SlideShare a Scribd company logo

The building blocks of docker.

C
Chafik Belhaoues

Docker provides a way to package applications into containers that can be run on any infrastructure. It uses namespaces and cgroups to isolate processes and share resources efficiently. The key components are images which are read-only templates for building containers, registries for storing images, and containers which combine an image with writable layers and metadata to run applications anywhere. Docker uses a client-server architecture with containers built from images and managed through commands to the Docker daemon which handles building, running, and distributing containers.

Engineering
1 of 28
Download to read offline
Ready to get shipped? By Chafik Belhaoues @XebiaFr
Introduction [History & newness of the idea]1 Anatomy of the building blocks2 Namespaces3 cgroups5 Storage backends6 Execution environments7
A little bit of history: The marine containers have been created in 1956 par Malcom Mclean in NewYork, just because time is money (-90% of transport costs). BEFORE AFTER
Did the containerization {concept} exist before Docker? OH YEAH…
By Pivotal
The need of containerization: Develop, ship, and run applications {everywhere}. Concept? Product? Life-cycle engine? …you said {DevOps} tool? A single, runnable, distributable executable. What is the difference with the other form of virtualization then? Open source [CS version]. Not OS-related [theoretically]. No hypervisor needed. A different [new] vision of IT. Closer to the most IT needs.
Hardware-centric: A VM packages a full stack (virtual hardware, kernel, a user space). Designed with machine operators in mind, not software developers. VMs offer no facilities for application versioning, monitoring, configuration, logging or service discovery… Application-centric: Packages only the user space; there is no kernel or virtual hardware. Sandboxing method known as containerization = Application virtualization.
Overview: Docker is based on a client-server architecture. The client {user commands} talks to the Docker Daemon. Daemon: runs on a host machine. Client: accepts commands from the user and communicates back and forth with a Docker Daemon using API. 3 components involved: build..ship..run Images: a read-only template, images are the build component of Docker. Registries: hold images, the distribution component of Docker. Containers: holds everything that is needed for an application to run, the run component of Docker
Combination: A container consists of a read-only image based on a given operating system, user-added files, and meta-data.
Anatomy of the building blocks: Apartment complex analogy: 1. Each apartment will require water and electricity and these resources should be distributed fairly {resources}. 2. The apartments are isolated with walls to keep people separate from their respective neighbors {isolation}. 3. Each apartment also has a door, lock, and keys {security}. 4. Finally, most apartment complexes benefit from a manager who works to ensure a consistent and clean steady state of operations {management}. By analogy to system resources required for a container, the kernel should implement 4 elements: - Resource Management. - Process Isolation. - Security. - Tooling (CLI).
Resource management is provided by control groups (cgroups). Process isolation is provided by kernel namespaces. Security is provided by policy manager like: SELinux Overall management by Docker CLI.
Namespace: Wraps a global system resources in an abstraction. Changes are visible only inside the namespace. Kernel namespaces allow the new process to have its own hostname, IP address and a whole network stack, filesystem, PID, IPC stack, and even user mapping. The container to look a VM. Kernal space: Strictly reserved for running a privileged operating system kernel, kernel extensions, and most device drivers, the gate to this land is managed by CAP_SYS_ADMIN capability starting with kernel 2.2 [before it was the superuser, or root, ID 0]. User space [userland]: The memory area where application software and some drivers execute.
These interactions are managed by 3 syscall : clone setns unshare
Playing with Syscalls: clone: Creates a new process, in a manner similar to fork then creates new namespaces for every flag CLONE_NEW*. Unlike fork, the child process is allowed to share parts of its execution context with the calling process (the memory space, the table of file descriptors, the table of signal handlers…). setns: Allows the calling process to join an existing namespace. unshare: Moves the calling process to a new namespace in other words: disassociates parts of its execution context that are currently being shared with other processes (or threads).
Namespace Date Kernel version mount 2002 2.4.19 uts 2006 2.6.19 ipc 2006 2.6.19 pid 2008 2.6.24 net 2009 2.6.29 user 2013 3.8
MNT namespace: Isolate the set of filesystem mount points. Means that processes in different mount namespaces can have different views of the filesystem hierarchy. The container “thinks” that a directory which is actually mounted from the host OS is exclusive to the container. Interacting with this namespace is simply done by mount/umount syscalls. All about Isolation…
PID namespace: Isolate the process ID number space = processes in different "PID namespaces" can have the same PID. The container thinks it has a separate standalone instance of the OS. Technically, the new process created in a new namespace will be the famous PID 1 "init“. Inside the namespace fork/clone syscalls will produce processes with PIDs that are unique. This mechanism allows containers to provide functionality such as: suspending/resuming the set of processes. PID consistency on migration.
NETNS namespace: Logically another copy of the network stack, with its own routes, firewall rules, and network devices. It means each network namespace has its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers... It allows a container to have its own IP address, independent of that of the host.
UTS namespace [UNIX Time Sharing]: Historically the term "UTS" derives from the name of the structure passed to the uname() system call: struct utsname. {Initially the time sharing was invited to allow a large number of users to interact concurrently with a single computer by the sharing of a computing resource among many users by means of multiprogramming and multi-tasking at the same time}. This mechanism isolates two system identifiers nodename and domainname. It allows the containers to have its own separate identity {hostname and NIS domain name}.
IPC namespace: IPC (POSIX/SysV IPC) namespace provides isolation/separation of IPC resources: Named shared memory segments. Semaphores. Message queues. Why this need ? Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. It is commonly used by databases and custom-built high performance applications for scientific computing and financial services industries. If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers.
User namespace: The last namespace to be implemented, integrated in the kernel mainstream starting from 3.8 BUT in technical preview in almost all Linux distros. A process's user and group IDs can be different inside and outside a user namespace, that means a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace. Which in term of isolation, makes the user and group ID number spaces totally separated.
cgroups: Traditionally, all processes received similar amount of system resources and all the tuning goes through the process niceness value. A mechanism to organize processes hierarchically and distribute system resources — such as CPU time, system memory, network bandwidth, or combinations of these resources — along the hierarchy in a controlled and configurable manner. Every process belongs to one and only one cgroup. Initially, only the root cgroup exists to which all processes belong. All processes are put in the cgroup that the parent process belongs to at the time. Two parts of cgroups: 1. core: primarily responsible for hierarchically organizing processes. 2. controller: responsible for distributing or applying limits to a specific type of system resource.
blkio: sets limits on input/output access to and from block devices. cpu: uses the CPU scheduler to provide cgroup tasks an access to the CPU. cpuacct: creates automatic reports on CPU resources used by tasks in a cgroup. cpuset: assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. devices: allows or denies access to devices for tasks in a cgroup. freezer: suspends or resumes tasks in a cgroup. memory: sets limits on memory used by tasks in a cgroup. net_cls: tags network packets with a class identifier (classid) that allows the traffic controller to identify packets originating from a particular cgroup task. perf_event: enables monitoring cgroups with the perf tool. hugetlb: allows to use virtual memory pages of large sizes, and to enforce resource limits on these pages.
Union filesystem: A stackable unification file system, which merges the contents of several directories (branches), while keeping their physical content separate. Builds file systems that operate by creating layers, allow files and directories of separate file systems {branches}, to be transparently overlaid, forming a single coherent file system. It allows any combination of read-only and read-write branches, as well as insertion and deletion of branches anywhere in the tree.
AUFS [Another Union File System]: Since V2 it stands for "advanced multi layered unification filesystem“. It was the first storage driver in use with Docker, developed in 2006 as a complete rewrite of the earlier UnionFS. According to Docker: AUFS is not included in the mainline (upstream) Linux kernel. It was rejected because of the dense, unreadable, and uncommented code.
OverlayFS: Merged in the Linux kernel in 2014, kernel version 3.18. The natural successor to aufs. Combines two filesystems - an 'upper' filesystem and a 'lower' filesystem. When a name exists in both filesystems, the object in the 'upper' filesystem is visible while the object in the 'lower' filesystem is either hidden or, in the case of directories, merged with the 'upper' object.
DeviceMapper [storage backend ]: Initially developed by Redhat as an alternative to AUFS. Based on snapshots. Uses allocate-on-demand.
Container format: Docker wraps all the previous components into an execution environment or driver called {container format}. Traditional container drivers: OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm, BSD Jails, Solaris Zones, and even good old chroot. The new execution drivers: moving from libcontainer to runc & containerd.

Recommended

Docker
DockerDocker
Docker
Ramchandra Koty
 
Docker
Docker Docker
Docker
Mindstorm Studios
 
Understanding the container landscape and it associated projects
Understanding the container landscape and it associated projectsUnderstanding the container landscape and it associated projects
Understanding the container landscape and it associated projects
Anthony Chow
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containers
Google
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
Imesh Gunaratne
 
Kernel linux lab manual feb (1)
Kernel linux lab manual feb (1)Kernel linux lab manual feb (1)
Kernel linux lab manual feb (1)
johny shaik
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
allingeek
 
Docker Dojo
Docker DojoDocker Dojo
Docker Dojo
Hugo González Labrador
 

Recommended

Docker
DockerDocker
Docker
Ramchandra Koty
 
Docker
Docker Docker
Docker
Mindstorm Studios
 
Understanding the container landscape and it associated projects
Understanding the container landscape and it associated projectsUnderstanding the container landscape and it associated projects
Understanding the container landscape and it associated projects
Anthony Chow
 
Introduction to linux containers
Introduction to linux containersIntroduction to linux containers
Introduction to linux containers
Google
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
Imesh Gunaratne
 
Kernel linux lab manual feb (1)
Kernel linux lab manual feb (1)Kernel linux lab manual feb (1)
Kernel linux lab manual feb (1)
johny shaik
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
allingeek
 
Docker Dojo
Docker DojoDocker Dojo
Docker Dojo
Hugo González Labrador
 
Docker internals
Docker internalsDocker internals
Docker internals
Rohit Jnagal
 
Containerization (docker)
Containerization (docker)Containerization (docker)
Containerization (docker)
RadhikaKachhawa
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
Neeraj Shrimali
 
Survey of open source cloud architectures
Survey of open source cloud architecturesSurvey of open source cloud architectures
Survey of open source cloud architecturesabhinav vedanbhatla
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
paper
paperpaper
paperAnkit Mishra
 
LXC NSAttach
LXC NSAttachLXC NSAttach
LXC NSAttachDarshan Parmar
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)
Ralf Dannert
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespaces
Locaweb
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
Marco Ferrigno
 
Microservices, Containers and Docker
Microservices, Containers and DockerMicroservices, Containers and Docker
Microservices, Containers and Docker
Ioannis Papapanagiotou
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practices
christophm
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Unikernels Introduction
Unikernels IntroductionUnikernels Introduction
Unikernels Introduction
Pradipta Banerjee
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- Introduction
Luís Eduardo
 
Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)
Boden Russell
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme Petazzoni
Docker, Inc.
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a Container
Knoldus Inc.
 
Docker 1.8: What's new
Docker 1.8: What's new Docker 1.8: What's new
Docker 1.8: What's new
Ronak Kogta
 
K ubuntu
K ubuntuK ubuntu
K ubuntu
Mayuresh Wadekar
 
Tendencias del marketing pucp 2012
Tendencias del marketing pucp 2012Tendencias del marketing pucp 2012
Tendencias del marketing pucp 2012Roberto Alvarez
 
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
Publicis Sapient Engineering
 

More Related Content

What's hot

Docker internals
Docker internalsDocker internals
Docker internals
Rohit Jnagal
 
Containerization (docker)
Containerization (docker)Containerization (docker)
Containerization (docker)
RadhikaKachhawa
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
Neeraj Shrimali
 
Survey of open source cloud architectures
Survey of open source cloud architecturesSurvey of open source cloud architectures
Survey of open source cloud architecturesabhinav vedanbhatla
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
Lucas Jellema
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)
Ralf Dannert
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespaces
Locaweb
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
Marco Ferrigno
 
Microservices, Containers and Docker
Microservices, Containers and DockerMicroservices, Containers and Docker
Microservices, Containers and Docker
Ioannis Papapanagiotou
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practices
christophm
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Unikernels Introduction
Unikernels IntroductionUnikernels Introduction
Unikernels Introduction
Pradipta Banerjee
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- Introduction
Luís Eduardo
 
Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)
Boden Russell
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme Petazzoni
Docker, Inc.
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a Container
Knoldus Inc.
 
Docker 1.8: What's new
Docker 1.8: What's new Docker 1.8: What's new
Docker 1.8: What's new
Ronak Kogta
 
K ubuntu
K ubuntuK ubuntu
K ubuntu
Mayuresh Wadekar
 

What's hot (20)

Docker internals
Docker internalsDocker internals
Docker internals
 
Containerization (docker)
Containerization (docker)Containerization (docker)
Containerization (docker)
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
 
Survey of open source cloud architectures
Survey of open source cloud architecturesSurvey of open source cloud architectures
Survey of open source cloud architectures
 
Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...Introduction to automated environment management with Docker Containers - for...
Introduction to automated environment management with Docker Containers - for...
 
paper
paperpaper
paper
 
LXC NSAttach
LXC NSAttachLXC NSAttach
LXC NSAttach
 
Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)Linux containers-namespaces(Dec 2014)
Linux containers-namespaces(Dec 2014)
 
Linux cgroups and namespaces
Linux cgroups and namespacesLinux cgroups and namespaces
Linux cgroups and namespaces
 
Hack the whale
Hack the whaleHack the whale
Hack the whale
 
Microservices, Containers and Docker
Microservices, Containers and DockerMicroservices, Containers and Docker
Microservices, Containers and Docker
 
Linuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best PracticesLinuxcon Barcelon 2012: LXC Best Practices
Linuxcon Barcelon 2012: LXC Best Practices
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Unikernels Introduction
Unikernels IntroductionUnikernels Introduction
Unikernels Introduction
 
Lxc- Introduction
Lxc- IntroductionLxc- Introduction
Lxc- Introduction
 
Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)Realizing Linux Containers (LXC)
Realizing Linux Containers (LXC)
 
Docker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme PetazzoniDocker storage drivers by Jérôme Petazzoni
Docker storage drivers by Jérôme Petazzoni
 
Union FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a ContainerUnion FileSystem - A Building Blocks Of a Container
Union FileSystem - A Building Blocks Of a Container
 
Docker 1.8: What's new
Docker 1.8: What's new Docker 1.8: What's new
Docker 1.8: What's new
 
K ubuntu
K ubuntuK ubuntu
K ubuntu
 

Viewers also liked

Tendencias del marketing pucp 2012
Tendencias del marketing pucp 2012Tendencias del marketing pucp 2012
Tendencias del marketing pucp 2012Roberto Alvarez
 
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
Publicis Sapient Engineering
 
A Gentle Introduction To Docker And All Things Containers
A Gentle Introduction To Docker And All Things ContainersA Gentle Introduction To Docker And All Things Containers
A Gentle Introduction To Docker And All Things Containers
Jérôme Petazzoni
 
Why Docker
Why DockerWhy Docker
Why DockerdotCloud
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
dotCloud
 
Kubernetes Meetup Paris #5 - Metriques applicatives k8s
Kubernetes Meetup Paris #5 - Metriques applicatives k8sKubernetes Meetup Paris #5 - Metriques applicatives k8s
Kubernetes Meetup Paris #5 - Metriques applicatives k8s
Arnaud MAZIN
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker, Inc.
 

Viewers also liked (7)

Tendencias del marketing pucp 2012
Tendencias del marketing pucp 2012Tendencias del marketing pucp 2012
Tendencias del marketing pucp 2012
 
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
XebiCon'16 : Orange - Transformation DevOps, les conteneurs sont vos alliés !
 
A Gentle Introduction To Docker And All Things Containers
A Gentle Introduction To Docker And All Things ContainersA Gentle Introduction To Docker And All Things Containers
A Gentle Introduction To Docker And All Things Containers
 
Why Docker
Why DockerWhy Docker
Why Docker
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Kubernetes Meetup Paris #5 - Metriques applicatives k8s
Kubernetes Meetup Paris #5 - Metriques applicatives k8sKubernetes Meetup Paris #5 - Metriques applicatives k8s
Kubernetes Meetup Paris #5 - Metriques applicatives k8s
 
Docker 101: Introduction to Docker
Docker 101: Introduction to DockerDocker 101: Introduction to Docker
Docker 101: Introduction to Docker
 

Similar to The building blocks of docker.

Introduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersIntroduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & Containers
Vaibhav Sharma
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7
Marc Cortinas Val
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
Boden Russell
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
Kernel TLV
 
Linux and Java - Understanding and Troubleshooting
Linux and Java - Understanding and TroubleshootingLinux and Java - Understanding and Troubleshooting
Linux and Java - Understanding and Troubleshooting
Jérôme Kehrli
 
UNIX INTERNALS UNIT-I
UNIX INTERNALS UNIT-IUNIX INTERNALS UNIT-I
UNIX INTERNALS UNIT-I
JK Knowledge
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
Krishna-Kumar
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
Linux internal
Linux internalLinux internal
Linux internalmcganesh
 
Linux26 New Features
Linux26 New FeaturesLinux26 New Features
Linux26 New Featuresguest491c69
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
WSO2
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
Elad Hirsch
 
POUG2022_OracleDbNestInsideOut.pptx
POUG2022_OracleDbNestInsideOut.pptxPOUG2022_OracleDbNestInsideOut.pptx
POUG2022_OracleDbNestInsideOut.pptx
Mahmoud Hatem
 
Mca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file systemMca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file system
Rai University
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and Properties
Saadi Rahman
 
Docker Online Training
Docker Online TrainingDocker Online Training
Docker Online Training
navyatejavisualpath
 

Similar to The building blocks of docker. (20)

Introduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersIntroduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & Containers
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
 
Namespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containersNamespaces and cgroups - the basis of Linux containers
Namespaces and cgroups - the basis of Linux containers
 
Studies
StudiesStudies
Studies
 
Linux and Java - Understanding and Troubleshooting
Linux and Java - Understanding and TroubleshootingLinux and Java - Understanding and Troubleshooting
Linux and Java - Understanding and Troubleshooting
 
UNIX INTERNALS UNIT-I
UNIX INTERNALS UNIT-IUNIX INTERNALS UNIT-I
UNIX INTERNALS UNIT-I
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
Linux internal
Linux internalLinux internal
Linux internal
 
Linux26 New Features
Linux26 New FeaturesLinux26 New Features
Linux26 New Features
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
 
POUG2022_OracleDbNestInsideOut.pptx
POUG2022_OracleDbNestInsideOut.pptxPOUG2022_OracleDbNestInsideOut.pptx
POUG2022_OracleDbNestInsideOut.pptx
 
Mca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file systemMca ii os u-5 unix linux file system
Mca ii os u-5 unix linux file system
 
Linux kernel Architecture and Properties
Linux kernel Architecture and PropertiesLinux kernel Architecture and Properties
Linux kernel Architecture and Properties
 
Docker Online Training
Docker Online TrainingDocker Online Training
Docker Online Training
 
Chapter 6 os
Chapter 6 osChapter 6 os
Chapter 6 os
 

Recently uploaded

Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
addressing modes in computer architecture
addressing modes in computer architectureaddressing modes in computer architecture
addressing modes in computer architecture
ShahidSultan24
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
JoytuBarua2
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
Kamal Acharya
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
Osamah Alsalih
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation & Control
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
AafreenAbuthahir2
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 
Democratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek AryaDemocratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek Arya
abh.arya
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
Intella Parts
 
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdfJ.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
Divya Somashekar
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
Courier management system project report.pdf
Courier management system project report.pdfCourier management system project report.pdf
Courier management system project report.pdf
Kamal Acharya
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
FluxPrime1
 
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSETECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
DuvanRamosGarzon1
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
R&R Consult
 

Recently uploaded (20)

Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
addressing modes in computer architecture
addressing modes in computer architectureaddressing modes in computer architecture
addressing modes in computer architecture
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
 
Vaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdfVaccine management system project report documentation..pdf
Vaccine management system project report documentation..pdf
 
MCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdfMCQ Soil mechanics questions (Soil shear strength).pdf
MCQ Soil mechanics questions (Soil shear strength).pdf
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
Democratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek AryaDemocratizing Fuzzing at Scale by Abhishek Arya
Democratizing Fuzzing at Scale by Abhishek Arya
 
Forklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella PartsForklift Classes Overview by Intella Parts
Forklift Classes Overview by Intella Parts
 
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdfJ.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
J.Yang, ICLR 2024, MLILAB, KAIST AI.pdf
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
Courier management system project report.pdf
Courier management system project report.pdfCourier management system project report.pdf
Courier management system project report.pdf
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSETECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
TECHNICAL TRAINING MANUAL GENERAL FAMILIARIZATION COURSE
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 

The building blocks of docker.

  • 1. Ready to get shipped? By Chafik Belhaoues @XebiaFr
  • 2. Introduction [History & newness of the idea]1 Anatomy of the building blocks2 Namespaces3 cgroups5 Storage backends6 Execution environments7
  • 3. A little bit of history: The marine containers have been created in 1956 par Malcom Mclean in NewYork, just because time is money (-90% of transport costs). BEFORE AFTER
  • 4. Did the containerization {concept} exist before Docker? OH YEAH…
  • 6. The need of containerization: Develop, ship, and run applications {everywhere}. Concept? Product? Life-cycle engine? …you said {DevOps} tool? A single, runnable, distributable executable. What is the difference with the other form of virtualization then? Open source [CS version]. Not OS-related [theoretically]. No hypervisor needed. A different [new] vision of IT. Closer to the most IT needs.
  • 7. Hardware-centric: A VM packages a full stack (virtual hardware, kernel, a user space). Designed with machine operators in mind, not software developers. VMs offer no facilities for application versioning, monitoring, configuration, logging or service discovery… Application-centric: Packages only the user space; there is no kernel or virtual hardware. Sandboxing method known as containerization = Application virtualization.
  • 8. Overview: Docker is based on a client-server architecture. The client {user commands} talks to the Docker Daemon. Daemon: runs on a host machine. Client: accepts commands from the user and communicates back and forth with a Docker Daemon using API. 3 components involved: build..ship..run Images: a read-only template, images are the build component of Docker. Registries: hold images, the distribution component of Docker. Containers: holds everything that is needed for an application to run, the run component of Docker
  • 9. Combination: A container consists of a read-only image based on a given operating system, user-added files, and meta-data.
  • 10. Anatomy of the building blocks: Apartment complex analogy: 1. Each apartment will require water and electricity and these resources should be distributed fairly {resources}. 2. The apartments are isolated with walls to keep people separate from their respective neighbors {isolation}. 3. Each apartment also has a door, lock, and keys {security}. 4. Finally, most apartment complexes benefit from a manager who works to ensure a consistent and clean steady state of operations {management}. By analogy to system resources required for a container, the kernel should implement 4 elements: - Resource Management. - Process Isolation. - Security. - Tooling (CLI).
  • 11. Resource management is provided by control groups (cgroups). Process isolation is provided by kernel namespaces. Security is provided by policy manager like: SELinux Overall management by Docker CLI.
  • 12. Namespace: Wraps a global system resources in an abstraction. Changes are visible only inside the namespace. Kernel namespaces allow the new process to have its own hostname, IP address and a whole network stack, filesystem, PID, IPC stack, and even user mapping. The container to look a VM. Kernal space: Strictly reserved for running a privileged operating system kernel, kernel extensions, and most device drivers, the gate to this land is managed by CAP_SYS_ADMIN capability starting with kernel 2.2 [before it was the superuser, or root, ID 0]. User space [userland]: The memory area where application software and some drivers execute.
  • 13. These interactions are managed by 3 syscall : clone setns unshare
  • 14. Playing with Syscalls: clone: Creates a new process, in a manner similar to fork then creates new namespaces for every flag CLONE_NEW*. Unlike fork, the child process is allowed to share parts of its execution context with the calling process (the memory space, the table of file descriptors, the table of signal handlers…). setns: Allows the calling process to join an existing namespace. unshare: Moves the calling process to a new namespace in other words: disassociates parts of its execution context that are currently being shared with other processes (or threads).
  • 15. Namespace Date Kernel version mount 2002 2.4.19 uts 2006 2.6.19 ipc 2006 2.6.19 pid 2008 2.6.24 net 2009 2.6.29 user 2013 3.8
  • 16. MNT namespace: Isolate the set of filesystem mount points. Means that processes in different mount namespaces can have different views of the filesystem hierarchy. The container “thinks” that a directory which is actually mounted from the host OS is exclusive to the container. Interacting with this namespace is simply done by mount/umount syscalls. All about Isolation…
  • 17. PID namespace: Isolate the process ID number space = processes in different "PID namespaces" can have the same PID. The container thinks it has a separate standalone instance of the OS. Technically, the new process created in a new namespace will be the famous PID 1 "init“. Inside the namespace fork/clone syscalls will produce processes with PIDs that are unique. This mechanism allows containers to provide functionality such as: suspending/resuming the set of processes. PID consistency on migration.
  • 18. NETNS namespace: Logically another copy of the network stack, with its own routes, firewall rules, and network devices. It means each network namespace has its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers... It allows a container to have its own IP address, independent of that of the host.
  • 19. UTS namespace [UNIX Time Sharing]: Historically the term "UTS" derives from the name of the structure passed to the uname() system call: struct utsname. {Initially the time sharing was invited to allow a large number of users to interact concurrently with a single computer by the sharing of a computing resource among many users by means of multiprogramming and multi-tasking at the same time}. This mechanism isolates two system identifiers nodename and domainname. It allows the containers to have its own separate identity {hostname and NIS domain name}.
  • 20. IPC namespace: IPC (POSIX/SysV IPC) namespace provides isolation/separation of IPC resources: Named shared memory segments. Semaphores. Message queues. Why this need ? Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. It is commonly used by databases and custom-built high performance applications for scientific computing and financial services industries. If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers.
  • 21. User namespace: The last namespace to be implemented, integrated in the kernel mainstream starting from 3.8 BUT in technical preview in almost all Linux distros. A process's user and group IDs can be different inside and outside a user namespace, that means a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace. Which in term of isolation, makes the user and group ID number spaces totally separated.
  • 22. cgroups: Traditionally, all processes received similar amount of system resources and all the tuning goes through the process niceness value. A mechanism to organize processes hierarchically and distribute system resources — such as CPU time, system memory, network bandwidth, or combinations of these resources — along the hierarchy in a controlled and configurable manner. Every process belongs to one and only one cgroup. Initially, only the root cgroup exists to which all processes belong. All processes are put in the cgroup that the parent process belongs to at the time. Two parts of cgroups: 1. core: primarily responsible for hierarchically organizing processes. 2. controller: responsible for distributing or applying limits to a specific type of system resource.
  • 23. blkio: sets limits on input/output access to and from block devices. cpu: uses the CPU scheduler to provide cgroup tasks an access to the CPU. cpuacct: creates automatic reports on CPU resources used by tasks in a cgroup. cpuset: assigns individual CPUs (on a multicore system) and memory nodes to tasks in a cgroup. devices: allows or denies access to devices for tasks in a cgroup. freezer: suspends or resumes tasks in a cgroup. memory: sets limits on memory used by tasks in a cgroup. net_cls: tags network packets with a class identifier (classid) that allows the traffic controller to identify packets originating from a particular cgroup task. perf_event: enables monitoring cgroups with the perf tool. hugetlb: allows to use virtual memory pages of large sizes, and to enforce resource limits on these pages.
  • 24. Union filesystem: A stackable unification file system, which merges the contents of several directories (branches), while keeping their physical content separate. Builds file systems that operate by creating layers, allow files and directories of separate file systems {branches}, to be transparently overlaid, forming a single coherent file system. It allows any combination of read-only and read-write branches, as well as insertion and deletion of branches anywhere in the tree.
  • 25. AUFS [Another Union File System]: Since V2 it stands for "advanced multi layered unification filesystem“. It was the first storage driver in use with Docker, developed in 2006 as a complete rewrite of the earlier UnionFS. According to Docker: AUFS is not included in the mainline (upstream) Linux kernel. It was rejected because of the dense, unreadable, and uncommented code.
  • 26. OverlayFS: Merged in the Linux kernel in 2014, kernel version 3.18. The natural successor to aufs. Combines two filesystems - an 'upper' filesystem and a 'lower' filesystem. When a name exists in both filesystems, the object in the 'upper' filesystem is visible while the object in the 'lower' filesystem is either hidden or, in the case of directories, merged with the 'upper' object.
  • 27. DeviceMapper [storage backend ]: Initially developed by Redhat as an alternative to AUFS. Based on snapshots. Uses allocate-on-demand.
  • 28. Container format: Docker wraps all the previous components into an execution environment or driver called {container format}. Traditional container drivers: OpenVZ, systemd-nspawn, libvirt-lxc, libvirt-sandbox, qemu/kvm, BSD Jails, Solaris Zones, and even good old chroot. The new execution drivers: moving from libcontainer to runc & containerd.