The document provides an overview of the evolution of Linux container virtualization, covering key concepts like virtualization, Linux containers, and associated technologies such as Docker, CoreOS, and Kubernetes. It elaborates on critical Linux kernel features including namespaces, cgroups, AppArmor, SELinux, seccomp, and chroot, which enable the creation and management of containers. Additionally, the document discusses the architecture and functionalities of Docker and Kubernetes in container management and deployment.

1. Evolution of Linux
Container Virtualization
Imesh Gunaratne
Technical Lead, WSO2
Committer & PMC Member, Apache Stratos

2. Agenda
● Virtualization
● Linux Containers
● LXC
● Docker
● CoreOS
● Kubernetes

3. Virtualization

4. Virtualization
In computing, refers to the act of creating a
virtual (rather than actual) version of
something, including but not limited to a
virtual computer hardware platform, operating
system (OS), storage device, or computer
network resources.
http://en.wikipedia.org/wiki/Virtualization

5. Hypervisor
A hypervisor or virtual machine monitor (VMM)
is a piece of computer software, firmware or
hardware that creates and runs virtual
machines.
http://en.wikipedia.org/wiki/Hypervisor

6. Linux Containers

7. Linux Containers
Linux Container Brief for IEEE WG P2302, Boden Russell

8. Linux Containers
An operating system–level virtualization
method for running multiple isolated Linux
systems (containers) on a single control host.
http://en.wikipedia.org/wiki/LXC

9. Linux Kernel Features used by Linux
Containers
● Namespaces
● cgroups
● AppArmor
● SELinux
● seccomp
● chroot

10. Namespaces
Wraps global system resources in an
abstraction that makes it appear to the
processes that they have their own isolated
instance of the global resource.
Included in Linux Kernel 2.4.19
http://lwn.net/Articles/531114/

11. Namespaces
Currently, Linux implements six different types
of namespaces:
1. mnt (mount points, filesystems)
2. pid (processes)
3. net (network stack)
4. ipc (inter-process communication)
5. uts (hostname)
6. user (user ids)
http://www.cs.ucsb.edu/~rich/class/cs290-cloud/papers/lxc-namespace.pdf

12. cgroups (Control Groups)
A Linux kernel feature to limit, account, and
isolate resource usage (CPU, memory, disk I/O,
etc.) of process groups.
Started by engineers in Google in 2007 and
merged into the Linux Kernel 2.6.24
http://en.wikipedia.org/wiki/Cgroups

13. cgroups (Control Groups)
● Access: which devices can be used per
cgroup
● Resource limiting: memory, CPU, device
accessibility, block I/O, etc
● Prioritization: who gets more of the CPU,
memory, etc
● Accounting: resource usage per cgroup
● Control: freezing & checkpointing
http://en.wikipedia.org/wiki/Cgroups

14. AppArmor
AppArmor is a Linux security module
implemented using the Linux Security Modules
(LSM) kernel interface.
It allows the system administrator to associate
with each program a security profile that
restricts the capabilities of that program.
http://en.wikipedia.org/wiki/AppArmor

15. SELinux (Security Enhanced Linux)
SELinux is a Linux kernel security module that
provides a mechanism for supporting access
control on security policies for programs.
Originally developed by the United States
National Security Agency (NSA).
Included in Linux kernel 2.6.0-test3, released
on 8 August 2003
http://en.wikipedia.org/wiki/Security-Enhanced_Linux

16. SELinux - How it works
● Compiled into the Linux kernel
● Package security policies in the distribution
● Policies in most distributions are applied
only to system processes, not user
processes
● Checks database of rules on syscalls
● Policies allows/denies what a daemon can
access and how
● Prevents daemons compromise affecting
other files/users/etc (namespaces)
SELinux for Everyday Users, PaulWay

17. seccomp (Secure Computing Mode)
● seccomp is a secure-computing facility that
provides an application sandboxing
mechanism in the Linux kernel.
● Provides isolation for computing
● It allows a process to make a one-way
transition into a "secure" state where it
cannot make any system calls except exit(),
sigreturn(), read() and write().
http://en.wikipedia.org/wiki/Seccomp

18. seccomp (Secure Computing Mode)
It was merged into the Linux kernel mainline in
version 2.6.12, released on March 8, 2005.
http://en.wikipedia.org/wiki/Seccomp

19. chroot
http://www.lorien.ch/server/chroot.html

20. chroot
A chroot on Unix operating systems is an
operation that changes the root directory for
the current running process and its children.
A program that is run in such a modified
environment cannot name (and therefore
normally not access) files outside the
designated directory tree.
http://en.wikipedia.org/wiki/Chroot

21. chroot
The modified environment is called a "chroot
jail"
Introduced in version 7 Unix in 1979, and added
to BSD by Bill Joy on 18 March 1982
http://en.wikipedia.org/wiki/Chroot

22. LXC
A Hypervisor for Linux Containers

23. LXC Engine: A Hypervisor for
Containers
Linux Container Brief for IEEE WG P2302, Boden Russell

24. LXC (LinuX Containers)
LXC is an operating system–level virtualization
method for running multiple isolated Linux
systems (containers) on a single control host.
● From the inside it looks like a VM
● From the outside it looks like a normal
process
● Provides lightweight virtualization

25. Kernel Features used by LXC
● Kernel namespaces (ipc, uts, mount, pid,
network and user)
● Control groups (cgroups)
● Apparmor and SELinux profiles
● Seccomp policies
● Chroots (using pivot_root)
● Kernel capabilities

27. Docker
Docker is an open platform for developers and
sysadmins to build, ship, and run distributed
applications.
● Initially developed by dotCloud
● Original version written in Python, now
written in Go
● A very young project (started March, 2013),
but with a huge community

28. Problem: Shipping Software
Introduction to Docker, Jérôme Petazzoni

29. Solution: Linux Container
Introduction to Docker, Jérôme Petazzoni

30. Solved
Introduction to Docker, Jérôme Petazzoni

31. Virtual Machines Vs Docker

32. Docker Architecture
Enterprise Docker, Adrien BLIND, Aurelien GABET, Arnaud MAZIN

33. Docker - Hello World
# Get one base Docker image
>docker pull ubuntu
# List Docker images available
>docker images
# Run hello world
>docker run ubuntu:14.04 echo "hello world"
Docker Paris Meetup, Victor Vieux, dotCloud Inc

34. Detached mode
# Run hello world in detached mode (-d)
>docker run -d ubuntu sh -c "while true; do echo
hello world; sleep 1; done"
# Get container’s ID
>docker ps
# Attach to the container
>docker attach <container-id>
# Stop/start/restart the container
>docker stop <container-id>
Docker Paris Meetup, Victor Vieux, dotCloud Inc

36. CoreOS
CoreOS is a new Linux distribution that has
been re-architected to provide features needed
to run modern infrastructure stacks.

37. CoreOS Architecture

38. CoreOS Architecture
Fleet ties together systemd and etcd into a distributed init
system

40. Kubernetes
Kubernetes is an open source implementation
of container cluster management.

41. Kubernetes High Level Architecture

42. Kubernetes High Level Architecture

43. Kubernetes Component Architecture

44. Kubernetes Terminology
● Pod - A group of Containers
● Labels - Labels for identifying pods
● Kubelet - Container Agent
● Proxy Service - A load balancer for Pods
● etcd - A metadata service
● cAdvisor - Container Advisor provides resource
usage/performance statistics
● Replication Controller - Manages replication of
pods
● Scheduler - Schedules pods in worker nodes
● API server - Kubernetes API server

45. References
● http://en.wikipedia.org/wiki/Virtualization
● http://en.wikipedia.org/wiki/Hypervisor
● http://en.wikipedia.org/wiki/LXC
● http://www.cs.ucsb.edu/~rich/class/cs290-
cloud/papers/lxc-namespace.pdf
● http://en.wikipedia.org/wiki/Cgroups
● http://en.wikipedia.org/wiki/AppArmor
● http://en.wikipedia.org/wiki/Security-
Enhanced_Linux
● http://www.lorien.ch/server/chroot.html

46. References
● SELinux for Everyday Users, PaulWay
● http://en.wikipedia.org/wiki/Seccomp
● http://en.wikipedia.org/wiki/Chroot
● Linux Container Brief for IEEE WG P2302,
Boden Russell
● http://kubernetes.io/
● https://coreos.com