5. @jorgemoralespou / @gordillo_ramon
Linux Containers
Kernel namespaces: sandboxing processes from one another
Control Groups (cgroups): control process resource allocations
Security: capabilities drop (seccomp), Mandatory Access Control (SELinux, AppArmor)
6. @jorgemoralespou / @gordillo_ramon
Cgroups and Namespaces
Cgroups:
● cpu (cpu shares)
● cpuacct
● cpuset (limit processes to a CPU)
● memory (swap, dirty pages)
● blkio (throttle reads/writes)
● devices
● net_prio (packet class and priority)
● freezer
Namespaces:
● pid (processes)
● net (network interfaces, routing)
● ipc (System V IPC)
● mnt (mount points, filesystems)
● uts (hostname)
● user (UIDs)
10. @jorgemoralespou / @gordillo_ramon
History of Containers
2000: Jails added to FreeBSD
2001: Linux-VServer project
2003: SELinux added to Linux mainline
2005: Full release of Solaris Zones
2006: Generic Process Containers
2007: GPC renamed Control Groups
2008: Kernel and user namespaces
2008: Linux Container project (LXC)
2013: DotCloud PyCon lightning talk
2013: DotCloud becomes Docker
2013: Red Hat Enterprise Linux
2015: Google Kubernetes
2015: RHT container platform
2016: Standards via OCI and CNCF
11. @jorgemoralespou / @gordillo_ramon
History of Java
[Timeline figure, 1996 to 2018: JDK 1.0, JDK 1.2, J2SE 1.3, J2SE 1.4, J2SE 5, Java SE 6, Java SE 7, Java SE 8 (March 2014), Java SE 9, Java SE 10, Java SE 11; the latest releases are annotated with the 6-month release cadence]
https://en.wikipedia.org/wiki/Java_version_history
23. @jorgemoralespou / @gordillo_ramon
Alternative
When your Java < 8u131
Fabric8 run-java.sh
● Set ratio for container memory
● Set max memory for the container
● Set number of cores available for the container
29. @jorgemoralespou / @gordillo_ramon
Red Hat JDK 8 memory options for containers (512 MB)
-Xms64m: min and initial heap memory (25% of max heap)
-Xmx256m: max heap memory (50% of the container's max memory)
-XX:MaxMetaspaceSize=100m: max memory for metaspace
-XX:+UnlockExperimentalVMOptions: enables UseCGroupMemoryLimitForHeap
-XX:+UseCGroupMemoryLimitForHeap: throw an OutOfMemoryError if memory exceeds the cgroup max memory. Deprecated since JDK 10, as the same behaviour is built in by default.
-XX:+ExitOnOutOfMemoryError: when this option is enabled, the JVM exits on the first occurrence of an out-of-memory error
33. @jorgemoralespou / @gordillo_ramon
Red Hat JDK 8 CPU options for containers (1 CPU)
-XX:ParallelGCThreads=1: the number of garbage collector threads can be controlled with this command-line option.
-Djava.util.concurrent.ForkJoinPool.common.parallelism=1: the fork/join framework speeds up parallel processing by attempting to use all available processor cores, which it does through a divide-and-conquer approach. This parameter sets the parallelism of the common pool.
-XX:CICompilerCount=2: sets the number of compiler threads to use for JIT compilation.
34. @jorgemoralespou / @gordillo_ramon
Red Hat JDK 8 GC options for containers (1 CPU)
-XX:+UseParallelOldGC: the parallel collector performs minor collections in parallel; parallel compaction is a feature that enables the parallel collector to perform major collections in parallel as well.
-XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20: by default, the virtual machine grows or shrinks the heap at each collection to try to keep the proportion of free space to live objects within a specific range. This target range is set as a percentage by these parameters.
-XX:GCTimeRatio=4: the throughput goal is measured in terms of the time spent doing garbage collection versus the time spent outside of garbage collection. A value of 4 sets a goal of 1/5, or 20%, of the total time in garbage collection.
-XX:AdaptiveSizePolicyWeight=90: controls how much previous GC times are taken into account when checking the timing goal. A value of 90 bases the timing goal check 10% on previous GC times and 90% on the current GC time.
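The memory and CPU flags on the last three slides, and the ratio/max-memory/core settings that run-java.sh exposes on the "Alternative" slide, all derive from the same two cgroup limits. The script below is an added example (my own, not run-java.sh and not the authors' code) that reads the cgroup v1 memory limit and CPU quota of the container it runs in and turns them into the JAVA_OPTS string the slides describe: heap at 50% of the container memory, -Xms at 25% of the heap, and GC / fork-join parallelism equal to the number of cores the CPU quota allows. The ratio and the file paths are passed in or defaulted so the functions can be exercised outside a container; the 512 MiB / 1 CPU fallback values are constructed to match the slides.

```shell
#!/bin/sh
# Added example: size a JVM from cgroup v1 limits (not run-java.sh, not the deck's code).
# Values are passed as arguments so the logic can be tested without a real cgroup.

# heap_mb RATIO_PERCENT LIMIT_BYTES -> max heap in MB.
# Prints 0 when the cgroup reports no limit (cgroup v1 uses a value near 2^63 for that).
heap_mb() {
  limit_mb=$(( $2 / 1048576 ))
  if [ "$limit_mb" -gt 4194304 ]; then echo 0; return; fi   # > 4 TiB: treat as unlimited
  echo $(( limit_mb * $1 / 100 ))
}

# cores QUOTA_US PERIOD_US -> usable cores, rounded up; 1 when the quota is -1 (no limit)
cores() {
  if [ "$1" -le 0 ]; then echo 1; return; fi
  echo $(( ($1 + $2 - 1) / $2 ))
}

# jvm_opts RATIO_PERCENT LIMIT_BYTES QUOTA_US PERIOD_US -> the flag string for JAVA_OPTS,
# using the ratios from the slides (Xms = 25% of Xmx, GC and fork-join threads = cores).
jvm_opts() {
  xmx=$(heap_mb "$1" "$2")
  n=$(cores "$3" "$4")
  opts="-XX:ParallelGCThreads=$n -XX:CICompilerCount=2 -Djava.util.concurrent.ForkJoinPool.common.parallelism=$n -XX:+ExitOnOutOfMemoryError"
  if [ "$xmx" -gt 0 ]; then
    opts="-Xmx${xmx}m -Xms$(( xmx / 4 ))m $opts"
  fi
  echo "$opts"
}

# Read the live cgroup v1 values when running inside a limited container; otherwise
# fall back to constructed sample values matching the slides (512 MiB, 1 CPU).
MEM=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 536870912)
QUOTA=$(cat /sys/fs/cgroup/cpu/cpu.cfs_quota_us 2>/dev/null || echo 100000)
PERIOD=$(cat /sys/fs/cgroup/cpu/cpu.cfs_period_us 2>/dev/null || echo 100000)
JAVA_OPTS=$(jvm_opts 50 "$MEM" "$QUOTA" "$PERIOD")
echo "JAVA_OPTS=$JAVA_OPTS"
# A container entrypoint would continue with:  exec java $JAVA_OPTS -jar app.jar
```

With the sample values the script prints `-Xmx256m -Xms64m -XX:ParallelGCThreads=1 ...`, i.e. the flags from the 512 MB / 1 CPU slides. On a JDK 8u131+ or JDK 10+ runtime the heap part is what the JVM's own cgroup awareness computes for you; the thread counts are still worth setting explicitly because the kubelet enforces the CPU limit as a CFS quota, not as fewer visible cores.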
39. @jorgemoralespou / @gordillo_ramon
JIT
[Figure: CPU usage over time, with a spike at startup]
Because JIT compilation happens at startup, there is a high spike in CPU usage while applications start up.
NOTE: Containers might need more CPU to start than to run later, or startup time will increase.
41. @jorgemoralespou / @gordillo_ramon
Kubernetes resource allocation: Explained
Configuration
● Requests: minimum amount of CPU/memory for the container to run
● Limits: maximum CPU/memory the container can use or grow to
Quality of service
[Figure: the three QoS classes, BestEffort, Burstable and Guaranteed, drawn as requested vs. limit vs. allocated resources]
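The QoS figure above only names the three classes; the rule that assigns them, and the way requests and limits become the cgroup values from the earlier slides, are what matter when sizing the JVM. The script below is an added example (my own, not from the deck) that classifies a single-container pod from its requests and limits and prints the cgroup v1 values the kubelet derives from them: cpu.shares from the CPU request (1024 per core, minimum 2), cpu.cfs_quota_us from the CPU limit against the default 100000 us period, and memory.limit_in_bytes from the memory limit. CPU is given in millicores and memory in MiB, with 0 meaning "not set"; the three sample pods at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not the deck's code): Kubernetes QoS class and derived cgroup v1 values
# for a single-container pod. Arguments: CPU_REQ_M CPU_LIM_M MEM_REQ_MI MEM_LIM_MI.

# qos_class -> Guaranteed | Burstable | BestEffort
qos_class() {
  cr=$1; cl=$2; mr=$3; ml=$4
  # an unset request defaults to the limit, as the API server does
  if [ "$cr" -eq 0 ]; then cr=$cl; fi
  if [ "$mr" -eq 0 ]; then mr=$ml; fi
  if [ "$cr" -eq 0 ] && [ "$cl" -eq 0 ] && [ "$mr" -eq 0 ] && [ "$ml" -eq 0 ]; then
    echo BestEffort
  elif [ "$cl" -gt 0 ] && [ "$ml" -gt 0 ] && [ "$cr" -eq "$cl" ] && [ "$mr" -eq "$ml" ]; then
    echo Guaranteed
  else
    echo Burstable
  fi
}

# cpu_shares CPU_REQ_M -> cpu.shares: relative weight under contention, 1024 per core, min 2
cpu_shares() {
  if [ "$1" -eq 0 ]; then echo 2; return; fi
  s=$(( $1 * 1024 / 1000 ))
  if [ "$s" -lt 2 ]; then s=2; fi
  echo "$s"
}

# cpu_quota_us CPU_LIM_M -> cpu.cfs_quota_us for the 100000 us period; -1 means unlimited
cpu_quota_us() {
  if [ "$1" -eq 0 ]; then printf '%d\n' -1; return; fi
  echo $(( $1 * 100 ))
}

# mem_limit_bytes MEM_LIM_MI -> memory.limit_in_bytes; 0 means no limit
mem_limit_bytes() { echo $(( $1 * 1048576 )); }

# describe CPU_REQ_M CPU_LIM_M MEM_REQ_MI MEM_LIM_MI -> one summary line
describe() {
  echo "$(qos_class "$@") cpu.shares=$(cpu_shares "$1") cpu.cfs_quota_us=$(cpu_quota_us "$2") memory.limit_in_bytes=$(mem_limit_bytes "$4")"
}

# constructed sample pods
describe 500 500 256 256    # Guaranteed: requests equal limits
describe 250 1000 128 512   # Burstable: can burst up to 1 CPU for the JIT spike at startup
describe 0 0 0 0            # BestEffort: no reservation, evicted first under memory pressure
```

The Burstable sample is the pattern the JIT slide argues for: a low CPU request keeps the pod schedulable while the higher limit gives the JVM the cores it needs during startup compilation. Note that the JVM's heap sizing (previous example) keys off the memory limit, which is why a memory limit should always be set for Java pods even when the request is lower.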