This document discusses container virtualization and key related technologies. It begins with an overview of virtualization and the hypervisor model. It then covers Linux containers and the kernel features they use like namespaces, cgroups, AppArmor, and SELinux. Popular container tools like LXC, Docker, CoreOS, and Kubernetes are introduced. The document argues that containers make it possible to run multiple isolated environments on one host more efficiently than virtual machines, improving cloud deployment.

1. Revolutionizing the Cloud
with Container Virtualization
Imesh Gunaratne
Technical Lead, WSO2
Committer & PMC Member, Apache Stratos

2. About the Presenter
Imesh Gunaratne
Technical Lead, WSO2
Committer & PMC Member, Apache Stratos
Email: imesh@wso2.com
Blog: http://imesh.gunaratne.org/blog
1

3. Agenda
2

4. 3

5. Agenda
● Virtualization
● Linux Containers
● LXC
● Docker
● CoreOS
● Kubernetes

6. Virtualization

7. Virtualization
In computing, virtualization refers to the act of
creating a virtual version of resources,
including but not limited to a virtual computer
hardware platform, operating system (OS),
storage device, or computer network
resources.
http://en.wikipedia.org/wiki/Virtualization

8. Hypervisor
A hypervisor or virtual machine monitor (VMM)
is a piece of computer software, firmware or
hardware that creates and runs virtual
machines.
http://en.wikipedia.org/wiki/Hypervisor

9. Linux Containers

10. Linux Containers
An operating system–level virtualization
method for running multiple isolated Linux
systems (containers) on a single control host.
http://en.wikipedia.org/wiki/LXC

11. Linux Containers
Linux Container Brief for IEEE WG P2302, Boden Russell

12. Linux Kernel Features used by
Linux Containers
● Namespaces
● cgroups
● AppArmor
● SELinux
● seccomp
● chroot

13. Namespaces
Wraps global system resources in an
abstraction that makes it appear to the
processes that they have their own isolated
instance of the global resource.
Included in Linux Kernel 2.4.19
http://lwn.net/Articles/531114/

14. Namespaces
Currently, Linux implements six different types
of namespaces:
1. mnt (mount points, filesystems)
2. pid (processes)
3. net (network stack)
4. ipc (inter-process communication)
5. uts (hostname)
6. user (user ids)
http://www.cs.ucsb.edu/~rich/class/cs290-cloud/papers/lxc-namespace.pdf

15. cgroups (Control Groups)
A Linux kernel feature to limit, account, and
isolate resource usage (CPU, memory, disk I/O,
etc.) of process groups.
Started by engineers at Google in 2007 and
merged into the Linux Kernel 2.6.24
http://en.wikipedia.org/wiki/Cgroups

16. cgroups Features
● Access: which devices can be used per
cgroup
● Resource limiting: memory, CPU, device
accessibility, block I/O, etc
● Prioritization: who gets more of the CPU,
memory, etc
● Accounting: resource usage per cgroup
● Control: freezing & checkpointing
http://en.wikipedia.org/wiki/Cgroups

17. AppArmor
AppArmor is a Linux security module
implemented using the Linux Security Modules
(LSM) kernel interface.
It allows the system administrator to associate
with each program a security profile that
restricts the capabilities of that program.
http://en.wikipedia.org/wiki/AppArmor

18. SELinux (Security Enhanced Linux)
SELinux is a Linux kernel security module that
provides a mechanism for supporting access
control on security policies for programs.
Originally developed by the United States
National Security Agency (NSA).
Included in Linux kernel 2.6.0-test3, released
on 8 August 2003
http://en.wikipedia.org/wiki/Security-Enhanced_Linux

19. SELinux - How it works
● Compiled into the Linux kernel
● Package security policies in the distribution
● Policies in most distributions are applied
only to system processes, not user
processes
● Checks database of rules on syscalls
● Policies allows/denies what a daemon can
access and how
● Prevents daemons compromise affecting
other files/users/etc (namespaces)
SELinux for Everyday Users, PaulWay

20. AppArmor SELinux
Pathname based system Attaches labels to all files,
processes
Auditable policies Complex policy language
Integrated GUI/Console
Lack of integrated tools,
toolset
hard to manage rules
Proficiency with 1-2 days
training
Substantial training
investment
Usability is primary goal Hard to maintain
https://www.suse.com/support/security/apparmor/features/selinux_comparison.html

21. seccomp (Secure Computing Mode)
● seccomp is a secure-computing facility that
provides an application sandboxing
mechanism in the Linux kernel.
● Provides computing virtualization
● It allows a process to make a one-way
transition into a "secure" state where it
cannot make any system calls except exit(),
sigreturn(), read() and write().
http://en.wikipedia.org/wiki/Seccomp

22. seccomp (Secure Computing Mode)
It was merged into the Linux kernel mainline in
version 2.6.12, released on March 8, 2005.
http://en.wikipedia.org/wiki/Seccomp

23. chroot
http://www.lorien.ch/server/chroot.html

24. chroot
A chroot on Unix operating systems is an
operation that changes the root directory for
the current running process and its children.
A program that is run in such a modified
environment cannot name (and therefore
normally not access) files outside the
designated directory tree.
Provides file system virtualization
http://en.wikipedia.org/wiki/Chroot

25. chroot
The modified environment is called a "chroot
jail"
Introduced in version 7 Unix in 1979, and added
to BSD by Bill Joy on 18 March 1982
http://en.wikipedia.org/wiki/Chroot

26. LXC
A Hypervisor for Linux Containers

27. LXC Engine: A Hypervisor for
Containers
Linux Container Brief for IEEE WG P2302, Boden Russell

28. LXC (LinuX Containers)
LXC is an operating system–level virtualization
method for running multiple isolated Linux
systems (containers) on a single control host.
● From the inside it looks like a VM
● From the outside it looks like a normal
process
● Provides lightweight virtualization

29. Kernel Features used by LXC
● Kernel namespaces (ipc, uts, mount, pid,
network and user)
● Control groups (cgroups)
● Apparmor and SELinux profiles
● Seccomp policies
● Chroots (using pivot_root)
● Kernel capabilities

31. Docker
Docker is an open platform for developers and
sysadmins to build, ship, and run distributed
applications.
● Initially developed by dotCloud
● Original version written in Python, now
written in Go
● A very young project (started March, 2013),
but with a huge community

32. Docker Architecture
Enterprise Docker, Adrien BLIND, Aurelien GABET, Arnaud MAZIN

33. Problem: Shipping Software
Introduction to Docker, Jérôme Petazzoni

34. Solution: Linux Container
Introduction to Docker, Jérôme Petazzoni

35. Solved
Introduction to Docker, Jérôme Petazzoni

36. Virtual Machines Vs Docker

37. Docker - Hello World
# Get one base Docker image
>docker pull ubuntu
# List Docker images available
>docker images
# Run hello world
>docker run ubuntu:14.04 echo "hello world"
Docker Paris Meetup, Victor Vieux, dotCloud Inc

38. Detached mode
# Run hello world in detached mode (-d)
>docker run -d ubuntu sh -c "while true; do echo
hello world; sleep 1; done"
# Get container’s ID
>docker ps
# Attach to the container
>docker attach <container-id>
# Stop/start/restart the container
>docker stop <container-id>
Docker Paris Meetup, Victor Vieux, dotCloud Inc

40. CoreOS
CoreOS is a new Linux distribution that has
been re-architected to provide features needed
to run modern infrastructure stacks.

41. CoreOS Architecture

42. CoreOS Architecture
Fleet ties together systemd and etcd into a distributed init
system

44. Kubernetes
Kubernetes is an open source implementation
of container cluster management.

45. Kubernetes High Level
Architecture

46. Kubernetes High Level
Architecture

47. Kubernetes Component
Architecture

48. Kubernetes Terminology
● Pod - A group of Containers
● Labels - Labels for identifying pods
● Kubelet - Container Agent
● Proxy Service - A load balancer for Pods
● etcd - A metadata service
● cAdvisor - Container Advisor provides resource
usage/performance statistics
● Replication Controller - Manages replication of
pods
● Scheduler - Schedules pods in worker nodes
● API server - Kubernetes API server

49. Importance of containers for the
cloud
● Ability to run multiple OS-level isolated
environments within a single host
● Less startup time
● Less resource consumption
● Ultimately less expensive

50. References
● http://en.wikipedia.org/wiki/Virtualization
● http://en.wikipedia.org/wiki/Hypervisor
● http://en.wikipedia.org/wiki/LXC
● http://www.cs.ucsb.edu/~rich/class/cs290-
cloud/papers/lxc-namespace.pdf
● http://en.wikipedia.org/wiki/Cgroups
● http://en.wikipedia.org/wiki/AppArmor
● http://en.wikipedia.org/wiki/Security-
Enhanced_Linux
● http://www.lorien.ch/server/chroot.html

51. References
● SELinux for Everyday Users, PaulWay
● http://en.wikipedia.org/wiki/Seccomp
● http://en.wikipedia.org/wiki/Chroot
● Linux Container Brief for IEEE WG P2302,
Boden Russell
● http://kubernetes.io/
● https://coreos.com

52. 3 6

53. Contact us !