocker, Inc.
 
Running Docker with OpenStack | Docker workshop #1
Running Docker with OpenStack | Docker workshop #1Running Docker with OpenStack | Docker workshop #1
Running Docker with OpenStack | Docker workshop #1dotCloud
 
GDG Lima - Docker Compose
GDG Lima - Docker ComposeGDG Lima - Docker Compose
GDG Lima - Docker ComposeMario IC
 
Docker composeで開発環境をメンバに配布せよ
Docker composeで開発環境をメンバに配布せよDocker composeで開発環境をメンバに配布せよ
Docker composeで開発環境をメンバに配布せよYusuke Kon
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesJérôme Petazzoni
 

What's hot (20)

Docker n co
Docker n coDocker n co
Docker n co
 
Ansible docker
Ansible dockerAnsible docker
Ansible docker
 
Demystifying kubernetes
Demystifying kubernetesDemystifying kubernetes
Demystifying kubernetes
 
Perspectives on Docker
Perspectives on DockerPerspectives on Docker
Perspectives on Docker
 
Intro- Docker Native for OSX and Windows
Intro- Docker Native for OSX and WindowsIntro- Docker Native for OSX and Windows
Intro- Docker Native for OSX and Windows
 
Academy PRO: Docker. Lecture 3
Academy PRO: Docker. Lecture 3Academy PRO: Docker. Lecture 3
Academy PRO: Docker. Lecture 3
 
Containers: The What, Why, and How
Containers: The What, Why, and HowContainers: The What, Why, and How
Containers: The What, Why, and How
 
Docker / Ansible
Docker / AnsibleDocker / Ansible
Docker / Ansible
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 
The state of the swarm
The state of the swarmThe state of the swarm
The state of the swarm
 
Docker 활용법: dumpdocker
Docker 활용법: dumpdockerDocker 활용법: dumpdocker
Docker 활용법: dumpdocker
 
Docker at Flux7
Docker at Flux7Docker at Flux7
Docker at Flux7
 
Docker Compose to Production with Docker Swarm
Docker Compose to Production with Docker SwarmDocker Compose to Production with Docker Swarm
Docker Compose to Production with Docker Swarm
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Container Torture: Run any binary, in any container
Container Torture: Run any binary, in any containerContainer Torture: Run any binary, in any container
Container Torture: Run any binary, in any container
 
Tech Talk - Vagrant
Tech Talk - VagrantTech Talk - Vagrant
Tech Talk - Vagrant
 
Running Docker with OpenStack | Docker workshop #1
Running Docker with OpenStack | Docker workshop #1Running Docker with OpenStack | Docker workshop #1
Running Docker with OpenStack | Docker workshop #1
 
GDG Lima - Docker Compose
GDG Lima - Docker ComposeGDG Lima - Docker Compose
GDG Lima - Docker Compose
 
Docker composeで開発環境をメンバに配布せよ
Docker composeで開発環境をメンバに配布せよDocker composeで開発環境をメンバに配布せよ
Docker composeで開発環境をメンバに配布せよ
 
Docker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los AngelesDocker 0.11 at MaxCDN meetup in Los Angeles
Docker 0.11 at MaxCDN meetup in Los Angeles
 

Viewers also liked

Understanding and building Your Own Docker
Understanding and building Your Own DockerUnderstanding and building Your Own Docker
Understanding and building Your Own DockerMotiejus Jakštys
 
Обзор Linux Control Groups
Обзор Linux Control GroupsОбзор Linux Control Groups
Обзор Linux Control GroupsOSLL
 
Пространства имен Linux (linux namespaces)
Пространства имен Linux (linux namespaces)Пространства имен Linux (linux namespaces)
Пространства имен Linux (linux namespaces)OSLL
 
Docker 基礎介紹與實戰
Docker 基礎介紹與實戰Docker 基礎介紹與實戰
Docker 基礎介紹與實戰Bo-Yi Wu
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Docker Plugin for Heat
Docker Plugin for HeatDocker Plugin for Heat
Docker Plugin for HeatDocker, Inc.
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Jérôme Petazzoni
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersKernel TLV
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConJérôme Petazzoni
 

Viewers also liked (10)

Understanding and building Your Own Docker
Understanding and building Your Own DockerUnderstanding and building Your Own Docker
Understanding and building Your Own Docker
 
LSA2 - 02 Namespaces
LSA2 - 02 NamespacesLSA2 - 02 Namespaces
LSA2 - 02 Namespaces
 
Обзор Linux Control Groups
Обзор Linux Control GroupsОбзор Linux Control Groups
Обзор Linux Control Groups
 
Пространства имен Linux (linux namespaces)
Пространства имен Linux (linux namespaces)Пространства имен Linux (linux namespaces)
Пространства имен Linux (linux namespaces)
 
Docker 基礎介紹與實戰
Docker 基礎介紹與實戰Docker 基礎介紹與實戰
Docker 基礎介紹與實戰
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Docker Plugin for Heat
Docker Plugin for HeatDocker Plugin for Heat
Docker Plugin for Heat
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 

Similar to Docker 原理與實作

Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganetikawamuray
 
Java in containers
Java in containersJava in containers
Java in containersMartin Baez
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroupsKernel TLV
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practiceschristophm
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...Yandex
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesWerner Fischer
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Anthony Wong
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebula
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebulaOpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebula
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebulaOpenNebula Project
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Ricardo Amaro
 

Similar to Docker 原理與實作 (20)

Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
LXC on Ganeti
LXC on GanetiLXC on Ganeti
LXC on Ganeti
 
Java in containers
Java in containersJava in containers
Java in containers
 
Advanced Namespaces and cgroups
Advanced Namespaces and cgroupsAdvanced Namespaces and cgroups
Advanced Namespaces and cgroups
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practices
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deployment
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo..."Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Lightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best PracticesLightweight Virtualization: LXC Best Practices
Lightweight Virtualization: LXC Best Practices
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebula
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebulaOpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebula
OpenNebulaConf 2016 - Storage Hands-on Workshop by Javier Fontán, OpenNebula
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Linux Kernel Debugging
Linux Kernel DebuggingLinux Kernel Debugging
Linux Kernel Debugging
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 

More from kao kuo-tung

用 Open source 改造鍵盤
用 Open source 改造鍵盤用 Open source 改造鍵盤
用 Open source 改造鍵盤kao kuo-tung
 
Immutable infrastructure 介紹與實做:以 kolla 為例
Immutable infrastructure 介紹與實做:以 kolla 為例Immutable infrastructure 介紹與實做:以 kolla 為例
Immutable infrastructure 介紹與實做:以 kolla 為例kao kuo-tung
 
Openstack swift, how does it work?
Openstack swift, how does it work?Openstack swift, how does it work?
Openstack swift, how does it work?kao kuo-tung
 
Why is a[1] fast than a.get(1)
Why is a[1] fast than a.get(1)Why is a[1] fast than a.get(1)
Why is a[1] fast than a.get(1)kao kuo-tung
 
減少重複的測試程式碼的一些方法
減少重複的測試程式碼的一些方法減少重複的測試程式碼的一些方法
減少重複的測試程式碼的一些方法kao kuo-tung
 
Openstack taskflow 簡介
Openstack taskflow 簡介Openstack taskflow 簡介
Openstack taskflow 簡介kao kuo-tung
 
Async: ways to store state
Async: ways to store stateAsync: ways to store state
Async: ways to store statekao kuo-tung
 
那些年,我們一起看的例外
那些年,我們一起看的例外那些年,我們一起看的例外
那些年,我們一起看的例外kao kuo-tung
 
Python 中 += 與 join比較
Python 中 += 與 join比較Python 中 += 與 join比較
Python 中 += 與 join比較kao kuo-tung
 
Garbage collection 介紹
Garbage collection 介紹Garbage collection 介紹
Garbage collection 介紹kao kuo-tung
 
Python 如何執行
Python 如何執行Python 如何執行
Python 如何執行kao kuo-tung
 
C python 原始碼解析 投影片
C python 原始碼解析 投影片C python 原始碼解析 投影片
C python 原始碼解析 投影片kao kuo-tung
 
recover_pdb 原理與介紹
recover_pdb 原理與介紹recover_pdb 原理與介紹
recover_pdb 原理與介紹kao kuo-tung
 

More from kao kuo-tung (16)

用 Open source 改造鍵盤
用 Open source 改造鍵盤用 Open source 改造鍵盤
用 Open source 改造鍵盤
 
Immutable infrastructure 介紹與實做:以 kolla 為例
Immutable infrastructure 介紹與實做:以 kolla 為例Immutable infrastructure 介紹與實做:以 kolla 為例
Immutable infrastructure 介紹與實做:以 kolla 為例
 
Python to scala
Python to scalaPython to scala
Python to scala
 
Intorduce to Ceph
Intorduce to CephIntorduce to Ceph
Intorduce to Ceph
 
Openstack swift, how does it work?
Openstack swift, how does it work?Openstack swift, how does it work?
Openstack swift, how does it work?
 
Why is a[1] fast than a.get(1)
Why is a[1] fast than a.get(1)Why is a[1] fast than a.get(1)
Why is a[1] fast than a.get(1)
 
減少重複的測試程式碼的一些方法
減少重複的測試程式碼的一些方法減少重複的測試程式碼的一些方法
減少重複的測試程式碼的一些方法
 
Openstack taskflow 簡介
Openstack taskflow 簡介Openstack taskflow 簡介
Openstack taskflow 簡介
 
Async: ways to store state
Async: ways to store stateAsync: ways to store state
Async: ways to store state
 
Openstack 簡介
Openstack 簡介Openstack 簡介
Openstack 簡介
 
那些年,我們一起看的例外
那些年,我們一起看的例外那些年,我們一起看的例外
那些年,我們一起看的例外
 
Python 中 += 與 join比較
Python 中 += 與 join比較Python 中 += 與 join比較
Python 中 += 與 join比較
 
Garbage collection 介紹
Garbage collection 介紹Garbage collection 介紹
Garbage collection 介紹
 
Python 如何執行
Python 如何執行Python 如何執行
Python 如何執行
 
C python 原始碼解析 投影片
C python 原始碼解析 投影片C python 原始碼解析 投影片
C python 原始碼解析 投影片
 
recover_pdb 原理與介紹
recover_pdb 原理與介紹recover_pdb 原理與介紹
recover_pdb 原理與介紹
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Docker 原理與實作

  • 2. 簡介 ● 任職於迎廣科技 ○ python ○ openstack ● http://about.me/ya790206 ● http://blog.blackwhite.tw/ ● https://github.com/ya790206/call_seq
  • 3. Agenda ● linux kernel namespace ● seccomp ● cgroup ● lxc ● docker
  • 4. docker ● lightweight, portable, self- sufficient containers. ● the process running in the container is isolated from the process running in the other container.
  • 5. Linux startup process ● Linux startup process ○ Boot loader -> ○ Kernel -> ○ Init process ● Difference between Linux distros: ○ package manager ○ init
  • 6. Docker Autofs lxc Kernel namespaces Apparmor and SELinux profiles Seccomp policies Control groups Kernel capabilities Chroots btrfs
  • 7. kernel namespace ● The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. ● Private view
  • 8. kernel pid namespace root pid namespace pid 1 (pid 1) pid namespace x pid 2 (pid 2) pid 3 (pid 1) pid 4 (pid 2) ● black: the real pid. ● red: the pid process use getpid to get.
  • 9. kernel namespace Mount namespaces UTS namespaces PID namespaces Network namespaces User namespaces IPC namespaces
  • 10. int child_pid = clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | SIGCHLD, NULL); ● https://gist.github.com/ya790206/9855021
  • 12. int child_pid = clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL); mount("proc", "/proc", "proc", 0, NULL); ● https://gist.github.com/ya790206/9855094
  • 13. seccomp ● A process running in seccomp mode is severely limited in what it can do; ● there are only four system calls - read(), write(), exit(), and sigreturn() to already- open file descriptors.
  • 15. cgroup ● This work was started by engineers at Google ● Resource limiting ● Prioritization ● Accounting ● Control
  • 16. cgroup ○ blkio — this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, USB, etc.). ○ cpu — this subsystem uses the scheduler to provide cgroup tasks access to the CPU. ○ cpuacct — this subsystem generates automatic reports on CPU resources used by tasks in a cgroup. ○ cpuset — this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. ○ devices — this subsystem allows or denies access to devices by tasks in a cgroup. ○ freezer — this subsystem suspends or resumes tasks in a cgroup. ○ memory — this subsystem sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks. ○ net_cls — this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task. ○ net_prio — this subsystem provides a way to dynamically set the priority of network traffic per network interface. ○ ns — the namespace subsystem.
  • 17. cgroup freezer ● The cgroup freezer is useful to batch job management system which start and stop sets of tasks in order to schedule the resources of a machine according to the desires of a system administrator.
  • 18. $ mount -t cgroup - ofreezer freezer /<path>/freezer /<path>/freezer: root cgroup tasks other file my /<path>/freezer/my: sub cgroup tasks other file $ mkdir /<path>/freezer/my all process pid
  • 19. cgroup freezer $ mount -t cgroup -ofreezer freezer /<path>/freezer $ ch /<path>/freezer/; ls cgroup.clone_children cgroup.event_control cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks 1. mkdir my_group;cd mygroup 2. echo $some_pid > tasks 3. echo FROZEN > freezer.state 4. echo THAWED > freezer.state
  • 20. other cgroup ● memory cgroup: ○ limit process memoroy usage. ○ show various statistics ● blkio cgroup: ○ change widget ○ show various statistics
  • 21. lxc ● LXC is a userspace interface for the Linux kernel containment features. ● Container templates ● A set of standard tools to control the containers
  • 22. lxc host os container A process 1 process 2 container B process 3 process 4 process x A can see BA B A B A can see B. B can see A.
  • 23. lxc 1. lxc-create -n test-container -t ubuntu 2. lxc-ls --fancy 3. lxc-start -n test-container 4. lxc-console -n test-container 5. lxc-stop -n test-container 6. lxc-destroy -n test-container
  • 24. start vs execute ● start: ○ boot linux system ● execute: ○ execute program directly ○ make sure you have "/usr/lib/lxc/lxc-init" in your container
  • 25. sudo lxc-checkpoint -name p1 --statefile a ● output: ○ lxc-checkpoint: 'checkpoint' function not implemented
  • 26. linux aufs ● It allows files and directories of separate filesystem to co-exist under a single directories. /tmp/union /tmp/a /tmp/b /tmp/c
  • 27. # apt-get install aufs-tools # mount -t aufs -o br=/tmp/a:/tmp/b none /tmp/union/ # mount -t aufs -o br=/tmp/a=rw:/tmp/b=rw none /tmp/union
  • 28. docker vs lxc ● docker is based on lxc ● docker can create image from text file. ● docker seldom boot system. ● docker provide user-friendly interface ● docker use less disk space.(aufs)
  • 30. rootfs in container image: rw ZZZ image: ro XXX image: ro ubuntu image: ro rootfs in image image: ro ZZZ image: ro XXX image: ro ubuntu image: ro a u f s a u f s
  • 31. taiwan.py site dockerfile FROM ubuntu:12.10 RUN apt-get update RUN apt-get install -y python-dev RUN apt-get install -y python-pip RUN apt-get install -y git RUN pip install mynt RUN git clone https://github.com/lucemia/taiwan.py RUN mynt gen -f taiwan.py/src/ taiwan.py/build/ EXPOSE 8000 CMD cd taiwan.py/build/ && python -m SimpleHTTPServer
  • 32. How to run 1. cat dockerfile | sudo docker build -t taiwanpy - 2. docker run -p 8000:9000 taiwanpy 3. docker stop xxx 4. docker start xxx 5. docker stop xxx 6. docker rm xxx 7. docker rmi taiwanpy
  • 33. simple docker shell ● https://github. com/ya790206/misc_tools/tree/ma ster/docker_wrapper
  • 34. Summary ● Namespace for virtualization. ● Cgroup for controlling a group of process. ● Conatiner and host system use the same kernel. ● Docker is similar to lxc. But docker is easy to use.
  • 37. 參考資料 - kernel namespace ● Namespaces in operation, part 1: namespaces overview ● PaaS under the hood, episode 1: kernel namespaces ● Introduction to Linux namespaces – Part 1: UTS
  • 38. 參考資料 - cgruop ● cgroup ● http://en.wikipedia. org/wiki/Cgroups
  • 39. 參考書目 ● Linux Kernel Hacks:改善效能、提昇開發效率 及節能的技巧與工具