
Docker Italia: make yourself a container all your own

docker-italia.slack.com


  1. MAKE YOURSELF A CONTAINER ALL YOUR OWN!! @liuggio Giulio De Donato
  2. @liuggio welcometothebundle.com
  3. (no text)
  4. What is a Container?
  5. “I once heard that hypervisors are the living proof of operating system's incompetence” -- Glauber Costa's - LinuxCon Europe 2012
  6. ... containers ... “I would love to say months, but let's get realistic” -- Glauber Costa's - LinuxCon Europe 2012
  7. It's all about ISOLATION
  8. ?
  9. Attacks
     - while true; do mkdir x; cd x; done
     - bomb() { bomb | bomb & }; bomb
  10. GOAL OF TODAY: namespace, cgroups, ufs (http://9gag.com/gag/aGxbmGz)
  11. LXC vs DOCKER
  12. Let’s start with the first set of slides. Once upon a time ...
  13. NAMESPACE. Linux 2.6.23 (released in late 2007). 6 namespaces:
     - mnt (mount points, filesystems)
     - pid (processes)
     - net (network stack)
     - ipc (System V IPC)
     - uts (hostname)
     - user (UIDs)

     Namespaces started in about 2002.
  14. The namespaces process API consists of these 3 system calls:
     ● clone() - creates a new process and a new namespace; the newly created process is attached to the new namespace.
     ● unshare() - takes only a single parameter, flags. Does not create a new process; creates a new namespace and attaches the calling process to it.
     ● setns() - a new system call, for attaching the calling process to an existing namespace.
  15. DEMO Namespace https://gist.github.com/liuggio/114f506fbe040ac93687dc797b923cbf 1
  16. (no text)
  17. CGroups! The cgroup (control groups) subsystem is a Resource Management and Resource Accounting/Tracking solution, providing a generic process-grouping framework. It handles resources such as memory, cpu, network, and more; mostly needed at both ends of the spectrum (servers and embedded).
     ∎ Development was started by engineers at Google in 2006 under the name "process containers".
     ∎ Merged into kernel 2.6.24 (2008).
     ∎ The cgroup core has 3 maintainers, and each cgroup controller has its own maintainer (cpu, memory, io).
  18. DEMO CGROUPS https://asciinema.org/a/7w13btk2uethz2e57lgpfz5ym or https://goo.gl/NyPMFJ 3
  19. THIS IS A TREE
  20. THIS IS A TREE
  21. WHAT IS IT?
  22. DEMO UFS: apt-get install aufs-tools https://asciinema.org/~liuggio https://asciinema.org/a/41778 2
  23. (no text)
  24. Union File System
     PRO
     ∎ File level
     ∎ No caches

     CONS
     ∎ Bad performance for big files
     ∎ Not in kernel
     ∎ Too many layers are costly

     Merge 2 devices into a single directory. Combining a large, read-only file system with a small write area (like a livecd).
  25. ZFS is a combination of a volume manager (like LVM) and a filesystem (like ext4, xfs, or btrfs). ZFS is one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background.
     ● snapshots
     ● copy-on-write cloning
     ● continuous integrity checking against data corruption
     ● automatic repair
     ● efficient data compression

     2016
  26. UFS
  27. THANKS!
  28. CREDITS
     ∎ www.welcometothebundle.com/isolate-a-process-with-no-container-like-docker
     ∎ https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces
     ∎ https://www.opencontainers.org/news/faqs/who-will-be-initial-technical-leadership
     ∎ http://www.cyberciti.biz/faq/unix-linux-chroot-command-examples-usage-syntax/
     ∎ http://s0.cyberciti.org/uploads/faq/2013/01/bash-chroot-ls-demo.gif
     ∎ https://www.flockport.com/lxc-vs-docker/
     ∎ http://ramirose.wix.com/ramirosen
     ∎ https://lwn.net/Articles/532593/
     ∎ https://lwn.net/Articles/531114/
     ∎ https://lwn.net/Articles/531381/
     ∎ https://lwn.net/Articles/528078/
     ∎ https://docs.docker.com/engine/reference/run/
     ∎ http://www.netdevconf.org/1.1/proceedings/slides/rosen-namespaces-cgroups-lxc.pdf
     ∎ https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/
     ∎ https://skillsmatter.com/skillscasts/7101-building-containers-from-scratch-for-fun-and-profit
     ∎ https://docs.oracle.com/cd/E18752_01/html/817-5093/bkupsnapshot-9.html
     ∎ https://www.flickr.com/photos/15514374@N05/10164384915/in/photolist-guc8vM-eUsLmk-bUx1od-snDG6D-4EdN6w-dRNW5S-92a5Rc-bqLMQX-9W8h5y-b4nUUZ-qBTHgX-qP1gRX-bjCEPC-9tmmnk-eiz69R-dUwHXM-ff6xuP-J1cvu-7FC9CK-5QNat5-sniS97-dmWZqi-9FJL3F-e5QKNc-oaepa3-dHcamQ-4EJPTP-eB42Pm-aywhxM-eSZ6Gv-jhYq8x-cXnWtd-6HXxUg-8ZKp87-5BL32d-7g3EHP-4gc756-cBECqo-oBFK5Y-9fUMLY-e7z58s-oViSZU-pKrEsE-6J2D5b-6HXwrz-6HXxt8-9k3DeV-9k6CLy-qFGW5B-hrxHnf
     ∎ https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/
     ∎ https://docs.docker.com/engine/userguide/storagedriver/zfs-driver/
     ∎ Presentation template by SlidesCarnival
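
The unshare() call from slide 14, as an added example that is not part of the original deck: a forked child creates its own user and UTS namespaces and renames the host inside them, and the parent then checks that its own hostname is unchanged. The function name, the result codes and the hostname string are assumptions made for the illustration; unshare(2) is invoked through syscall(2).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWUTS */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (hypothetical names, chosen for this example). */
enum { NS_ISOLATED = 1, NS_REFUSED = 0, NS_LEAKED = -1, NS_ERROR = -2 };

/* unshare(2) through syscall(2): no new process, the caller itself moves. */
static int unshare_ns(int flags) { return (int)syscall(SYS_unshare, flags); }

/* Fork a child that unshares user+UTS namespaces and renames the host there;
 * report whether the parent's view of the hostname stayed untouched. */
int uts_isolation_check(void) {
    char before[256] = {0}, after[256] = {0};
    if (gethostname(before, sizeof before - 1) != 0) return NS_ERROR;

    pid_t pid = fork();
    if (pid < 0) return NS_ERROR;
    if (pid == 0) {
        /* The new user namespace grants CAP_SYS_ADMIN over the new UTS one. */
        if (unshare_ns(CLONE_NEWUSER | CLONE_NEWUTS) != 0) _exit(2);
        const char *name = "constructed-demo-host";   /* constructed value */
        if (sethostname(name, strlen(name)) != 0) _exit(3);
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return NS_ERROR;
    if (gethostname(after, sizeof after - 1) != 0) return NS_ERROR;
    if (strcmp(before, after) != 0) return NS_LEAKED;   /* change escaped */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return NS_ISOLATED;
    return NS_REFUSED;   /* kernel or sandbox policy denied the namespaces */
}

int main(void) {
    int r = uts_isolation_check();
    printf("%s\n", r == NS_ISOLATED ? "child renamed its own UTS namespace; parent unchanged"
                 : r == NS_REFUSED  ? "namespace creation refused (policy or privileges)"
                                    : "unexpected result");
    return r < 0;
}
```

On hosts where unprivileged user namespaces are disabled, or inside a seccomp-restricted container, the check reports NS_REFUSED instead of NS_ISOLATED.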
