What are containers? What do they include?
- isolated user-space instances
that include: - application source code,
- requiered libraries
- **required runtime **
to run the application without any external dependencies
What makes containers possible?
Operating-System-level virtualization
-> applications running in containers only see resources etc belonging to that container
What problem makes containers useful/necessary?
Deyploying multiple applications in parallel on one host leads to problems with isolating them from each other and avoiding conflicts between:
- dependencies
- libraries
- runtimes
Problems arise as well, when trying to run an application on multiple hardware and platforms
-> challanges with portability
How do containers solve the portability challange?
By bundling the application and all its dependencies in a box
- that box can be shipped to different platforms and runs identically on each of them
What are building blocks of the container technology (provided by Linux)
- namespaces
- Control groups
- Union filesystem
What is a namespace in a container (Linux kernel)?
- wrap a particular global system resource like network or process IDs in an abstraction
- to the processes within the namespace it appears that they have their own isolated instance of the global resource
- > isolate processes from each other
How are VMs and containers different?
Virtual Machine simulate whole OSes, isolated from each other on the same host. Installed on top of hypervisor. Multiple layers between running application and outside world: guest OS, hypervisor, and at time host OS
containers:
- Namespaces isolate processes from each other.
- Possibly multiple processes running on the same host OS.
- No middle layers like in VMs.
- Enables near-native performance.
- Easier to run multiple containers than multiple VMs
- but Containers need to be compatible with host OS
What global resources are names paced? (6)
- pid
- net
- mnt
- ipc
- uts
- user
What does the pid namespace enable?
- each process can have the same PIDs.
- Each container has its own PID 1
What does the net namespace enable?
- allows each namespace to have its network stack.
- Each container has its own IP address.
What does the mnt namespace enable?
- allows each namespace to have its own view of the filesystem hierarchy
What does the ipc namespace enable?
- allows each namespace to have its own interprocess communication
What does the uts namespace enable?
- allows each namespace to have its own hostname and domain name
What does the user namespace enable?
- allows each namespace to have its own user and group ID number spaces
- root user inside a container is not the root user of the host on which the container is running
What are Control Groups (linux kernel) used for?
- used to organize processes hierarchically
- and distribute resources along the hierarchy in a controlled and configurable manner
What Features do control Groups (cgroup) have? (4)
- resource limits: for a cgroup can a limit be set how much of a particular resource a process can use
- prioritization: controlable how much of a resource an process can use compared to other processes when there is resource contention
- accounting: resource limits are monitored and reported at cgroup level
- control: status (frozen, stopped, restarted) of all processes in a cgroup can be changed with a single command
How does the Union filesystem work?
- allows files and directories of separate filesystems, known as layers, to be transparently overlaid on top of each other, to create a new virtual filesystem
- at runtime a container is made of multiple layers merged to create a** read-only filesystem**
- on top of the read-only filesystem, a container gets a read-write layer, which is an ephemeral layer and it is local to the container
How do container runtimes help?
- container runtimes ensure the containers portability, offering a consistent environment for containers to run, regardless of the infrastructure
- with them can be interacted through a collection of tools (Docker, Kubernetes, CRI-O)
What are the most popular container runtimes?
- runc: CLI tool for spawning and running containers, according to Open Container Initiative (OCI) specifications
- crun: OCI-conformant runtime. Fast
- containerd: OCI-compliant container runtime, emphasis on simplicity, robustness and portability, high-level runtime
- CRI-O: OCI-compatible runtime, lightweight high-level runtime alternative to using Docker as the runtime for Kubernetes
What is the Docker Platform?
- a collection of development tools that follow a client-server architecture
How does the Docker Client-Server architecture work?
- Docker Host server runs the Docker daemon (like fomr Containerd) to execute commands for containers and image management
- > in response to client requests
Do Docker containers always run as rooted containers?
No, rooted containers are default. But rootless containers have been introduced
What is Podman? Or Pod Manager
- open source, daemonless tool designed to support the searching, running, building, sharing and deploying of applications using OCI containers and container images
What are Podman advantages?
- open source
- daemonless (can spawn root containers as well as rootless ones)
- can run containers rootless by default
-
LFS151.x Chapter 132
-
LFS151.x Chapter 2 Infrastructure as a Service36
-
Chapter 3. Platform as a Service15
-
Chapter 4. Containers25
-
Chapter 5. Containers: Micro OSes for Containers7
-
Chapter 6: Container Orchestration32
-
Chapter 7. Unikernels6
-
Chapter 8. Microservices4
-
Chapter 9. Software-Defined Networking and Networking for Containers24
-
Kubernetes Networking4
-
Chapter 10. Software-defined Storage and Storage Management for Containers22
-
Chapter 11. DevOps and CI/CD3
-
Chapter 12: Tools for Cloud Infrastructure (TCI)- Configuration Management8
-
Chapter 13. TCI - Build & Release9
-
Chapter 14. TCI - Key-Value Pair Store12
-
Chapter 15. TCI - Image Building4
-
Chapter 16. TCI - Debugging, Logging and Monitoring for Containerized Applications8
-
Chapter 17. Service Mesh11
-
Chapter 19. Serverless Computing8
-
Chapter 20. Distributed Computing6
