DOCSLIB.ORG

LXC (Linux Containers)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

بس حم م ال الر ن الرحیم Sharif University of Data and Network Technology Security Lab. LightweightLightweight VirtualizationVirtualization inin LinuxLinux SadeghSadegh DorriDorri N.N. PhDPhD CandidateCandidate Data and Network Security Lab. Seminar, 4 Aban 1393 TheThe NeedNeed forfor VirtualizationVirtualization Hypervisors are the living proof of operating system's incompetence! SchedulingScheduling aa Multi-processMulti-process “application”“application” - Nice, priority, etc. are hard to be dynamically managed KernelKernel MemoryMemory ManagementManagement - Fork bumps - $ while true; do mkdir x; cd x; done AbuseAbuse shouldshould bebe thethe application'sapplication's problem,problem, ratherrather thanthan beingbeing everyone's!everyone's! The failure of operating systems and how we can fix it: http://lwn.net/Articles/524952/ AgendaAgenda MotivationMotivation - Virtualization architectures - OS-level virtualization in Linux AA demodemo UnderUnder thethe hoodhood - LXC components - Related kernel features: cgroups and namespaces SecuritySecurity considerationsconsiderations ConclusionConclusion VariousVarious VirtualizationVirtualization ArchitecturesArchitectures HardwareHardware VirtualizationVirtualization VMware,VMware, Parallels,Parallels, QEmu,QEmu, Bochs,Bochs, Xen,Xen, KVMKVM ResourcesResources cannotcannot bebe sharedshared betweenbetween VMs.VMs. OS-LevelOS-Level VirtualizationVirtualization Linux Containers (LXC), Linux-VServer, OpenVZ, Parallels Virtuozzo Containers FreeBSD jails Solaris Containers/Zones IBM AIX6 WPARs (Workload Partitions) OS-LevelOS-Level VirtualizationVirtualization inin LinuxLinux LinuxLinux ContainersContainers - Allow a kernel to support more resource-isolation use- cases - Without the overhead and complexity of running multiple kernel and driver instances BenefitsBenefits - Isolation - Small footprint - Speed 3)3) SpeedSpeed 2)2) FootprintFootprint OnOn aa typicaltypical physicalphysical server,server, withwith averageaverage computecompute resources,resources, youyou cancan easilyeasily run:run: - 10-100 virtual machines - 100-1000 containers OnOn disk,disk, containerscontainers cancan bebe veryvery light.light. - A few MB — even without fancy storage. 1)1) IsolationIsolation EachEach containercontainer has:has: ItsIts ownown networknetwork interfaceinterface (and(and IPIP address)address) - can be bridged, routed... just like VMs ItsIts ownown filesystemfilesystem - Debian host can run Fedora container (& vice-versa) IsolationIsolation (security)(security) - container A & B can't harm (or even see) each other IsolationIsolation (resource(resource usage)usage) - soft & hard quotas for RAM, CPU, I/O... PossibilityPossibility ofof processprocess checkpoint/freezecheckpoint/freeze andand migrationmigration - Isolation prevents resource name conflicts Use-Cases:Use-Cases: DevelopersDevelopers ContinuousContinuous IntegrationIntegration - After each commit, run 100 tests in 100 environments ContinuousContinuous PackagingPackaging - Example: Project Builder EscapeEscape dependencydependency hellhell - Build (and/or run) in a controlled environment PutPut everythingeverything inin aa containercontainer - Even the tiny things Use-Cases:Use-Cases: HostingHosting ProvidersProviders CheapCheap CheaperCheaper HostingHosting (VPS(VPS providers)providers) GiveGive awayaway moremore freefree stuffstuff - "Pay for your production, get your staging for free!" - Spin up/down on demand, in seconds - Example: dotCloud ““Google has built their entire datacenter infrastructure around Linux containers, launching more than 2 billion containers per week.”” (Kubernetes:(Kubernetes: openopen sourcesource GoogleGoogle cloudcloud platform)platform) Use-Cases:Use-Cases: EveryoneEveryone LookLook insideinside youryour VMsVMs - You can see (and kill) individual processes - You can browse (and change) the filesystem DoDo (almost)(almost) whateverwhatever youyou diddid withwith VMsVMs - ... But faster MigrationMigration - Checkpoint then unfreeze: experimental (CRIU) Solutions in Linux OpenVZOpenVZ ModifiedModified LinuxLinux kernelkernel - Also works with unpatched Linux 3.x (reduced feature set) EachEach containercontainer isis aa separateseparate entityentity withwith itsits own:own: - Files: System libraries, applications, virtualized /proc and /sys, virtualized locks, etc. - Users and groups: its own root user, as well as other users and groups. - Process tree: only sees its own processes (incl. init) - Network: virtual network device with own IP addresses, iptables, and routing rules. - Devices: can be granted access to real devices. - IPC objects: shared memory, semaphores, messages. LXCLXC (LinuX(LinuX Containers)Containers) Container:Container: - Provides an env. like a standard Linux installation but without the need for a separate kernel. - Single kernel and drivers, multiple different user spaces AA groupgroup ofof processesprocesses inin LinuxLinux inin anan isolatedisolated environment.environment. - From inside: looks like a VM - From outside: looks like normal processes - Something (conceptually) in the middle between a chroot on steroids and a full fledged VM LXCLXC vs.vs. OpenVZOpenVZ - OpenVZ: production ready and stable; pushing to the upstream - LXC: a work-in-progress; uses standard kernel features LXCLXC LifecycleLifecycle lxc-createlxc-create - Setup a container (root filesystem and config) lxc-startlxc-start - Boot the container (by default, you get a console) lxc-consolelxc-console - Attach a console (if you started in background) lxc-stoplxc-stop - Shutdown the container lxc-destroylxc-destroy - Destroy the filesystem created with lxc- create See also: LXC Web Panel - http://lxc-webpanel.github.io/ Demo... Under the Hood LXCLXC ComponentsComponents Components:Components: - The liblxc library - Several language bindings for the API: ● Python, lua, Go, ruby, Haskell - A set of standard tools to control the containers - Container templates OpenOpen source!source! https://linuxcontainers.org/https://linuxcontainers.org/ FeaturesFeatures MakingMaking upup LXCLXC KernelKernel featuresfeatures usedused inin LXC:LXC: - Isolation: ● Kernel namespaces (ipc, uts, mount, pid, network and user) ● Chroots (using pivot_root) - Resource management ● Control groups (cgroups) - Security: ● Apparmor and SELinux profiles ● Seccomp policies ● Kernel capabilities Pivot_rootPivot_root andand ChrootChroot ChangeChange thethe rootroot directorydirectory toto aa newnew pathpath - Pivot_root: switches the complete system and remove dependencies on the old root dir. - Chroot: applied on a single process SeccompSeccomp seccompseccomp (SECure(SECure COMPutingCOMPuting mode)mode) - A simple sandboxing mechanism (Linux 2.6.12+ (2005)) - Allows a process to make a one-way transition into a "secure" state ● Syscalls limited to exit(), sigreturn(), read() and write() to already-open file descriptors. - Any attempts for other system calls result in SIGKILL. seccomp-bpfseccomp-bpf - An extension to seccomp that allows filtering of system calls using a configurable policy - Used by OpenSSH and vsftpd as well as Google Chrome/Chromium on Chrome OS and Linux to sandbox Flash player and renderers. CapabilitiesCapabilities In traditional UNIX, processes are: - Privileged (EUID is 0): Bypass all kernel permission checks. - Unprivileged: full permission checking (EUID, EGID, and supplementary group list). Since Linux kernel 2.2: - The superuser privileges are divided into distinct units (a.k.a. as capabilities) - Capabilities can be independently enabled and disabled (per-thread) Examples: - CAP_CHOWN: Make arbitrary changes to file UIDs and GIDs. - CAP_KILL: Bypass permission checks for sending signals. - CAP_NET_ADMIN: Perform various network-related operations. - CAP_SYS_ADMIN - CAP_SYS_BOOT: Use reboot and kexec_load LinuxLinux SecuritySecurity ModulesModules (LSM)(LSM) AA LinuxLinux kernelkernel frameworkframework toto supportsupport differentdifferent securitysecurity modelsmodels - Avoids favoritism toward any single implementation. - Examples: AppArmor, SELinux, Smack and TOMOYO Linux UsedUsed toto implementimplement differentdifferent MACsMACs Access Control Control Groups IntroductionIntroduction toto CGroupsCGroups CgroupsCgroups (control(control groups):groups): - Allocate resources (CPU, memory, network, or their combinations) among user-defined groups of tasks (processes) - Think ulimit, but for groups of processes ... and with fine-grained accounting. - Initiated at Google (2006) - Available in Fedora 18 kernel and ubuntu 12.10 kernel (also some previous releases). Commands:Commands: - cgcreate: creates new cgroup - cgset: sets parameters for given cgroup(s) - cgexec: runs a task in specified control groups. CGroups:CGroups: ImplementationImplementation ImplementedImplemented asas aa specialspecial cgroupcgroup filefile systemsystem - libcgroup is a library that abstracts the control group file system in Linux. - CGroup services: Allow persistence across reboot and ease of use. AA fewfew simplesimple hookshooks insertedinserted intointo thethe kernelkernel (not(not performance-performance- critical):critical): - In boot phase, process creation and destroy methods, task_struct procfsprocfs entries:entries: ● For each process: /proc/pid/cgroup. ● System-wide: /proc/cgroups CGroupCGroup SubsystemsSubsystems cpucpu - control CPU scheduler cpuacctcpuacct - generates automatic reports on CPU resources cpusetcpuset - assigns individual CPUs (cores) and memory
Recommended publications
  • Oracle VM Virtualbox Container Domains for SPARC Or X86

    Oracle VM Virtualbox Container Domains for SPARC Or X86

    1 <Insert Picture Here> Virtualisierung mit Oracle VirtualBox und Oracle Solaris Containern Detlef Drewanz Principal Sales Consultant SAFE HARBOR STATEMENT The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. In addition, the following is intended to provide information for Oracle and Sun as we continue to combine the operations worldwide. Each country will complete its integration in accordance with local laws and requirements. In the EU and other non-EU countries with similar requirements, the combinations of local Oracle and Sun entities as well as other relevant changes during the transition phase will be conducted in accordance with and subject to the information and consultation requirements of applicable local laws, EU Directives and their implementation in the individual members states. Sun customers and partners should continue to engage with their Sun contacts for assistance for Sun products and their Oracle contacts for Oracle products. 3 So .... Server-Virtualization is just reducing the number of boxes ? • Physical systems • Virtual Machines Virtualizationplattform Virtualizationplattform 4 Virtualization Use Workloads and Deployment Platforms
  • In Search of the Ideal Storage Configuration for Docker Containers

    In Search of the Ideal Storage Configuration for Docker Containers

    In Search of the Ideal Storage Configuration for Docker Containers Vasily Tarasov1, Lukas Rupprecht1, Dimitris Skourtis1, Amit Warke1, Dean Hildebrand1 Mohamed Mohamed1, Nagapramod Mandagere1, Wenji Li2, Raju Rangaswami3, Ming Zhao2 1IBM Research—Almaden 2Arizona State University 3Florida International University Abstract—Containers are a widely successful technology today every running container. This would cause a great burden on popularized by Docker. Containers improve system utilization by the I/O subsystem and make container start time unacceptably increasing workload density. Docker containers enable seamless high for many workloads. As a result, copy-on-write (CoW) deployment of workloads across development, test, and produc- tion environments. Docker’s unique approach to data manage- storage and storage snapshots are popularly used and images ment, which involves frequent snapshot creation and removal, are structured in layers. A layer consists of a set of files and presents a new set of exciting challenges for storage systems. At layers with the same content can be shared across images, the same time, storage management for Docker containers has reducing the amount of storage required to run containers. remained largely unexplored with a dizzying array of solution With Docker, one can choose Aufs [6], Overlay2 [7], choices and configuration options. In this paper we unravel the multi-faceted nature of Docker storage and demonstrate its Btrfs [8], or device-mapper (dm) [9] as storage drivers which impact on system and workload performance. As we uncover provide the required snapshotting and CoW capabilities for new properties of the popular Docker storage drivers, this is a images. None of these solutions, however, were designed with sobering reminder that widespread use of new technologies can Docker in mind and their effectiveness for Docker has not been often precede their careful evaluation.
  • ISSN: 1804-0527 (Online) 1804-0519 (Print) Vol.8 (2), PP. 63-69 Introduction During the Latest Years, a Lot of Projects Have Be

    ISSN: 1804-0527 (Online) 1804-0519 (Print) Vol.8 (2), PP. 63-69 Introduction During the Latest Years, a Lot of Projects Have Be

    Perspectives of Innovations, Economics & Business, Volume 8, Issue 2, 201 1 EVALUATION OF PERFORMANCE OF SOLARIS TRUSTED EXTENSIONS USING CONTAINERS TECHNOLOGY EVALUATION OF PERFORMANCE OF GENTI DACI SOLARIS TRUSTED EXTENSIONS USING CONTAINERS TECHNOLOGY Faculty of Information Technology Polytechnic University of Tirana, Albania UDC: 004.45 Key words: Solaris Containers. Abstract: Server and system administrators have been concerned about the techniques on how to better utilize their computing resources. Today, there are developed many technologies for this purpose, which consists of running multiple applications and also multiple operating systems on the same hardware, like VMWARE, Linux-VServer, VirtualBox, Xen, etc. These systems try to solve the problem of resource allocation from two main aspects: running multiple operating system instances and virtualizing the operating system environment. Our study presents an evaluation of scalability and performance of an operating system virtualization technology known as Solaris Containers, with the main objective on measuring the influence of a security technology known as Solaris Trusted Extensions. Solaris. We will study its advantages and disadvantages and also the overhead that it introduces to the scalability of the system’s main advantages. ISSN: 1804 -0527 (online) 1804 -0519 (print) Vol.8 (2), PP. 63 -69 Introduction administration because there are no multiple operating system instances in a system. During the latest years, a lot of projects have been looking on virtualizing operating system Operating systems environments, such as FreeBSD Jail, Linux- VServer, Virtuozzo etc. This virtualization technique is based in using only one underlying Solaris/OpenSolaris are Operating Systems operating system kernel. Using this paradigm the performing as the main building blocks of computer user has the possibility to run multiple applications systems; they provide the interface between user in isolation from each other.
  • The Server Virtualization Landscape, Circa 2007

    The Server Virtualization Landscape, Circa 2007

    ghaff@ illuminata.com Copyright © 2007 Illuminata, Inc. single user license Gordon R Haff Illuminata, Inc. TM The Server Virtualization Bazaar, Circa 2007 Inspired by both industry hype and legitimate customer excitement, many Research Note companies seem to have taken to using the “virtualization” moniker more as the hip phrase of the moment than as something that’s supposed to convey actual meaning. Think of it as “eCommerce” or “Internet-enabled” for the Noughts. The din is loud. It doesn’t help matters that virtualization, in the broad sense of “remapping physical resources to more useful logical ones,” spans a huge swath of Gordon Haff technologies—including some that are so baked-in that most people don’t even 27 July 2007 think of them as virtualization any longer. Personally licensed to Gordon R Haff of Illuminata, Inc. for your personal education and individual work functions. Providing its contents to external parties, including by quotation, violates our copyright and is expressly forbidden. However, one particular group of approaches is capturing an outsized share of the limelight today. That would, of course, be what’s commonly referred to as “server virtualization.” Although server virtualization is in the minds of many inextricably tied to the name of one company—VMware—there are many companies in this space. Their offerings include not only products that let multiple virtual machines (VMs) coexist on a single physical server, but also related approaches such as operating system (OS) virtualization or containers. In the pages that follow, I offer a guide to today’s server virtualization bazaar— which at first glance can perhaps seem just a dreadfully confusing jumble.
  • Virtual Containers: Asset Management Best Practices and Licensing Considerations

    Virtual Containers: Asset Management Best Practices and Licensing Considerations

    Virtual Containers: Asset Management Best Practices and Licensing Considerations Virtual containers have seen tremendous adoption and growth within all industries. However, in terms of IT asset management, cont- ainers are not being managed and are an unknown area of risk for many of our clients. Because it is a newer technology, there is very little information about managing containers and how to address the emerging SAM & ITAM challenges they bring. Due to this lack of public information, Anglepoint has published this whitepaper on navigating the world of containers, with an empha- sis on asset management and licensing. We will cover everything from the history of containers, to what containers are, the benefits of containers, asset management best practices, and some publisher-specific licensing considerations. A BRIEF HISTORY OF VIRTUAL CONTAINERS The first proper containers came from the Linux world as LXC (LinuX Containers) in 2008. However, it wasn’t until 2013 that containers entered the IT public consciousness, when Docker came onto the scene with Enterprise usage in mind. Even then, though, it was more of an enthusiast’s technology. In 2015, Google released and open sourced Kubernetes which manages and ‘orchestrates’ containers. However, it wasn’t until 2017 that Docker and Kubernetes had matured enough to be considered for production use within corporate environments. 2017 also saw VMware, Microsoft, and Amazon beginning to support and offer solutions for Kubernetes and Docker on their top-tier cloud infrastructure. WHAT IS A CONTAINER? Often, people conflate the term ‘container’ with multiple technologies that make up the container ecosystem. Let’s look at what a modern container is at the most fundamental level.
  • Resource Management: Linux Kernel Namespaces and Cgroups

    Resource Management: Linux Kernel Namespaces and Cgroups

    Resource management: Linux kernel Namespaces and cgroups Rami Rosen [email protected] Haifux, May 2013 www.haifux.org 1/121 http://ramirose.wix.com/ramirosen TOC Network Namespace PID namespaces UTS namespace Mount namespace user namespaces cgroups Mounting cgroups links Note: All code examples are from for_3_10 branch of cgroup git tree (3.9.0-rc1, April 2013) 2/121 http://ramirose.wix.com/ramirosen General The presentation deals with two Linux process resource management solutions: namespaces and cgroups. We will look at: ● Kernel Implementation details. ●what was added/changed in brief. ● User space interface. ● Some working examples. ● Usage of namespaces and cgroups in other projects. ● Is process virtualization indeed lightweight comparing to Os virtualization ? ●Comparing to VMWare/qemu/scaleMP or even to Xen/KVM. 3/121 http://ramirose.wix.com/ramirosen Namespaces ● Namespaces - lightweight process virtualization. – Isolation: Enable a process (or several processes) to have different views of the system than other processes. – 1992: “The Use of Name Spaces in Plan 9” – http://www.cs.bell-labs.com/sys/doc/names.html ● Rob Pike et al, ACM SIGOPS European Workshop 1992. – Much like Zones in Solaris. – No hypervisor layer (as in OS virtualization like KVM, Xen) – Only one system call was added (setns()) – Used in Checkpoint/Restart ● Developers: Eric W. biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov, more. – 4/121 http://ramirose.wix.com/ramirosen Namespaces - contd There are currently 6 namespaces: ● mnt (mount points, filesystems) ● pid (processes) ● net (network stack) ● ipc (System V IPC) ● uts (hostname) ● user (UIDs) 5/121 http://ramirose.wix.com/ramirosen Namespaces - contd It was intended that there will be 10 namespaces: the following 4 namespaces are not implemented (yet): ● security namespace ● security keys namespace ● device namespace ● time namespace.
  • Containerisation Gareth Roy Gridpp 32, Pitlochry �1 Intermodal Containers

    Containerisation Gareth Roy Gridpp 32, Pitlochry 1 Intermodal Containers

    Containerisation Gareth Roy GridPP 32, Pitlochry "1 Intermodal Containers Developed by Malcolm P. McLean & Keith W. Tantlinger. Reaction to slow loading times produced by using “break bulk cargo.” Apparatus for shipping freight (1958): “In 1956, loose cargo cost $5.86 per ton US 2853968 A - Malcolm P McLean to load. Using an ISO shipping container, the cost was reduced to only .16 cents per ton.” IMPERIAL METRIC Length 19’ 10.5” 6.058 m Width 8’ 0” 2.438 m Height 8’ 6” 2.591 m Empty Weight 4,850 lb 2,200 kg Max Weight 66,139 lb 30,400 kg "2 Mærsk Mc-Kinney Møller (18270 TEU) Linux Containers Form of OS Level Virtualisation. Kernel hosts multiple separated user-land instances (Virtual Environment/Engine). Application Low overheads, elastic, multi-tennant. VE Storage can be Copy-on-Write or use UnionFS OS Examples: chroot (1982) Solaris Containers (2005) Physical Hardware FreeBSD Jails (1988) AIX WPARS (2007) Virtuozzo (2001) LXC (2008) OpenVZ (2005) "3 VM’s vs Containers Application Application Application Application Guest OS Guest OS VE VE Virtual HW Virtual HW OS Hypervisor / OS Physical Hardware Physical Hardware Virtual Machine Linux Container "4 VM’s vs Containers (Arguments) Pros: Pros: OS Independent Lightweight / Dense Secure / Isolated Fast Instantiation Flexible Elastic Resource Live Migration Low Memory Consumption Mature Ecosystem Native Performance Cons: Cons: Full System Image Restricted / Linux Only Slow Startup/Shutdown/Build Shared Kernel Memory Consumption Overhead Security Model Opaque to System Young Ecosystem Virtual Machine Linux Container "5 Containers in More Detail Running Application Application Application Instanced Namespace Virtual Environment Virtual Environment Resource Control Group Container CGROUP Container CGROUP Kernel Namespace Layer PID MNT IPC NET UTS USER* Linux Kernel > 2.6.23 OS Physical Hardware "6 Namespaces Application A Namespace wraps a global resource and presents an isolated instance to running process.
  • Containers – Namespaces and Cgroups

    Containers – Namespaces and Cgroups

    Containers – namespaces and cgroups --- Ajay Nayak Motivation Why containers? • Important use-case: implementing lightweight virtualization • Virtualization == isolation of processes • Traditional virtualization: Hypervisors • Processes isolated by running in separate guest kernels that sit on top of host kernel • Isolation is “all or nothing” • Virtualization via containers • Permit isolation of processes running on a single kernel be per-global- resource --- via namespaces • Restrict resource consumption --- via cgroups Outline • Motivation • Concepts • Linux Namespaces • UTS • UID • Mount • C(ontrol) groups • Food for thought Introduction Concepts • Isolation • Goal: Limit “WHAT” a process can use • “wrap” some global system resource to provide resource isolation • Namespaces jump into the picture • Control • Goal: Limit “HOW MUCH” a process can use • A mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups • Assign specialized behaviour to the group • C(ontrol) groups jump into the picture https://github.com/nayakajay/linux-namespaces Namespaces Linux namespaces • Supports following NS types: (CLONE_FLAG; symlink) • Mount (CLONE_NEWNS; /proc/pid/ns/mnt) • UTS (CLONE_NEWUTS; /proc/pid/ns/uts) • IPC (CLONE_NEWIPC; /proc/pid/ns/ipc) • PID (CLONE_NEWPID; /proc/pid/ns/pid) • Network (CLONE_NEWNET; /proc/pid/ns/net) • User (CLONE_NEWUSER; /proc/pid/ns/user) • Cgroup (CLONE_NEWCGROUP; /proc/pid/ns/cgroup) • Time (CLONE_NEWTIME; /proc/pid/ns/time) <= very new! # Magic symlinks, which
  • Security of OS-Level Virtualization Technologies: Technical Report

    Security of OS-Level Virtualization Technologies: Technical Report

    Security of OS-level virtualization technologies Elena Reshetova1, Janne Karhunen2, Thomas Nyman3, N. Asokan4 1 Intel OTC, Finland 2 Ericsson, Finland 3 University of Helsinki, Finland 4 Aalto University and University of Helsinki, Finland Abstract. The need for flexible, low-overhead virtualization is evident on many fronts ranging from high-density cloud servers to mobile devices. During the past decade OS-level virtualization has emerged as a new, efficient approach for virtualization, with implementations in multiple different Unix-based systems. Despite its popularity, there has been no systematic study of OS-level virtualization from the point of view of security. In this report, we conduct a comparative study of several OS- level virtualization systems, discuss their security and identify some gaps in current solutions. 1 Introduction During the past couple of decades the use of different virtualization technolo- gies has been on a steady rise. Since IBM CP-40 [19], the first virtual machine prototype in 1966, many different types of virtualization and their uses have been actively explored both by the research community and by the industry. A relatively recent approach, which is becoming increasingly popular due to its light-weight nature, is Operating System-Level Virtualization, where a number of distinct user space instances, often referred to as containers, are run on top of a shared operating system kernel. A fundamental difference between OS-level virtualization and more established competitors, such as Xen hypervisor [24], VMWare [48] and Linux Kernel Virtual Machine [29] (KVM), is that in OS-level virtualization, the virtualized artifacts are global kernel resources, as opposed to hardware.
  • Container Technologies

    Container Technologies

    Zagreb, NKOSL, FER Container technologies Marko Golec · Juraj Vijtiuk · Jakov Petrina April 11, 2020 About us ◦ Embedded Linux development and integration ◦ Delivering solutions based on Linux, OpenWrt and Yocto • Focused on software in network edge and CPEs ◦ Continuous participation in Open Source projects ◦ www.sartura.hr Introduction to GNU/Linux ◦ Linux = operating system kernel ◦ GNU/Linux distribution = kernel + userspace (Ubuntu, Arch Linux, Gentoo, Debian, OpenWrt, Mint, …) ◦ Userspace = set of libraries + system software Linux kernel ◦ Operating systems have two spaces of operation: • Kernel space – protected memory space and full access to the device’s hardware • Userspace – space in which all other application run • Has limited access to hardware resources • Accesses hardware resources via kernel • Userspace applications invoke kernel services with system calls User applications E.g. bash, LibreOffice, GIMP, Blender, Mozilla Firefox, etc. System daemons: Windowing system: User mode Low-level system systemd, runit, logind, X11, Wayland, Other libraries: GTK+, Qt, EFL, SDL, SFML, Graphics: Mesa, AMD components networkd, PulseAudio, SurfaceFlinger FLTK, GNUstep, etc. Catalyst, … … (Android) C standard library Up to 2000 subroutines depending on C library (glibc, musl, uClibc, bionic) ( open() , exec() , sbrk() , socket() , fopen() , calloc() , …) About 380 system calls ( stat , splice , dup , read , open , ioctl , write , mmap , close , exit , etc.) Process scheduling Memory management IPC subsystem Virtual files subsystem Network subsystem Kernel mode Linux Kernel subsystem subsystem Other components: ALSA, DRI, evdev, LVM, device mapper, Linux Network Scheduler, Netfilter Linux Security Modules: SELinux, TOMOYO, AppArmor, Smack Hardware (CPU, main memory, data storage devices, etc.) TABLE 1 Layers within Linux Virtualization Virtualization Concepts Two virtualization concepts: ◦ Hardware virtualization (full/para virtualization) • Emulation of complete hardware (virtual machines - VMs) • VirtualBox, QEMU, etc.
  • Performance Isolation of a Misbehaving Virtual Machine with Xen, Vmware and Solaris Containers

    Performance Isolation of a Misbehaving Virtual Machine with Xen, Vmware and Solaris Containers

    Performance Isolation of a Misbehaving Virtual Machine with Xen, VMware and Solaris Containers Todd Deshane, Demetrios Dimatos, Gary Hamilton, Madhujith Hapuarachchi, Wenjin Hu, Michael McCabe, Jeanna Neefe Matthews Clarkson University {deshantm, dimatosd, hamiltgr, hapuarmg , huwj, mccabemt, jnm}@clarkson.edu Abstract In recent years, there have been a number of papers comparing the performance of different virtualization environ- ments for x86 such as Xen, VMware and UML. These comparisons have focused on quantifying the overhead of virtualization for one VM compared to a base OS. In addition, researchers have examined the performance degrada- tion experienced when multiple VMs are running the same workload. This is an especially relevant metric when determining a systems’ suitability for supporting commercial hosting environments – the target environment for some virtualization systems. In such an environment, a provider may allow multiple customers to administer virtual ma- chines on the same physical host. It is natural for these customers to want a certain guaranteed level of performance regardless of the actions taken by other VMs on the same physical host. In that light, another key aspect of the com- parison between virtualization environments has received less attention - how well do different virtualization systems protect VMs from misbehavior or resource hogging on other VMs? In this paper, we present the results of running a variety of different misbehaving applications under three different virtualization environments VMware, Xen, and Solaris containers. These are each examples of a larger class of virtualization techniques namely full virtualization, paravirtualization and generic operating systems with additional isolation layers. To test the isolation properties of these systems, we run six different stress tests - a fork bomb, a test that consumes a large amount of memory, a CPU intensive test, a test that runs 10 threads of IOzone and two tests that send and receive a large amount of network I/O.
  • Container-Based Virtualization

    Container-Based Virtualization

    Container-Based Virtualization Advanced Operating Systems Luca Abeni [email protected] Virtualized Resources • Virtual Machine: efficient, isolated duplicate of a physical machine • Why focusing on physical machines? • What about abstract machines? • Software stack: hierarchy of abstract machines • ... • Abstract machine: language runtime • Abstract machine: OS (hardware + system library calls) • Abstract machine: OS kernel (hardware + syscalls) • Physical machine (hardware) Advanced Operating Systems Container-Based Virtualization Hardware Virtualization • Can be full hardware virtualization or paravirtualization • Paravirtualization requires modifications to guest OS (kernel) • Can be based on trap and emulate • Can use special CPU features (hardware assisted virtualization) • In any case, the hardware (whole machine) is virtualized! • Guests can provide their own OS kernel • Guests can execute at various privilege levels Advanced Operating Systems Container-Based Virtualization OS-Level Virtualization • The OS kernel (or the whole OS) is virtualized • Guests can provide the user-space part of the OS (system libraries + binaries, boot scripts, ...) or just an application... • ...But continue to use the host OS kernel! • One single OS kernel (the host kernel) in the system • The kernel virtualizes all (or part) of its services • OS kernel virtualization: container-based virtualization • Example of OS virtualization: wine Advanced Operating Systems Container-Based Virtualization Virtualization at Language Level • The language runtime