C-Balancer: a System for Container Profiling and Scheduling
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
IEEE Std 1003.1-2008
This preview is downloaded from www.sis.se. Buy the entire standard via https://www.sis.se/std-911530 INTERNATIONAL ISO/IEC/ STANDARD IEEE 9945 First edition 2009-09-15 Information technology — Portable Operating System Interface (POSIX®) Base Specifications, Issue 7 Technologies de l'information — Spécifications de base de l'interface pour la portabilité des systèmes (POSIX ®), Issue 7 Reference number ISO/IEC/IEEE 9945:2009(E) Copyright © 2001-2008, IEEE and The Open Group. All rights reserved This preview is downloaded from www.sis.se. Buy the entire standard via https://www.sis.se/std-911530 ISO/IEC/IEEE 9945:2009(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. Neither the ISO Central Secretariat nor IEEE accepts any liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies and IEEE members. In the unlikely event that a problem relating to it is found, please inform the ISO Central Secretariat or IEEE at the address given below. -
In Search of the Ideal Storage Configuration for Docker Containers
In Search of the Ideal Storage Configuration for Docker Containers Vasily Tarasov1, Lukas Rupprecht1, Dimitris Skourtis1, Amit Warke1, Dean Hildebrand1 Mohamed Mohamed1, Nagapramod Mandagere1, Wenji Li2, Raju Rangaswami3, Ming Zhao2 1IBM Research—Almaden 2Arizona State University 3Florida International University Abstract—Containers are a widely successful technology today every running container. This would cause a great burden on popularized by Docker. Containers improve system utilization by the I/O subsystem and make container start time unacceptably increasing workload density. Docker containers enable seamless high for many workloads. As a result, copy-on-write (CoW) deployment of workloads across development, test, and produc- tion environments. Docker’s unique approach to data manage- storage and storage snapshots are popularly used and images ment, which involves frequent snapshot creation and removal, are structured in layers. A layer consists of a set of files and presents a new set of exciting challenges for storage systems. At layers with the same content can be shared across images, the same time, storage management for Docker containers has reducing the amount of storage required to run containers. remained largely unexplored with a dizzying array of solution With Docker, one can choose Aufs [6], Overlay2 [7], choices and configuration options. In this paper we unravel the multi-faceted nature of Docker storage and demonstrate its Btrfs [8], or device-mapper (dm) [9] as storage drivers which impact on system and workload performance. As we uncover provide the required snapshotting and CoW capabilities for new properties of the popular Docker storage drivers, this is a images. None of these solutions, however, were designed with sobering reminder that widespread use of new technologies can Docker in mind and their effectiveness for Docker has not been often precede their careful evaluation. -
Operating Systems Processes
Operating Systems Processes Eno Thereska [email protected] http://www.imperial.ac.uk/computing/current-students/courses/211/ Partly based on slides from Julie McCann and Cristian Cadar Administrativia • Lecturer: Dr Eno Thereska § Email: [email protected] § Office: Huxley 450 • Class website http://www.imperial.ac.uk/computing/current- students/courses/211/ 2 Tutorials • No separate tutorial slots § Tutorials embedded in lectures • Tutorial exercises, with solutions, distributed on the course website § You are responsible for studying on your own the ones that we don’t cover during the lectures § Let me know if you have any questions or would like to discuss any others in class 3 Tutorial question & warmup • List the most important resources that must be managed by an operating system in the following settings: § Supercomputer § Smartphone § ”Her” A lonely writer develops an unlikely relationship with an operating system designed to meet his every need. Copyright IMDB.com 4 Introduction to Processes •One of the oldest abstractions in computing § An instance of a program being executed, a running program •Allows a single processor to run multiple programs “simultaneously” § Processes turn a single CPU into multiple virtual CPUs § Each process runs on a virtual CPU 5 Why Have Processes? •Provide (the illusion of) concurrency § Real vs. apparent concurrency •Provide isolation § Each process has its own address space •Simplicity of programming § Firefox doesn’t need to worry about gcc •Allow better utilisation of machine resources § Different processes require different resources at a certain time 6 Concurrency Apparent Concurrency (pseudo-concurrency): A single hardware processor which is switched between processes by interleaving. -
Resource Management: Linux Kernel Namespaces and Cgroups
Resource management: Linux kernel Namespaces and cgroups Rami Rosen [email protected] Haifux, May 2013 www.haifux.org 1/121 http://ramirose.wix.com/ramirosen TOC Network Namespace PID namespaces UTS namespace Mount namespace user namespaces cgroups Mounting cgroups links Note: All code examples are from for_3_10 branch of cgroup git tree (3.9.0-rc1, April 2013) 2/121 http://ramirose.wix.com/ramirosen General The presentation deals with two Linux process resource management solutions: namespaces and cgroups. We will look at: ● Kernel Implementation details. ●what was added/changed in brief. ● User space interface. ● Some working examples. ● Usage of namespaces and cgroups in other projects. ● Is process virtualization indeed lightweight comparing to Os virtualization ? ●Comparing to VMWare/qemu/scaleMP or even to Xen/KVM. 3/121 http://ramirose.wix.com/ramirosen Namespaces ● Namespaces - lightweight process virtualization. – Isolation: Enable a process (or several processes) to have different views of the system than other processes. – 1992: “The Use of Name Spaces in Plan 9” – http://www.cs.bell-labs.com/sys/doc/names.html ● Rob Pike et al, ACM SIGOPS European Workshop 1992. – Much like Zones in Solaris. – No hypervisor layer (as in OS virtualization like KVM, Xen) – Only one system call was added (setns()) – Used in Checkpoint/Restart ● Developers: Eric W. biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov, more. – 4/121 http://ramirose.wix.com/ramirosen Namespaces - contd There are currently 6 namespaces: ● mnt (mount points, filesystems) ● pid (processes) ● net (network stack) ● ipc (System V IPC) ● uts (hostname) ● user (UIDs) 5/121 http://ramirose.wix.com/ramirosen Namespaces - contd It was intended that there will be 10 namespaces: the following 4 namespaces are not implemented (yet): ● security namespace ● security keys namespace ● device namespace ● time namespace. -
Openextensions POSIX Conformance Document
z/VM Version 7 Release 1 OpenExtensions POSIX Conformance Document IBM GC24-6298-00 Note: Before you use this information and the product it supports, read the information in “Notices” on page 73. This edition applies to version 7, release 1, modification 0 of IBM z/VM (product number 5741-A09) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2018-09-12 © Copyright International Business Machines Corporation 1993, 2018. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents List of Tables........................................................................................................ ix About This Document............................................................................................xi Intended Audience......................................................................................................................................xi Conventions Used in This Document.......................................................................................................... xi Where to Find More Information.................................................................................................................xi Links to Other Documents and Websites.............................................................................................. xi How to Send Your Comments to IBM....................................................................xiii Summary of Changes for z/VM -
Containers – Namespaces and Cgroups
Containers – namespaces and cgroups --- Ajay Nayak Motivation Why containers? • Important use-case: implementing lightweight virtualization • Virtualization == isolation of processes • Traditional virtualization: Hypervisors • Processes isolated by running in separate guest kernels that sit on top of host kernel • Isolation is “all or nothing” • Virtualization via containers • Permit isolation of processes running on a single kernel be per-global- resource --- via namespaces • Restrict resource consumption --- via cgroups Outline • Motivation • Concepts • Linux Namespaces • UTS • UID • Mount • C(ontrol) groups • Food for thought Introduction Concepts • Isolation • Goal: Limit “WHAT” a process can use • “wrap” some global system resource to provide resource isolation • Namespaces jump into the picture • Control • Goal: Limit “HOW MUCH” a process can use • A mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups • Assign specialized behaviour to the group • C(ontrol) groups jump into the picture https://github.com/nayakajay/linux-namespaces Namespaces Linux namespaces • Supports following NS types: (CLONE_FLAG; symlink) • Mount (CLONE_NEWNS; /proc/pid/ns/mnt) • UTS (CLONE_NEWUTS; /proc/pid/ns/uts) • IPC (CLONE_NEWIPC; /proc/pid/ns/ipc) • PID (CLONE_NEWPID; /proc/pid/ns/pid) • Network (CLONE_NEWNET; /proc/pid/ns/net) • User (CLONE_NEWUSER; /proc/pid/ns/user) • Cgroup (CLONE_NEWCGROUP; /proc/pid/ns/cgroup) • Time (CLONE_NEWTIME; /proc/pid/ns/time) <= very new! # Magic symlinks, which -
Security of OS-Level Virtualization Technologies: Technical Report
Security of OS-level virtualization technologies Elena Reshetova1, Janne Karhunen2, Thomas Nyman3, N. Asokan4 1 Intel OTC, Finland 2 Ericsson, Finland 3 University of Helsinki, Finland 4 Aalto University and University of Helsinki, Finland Abstract. The need for flexible, low-overhead virtualization is evident on many fronts ranging from high-density cloud servers to mobile devices. During the past decade OS-level virtualization has emerged as a new, efficient approach for virtualization, with implementations in multiple different Unix-based systems. Despite its popularity, there has been no systematic study of OS-level virtualization from the point of view of security. In this report, we conduct a comparative study of several OS- level virtualization systems, discuss their security and identify some gaps in current solutions. 1 Introduction During the past couple of decades the use of different virtualization technolo- gies has been on a steady rise. Since IBM CP-40 [19], the first virtual machine prototype in 1966, many different types of virtualization and their uses have been actively explored both by the research community and by the industry. A relatively recent approach, which is becoming increasingly popular due to its light-weight nature, is Operating System-Level Virtualization, where a number of distinct user space instances, often referred to as containers, are run on top of a shared operating system kernel. A fundamental difference between OS-level virtualization and more established competitors, such as Xen hypervisor [24], VMWare [48] and Linux Kernel Virtual Machine [29] (KVM), is that in OS-level virtualization, the virtualized artifacts are global kernel resources, as opposed to hardware. -
System Calls & Signals
CS345 OPERATING SYSTEMS System calls & Signals Panagiotis Papadopoulos [email protected] 1 SYSTEM CALL When a program invokes a system call, it is interrupted and the system switches to Kernel space. The Kernel then saves the process execution context (so that it can resume the program later) and determines what is being requested. The Kernel carefully checks that the request is valid and that the process invoking the system call has enough privilege. For instance some system calls can only be called by a user with superuser privilege (often referred to as root). If everything is good, the Kernel processes the request in Kernel Mode and can access the device drivers in charge of controlling the hardware (e.g. reading a character inputted from the keyboard). The Kernel can read and modify the data of the calling process as it has access to memory in User Space (e.g. it can copy the keyboard character into a buffer that the calling process has access to) When the Kernel is done processing the request, it restores the process execution context that was saved when the system call was invoked, and control returns to the calling program which continues executing. 2 SYSTEM CALLS FORK() 3 THE FORK() SYSTEM CALL (1/2) • A process calling fork()spawns a child process. • The child is almost an identical clone of the parent: • Program Text (segment .text) • Stack (ss) • PCB (eg. registers) • Data (segment .data) #include <sys/types.h> #include <unistd.h> pid_t fork(void); 4 THE FORK() SYSTEM CALL (2/2) • The fork()is one of the those system calls, which is called once, but returns twice! Consider a piece of program • After fork()both the parent and the child are .. -
Process Relationships (Chapter 9 )
Process Relationships (Chapter 9 ) Terminal Logins & Network Logins Process Groups and Sessions Job Control Relationships explained with examples Amy Lin, UAH 6/25/2019 Terminal Login Procedure init getty login shell “init” • At old time, the sysadmin would create a text file called /etc/ttys, each line would specify the device name and other parameters passed to getty • On Linux, the information is in /etc/inittab, a typical line in inittab is - 5:2345:respawn:/sbin/mingetty tty5 (man 5 inittab) - mingetty is almost the same as getty except it’s not suitable for serial line connections , you might consider to use (m)getty if dialup connection is needed. • On system startup, init reads inittab to get terminal information and fork/exec a “getty” process for each terminal “getty” • Calls open for the terminal device (read and write) • Opens descriptors 0, 1, and 2 to the device and outputs “login:” • Waits for someone to enter a user name Amy Lin, UAH 6/25/2019 The “login” After user enters a user name, login invokes exec function execle(“/bin/login”, “login”, “-p”, username, (char*)0, envp); • login calls “getpwnam” to fetch the password file entry • login reads the entered password, call crypt (3) to encrypt the password then compare to the encrypted password file entry • If log incorrectly, login exits with “1”, init then respawns getty to start over In successful login, login performs the following - Change to user’s home directory - Change permissions of terminal device so we can read from and write to it - Set group IDs - Initialize environment variables, such as PATH, HOME, SHELL, USER, LOGNAME Amy Lin, UAH 6/25/2019 The “shell” At the end of login process, a login shell is invoked with fork/exec execl(“/bin/sh”,“-sh”,(char*)0) - The prefix “-” before argv[0] is a flag to all the shells that they are being invoked as a login shell. -
Container-Based Virtualization
Container-Based Virtualization Advanced Operating Systems Luca Abeni [email protected] Virtualized Resources • Virtual Machine: efficient, isolated duplicate of a physical machine • Why focusing on physical machines? • What about abstract machines? • Software stack: hierarchy of abstract machines • ... • Abstract machine: language runtime • Abstract machine: OS (hardware + system library calls) • Abstract machine: OS kernel (hardware + syscalls) • Physical machine (hardware) Advanced Operating Systems Container-Based Virtualization Hardware Virtualization • Can be full hardware virtualization or paravirtualization • Paravirtualization requires modifications to guest OS (kernel) • Can be based on trap and emulate • Can use special CPU features (hardware assisted virtualization) • In any case, the hardware (whole machine) is virtualized! • Guests can provide their own OS kernel • Guests can execute at various privilege levels Advanced Operating Systems Container-Based Virtualization OS-Level Virtualization • The OS kernel (or the whole OS) is virtualized • Guests can provide the user-space part of the OS (system libraries + binaries, boot scripts, ...) or just an application... • ...But continue to use the host OS kernel! • One single OS kernel (the host kernel) in the system • The kernel virtualizes all (or part) of its services • OS kernel virtualization: container-based virtualization • Example of OS virtualization: wine Advanced Operating Systems Container-Based Virtualization Virtualization at Language Level • The language runtime -
RED HAT ENTERPRISE LINUX FEATURE BRIEF Application-Optimized Infrastructure with Containers
RED HAT ENTERPRISE LINUX FEATURE BRIEF Application-optimized infrastructure with containers TECHNOLOGY BRIEF Four key elements that an Linux containers combine the flexibility of image-based deployment with lightweight application operating system should isolation. Developers choose Linux containers because they simplify application deployment. And implement that are also many Platform-as-a-Service (PaaS) architectures are built around Linux container technology — addressed by Linux containers: including OpenShift by Red Hat. • Resource management Red Hat® Enterprise Linux® 7 beta implements Linux containers using core technologies like control groups (cgroups) for resource management, namespaces for process isolation, and Security- • Process isolation Enhanced Linux (SELinux) for security. This allows secure multi-tenancy and reduces the potential • Security for security exploits. • Tooling For managing containers in Red Hat Enterprise Linux 7 beta, Docker provides a native toolkit for manipulating core system capabilities such as: • cgroups • namespaces • network interfaces • firewalls • kernel features Red Hat container certification ensures that application containers built using Red Hat Enterprise Linux will operate seamlessly across certified container hosts. FEATURES AND CAPABILITIES RESOURCE MANAGEMENT Resource management for containers is based on cgroups, which allow users to allocate CPU time, system memory, network bandwidth, block IO, or any combination of these resources to a set of user-defined task groups or processes running on a given system. Users can then monitor any cgroups they configure, deny cgroups access to certain resources, and even dynamically reconfigure cgroups on a running system. Cgroups give system administrators fine-grained control over allocat- ing, prioritizing, denying, managing, and monitoring system resources. Hardware resources can be divided among tasks and users, often increasing overall system efficiency. -
Multiple Instances of the Global Linux Namespaces
Multiple Instances of the Global Linux Namespaces Eric W. Biederman Linux Networx [email protected] Abstract to create a clean implementation that can be merged into the Linux kernel. The discussion has begun on the linux-kernel list and things are Currently Linux has the filesystem namespace slowly progressing. for mounts which is beginning to prove use- ful. By adding additional namespaces for pro- cess ids, SYS V IPC, the network stack, user ids, and probably others we can, at a trivial 1 Introduction cost, extend the UNIX concept and make novel uses of Linux possible. Multiple instances of a namespace simply means that you can have two 1.1 High Performance Computing things with the same name. For servers the power of computers is growing, and it has become possible for a single server I have been working with high performance to easily fulfill the tasks of what previously re- clusters for several years and the situation is quired multiple servers. Hypervisor solutions painful. Each Linux box in the cluster is ref- like Xen are nice but they impose a perfor- ered to as a node, and applications running or mance penalty and they do not easily allow re- queued to run on a cluster are jobs. sources to be shared between multiple servers. Jobs are run by a batch scheduler and, once For clusters application migration and preemp- launched, each job runs to completion typically tion are interesting cases but almost impossibly consuming 99% of the resources on the nodes hard because you cannot restart the application it is running on.