How did we create a virtual machine?
Start with a physical machine.
Create software (hypervisor) responsible for isolating the guest OS inside the VM
VM resources (memory, disk, networking, etc) are provided by the physical machine but visibility outside of the VM is limited
What are the three implications of creating a virtual machine?
- VM and physical machine share same instruction set, so must the host and guest
- Guest OS can provide a different application binary interface (ABI) inside the VM
- Lots of challenges in getting this to work because guest OS expects to have privileged hardware access
How do we create a virtual operating system (container)?
- Start with a real operating system.
- Create software responsible for isolating guest software inside the container.
- Container resources (processes, files, network sockets, etc) are provided by the real operating system but visibility outside the container is limited
What are the 3 implications of creating a virtual operating system (container)?
- Container and real OS share same kernel
- So applications inside and outside the kernel must share the same ABI
- Challenges in getting this to work are due to shared OS namespace
True or False: You can run Windows inside a container provided by Linux.
FALSE. Container shares the kernel with the host
True or False: You can run SUSE Linux inside an Ubuntu container.
TRUE. As long as both distributions use the same kernel, differences are confined to different binary tools and file locations
True or False: Running ps inside the container will show all processes.
FALSE. Container process namespaces is isolated from the host
What is the difference between hypervisor and container virtualization?
The hypervisor exists above the Host OS and on top of that hypervisor are a number of Guest OSs. Above each Guest OS is a copy of the binaries/libraries and then the apps.
In container virtualization, multiple copies of the binaries/libraries and apps sit on top of the Host OS.
Why virtualize an operating system?
Shares many (but not all) of the benefits of hardware virtualization with much lower overhead
Describe the three properties of Decoupling in container virtualization
- Cannot run multiple operating systems on the same machine
- Can transfer software setups to another machine as long as it has an identical or nearly identical hardware kernel
- Can adjust hardware container resources to system needs
Describe the two properties of Isolation in container virtualization
- Container should not leak information inside and outside the container
- Can isolate all of the configuration and software packages a particular application needs to run
What is the hardware virtualization system call path?
Application inside the VM makes a system call.
Trap to the host OS (or hypervisor)
Hand trap back to the guest OS
What is the OS virtualization system call path?
Application inside the container makes a system call.
Trap to the OS.
Remember all of the work we had to do to deprivilege the guest OS and deal with uncooperative machine architectures like x86? OS virtualization does not require any of this: there is only one OS!
What kind of names must the container virtualize?
Process IDs:
- top inside container shows only processes running inside container
- top outside container may show processes inside the container, but with different PIDs
File names:
- processes inside the container may have a limited or different view of the mounted file system
- file names may resolve to different names - and some file names outside the container may be removed
User names:
- containers may have different users with different roles
- root inside the container should not be root outside the container
Host name and IP address:
-processes inside the container may use a different host name and IP address when performing network operations
What resources does OS virtualization concern itself with?
IOW: The OS may want to ensure that the entire container - or everything that runs inside it - cannot consume more than a certain amount of:
CPU time
Memory
Disk or network bandwidth
What resources does Linux provide namespace separation for?
Mount points, process IDs, network, and devices.
Describe how Linux handles namespace separation for mounting points.
Allows different namespaces to see different views of the file system
Describe how Linux handles namespace separation for process IDs.
New processes are allocated IDs in their current namespace and all parent namespaces
Describe how Linux handles namespace separation for networks.
Namespaces can have private IP addresses and their own routing tables, and can communicate with other namespaces through virtual interfaces
Describe how Linux handles namespace separation for devices.
Devices can be present or hidden in different namespaces
What do cgroups do?
cgrousp make it possible to control the resources (CPU time, memory, disk or network bandwidth) allocated to a set of processes
How does path name resolution work in UnionFS?
UnionFS is a stackable unification file system
First: Does foo/bar exist in the top layer? If yes, return its contents
Else: Does foo/bar exist in the next layer? If yes, return its contents.
Etc…
Note: Can also stop at a certain point if access is only permitted to a certain level
What is the principle underlying copy-on-write file systems?
Only make modifications to the underlying file system when the container modifies files
This speeds start up and reduces storage usage (the container mainly needs read-only access to host files)
What is Docker?
Docker builds on previous technologies:
- Provides a unified set of tools for container management on a variety of systems
- Layered file system images for easy updates
- Now involved in development of containerization libraries on Linux
-
1. The Process Abstraction19
-
0. Midterm Questions43
-
2. Processes and File Handles11
-
3. Fork() and Pipe()16
-
4. Synchronization33
-
5. Deadlock and Exec17
-
6. Interrupt and Exception Handling28
-
7. Context Switching16
-
8. Threads and Thread Implementations26
-
9. Intro to Scheduling35
-
17. Swapping18
-
10. Simple Schedulers10
-
11. A Scheduling Story21
-
12. Intro to Memory Management25
-
13. Virtual Addresses22
-
14. Address Translation18
-
15. Page Translation14
-
18. Page Replacement33
-
16. Paging12
-
19. Disks26
-
20. Files14
-
21. Intro to File Systems16
-
22. File System Data Structures11
-
23. File System Caching and Consistency26
-
24. Journaling and FFS27
-
25. Log-Structured File Systems21
-
26. RAID26
-
27. Full Virtualization29
-
28. Xen and the Art of Virtualization21
-
29. Container Virtualization24
-
30. Performance and Benchmarking12
-
31. Amdahl's Law14
-
32. LA: Hints for Computer System Design9
-
33. LA: OS Implications of Fast, Cheap, Non-Volatile Memory10
-
34. Short Answer Questions_Final13
-
35. Medium Length Questions_Final3
-
36. LA: Cross-Device I/O Sharing1
