Presentation is loading. Please wait.

Presentation is loading. Please wait.

Linux Containers Overview & Roadmap

Published byDelphia Sutton Modified over 6 years ago

Similar presentations

Presentation on theme: "Linux Containers Overview & Roadmap"— Presentation transcript:

1

2 Linux Containers Overview & Roadmap
Bhavna Sarathy Senior Product Manager, Red Hat Dan Walsh Senior Principal Software Engineer, Red Hat June

3 Key elements of Linux Containers
Process Isolation Resource Management Security Bhavna: Linux containers can just be thought of as a collection of processes, separated from the main host processes via a set of resource namespaces and constrained via control groups resource tunables. Now, lets look into the key elements of Linux containers. The 4 tenets of Linux Containers are: - Process Isolation - Resource Management - Security - Management or Tooling Process Isolation is achieved through kernel namespaces which provides a simulated environment for the various kernel capabilities such as process ID, mount, network, UTS, and user ID. Resource management is achieved using process control groups or cgroups to allocate, and manage the host CPU, system memory, disk I/O, and network resources. Security is provided using SELinux, which applies security labels to Linux containers and their resources. In addition, SELinux policies are applied to containers. Management tooling is provided using the libvirt API which provides a collection of services (virt-sandbox-service, virt-sandbox) to support application sandboxing capabilities. Management

4 Linux Container Architecture

5 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD)

6 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD) Namespaces

7 Namespaces Process Isolation Mount : mounting/unmounting filesystems
UTS : hostname, domainname IPC : SysV message queues, semaphore/shared memory segments Network: IPv4/IPv6 stacks, routing, firewall PID: Private /proc, multiple pid 1's User: (UID) Just showing up in the Kernel now. Not planning on supporting in RHEL7. Bhavna: Linux containers can just be thought of as a collection of processes, separated from the main host processes via a set of resource namespaces and constrained via control groups resource tunables. Now, lets look into the key elements of Linux containers. The 4 tenets of Linux Containers are: - Process Isolation - Resource Management - Security - Management or Tooling Process Isolation is achieved through kernel namespaces which provides a simulated environment for the various kernel capabilities such as process ID, mount, network, UTS, and user ID. Resource management is achieved using process control groups or cgroups to allocate, and manage the host CPU, system memory, disk I/O, and network resources. Security is provided using SELinux, which applies security labels to Linux containers and their resources. In addition, SELinux policies are applied to containers. Management tooling is provided using the libvirt API which provides a collection of services (virt-sandbox-service, virt-sandbox) to support application sandboxing capabilities.

8 Namespace Use Process Isolation pam_namespace - RHEL5/6
SELinux sandbox - RHEL6 SystemD - Fedora 17 UnitFile: PrivateTmp, PrivateNetwork Openshift - RHEL6 Pam_namespace : Private /tmp

9 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD) Namespaces Cgroups

10 Resource Management with Cgroups
Network Memory CPU Block IO Linux Kernel Namespaces Cgroups Hardware (Intel, AMD)

11 Cgroup Use Resource Management Libvirt/qemu – RHEL6 OpenShift - RHEL6
SystemD - Fedora 18 UnitFile: ControlGroup* Red Hat Storage Service Gluster - RHEL6

12 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD) Namespaces Cgroups SELinux

13 SELinux Use Security Targeted - RHEL4 MLS – RHEL5 Targeted/MCS - RHEL6
sVirt OpenShift sandbox -X

14 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD) Namespaces Cgroups SELinux Libvirt Drivers

15 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD) Namespaces Cgroups SELinux Libvirt Drivers

16 Red Hat Enterprise Linux Container Architecture
Linux Kernel Hardware (Intel, AMD) Namespaces Cgroups SELinux Libvirt Containers Containers Drivers

17 Libvirt Use Libvirt - RHEL5, RHEL6 Launch Virtual Machines
Libvirt-lxc – RHEL6.4 Launch Containers Management

18 Linux Container Use Cases
Process Isolation Resource Management Security Bhavna: Linux containers can just be thought of as a collection of processes, separated from the main host processes via a set of resource namespaces and constrained via control groups resource tunables. Now, lets look into the key elements of Linux containers. The 4 tenets of Linux Containers are: - Process Isolation - Resource Management - Security - Management or Tooling Process Isolation is achieved through kernel namespaces which provides a simulated environment for the various kernel capabilities such as process ID, mount, network, UTS, and user ID. Resource management is achieved using process control groups or cgroups to allocate, and manage the host CPU, system memory, disk I/O, and network resources. Security is provided using SELinux, which applies security labels to Linux containers and their resources. In addition, SELinux policies are applied to containers. Management tooling is provided using the libvirt API which provides a collection of services (virt-sandbox-service, virt-sandbox) to support application sandboxing capabilities. Management

19 Shared RHEL Host Software
Containers use cases Shared RHEL Host Software Generic Application Container Systemd Application Container Generic Application container Start any application Shared /usr Systemd Application Container launch container and persist across reboots Interactive : invoke from virt-sandbox CLI Chroot on steroids Ability to run different application stacks in containers This is where the rubber meets the road! OS containers – Not Supported Boot guest OSes inside a container Use full featured KVM Virtualization!

20 Shared RHEL Host Software
Containers use cases Shared RHEL Host Software Generic Application Container Systemd Application Container Unshared OS Software Chroot Application Container Booted OS Container Generic Application container Start any application Shared /usr Systemd Application Container launch container and persist across reboots Interactive : invoke from virt-sandbox CLI Chroot on steroids Ability to run different application stacks in containers This is where the rubber meets the road! OS containers – Not Supported Boot guest OSes inside a container Use full featured KVM Virtualization!

21 Generic Application Container
virt-sandbox-service Libvirt libvirt-lxc Any command

22 Systemd Application Container
virt-sandbox-service Libvirt libvirt-lxc Unit file

23 Chroot Application Container
virt-sandbox-service Libvirt libvirt-lxc Any Command In Chroot

24 virt-sandbox-service
Booted OS Container virt-sandbox-service Libvirt libvirt-lxc /sbin/init

25 virt-sandbox-service
Booted OS Containers Not supported!!! Use KVM virt-sandbox-service Libvirt libvirt-lxc /sbin/init

26 Containers vs KVM Virtualization
When should I use containers and when should I use KVM?

27 Containers vs KVM Virtualization
Startup and shutdown speed Ease of Maintainance Easy to create System-wide changes visible in each container For RHEL Shared OS Containers Scalability: Number of containers Process Memory Sharing

28 KVM Virtualization vs Containers
Boot multiple Different Operating Systems Including Windows Separate kernel Better Security Kernel crash does not take down host Guest Isolation from host changes Full Separation Features such as live migration, live storage migration

29 Linux Containers : Scalability
How many containers can you run? Theoritical Scales to 6000 containers and bind mounts of root filesystem directories Practical Running real workloads, containers doing work in parallel

30

31 Future Seccomp – Linux syscall restriction
Better audit support/logging support Working UnionFS. What's going to break?????

32 Related Summit Sessions
Managing SELinux in the Enterprise Wed 4:50 pm, Rm 312 Secure Development Practices Thu 1:20 pm, Rm 306 Under the Hood of OpenShift, Turbocharged by RHEL Thu 3:40 pm, Rm 304 KVM Hypervisor Roadmap & Technology Update Thu 10:40am, Rm 304 Hypervisor Technology Comparison & Migration Fri 9:45am, Rm 313

33 Contact Info Dan Walsh Blog: danwalsh.livejournal.com Bhavna Sarathy

34 Questions?

Download ppt "Linux Containers Overview & Roadmap"

Similar presentations

With ovirt & virt manager

With ovirt & virt manager
PlanetLab: An Overlay Testbed for Broad-Coverage Services Bavier, Bowman, Chun, Culler, Peterson, Roscoe, Wawrzoniak Presented by Jason Waddle.

PlanetLab: An Overlay Testbed for Broad-Coverage Services Bavier, Bowman, Chun, Culler, Peterson, Roscoe, Wawrzoniak Presented by Jason Waddle.
Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.

Virtual Machine Technology Dr. Gregor von Laszewski Dr. Lizhe Wang.
Lightweight virtual system mechanism Gao feng

Lightweight virtual system mechanism Gao feng
Profit from the cloud TM Parallels Dynamic Infrastructure AndOpenStack.

Profit from the cloud TM Parallels Dynamic Infrastructure AndOpenStack.
Xen , Linux Vserver , Planet Lab

Xen , Linux Vserver , Planet Lab
KVM and Container Performance and Isolation Deep Dive.

KVM and Container Performance and Isolation Deep Dive.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Virtualization 101.

Virtualization 101.
Red Hat Installation. Installing Red Hat Linux is the process of copying operating system files from a CD, DVD, or USB flash drive to hard disk(s) on.

Red Hat Installation. Installing Red Hat Linux is the process of copying operating system files from a CD, DVD, or USB flash drive to hard disk(s) on.
Condor Project Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Virtual Machines in Condor.
Methodologies, strategies and experiences Virtualization.

Methodologies, strategies and experiences Virtualization.
INTRODUCTION TO CLOUD COMPUTING CS 595 LECTURE 7 2/23/2015.

INTRODUCTION TO CLOUD COMPUTING CS 595 LECTURE 7 2/23/2015.
May 19-20 l Washington, DC l Omni Shoreham Nick Dobrovolskiy VP Parallels Open Platform May 19 th, 2008 Introducing Parallels Server.

May l Washington, DC l Omni Shoreham Nick Dobrovolskiy VP Parallels Open Platform May 19 th, 2008 Introducing Parallels Server.
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
A Cloud is a type of parallel and distributed system consisting of a collection of inter- connected and virtualized computers that are dynamically provisioned.

A Cloud is a type of parallel and distributed system consisting of a collection of inter- connected and virtualized computers that are dynamically provisioned.
Module 7: Hyper-V. Module Overview List the new features of Hyper-V Configure Hyper-V virtual machines.

Module 7: Hyper-V. Module Overview List the new features of Hyper-V Configure Hyper-V virtual machines.
V IRTUALIZATION Sayed Ahmed B.Sc. Engineering in Computer Science & Engineering M.Sc. In Computer Science.

V IRTUALIZATION Sayed Ahmed B.Sc. Engineering in Computer Science & Engineering M.Sc. In Computer Science.
A RedStack Technology Company Oracle EMEA Database Partner of the Year Oracle Partner of the year 2010 & 2012 +44 (0) 844 811 3600

A RedStack Technology Company Oracle EMEA Database Partner of the Year Oracle Partner of the year 2010 & (0)

Similar presentations

Ads by Google