kao kuo-tung, profile picture
Uploaded bykao kuo-tung
4,959 views

Docker 原理與實作

This document discusses Docker concepts and implementation in Chinese. It covers Linux kernel namespaces, seccomp, cgroups, LXC, and Docker. Namespaces isolate processes and resources between containers. Cgroups control resource limits and prioritization. LXC provides containerization tools while Docker builds on these concepts and provides an easy-to-use interface for containers. The document also provides examples of using namespaces, cgroups, LXC, and building Docker images.

Embed presentation

Downloaded 209 times
docker 原理與實作 果凍
簡介 ● 任職於迎廣科技 ○ python ○ openstack ● http://about.me/ya790206 ● http://blog.blackwhite.tw/ ● https://github.com/ya790206/call_seq
Agenda ● linux kernel namespace ● seccomp ● cgroup ● lxc ● docker
docker ● lightweight, portable, self- sufficient containers. ● the process running in the container is isolated from the process running in the other container.
Linux startup process ● Linux startup process ○ Boot loader -> ○ Kernel -> ○ Init process ● Difference between Linux distros: ○ package manager ○ init
Docker Autofs lxc Kernel namespaces Apparmor and SELinux profiles Seccomp policies Control groups Kernel capabilities Chroots btrfs
kernel namespace ● The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. ● Private view
kernel pid namespace root pid namespace pid 1 (pid 1) pid namespace x pid 2 (pid 2) pid 3 (pid 1) pid 4 (pid 2) ● black: the real pid. ● red: the pid process use getpid to get.
kernel namespace Mount namespaces UTS namespaces PID namespaces Network namespaces User namespaces IPC namespaces
int child_pid = clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | SIGCHLD, NULL); ● https://gist.github.com/ya790206/9855021
尾巴沒藏好
int child_pid = clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL); mount("proc", "/proc", "proc", 0, NULL); ● https://gist.github.com/ya790206/9855094
seccomp ● A process running in seccomp mode is severely limited in what it can do; ● there are only four system calls - read(), write(), exit(), and sigreturn() to already- open file descriptors.
libseccomp example https://gist.github. com/ya790206/9579145
cgroup ● This work was started by engineers at Google ● Resource limiting ● Prioritization ● Accounting ● Control
cgroup ○ blkio — this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, USB, etc.). ○ cpu — this subsystem uses the scheduler to provide cgroup tasks access to the CPU. ○ cpuacct — this subsystem generates automatic reports on CPU resources used by tasks in a cgroup. ○ cpuset — this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. ○ devices — this subsystem allows or denies access to devices by tasks in a cgroup. ○ freezer — this subsystem suspends or resumes tasks in a cgroup. ○ memory — this subsystem sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks. ○ net_cls — this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task. ○ net_prio — this subsystem provides a way to dynamically set the priority of network traffic per network interface. ○ ns — the namespace subsystem.
cgroup freezer ● The cgroup freezer is useful to batch job management system which start and stop sets of tasks in order to schedule the resources of a machine according to the desires of a system administrator.
$ mount -t cgroup - ofreezer freezer /<path>/freezer /<path>/freezer: root cgroup tasks other file my /<path>/freezer/my: sub cgroup tasks other file $ mkdir /<path>/freezer/my all process pid
cgroup freezer $ mount -t cgroup -ofreezer freezer /<path>/freezer $ ch /<path>/freezer/; ls cgroup.clone_children cgroup.event_control cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks 1. mkdir my_group;cd mygroup 2. echo $some_pid > tasks 3. echo FROZEN > freezer.state 4. echo THAWED > freezer.state
other cgroup ● memory cgroup: ○ limit process memoroy usage. ○ show various statistics ● blkio cgroup: ○ change widget ○ show various statistics
lxc ● LXC is a userspace interface for the Linux kernel containment features. ● Container templates ● A set of standard tools to control the containers
lxc host os container A process 1 process 2 container B process 3 process 4 process x A can see BA B A B A can see B. B can see A.
lxc 1. lxc-create -n test-container -t ubuntu 2. lxc-ls --fancy 3. lxc-start -n test-container 4. lxc-console -n test-container 5. lxc-stop -n test-container 6. lxc-destroy -n test-container
start vs execute ● start: ○ boot linux system ● execute: ○ execute program directly ○ make sure you have "/usr/lib/lxc/lxc-init" in your container
sudo lxc-checkpoint -name p1 --statefile a ● output: ○ lxc-checkpoint: 'checkpoint' function not implemented
linux aufs ● It allows files and directories of separate filesystem to co-exist under a single directories. /tmp/union /tmp/a /tmp/b /tmp/c
# apt-get install aufs-tools # mount -t aufs -o br=/tmp/a:/tmp/b none /tmp/union/ # mount -t aufs -o br=/tmp/a=rw:/tmp/b=rw none /tmp/union
docker vs lxc ● docker is based on lxc ● docker can create image from text file. ● docker seldom boot system. ● docker provide user-friendly interface ● docker use less disk space.(aufs)
docker running containers process rootfs stopped containers rootfs image commit r u n s t o p s t a r t rootfs
rootfs in container image: rw ZZZ image: ro XXX image: ro ubuntu image: ro rootfs in image image: ro ZZZ image: ro XXX image: ro ubuntu image: ro a u f s a u f s
taiwan.py site dockerfile FROM ubuntu:12.10 RUN apt-get update RUN apt-get install -y python-dev RUN apt-get install -y python-pip RUN apt-get install -y git RUN pip install mynt RUN git clone https://github.com/lucemia/taiwan.py RUN mynt gen -f taiwan.py/src/ taiwan.py/build/ EXPOSE 8000 CMD cd taiwan.py/build/ && python -m SimpleHTTPServer
How to run 1. cat dockerfile | sudo docker build -t taiwanpy - 2. docker run -p 8000:9000 taiwanpy 3. docker stop xxx 4. docker start xxx 5. docker stop xxx 6. docker rm xxx 7. docker rmi taiwanpy
simple docker shell ● https://github. com/ya790206/misc_tools/tree/ma ster/docker_wrapper
Summary ● Namespace for virtualization. ● Cgroup for controlling a group of process. ● Conatiner and host system use the same kernel. ● Docker is similar to lxc. But docker is easy to use.
Question
Thank you
參考資料 - kernel namespace ● Namespaces in operation, part 1: namespaces overview ● PaaS under the hood, episode 1: kernel namespaces ● Introduction to Linux namespaces – Part 1: UTS
參考資料 - cgruop ● cgroup ● http://en.wikipedia. org/wiki/Cgroups
參考書目 ● Linux Kernel Hacks:改善效能、提昇開發效率 及節能的技巧與工具

More Related Content

PDF
Docker 101 - from 0 to Docker in 30 minutes
byLuciano Fiandesio
 
PDF
Docker 初探,實驗室中的運貨鯨
byRuoshi Ling
 
PPTX
Academy PRO: Docker. Part 1
byBinary Studio
 
PDF
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
byRuoshi Ling
 
PPTX
Academy PRO: Docker. Part 2
byBinary Studio
 
PDF
Containerize! Between Docker and Jube.
byHenryk Konsek
 
PPTX
Academy PRO: Docker. Part 4
byBinary Studio
 
PDF
Docker for mere mortals
byHenryk Konsek
 
Docker 101 - from 0 to Docker in 30 minutes
byLuciano Fiandesio
 
Docker 初探,實驗室中的運貨鯨
byRuoshi Ling
 
Academy PRO: Docker. Part 1
byBinary Studio
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
byRuoshi Ling
 
Academy PRO: Docker. Part 2
byBinary Studio
 
Containerize! Between Docker and Jube.
byHenryk Konsek
 
Academy PRO: Docker. Part 4
byBinary Studio
 
Docker for mere mortals
byHenryk Konsek
 

What's hot

PDF
Docker n co
byRohit Jnagal
 
PDF
Ansible docker
byQNIB Solutions
 
PDF
Demystifying kubernetes
byWorks Applications
 
PDF
Perspectives on Docker
byRightScale
 
PPTX
Intro- Docker Native for OSX and Windows
byThomas Chacko
 
PPTX
Academy PRO: Docker. Lecture 3
byBinary Studio
 
PDF
Containers: The What, Why, and How
bySneha Inguva
 
PDF
Docker / Ansible
byStephane Manciot
 
PDF
Introduction to docker
byJustyna Ilczuk
 
PDF
The state of the swarm
byMathieu Buffenoir
 
PDF
Docker 활용법: dumpdocker
byJaehwa Park
 
PDF
Docker at Flux7
byAater Suleman
 
PDF
Docker Compose to Production with Docker Swarm
byMario IC
 
PDF
Docker introduction
byLayne Peng
 
PPTX
Container Torture: Run any binary, in any container
byDocker, Inc.
 
PDF
Tech Talk - Vagrant
byThomas Krille
 
PDF
Running Docker with OpenStack | Docker workshop #1
bydotCloud
 
PDF
GDG Lima - Docker Compose
byMario IC
 
PDF
Docker composeで開発環境をメンバに配布せよ
byYusuke Kon
 
PDF
Docker 0.11 at MaxCDN meetup in Los Angeles
byJérôme Petazzoni
 
Docker n co
byRohit Jnagal
 
Ansible docker
byQNIB Solutions
 
Demystifying kubernetes
byWorks Applications
 
Perspectives on Docker
byRightScale
 
Intro- Docker Native for OSX and Windows
byThomas Chacko
 
Academy PRO: Docker. Lecture 3
byBinary Studio
 
Containers: The What, Why, and How
bySneha Inguva
 
Docker / Ansible
byStephane Manciot
 
Introduction to docker
byJustyna Ilczuk
 
The state of the swarm
byMathieu Buffenoir
 
Docker 활용법: dumpdocker
byJaehwa Park
 
Docker at Flux7
byAater Suleman
 
Docker Compose to Production with Docker Swarm
byMario IC
 
Docker introduction
byLayne Peng
 
Container Torture: Run any binary, in any container
byDocker, Inc.
 
Tech Talk - Vagrant
byThomas Krille
 
Running Docker with OpenStack | Docker workshop #1
bydotCloud
 
GDG Lima - Docker Compose
byMario IC
 
Docker composeで開発環境をメンバに配布せよ
byYusuke Kon
 
Docker 0.11 at MaxCDN meetup in Los Angeles
byJérôme Petazzoni
 

Viewers also liked

PDF
Understanding and building Your Own Docker
byMotiejus Jakštys
 
ODP
LSA2 - 02 Namespaces
byMarian Marinov
 
PDF
Обзор Linux Control Groups
byOSLL
 
PDF
Пространства имен Linux (linux namespaces)
byOSLL
 
PPTX
Docker 基礎介紹與實戰
byBo-Yi Wu
 
PPTX
Docker Security Overview
bySreenivas Makam
 
PDF
Docker Plugin for Heat
byDocker, Inc.
 
PDF
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
byJérôme Petazzoni
 
PDF
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
PDF
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 
Understanding and building Your Own Docker
byMotiejus Jakštys
 
LSA2 - 02 Namespaces
byMarian Marinov
 
Обзор Linux Control Groups
byOSLL
 
Пространства имен Linux (linux namespaces)
byOSLL
 
Docker 基礎介紹與實戰
byBo-Yi Wu
 
Docker Security Overview
bySreenivas Makam
 
Docker Plugin for Heat
byDocker, Inc.
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
byJérôme Petazzoni
 
Namespaces and cgroups - the basis of Linux containers
byKernel TLV
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
byJérôme Petazzoni
 

Similar to Docker 原理與實作

PPTX
Realizing Linux Containers (LXC)
byBoden Russell
 
PDF
Docker and friends at Linux Days 2014 in Prague
bytomasbart
 
PPTX
Lxc – next gen virtualization for cloud intro (cloudexpo)
byBoden Russell
 
PPTX
LXC
byWu Fan-Cheng
 
PDF
Evolution of containers to kubernetes
byKrishna-Kumar
 
ODP
Linux containers & Devops
byMaciej Lasyk
 
PDF
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
bydotCloud
 
PDF
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
byDocker, Inc.
 
PDF
GDG Cloud Iasi - Docker For The Busy Developer.pdf
byathlonica
 
PDF
LXC Containers and AUFs
byDocker, Inc.
 
PDF
Virtualization which isn't: LXC (Linux Containers)
byDobrica Pavlinušić
 
PDF
Linuxcon Barcelon 2012: LXC Best Practices
bychristophm
 
PPTX
Introduction to OS LEVEL Virtualization & Containers
byVaibhav Sharma
 
PDF
Let's Containerize New York with Docker!
byJérôme Petazzoni
 
PDF
Introduction to Docker (as presented at December 2013 Global Hackathon)
byJérôme Petazzoni
 
PDF
Docker Container: isolation and security
by宇 傅
 
PDF
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
byYandex
 
PDF
Talk on PHP Day Uruguay about Docker
byWellington Silva
 
PPTX
Cgroups, namespaces and beyond: what are containers made from?
byDocker, Inc.
 
PDF
Lightweight Virtualization in Linux
bySadegh Dorri N.
 
Realizing Linux Containers (LXC)
byBoden Russell
 
Docker and friends at Linux Days 2014 in Prague
bytomasbart
 
Lxc – next gen virtualization for cloud intro (cloudexpo)
byBoden Russell
 
LXC
byWu Fan-Cheng
 
Evolution of containers to kubernetes
byKrishna-Kumar
 
Linux containers & Devops
byMaciej Lasyk
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
bydotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
byDocker, Inc.
 
GDG Cloud Iasi - Docker For The Busy Developer.pdf
byathlonica
 
LXC Containers and AUFs
byDocker, Inc.
 
Virtualization which isn't: LXC (Linux Containers)
byDobrica Pavlinušić
 
Linuxcon Barcelon 2012: LXC Best Practices
bychristophm
 
Introduction to OS LEVEL Virtualization & Containers
byVaibhav Sharma
 
Let's Containerize New York with Docker!
byJérôme Petazzoni
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
byJérôme Petazzoni
 
Docker Container: isolation and security
by宇 傅
 
"Lightweight Virtualization with Linux Containers and Docker". Jerome Petazzo...
byYandex
 
Talk on PHP Day Uruguay about Docker
byWellington Silva
 
Cgroups, namespaces and beyond: what are containers made from?
byDocker, Inc.
 
Lightweight Virtualization in Linux
bySadegh Dorri N.
 

More from kao kuo-tung

PDF
用 Open source 改造鍵盤
bykao kuo-tung
 
PPTX
Immutable infrastructure 介紹與實做:以 kolla 為例
bykao kuo-tung
 
PDF
Python to scala
bykao kuo-tung
 
PDF
Intorduce to Ceph
bykao kuo-tung
 
PDF
Openstack swift, how does it work?
bykao kuo-tung
 
PDF
Why is a[1] fast than a.get(1)
bykao kuo-tung
 
PPTX
減少重複的測試程式碼的一些方法
bykao kuo-tung
 
PDF
Openstack taskflow 簡介
bykao kuo-tung
 
PDF
Async: ways to store state
bykao kuo-tung
 
PDF
Openstack 簡介
bykao kuo-tung
 
PDF
那些年,我們一起看的例外
bykao kuo-tung
 
PDF
Python 中 += 與 join比較
bykao kuo-tung
 
PDF
Garbage collection 介紹
bykao kuo-tung
 
PDF
Python 如何執行
bykao kuo-tung
 
PDF
C python 原始碼解析 投影片
bykao kuo-tung
 
PDF
recover_pdb 原理與介紹
bykao kuo-tung
 
用 Open source 改造鍵盤
bykao kuo-tung
 
Immutable infrastructure 介紹與實做:以 kolla 為例
bykao kuo-tung
 
Python to scala
bykao kuo-tung
 
Intorduce to Ceph
bykao kuo-tung
 
Openstack swift, how does it work?
bykao kuo-tung
 
Why is a[1] fast than a.get(1)
bykao kuo-tung
 
減少重複的測試程式碼的一些方法
bykao kuo-tung
 
Openstack taskflow 簡介
bykao kuo-tung
 
Async: ways to store state
bykao kuo-tung
 
Openstack 簡介
bykao kuo-tung
 
那些年,我們一起看的例外
bykao kuo-tung
 
Python 中 += 與 join比較
bykao kuo-tung
 
Garbage collection 介紹
bykao kuo-tung
 
Python 如何執行
bykao kuo-tung
 
C python 原始碼解析 投影片
bykao kuo-tung
 
recover_pdb 原理與介紹
bykao kuo-tung
 

Recently uploaded

PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
AI in the Real World: From University to Industry
byDarvan Shvan
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Exploring-AI-Basics in Artificial Intelligence
bysharmilas219546
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 

Docker 原理與實作

  • 1.
  • 2.
    簡介 ● 任職於迎廣科技 ○ python ○openstack ● http://about.me/ya790206 ● http://blog.blackwhite.tw/ ● https://github.com/ya790206/call_seq
  • 3.
    Agenda ● linux kernelnamespace ● seccomp ● cgroup ● lxc ● docker
  • 4.
    docker ● lightweight, portable, self- sufficientcontainers. ● the process running in the container is isolated from the process running in the other container.
  • 5.
    Linux startup process ●Linux startup process ○ Boot loader -> ○ Kernel -> ○ Init process ● Difference between Linux distros: ○ package manager ○ init
  • 6.
    Docker Autofs lxc Kernel namespaces Apparmor and SELinuxprofiles Seccomp policies Control groups Kernel capabilities Chroots btrfs
  • 7.
    kernel namespace ● Thepurpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. ● Private view
  • 8.
    kernel pid namespace rootpid namespace pid 1 (pid 1) pid namespace x pid 2 (pid 2) pid 3 (pid 1) pid 4 (pid 2) ● black: the real pid. ● red: the pid process use getpid to get.
  • 9.
    kernel namespace Mount namespaces UTSnamespaces PID namespaces Network namespaces User namespaces IPC namespaces
  • 10.
    int child_pid =clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | SIGCHLD, NULL); ● https://gist.github.com/ya790206/9855021
  • 11.
  • 12.
    int child_pid =clone(child_main, child_stack+STACK_SIZE, CLONE_NEWUTS | CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL); mount("proc", "/proc", "proc", 0, NULL); ● https://gist.github.com/ya790206/9855094
  • 13.
    seccomp ● A processrunning in seccomp mode is severely limited in what it can do; ● there are only four system calls - read(), write(), exit(), and sigreturn() to already- open file descriptors.
  • 14.
  • 15.
    cgroup ● This workwas started by engineers at Google ● Resource limiting ● Prioritization ● Accounting ● Control
  • 16.
    cgroup ○ blkio —this subsystem sets limits on input/output access to and from block devices such as physical drives (disk, solid state, USB, etc.). ○ cpu — this subsystem uses the scheduler to provide cgroup tasks access to the CPU. ○ cpuacct — this subsystem generates automatic reports on CPU resources used by tasks in a cgroup. ○ cpuset — this subsystem assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. ○ devices — this subsystem allows or denies access to devices by tasks in a cgroup. ○ freezer — this subsystem suspends or resumes tasks in a cgroup. ○ memory — this subsystem sets limits on memory use by tasks in a cgroup, and generates automatic reports on memory resources used by those tasks. ○ net_cls — this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task. ○ net_prio — this subsystem provides a way to dynamically set the priority of network traffic per network interface. ○ ns — the namespace subsystem.
  • 17.
    cgroup freezer ● Thecgroup freezer is useful to batch job management system which start and stop sets of tasks in order to schedule the resources of a machine according to the desires of a system administrator.
  • 18.
    $ mount -tcgroup - ofreezer freezer /<path>/freezer /<path>/freezer: root cgroup tasks other file my /<path>/freezer/my: sub cgroup tasks other file $ mkdir /<path>/freezer/my all process pid
  • 19.
    cgroup freezer $ mount-t cgroup -ofreezer freezer /<path>/freezer $ ch /<path>/freezer/; ls cgroup.clone_children cgroup.event_control cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks 1. mkdir my_group;cd mygroup 2. echo $some_pid > tasks 3. echo FROZEN > freezer.state 4. echo THAWED > freezer.state
  • 20.
    other cgroup ● memorycgroup: ○ limit process memoroy usage. ○ show various statistics ● blkio cgroup: ○ change widget ○ show various statistics
  • 21.
    lxc ● LXC isa userspace interface for the Linux kernel containment features. ● Container templates ● A set of standard tools to control the containers
  • 22.
    lxc host os container A process1 process 2 container B process 3 process 4 process x A can see BA B A B A can see B. B can see A.
  • 23.
    lxc 1. lxc-create -ntest-container -t ubuntu 2. lxc-ls --fancy 3. lxc-start -n test-container 4. lxc-console -n test-container 5. lxc-stop -n test-container 6. lxc-destroy -n test-container
  • 24.
    start vs execute ●start: ○ boot linux system ● execute: ○ execute program directly ○ make sure you have "/usr/lib/lxc/lxc-init" in your container
  • 25.
    sudo lxc-checkpoint -namep1 --statefile a ● output: ○ lxc-checkpoint: 'checkpoint' function not implemented
  • 26.
    linux aufs ● Itallows files and directories of separate filesystem to co-exist under a single directories. /tmp/union /tmp/a /tmp/b /tmp/c
  • 27.
    # apt-get installaufs-tools # mount -t aufs -o br=/tmp/a:/tmp/b none /tmp/union/ # mount -t aufs -o br=/tmp/a=rw:/tmp/b=rw none /tmp/union
  • 28.
    docker vs lxc ●docker is based on lxc ● docker can create image from text file. ● docker seldom boot system. ● docker provide user-friendly interface ● docker use less disk space.(aufs)
  • 29.
  • 30.
    rootfs in container image: rw ZZZimage: ro XXX image: ro ubuntu image: ro rootfs in image image: ro ZZZ image: ro XXX image: ro ubuntu image: ro a u f s a u f s
  • 31.
    taiwan.py site dockerfile FROMubuntu:12.10 RUN apt-get update RUN apt-get install -y python-dev RUN apt-get install -y python-pip RUN apt-get install -y git RUN pip install mynt RUN git clone https://github.com/lucemia/taiwan.py RUN mynt gen -f taiwan.py/src/ taiwan.py/build/ EXPOSE 8000 CMD cd taiwan.py/build/ && python -m SimpleHTTPServer
  • 32.
    How to run 1.cat dockerfile | sudo docker build -t taiwanpy - 2. docker run -p 8000:9000 taiwanpy 3. docker stop xxx 4. docker start xxx 5. docker stop xxx 6. docker rm xxx 7. docker rmi taiwanpy
  • 33.
    simple docker shell ●https://github. com/ya790206/misc_tools/tree/ma ster/docker_wrapper
  • 34.
    Summary ● Namespace forvirtualization. ● Cgroup for controlling a group of process. ● Conatiner and host system use the same kernel. ● Docker is similar to lxc. But docker is easy to use.
  • 35.
  • 36.
  • 37.
    參考資料 - kernelnamespace ● Namespaces in operation, part 1: namespaces overview ● PaaS under the hood, episode 1: kernel namespaces ● Introduction to Linux namespaces – Part 1: UTS
  • 38.
    參考資料 - cgruop ●cgroup ● http://en.wikipedia. org/wiki/Cgroups
  • 39.
    參考書目 ● Linux KernelHacks:改善效能、提昇開發效率 及節能的技巧與工具