Building Infrastructure with Containers (SJSU Talk)
- 7. What If Darth can’t see Luke?
darth
(user: root)
(pid: 1)
luke
(user: root)
(pid: 2)
# pkill -9 luke
process not found
©ContainerX, http://containerx.io, @ContainerXInc
- 9. But, Darth can still see Luke
darth
(user: root)
(pid: 1)
luke
(user: root)
(pid: 2)
# pkill -9 luke
process not found
# cd /home/luke
# rm -rf *
- 10. How to contain?
Namespaces
1. PID
2. File system (or mount)
3. UTS – isolate hostname, nodename
4. IPC – mq and other IPC objects
5. Network – sockets, IP address, network stack
6. …
- 11. Darth can’t see Luke!
darth
(user: root)
(pid: 1)
luke
(user: root)
(pid: 2)
# pkill -9 luke
process not found
# cd /home/luke
no such directory
- 12. But, resources are shared
darth
(user: root)
(pid: 1)
luke
(user: root)
(pid: 2)
# cat /dev/zero > /dev/null
- 13. Use cgroups to limit resources
group limitcpu {
cpu { cpu.shares = 400; }
}
group limitmem {
memory { memory.limit_in_bytes = 512m; }
}
- 14. How to contain?
1. Namespaces
2. Cgroups
- 15. We are not done yet
darth
(user: nonroot)
(pid: 1)
luke
(user: root)
(pid: 2)
$ bindto 22
- 16. Capabilities
Two modes
1. Run as root, deny all, grant selected capabilities
2. Run as non-root, grant selected capabilities
a) grant net_bind_service
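Added example in Python (not from the slides): it decodes the CapEff mask a process shows in /proc/<pid>/status and flags anything beyond an allowlist, which is how you verify that a container really runs in the second mode above (non-root, only net_bind_service granted). The status snippets are constructed; the capability bit numbers are the standard Linux ones.

```python
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read", 38: "perfmon", 39: "bpf",
    40: "checkpoint_restore",
}

def parse_cap_eff(status_text):
    """Return the effective capability mask (CapEff) from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)

def decode_caps(mask):
    """Translate a capability bitmask into the set of capability names."""
    return {CAP_NAMES.get(bit, "cap_%d" % bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}

def excess_caps(mask, allowed):
    """Capabilities held beyond the allowlist (the slides' mode 2: grant selected)."""
    return decode_caps(mask) - set(allowed)

# Constructed sample status snippets (not real captures): "darth" kept the full
# root capability set, "luke" runs as uid 1000 with only net_bind_service (bit 10).
DARTH_STATUS = "Name:\tdarth\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
LUKE_STATUS = "Name:\tluke\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"
ALLOWED = {"net_bind_service"}   # all a service that only binds port 22 needs

if __name__ == "__main__":
    for name, text in (("darth", DARTH_STATUS), ("luke", LUKE_STATUS)):
        extra = excess_caps(parse_cap_eff(text), ALLOWED)
        print(name, "excess capabilities:", sorted(extra) or "none")
```

On a live host, feed the same functions the contents of /proc/<pid>/status for a containerised process to audit what it actually holds.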
- 17. How to contain?
1. Namespaces
2. Cgroups
3. Capabilities
- 19. Docker is a wrapper around lxc
simplifies container creation
- 21. Build layers using Dockerfile
FROM ubuntu
RUN apt-get update && apt-get install -y apache2
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
- 22. Build, Run and Inspect a container
• Set up a Docker host using docker-machine
• Write a Dockerfile
• Build
• Run
• Inspect
- 24. How to manage multiple hosts and containers?
• It’s easy to set up a Docker host and run a container
• It’s “super hard” to manage many of them, why?
1. Scale
2. Allocating resources (compute, storage and network)
3. Day-to-day management
4. Running infrastructure efficiently
- 27. Host and Container Management
• Cluster concept – aggregation
• Elasticity
• Addition and deletion of hosts
• Automatically in cloud environments
• Horizontal scaling
• Storage
• Network
- 28. Resource Management
(Diagram: three container pools with CPU and memory usage bars; only the pool limits are recoverable.)
• Green Container Pool: CPU Limit 30%, Mem Limit 30%, Priority Medium
• Yellow Container Pool: CPU Limit 60%, Mem Limit 70%, Priority High
• Blue Container Pool: CPU Limit 30%, Mem Limit 20%, Priority Low
- 30. Many Scheduling Algorithms
What works?
• Feedback based algorithms
• Simple heuristics
• Extensive simulation to understand corner cases
Real-world robustness is most important!
- 31. Cluster scheduling – feedback loop
(Diagram: a loop of Monitor → Control → Action.)
• Monitor: collects stats from the cluster
• Control: compares stats against performance goals using a model and sets control parameters
• Action: changes the allocation
• The model can model applications, containers, and underlying resources
- 32. Summary
• What are containers?
• OS virtualization
• Namespaces + CGroups + Capabilities
• Docker
• Wrapper around lxc
• User-friendly containers
• Container management – hard!
• Aggregation, Elasticity, Multi-tenancy …
• Feedback loop for cluster scheduling